IBM LPFK reverse engineering

Philip Pemberton classiccmp at philpem.me.uk
Sun Aug 17 14:27:05 CDT 2008


Scanning wrote:
> Philip,
> 
> Could you execute a small loop in RAM that iterates the flash and pukes the
> code byte by byte onto the serial bus?

No -- the 8051 latches the state of the EA (External Access Enable) pin on 
startup. This is the pin that tells the chip whether to run from internal ROM 
or from an external ROM.

If it's running from ext-ROM, the MOVC instruction won't work (or it'll read 
from ext-ROM).

It's also a Harvard architecture MCU, so the code and data spaces are 
separate. You can't just JMP MY_EVIL_ROUTINE_IN_RAM and dump the ROM that way. 
Princeton (Von Neumann) architecture chips like the 8086 will allow this, and 
the 8051 will if you wire-OR /PSEN with /RD. It's not really a common 
configuration though, and only works when the 8051 is being operated as an 
external CPU.

Thanks,
-- 
Phil.
classiccmp at philpem.me.uk
http://www.philpem.me.uk/


