Vakumat P80C552 - Ghidra, BinaryNinja, IDA or Cutter?
After getting a good firmware image, the next question is which program to use for the disassembly. The chip used is an extension of the 8052, so any program that supports this out of the box would make the work much easier. Let's check out the usual 4 programs.
Ghidra has 3 options to select for chips in this family:
I tried all 3 and the result was the same as far as disassembly was concerned. The decompiler window varied a bit. Here are the first few lines executed right after the reset.
And there are some clear errors. MOV FIFLG, #0xff should be MOV P4,#0xff for example. Many of the special function registers have incorrect or missing names. After fixing those, the disassembly is much better. The decompiler seems to make mistakes, though. I was thinking that maybe it's optimizing all the P1.5 calls and lumping the end result together into a single assignment, but then it should also remove all the nop() calls. I could not find any option in Ghidra to get a better result. I submitted a bug report. So hopefully this will be fixed or maybe I get a beat-down for stupidly not using some sort of decompiler option...
Binary Ninja does not support this chip family out of the box. After asking around in the forum, I was pointed to the Intel 8051 Family Architecture Plugin by amtal:
The plugin is still in development and does not support my chip out of the box, but amtal was awesome and helped me out with a custom loader script for this firmware image:
and some other super-helpful information. I then got a list of where the registers are mapped to:
Since this plugin supports the 8051, P4 does not have the right name here either, just as in Ghidra, though in this case it's obvious that the name is missing.
But, no problem, as we can easily change the names in both programs. Both programs produce decompiled output, but one has to be careful as it's sometimes wrong. On to the next program.
amtal later gave some extra helpful patches:
"Because it's not (afaict) using register banks you can also apply this:"
IDA shows two varieties of 8051:
But selecting either one shows the same list of sub-options:
Going through the options sometimes results in only registers with generic names:
Or sometimes in partial name resolution with helpful comments:
Or sometimes incorrect register names, like in Ghidra:
But there is not an option that covers our particular Philips chip. IDA does not have any decompilation at all for this chip family.
Cutter offers two options for the 8051 family:
The first produces some basic disassembly with correct register names or register address if the name is not known. The second produces garbage.
Like in IDA, this processor is not supported by the Cutter decompiler.
The SFR at 0x92:
One thing all the tools have in common is that they don't know anything about an SFR at address 0x92, but there is an access to it in the code. The datasheet for this chip does not mention this register either: https://www.nxp.com/docs/en/data-sheet/80C552_83C552.pdf
It will be interesting to see how important this is for the front panel communication.
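Since every tool above gets some SFR names wrong, a tool-independent cross-check helps. The following is an added example, not code from this post or from the i8051 plugin: a linear sweep over 8051 machine code that lists each direct or bit-addressed SFR access and flags addresses such as 0x92 that are absent from the name table. The SFR table is a subset written from the 80C552 register map and should be checked against the datasheet, the sample bytes are constructed, and a linear sweep will misdecode any data embedded in code, so treat hits as leads.

```python
# Added example: linear sweep over 8051 code that names every SFR access.
# SFR subset for the 80C552 (core 8051 registers plus a few 80C552 additions);
# verify and extend it from the datasheet before relying on it.
SFR = {0x80: "P0", 0x81: "SP", 0x82: "DPL", 0x83: "DPH", 0x87: "PCON",
       0x88: "TCON", 0x89: "TMOD", 0x90: "P1", 0xA0: "P2", 0xA8: "IEN0",
       0xB0: "P3", 0xB8: "IP0", 0xC0: "P4", 0xC4: "P5", 0xC5: "ADCON",
       0xD0: "PSW", 0xD8: "S1CON", 0xE0: "ACC", 0xE8: "IEN1", 0xF0: "B"}

# Instruction length per opcode: one 16-character row per high nibble (0x0..0xF).
ROWS = (["1231121111111111", "3231121111111111"] + ["3211221111111111"] * 2
        + ["2223221111111111"] * 3
        + ["2221232222222222", "2221132222222222", "3221221111111111",
           "2221112222222222", "2221333333333333", "2221121111111111",
           "2221131122222222"] + ["1211121111111111"] * 2)
LEN = [int(c) for c in "".join(ROWS)]
# Opcodes whose first operand is a bit address (JBC/JB/JNB, SETB/CLR/CPL, ...).
BIT_OPS = {0x10, 0x20, 0x30, 0x72, 0x82, 0x92, 0xA0, 0xA2, 0xB0, 0xB2, 0xC2, 0xD2}
DIRECT_OPS = {0x42, 0x52, 0x62, 0x43, 0x53, 0x63, 0xC0, 0xD0}

def sfr_operands(insn):
    """Return the SFR byte addresses (>= 0x80) that one instruction touches."""
    op, lo, hi = insn[0], insn[0] & 0x0F, insn[0] >> 4
    if op == 0x85:                                    # MOV direct,direct
        addrs = [insn[1], insn[2]]
    elif ((lo == 5 and op != 0xA5) or op in DIRECT_OPS
          or (hi in (0x8, 0xA) and lo >= 6)):
        addrs = [insn[1]]                             # direct byte operand
    elif op in BIT_OPS:
        addrs = [insn[1] & 0xF8]                      # bit address -> owning SFR
    else:
        addrs = []
    return [a for a in addrs if a >= 0x80]

def scan(code, base=0):
    """Linear sweep; returns (offset, sfr_address, name_or_None) tuples."""
    hits, pc = [], 0
    while pc < len(code):
        insn = code[pc:pc + LEN[code[pc]]]
        if len(insn) < LEN[code[pc]]:
            break                                     # truncated final instruction
        hits += [(base + pc, a, SFR.get(a)) for a in sfr_operands(insn)]
        pc += len(insn)
    return hits

# Constructed sample, not taken from the Vakumat image:
# MOV P4,#0xFF ; SETB P1.5 ; NOP ; CLR P1.5 ; MOV 0x92,A ; LJMP 0x0100
SAMPLE = bytes.fromhex("75c0ff d295 00 c295 f592 020100")

if __name__ == "__main__":
    for off, addr, name in scan(SAMPLE):
        print(f"{off:04x}: SFR 0x{addr:02X} {name or '<not in table>'}")
```

Run against the real image, entries reported as not in the table are the ones to look up in the datasheet or, like 0x92, to investigate by hand.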
I expect to be using a combination of Binary Ninja and Ghidra, which has sort of become my go-to approach lately....
80C51 FAMILY DERIVATIVES, 8XC552/562 overview - https://www.keil.com/dd/docs/datashts/philips/8xc5x2_ov.pdf
Intel 8051 Family Architecture Plugin - https://github.com/amtal/i8051
80C552/83C552 Datasheet - https://www.nxp.com/docs/en/data-sheet/80C552_83C552.pdf