'99 Saturn Disassembly

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Disassembly

Post by sabercatpuck »

Well, this took a while, so I am not planning on doing it much (unless I build a program to do it for me), but I merged a section out of the code with data from the logic analyzer so that you can actually step through it and see what is happening, while it is happening. This goes from initial check through return to the main loop. I went with a mode 22 request since that would hopefully give me some insight into how the PIDs are set up too.

Code:

Send 6c 10 f1 22 11 01 01
Recv 6C F1 10 62 11 01 A1 FA

18190	ldY	L1E3A; 1E3A = $1df8
18194	ldaA	15, Y; 1E07 = $AA
18197	cmpA	#$AA
18199	beq	L819E
1819E	ldaB	0, Y ; 1DF8 = $6C
181A1	xorB	#%00001000
181A3	bitB	#%00011000
181A5	beq	L81AA
181AA	cmpB	#$E0
181AC	bcs	L81B1
181B1	bitB	#%00000100
181B3	bne	L81C2
181C2	ldaA	1, Y ; 1DF9 = $10
181C5	cmpA	#$FE
181C7	bne	L81E3
181E3	cmpA	LC251 ; 1C251 = $10
181E6	beq	L81F8
181F8	ldX	L1E7B ; 1E7B = $1E, 1E7C = $5B
181FB	ldaA	15, X ; 1E6A = $00
181FD	cmpA	#$AA
181FF	bne	L820B
1820B	ldD	0, Y ; 1DF8 = $6C, 1DF9 = $10
1820E	stD	0, X ; 1E5B = $6C, 1E5C = $10
18210	ldD	2, Y ; 1DFA = $F1, 1DFB = $22
18213	stD	2, X ; 1E5D = $F1, 1E5E = $22
18215	ldD	4, Y ; 1DFC = $11, 1DFD = $01
18218	stD	4, X ; 1E5F = $11, 1E60 = $01
1821A	ldD	6, Y ; 1DFE = $01, 1DFF = $01
1821D	stD	6, X ; 1E61 = $01, 1E62 = $01
1821F	ldD	8, Y ; 1E00 = $12, 1E01 = $00
18222	stD	8, X ; 1E63 = $12, 1E64 = $00
18224	ldD	10, Y; 1E02 = $00, 1E03 = $00
18227	stD	10, X; 1E65 = $00, 1E66 = $00
18229	ldD	12, Y; 1E04 = $1D, 1E05 = $FF
1822C	stD	12, X; 1E67 = $1D, 1E68 = $FF
1822E	ldD	14, Y; 1E06 = $00, 1E07 = $AA
18231	stD	14, X; 1E69 = $00, 1E6A = $AA
18233	ldD	12, Y; 1E04 = $1D, 1E05 = $FF
18236	subD	L1E3A; 1E3A = $1D, 1E3B = $F8
18239	aBX
1823A	ldY	L1E7B; 1E7B = $1E, 1E7C = $5B
1823E	stX	12, Y; 1E67 = $1E, 1E68 = $62
18241	ldD	L1E7B; 1E7B = $1E, 1E7C = $5B
18244	addD	#$0010
18247	cmpD	#$1E7B
1824B	bcs	L8250
18250	stD	L1E7B; 1E7B = $1E, 1E7C = $6B
18253	ldY	L1E3A; 1E3A = $1D, 1E3B = $F8
18257	ldaA	#$00
18259	staA	15, Y; 1E07 = $00
1825C	ldD	L1E3A; 1E3A = $1D, 1E3B = $F8
1825F	addD	#$0010
18262	cmpD	#$1E38
18266	bcs	L826B
1826B	stD	L1E3A; 1E3A = $1E, 1E3B = $08
1826E	jmp	E8190
18190	ldY	L1E3A; 1E3A = $1E, 1E3B = $08
18194	ldaA	15, Y; 1E17 = $00
18197	cmpA	#$AA
18199	beq	L819E
1819B	jmp	L8271
18271	brset	L0088, #%00100000, L8284; 88 = $02
18275	brset	L0088, #%00010000, L82CC; 88 = $02
18279	ldY	L1E7D; 1E7D = $1E, 1E7E = $5B
1827D	ldaA	15, Y; 1E6A = $AA
18280	cmpA	#$AA
18282	beq	L8286
18286	ldX	#$0383
18289	ldaB	0, Y; 1E5B = $6C
1828C	bitB	#%00000100
1828E	bne	L82A2
182A2	ldaA	0, Y; 1E5B = $6C
182A5	staA	0, X; 383 = $6C
182A7	ldaA	2, Y; 1E5D = $F1
182AA	staA	1, X; 384 = $F1
182AC	ldaA	LC251; 1C251 = $10
182AF	staA	2, X; 385 = $10
182B1	ldD	12, Y; 1E67 = $1E, 1E68 = $62
182B4	subD	L1E7D; 1E7D = $1E, 1E7E = $5B
182B7	subB	#$03
182B9	staB	L1E7F; 1E7F = $04
182BC	ldaA	3, Y; 1E5E = $22
182BF	staA	3, X; 386 = $22
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E5F = $11
182BF	staA	3, X; 387 = $11
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E60 = $01
182BF	staA	3, X; 388 = $01
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E61 = $01
182BF	staA	3, X; 389 = $01
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182C7	ldaA	#$01
182C9	staA	L1E82; 1E82 = $01
182CC	call	L8883; 3FA = $CF, 3F9 = $82
18883	ldaB	L0386; 386 = $22
18886	andB	#%10111111
18888	tBA
18889	beq	L8899
1888B	cmpB	#$08
1888D	bhi	L8895
18895	subB	#$10
18897	bcc	L889F
1889F	cmpB	#$2F; actually $3f 
188A1	bhi	L88A8
188A3	ldX	#$8805
188A6	jr	L88B3
188B3	aBX
188B4	aBX
188B5	ldX	0, X; 18829 = $98, 1882A = $D9
188B7	beq	L88D9
188B9	brset	L0088, #%00010000, L88D5; 88 =$02
188BD	ldaB	L1E7F; 1E7F = $04
188C0	cmpB	0, X; 198D9 = $04
188C2	bhi	L88C8
188C4	cmpB	1, X; 198DA = $04
188C6	bcc	L88D0
188D0	bset	L0088, #%00010000; 88 = $02, 88 = $12
188D3	jmp	4, X
198DD	ldY	#$0386
198E1	ldaA	3, Y; 389 = $01
198E4	cmpA	#$01
198E6	beq	L98EC
198EC	ldD	1, Y; 387 = $11, 388 = $01
198EF	call	LB158; 3F8 = $F2, 3F7 = $98
1B158	cmpA	#$11
1B15A	beq	LB170; TRAP FIRST TWO DIGITS
1B170	ldX	#$B1E4
1B173	jr	LB197
1B197	aBX
1B198	aBX
1B199	ldX	0, X; 1B1E6 = $B6, 1B1E7 = $D8
1B19B	cmpX	#$FFFF
1B19E	jr	LB1A1
1B1A1	ret; 3F6 = $E1, 3F7 = $98, 3F8 = $F2
198F2	bcc	L98E8
198F4	ldaB	#$03
198F6	aBY
198F8	cmpX	#$B58A
198FB	bcs	L9906
198FD	cmpX	#$B958
19900	bhi	L9906
19902	call	1, X; 3F8 = $04, 3F7 = $99
1B6D9	clrA
1B6DA	ldaB	L0054; 54 = $10
1B6DC	bitB	#%00010000
1B6DE	beq	LB6E2
1B6E0	oraA	#%00000001
1B6E2	ldaB	L0058; 58 = $0C
1B6E4	bitB	#%10000000
1B6E6	beq	LB6EA
1B6EA	ldaB	L005F; 5F = $00
1B6EC	bitB	#%10000000
1B6EE	beq	LB6F2
1B6F2	bitB	#%00010000
1B6F4	beq	LB6F8
1B6F8	ldaB	L0058; 58 = $0C
1B6FA	bitB	#%00000010
1B6FC	beq	LB700
1B700	ldaB	L1802; 1802 = $C1
1B703	bitB	#%00000001
1B705	beq	LB709
1B707	oraA	#%00100000
1B709	ldaB	L0071; 71 = $10
1B70B	bitB	#%00001000
1B70D	beq	LB711
1B711	ldaB	L005A; 5A = $18
1B713	bitB	#%00001000
1B715	beq	LB719
1B717	oraA	#%10000000
1B719	jmp	LB969
1B969	staA	0, Y; 389 = $A1
1B96C	ldaB	#$01
1B96E	aBY
1B970	ret; 3F6 = $E1, 3F7 = $99, 3F8 = $04
19904	jr	L990D
1990D	ldaA	#$03
1990F	aBA
19910	jr	L9912
19912	jmp	LAF9F
1AF9F	bclr	L0088, #%00010000; 88 = $12, 88 = $02
1AFA2	tstA
1AFA3	beq	LAFA8
1AFA5	staA	L1E7F; 1E7F = $04
1AFA8	ldaA	L0386; 386 = $22
1AFAB	oraA	#%01000000
1AFAD	staA	L0386; 386 = $62
1AFB0	ldX	#$C603
1AFB3	call	LBD43; 3F8 = $B6, 3F7 = $AF
1BD43	ldaB	16, X; 1C613 = $00
1BD45	ldY	#$1F9A
1BD49	aBY
1BD4B	tPA
1BD4C	di
1BD4D	ldaB	15, X; 1C612 = $01
1BD4F	oraB	0, Y; 1F9A = $04
1BD52	staB	0, Y; 1F9A = $05
1BD55	tAP
1BD56	ret; 3F6 = $E1, 3F7 = $AF, 3F8 = $B6
1AFB6	bset	L0088, #%00100000; 88 = $02, 88 = $22
1AFB9	clrA
1AFBA	brclr	L0088, #%00010000, LAFBF; 88 = $22
1AFBF	ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF	tstA
182D0	bne	L82F0
182D2	ldY	L1E7D; 1E7D = $1E, 1E7E = $5B
182D6	ldaA	#$00
182D8	staA	15, Y; 1E6A = $00
182DB	ldD	L1E7D; 1E7D = $1E, 1E7E = $5B
182DE	addD	#$0010
182E1	cmpD	#$1E7B
182E5	bcs	L82EA
182EA	stD	L1E7D; 1E7D = $1E, 1E7E = $6B
182ED	jmp	L8271
18271	brset	L0088, #%00100000, L8284; 88 = $22
18284	jr	L82F0
182F0	ret; 3FA = $CF, 3FB = $56, 3FC = $7B
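
Added example (mine, not code from the post or from the ECU): a decoder for the two frames captured above, assuming the bus is GM Class 2 (SAE J1850 VPW) so that a frame is priority/type byte, target, source, mode, data and a CRC-8/SAE-J1850 trailer. The capture's closing $FA byte is consistent with that assumption, which the CRC check on the response frame confirms.

```python
# Added example (not from the forum post): decode the Send/Recv pair captured
# above and verify the trailing byte of the response.  Assumption: GM Class 2
# (SAE J1850 VPW) framing  [prio/type, target, source, mode, data..., CRC]
# with CRC-8/SAE-J1850 (poly 0x1D, init 0xFF, MSB first, final XOR 0xFF).

POLY = 0x1D


def j1850_crc8(data: bytes) -> int:
    """CRC-8/SAE-J1850 (check value for b'123456789' is 0x4B)."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def crc_ok(frame: bytes) -> bool:
    """True when the last byte of frame is the CRC of everything before it."""
    return len(frame) >= 5 and j1850_crc8(frame[:-1]) == frame[-1]


def parse_frame(frame: bytes, has_crc: bool) -> dict:
    """Split a frame into header fields, mode and payload.

    A frame carrying a CRC is rejected outright when the CRC does not match,
    so a corrupted or forged frame is never decoded as if it were good.
    """
    if has_crc:
        if not crc_ok(frame):
            raise ValueError(f"bad CRC on frame {frame.hex()}")
        frame = frame[:-1]
    if len(frame) < 4:
        raise ValueError("frame too short for header + mode")
    return {"prio": frame[0], "target": frame[1], "source": frame[2],
            "mode": frame[3], "payload": frame[4:]}


def is_positive_response(req: dict, resp: dict) -> bool:
    """A positive response carries mode + $40 and swaps the address pair."""
    return (resp["mode"] == (req["mode"] | 0x40)
            and resp["target"] == req["source"]
            and resp["source"] == req["target"])


# Frames exactly as captured in the post; the Send line was logged without its CRC.
SEND = bytes.fromhex("6c 10 f1 22 11 01 01")
RECV = bytes.fromhex("6c f1 10 62 11 01 a1 fa")


def decode_capture():
    """Decode both frames and report whether they form a request/response pair."""
    req = parse_frame(SEND, has_crc=False)
    resp = parse_frame(RECV, has_crc=True)
    return req, resp, is_positive_response(req, resp)


if __name__ == "__main__":
    req, resp, paired = decode_capture()
    print(f"request : mode ${req['mode']:02X} PID {req['payload'][:2].hex()} "
          f"from tester ${req['source']:02X} to ECM ${req['target']:02X}")
    print(f"response: mode ${resp['mode']:02X} data {resp['payload'][2:].hex()} "
          f"CRC ok, pairs with request: {paired}")
```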

sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Disassembly

Post by sabercatpuck »

Since I am making an effort to learn the mode 35 stuff so I can hopefully use it in the future, I went ahead and slogged through that section of the memory. At this point I don't seem to be getting something right with the mode 35 request though. I am sending 35 01 00 06 00 50 00 and getting 75 01 51 back, which should theoretically be giving me back 6 bytes of data from location $5000, but I don't seem to be getting that. Note: when I took the snapshot below I was trying a different number on the mode 35 request, but same result.

Code:

18190	ldY	L1E3A; 1E3A = $1E, 1E3B = $08
18194	ldaA	15, Y; 1E17 = $AA
18197	cmpA	#$AA
18199	beq	L819E
1819E	ldaB	0, Y; 1E08 = $6C
181A1	xorB	#%00001000
181A3	bitB	#%00011000
181A5	beq	L81AA
181AA	cmpB	#$E0
181AC	bcs	L81B1
181B1	bitB	#%00000100
181B3	bne	L81C2
181C2	ldaA	1, Y; 1E09 = $10
181C5	cmpA	#$FE
181C7	bne	L81E3
181E3	cmpA	LC251; 1C251 = $10
181E6	beq	L81F8
181F8	ldX	L1E7B; 1E7B = $1E, 1E7C = $4B
181FB	ldaA	15, X; 1E5A = $00
181FD	cmpA	#$AA
181FF	bne	L820B
1820B	ldD	0, Y; 1E08 = $6C, 1E09 = $10
1820E	stD	0, X; 1E4B = $6C, 1E4C = $10
18210	ldD	2, Y; 1E0A = $F1, 1E0B = $35
18213	stD	2, X; 1E4D = $F1, 1E4E = $35
18215	ldD	4, Y; 1E0C = $01, 1E0D = $20
18218	stD	4, X; 1E4F = $01, 1E50 = $20
1821A	ldD	6, Y; 1E0E = $00, 1E0F = $00
1821D	stD	6, X; 1E51 = $00, 1E52 = $00
1821F	ldD	8, Y; 1E10 = $30, 1E11 = $05
18222	stD	8, X; 1E53 = $30, 1E54 = $05
18224	ldD	10, Y; 1E12 = $00, 1E13 = $00
18227	stD	10, X; 1E55 = $00, 1E56 = $00
18229	ldD	12, Y; 1E14 = $1E, 1E15 = $12
1822C	stD	12, X; 1E57 = $1E, 1E58 = $12
1822E	ldD	14, Y; 1E16 = $00, 1E17 = $AA
18231	stD	14, X; 1E59 = $00, 1E5A = $AA
18233	ldD	12, Y; 1E14 = $1E, 1E15 = $12
18236	subD	L1E3A; 1E3A = $1E, 1E3B = $08
18239	aBX
1823A	ldY	L1E7B; 1E7B = $1E, 1E7C = $4B
1823E	stX	12, Y; 1E57 = $1E, 1E58 = $55
18241	ldD	L1E7B; 1E7B = $1E, 1E7C = $4B
18244	addD	#$0010
18247	cmpD	#$1E7B
1824B	bcs	L8250
18250	stD	L1E7B; 1E7B = $1E, 1E7C = $5B
18253	ldY	L1E3A; 1E3A = $1E, 1E3B = $08
18257	ldaA	#$00
18259	staA	15, Y; 1E17 = $00
1825C	ldD	L1E3A; 1E3A = $1E, 1E3B = $08
1825F	addD	#$0010
18262	cmpD	#$1E38
18266	bcs	L826B
1826B	stD	L1E3A; 1E3A = $1E, 1E3B = $18
1826E	jmp	E8190
18190	ldY	L1E3A; 1E3A = $1E, 1E3B = $18
18194	ldaA	15, Y; 1E27 = $00
18197	cmpA	#$AA
18199	beq	L819E
1819B	jmp	L8271
18271	brset	L0088, #%00100000, L8284; 88 = $02
18275	brset	L0088, #%00010000, L82CC; 88 = $02
18279	ldY	L1E7D; 1E7D = $1E, 1E7E = $4B
1827D	ldaA	15, Y; 1E5A = $AA
18280	cmpA	#$AA
18282	beq	L8286
18286	ldX	#$0383
18289	ldaB	0, Y; 1E4B = $6C
1828C	bitB	#%00000100
1828E	bne	L82A2
182A2	ldaA	0, Y; 1E4B = $6C
182A5	staA	0, X; 383 = $6C
182A7	ldaA	2, Y; 1E4D = $F1
182AA	staA	1, X; 384 = $F1
182AC	ldaA	LC251; 1C251 = $10
182AF	staA	2, X; 385 = $10
182B1	ldD	12, Y; 1E57 = $1E, 1E58 = $55
182B4	subD	L1E7D; 1E7D = $1E, 1E7E = $4B
182B7	subB	#$03
182B9	staB	L1E7F; 1E7F = $07
182BC	ldaA	3, Y; 1E4E = $35
182BF	staA	3, X; 386 = $35
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E4F = $01
182BF	staA	3, X; 387 = $01
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E50 = $20
182BF	staA	3, X; 388 = $20
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E51 = $00
182BF	staA	3, X; 389 = $00
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E52 = $00
182BF	staA	3, X; 38A = $00
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E53 = $30
182BF	staA	3, X; 38B = $30
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182BC	ldaA	3, Y; 1E54 = $05
182BF	staA	3, X; 38C = $05
182C1	incX
182C2	incY
182C4	decB
182C5	bne	L82BC
182C7	ldaA	#$01
182C9	staA	L1E82; 1E82 = $01
182CC	call	L8883; 3FA = $CF, 3F9 = $82
18883	ldaB	L0386; 386 = $35
18886	andB	#%10111111
18888	tBA
18889	beq	L8899
1888B	cmpB	#$08
1888D	bhi	L8895
18895	subB	#$10
18897	bcc	L889F
1889F	cmpB	#$2F
188A1	bhi	L88A8
188A3	ldX	#$8805
188A6	jr	L88B3
188B3	aBX
188B4	aBX
188B5	ldX	0, X; 1884F = $9E, 18850 = $A2
188B7	beq	L88D9
188B9	brset	L0088, #%00010000, L88D5; 88 = $02
188BD	ldaB	L1E7F; 1E7F = $07
188C0	cmpB	0, X; 19EA2 = $07
188C2	bhi	L88C8
188C4	cmpB	1, X; 19EA3 = $07
188C6	bcc	L88D0
188D0	bset	L0088, #%00010000; 88 = $02, 88 = $12
188D3	jmp	4, X
19EA6	ldX	#$0386
19EA9	call	LB00D; 3F8 = $AC, 3F7 = $9E
1B00D	brset	L007A, #%00001000, LB036; 7A = $80
1B011	tst	L1B91; 1B91 = $00
1B014	bne	LB036
1B016	ldaB	L3B01; 3B01 = $1E
1B019	bitB	#%00000001
1B01B	bne	LB042
1B01D	pushX; 3F6 = $86, 3F5 = $03
1B01E	ldX	L200A; 200A = $E5, 200B = $7F
1B021	cmpX	#$DEAD
1B024	popX; 3F4 = $00, 3F5 = $03, 3F6 = $86
1B025	beq	LB042
1B027	ldaB	L3B04; 3B04 = $00
1B02A	incB
1B02B	beq	LB042
1B02D	tst	L0E3D; E3D = $00
1B030	bne	LB042
1B032	brset	L008C, #%00000001, LB042; 8C = $01
1B042	clrA
1B043	ret; 3F6 = $86, 3F7 = $9E, 3F8 = $AC
19EAC	tstA
19EAD	beq	L9EB2
19EB2	ldD	2, X; 388 = $20, 389 = $00
19EB4	cmpD	#$0480
19EB8	bls	L9EBE
19EBA	ldaA	#$53
19EBC	jr	L9F00
19F00	staA	2, X; 388 = $53
19F02	ldaA	#$03
19F04	jmp	LAF9F
1AF9F	bclr	L0088, #%00010000; 88 = $12, 88 = $02
1AFA2	tstA
1AFA3	beq	LAFA8
1AFA5	staA	L1E7F; 1E7F = $03
1AFA8	ldaA	L0386; 386 = $35
1AFAB	oraA	#%01000000
1AFAD	staA	L0386; 386 = $75
1AFB0	ldX	#$C603
1AFB3	call	LBD43; 3F8 = $B6, 3F7 = $AF
1BD43	ldaB	16, X; 1C613 = $00
1BD45	ldY	#$1F9A
1BD49	aBY
1BD4B	tPA
1BD4C	di
1BD4D	ldaB	15, X; 1C612 = $01
1BD4F	oraB	0, Y; 1F9A = $04
1BD52	staB	0, Y; 1F9A = $05
1BD55	tAP
1BD56	ret; 3F6 = $86, 3F7 = $AF, 3F8 = $B6
1AFB6	bset	L0088, #%00100000; 88 = $02, 88 = $22
1AFB9	clrA
1AFBA	brclr	L0088, #%00010000, LAFBF; 88 = $22
1AFBF	ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF	tstA
182D0	bne	L82F0
182D2	ldY	L1E7D; 1E7D = $1E, 1E7E = $4B
182D6	ldaA	#$00
182D8	staA	15, Y; 1E5A = $00
182DB	ldD	L1E7D; 1E7D = $1E, 1E7E = $4B
182DE	addD	#$0010
182E1	cmpD	#$1E7B
182E5	bcs	L82EA
182EA	stD	L1E7D; 1E7D = $1E, 1E7E = $5B
182ED	jmp	L8271
18271	brset	L0088, #%00100000, L8284; 88 = $22
18284	jr	L82F0
182F0	ret; 3FA = $CF, 3FB = $56, 3FC = $7B
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Disassembly

Post by sabercatpuck »

And here we have first the mode 27 01 get seed, and the follow-up 27 02 send key.

Code:

address	data
19971	ldaA	L0387; 387 = $01
19974	bitA	#%00000001
19976	beq	L99B1
19978	ldaB	L3B01; 3B01 = $1E
1997B	bitB	#%00000001
1997D	bne	L999F
1997F	ldaB	L3B04; 3B04 = $00
19982	incB
19983	beq	L999F
19985	tst	L0E3D; E3D = $00
19988	bne	L999F
1998A	ldX	L200A; 200A = $E5, 200B = $7F
1998D	cmpX	#$DEAD
19990	beq	L999F
19992	tst	L1E93; 1E93 = $00
19995	beq	L999B
1999B	brclr	L008C, #%00000001, L99A4; 8C = $00
199A4	ldX	L0E00; E00 = $63, E01 = $AC
199A7	stX	L0388; 388 = $63, 389 = $AC
199AA	bset	L008C, #%00000100; 8C = $00, 8C = $04
199AD	ldaA	#$04
199AF	jr	L99F3
199F3	jmp	LAF9F
1AF9F	bclr	L0088, #%00010000; 88 = $12, 88 = $02
1AFA2	tstA
1AFA3	beq	LAFA8
1AFA5	staA	L1E7F; 1E7F = $04
1AFA8	ldaA	L0386; 386 = $27
1AFAB	oraA	#%01000000
1AFAD	staA	L0386; 386 = $67
1AFB0	ldX	#$C603
1AFB4	call	LBD43; 3F8 = $B6, 3F7 = $AF
1BD43	ldaB	16, X; 1C613 = $00
1BD45	ldY	#$1F9A
1BD49	aBY
1BD4B	tPA
1BD4C	di
1BD4D	ldaB	15, X; 1C612 = $01
1BD4F	oraB	0, Y; 1F9A = $00
1BD52	staB	0, Y; 1F9A = $01
1BD55	tAP
1BD56	ret; 3F6 = $B8, 3F7 = $AF, 3F8 = $B6
1AFB6	bset	L0088, #%00100000; 88 = $02, 88 = $22
1AFB9	clrA
1AFBA	brclr	L0088, #%00010000, LAFBF; 88 = $22
1AFBF	ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF	tstA
182D0	bne	L82F0
182D2	ldY	L1E7D; 1E7D = $1E, 1E7E = $4B
182D6	ldaA	#$00
182D8	staA	15, Y; 1E5A = $00
182DB	ldD	L1E7D; 1E7D = $1E, 1E7E = $4B
182DE	addD	#$0010
182E1	cmpD	#$1E7B
182E5	bcs	L82EA
182EA	stD	L1E7D; 1E7D = $1E, 1E7E = $5B
182ED	jmp	L8271
18271	brset	L0088, #%00100000, L8284; 88 = $22
18284	jr	L82F0
182F0	ret; 3FA = $CF, 3FB = $56, 3FC = $7B

address	data
19971	ldaA	L0387; 387 = $02
19974	bitA	#%00000001
19976	beq	L99B1
199B1	tst	L1E93; 1E93 = $00
199B4	beq	L99BF
199BF	brset	L008C, #%00000100, L99C7; 8C = $04
199C7	bclr	L008C, #%00000100; 8C = $04, 8C = $00
199CA	ldX	L0388; 388 = $1E, 389 = $7C
199CD	cmpX	L0E02; E02 = $1E, E03 = $7C
199D0	beq	L99E9
199E9	bset	L008C, #%00000001; 8C = $00, 8C = $01
199EC	ldaA	#$34
199EE	jr	L99B8
199B8	staA	L0388; 388 = $34
199BB	ldaA	#$03
199BD	jr	L99F3
199F3	jmp	LAF9F
1AF9F	bclr	L0088, #%00010000; 88 = $12, 88 = $02
1AFA2	tstA
1AFA3	beq	LAFA8
1AFA5	staA	L1E7F; 1E7F = $03
1AFA8	ldaA	L0386; 386 = $27
1AFAB	oraA	#%01000000
1AFAD	staA	L0386; 386 = $67
1AFB0	ldX	#$C603
1AFB3	call	LBD43; 3F8 = $B6, 3F7 = $AF
1BD43	ldaB	16, X; 1C613 = $00
1BD49	aBY
1BD4B	tPA
1BD4C	di
1BD4D	ldaB	15, X; 1C612 = $01
1BD4F	oraB	0, Y; 1F9A = $00
1BD52	staB	0, Y; 1F9A = $01
1BD55	tAP
1BD56	ret; 3F6 = $00, 3F7 = $AF, 3F8 = $B6
1AFB6	bset	L0088, #%00100000; 88 = $02, 88 = $22
1AFB9	clrA
1AFBA	brclr	L0088, #%00010000, LAFBF; 88 = $22
1AFBF	ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF	tstA
182D0	bne	L82F0
182D2	ldY	L1E7D; 1E7D = $1E, 1E7E = $5B
182D6	ldaA	#$00
182D8	staA	15, Y; 1E6A = $00
182DB	ldD	L1E7D; 1E7D = $1E, 1E7E = $5B
182DE	addD	#$0010
182E1	cmpD	#$1E7B
182E5	bcs	L82EA
182EA	stD	L1E7D; 1E7D = $1E, 1E7E = $6B
182ED	jmp	L8271
18271	brset	L0088, #%00100000, L8284; 88 = $22
18284	jr	L82F0
182F0	ret; 3FA = $CF, 3FB = $56, 3FC = $7B
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Disassembly

Post by sabercatpuck »

Well, now that I have my board together to make reflashing the memory easier, I started looking at the ROM sanity check area for ways to easily disable it without totally blowing it out of the water. It looks to me like there are 2 (it looks like the checksum at $200A may be for the sections that are vehicle specific, and $4009 for the main code that is common to all) or more main areas that it treats separately, with the main code being treated as a single mass, but weirdly it is checked twice. If I see things right I can probably disable the main ROM routine by simply changing these two bytes:
change 04136 from 27 (beq) to 20 (bra, jr)
change 07947 from 27 (beq) to 20 (bra, jr)
That would mean that no matter what was in the main program memory it would proceed on as if there were no problems (it will be nice after I have things the way I want them as well, since I can just look at what it is comparing after it finishes adding things up and put that in rather than having to figure it out myself). I also think, looking through some of the code fragments, that they may have a trap for development or a new board (or both), because there are several places in there where it will go off and do something different if the memory locations for the checksums are instead reading $DEAD. (Quick edit: I see now even in the code above for mode 27 that it traps out $DEAD.)

Below are a few of the code snippets around the actual comparison points; the rest is still available in the files posted earlier:

Code:

4009	L4009:	dw	$EDC4
 
411C	L411C	ldD	#$0000
411F		stD	L03AE
4122		stD	L1810
4125		ldaA	L0176
4128		bitA	#%00100001
412A		bne	L4144
412C		bset	L0003, #%01000000
412F		call	L7989
4132		cmpY	L4009
4136		beq	L4144
4138		ldD	L4009
413B		cmpD	#$DEAD
413F		beq	L4144
4141		jmp	L4197

793D	L793D	bset	L0065, #%00100000
7940		ldD	L4009
7943		cmpD	L1D3C
7947		beq	L794F
7949		cmpD	#$DEAD
794D		bne	L795C

41A0	L41A0	ldX	#$200C
41A3		call	LECA8
41A6		ldX	L200A
41A9		cmpX	#$DEAD
41AC		beq	L41BC
41AE		ldaA	HPRIO
41B1		andA	#%11101111
41B3		staA	HPRIO
41B6		cmpY	L200A
41BA		bne	L41C7
41BC	L41BC	ldaA	L2009
41BF		cmpA	#$67
41C1		beq	L41CF
41C3		cmpA	#$AA
41C5		beq	L41CF
41C7	L41C7	ldX	L0187

43BA	L43BA	call	L592F
43BD		call	LECE2
43C0		ldX	L200A
43C3		cmpX	#$DEAD
43C6		beq	L43D9
43C8		cmpA	L0E3A
43CB		beq	L43D1
43CD		ldaA	#$01
43CF		jr	L43D2

4B50	E4b50:
4B50		ldD	L200A
4B53		cmpD	#$DEAD
4B57		bne	L4B73
4B59		ldD	TCNThi
4B5C		subD	L1D5E
4B5F		xgDY	
4B61		ldX	#$1D3E
4B64		ldaB	L0000
4B66		andB	#%00001111
4B68		lslB	
4B69		aBX	

Last edited by sabercatpuck on Mon Feb 01, 2010 1:53 am, edited 1 time in total.
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Disassembly

Post by sabercatpuck »

Hmm, interesting. I made the two changes above and it worked; I can now make changes to the source code at will without it faulting out. What is interesting is that I then added a small snippet of program to try and read in the RAM areas of memory from $0000 to $2000 whenever I would run the mode $27 security access (I figured if I could be sure that I would not mess anything up it would be right after I passed security access). When it got to memory location $00669 it spontaneously reset. I thought I must have hit the COP time limit, so I added a couple of calls to memory locations that seem to be there to reset the COP while it is doing extended memory reads, but no dice. As near as I can tell right now, reading memory location $00669 will cause a reset.

Code:

	ldx	#$0000
lbackup	ldaa	0,x		; lbackup = $3 (offset of this instruction in the block)
	incx
	cmpx	#$0600
	bne	lbackup
	call	$5834
	call	$5840
	; (repeat as needed)
	jmp	$8271		; back to where I was when I intercepted it


182ee d6 00

1d600 CE 00 00 A6 00 08 8C 06 00 26 F8 bd 58 34 bd 58 40
1d611 CE 06 00 A6 00 08 8C 0c 00 26 F8 bd 58 34 bd 58 40
1d622 CE 0c 00 A6 00 08 8C 12 00 26 F8 bd 58 34 bd 58 40
1d633 CE 12 00 A6 00 08 8C 18 00 26 F8 bd 58 34 bd 58 40
1d644 CE 18 00 A6 00 08 8C 1e 00 26 F8 bd 58 34 bd 58 40
1d655 CE 00 00 A6 00 08 8C 06 00 26 F8 bd 58 34 bd 58 40

7E 82 71
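
As an added example (mine, not the author's code), here is a disassembler for only the seven opcodes the patch above uses, with two sanity checks for hand assembly: that every bne offset lands on an instruction boundary, and that the blocks tile RAM so each cmpx limit is the next block's ldx start. It assumes the core uses 68HC11 encodings for these opcodes and that the leading 1 in addresses such as 1d600 is a bank digit, so the blocks sit at $D600, $D611 and so on within that bank.

```python
# Added example (not the author's code): disassemble the hand-assembled RAM dump
# patch above with a table of the seven 68HC11-family opcodes it uses, then check
# the two things that usually go wrong when assembling by hand.  Assumption: HC11
# encodings, and the blocks sit at $D600, $D611, ... within the "1" bank.

# opcode -> (mnemonic in this thread's style, operand bytes, operand kind)
OPS = {
    0xCE: ("ldx",  2, "imm16"),
    0xA6: ("ldaa", 1, "idx"),     # ldaa off,x
    0x08: ("incx", 0, ""),
    0x8C: ("cmpx", 2, "imm16"),
    0x26: ("bne",  1, "rel8"),
    0xBD: ("call", 2, "ext16"),   # jsr extended in HC11 terms
    0x7E: ("jmp",  2, "ext16"),
}

def disassemble(base, code):
    """Return [(address, mnemonic, operand, branch/jump target or None)]."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPS:
            raise ValueError(f"opcode {op:02X} at {base + pc:04X} not in this mini table")
        mnem, size, kind = OPS[op]
        operand = int.from_bytes(code[pc + 1:pc + 1 + size], "big") if size else None
        if kind == "rel8":    # signed offset from the byte after the instruction
            target = base + pc + 2 + (operand - 256 if operand > 127 else operand)
        else:
            target = operand if kind == "ext16" else None
        out.append((base + pc, mnem, operand, target))
        pc += 1 + size
    return out

def check_block(base, code):
    """Every bne must land on an instruction; return (start, limit) of the read loop."""
    insns = disassemble(base, code)
    starts = {addr for addr, _, _, _ in insns}
    for addr, mnem, _, target in insns:
        if mnem == "bne" and target not in starts:
            raise ValueError(f"bne at {addr:04X} targets {target:04X}, mid-instruction")
    start = next(opnd for _, m, opnd, _ in insns if m == "ldx")
    limit = next(opnd for _, m, opnd, _ in insns if m == "cmpx")
    return start, limit

def check_chain(blocks):
    """Blocks should tile RAM: each cmpx limit must equal the next block's ldx start."""
    ranges = [check_block(base, bytes.fromhex(hexs)) for base, hexs in blocks]
    breaks = [(ranges[i][1], ranges[i + 1][0]) for i in range(len(ranges) - 1)
              if ranges[i][1] != ranges[i + 1][0]]
    return ranges, breaks

# The six blocks exactly as posted (the two 166xx addresses read as 1d6xx).
BLOCKS = [
    (0xD600, "CE 00 00 A6 00 08 8C 06 00 26 F8 BD 58 34 BD 58 40"),
    (0xD611, "CE 06 00 A6 00 08 8C 0C 00 26 F8 BD 58 34 BD 58 40"),
    (0xD622, "CE 0C 00 A6 00 08 8C 12 00 26 F8 BD 58 34 BD 58 40"),
    (0xD633, "CE 12 00 A6 00 08 8C 18 00 26 F8 BD 58 34 BD 58 40"),
    (0xD644, "CE 18 00 A6 00 08 8C 1E 00 26 F8 BD 58 34 BD 58 40"),
    (0xD655, "CE 00 00 A6 00 08 8C 06 00 26 F8 BD 58 34 BD 58 40"),
]

if __name__ == "__main__":
    for addr, mnem, opnd, tgt in disassemble(BLOCKS[0][0], bytes.fromhex(BLOCKS[0][1])):
        opstr = "" if opnd is None else (f"{opnd},x" if mnem == "ldaa" else f"${opnd:04X}")
        arrow = "" if tgt is None else f"  -> ${tgt:04X}"
        print(f"{addr:04X}  {mnem:5} {opstr}{arrow}")
    ranges, breaks = check_chain(BLOCKS)
    print("read loops:", [f"${lo:04X}-${hi:04X}" for lo, hi in ranges])
    print("chain breaks (limit -> next start):", [f"${a:04X}->${b:04X}" for a, b in breaks])
```

Run as a script it lists the first block and reports one chain break: the sixth block at $D655 restarts the loop at $0000 instead of continuing from $1E00.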
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: '99 Saturn Disassembly

Post by antus »

For the first check, what happens if you write DEAD to 0x4009 instead of patching the code? That might be the official 'no checksum test' method, like setting the program ID to AA in the OBD1 ECMs.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Disassembly

Post by sabercatpuck »

I wanted to make sure I had the memory (especially the EEPROM) mapped out before I started messing around with things that might put it into a mode where it is looking for something and would wipe out the EEPROM on me. Now that I have that... here are the pertinent numbers from my EEPROM section; everything after that is $FF. You can see the seed/key pair glaring back at me from $E00 to $E04:

Code:

00E00	63 Seed
00E01	AC
00E02	1E Key
00E03	7C
00E04	00 PCM # (3c 04)
00E05	F7
00E06	E6
00E07	4E
00E08	34 (3c 05)
00E09	51
00E0A	4A
00E0B	44
00E0C	41 (3c 06)
00E0D	4A
00E0E	38
00E0F	33
00E10	31 (3c 07)
00E11	34
00E12	03
00E13	03
00E14	21
00E15	02
00E16	39
00E17	40
00E18	21 (3c 09)
00E19	00
00E1A	89
00E1B	32
00E1C	FF
00E1D	FF
00E1E	FF
00E1F	FF
00E20	21 (3c 08)
00E21	00
00E22	89
00E23	20
00E24	FF
00E25	31 VIN part 1 (3c 01)
00E26	47
00E27	38
00E28	5A
00E29	4B
00E2A	35 VIN part 2 (3c 02)
00E2B	32
00E2C	37
00E2D	38
00E2E	58
00E2F	5A
00E30	32 VIN part 3 (3c 03)
00E31	31
00E32	31
00E33	31
00E34	31
00E35	30
00E36	7F
00E37	04
00E38	DC
00E39	6D
00E3A	A2
00E3B	FF
00E3C	FF
00E3D	00
00E3E	FF
00E3F	FF
00E40	00
00E41	00
00E42	00
00E43	00
00E44	00
00E45	F0
00E46	00
00E47	34
00E48	01
00E49	FF
00E4A	FF
00E4B	FF
00E4C	FF
00E4D	FF
00E4E	FF
00E4F	20
By the way, apparently this chest cold I have is fogging my brain a little: I needed to make sure to shut off the interrupts first. I was running into the TOC4 interrupt; after I included the SEI and CLI in the code, it worked much better.
Last edited by sabercatpuck on Sun Jan 31, 2010 4:54 pm, edited 2 times in total.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: '99 Saturn Disassembly

Post by antus »

I wonder if the ECU code is vulnerable to some kind of malformed ALDL request to an unlocked mode to make it return the key from EEPROM in the locked state? Hmmm.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Disassembly

Post by sabercatpuck »

Well, a quick look through the code shows that there are things it will do differently if $200A = $DEAD in mode $27 (security access), $2C (define diagnostic data packet), $34 (request download), $35 (request upload), and $3F (test device present). Seems likely this is some sort of developer mode, or the way that the ECMs come when there is nothing loaded in them (or both).
VL400
Posts: 4991
Joined: Sun Mar 01, 2009 2:54 pm
cars: VL Calais and Toyota Landcruiser. Plus some toys :)
Location: Perth, WA

Re: '99 Saturn Disassembly

Post by VL400 »

Mode 34 is used to upload routines and then execute them; you can use it for uploading a bin dumper routine or a flash erase/write routine.

Edit: Corrected mode