'99 Saturn Dissassembly

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
sabercatpuck

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

VL400 wrote:The mode 35 is used to upload routines and then execute them, can use it for uploading a bin dumper routine or a flash erase/write routine.
I thought mode 34 and 35 were from the modules perspective so 34 would send things to the module and 35 would get stuff back
sabercatpuck

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

This is so I don't lose this site again :). Lots of good info, but the page indexed is for ECM pinouts.

http://www.saturnwiki.net/index.php/PCM_connectors
VL400

Re: '99 Saturn Dissassembly

Post by VL400 »

sabercatpuck wrote:
VL400 wrote:The mode 35 is used to upload routines and then execute them, can use it for uploading a bin dumper routine or a flash erase/write routine.
I thought mode 34 and 35 were from the modules perspective so 34 would send things to the module and 35 would get stuff back
Sorry, yeah that is correct - mode 34 to upload a routine.
sabercatpuck

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Although I am trying to work through the logistics of the format for mode $35. What I have so far is that it should be 35 00 xx xx yy yy yy. I do know that xx xx cannot be greater than $0480. I am not sure if the ELM is capable of this one though. This is what I have so far, pieced together from the code:


; Execution trace (address  instruction ; RAM/ROM values observed) of the Class 2
; input-buffer scan at E8190 while a mode $35 request is pending.  Input slots are
; 16 bytes, addressed through the pointer at L1E3A; byte 15 of a slot reads $AA
; while it holds a fresh message (cmpA #$AA at 18197).
18190	ldY	L1E3A; 01E3A = 1D, 01E3B = E8
18194	ldaA	15, Y; 01DF7 = AA
18197	cmpA	#$AA
18199	beq	L819E
; Header byte $6C passes the bit tests at 181A1-181B3; second byte $10 is
; compared with #$FE and then with the module id at LC251 ($10) before the
; message is accepted for copying.
1819E	ldaB	0, Y; 01DE8 = 6C
181A1	xorB	#%00001000
181A3	bitB	#%00011000
181A5	beq	L81AA
181AA	cmpB	#$E0
181AC	bcs	L81B1
181B1	bitB	#%00000100
181B3	bne	L81C2
181C2	ldaA	1, Y; 01DE9 = 10
181C5	cmpA	#$FE
181C7	bne	L81E3
181E3	cmpA	LC251; 1C251 = 10
181E6	beq	L81F8
; Output slot (pointer at L1E7B) is free: its byte 15 is $00, not $AA.
181F8	ldX	L1E7B; 01E7B = 1E, 01E7C = 6B
181FB	ldaA	15, X; 01E7A = 00
181FD	cmpA	#$AA
181FF	bne	L820B
; Copy the whole 16-byte input slot ($1DE8) to the output slot ($1E6B).
1820B	ldD	0, Y; 01DE8 = 6C, 01DE9 = 10
1820E	stD	0, X; 01E6B = 6C, 01E6C = 10
18210	ldD	2, Y; 01DEA = F1, 01DEB = 35
18213	stD	2, X; 01E6D = F1, 01E6E = 35
18215	ldD	4, Y; 01DEC = 00, 01DED = 00
18218	stD	4, X; 01E6F = 00, 01E70 = 00
1821A	ldD	6, Y; 01DEE = 04, 01DEF = 00
1821D	stD	6, X; 01E71 = 04, 01E72 = 00
1821F	ldD	8, Y; 01DF0 = 0E, 01DF1 = 00
18222	stD	8, X; 01E73 = 0E, 01E74 = 00
18224	ldD	10, Y; 01DF2 = 00, 01DF3 = 00
18227	stD	10, X; 01E75 = 00, 01E76 = 00
18229	ldD	12, Y; 01DF4 = 1D, 01DF5 = F2
1822C	stD	12, X, 01E77 = 1D, 01E78 = F2
1822E	ldD	14, Y; 01DF6 = 00, 01DF7 = AA
18231	stD	14, X; 01E79 = 00, 01E7A = AA
; Bytes 12-13 of a slot hold an address ($1DF2); minus the slot base this
; gives the message length ($0A), which is re-based onto the output slot.
18233	ldD	12, Y; 01DF4 = 1D, 01DF5 = F2
18236	subD	L1E3A; 01E3A = 1D, 01E3B = E8
18239	aBX
1823A	ldY	L1E7B; 01E7B = 1E, 01E7C = 6B
1823E	stX	12, Y; 01E77 = 1E, 01E78 = 75
; Advance the output pointer by 16, wrapping from $1E7B back to $1E4B.
18241	ldD	L1E7B; 01E7B = 1E, 01E7C = 6B
18244	addD	#$0010
18247	cmpD	#$1E7B
1824B	bcs	L8250
1824D	ldD	#$1E4B
18250	stD	L1E7B; 01E7B = 1E, 01E7C = 4B
; Release the input slot (byte 15 := $00) and advance the input pointer by 16.
18253	ldY	L1E3A; 01E3A = 1D, 01E3B = E8
18257	ldaA	#$00
18259	staA	15, Y; 01DF7 = 00
1825C	ldD	L1E3A; 01E3A = 1D, 01E3B = E8
1825F	addD	#$0010
18262	cmpD	#$1E38
18266	bcs	L826B
1826B	stD	L1E3A; 01E3A = 1D, 01E3B = F8
1826E	jmp	E8190
; Next slot ($1DF8) has byte 15 = $00: no further new message, leave the scan.
18190	ldY	L1E3A; 01E3A = 1D, 01E3B = F8
18194	ldaA	15, Y; 01E07 = 00
18197	cmpA	#$AA
18199	beq	L819E
1819B	jmp	L8271
; L8271: stage the pending output message (pointer L1E7D -> $1E6B) into the
; scratch area at $0383.  Bits 5 and 4 of L0088 are both clear here ($02).
18271	brset	L0088, #%00100000, L8284; 00088 = 02
18275	brset	L0088, #%00010000, L82CC; 00088 = 02
18279	ldY	L1E7D; 01E7D = 1E, 01E7E = 6B
1827D	ldaA	15, Y; 01E7A = AA
18280	cmpA	#$AA
18282	beq	L8286
18286	ldX	#$0383
18289	ldaB	0, Y; 01E6B = 6C
1828C	ldaB	0, Y
1828E	bne	L82A2
; Reply header built at $0383-$0385: buffer byte 0, buffer byte 2, module id.
182A2	ldaA	0, Y; 01E6B = 6C
182A5	staA	0, X; 00383 = 6C
182A7	ldaA	2, Y; 01E6D = F1
182AA	staA	1, X; 00384 = F1
182AC	ldaA	LC251; 1C251 = 10
182AF	staA	2, X; 00385 = 10
; Data length = (bytes 12-13) - slot base - 3-byte header = $07, kept in L1E7F.
182B1	ldD	12, Y; 01E77 = 1E, 01E78 = 75
182B4	subD	L1E7D; 01E7D = 1E, 01E7E = 6B
182B7	subB	#$03
182B9	staB	L1E7F; 01E7F = 07
; Copy the 7 data bytes to $0386-$038C.  Bytes seen: 35 00 00 04 00 0E 00, i.e.
; mode $35, $00, xx xx = $0004, yy yy yy = $000E00 in the 35 00 xx xx yy yy yy layout.
182BC	ldaA	3, Y; 01E6E = 35
182BF	staA	3, X; 00386 = 35
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 01E6F = 00
182BF	staA	3, X; 00387 = 00
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 01E70 = 00
182BF	staA	3, X; 00388 = 00
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 01E71 = 04
182BF	staA	3, X; 00389 = 04
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 01E72 = 00
182BF	staA	3, X; 0038A = 00
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 01E73 = 0E
182BF	staA	3, X; 0038B = 0E
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 01E74 = 00
182BF	staA	3, X; 0038C = 00
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
; L1E82 := 1 once the copy is staged (what consumes this flag is not visible here).
182C7	ldaA	#$01
182C9	staA	L1E82; 01E82 = 01
; Dispatcher L8883: picks the handler for the mode byte at L0386 ($35).
182CC	call	L8883; 003FA = CF, 003F9 = 82, 18883 = F6
; Bit 6 is masked off before the lookup; it is the reply marker (set by
; oraA #%01000000 at 1AFAB when the positive response is built).
18883	ldaB	L0386; 00386 = 35
18886	andB	#%10111111
18888	tBA
18889	beq	L8899
1888B	cmpB	#$08
1888D	bhi	L8895
; Modes $10-$3F: index = mode - $10 ($25), table base $8805.
18895	subB	#$10
18897	bcc	L889F
1889F	cmpB	#$2F
188A1	bhi	L88A8
188A3	ldX	#$8805
188A6	jr	L88B3
; Two-byte entries: base + 2*index = $884F holds $9EA2.
188B3	aBX
188B4	aBX
188B5   ldX	0, X; 1884F = 9E, 18850 = A2
188B7	beq	L88D9
188B9	brset	L0088, #%00010000, L88D5; 00088 = 02
; Entry bytes 0 and 1 are the max/min data length; both are $07 here and the
; staged length in L1E7F is $07, so mode $35 takes exactly 7 data bytes --
; consistent with the 35 00 xx xx yy yy yy layout.
188BD	ldaB	L1E7F; 01E7F = 07
188C0	cmpB	0, X; 19EA2 = 07
188C2	bhi	L88C8
188C4	cmpB	1, X; 19EA3 = 07
188C6	bcc	L88D0
; Length accepted: set bit 4 of L0088 and enter the handler at entry + 4 ($9EA6).
188D0	bset	L0088, #%00010000; 00088 = 02, 00088 = 12
188D3	jmp	4, X
; Mode $35 handler entered at 19EA6 with X -> $0386, the mode byte of the
; staged copy (so 1,X .. 6,X are the six bytes after the mode).
19EA6	ldX	#$0386
; LB00D: a chain of state checks; each one branches to LB042 (clrA; ret).
; In this capture the L008C bit-0 test is the one taken.  What the
; fall-through destination LB036 returns is not visible here.
19EA9	call	LB00D; 003F8 = AC, 003F7 = 9E
1B00D	brset	L007A, #%00001000, LB036; 0007A = 80
1B011	tst	L1B91; 01B91 = 00
1B014	bne	LB036
1B016	ldaB	L3B01; 03B01 = 1E
1B019	bitB	#%00000001
1B01B	bne	LB042
1B01D	pushX; 003F6 = 86, 003F5 = 03
1B01E	ldX	L200A; 0200A = E5, 0200B = 7F
1B021	cmpX	#$DEAD
1B024	popX; 003F4 = 00, 003F5 = 03, 003F6 = 86
1B025	beq	LB042
1B027	ldaB	L3B04; 03B04 = 00
1B02A	incB
1B02B	beq	LB042
1B02D	tst	L0E3D; 00E3D = 00
1B030	bne	LB042
1B032	brset	L008C, #%00000001, LB042; 0008C = 01
1B042	clrA
1B043	ret; 003F6 = 86, 003F7 = 9E, 003F8 = AC
; A = 0 -> continue with the request.
19EAC	tstA
19EAD	beq	L9EB2
19EB2	ldD	2, X; 00388 = 00, 00389 = 04
19EB4	cmpD	#$0480
19EB8	bls	L9EBE ; check that xx xx is less than $0480
19EBE	ldaA	#$51; preload error code "improper upload type"
; The byte after the mode ($0387) must be $00, and the first yy byte ($038A) too.
19EC0	ldaB	1, X; 00387 = 00
19EC2	bne	L9F00
19EC4	tst	4, X; 0038A = 00
19EC6	bne	L9ED9
; D = remaining yy yy ($0E00); bpl rejects a set sign bit, and start + xx xx - 1
; ($0E03) is tested the same way -- looks like a range check that keeps the end
; address below $8000 (TODO confirm against the branches at L9ED0/L9ED9).
19EC8	ldD	5, X; 0038B = 0E, 0038C = 00
19ECA	bpl	L9ED0
19ED0	addD	2, X; 00388 = 00, 00389 = 04
19ED2	subD	#$0001
19ED5	bpl	L9EEA
; Accepted: save byte 2, overwrite it with $54 and build the reply with A = 3
; (stored as the reply data length in L1E7F by LAF9F).
19EEA	ldaA	2, X; 00388 = 00
19EEC	pushA; 003F8 = 00
19EED	ldaA	#$54; load message "ready for upload"
19EEF	staA	2, X; 00388 = 54
19EF1	ldaA	#$03
19EF3	call	LAF9F; 003F7 = F6, 003F6 = 9E
; LAF9F: turn the staged message into a positive reply.  A non-zero A becomes
; the reply length in L1E7F; bit 6 of the mode byte is set ($35 -> $75).
1AF9F	bclr	L0088, #%00010000; 00088 = 12, 00088 = 02
1AFA2	tstA
1AFA3	beq	LAFA8
1AFA5	staA	L1E7F; 01E7F = 03
1AFA8	ldaA	L0386; 00386 = 35
1AFAB	oraA	#%01000000
1AFAD	staA	L0386; 00386 = 75 Put 75 in outgoing message good response
; LBD43 with X = $C603: ORs the byte at 15,X ($01) into $1F9A + (16,X = $00),
; with interrupts masked for the read-modify-write (tPA / di ... tAP).
1AFB0	ldX	#$C603
1AFB3	call	LBD43; 003F5 = B6, 003F4 = AF
1BD43	ldaB	16, X; 1C613 = 00
1BD45	ldY	#$1F9A
1BD49	aBY
1BD4B	tPA
1BD4C	di
1BD4D	ldaB	15, X; 1C612 = 01
1BD4F	oraB	0, Y; 01F9A = 00
1BD52	staB	0, Y; 01F9A = 01
1BD55	tAP
1BD56	ret; 003F3 = 31, 003F4 = AF, 003F5 = B6
; Bit 5 of L0088 set ($02 -> $22); returns with A = 0.
1AFB6	bset	L0088, #%00100000; 00088 = 02, 00088 = 22
1AFB9	clrA
1AFBA	brclr	L0088, #%00010000, LAFBF; 00088 = 22
1AFBF	ret; 003F5 = B6, 003F6 = 9E, 003F7 = F6
; LBDFA -> LBEEA, called right after the reply is staged.  Its relation to the
; upload itself is not visible in this capture; the values read are noted inline.
19EF6	call	LBDFA; 003F7 = F9, 003F6 = 9E
1BDFA	ldaA	L1F87; 01F87 = 00
1BDFD	beq	LBE06
; L1B8D ($76) is compared against the two ROM bytes at LC253/LC254 ($00, $F5).
1BE06	ldaA	L1B8D; 01B8D = 76
1BE09	cmpA	LC253; 1C253 = 00
1BE0C	bcs	LBE13
1BE0E	cmpA	LC254; 1C254 = F5
1BE11	bcs	LBE16
1BE16	brclr	L0089, #%00010000, LBE1D; 00089 = 09
; L0C00 ($10) is sampled with interrupts disabled and latched into L1F7B.
1BE1D	di
1BE1E	ldaA	L0C00; 00C00 = 10
1BE21	ldaB	L1F7B; 01F7B = 10
1BE24	staA	L1F7B; 01F7B = 10
1BE27	bitA	#%00001000
1BE29	beq	LBE5B
1BE5B	ei
1BE5C	call	LBEEA; 003F5 = 5F, 003F4 = BE
1BEEA	ldaA	L1F93; 01F93 = 00
1BEED	beq	LBEF8
; Fill the 8 bytes $1FAA-$1FB1 with $FF, interrupts disabled (all eight passes shown).
1BEF8	ldX	#$1FAA
1BEFB	ldaB	#$08
1BEFD	ldaA	#$FF
1BEFF	aBX
1BF00	di
1BF01	decX
1BF02	staA	0, X; 01FB1 = FF
1BF04	cmpX	#$1FAA
1BF07	bne	LBF01
1BF01	decX
1BF02	staA	0, X; 01FB0 = FF
1BF04	cmpX	#$1FAA
1BF07	bne	LBF01
1BF01	decX
1BF02	staA	0, X; 01FAF = FF
1BF04	cmpX	#$1FAA
1BF07	bne	LBF01
1BF01	decX
1BF02	staA	0, X; 01FAE = FF
1BF04	cmpX	#$1FAA
1BF07	bne	LBF01
1BF01	decX
1BF02	staA	0, X; 01FAD = FF
1BF04	cmpX	#$1FAA
1BF07	bne	LBF01
1BF01	decX
1BF02	staA	0, X; 01FAC = FF
1BF04	cmpX	#$1FAA
1BF07	bne	LBF01
1BF01	decX
1BF02	staA	0, X; 01FAB = FF
1BF04	cmpX	#$1FAA
1BF07	bne	LBF01
1BF01	decX
1BF02	staA	0, X; 01FAA = FF
1BF04	cmpX	#$1FAA
1BF07	bne	LBF01
1BF09	ei
1BF0A	brset	L0089, #%00001000, LBF11; 00089 = 09
1BF11	brclr	L0089, #%00000001, LBF34; 00089 = 09
; Then AND those 8 bytes with the ROM bytes at $C231-$C238, walking both
; pointers downward.  Only the first pass is captured; the loop continues
; past the end of this trace.
1BF15	ldX	#$C231
1BF18	ldY	#$1FAA
1BF1C	ldaB	#$08
1BF1E	aBX
1BF1F	aBY
1BF21	di
1BF22	decX
1BF23	decY
1BF25	ldaA	0, X; 1C238 = 00
1BF27	andA	0, Y; 01FB1 = FF
1BF2A	staA	0, Y; 01FB1 = 00
1BF2D	cmpY	#$1FAA
1BF31	bne	LBF22
sabercatpuck

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Well, I am starting to think that it automatically switches to 4x mode because, unlike the usual message buffer in the $00383 area, in this case it is ultimately using a single location at $00c01 for sending the data out, so I imagine it is switching to a different channel for comms. There seems to be a long timeout associated with it as well. It appears that $00c00 will get set to $03 when the data is pulled, or after the timeout.


; Fragment (starts mid-routine at A039) of the mode $35 transmit loop.
; Each data byte at Y is written to L0C01, then LA072 spins until the low
; two bits of L0C00 read $03 before the next byte is sent.  The byte count
; at 7,X is decremented per byte, and a 16-bit running sum of the bytes is
; accumulated in 16,X/17,X (clrA ; ldaB 0,Y ; addD 16,X) and transmitted
; after the data -- looks like a checksum, not confirmed here.
A039	LA039	staA	L0C01
A03C		bclr	1, X, #%00010000
A03F		ldY	10, X; get location of bytes to dump
A042	LA042	call	LA072
A045		ldD	7, X; get how many bytes to dump
A047		beq	LA05D
A049		subD	#$0001
A04C		stD	7, X
A04E		clrA	
A04F		ldaB	0, Y; get memory for mode 35
A052		staB	L0C01
A055		addD	16, X; running 16-bit sum of the bytes sent
A057		stD	16, X
A059		incY	
A05B		jr	LA042
;
; All bytes sent: emit the two sum bytes.  $0C is written to L0C00 before the
; last one (purpose not visible here), then 43,X is cleared.
A05D	LA05D	ldaA	16, X
A05F		staA	L0C01
A062		call	LA072
A065		ldaA	17, X
A067	LA067	ldaB	#$0C
A069		staB	L0C00
A06C		staA	L0C01
A06F		clr	43, X
A071	LA071	ret	
;
; LA072: wait until (L0C00 & 3) == 3.  There is no iteration limit in this
; loop; the calls to L5834/L5840 keep the COP timer alive while waiting.
A072	LA072:	ldaA	L0C00
A075		andA	#%00000011
A077		cmpA	#$03; had data been retrieved?
A079		bne	LA083; yes : return and get the next character
A07B		call	L5834; no : reset COP timer and try again
A07E		call	L5840
A081		jr	LA072
;
A083	LA083	ret	
sabercatpuck

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Well, since it looks like I may hit a wall until I have a 4x connection, I figured I would take a step back and start going over the memory map a bit better. First thing was the class 2 buffer. There seem to be two, I think one with the pointer at $01e3a/b and the second at $01e7b/c. Each buffer segment is exactly 16 bytes large and will appear in specific locations of:
01e4b output buffers
01e5b
01e6b

01de8 input buffers
01df8
01e08
01e18
01e28
planethax

Re: '99 Saturn Dissassembly

Post by planethax »

This is where I am, waiting for hardware capable of 4X Vpw
sabercatpuck

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

This is the complete entry point map for all modes supported on this ECM. All are in the 3rd upper memory block, so mode $01 would start physically at $188E3.

01 $88E3; Request Current Powertrain Diagnostic Data
02 $891B; Request Powertrain Freeze Frame Data
03 $8961; Request Powertrain Diagnostic Trouble Codes
04 $89F3; Request to Clear/Reset Diagnostic Trouble Codes
05 $8A07; Request O2 Sensor Monitoring Test Results
06 $8BB4; Request On-Board monitoring Test Results
07 $8DFC; Request Pending Powertrain Diagnostic Trouble Codes
08 $8E97; Request Device Control

10 $8F26; Initiate Diagnostic Operation
12 $8FE8; Request Diagnostic Freeze Frame Data
13 $9103; Request Diagnostic Trouble Code Information
14 $91e2; Clear Diagnostic Trouble Code Information
17 $91F9; Request Status of Diagnostic Trouble Codes
18 $946d; Request Diagnostic Trouble Codes by Status
19 $964e; Request Diagnostic Trouble Codes by Status
20 $98Ac; Return to Normal Operation
22 $98Dd; Request Diagnostic Data by PID
23 $991c; Request Diagnostic Data by Memory Address
25 $9963; Request to Stop Transmitting Data
27 $9971; Data Link Security Access
28 $99Fa; Disable Normal Message Transmission
29 $9A44; Enable Normal Message Transmission
2A $9A42; Request Diagnostic Data Packets
2B $9C28; Define Diagnostic Data Packet by Offset
2C $9C7c; Define Diagnostic Data Packet
31 $9DF6; Request Start Diagnostic Routine by Test Number
32 $9DF6; Request Stop Diagnostic Routine by Test Number
33 $9DF6; Request Diagnostic Routine Results by Test Number
34 $9E44; Request Download - tool to module
35 $9EA6; Request Upload - module to tool
3b $A4B6; Write Data Block
3c $A4B6; Read Data Block
3F $A8Cd; Test Device Present - No Operation Performed

A0 $A8D7; Request High Speed Mode
A1 $A8EE; Begin High Speed Mode
A8 $A908
AD $A916
AE $A921; Request Device Control
sabercatpuck

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Well, I have lots of stuff around the house to try and get done now that I am feeling a little bit better, so it may be a while before any more updates, but I thought I would post some of the commenting that I am putting together in the 3rd quadrant (focusing on that first because I can control what it is doing more easily).


; E8190: Class 2 message intake.  Walks the 16-byte input slots (pointer
; Cl2InputBufPtr, range $1DE8-$1E38) and copies each accepted message into
; the 16-byte output slots (pointer Cl2OutputBufPtr, range $1E4B-$1E7B).
; Byte 15 of a slot is $AA while it holds a fresh message and $00 once freed.
8190	E8190:
8190		ldY	Cl2InputBufPtr; load y with current input buffer pointer
8194		ldaA	15, Y; check last byte
8197		cmpA	#$AA; if it is $AA then it is a new message
8199		beq	L819E
819B		jmp	L8271
;
819E	L819E	ldaB	0, Y; load first byte of incoming message
81A1		xorB	#%00001000
81A3		bitB	#%00011000; check for 1 byte headder and IFR required
81A5		beq	L81AA; if so go here
81A7		jmp	L8253; if not go here (should go here more often)
;
81AA	L81AA	cmpB	#$E0; check low pri, 1 byte head, IFR req, Func addr, IFR type 2, func
81AC		bcs	L81B1
81AE		clr	L1F7E
81B1	L81B1	bitB	#%00000100
81B3		bne	L81C2
81B5		ldaA	1, Y
81B8		cmpA	#$6A; is it a functional request info packet
81BA		beq	L81F8
81BC		call	L82F1
81BF		jmp	L8253
;
; Physical addressing: second byte is either $FE or must match ModuleIDNum
; (or be $18 with bit 1 of L3B01 set) for the message to be kept.
81C2	L81C2	ldaA	1, Y
81C5		cmpA	#$FE
81C7		bne	L81E3
81C9		ldaB	3, Y
81CC		bitB	#%01000000
81CE		beq	L81D3
81D0		jmp	L8253
;
81D3	L81D3	ldaB	L3B01
81D6		bitB	#%00000010
81D8		beq	L81F8
81DA		pushY	
81DC		call	LC87B
81DF		popY	
81E1		jr	L81F8
;
81E3	L81E3	cmpA	ModuleIDNum
81E6		beq	L81F8
81E8		cmpA	#$18
81EA		bne	L8253
81EC		ldaB	L3B01
81EF		bitB	#%00000010
81F1		beq	L8253
81F3		call	LC87B
81F6		jr	L8253
;
; If the output slot still holds a message ($AA), set bit 3 of L1E80 and fall
; through to L8253: the input message is freed without being copied (dropped).
81F8	L81F8	ldX	Cl2OutputBufPtr; load current output buffer pointer
81FB		ldaA	15, X; load last byte of current output buffer
81FD		cmpA	#$AA; should be $00 if buffer is cleared
81FF		bne	L820B
8201		ldaA	L1E80
8204		oraA	#%00001000
8206		staA	L1E80
8209		jr	L8253
;
820B	L820B	ldD	0, Y; load first two numbers from the current input buffer
820E		stD	0, X; store first two numbers in the current output buffer
8210		ldD	2, Y; group 2 in
8213		stD	2, X; group 2 out
8215		ldD	4, Y; group 3 in
8218		stD	4, X; group 3 out
821A		ldD	6, Y; group 4 in
821D		stD	6, X; group 4 out
821F		ldD	8, Y; group 5 in
8222		stD	8, X; group 5 out
8224		ldD	10, Y; group 6 in 
8227		stD	10, X; group 6 out
8229		ldD	12, Y; group 7 in
822C		stD	12, X; group 7 out
822E		ldD	14, Y; group 8 in
8231		stD	14, X; group 8 out
8233		ldD	12, Y; load location of last real message byte
8236		subD	Cl2InputBufPtr; how long is the message (headder included)
8239		aBX; set x to location of last message byte in the output buffer	
823A		ldY	Cl2OutputBufPtr; load y with current output buffer
823E		stX	12, Y; save last message byte location in output current buffer
8241		ldD	Cl2OutputBufPtr; load d with current output buffer location
8244		addD	#$0010; add $10 to current location (set to next buffer location)
8247		cmpD	#$1E7B; is it at the end of the range for the output buffer?
824B		bcs	L8250; if not, jump
824D		ldD	#$1E4B; if so, then reset output buffer to $01e4b
8250	L8250	stD	Cl2OutputBufPtr; store new output buffer location in pointer
8253	L8253	ldY	Cl2InputBufPtr; load y with current input buffer location
8257		ldaA	#$00
8259		staA	15, Y; clear the $AA, make this buffer clear for new message
825C		ldD	Cl2InputBufPtr; load d with current input buffer location
825F		addD	#$0010; add $10 (set to next buffer)
8262		cmpD	#$1E38; is it at the upper end of the buffer
8266		bcs	L826B; if not jump
8268		ldD	#$1DE8; if it is reset to the lower limit
826B	L826B	stD	Cl2InputBufPtr; store the new input buffer location to the pointer
826E		jmp	E8190
;
; L8271: stage the next queued output message (pointer Cl2WorkOutBufPtr) into the
; scratch area at $0383 and hand it to the mode dispatcher L8883.  Bits 5 and 4
; of L0088 skip the staging when a reply is already in progress.
8271	L8271	brset	L0088, #%00100000, L8284
8275		brset	L0088, #%00010000, L82CC
8279		ldY	Cl2WorkOutBufPtr
827D		ldaA	15, Y
8280		cmpA	#$AA; valid current message?
8282		beq	L8286
8284	L8284	jr	L82F0
;
; Functional addressing: reply header = byte 0 with bit 5 cleared, $6B, module id.
8286	L8286	ldX	#$0383
8289		ldaB	0, Y; get first byte
828C		bitB	#%00000100; functional or physical addressing?
828E		bne	L82A2; jump if physical addressing
8290		ldaA	0, Y
8293		andA	#%11011111
8295		staA	0, X
8297		ldaA	#$6B
8299		staA	1, X
829B		ldaA	ModuleIDNum
829E		staA	2, X
82A0		jr	L82B1
;
82A2	L82A2	ldaA	0, Y; load first byte
82A5		staA	0, X; store in ram scratch pad $00383
82A7		ldaA	2, Y; load 3rd byte
82AA		staA	1, X; store in 2nd byte location
82AC		ldaA	ModuleIDNum; location of module id #
82AF		staA	2, X; store in 3rd byte location (reply message format)
82B1	L82B1	ldD	12, Y; load message length including headder
82B4		subD	Cl2WorkOutBufPtr; subtract out message pointer, leaving just bytes in Breg
82B7		subB	#$03; subtract the 3 byte headder leaving just number of message bytes
82B9		staB	L1E7F; store working message length - headder
; NOTE(review): the copy below is decB/bne with no pre-test, so a length of 0
; (a message of exactly 3 bytes) would wrap B and run 256 times; whether such a
; message can reach this point is not visible in this listing.
82BC	L82BC	ldaA	3, Y; load message byte from 3 +Y
82BF		staA	3, X; store message byte to 3 + X
82C1		incX	
82C2		incY	
82C4		decB	
82C5		bne	L82BC; keep doing until complete message loaded in ram
82C7		ldaA	#$01
82C9		staA	L1E82
; A non-zero result from L8883 leaves the slot in place (L82F0, not shown);
; zero frees the slot and advances the pointer with the same $1E7B -> $1E4B wrap.
82CC	L82CC	call	L8883
82CF		tstA	
82D0		bne	L82F0
82D2		ldY	Cl2WorkOutBufPtr
82D6		ldaA	#$00
82D8		staA	15, Y
82DB		ldD	Cl2WorkOutBufPtr
82DE		addD	#$0010
82E1		cmpD	#$1E7B
82E5		bcs	L82EA
82E7		ldD	#$1E4B
82EA	L82EA	stD	Cl2WorkOutBufPtr
82ED		jmp	L8271


; Mode handler vector tables, one 16-bit entry per mode, indexed by
; 2 * (mode - base) from L8883 (base $87F5 for $01-$08, $8805 for $10-$3F,
; $8865 for $A0-$AE).  $0000 marks an unsupported mode.  Each entry points
; 4 bytes before the handler: bytes 0 and 1 hold the max/min data length
; checked at 88BD-88C6, and the code is entered with jmp 4,X at 88D3
; (e.g. $9EA2 for mode $35 -> handler at $9EA6).
87F5		dw	$88DF, $8917, $895D, $89EF, $8A03; Mode $01 TO $05 Entry Point
87FF		dw	$8BB0, $8DF8, $8E93; Mode $06 TO $08 Entry Point
8805		dw	$8F22, $0000, $8FE4, $90FF, $91DE; Mode $10 TO $14 Entry Point
880F		dw	$0000, $0000, $91F5, $9469, $964A; Mode $15 TO $19 Entry Point
8819		dw	$0000, $0000, $0000, $0000, $0000; Mode $1A TO $1E Entry Point
8823		dw	$0000, $98A8, $0000, $98D9, $9918; Mode $1F TO $23 Entry Point
882D		dw	$0000, $995F, $0000, $996D, $99F6; Mode $24 TO $28 Entry Point
8837		dw	$9A40, $9A4E, $9C24, $9C78, $0000; Mode $29 TO $2D Entry Point
8841		dw	$0000, $0000, $0000, $9DF2, $9DF2; Mode $2E TO $32 Entry Point
884B		dw	$9DF2, $9E40, $9EA2, $0000, $0000; Mode $33 TO $37 Entry Point
8855		dw	$0000, $0000, $0000, $A4B2, $A4B2; Mode $38 TO $3C Entry Point
885F		dw	$0000, $0000, $A8C9; Mode $3D TO $3F Entry Point
8865		dw	$A8D3, $A8EA, $0000, $0000, $0000; Mode $A0 TO $A4 Entry Point
886F		dw	$0000, $0000, $0000, $A904, $0000; Mode $A5 TO $A9 Entry Point
8879		dw	$0000, $0000, $0000, $A912, $A91D; Mode $AA TO $AE Entry Point

;
; L8883: mode dispatcher.  Reads the mode byte from $0386, masks off bit 6
; (the reply marker), selects the vector table for the mode range, validates
; the staged data length (L1E7F) against the entry's max/min bytes, and jumps
; to the handler.  Unsupported modes and bad lengths leave via L88D9 / L8899.
8883	L8883:	ldaB	L0386; what mode number?
8886		andB	#%10111111
8888		tBA	; A keeps the masked mode for the error path at 88C8
8889		beq	L8899
888B		cmpB	#$08
888D		bhi	L8895; if mode 8 or more jump
888F		ldX	#$87F5; Load vector table for mode $01 to $08
8892		decB	; set so mode 1 is the 0 position in the vector table etc.
8893		jr	L88B3
;
8895	L8895	subB	#$10; subtract $10 for formatting to for jump table
8897		bcc	L889F; should jump unless mode 9
8899	L8899	bclr	L0088, #%00010000
889C		jmp	LAFB9
;
889F	L889F	cmpB	#$2F; check if mode $10 to $3f is selected
88A1		bhi	L88A8; jump if not
88A3		ldX	#$8805; location of the vector table for mode $10 to 3F
88A6		jr	L88B3
;
88A8	L88A8	subB	#$90; is it mode $Ax
88AA		bcs	L88D9
88AC		cmpB	#$0E
88AE		bhi	L88D9
88B0		ldX	#$8865; location of vector table for mode $A0 to $AE
88B3	L88B3	aBX	; add modified mode number twice to get jump vector
88B4		aBX	
88B5		ldX	0, X
88B7		beq	L88D9; branch if mode not supported
; Length check is skipped when bit 4 of L0088 is already set (L88D5, not shown).
88B9		brset	L0088, #%00010000, L88D5
88BD		ldaB	L1E7F; check that message has the correct packet length
88C0		cmpB	0, X
88C2		bhi	L88C8; jump if message is too long
88C4		cmpB	1, X
88C6		bcc	L88D0; jump if message is not too short
; Length mismatch: modes below $10 go to L8899; others load $12 -- presumably a
; negative-response code (TODO confirm at L88DB).
88C8	L88C8	cmpA	#$10
88CA		bcs	L8899
88CC		ldaA	#$12
88CE		jr	L88DB
;
88D0	L88D0	bset	L0088, #%00010000
88D3		jmp	4, X; jump to extended mode entry at 4 + (Vect(2x(Mode-$10) + $8805))


; Fragment of the mode $27 (Data Link Security Access) handler.  The seed is
; taken straight from RAM at L0E00 and placed in the reply; the key received
; in the request ($0388) is compared with the 16-bit value at L0E02.  Whether
; L0E02 is derived from the seed is not visible here.  Flag bits in L008C:
; bit 2 = seed has been issued (set 99AA, tested 99BF, cleared 99C7);
; bit 1 = one bad key already seen (set 99D6, tested 99D2).
99A4	L99A4	ldX	L0E00 ; load the seed from memory
99A7	L99A7	stX	L0388 ; put the seed in the outgoing message
99AA		bset	L008C, #%00000100
99AD		ldaA	#$04
99AF		jr	L99F3
;
; Response code $37 when L1E93 is non-zero (meaning of L1E93 not visible here).
99B1	L99B1	tst	L1E93
99B4		beq	L99BF
99B6		ldaA	#$37
99B8	L99B8	staA	L0388 ; store respone code (33, 34, 35, 36, 37)
99BB		ldaA	#$03
99BD		jr	L99F3
;
; Key sent without a seed having been issued first -> response code $33.
99BF	L99BF	brset	L008C, #%00000100, L99C7
99C3		ldaA	#$33
99C5		jr	L99B8
;
99C7	L99C7	bclr	L008C, #%00000100
99CA		ldX	L0388 ; load the key being tried
99CD		cmpX	L0E02 ; compare to one in memory
99D0		beq	L99E9 ; branch if it is the correct key
; Second consecutive bad key goes to L99DD (outside this listing).
99D2		brset	L008C, #%00000010, L99DD
99D6		bset	L008C, #%00000010
99D9		ldaA	#$35 ;  set error code 35, bad key 1st try
99DB		jr	L99B8
sabercatpuck

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

I figured I would put in a quick update. I have gotten some of the other projects somewhat more under control, so hopefully I will be able to work on this again soon (although we are now moving into spring and that means mowing the lawn will be in the mix soon too), but I have not been totally idle: I have been learning VBA for Excel so I could better learn to manipulate the data coming back from the logic analyzer. See a code snippet below for some of what I have put together. This starts by arranging the data better, then I move into a reverse assembler so I can put the data back together as readable assembly code with better information. When I get this done I will post it in the tools section.


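' Normalises a logic-analyser capture on the active sheet in place.
' If A1 reads "Time" the two leading columns and the header row are removed
' and columns A:B are forced to text format.  Column A (address) is then
' left-padded with "0" to 5 hex digits and column B (data byte) to 2, both
' upper-cased.  A second worksheet is created if needed and "Sheet2" column A
' is widened to receive the disassembly output.
Private Sub CommandButton1_Click()
    Dim x As Long
    ' A capture exported with a time column has "Time" in A1.
    If Range("a1") = "Time" Then
        Columns("a:b").Select
        Selection.Delete Shift:=xlToLeft
        Rows("1:1").Select
        Selection.Delete Shift:=xlUp
        Columns("a:b").Select
        Selection.NumberFormat = "@"
    End If
    ' NOTE(review): the added sheet is assumed to be named "Sheet2" -- confirm
    ' this holds when the workbook already contains differently named sheets.
    If Application.Sheets.Count = 1 Then Sheets.Add After:=ActiveSheet
    Worksheets("Sheet2").Columns("A:A").ColumnWidth = 20
    AddIns("Analysis ToolPak").Installed = True
    AddIns("Analysis ToolPak - VBA").Installed = True
    ' Row count comes from the first worksheet while the cells are read from
    ' the active sheet, as in the original (assumes they are the same sheet).
    For x = 1 To ThisWorkbook.Worksheets(1).UsedRange.Rows.Count
        Range("a" & CStr(x)) = PadHex(CStr(Range("a" & CStr(x))), 5)
        Range("b" & CStr(x)) = PadHex(CStr(Range("b" & CStr(x))), 2)
    Next x
End Sub

' Left-pads hextext with "0" to width characters and upper-cases it.
' A value already at or beyond width is returned upper-cased but not
' truncated, matching the original If/ElseIf chain.
Private Function PadHex(ByVal hextext As String, ByVal width As Integer) As String
    If Len(hextext) < width Then hextext = String(width - Len(hextext), "0") & hextext
    PadHex = UCase(hextext)
End Function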


' Dispatches the opcode byte in B1 to its decoder.  Only LDD ($FC) and
' SUBD ($B3) are handled so far; any other value does nothing.
Private Sub CommandButton2_Click()
    Dim row As Long
    Dim opcode As Variant
    row = 1
    opcode = Range("b" & CStr(row))
    If opcode = "FC" Then
        LDD_FC
    ElseIf opcode = "B3" Then
        SUBD_B3
    End If
End Sub
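' Decodes an extended LDD (opcode $FC) whose opcode byte is on row 1 of the
' active sheet and writes one disassembly line to Sheet2!A1.
' Column A holds the bus address (hex) and column B the byte seen there.
' The capture may contain unrelated rows between the bytes of interest, so
' each byte is located by scanning forward for the expected address:
'   opcode + 1, opcode + 2  -> operand address hh ll
'   hh ll, hh ll + 1        -> the two bytes the load actually read
' Nothing is written if an expected address is not found before the row
' limit for that step (5, 6, 7, 8, as in the original).
Private Sub LDD_FC()
    Dim addr As Long
    Dim x As Long
    Dim hh As String
    Dim ll As String
    Dim hhll As String
    Dim hhll1 As String

    x = 1
    addr = WorksheetFunction.Hex2Dec(Range("a" & CStr(x)).Value)

    ' Operand high byte at opcode address + 1.
    addr = addr + 1
    x = FindAddressRow(addr, x + 1, 5)
    If x = 0 Then Exit Sub
    hh = Range("b" & CStr(x))

    ' Operand low byte at opcode address + 2.
    addr = addr + 1
    x = FindAddressRow(addr, x + 1, 6)
    If x = 0 Then Exit Sub
    ll = Range("b" & CStr(x))
    hhll = hh & ll

    ' First byte fetched by the load, at the operand address.
    addr = WorksheetFunction.Hex2Dec(hhll)
    x = FindAddressRow(addr, x + 1, 7)
    If x = 0 Then Exit Sub
    hh = Range("b" & CStr(x))

    ' Second byte fetched, at operand address + 1 (shown as hhll1 in the output).
    addr = addr + 1
    hhll1 = WorksheetFunction.Dec2Hex(addr)
    x = FindAddressRow(addr, x + 1, 8)
    If x = 0 Then Exit Sub
    ll = Range("b" & CStr(x))

    Worksheets("Sheet2").Range("a1") = "LDD #" & hhll & " ;" & hhll & " = $" & hh & ", " & hhll1 & " = $" & ll
End Sub

' Returns the first row >= startRow and < limitRow whose column-A address
' equals addr, or 0 when none is found.  The original scans were written as
' "Do While (addr <> ... Or x = N)", which keeps looping at row N instead of
' stopping, so the "If x = N Then Exit Sub" guards could never fire and a
' missing address ran off the end of the data; limitRow is now a real cut-off.
Private Function FindAddressRow(ByVal addr As Long, ByVal startRow As Long, ByVal limitRow As Long) As Long
    Dim x As Long
    x = startRow
    Do While x < limitRow
        If addr = WorksheetFunction.Hex2Dec(Range("a" & CStr(x)).Value) Then
            FindAddressRow = x
            Exit Function
        End If
        x = x + 1
    Loop
    FindAddressRow = 0
End Function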
' Placeholder decoder for SUBD (opcode $B3): writes only the mnemonic to Sheet2!A2.
Private Sub SUBD_B3()
    With Worksheets("Sheet2")
        .Range("a2") = "SUBD"
    End With
End Sub
' Auto-generated worksheet event stub; intentionally empty.
Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub