How to read the Boot ROM firmware code of P89C51RD2 and analyze the ISP function

1 Overview

P89C51RD2 is a derivative product of PHILIPS company's core based on the 8-bit 80C51 microcontroller. Under the framework of completely retaining the 80C51 instruction system and hardware structure, it has been strengthened, expanded and innovated in many aspects, making maximum use of all aspects of the original structure. P89C51RD2 utilizes the original 16-bit addressing mechanism of external data and program memory to expand the on-chip RAM to 1KB and the on-chip FLASH EPROM to 64KB to meet today's need for large on-chip storage capacity using embedded high-level languages.

The most notable feature of P89C51RD2 is its ISP (In-System Programming) function and IAP (In-Application Programming) function. ISP means that blank devices on the circuit board can be programmed to write end-user code without removing the device from the circuit board. Already programmed devices can also be erased or reprogrammed using ISP. IAP means that the MCU can obtain new code in the system and reprogram itself, that is, the program can be changed using the program. ISP and IAP technology are the development direction of future instrumentation. In order to promote ISP technology and IAP technology, PHILIPS company provides free Boot ROM firmware on the chip, and cleverly solves the address coverage problem of firmware and FLASH and some specific implementation details, making their implementation simple and ready-made. .

The contents of the Boot ROM are not made public by PHILIPS. However, many technical personnel are very interested in the implementation of the ISP (IAP) function in the Boot ROM firmware. As far as the ISP status is concerned, the host computer directly interacts with the program in the Boot ROM firmware. Therefore, the host computer program must be compiled according to the process and protocol provided by PHILIPS. As for how the ISP function is implemented inside the Boot ROM, it is unknown. . If we can figure out the specific method of realizing the ISP function, it will be of great benefit to the preparation of the host computer software. The following is some preliminary discussion on the implementation of ISP functions in Boot ROM.

2 How to read the Boot ROM firmware code

To analyze its ISP function, the source code in the Boot ROM must be read. For this reason, the relationship between Boot ROM space and FLASH space must be clarified. P89C51RD2 uses the most advanced FLASH (flash) EPROM, which has a capacity of 64KB and is divided into 8KB and 16KB memory blocks. We know that the maximum addressing capability of the 80C51 series 8-bit microcontroller is 64KB, and FLASH EPROM has occupied the entire addressing space. At the same time, PHILIPS Company provides a 1KB firmware called Boot ROM (Boot ROM) on-chip for P89C51RD2. There is a boot loader on the firmware, which can receive commands and data from the host via the serial port (such as via the RS-232C port of a PC). This firmware is placed at the highest end of the 64KB program memory, with the on-chip FLASH address 0FC00H "0FFFFH Phase coverage. Switching between the two is performed through the ENBOOT bit of the special function register AUXR1.

ENBOOT=1 The address is in the range of 0FC00H”0FFFFH, addressing the firmware

ENBOOT=0 The address is in the range of 0FC00H to 0FFFFH, addressing FLASH

Since the firmware can be addressed when ENBOOT=1, the firmware code can be read out by the application program. The following is the hardware part and software part when implementing code reading.

(1) Hardware part

In order to read the contents of the Boot ROM, a basic hardware system including reset, crystal oscillator and serial communication functions must be built for P89C51RD2. ICL232 is a single power supply serial port conversion chip that can complete the conversion between TTL level and RS-232C level.

(2) Software preparation

The purpose of compiling the software is to read the source code from the Boot ROM and send it to the host computer for display. In order to use ready-made software (such as HyperTerminal), the program converts the read binary code into ASCII code, and forms a HEX file format and directly transmits it to the host computer. In this way, the displayed content is saved and disassembled, and the Boot The contents of the ROM are analyzed. Since the program involves binary conversion into HEX file format, the relevant content about the HEX file format is expressed as follows:

The INTEL format of the HEX file is data information arranged by address proposed by INTEL. The data width is bytes. All data is represented by hexadecimal numbers. For example, the first 16 data of the Boot ROM starting from the address FC00H are (already converted into ASCII code):

75 89 02 75 C8 30 E4 F5 CD F5 CC 30 B0 FD 20 B0 (hex)

Then the conversion to HEX file format is:

:10FC000075890275C830E4F5CDF5CC30B0FD20B073

The ":" symbol indicates the start of the record; the following 2 characters indicate the length of the record, here is 10H, which is 16 hexadecimal digits; the following 4 characters give the transferred address, here is FC00H; and the following The two characters indicate the type of record, 00 indicates the data record, 01 indicates the end of the record file; the next 16 data are the real data records; the last two digits 73 are the checksum, which is added to all the previous data The sum is 0.

The last line of all HEX format files is the ending line. It is special and always looks like this:

:00000001FF

The main program to read the Boot ROM code is compiled as follows:

Two subroutines are used in the main program: READ_ROM and SEND_END.

READ_ROM subroutine function: read the code starting from FC00H, convert it into ASCII code and piece it together into a HEX file record and send it to the host computer.

Find the subroutine called by reading the Boot ROM code online.

3 Functional analysis of Boot ROM firmware

By analyzing the programs in the Boot ROM, you can have a deeper understanding of the relevant instructions of the ISP, and you can also learn from foreign countries on some programming methods. The following explains the relevant knowledge points of ISP.

3.1 About automatically determining the baud rate

The first step of the ISP function given by PHILIPS is: the upper computer sends an uppercase English character "U" to the lower computer for the lower computer to determine the baud rate.

3.1.1 Working principle

The uppercase English character "U" has its particularity. Its ASCII code is 55H, which is converted into binary as "01010101B", which means it is an alternating data of "0" and "1". If the transmission time tp of one bit can be calculated, the corresponding baud rate can be calculated.

3.1.2 Count value corresponding to tp

First, let's take a look at how the count value corresponding to a bit is calculated in Boot ROM. The following is the source code and disassembly program between the Boot ROM slave addresses FC00H and FC17H:

Source code disassembler

FC00 75 89 02 MOV TMOD, #02H; T1 working mode 2, timer

FC03 75 C8 30 MOV T2CON, #30H; T2 works as serial port baud

;rate generator

FC06 E4 CLR A

FC07 F5 CD MOV TH2,A

FC09 F5 CC MOV TL2,A;T2=0000H

FC0B 30 B0 FD JNB P3.0, $; if P3.0=0, wait,

; until it becomes 1

FC0E 20 B0 FD JB P3.0, $; if P3.0=1, wait,

; Until the falling edge comes

FC11 D2 CA SETB TR2; Start T2 timer

FC13 30 B0 FD JNB P3.0, $; if P3.0=0, wait,

; Until the rising edge comes

FC16 C2 CA CLR TR2; turn off the T2 timer, at this time

;The value in T2 is tp

First, clear T2 to 0, and then measure the falling edge. After detecting the falling edge, start setting TR2=1 and T2 starts counting. After detecting the rising edge, set TR2=0 and stop counting. At this time, 1 bit is transmitted in T2. (low level) count value. Taking the baud rate of 2400 bps as an example, the time it takes to transmit 1 bit is 1/2400 s, which is 416.67μs. The main frequency of P89C51RD2 is 11.0592 MHz. According to the data sheet of PHILIPS company, when T2 works in baud rate generator mode, OSC directly enters the T2 counter without frequency division. From this, the theoretical count of T2 within the tp time can be obtained The value is: (T2) = 0.000 416 67×110 592 00 = 4608 (decimal) = 1200H. Here, it is important to emphasize that this number is only a theoretical value. The actual value was tested when the baud rate was 2400 bps and it was found that the actual measured value was about 11FAH. No matter how you measure it, the actual measured value is always about 6 digits smaller than the theoretical value. This data provides an important basis for the following baud rate calculation.

3.1.3 Calculation of baud rate

The baud rate calculation in the program is quite unique. The following is the source code and disassembly program between the addresses FC18H and FC36H:

Source code disassembler

FC18 E5 CC MOV A, TL2

FC1A C4 SWAP A

FC1B 54 0F ANL A, #0FH; take the high 4 bits of TL2

FC1D F8 MOV R0,A

FC1E E5 CD MOV A, TH2

FC20 C4 SWAP A

FC21 54 F0 ANL A, #0F0H; take the lower 4 bits of TH2

FC23 48 ORL A, R0

FC24 F8 MOV R0, A; send to R0 after combination

FC25 E5 CD MOV A, TH2

FC27 C4 SWAP A

FC28 54 0F ANL A, #0FH; take the high 4 bits of TH2

FC2A F9 MOV R1,A

FC2B E8 MOV A, R0; The above program implements dividing the data in T2

;16, send R1 and R0 to save

FC2C F4 CPL A; Negate the low bits

FC2D F5 CC MOV TL2,A

FC2F F5 CA MOV RCAP2L,A

FC31 E9 MOV A, R1

FC32 F4 CPL A; Negate the high bit

FC33 F5 CD MOV TH2, A

FC35 F5 CB MOV RCAP2H,A

The above program is a program that converts the corresponding value of tp into a baud rate. Let’s first look at how the baud rate is defined. Timer 2 works in baud rate generator mode, the external clock signal enters from the T2 pin, and the baud rate

(1)

Therefore, in the program, the count value in T2 is first processed, which is equivalent to shifting 4 bits to the right, removing the lower 4 bits, 11FAH becomes 011FH, corresponding to dividing by 16 in equation (1), sending R1 and R0 to save, and then R1 Invert the value in R0 and its value is FEE0H. This value is exactly the same as calculated according to equation (1). Send this value to T2 and RCAP2 to get the corresponding assignment of 2400bps.