Tickle the code out of the microcontroller
You may recall that I had stated in the beginning of this project that if we could figure out the MCU we may be able to tickle the code out of it for further study. Consider the following sections copied from the data sheet.
2.2.3 Special Bootstrap Operating Mode
The bootstrap mode is considered a special operating mode as distinguished from the normal single-chip operating mode. This is a very versatile operating mode since there are essentially no limitations on the special purpose program that can be loaded into the internal RAM. The boot loader program is contained in the 192 byte bootstrap ROM. This ROM is enabled only if the MCU is reset in special bootstrap operating mode, and appears as internal memory space at locations $BF40-$BFFF. The boot loader program will use the SCI to read a 256 byte program into on-chip RAM at locations $0000-$00FF. After the character for address $00FF is received, control is automatically passed to that program at location $0000. The MC68HC11A8 communicates through the SCI port. After reset in special bootstrap operating mode, the SCI is running at E clock/16 (7812 baud for E clock equal 2 MHz). If the security feature was specified and the security bit is set, $FF is output by the SCI transmitter. The EEPROM is then erased. If erasure is unsuccessful, $FF is output again and erasure is attempted again. Upon successful erasure of the EEPROM, all internal RAM is written over with $FF. The CONFIG register is then erased. The boot loader program now proceeds as though the part had not been in security mode. If the part is not in security mode (or has completed the above erase sequence), a break character is output by the SCI transmitter. For normal use of the boot loader program, the user sends $FF to the SCI receiver at either E clock/16 (7812 baud for E clock = 2 MHz) or E clock/104 (1200 baud for E clock = 2 MHz). NOTE: This $FF is not echoed through the SCI transmitter. Now the user must download 256 bytes of program data to be put into RAM starting at location $0000. These characters are echoed through the transmitter. When loading is complete, the program jumps to location $0000 and begins executing that code.
If the SCI transmitter pin is to be used, an external pull-up resistor is required because port D pins are configured for wire-OR operation. In special bootstrap operating mode the interrupt vectors are directed to RAM as shown in Table 2-3. This allows the user to use interrupts by way of a jump table. For example: to use the SWI interrupt, a jump instruction would be placed in RAM at locations $00F4, $00F5, and $00F6. When an SWI is encountered, the vector (which is in the boot loader ROM program) will direct program control to location $00F4 in RAM which in turn contains a JUMP instruction to the interrupt service routine.
Clock Output (E)
This is the output connection for the internally generated E clock which can be used as a timing reference. The frequency of the E clock output is actually one fourth that of the input frequency at the XTAL and EXTAL pins. When the E clock output is low an internal process is taking place and, when high, data is being accessed. The E clock signal is halted when the MCU is in STOP mode.
All of the IDMs that I have seen use an 8 MHz crystal. Taking the above information into consideration we find:
8 MHz / 4 = E clock
E clock = 2 MHz
So the IDM serial port uses the same baud rates as above: either 7812 or 1200.

2.2.4 Additional Boot Loader Program Options
The user may transmit a $55 (only at E clock/16) as the first character rather than the normal $FF. This will cause the program to jump directly to location $0000, skipping the download. The user may tie the receiver to the transmitter (with an external pull-up resistor). This will cause the program to jump directly to the beginning of EEPROM ($B600). Another way to cause the program to jump directly to EEPROM is to transmit either a break or $00 as the first character rather than the normal $FF. Note that none of these options bypass the security check and so do not compromise those customers using security. Keep in mind that upon entry to the downloaded program at location $0000, some registers have been changed from their reset states. The SCI transmitter and receiver are enabled which cause port D pins 0 and 1 to be dedicated to SCI use. Also port D is configured for wired-OR operation. It may be necessary for the user to write to the SCCR2 and SPCR registers to disable the SCI and/or port D wire-OR operation.
A few things need to be cleared up here, since I tend to work with dozens of MCU architectures.
E is the clock input divided by 4. E is divided by 16 for the SCI; is the SCI clock then divided by 16 again?
I assume the E clock transitions are not counted.
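The bootstrap exchange quoted in 2.2.3 and 2.2.4, together with the E clock arithmetic behind the divide-by-16 question above, as an added example that is not code from the original page or from the datasheet. The host side is written so that `port` can be any object with `read(n)`/`write(bytes)`: a pyserial `Serial` opened at the rate `sci_baud` returns (pyserial is assumed and not imported here, so the block runs offline), or the constructed `SimulatedBootstrapRom`, which models only the behaviour the excerpt states and is not the real 192-byte boot ROM. The arithmetic gives 2 MHz / 16 / 16 = 7812.5, so the datasheet's "E clock/16" is the SCI baud clock and the bit rate is that clock divided by 16 once more. Treating a received break as a 0x00 byte is an assumption about the host UART driver.

```python
# Host side of the MC68HC11 special-bootstrap download (2.2.3 / 2.2.4).
# Added example, not from the page or the datasheet; `port` is assumed to be a
# pyserial Serial (not imported) or the constructed simulator below.

BOOT_RAM_SIZE = 256      # bytes received into $0000-$00FF, then executed
EEPROM_START = 0xB600    # where a break/$00 first character sends control


def e_clock_hz(crystal_hz: int) -> float:
    """E clock is the XTAL/EXTAL input frequency divided by four."""
    return crystal_hz / 4


def sci_baud(e_hz: float, divisor: int) -> float:
    """'E clock/16' and 'E clock/104' name the SCI baud clock; the bit rate
    is that clock divided by 16 again: 2 MHz/16/16 = 7812.5, 2 MHz/104/16 = 1201.9."""
    return e_hz / divisor / 16


class BootloadError(Exception):
    pass


def _wait_for_break(port) -> bool:
    """Consume the boot ROM's opening output.  Returns True if the part was in
    security mode: it sends $FF (again after each failed attempt) while erasing
    EEPROM, RAM and CONFIG, and only then the break.  Assumption: the UART
    driver delivers a break as a 0x00 byte."""
    erased = False
    first = port.read(1)
    while first == b"\xff":
        erased = True
        first = port.read(1)
    if first != b"\x00":
        raise BootloadError(f"expected break from boot ROM, got {first!r}")
    return erased


def bootload(port, program: bytes) -> dict:
    """Download `program` into RAM; the ROM then jumps to $0000."""
    if len(program) != BOOT_RAM_SIZE:
        raise BootloadError(f"program must be {BOOT_RAM_SIZE} bytes, got {len(program)}")
    erased = _wait_for_break(port)
    port.write(b"\xff")              # sync byte; the ROM does not echo it
    for addr, b in enumerate(program):
        port.write(bytes([b]))
        echo = port.read(1)          # every program byte is echoed back
        if echo != bytes([b]):
            raise BootloadError(f"echo mismatch at ${addr:02X}: sent {b:02X}, got {echo!r}")
    return {"security_erase": erased, "echo_ok": True}


def skip_download(port) -> None:
    """2.2.4 option: $55 as the first character (E clock/16 rate only) jumps
    straight to what is already at $0000 without a download."""
    _wait_for_break(port)
    port.write(b"\x55")


class SimulatedBootstrapRom:
    """Constructed MCU-side model for offline testing of the host code."""

    def __init__(self, security_bit: bool = False):
        self.ram = bytearray(BOOT_RAM_SIZE)
        self.tx = bytearray(b"\xff" if security_bit else b"")  # $FF = erasing
        if security_bit:
            self.ram[:] = b"\xff" * BOOT_RAM_SIZE   # RAM written over with $FF
        self.tx.append(0x00)                        # then the break character
        self.first_char_seen = False
        self.loaded = 0
        self.entry = None                           # PC once the ROM hands over

    def read(self, n: int) -> bytes:
        out, self.tx = bytes(self.tx[:n]), self.tx[n:]
        return out

    def write(self, data: bytes) -> None:
        for b in data:
            if self.entry is not None:
                continue                         # downloaded code owns the SCI now
            if not self.first_char_seen:
                self.first_char_seen = True
                if b == 0x55:
                    self.entry = 0x0000          # skip the download
                elif b == 0x00:
                    self.entry = EEPROM_START    # break/$00: run EEPROM
                continue                         # $FF sync byte, not echoed
            self.ram[self.loaded] = b
            self.tx.append(b)                    # program bytes are echoed
            self.loaded += 1
            if self.loaded == BOOT_RAM_SIZE:
                self.entry = 0x0000              # control passes to $0000


if __name__ == "__main__":
    e = e_clock_hz(8_000_000)
    print(f"E = {e/1e6:.1f} MHz, fast = {sci_baud(e, 16):.1f}, slow = {sci_baud(e, 104):.1f} baud")
    mcu = SimulatedBootstrapRom()
    print(bootload(mcu, bytes(range(BOOT_RAM_SIZE))), hex(mcu.entry))
```

The echo check is the only feedback the boot ROM gives, so a mismatch (noise, wrong baud) should abort rather than let a corrupted 256-byte program run; and a leading $FF before the break is worth logging, since it means the part was secured and its EEPROM has just been erased.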
I'm not sure that the exact part number is MC68HC11E9; it may be another, such as the E7 or A8. Below is an example of the differences between part numbers.

A few things to remember: the MCU must have on-chip ROM, since there are no external ROM chips inside the IDM. Looking at the table above we see a number of devices with ROM. I'll assume the smallest-RAM part with an ADC, which is the A8, with 256 bytes of RAM.
This is not much RAM to work with, and some of it is allocated for vectors. This creates a challenge, but I still believe it may be possible to get the code out of the MCU.
Consider the SCI: the IDM does appear to have supporting circuitry for serial RX and TX. The IDM also has a configuration jumper to select the mode the MCU boots into.
Reference | Left         | Right
----------+--------------+------------
2.1       | ?            | ?
2.2       | ?            | GND
2.3       | MODB / VSTBY | 5 VDC
2.4       | ?            | ?
2.5       | GND          | MODA / LIR
2.6       | 5 VDC        | MODA / LIR

Since MODA is already hard-wired to GND via the 2.5 zero-ohm jumper, all we need to do is jumper 2.3.
This is NOT in the archive yet.