A way to validate the hex file burned into device against the result (hex) of original source code

What?:) You can only validate binary against binary so you can dump the flash (assuming it isn't protected against read-back) and compare to some external binary (typical HEX file). If you want to reverse HEX file into source code and then get glimps if the source code reminds some other existing C/ASM project then good luck, this is very unlikely. Even if you are magician with tools like IDA Pro and disassemble the binary into some pseudo source code it will be so different from any human readable/written C source code that it will be almost impossible to guess if it matches some specific source files. Every compiler and linker produces different binary, very usually different versions of compilers like GCC or Keil or IAR produce different binary, there are countless options to set different behavior of compiler so from one source code you can produce many different binaries (and many of them might even work quite the same way!).

The only conditions where I've seen such exercise completed are:

• You have some HEX file (either you have it archived or you can dump it from some device).
• You have source code or several versions of source code project but not more then few.
• Finally you have some limited options of what compilation chain and settings might be used.

Then you simply compile all the options and compare results with HEX binary one by one. It's almost trial and error one by one, sometimes you can see that certain parts start to match which might hint that e.g. your compilation chain is correct just source code project version is different or vice versa.

What?:) You can only validate binary against binary so you can dump the flash (assuming it isn't protected against read-back) and compare to some external binary (typical HEX file). If you want to reverse HEX file into source code and then get glimps if the source code reminds some other existing C/ASM project then good luck, this is very unlikely. Even if you are magician with tools like IDA Pro and disassemble the binary into some pseudo source code it will be so different from any human readable/written C source code that it will be almost impossible to guess if it matches some specific source files. Every compiler and linker produces different binary, very usually different versions of compilers like GCC or Keil or IAR produce different binary, there are countless options to set different behavior of compiler so from one source code you can produce many different binaries (and many of them might even work quite the same way!).

The only conditions where I've seen such exercise completed are:

• You have some HEX file (either you have it archived or you can dump it from some device).
• You have source code or several versions of source code project but not more then few.
• Finally you have some limited options of what compilation chain and settings might be used.

Then you simply compile all the options and compare results with HEX binary one by one. It's almost trial and error one by one, sometimes you can see that certain parts start to match which might hint that e.g. your compilation chain is correct just source code project version is different or vice versa.

Thanks for your response. I know the shortcomings of comparing source code against binary, but I see it doable as you mentioned by comparing the result (hex) of source code against the hex file I read-back from the device.

Actually, now I see the hex file read-back from the device is not same with the hex file compiled from the source code. It seems the device-hex is much bigger and includes other data.

I just want to prove that the hex file compiled from the source code really matches the program section of the device-hex file. Where can I find the structure of the hex file extracted from the device?

Well if you know the shortcomings then you are there;) HEX file is format which contains both binary itself and memory address where each chunk of that binary is loaded. Note that just by formatting the same binary differently you can get several HEX files which look like not matching. So comparing actual binaries just dumped from/compiled for certain address looks like better idea. If they still don't match then well, either source code or compilation chain isn't the same. But that is all you get, only YES/NO answers of compare.

The hex files (at least from keil) are written in the intel hex format. The data field of the data records are the instructions stored in flash, and should correspond with the hex file you dump from the chip. At least in theory, I haven't actually tried this myself.