In the spirit of "homebrew" firmware and pissing off the profiteers:
This isn't really for total noobs. The outline assumes you know your way around a DOS prompt, binary files, a hex editor,
and preferably some 8051 assembler, since that is what these drives run.
Many have expressed a desire for "how to get started reversing", so here it is.
If you want to LEARN, read on; if you want spoon feeding, this isn't for you.
This example is for the TS drive, but it is similar for the Hitachi too:
Take your stock MS28 firmware and, with a hex editor, extract the first bank, 0x0000 to 0xFFFF. Save it as the binary file MS28B0.BIN.
Do the same thing with your favourite extreme firmware (XTRM.BIN) and save it as XTRMB0.BIN. Both new files should be exactly 64K (65536 bytes); if they are not, you cut the wrong range.
Get the disassembler DIS8051 and the assembler ASEM-51 here:
http://bit.kuas.edu.tw/~8051/
Go to your working dir and type at the command line:
dis8051 MS28B0.BIN /bclr
dis8051 XTRMB0.BIN /bclr
You should now have 2 .SRC files, MS28B0.SRC and XTRMB0.SRC.
Now load both B0 (bank 0) .BIN files in a hex editor and do a file compare.
Start up Notepad and load XTRMB0.SRC.
Start a second, empty Notepad window for your new source.
For the first difference you see, put an org statement in your source, using the address where the compare failed as its parameter:
Example:
org 0395h
Then copy the extreme source line corresponding to that address
Example:
org 0395h
nop
This tells the assembler to emit a NOP byte (00h) at ROM location 0395h.
For every difference you see, go to XTRMB0.SRC and copy the source line(s) that correspond to that address in the MS28 bin.
Keep repeating this until you have a complete source file that lists every change you want the assembler to make to
the target firmware (MS28.BIN). One caveat: the disassembler cannot tell code from data, so where DIS8051 has decoded a table as instructions, use a db directive with the raw bytes from XTRMB0.BIN instead of the mnemonics; either way the assembled bytes must match the extreme bank exactly.
You do not need a new org statement for every line, only when the next change is not contiguous with the previous one; consecutive lines assemble to consecutive addresses.
Example:
org 0395h
nop
mov dptr,#4c00h
This assembles to 4 bytes (00h 90h 4Ch 00h) starting at 0395h.
Finally, put an end statement on the last line of your source code.
Save your work in Notepad as MYSOURCE.SRC.
OK, now you are ready to assemble.
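The hex-editor compare and org-building steps above, done as a script. This is an added example and not code from the original post: it extracts bank 0 from each full image, finds every run of bytes where the extreme bank differs from the stock bank, and writes an org for each run followed by db lines carrying the new bytes. The post copies the disassembled mnemonics from XTRMB0.SRC instead; db assembles to exactly the same bytes, so this output is a valid MYSOURCE.SRC that you can then replace line by line with real instructions as you work out what each change does. The two sample images are constructed here (a repeating byte pattern with the post's 0395h change dropped in), not real firmware.

```python
"""Build an ASEM-51 patch source from two 64K firmware banks.

Added example, not code from the original post. Extract bank 0 from each
image, diff the banks, and emit 'org' + 'db' for every differing run.
"""

BANK_SIZE = 0x10000


def extract_bank(image: bytes, bank: int) -> bytes:
    """Return 64K bank number 'bank' of a full firmware image (0 = 0x0000..0xFFFF)."""
    start = bank * BANK_SIZE
    if start + BANK_SIZE > len(image):
        raise ValueError(f"image is only {len(image)} bytes; bank {bank} does not exist")
    return image[start:start + BANK_SIZE]


def diff_runs(base: bytes, target: bytes):
    """Yield (offset, new_bytes) for each maximal run where target differs from base."""
    if len(base) != len(target):
        raise ValueError("banks must be the same size")
    i, n = 0, len(base)
    while i < n:
        if base[i] == target[i]:
            i += 1
            continue
        start = i
        while i < n and base[i] != target[i]:
            i += 1
        yield start, target[start:i]


def asm_hex(value: int, digits: int) -> str:
    """Format a number the way ASEM-51 wants it: hex, trailing 'h', leading digit required."""
    text = f"{value:0{digits}X}"
    if text[0] not in "0123456789":
        text = "0" + text            # 0F000h, never F000h
    return text + "h"


def to_asem_source(base: bytes, target: bytes, width: int = 8) -> str:
    """Emit the patch source: one org per differing run, db lines with the new bytes."""
    lines = []
    for off, data in diff_runs(base, target):
        old = base[off:off + len(data)].hex().upper()
        lines.append(f"\torg {asm_hex(off, 4)}\t; was {old}")
        for j in range(0, len(data), width):
            chunk = ", ".join(asm_hex(b, 2) for b in data[j:j + width])
            lines.append(f"\tdb {chunk}")
    lines.append("\tend")
    return "\n".join(lines) + "\n"


def make_sample_images():
    """Constructed stand-ins for MS28.BIN and XTRM.BIN (two banks each, not real firmware)."""
    stock = bytes(range(256)) * (2 * BANK_SIZE // 256)
    extreme = bytearray(stock)
    extreme[0x0010] = 0xFF                                    # a one-byte change
    extreme[0x0395:0x0399] = bytes([0x00, 0x90, 0x4C, 0x00])  # nop ; mov dptr,#4C00h
    return stock, bytes(extreme)


if __name__ == "__main__":
    ms28, xtrm = make_sample_images()
    print(to_asem_source(extract_bank(ms28, 0), extract_bank(xtrm, 0)), end="")
```

Run it and the printed source is what you would have typed by hand: an org 0010h with a single db 0FFh, then org 0395h with db 00h, 90h, 4Ch, 00h, then end. The "; was ..." comment on each org keeps the original bytes next to the change, which is what you want to see when a later firmware version moves things around.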
In your working dir type:
Asem MYSOURCE.SRC
If it assembles without errors you get a MYSOURCE.HEX file (and a MYSOURCE.LST listing). If you get errors, see the assembler documentation.
The .HEX file is an Intel HEX file holding only the patched bytes and their addresses, i.e. everything that has to be applied to your MS28.BIN.
Now the tricky part. You need a program that can load a .HEX file; most programmer software can do it.
First load your original MS28.BIN into the programmer software as a binary file, the whole thing, not just bank 0.
Next load the "overlay" .HEX file created by the assembler on top of it.
IT IS EXTREMELY IMPORTANT THAT THE PROGRAMMER SOFTWARE DOES NOT CLEAR THE EXISTING BUFFER
BEFORE LOADING THE .HEX FILE.
Otherwise you wipe out your original and are left with only the changes. When you are done, save your patched buffer as MYFIRM.BIN.
Now verify: compare MYFIRM.BIN to the original XTRM.BIN; there should be no differences.
If there are, you made a mistake: look at the failing compare address to see what went wrong,
and look at MYSOURCE.LST to see which addresses were targeted with which bytes. Do not flash anything until this compare is clean.
That's it, you now have source code.
Need to target a different firmware version? Change the orgs, and check that the bytes at the new addresses are the ones you expect, because the code may have moved.
Want to insert a new feature? Edit MYSOURCE.SRC, assemble, and overlay.
Need to add some custom code? Add one org for the location you are hooking, and another for the free ROM where your code will live.
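The overlay and verification step, done as a script so you are not at the mercy of what the programmer software does with its buffer. This is an added example and not code from the original post: the whole original image goes into a buffer, only the addresses the .HEX carries are overwritten, and the result is compared byte for byte against the target, reporting the failing compare address. ASEM-51 writes Intel HEX, so every record's checksum is verified and a corrupt or truncated .HEX raises instead of silently producing a bad image. The sample image and the three HEX records below are constructed for the demo (they are what the assembler would produce for org 0010h / db 0FFh and org 0395h / nop / mov dptr,#4C00h), not taken from a real firmware.

```python
"""Overlay an ASEM-51 .HEX file onto a full firmware image and verify the result.

Added example, not code from the original post. Handles Intel HEX data (00),
EOF (01) and the 02/04 base-address records; anything else is rejected.
"""
import binascii

BANK_SIZE = 0x10000


def parse_ihex(text: str):
    """Yield (absolute_address, data) for each data record; checksum every line."""
    base = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record does not start with ':'")
        rec = binascii.unhexlify(line[1:])
        if len(rec) < 5 or sum(rec) & 0xFF:          # all bytes incl. checksum sum to 0
            raise ValueError(f"line {lineno}: bad length or checksum")
        count, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        data = rec[4:-1]
        if len(data) != count:
            raise ValueError(f"line {lineno}: byte count {count} does not match data")
        if rtype == 0x00:
            yield base + addr, data
        elif rtype == 0x01:
            return
        elif rtype == 0x02:                            # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                            # extended linear address
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:02X}")
    raise ValueError("no EOF record; .HEX file is truncated")


def overlay(image: bytes, hex_text: str, bank: int = 0) -> bytes:
    """Copy of image with the .HEX bytes written at bank*64K + record address."""
    buf = bytearray(image)                             # the original, never cleared
    for addr, data in parse_ihex(hex_text):
        off = bank * BANK_SIZE + addr
        if off + len(data) > len(buf):
            raise ValueError(f"record at {addr:04X}h runs past the end of the image")
        buf[off:off + len(data)] = data
    return bytes(buf)


def first_mismatch(a: bytes, b: bytes):
    """Offset of the first differing byte (the 'failing compare address'), or None."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


# Constructed MYSOURCE.HEX: org 0010h / db 0FFh, then org 0395h / nop / mov dptr,#4C00h
SAMPLE_HEX = """\
:01001000FFF0
:0403950000904C0088
:00000001FF
"""


def make_sample_image() -> bytes:
    """Constructed two-bank stand-in for MS28.BIN (repeating pattern, not real firmware)."""
    return bytes(range(256)) * (2 * BANK_SIZE // 256)


if __name__ == "__main__":
    ms28 = make_sample_image()
    myfirm = overlay(ms28, SAMPLE_HEX, bank=0)
    print("first change at", hex(first_mismatch(ms28, myfirm)))
```

For real use, read MS28.BIN with open(..., "rb"), pass the .HEX text to overlay, write MYFIRM.BIN, and then call first_mismatch(myfirm, xtrm); anything other than None is the address to look up in MYSOURCE.LST. The bank argument is there for patches that target bank 1 or later; ASEM-51 addresses are 16-bit, so the bank offset has to come from you.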
Example:
org oldcode ;oldcode is the address you are hooking in the original .bin (define it with an equ)
ljmp mycode ;ljmp is 3 bytes, so this overwrites 3 bytes of original code at oldcode
org freeromformycode ;an address of unused ROM; check it really is unused in the target firmware
mycode:
mov r0,#7 ;my code (make sure the code you hooked was not relying on r0)
nop
mov dptr,#4c00h
;replay here whatever the 3 bytes at oldcode used to do, then go back
ljmp oldcode+3 ;don't forget you overwrote something with "org oldcode", so be careful to clean up
;after yourself before you jump back in, and if those 3 bytes cut an instruction in half you have to deal with that too