'99 Saturn Dissassembly

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
beyerch
Posts: 26
Joined: Sat May 22, 2010 8:36 am
cars: all kinds

Re: '99 Saturn Dissassembly

Post by beyerch »

Very good info!
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Next up I am going to make a list of indirect memory pointers (where the x or y register is used as a moving pointer) such as is seen in this section of code in ES2:


; Excerpt as posted. X walks a ROM table from $96C0 in 8-byte records.
; Each pass copies one record into the fixed window L16E0-L16E7, stores Y at 0,Y,
; then advances Y by 2 and X by 8. The loop repeats while X < $9EC0 (bcs = unsigned
; lower), i.e. ($9EC0-$96C0)/8 = 256 passes; the last byte read is $9EBF and Y
; ends at $1600.
; NOTE(review): the record bytes always land in L16E0-L16E7, not at $1400+; only the
; value of Y itself is written into the $1400 region. This looks like a
; latch-then-commit load of an indexed device or table rather than a plain block
; copy - confirm against the memory map.
812D		ldX	#$96C0	; X = source pointer, start of the ROM table
8130		ldY	#$1400	; Y = destination index, advanced by 2 per record
8134	L8134	ldD	0, X	; record bytes 0-1
8136		stD	L16E0
8139		ldD	2, X	; record bytes 2-3
813B		stD	L16E2
813E		ldD	4, X	; record bytes 4-5
8140		stD	L16E4
8143		ldD	6, X	; record bytes 6-7
8145		stD	L16E6
8148		stY	0, Y	; writes the value of Y to the address held in Y
814B		incY	
814D		incY	; Y += 2
814F		ldaB	#$08	; record size
8151		aBX	; X += 8, next record
8152		cmpX	#$9EC0	; exclusive end bound of the table
8155		bcs	L8134	; loop while X < $9EC0 (unsigned)
8157		ldD	#$0000
815A		stD	L16F0	; clear L16F0-L16F1 once the table has been walked
815D	L815D	ret	
The first couple of lines imply that there is a section of data stored at $96c0 that is going to be moved to RAM at location $1400. The CMPX later on says that the last byte of data would be $9ec0, so thus this data:


; ROM table read by the loop at L8134: X starts at $96C0 and advances 8 bytes per pass
; while X < $9EC0, so the loop consumes 256 records of 8 bytes ($96C0-$9EBF).
; The listing is broken every 10 bytes (9 on this first line), so its lines do not line
; up with record boundaries, and its last line (9EB8) runs through $9EC1 - two bytes
; past the last byte the loop reads.
96C0		db	$00, $00, $86, $0A, $86, $12, $00, $DE, $00
96C9		db	$00, $83, $6A, $80, $12, $00, $58, $00, $00, $81
96D3		db	$10, $80, $02, $00, $88, $04, $41, $80, $20, $E8
96DD		db	$02, $80, $6A, $00, $00, $03, $78, $00, $02, $00
96E7		db	$10, $00, $00, $02, $D0, $58, $E2, $00, $D9, $00
96F1		db	$00, $02, $C0, $58, $02, $00, $D9, $00, $00, $02
96FB		db	$C0, $59, $A2, $00, $C9, $2B, $00, $03, $91, $58
9705		db	$12, $00, $19, $00, $00, $00, $58, $59, $F2, $00
970F		db	$39, $00, $00, $02, $B0, $59, $C2, $00, $29, $00
9719		db	$00, $02, $B0, $E0, $02, $88, $6A, $00, $00, $02
9723		db	$D8, $00, $02, $F3, $10, $00, $00, $00, $72, $0D
972D		db	$02, $DA, $DF, $40, $00, $04, $19, $01, $F3, $00
9737		db	$1A, $00, $00, $80, $80, $00, $02, $D0, $60, $80
9741		db	$00, $03, $E0, $00, $E2, $D2, $10, $00, $00, $80
974B		db	$9A, $CF, $E2, $E3, $BB, $79, $00, $80, $8D, $C8
9755		db	$12, $04, $7B, $00, $00, $82, $0A, $BE, $13, $04
975F		db	$CB, $79, $00, $00, $8B, $76, $52, $00, $19, $00
9769		db	$00, $86, $BA, $B6, $13, $04, $CB, $00, $00, $86
9773		db	$A8, $C8, $02, $00, $BB, $79, $00, $80, $B5, $C9
977D		db	$F2, $04, $7B, $00, $00, $02, $08, $00, $02, $00
9787		db	$10, $19, $2D, $00, $C9, $00, $12, $00, $70, $19
9791		db	$2D, $00, $D1, $00, $12, $40, $70, $19, $2D, $00
979B		db	$D9, $00, $12, $38, $70, $19, $2D, $00, $E1, $00
97A5		db	$12, $78, $70, $00, $00, $84, $F8, $58, $02, $00
97AF		db	$39, $1D, $00, $04, $F9, $07, $D2, $00, $10, $00
97B9		db	$00, $81, $08, $80, $02, $00, $88, $02, $86, $0E
97C3		db	$38, $00, $00, $00, $10, $04, $41, $81, $10, $E8
97CD		db	$02, $B8, $6A, $D0, $00, $03, $71, $5C, $02, $00
97D7		db	$1B, $00, $00, $01, $28, $59, $F2, $00, $39, $00
97E1		db	$00, $01, $30, $59, $C2, $00, $29, $3A, $00, $04
97EB		db	$D1, $88, $02, $33, $19, $00, $00, $05, $20, $59
97F5		db	$E2, $00, $39, $00, $00, $05, $20, $59, $B2, $00
97FF		db	$39, $F3, $00, $05, $1B, $7F, $62, $00, $1F, $00
9809		db	$00, $81, $50, $E8, $02, $BC, $6A, $80, $00, $02
9813		db	$EC, $06, $32, $D4, $60, $04, $41, $02, $E0, $00
981D		db	$02, $00, $10, $00, $00, $83, $2A, $57, $82, $00
9827		db	$A9, $F9, $9E, $06, $23, $57, $80, $00, $19, $00
9831		db	$00, $05, $AA, $0F, $B2, $00, $BF, $00, $00, $01
983B		db	$8A, $C6, $22, $00, $BF, $FB, $2A, $85, $A9, $06
9845		db	$10, $00, $10, $63, $00, $03, $40, $78, $06, $00
984F		db	$19, $06, $40, $0B, $68, $00, $00, $00, $10, $00
9859		db	$84, $76, $88, $00, $00, $00, $10, $00, $00, $76
9863		db	$88, $00, $02, $00, $10, $50, $00, $04, $E9, $88
986D		db	$02, $00, $15, $00, $00, $86, $00, $04, $02, $00
9877		db	$B0, $7F, $00, $86, $05, $FC, $02, $00, $4B, $7E
9881		db	$00, $06, $01, $F0, $12, $00, $1B, $00, $00, $01
988B		db	$F0, $80, $02, $00, $88, $80, $00, $04, $00, $00
9895		db	$F2, $D0, $70, $80, $00, $04, $00, $00, $E2, $00
989F		db	$10, $80, $00, $01, $CC, $04, $02, $D0, $60, $00
98A9		db	$00, $01, $D0, $80, $02, $00, $88, $10, $00, $01
98B3		db	$D1, $02, $02, $00, $10, $00, $00, $82, $0A, $06
98BD		db	$82, $E3, $FA, $40, $00, $81, $FD, $00, $12, $04
98C7		db	$7A, $79, $00, $00, $A9, $70, $02, $00, $19, $3B
98D1		db	$00, $02, $1F, $D7, $D2, $FB, $DB, $2D, $00, $04
98DB		db	$D9, $68, $12, $CB, $19, $FD, $9B, $00, $E9, $06
98E5		db	$12, $00, $60, $80, $00, $82, $34, $06, $32, $D4
98EF		db	$60, $00, $00, $82, $3A, $FE, $12, $00, $DA, $04
98F9		db	$41, $07, $40, $00, $02, $D6, $10, $00, $00, $05
9903		db	$12, $8E, $F2, $00, $FF, $ED, $00, $02, $71, $60
990D		db	$02, $00, $1B, $00, $00, $05, $32, $C0, $32, $00
9917		db	$5B, $78, $00, $05, $31, $00, $02, $00, $10, $02
9921		db	$36, $0E, $C8, $00, $00, $DC, $60, $F3, $00, $05
992B		db	$3B, $97, $62, $00, $1F, $EE, $00, $05, $57, $66
9935		db	$72, $00, $C9, $EE, $00, $05, $53, $70, $02, $00
993F		db	$1F, $EC, $00, $02, $81, $76, $CF, $00, $1F, $EC
9949		db	$00, $02, $91, $06, $C6, $00, $10, $00, $00, $05
9953		db	$5A, $66, $72, $00, $C9, $EC, $00, $05, $5B, $60
995D		db	$02, $00, $1F, $00, $00, $00, $48, $E0, $02, $90
9967		db	$7A, $2F, $00, $00, $49, $07, $62, $00, $10, $00
9971		db	$00, $02, $D8, $E0, $02, $8C, $6A, $00, $00, $02
997B		db	$D8, $00, $02, $F7, $10, $00, $00, $02, $D2, $0E
9985		db	$B2, $00, $49, $2B, $06, $82, $D1, $00, $02, $00
998F		db	$10, $2B, $06, $82, $DD, $58, $12, $FB, $C9, $EB
9999		db	$00, $05, $69, $08, $0A, $00, $19, $06, $42, $09
99A3		db	$B0, $00, $00, $00, $10, $E3, $00, $02, $F1, $0E
99AD		db	$32, $D7, $10, $00, $00, $05, $72, $D6, $32, $00
99B7		db	$BA, $E3, $00, $05, $71, $00, $02, $00, $10, $E2
99C1		db	$00, $03, $01, $DE, $2F, $00, $19, $5F, $00, $85
99CB		db	$C9, $D6, $22, $00, $19, $00, $00, $85, $98, $E0
99D5		db	$02, $84, $6A, $00, $00, $05, $92, $8F, $B2, $00
99DF		db	$2A, $00, $00, $01, $72, $E6, $13, $C4, $C8, $F8
99E9		db	$00, $05, $A1, $DF, $52, $C7, $1A, $00, $00, $DD
99F3		db	$BA, $52, $12, $CE, $30, $00, $00, $55, $B8, $00
99FD		db	$02, $CE, $10, $40, $00, $03, $40, $02, $07, $00
9A07		db	$10, $E2, $00, $05, $E3, $A2, $02, $00, $1F, $E2
9A11		db	$00, $03, $51, $7E, $2F, $00, $19, $FB, $00, $05
9A1B		db	$E9, $8E, $22, $00, $19, $02, $86, $0E, $30, $00
9A25		db	$00, $00, $10, $00, $00, $06, $0A, $80, $12, $00
9A2F		db	$48, $00, $00, $81, $0A, $05, $02, $00, $A8, $C0
9A39		db	$00, $03, $8B, $74, $02, $43, $1B, $00, $00, $86
9A43		db	$1A, $04, $02, $42, $C8, $C0, $00, $03, $81, $0C
9A4D		db	$02, $00, $10, $31, $96, $04, $89, $07, $D2, $00
9A57		db	$10, $40, $95, $05, $FE, $BF, $62, $CC, $6F, $FB
9A61		db	$95, $05, $F9, $DA, $02, $00, $1F, $00, $00, $83
9A6B		db	$B0, $E8, $02, $B4, $7A, $E2, $00, $06, $49, $00
9A75		db	$02, $00, $10, $E2, $00, $03, $B9, $DE, $2F, $00
9A7F		db	$19, $D0, $00, $06, $51, $D6, $22, $00, $19, $C0
9A89		db	$00, $03, $DF, $06, $32, $00, $5A, $C0, $00, $03
9A93		db	$D9, $34, $02, $00, $1F, $00, $00, $06, $42, $72
9A9D		db	$12, $00, $30, $20, $85, $03, $E8, $D0, $12, $DB
9AA7		db	$1A, $00, $00, $00, $70, $00, $02, $D4, $70, $40
9AB1		db	$00, $03, $F9, $00, $12, $00, $1A, $00, $00, $00
9ABB		db	$72, $06, $62, $00, $5A, $C0, $00, $04, $09, $0C
9AC5		db	$02, $00, $10, $00, $00, $06, $62, $D4, $02, $00
9ACF		db	$FA, $C0, $00, $06, $61, $00, $02, $00, $10, $00
9AD9		db	$00, $04, $28, $00, $02, $00, $CA, $D0, $00, $04
9AE3		db	$29, $06, $12, $DB, $10, $00, $00, $04, $38, $82
9AED		db	$12, $00, $8E, $D0, $00, $04, $39, $0D, $02, $00
9AF7		db	$10, $00, $00, $04, $4A, $80, $12, $00, $4E, $D0
9B01		db	$00, $04, $4B, $15, $02, $00, $10, $40, $00, $01
9B0B		db	$E0, $05, $02, $D8, $70, $40, $00, $01, $E2, $72
9B15		db	$12, $00, $10, $C0, $00, $86, $B7, $14, $02, $00
9B1F		db	$F0, $C0, $00, $06, $B7, $0C, $02, $00, $F0, $70
9B29		db	$00, $87, $2D, $81, $E2, $00, $BB, $70, $00, $07
9B33		db	$2D, $81, $F2, $00, $BB, $00, $00, $86, $D8, $E0
9B3D		db	$02, $A8, $6A, $00, $00, $06, $D8, $00, $02, $EB
9B47		db	$10, $F6, $00, $04, $91, $08, $02, $00, $19, $F7
9B51		db	$00, $04, $C9, $78, $02, $00, $19, $00, $00, $87
9B5B		db	$10, $00, $02, $00, $70, $60, $00, $07, $09, $06
9B65		db	$12, $00, $70, $00, $00, $87, $20, $88, $02, $80
9B6F		db	$7B, $00, $00, $04, $A8, $00, $02, $42, $10, $00
9B79		db	$00, $87, $30, $88, $02, $B8, $7B, $00, $00, $04
9B83		db	$B8, $00, $02, $7A, $10, $2A, $00, $01, $19, $57
9B8D		db	$42, $00, $19, $F5, $8E, $02, $11, $50, $02, $00
9B97		db	$19, $F3, $00, $04, $E3, $8F, $62, $00, $1F, $2C
9BA1		db	$00, $04, $F1, $07, $12, $00, $10, $E1, $00, $01
9BAB		db	$A9, $0E, $12, $00, $10, $F1, $00, $05, $01, $07
9BB5		db	$62, $00, $10, $00, $00, $02, $20, $00, $02, $00
9BBF		db	$70, $E7, $00, $02, $41, $07, $12, $00, $10, $21
9BC9		db	$99, $00, $2B, $EF, $D2, $00, $18, $ED, $00, $02
9BD3		db	$71, $68, $02, $00, $1B, $EF, $00, $02, $A9, $07
9BDD		db	$62, $00, $10, $EA, $00, $05, $29, $07, $D2, $00
9BE7		db	$10, $78, $00, $02, $51, $C0, $12, $32, $1B, $80
9BF1		db	$00, $02, $60, $C0, $02, $00, $1B, $F2, $00, $05
9BFB		db	$41, $07, $62, $00, $10, $E7, $00, $05, $49, $07
9C05		db	$22, $00, $10, $2C, $00, $02, $71, $07, $12, $00
9C0F		db	$10, $67, $00, $02, $80, $06, $D2, $00, $10, $2F
9C19		db	$00, $05, $61, $67, $22, $00, $1F, $EC, $00, $02
9C23		db	$A1, $00, $02, $00, $10, $EB, $06, $85, $B1, $06
9C2D		db	$BA, $00, $10, $E2, $86, $05, $79, $00, $02, $00
9C37		db	$10, $67, $00, $03, $00, $F0, $02, $00, $1A, $00
9C41		db	$00, $05, $8A, $D6, $12, $03, $CF, $FC, $00, $03
9C4B		db	$11, $F6, $12, $00, $19, $FB, $00, $01, $71, $88
9C55		db	$02, $CA, $1A, $00, $00, $03, $28, $00, $02, $C8
9C5F		db	$70, $F8, $00, $01, $61, $FF, $82, $CA, $1F, $00
9C69		db	$00, $03, $32, $E6, $12, $02, $CF, $7A, $8D, $01
9C73		db	$49, $D0, $02, $00, $19, $3D, $00, $05, $C1, $8E
9C7D		db	$F2, $00, $1F, $3D, $00, $05, $D1, $EF, $22, $00
9C87		db	$19, $00, $00, $05, $80, $E0, $02, $00, $9A, $FA
9C91		db	$00, $05, $D9, $EF, $B2, $00, $19, $FA, $00, $05
9C9B		db	$CB, $FF, $A2, $00, $19, $67, $00, $03, $52, $0F
9CA5		db	$92, $00, $10, $FB, $00, $05, $F3, $E7, $B2, $CF
9CAF		db	$19, $1C, $2A, $83, $23, $47, $B0, $00, $10, $FA
9CB9		db	$00, $81, $B1, $9F, $A2, $00, $1F, $C0, $00, $03
9CC3		db	$61, $00, $02, $42, $10, $D0, $00, $06, $13, $04
9CCD		db	$02, $00, $18, $D0, $00, $00, $01, $85, $02, $00
9CD7		db	$18, $D0, $00, $06, $29, $7E, $12, $00, $1B, $E2
9CE1		db	$9D, $01, $79, $57, $F2, $00, $19, $00, $00, $00
9CEB		db	$FA, $86, $12, $00, $CE, $10, $00, $01, $91, $00
9CF5		db	$12, $00, $10, $10, $00, $01, $91, $00, $02, $00
9CFF		db	$10, $80, $00, $03, $A8, $00, $F2, $D3, $10, $67
9D09		db	$00, $03, $B8, $80, $02, $00, $18, $D0, $00, $06
9D13		db	$5B, $75, $02, $00, $1B, $40, $00, $03, $C9, $00
9D1D		db	$02, $00, $18, $D0, $00, $00, $69, $DD, $02, $00
9D27		db	$19, $C0, $00, $06, $77, $0C, $02, $00, $F0, $C0
9D31		db	$00, $04, $5F, $05, $02, $42, $E8, $70, $00, $07
9D3B		db	$3D, $81, $F2, $00, $BB, $76, $00, $06, $91, $A7
9D45		db	$D2, $00, $1B, $80, $00, $03, $A8, $00, $E2, $D2
9D4F		db	$10, $2E, $00, $06, $99, $90, $02, $00, $1B, $E5
9D59		db	$00, $06, $A1, $98, $02, $00, $1B, $E8, $00, $00
9D63		db	$99, $07, $E2, $00, $1A, $40, $00, $01, $F9, $06
9D6D		db	$52, $00, $1A, $C0, $00, $06, $6D, $01, $F2, $43
9D77		db	$A8, $00, $35, $06, $C8, $00, $02, $DE, $10, $00
9D81		db	$79, $06, $D2, $B6, $12, $E7, $CB, $77, $7A, $06
9D8B		db	$81, $AF, $D2, $DF, $1B, $00, $00, $06, $C2, $BE
9D95		db	$12, $E7, $CB, $00, $00, $06, $E2, $C6, $A2, $00
9D9F		db	$28, $18, $00, $06, $E9, $06, $A2, $00, $10, $E4
9DA9		db	$00, $06, $F1, $D6, $A2, $00, $18, $00, $00, $06
9DB3		db	$FA, $26, $12, $27, $CF, $E4, $00, $07, $01, $DE
9DBD		db	$42, $00, $18, $00, $00, $04, $7A, $26, $12, $26
9DC7		db	$CF, $30, $00, $07, $11, $80, $12, $00, $19, $50
9DD1		db	$00, $07, $19, $06, $12, $00, $60, $20, $00, $04
9DDB		db	$A1, $00, $12, $00, $19, $00, $00, $04, $A8, $00
9DE5		db	$02, $43, $10, $70, $00, $06, $7D, $51, $F2, $37
9DEF		db	$AB, $00, $00, $04, $B8, $00, $02, $7B, $10, $70
9DF9		db	$00, $04, $6F, $56, $02, $36, $EB, $06, $42, $89
9E03		db	$B0, $00, $00, $00, $10, $00, $00, $00, $00, $00
9E0D		fill	$00, 51
9E40		db	$20, $00, $07, $8D, $01, $F6, $01, $69, $00, $00
9E4A		db	$07, $85, $00, $22, $01, $78, $D0, $00, $07, $9B
9E54		db	$FD, $0A, $03, $67, $50, $00, $87, $91, $85, $02
9E5E		db	$02, $7A, $00, $00, $07, $A8, $00, $02, $C2, $70
9E68		db	$00, $00, $07, $A0, $00, $02, $C3, $60, $30, $00
9E72		db	$07, $BD, $80, $46, $41, $69, $10, $00, $07, $B5
9E7C		db	$80, $82, $41, $78, $C0, $00, $87, $C9, $54, $0A
9E86		db	$43, $65, $40, $00, $07, $C1, $04, $02, $42, $7A
9E90		db	$23, $43, $0F, $D8, $88, $02, $00, $1B, $E3, $00
9E9A		db	$87, $D9, $0E, $3F, $00, $1B, $E1, $00, $87, $E3
9EA4		db	$16, $1F, $00, $1F, $84, $02, $87, $E8, $0A, $13
9EAE		db	$00, $10, $84, $01, $87, $F0, $0A, $13, $00, $10
9EB8		db	$84, $41, $87, $F8, $0A, $13, $00, $10, $00, $9D
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: '99 Saturn Dissassembly

Post by antus »

Good to see your project is still alive and you're still at it. Keep up the good work :thumbup:
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Well, starting to get back into this project now that the working prototype of the reverse assembler is going (should be finished with the rough draft in the next couple days). I got the flash returned to stock and started getting new data sets from them and started adding in some of the comments that I had made before and a few new ones. The bit below is what I got back by sending 6a 68 f1 01 0b, which is a request for the intake manifold pressure. The interesting bit I need to investigate further is that it would appear that L01822 is where it gets the data from, but that location shows up at times in the code being written to, so I am not sure where it gets it from ultimately now. I did see another mystery I will need to track down. Near one of the references to the location I saw a JSR to L00602, which is well outside the flash ROM space, kinda odd. One other point: I decided it would be easiest to make the first digit the two bits making up the address lines 15 and 16 going to the flash; that way you can see which quadrant it was in based on the first number, so the first line is 05721, indicating it is in the 0 quadrant. Later on it moves into quadrant 3, or the upper memory one.


05721	ADCA #$00, X	L03560 = $1C	
05723	BRA $06		
0572B	PULB	B=$00	
0572C	PULX	X=$3560	
0572D	RTS		
1CFD7	STAA L01B99	A=$1C	
1CFDA	BRSET L00012, #%00001000, $4D	L00012 = $00	
1CFDE	BRSET L0000B, #%00000001, $49	L0000B = $00	
1CFE2	BRSET L0000C, #%00000010, $45	L0000C = $00	
1CFE6	BRSET L0000C, #%00000001, $41	L0000C = $00	
1CFEA	LDAB L01BA0	B=$00	
1CFED	CMPB L035E1	B=$06	
1CFF0	BCS $39		
1D02B	CLRA		
1D02C	STAA L01B9A	A=$00	
1D02F	LDX L00155	X=$0000	
1D032	CPX L035E2	L=$0004	
1D035	BCC $05		
1D037	LDD #$0000		
1D03A	BRA $37		
1D073	STD L01B9B	D=$0000	
1D076	RTS		
; Trampoline L05666, entry half: the caller puts the target address in X and calls here.
; The low two bits of L01002 are saved on the stack and replaced with %10 before the
; indirect call; the matching restore is the code at 0567B. Interrupts are masked only
; while L01002 is being rewritten.
04A4F	LDX #$8190		X = target for the JSR 0,X at 05679
04A52	JSR L05666	RL = 4A55	
05666	TPA		A = condition codes, kept so the interrupt mask can be put back
05667	PSHA	A=$C9	
05668	SEI		mask interrupts around the read-modify-write of L01002
05669	LDAA L01002	A=$F0	
0566C	TAB		
0566D	ANDB #%00000011		B = previous low two bits of L01002
0566F	ANDA #%11111100		
05671	ORAA #%00000010		force the low two bits to %10
05673	STAA L01002	A=$F2	presumably selects the flash quadrant - the target is traced at 38190 right after; confirm
05676	PULA	A=$C9	
05677	PSHB	B=$00	previous bits stay on the stack for the restore at 0567B
05678	TAP		restore the caller's condition codes / interrupt mask
05679	JSR #$00,X	RL = 567B	call the target through X
; L38190: move one received message from the current input slot to the current output slot.
; As traced, slots are $10 bytes apart; offset $0F holds $AA while a slot is filled and
; offset $0C-$0D holds a pointer to the last message byte. All 16 bytes are copied as
; eight word moves, the end pointer is rebased onto the output slot, and both slot
; pointers are advanced by $10 with an end-of-range compare.
; NOTE(review): the end pointer at offset $0C is read from the slot itself and, after
; SUBD, only B is used as the offset (ABX). No check that the offset stays inside the
; $10-byte slot is visible on the executed path - confirm the receive side bounds it.
; NOTE(review): the pointer variable L01E7B sits at the same address ($1E7B) that is
; used as the end bound of the output slots, so a write past the last slot would land
; on the pointer - confirm slot writes can never exceed $10 bytes.
38190	LDY L01E3A	Y=$1DE8	load y with current input buffer pointer
38194	LDAA #$0F, Y	L01DF7 = $AA	check last byte
38197	CMPA #$AA		if it is $AA then it is a new message
38199	BEQ $03		
3819E	LDAB #$00, Y	L01DE8=$68	load first byte of incoming message
381A1	EORB #%00001000		
381A3	BITB #%00011000		check for 1 byte header and IFR required
381A5	BEQ $03		if so go here
381AA	CMPB #$E0		check low pri, 1 byte head, IFR req, Func addr, IFR type 2, func
381AC	BCS $03		
381B1	BITB #%00000100		
381B3	BNE $0D		
381B5	LDAA #$01, Y	L01DE9 = $6A	
381B8	CMPA #$6A		is it a functional request info packet
381BA	BEQ $3C		
381F8	LDX L01E7B	X=$1E4B	load current output buffer pointer
381FB	LDAA #$0F, X	L01E5A = $00	load last byte of current output buffer
381FD	CMPA #$AA		should be $00 if buffer is cleared
381FF	BNE $0A		taken when the output slot is free
3820B	LDD #$00, Y	L01DE8=$686A	load first two numbers from the current input buffer
3820E	STD #$00, X	L01E4B=$686A	store first two numbers in the current output buffer
38210	LDD #$02, Y	L01DEA=$F101	group 2 in
38213	STD #$02, X	L01E4D=$F101	group 2 out
38215	LDD #$04, Y	L01DEC=$0B00	group 3 in
38218	STD #$04, X	L01E4F=$0B00	group 3 out
3821A	LDD #$06, Y	L01DEE=$0000	group 4 in
3821D	STD #$06, X	L01E51=$0000	group 4 out
3821F	LDD #$08, Y	L01DF0=$0000	group 5 in
38222	STD #$08, X	L01E53=$0000	group 5 out
38224	LDD #$0A, Y	L01DF2=$0000	group 6 in
38227	STD #$0A, X	L01E55=$0000	group 6 out
38229	LDD #$0C, Y	L01DF4=$1DED	group 7 in
3822C	STD #$0C, X	L01E57=$1DED	group 7 out
3822E	LDD #$0E, Y	L01DF6=$00AA	group 8 in
38231	STD #$0E, X	L01E59=$00AA	group 8 out
38233	LDD #$0C, Y	L01DF4=$1DED	load location of last real message byte
38236	SUBD L01E3A	D=$1DE8	how long is the message (header included)
38239	ABX		set x to location of last message byte in the output buffer 
3823A	LDY L01E7B	Y=$1E4B	load y with current output buffer
3823E	STX #$0C, Y	L01E57=$1E50	save last message byte location in output current buffer
38241	LDD L01E7B	D=$1E4B	load d with current output buffer location
38244	ADDD #$0010		add $10 to current location (set to next buffer location)
38247	CPD #$1E7B		is it at the end of the range for the output buffer?
3824B	BCS $03		if not, jump
38250	STD L01E7B	D=$1E5B	store new output buffer location in pointer
38253	LDY L01E3A	Y=$1DE8	load y with current input buffer location
38257	LDAA #$00		
38259	STAA #$0F, Y	L01DF7 = $00	clear the $AA, make this buffer clear for new message
3825C	LDD L01E3A	D=$1DE8	load d with current input buffer location
3825F	ADDD #$0010		add $10 (set to next buffer)
38262	CPD #$1E38		is it at the upper end of the buffer
38266	BCS $03		if not jump
3826B	STD L01E3A	D=$1DF8	store the new input buffer location to the pointer
3826E	JMP L8190		loop back for the next input slot
38190	LDY L01E3A	Y=$1DF8	load y with current input buffer pointer
38194	LDAA #$0F, Y	L01E07 = $00	check last byte
38197	CMPA #$AA		if it is $AA then it is a new message
38199	BEQ $03		not taken this time: the next slot is empty
3819B	JMP L8271		no more input, go process the queued output slot
; L38271: take the queued message at L01E7D, build the 3-byte reply header in the work
; buffer at $0383, copy the payload bytes after it, then call the mode dispatcher L38883.
; The payload count is (end pointer at offset $0C) - (slot start) - 3.
; NOTE(review): the copy loop is DECB/BNE with the test at the bottom, so a count of 0
; in B would not end the loop on the first pass. No check of the count is visible
; between 382B9 and 382BC - confirm that an earlier stage guarantees at least one
; payload byte and an upper bound before this copy into RAM at $0386+.
38271	BRSET L00088, #%00100000, $0F	L00088 = $02	
38275	BRSET L00088, #%00010000, $53	L00088 = $02	
38279	LDY L01E7D	Y=$1E4B	
3827D	LDAA #$0F, Y	L01E5A = $AA	
38280	CMPA #$AA		valid current message?
38282	BEQ $02		
38286	LDX #$0383		X = start of the reply work buffer
38289	LDAB #$00, Y	L01E4B=$68	get first byte
3828C	BITB #%00000100		functional or physical addressing?
3828E	BNE $12		jump if physical addressing
38290	LDAA #$00, Y	L01E4B = $68	begin formatting reply message
38293	ANDA #%11011111		clear bit 5 of the first header byte ($68 -> $48)
38295	STAA #$00, X	L00383 = $48	
38297	LDAA #$6B		
38299	STAA #$01, X	L00384 = $6B	second reply header byte is the constant $6B
3829B	LDAA L3C251	A=$10	Load $10, The name of the PCM
3829E	STAA #$02, X	L00385 = $10	Store it in the message
382A0	BRA $0F		
382B1	LDD #$0C, Y	L01E57=$1E50	load message length including header
382B4	SUBD L01E7D	D=$1E4B	subtract out message pointer, leaving just bytes in Breg
382B7	SUBB #$03		subtract the 3 byte header leaving just number of message bytes
382B9	STAB L01E7F	B=$02	store working message length - header
382BC	LDAA #$03, Y	L01E4E = $01	load message byte from 3 +Y
382BF	STAA #$03, X	L00386 = $01	store message byte to 3 + X
382C1	INX		
382C2	INY		
382C4	DECB		
382C5	BNE $F5		keep doing until complete message loaded in ram
382BC	LDAA #$03, Y	L01E4F = $0B	
382BF	STAA #$03, X	L00387 = $0B	
382C1	INX		
382C2	INY		
382C4	DECB		
382C5	BNE $F5		keep doing until complete message loaded in ram
382C7	LDAA #$01		
382C9	STAA L01E82	A=$01	
382CC	JSR L38883	RL = 82CF	dispatch on the mode byte now at L00386
; L38883: mode dispatcher. The mode byte (bit 6 cleared) is range-checked, used as a
; word index into the vector table at $87F5, and the vector points at a descriptor:
; byte 0 is compared as the maximum length, byte 1 as the minimum length, and the
; handler code is entered at descriptor + 4. As traced, mode $01 resolves to the
; descriptor at $88DF and its handler at 388E3, which bounds the PID before lookup.
38883	LDAB L00386	B=$01	Load B with the mode #
38886	ANDB #%10111111		set bit 6 to 0
38888	TBA		
38889	BEQ $0E		Branch if it was mode Ax
3888B	CMPB #$08		upper bound on the mode number for this table
3888D	BHI $06		not taken here (mode $01)
3888F	LDX #$87F5		L387f5 is where the mode vector table is
38892	DECB		No mode 0
38893	BRA $1E		
388B3	ABX		
388B4	ABX		two ABX: table entries are 2 bytes each
388B5	LDX #$00, X	L387F5=$88DF	X = descriptor address for this mode
388B7	BEQ $20		branch if mode not supported
388B9	BRSET L00088, #%00010000, $18	L00088 = $02	
388BD	LDAB L01E7F	B=$02	check that message has the correct packet length
388C0	CMPB #$00, X	L388DF=$02	
388C2	BHI $04		jump if message is too long
388C4	CMPB #$01, X	L388E0=$02	
388C6	BCC $08		jump if message is not too short
388D0	BSET L00088, #%00010000	L00088 = $12	
388D3	JMP #$04, X		jump to extended mode entry at 4 + (Vect(2x(Mode-$10) + $8805))
388E3	CLRA		Mode $01 Entry
388E4	LDAB L00387	B=$0B	B = requested PID
388E7	CMPB #$1C		PIDs above $1C are rejected before the table lookup
388E9	BHI $26		
388EB	JSR L3B158	RL = 88EE	look up the PID handler vector
; L3B158: PID vector lookup. A selects the table ($11, $12 and $13 branch elsewhere; 0 uses
; the table at $B1AA), B is the PID and is bounded to $1C again here. The vector is read
; from table + 2*PID ($B1AA + 2*$0B = $B1C0 in this trace) and compared with $FFFF, the
; "not supported" marker. Back in the caller (388EE) the vector must also lie within
; $B58A-$B958 before it is called, and the handler is entered at vector + 1.
3B158	CMPA #$11		
3B15A	BEQ $14		
3B15C	CMPA #$12		
3B15E	BEQ $15		
3B160	CMPA #$13		
3B162	BEQ $23		
3B164	TSTA		
3B165	BNE $39		any other non-zero selector leaves this path
3B167	CMPB #$1C		PID upper bound
3B169	BHI $35		
3B16B	LDX #$B1AA		base of the PID vector table used when A = 0
3B16E	BRA $27		
3B197	ABX		
3B198	ABX		Vectors are 2 bytes long, add twice to get right number
3B199	LDX #$00, X	L3B1C0=$B5E0	Load vector table
3B19B	CPX #$FFFF		Test if PID is supported
3B19E	BRA $01		
3B1A1	RTS		returns with carry set when the vector is below $FFFF
388EE	BCC $21		carry clear would mean the vector was $FFFF (unsupported)
388F0	CPX #$B58A		lower bound for an acceptable handler address
388F3	BCS $10		
388F5	CPX #$B958		upper bound for an acceptable handler address
388F8	BHI $0B		
388FA	LDY #$0388		Y = where the handler writes its data byte(s)
388FE	JSR #$01,X	RL = 8900	handler entry is vector + 1 ($B5E1 here)
; Intake manifold pressure handler. Scales the raw byte at L01822 and returns the high
; byte of the result:
;   D = raw * 128            (raw in A, B cleared, one LSRD)
;   X = D * 65536 / $AD82    (FDIV; D stays below $AD82 for any 8-bit raw value)
;   D = X / 2 + $0A55
;   reply byte = high byte of D, roughly raw * 0.369 + 10.3
; With raw = $02 this gives $0B, matching the traced store to L00388. The unit is
; presumably kPa, as for OBD-II PID $0B - confirm.
3B5E1	PSHX	X=$B5E0	Start Intake Manifold Pressure routine
3B5E2	LDAA L01822	A=$02	raw reading
3B5E5	CLRB		
3B5E6	LSRD		D = raw * 128
3B5E7	LDX #$AD82		divisor
3B5EA	FDIV		X = 16-bit fractional quotient of D / X
3B5EB	XGDX		move the quotient into D
3B5EC	LSRD		
3B5ED	ADDD #$0A55		fixed offset
3B5F0	PULX	X=$B5E0	
3B5F1	JMP LB969		shared tail: store one result byte
3B969	STAA #$00, Y	L00388 = $0B	store the result byte at the output pointer
3B96C	LDAB #$01		B = 1 data byte written
3B96E	ABY		advance the output pointer by that count
3B970	RTS		
38900	ADDB #$02		add the mode and PID bytes to the count
38902	TBA		A = reply length (3 here, stored to L01E7F at 3AFA5)
38903	BRA $09		
3890E	JMP LAF9F		
; L3AF9F: finish the reply. Stores the reply length when A is non-zero, sets bit 6 of
; the mode byte ($01 -> $41), then calls L3BD43 with a descriptor in X and marks the
; reply pending by setting bit 5 of L00088.
; L3BD43 ORs the mask at descriptor+$0F into the byte at $1F9A + (descriptor+$10) with
; interrupts masked, so the flag update cannot be interrupted half-way. The flag
; presumably requests transmission of the reply - confirm.
3AF9F	BCLR L00088, #%00010000	L00088 = $02	
3AFA2	TSTA		
3AFA3	BEQ $03		
3AFA5	STAA L01E7F	A=$03	reply length
3AFA8	LDAA L00386	A=$01	
3AFAB	ORAA #%01000000		set bit 6 of the mode byte for the reply
3AFAD	STAA L00386	A=$41	Format message reply
3AFB0	LDX #$C603		X = descriptor for L3BD43
3AFB3	JSR L3BD43	RL = AFB6	
3BD43	LDAB #$10, X	L3C613=$00	B = byte index into the flag area
3BD45	LDY #$1F9A		base of the flag area
3BD49	ABY		
3BD4B	TPA		keep the condition codes in A
3BD4C	SEI		mask interrupts for the read-modify-write below
3BD4D	LDAB #$0F, X	L3C612=$01	B = bit mask from the descriptor
3BD4F	ORAB #$00, Y	L01F9A=%00000000	
3BD52	STAB #$00, Y	L01F9A=$01	
3BD55	TAP		restore the previous interrupt mask
3BD56	RTS		
3AFB6	BSET L00088, #%00100000	L00088 = $22	
3AFB9	CLRA		
3AFBA	BRCLR L00088, #%00010000, $01	L00088 = $22	
3AFBF	RTS		
; Back in L38271's caller path after the dispatcher returns with A = 0: release the
; processed slot by clearing its $AA marker, advance L01E7D by $10 with the same
; end-of-range compare against $1E7B, and loop. On the second pass bit 5 of L00088 is
; set, so the routine leaves through 382F0.
382CF	TSTA		
382D0	BNE $1E		
382D2	LDY L01E7D	Y=$1E4B	
382D6	LDAA #$00		
382D8	STAA #$0F, Y	L01E5A = $00	clear the $AA marker, the slot is free again
382DB	LDD L01E7D	D=$1E4B	
382DE	ADDD #$0010		next slot
382E1	CPD #$1E7B		end of the slot range?
382E5	BCS $03		
382EA	STD L01E7D	D=$1E5B	
382ED	JMP L8271		
38271	BRSET L00088, #%00100000, $0F	L00088 = $22	bit 5 is now set, branch taken
38284	BRA $6A		
382F0	RTS		
; Trampoline L05666, return half: runs when the target called through JSR 0,X returns.
; The low two bits of L01002 are cleared and the previous bits, pushed at 05677, are
; ORed back in from the top of the stack, again with interrupts masked.
0567B	TPA		keep the condition codes in A
0567C	SEI		mask interrupts around the read-modify-write of L01002
0567D	LDAB L01002	B=$F2	
05680	ANDB #%11111100		drop the low two bits set on entry
05682	TSX	X=SP=$3FD	X points at the byte pushed at 05677
05683	ORAB #$00, X	L003FD=%00000000	merge the previous low two bits back in
05685	STAB L01002	B=$F0	
05688	PULB	B=$00	discard the saved bits from the stack
05689	TAP		restore the previous interrupt mask
0568A	RTS		
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: '99 Saturn Dissassembly

Post by antus »

good work :thumbup:
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
charlay86
Posts: 584
Joined: Thu Sep 17, 2009 2:00 pm
cars: VT S1 SS (L67)
Location: Perth, WA

Re: '99 Saturn Dissassembly

Post by charlay86 »

L01822 will just be a ram location where it stored the value from analog to digital converter.
there are usually a few variables for the same thing, one is used as an override value when it is in mode 4, one is the raw value, one is filtered etc.

have a look at all the places in the code where that ram location is written to, and you'll probably find some code that looks something similar to below. (this is from one of our australian PCMs 16233396)



D8C4 IATv_INJv_BATTv:                                  ; CODE XREF: __RESET:loc_6D26P
D8C4                                                   ; MAJOR_9+20P
D8C4         tpa
D8C5         tab
D8C6 loc_D8C6:
D8C6         ldaa    #0
D8C8         sei
D8C9 loc_D8C9:                                         ; AA=0 (Inlet Air Temperature Sensor Voltage)
D8C9         jsr     ADMUX1

6413 ; =============== S U B R O U T I N E =======================================
6413 ; DO A/D CONVERSION OF SPECIFIED CHANNEL
6413 ;
6413 ; ACCA = MUX1 CHANNEL TO READ
6413 ;
6413 ; OUT: ACCA = ADR1 (conversion result); ACCB IS SAVED AND RESTORED (pshb/pulb)
6413 ;
6413 ; NOTE(review): the channel in ACCA is added to the masked PORTG value with aba and is
6413 ; not masked itself, so a value above 7 would change PORTG bits outside the three mux
6413 ; bits. The visible caller passes the constant 0 - confirm the other callers.
6413 ; NOTE(review): PORTG is updated read-modify-write without masking interrupts in this
6413 ; routine; the visible caller at D8C8 executes sei before the jsr - confirm the other
6413 ; callers do the same.
6413 ADMUX1:                                           ; CODE XREF: SDLOGIC+74P
6413                                                   ; EIP_MSG_REPLY+21P
6413                                                   ; __RESET+1B1P
6413                                                   ; __RESET+276P IRQ+26P
6413                                                   ; SUB_AC_PRESS+DP ...
6413         pshb
6414         ldab    PORTG                             ; Port G Data
6414                                                   ; 01 A/D INPUT MUX
6414                                                   ; 02 A/D INPUT MUX
6414                                                   ; 04 A/D INPUT MUX
6414                                                   ; 08
6414                                                   ; 10
6414                                                   ; 20
6414                                                   ; 40 HIGH BANK SELECTOR BIT
6414                                                   ; 80
6417         andb    #0xF8 ; '°'                       ; A2D MUX MASK
6419         aba                                       ; A = other PORTG bits + requested mux channel
641A         staa    PORTG                             ; Port G Data
641A                                                   ; 01 A/D INPUT MUX
641A                                                   ; 02 A/D INPUT MUX
641A                                                   ; 04 A/D INPUT MUX
641A                                                   ; 08
641A                                                   ; 10
641A                                                   ; 20
641A                                                   ; 40 HIGH BANK SELECTOR BIT
641A                                                   ; 80
641D         clra                                      ; 0 = the *MUX channel in the list below
641E         staa    ADCTL                             ; A_D Control Register
641E                                                   ;
641E                                                   ; 0  *MUX Channel
641E                                                   ; 1  Force Motor Current
641E                                                   ; 2  Right Hand O2 Sensor Voltage
641E                                                   ; 3  Left Hand O2 Sensor Voltage
641E                                                   ; 4  KNOCK SENSOR INPUT
641E                                                   ; 5  Injector voltage
641E                                                   ; 6  Throttle Position Sensor Voltage
641E                                                   ; 7  Exhaust Gas Recirc. Valve Pos'n Sensor Voltage
641E                                                   ;
641E                                                   ; MUX1
641E                                                   ;
641E                                                   ; 0  Inlet Air Temperature Sensor Voltage
641E                                                   ; 1  Engine Coolant Temp. sensor Voltage
641E                                                   ; 2  Transmission Fluid Temperature Sensor Voltage
641E                                                   ; 3  ? DIAGNOSTIC PIN (F14)
641E                                                   ; 4  A/C Pressure Sensor Voltage
641E                                                   ; 5  ? BAROMETER INPUT
641E                                                   ; 6  Battery Voltage
641E                                                   ; 7
6421         mul                                       ; product unused: the three mul are presumably
6422         mul                                       ; a fixed delay while the conversion completes
6423         mul                                       ; (no completion flag is polled here)
6424         pulb
6425         ldaa    ADR1                              ; A_D Result Register 1
6428         rts
6428 ; End of function ADMUX1


D8CC         staa    IAT_V_RAW_ALDL						;loc'n 0x190A
D8CF loc_D8CF:
D8CF         coma
D8D0         staa    IAT_V_inverse_raw					;loc'n 0x190B
D8D3         tba
D8D4         tap
D8D5         jsr     SUB_DTC_23_25_26                  ; DTC23 IAT VOLTS HIGH
D8D5                                                   ; DTC25 IAT VOLTS LOW
D8D5                                                   ; DTC26 IAT UNSTABLE
D8D5                                                   ;
D8D8         ldaa    IAT_V_inverse_raw		           ;loc'n 0x190B
D8DB         ldx     #IATVOLT2TEMP                     ; 0x6040   
D8DE         jsr     P4LKUPQ                           ; "TWO DIMENSIONAL" TABLE LOOKUP
D8DE                                                   ; NO OFFSET, SPACED 16
D8DE                                                   ;
D8DE                                                   ; ACCA = LOOKUP VALUE
D8DE                                                   ; ACCB = UNCHANGED
D8DE                                                   ; IX = ADRESS OF TABLE
D8DE                                                   ;
D8DE                                                   ; RESULT IN ACCA
D8E1 loc_D8E1:                                         ; AIR TEMP = (X * 0.75) - 40
D8E1         staa    IAT_RAW_ALDL						;loc'n 0x190D
D8E4         brclr   *FLAGS_35,#0x80,loc_D8ED ; 'Ç'    ; 0x01 1 = ERROR FREE TRANSMISSION ON UART LINK
D8E4                                                   ; 0x02 1 = ALDL XMIT NEEDED (RESPONSE TO A RX'D MSG)
D8E4                                                   ; 0x04 1 = CLEAR MALF CODES
D8E4                                                   ; 0x08 1 = ALDL MODE 8 DISABLE NORMAL COMMUNICATIONS
D8E4                                                   ; 0x10 1 = DO CHECKSUM ONLY
D8E4                                                   ; 0x20 1 = ALDL TESTER IN CONTROL OF LINK
D8E4                                                   ; 0x40 1 = CLEAR NVRAM
D8E4                                                   ; 0x80 1 = ALDL MODE 4 CONTROL
D8E4                                                   ;
D8E8         ldaa    IAT_V_inverse					;loc'n 0x190C
D8EB         bra     loc_D8FC
D8ED ; ---------------------------------------------------------------------------
D8ED loc_D8ED:                                         ; CODE XREF: IATv_INJv_BATTv+20j
D8ED         brclr   *CURRENT_MALF_22_29,#0x58,loc_D8F6 ; 'X' ; 0x01  DTC29  EGR position fault
D8ED                                                   ; 0x02  DTC28  manual valve circuit fault
D8ED                                                   ; 0x04  DTC27  **not used**
D8ED                                                   ; 0x08  DTC26  IAT volts unstable
D8ED                                                   ; 0x10  DTC25  IAT volts low
D8ED                                                   ; 0x20  DTC24  VSS missing   CEL
D8ED                                                   ; 0x40  DTC23  IAT volts high
D8ED                                                   ; 0x80  DTC22  TPS voltage low   CEL
D8F1         ldaa    DEF_INVERSE_IAT_V					;loc'n 0x592D
D8F4 loc_D8F4:
D8F4         bra     loc_D8F9
D8F6 ; ---------------------------------------------------------------------------
D8F6 loc_D8F6:                                         ; CODE XREF: IATv_INJv_BATTv:loc_D8EDj
D8F6         ldaa    IAT_V_inverse_raw				;loc'n 0x190B
D8F9 loc_D8F9:                                         ; CODE XREF: IATv_INJv_BATTv:loc_D8F4j
D8F9         staa    IAT_V_inverse					;loc'n 0x190C
D8FC loc_D8FC:                                         ; CODE XREF: IATv_INJv_BATTv+27j
D8FC         ldx     #IATVOLT2TEMP                     ; for IAT
D8FF         jsr     P4LKUPQ                           ; "TWO DIMENSIONAL" TABLE LOOKUP
D8FF                                                   ; NO OFFSET, SPACED 16
D8FF                                                   ;
D8FF                                                   ; ACCA = LOOKUP VALUE
D8FF                                                   ; ACCB = UNCHANGED
D8FF                                                   ; IX = ADRESS OF TABLE
D8FF                                                   ;
D8FF                                                   ; RESULT IN ACCA
D902 loc_D902:  staa    *IAT							;loc'n 0x0075
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Yep, it dawned on me the other day on the way home from work that that was probably it; I was just too busy putting the final touches on the reverse assembler to look. It looks like these are the areas in the lower memory where it is accessed; in one of them it is accessed in conjunction with A to D #1. Thanks for the reply though, there are some good snippets in the code you provided.


; Excerpt: one of the places that write L1822. A is loaded with $04 before the call and
; the value returned in A is stored to L1822. L5858 is not shown; $04 is presumably
; an A/D channel number (the excerpt at 50B8 writes the same value to ADCTL) - confirm.
4339		clrA	
433A		staA	L1DDD	; clear L1DDD
433D		staA	L1DDE	; clear L1DDE
4340		ldaA	#$04	; argument for L5858
4342		call	L5858
4345		staA	L1822	; result of the call becomes the stored reading

ADR1	=	$1031 (A to D Register 1)

; Excerpt (the routine continues past the last line shown). $04 is written to ADCTL,
; which on the 68HC11 starts a conversion on the selected channel; after some unrelated
; bookkeeping the result register ADR1 is read and stored to L1822. This is the
; A/D-to-RAM path for L1822.
; NOTE(review): no conversion-complete flag is polled between the ADCTL write and the
; ADR1 read; the instructions in between presumably provide the delay - confirm.
50B8	L50B8	ldaA	#$04
50BA		staA	ADCTL	; select channel $04 and start the conversion
50BD		bset	L0069, #%00000001
50C0		ldaA	L1462	; overwritten by the ldD that follows
50C3		ldD	L1462
50C6		stD	L1844
50C9		ldaA	L18D3	; shift the history: L18D3 -> L18D4
50CC		staA	L18D4
50CF		ldaA	L18D2	; L18D2 -> L18D3
50D2		staA	L18D3
50D5		ldaB	L1D1A	; flag byte tested below
50D8		ldaA	ADR1	; raw conversion result
50DB		staA	L1822	; stored as the raw reading
50DE		bitB	#%00100000
50E0		beq	L50FB
50E2		bitB	#%00000001
50E4		beq	L50F8
50E6		ldaB	L1D1B	; signed adjustment (bmi tests its sign)
50E9		bmi	L50F2
50EB		aBA	; positive case: add the adjustment to the reading


; Excerpt. Lines 6153-615E apply the same scaling to L1822 as the routine traced at
; 3B5E1 (raw * 128, FDIV by $AD82, halve, add $0A55); here the high byte of the result
; is stored at 12,X instead of through Y.
614D		ldaB	L1B12
6150		stD	10, X
6152		pushX	; keep the record pointer across the fdiv, which uses X
6153		ldaA	L1822	; raw reading
6156		clrB	
6157		lsrD	; D = raw * 128
6158		ldX	#$AD82	; divisor
615B		fdiv	; X = 16-bit fractional quotient of D / X
615C		xgDX	; quotient into D
615D		lsrD	
615E		addD	#$0A55	; fixed offset
6161		popX	
6162		staA	12, X	; high byte of the scaled value
6164		pushX	


; Excerpt. Counter L19C6 is incremented with saturation (addA #$01 / sbcA #$00 leaves
; $FF at $FF), then L1822 is compared with the threshold at L21AC. When L1822 is not
; higher, bit 0 of L19C5 is cleared and the counter is compared with L21AE. This looks
; like a range check on the reading with a debounce counter - confirm.
8829	L8829	cmpB	L21AA
882C		bcc	L888B
882E	L882E	ldaA	L19C6
8831		addA	#$01
8833		sbcA	#$00	; undo the increment on overflow, so the counter sticks at $FF
8835		staA	L19C6
8838		ldaB	L1822	; raw reading
883B		cmpB	L21AC	; threshold
883E		bhi	L885C	; unsigned: reading above the threshold
8840		ldaB	L19C5
8843		andB	#%11111110	; clear bit 0 of L19C5
8845		staB	L19C5
8848		cmpA	L21AE	; counter against its limit
884B		bcs	L888B
884D		clrA	



; Excerpt. Same shape as the block at 8829 with the comparison reversed: counter L19C8
; is incremented with saturation, L1822 is compared with the threshold at L21B2, and
; when it is not lower, bit 1 of L19C5 is cleared and the counter is compared with
; L21B4. Presumably the opposite-side range check for the same reading - confirm.
889D	L889D	cmpB	L21B0
88A0		bls	L88FF
88A2	L88A2	ldaA	L19C8
88A5		addA	#$01
88A7		sbcA	#$00	; undo the increment on overflow, so the counter sticks at $FF
88A9		staA	L19C8
88AC		ldaB	L1822	; raw reading
88AF		cmpB	L21B2	; threshold
88B2		bcs	L88D0	; unsigned: reading below the threshold
88B4		ldaB	L19C5
88B7		andB	#%11111101	; clear bit 1 of L19C5
88B9		staB	L19C5
88BC		cmpA	L21B4	; counter against its limit
88BF		bcs	L88FF
88C1		clrA	

; Excerpt. The value returned by L584A (called with A = $04) is written to L1822 and to
; all three history bytes L18D2-L18D4, then the same flag tests and adjustment as in the
; 50B8 excerpt follow. The positive adjustment is clamped: on carry out of aBA the
; result is forced to $FF. L584A is not shown.
E1E6	LE1E6	bclr	L0060, #%00000001
E1E9	LE1E9	brclr	L0061, #%00000100, LE238
E1ED		ldaA	#$04	; argument for L584A
E1EF		call	L584A
E1F2		staA	L1822	; stored reading
E1F5		staA	L18D2	; seed all three history bytes with the same value
E1F8		staA	L18D3
E1FB		staA	L18D4
E1FE		ldaA	L18D2
E201		ldaB	L1D1A	; flag byte tested below
E204		bitB	#%00100000
E206		beq	LE221
E208		bitB	#%00000001
E20A		beq	LE21E
E20C		ldaB	L1D1B	; signed adjustment (bmi tests its sign)
E20F		bmi	LE218
E211		aBA	; positive case: add the adjustment
E212		bcc	LE216	; no carry, result fits in 8 bits
E214		ldaA	#$FF	; carry: clamp to $FF
E216	LE216	jr	LE221
arbartz
Posts: 1
Joined: Mon Dec 17, 2012 2:58 am
cars: 1987 Fiero GT
2004 Silverado SS
2017 Fusion Sport

Re: '99 Saturn Dissassembly

Post by arbartz »

This looks quite interesting! I look forward to the day we may be able to re-flash our Saturns! Keep up the good work.
chrispel
Posts: 1
Joined: Fri Apr 12, 2013 11:26 pm
cars: 98 Saturn SC2
99 Corvette

Re: '99 Saturn Dissassembly

Post by chrispel »

How are you making out with this?