'99 Saturn Disassembly

Posts: 67
Joined: Thu Jan 14, 2010 1:03 am

Re: '99 Saturn Disassembly

Postby sabercatpuck » Fri Jan 22, 2010 1:53 am

Well, this took a while, so I am not planning on doing it much (unless I build a program to do it for me), but I merged a section out of the code with data from the logic analyzer so that you can actually step through it and see what is happening, while it is happening. This goes from the initial check through the return to the main loop. I went with a mode 22 request since that would hopefully give me some insight into how the PIDs are set up too.
Send 6c 10 f1 22 11 01 01
Recv 6C F1 10 62 11 01 A1 FA

18190   ldY   L1E3A; 1E3A = $1df8
18194   ldaA   15, Y; 1E07 = $AA
18197   cmpA   #$AA
18199   beq   L819E
1819E   ldaB   0, Y ; 1DF8 = $6C
181A1   xorB   #%00001000
181A3   bitB   #%00011000
181A5   beq   L81AA
181AA   cmpB   #$E0
181AC   bcs   L81B1
181B1   bitB   #%00000100
181B3   bne   L81C2
181C2   ldaA   1, Y ; 1DF9 = $10
181C5   cmpA   #$FE
181C7   bne   L81E3
181E3   cmpA   LC251 ; 1C251 = $10
181E6   beq   L81F8
181F8   ldX   L1E7B ; 1E7B = $1E, 1E7C = $5B
181FB   ldaA   15, X ; 1E6A = $00
181FD   cmpA   #$AA
181FF   bne   L820B
1820B   ldD   0, Y ; 1DF8 = $6C, 1DF9 = $10
1820E   stD   0, X ; 1E5B = $6C, 1E5C = $10
18210   ldD   2, Y ; 1DFA = $F1, 1DFB = $22
18213   stD   2, X ; 1E5D = $F1, 1E5E = $22
18215   ldD   4, Y ; 1DFC = $11, 1DFD = $01
18218   stD   4, X ; 1E5F = $11, 1E60 = $01
1821A   ldD   6, Y ; 1DFE = $01, 1DFF = $01
1821D   stD   6, X ; 1E61 = $01, 1E62 = $01
1821F   ldD   8, Y ; 1E00 = $12, 1E01 = $00
18222   stD   8, X ; 1E63 = $12, 1E64 = $00
18224   ldD   10, Y; 1E02 = $00, 1E03 = $00
18227   stD   10, X; 1E65 = $00, 1E66 = $00
18229   ldD   12, Y; 1E04 = $1D, 1E05 = $FF
1822C   stD   12, X; 1E67 = $1D, 1E68 = $FF
1822E   ldD   14, Y; 1E06 = $00, 1E07 = $AA
18231   stD   14, X; 1E69 = $00, 1E6A = $AA
18233   ldD   12, Y; 1E04 = $1D, 1E05 = $FF
18236   subD   L1E3A; 1E3A = $1D, 1E3B = $F8
18239   aBX
1823A   ldY   L1E7B; 1E7B = $1E, 1E7C = $5B
1823E   stX   12, Y; 1E67 = $1E, 1E68 = $62
18241   ldD   L1E7B; 1E7B = $1E, 1E7C = $5B
18244   addD   #$0010
18247   cmpD   #$1E7B
1824B   bcs   L8250
18250   stD   L1E7B; 1E7B = $1E, 1E7C = $6B
18253   ldY   L1E3A; 1E3A = $1D, 1E3B = $F8
18257   ldaA   #$00
18259   staA   15, Y; 1E07 = $00
1825C   ldD   L1E3A; 1E3A = $1D, 1E3B = $F8
1825F   addD   #$0010
18262   cmpD   #$1E38
18266   bcs   L826B
1826B   stD   L1E3A; 1E3A = $1E, 1E3B = $08
1826E   jmp   E8190
18190   ldY   L1E3A; 1E3A = $1E, 1E3B = $08
18194   ldaA   15, Y; 1E17 = $00
18197   cmpA   #$AA
18199   beq   L819E
1819B   jmp   L8271
18271   brset   L0088, #%00100000, L8284; 88 = $02
18275   brset   L0088, #%00010000, L82CC; 88 = $02
18279   ldY   L1E7D; 1E7D = $1E, 1E7E = $5B
1827D   ldaA   15, Y; 1E6A = $AA
18280   cmpA   #$AA
18282   beq   L8286
18286   ldX   #$0383
18289   ldaB   0, Y; 1E5B = $6C
1828C   bitB   #%00000100
1828E   bne   L82A2
182A2   ldaA   0, Y; 1E5B = $6C
182A5   staA   0, X; 383 = $6C
182A7   ldaA   2, Y; 1E5D = $F1
182AA   staA   1, X; 384 = $F1
182AC   ldaA   LC251; 1C251 = $10
182AF   staA   2, X; 385 = $10
182B1   ldD   12, Y; 1E67 = $1E, 1E68 = $62
182B4   subD   L1E7D; 1E7D = $1E, 1E7E = $5B
182B7   subB   #$03
182B9   staB   L1E7F; 1E7F = $04
182BC   ldaA   3, Y; 1E5E = $22
182BF   staA   3, X; 386 = $22
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E5F = $11
182BF   staA   3, X; 387 = $11
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E60 = $01
182BF   staA   3, X; 388 = $01
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E61 = $01
182BF   staA   3, X; 389 = $01
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182C7   ldaA   #$01
182C9   staA   L1E82; 1E82 = $01
182CC   call   L8883; 3FA = $CF, 3F9 = $82
18883   ldaB   L0386; 386 = $22
18886   andB   #%10111111
18888   tBA
18889   beq   L8899
1888B   cmpB   #$08
1888D   bhi   L8895
18895   subB   #$10
18897   bcc   L889F
1889F   cmpB   #$2F; actually $3f
188A1   bhi   L88A8
188A3   ldX   #$8805
188A6   jr   L88B3
188B3   aBX
188B4   aBX
188B5   ldX   0, X; 18829 = $98, 1882A = $D9
188B7   beq   L88D9
188B9   brset   L0088, #%00010000, L88D5; 88 = $02
188BD   ldaB   L1E7F; 1E7F = $04
188C0   cmpB   0, X; 198D9 = $04
188C2   bhi   L88C8
188C4   cmpB   1, X; 198DA = $04
188C6   bcc   L88D0
188D0   bset   L0088, #%00010000; 88 = $02, 88 = $12
188D3   jmp   4, X
198DD   ldY   #$0386
198E1   ldaA   3, Y; 389 = $01
198E4   cmpA   #$01
198E6   beq   L98EC
198EC   ldD   1, Y; 387 = $11, 388 = $01
198EF   call   LB158; 3F8 = $F2, 3F7 = $98
1B158   cmpA   #$11
1B15A   beq   LB170; TRAP FIRST TWO DIGITS
1B170   ldX   #$B1E4
1B173   jr   LB197
1B197   aBX
1B198   aBX
1B199   ldX   0, X; 1B1E6 = $B6, 1B1E7 = $D8
1B19B   cmpX   #$FFFF
1B19E   jr   LB1A1
1B1A1   ret; 3F6 = $E1, 3F7 = $98, 3F8 = $F2
198F2   bcc   L98E8
198F4   ldaB   #$03
198F6   aBY
198F8   cmpX   #$B58A
198FB   bcs   L9906
198FD   cmpX   #$B958
19900   bhi   L9906
19902   call   1, X; 3F8 = $04, 3F7 = $99
1B6D9   clrA
1B6DA   ldaB   L0054; 54 = $10
1B6DC   bitB   #%00010000
1B6DE   beq   LB6E2
1B6E0   oraA   #%00000001
1B6E2   ldaB   L0058; 58 = $0C
1B6E4   bitB   #%10000000
1B6E6   beq   LB6EA
1B6EA   ldaB   L005F; 5F = $00
1B6EC   bitB   #%10000000
1B6EE   beq   LB6F2
1B6F2   bitB   #%00010000
1B6F4   beq   LB6F8
1B6F8   ldaB   L0058; 58 = $0C
1B6FA   bitB   #%00000010
1B6FC   beq   LB700
1B700   ldaB   L1802; 1802 = $C1
1B703   bitB   #%00000001
1B705   beq   LB709
1B707   oraA   #%00100000
1B709   ldaB   L0071; 71 = $10
1B70B   bitB   #%00001000
1B70D   beq   LB711
1B711   ldaB   L005A; 5A = $18
1B713   bitB   #%00001000
1B715   beq   LB719
1B717   oraA   #%10000000
1B719   jmp   LB969
1B969   staA   0, Y; 389 = $A1
1B96C   ldaB   #$01
1B96E   aBY
1B970   ret; 3F6 = $E1, 3F7 = $99, 3F8 = $04
19904   jr   L990D
1990D   ldaA   #$03
1990F   aBA
19910   jr   L9912
19912   jmp   LAF9F
1AF9F   bclr   L0088, #%00010000; 88 = $12, 88 = $02
1AFA2   tstA
1AFA3   beq   LAFA8
1AFA5   staA   L1E7F; 1E7F = $04
1AFA8   ldaA   L0386; 386 = $22
1AFAB   oraA   #%01000000
1AFAD   staA   L0386; 386 = $62
1AFB0   ldX   #$C603
1AFB3   call   LBD43; 3F8 = $B6, 3F7 = $AF
1BD43   ldaB   16, X; 1C613 = $00
1BD45   ldY   #$1F9A
1BD49   aBY
1BD4B   tPA
1BD4C   di
1BD4D   ldaB   15, X; 1C612 = $01
1BD4F   oraB   0, Y; 1F9A = $04
1BD52   staB   0, Y; 1F9A = $05
1BD55   tAP
1BD56   ret; 3F6 = $E1, 3F7 = $AF, 3F8 = $B6
1AFB6   bset   L0088, #%00100000; 88 = $02, 88 = $22
1AFB9   clrA
1AFBA   brclr   L0088, #%00010000, LAFBF; 88 = $22
1AFBF   ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF   tstA
182D0   bne   L82F0
182D2   ldY   L1E7D; 1E7D = $1E, 1E7E = $5B
182D6   ldaA   #$00
182D8   staA   15, Y; 1E6A = $00
182DB   ldD   L1E7D; 1E7D = $1E, 1E7E = $5B
182DE   addD   #$0010
182E1   cmpD   #$1E7B
182E5   bcs   L82EA
182EA   stD   L1E7D; 1E7D = $1E, 1E7E = $6B
182ED   jmp   L8271
18271   brset   L0088, #%00100000, L8284; 88 = $22
18284   jr   L82F0
182F0   ret; 3FA = $CF, 3FB = $56, 3FC = $7B
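The merged trace above is regular enough to parse mechanically. The Python below is an added example, not the poster's program or the PCM's code: it reads the `address   mnemonic   operands; addr = $val` lines, keeps the last observed value per address (a store line lists the old value and then the new one), and shows from a handful of lines copied out of the trace above that the reply 6C F1 10 62 11 01 A1 is assembled in place over the request buffer at $383 (mode byte ORed with $40 at 1AFAD, the PID value stored at 1B969). The function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Trace lines copied from the mode 22 walk-through above (request copy into the
# $383 buffer, the handler's reply byte, and the final status/mode stores).
SAMPLE_TRACE = """
182A5   staA   0, X; 383 = $6C
182AA   staA   1, X; 384 = $F1
182AF   staA   2, X; 385 = $10
182B9   staB   L1E7F; 1E7F = $04
182BF   staA   3, X; 386 = $22
182BF   staA   3, X; 387 = $11
182BF   staA   3, X; 388 = $01
182BF   staA   3, X; 389 = $01
188D0   bset   L0088, #%00010000; 88 = $02, 88 = $12
1B969   staA   0, Y; 389 = $A1
1AF9F   bclr   L0088, #%00010000; 88 = $12, 88 = $02
1AFA5   staA   L1E7F; 1E7F = $04
1AFAD   staA   L0386; 386 = $62
"""

# One line: 5-digit hex PC, mnemonic, operands, optional "; addr = $vv, ..." note.
LINE_RE = re.compile(
    r"^\s*(?P<pc>[0-9A-Fa-f]{5})\s+(?P<mnem>\w+)\s*(?P<ops>[^;]*?)\s*(?:;\s*(?P<note>.*))?$"
)
# "addr = $vv" (the thread also has "addr - $vv" typos); a 4-digit value such as
# "$1df8" is a 16-bit register dump and is split over addr and addr+1.
OBS_RE = re.compile(r"\b([0-9A-Fa-f]{1,5})\s*[=-]\s*\$([0-9A-Fa-f]{2,4})\b")

@dataclass
class Step:
    pc: int
    mnem: str
    ops: str
    obs: List[Tuple[int, int]] = field(default_factory=list)  # (addr, value), note order

def parse_trace(text: str) -> List[Step]:
    """Turn the merged trace into Step records; headers and blank lines are skipped."""
    steps: List[Step] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        obs: List[Tuple[int, int]] = []
        for addr_s, val_s in OBS_RE.findall(m.group("note") or ""):
            addr, val = int(addr_s, 16), int(val_s, 16)
            if len(val_s) == 4:
                obs += [(addr, val >> 8), (addr + 1, val & 0xFF)]
            else:
                obs.append((addr, val))
        steps.append(Step(int(m.group("pc"), 16), m.group("mnem"), m.group("ops").strip(), obs))
    return steps

def memory_snapshot(steps: List[Step]) -> Dict[int, int]:
    """Last observed value per address; a store line lists old then new, so new wins."""
    mem: Dict[int, int] = {}
    for s in steps:
        for addr, val in s.obs:
            mem[addr] = val
    return mem

def read_block(mem: Dict[int, int], base: int, length: int) -> list:
    """Bytes of a buffer as the trace last saw them (None where never observed)."""
    return [mem.get(base + i) for i in range(length)]

def writes_to(steps: List[Step], addr: int) -> List[Tuple[int, str, int]]:
    """(pc, mnemonic, new value) for every store or bit-set/clear step that wrote addr."""
    hits = []
    for s in steps:
        if s.mnem.lower().startswith(("st", "bset", "bclr")):
            vals = [v for a, v in s.obs if a == addr]
            if vals:
                hits.append((s.pc, s.mnem, vals[-1]))
    return hits

if __name__ == "__main__":
    mem = memory_snapshot(parse_trace(SAMPLE_TRACE))
    # The reply is assembled in place over the request buffer: 6C F1 10 62 11 01 A1
    print(" ".join(f"{b:02X}" for b in read_block(mem, 0x383, 7)))
```

Feeding it a whole post's trace instead of the sample gives the final state of every annotated address, which is what the logic analyzer dump is otherwise hiding in 200 lines.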



Re: '99 Saturn Disassembly

Postby sabercatpuck » Sat Jan 23, 2010 3:15 pm

Since I am making an effort to learn the mode 35 stuff so I can hopefully use it in the future, I went ahead and slogged through that section of the memory. At this point I don't seem to be getting something right with the mode 35 request, though. I am sending 35 01 00 06 00 50 00 and getting 75 01 51 back, which should theoretically be giving me back 6 bytes of data from location $5000, but I don't seem to be getting that. Note that when I took the snapshot below I was trying a different number on the mode 35 request, but with the same result.

18190   ldY   L1E3A; 1E3A = $1E, 1E3B = $08
18194   ldaA   15, Y; 1E17 = $AA
18197   cmpA   #$AA
18199   beq   L819E
1819E   ldaB   0, Y; 1E08 = $6C
181A1   xorB   #%00001000
181A3   bitB   #%00011000
181A5   beq   L81AA
181AA   cmpB   #$E0
181AC   bcs   L81B1
181B1   bitB   #%00000100
181B3   bne   L81C2
181C2   ldaA   1, Y; 1E09 = $10
181C5   cmpA   #$FE
181C7   bne   L81E3
181E3   cmpA   LC251; 1C251 = $10
181E6   beq   L81F8
181F8   ldX   L1E7B; 1E7B = $1E, 1E7C = $4B
181FB   ldaA   15, X; 1E5A = $00
181FD   cmpA   #$AA
181FF   bne   L820B
1820B   ldD   0, Y; 1E08 = $6C, 1E09 = $10
1820E   stD   0, X; 1E4B = $6C, 1E4C = $10
18210   ldD   2, Y; 1E0A = $F1, 1E0B = $35
18213   stD   2, X; 1E4D = $F1, 1E4E = $35
18215   ldD   4, Y; 1E0C = $01, 1E0D = $20
18218   stD   4, X; 1E4F = $01, 1E50 = $20
1821A   ldD   6, Y; 1E0E = $00, 1E0F = $00
1821D   stD   6, X; 1E51 = $00, 1E52 = $00
1821F   ldD   8, Y; 1E10 = $30, 1E11 = $05
18222   stD   8, X; 1E53 = $30, 1E54 = $05
18224   ldD   10, Y; 1E12 = $00, 1E13 = $00
18227   stD   10, X; 1E55 = $00, 1E56 = $00
18229   ldD   12, Y; 1E14 = $1E, 1E15 = $12
1822C   stD   12, X; 1E57 = $1E, 1E58 = $12
1822E   ldD   14, Y; 1E16 = $00, 1E17 = $AA
18231   stD   14, X; 1E59 = $00, 1E5A = $AA
18233   ldD   12, Y; 1E14 = $1E, 1E15 = $12
18236   subD   L1E3A; 1E3A = $1E, 1E3B = $08
18239   aBX
1823A   ldY   L1E7B; 1E7B = $1E, 1E7C = $4B
1823E   stX   12, Y; 1E57 = $1E, 1E58 = $55
18241   ldD   L1E7B; 1E7B = $1E, 1E7C = $4B
18244   addD   #$0010
18247   cmpD   #$1E7B
1824B   bcs   L8250
18250   stD   L1E7B; 1E7B = $1E, 1E7C = $5B
18253   ldY   L1E3A; 1E3A = $1E, 1E3B = $08
18257   ldaA   #$00
18259   staA   15, Y; 1E17 = $00
1825C   ldD   L1E3A; 1E3A = $1E, 1E3B = $08
1825F   addD   #$0010
18262   cmpD   #$1E38
18266   bcs   L826B
1826B   stD   L1E3A; 1E3A = $1E, 1E3B = $18
1826E   jmp   E8190
18190   ldY   L1E3A; 1E3A = $1E, 1E3B = $18
18194   ldaA   15, Y; 1E27 = $00
18197   cmpA   #$AA
18199   beq   L819E
1819B   jmp   L8271
18271   brset   L0088, #%00100000, L8284; 88 = $02
18275   brset   L0088, #%00010000, L82CC; 88 = $02
18279   ldY   L1E7D; 1E7D = $1E, 1E7E = $4B
1827D   ldaA   15, Y; 1E5A = $AA
18280   cmpA   #$AA
18282   beq   L8286
18286   ldX   #$0383
18289   ldaB   0, Y; 1E4B = $6C
1828C   bitB   #%00000100
1828E   bne   L82A2
182A2   ldaA   0, Y; 1E4B = $6C
182A5   staA   0, X; 383 = $6C
182A7   ldaA   2, Y; 1E4D = $F1
182AA   staA   1, X; 384 = $F1
182AC   ldaA   LC251; 1C251 = $10
182AF   staA   2, X; 385 = $10
182B1   ldD   12, Y; 1E57 = $1E, 1E58 = $55
182B4   subD   L1E7D; 1E7D = $1E, 1E7E = $4B
182B7   subB   #$03
182B9   staB   L1E7F; 1E7F = $07
182BC   ldaA   3, Y; 1E4E = $35
182BF   staA   3, X; 386 = $35
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E4F = $01
182BF   staA   3, X; 387 = $01
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E50 = $20
182BF   staA   3, X; 388 = $20
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E51 = $00
182BF   staA   3, X; 389 = $00
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E52 = $00
182BF   staA   3, X; 38A = $00
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E53 = $30
182BF   staA   3, X; 38B = $30
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 1E54 = $05
182BF   staA   3, X; 38C = $05
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182C7   ldaA   #$01
182C9   staA   L1E82; 1E82 = $01
182CC   call   L8883; 3FA = $CF, 3F9 = $82
18883   ldaB   L0386; 386 = $35
18886   andB   #%10111111
18888   tBA
18889   beq   L8899
1888B   cmpB   #$08
1888D   bhi   L8895
18895   subB   #$10
18897   bcc   L889F
1889F   cmpB   #$2F
188A1   bhi   L88A8
188A3   ldX   #$8805
188A6   jr   L88B3
188B3   aBX
188B4   aBX
188B5   ldX   0, X; 1884F = $9E, 18850 = $A2
188B7   beq   L88D9
188B9   brset   L0088, #%00010000, L88D5; 88 = $02
188BD   ldaB   L1E7F; 1E7F = $07
188C0   cmpB   0, X; 19EA2 = $07
188C2   bhi   L88C8
188C4   cmpB   1, X; 19EA3 = $07
188C6   bcc   L88D0
188D0   bset   L0088, #%00010000; 88 = $02, 88 = $12
188D3   jmp   4, X
19EA6   ldX   #$0386
19EA9   call   LB00D; 3F8 = $AC, 3F7 = $9E
1B00D   brset   L007A, #%00001000, LB036; 7A = $80
1B011   tst   L1B91; 1B91 = $00
1B014   bne   LB036
1B016   ldaB   L3B01; 3B01 = $1E
1B019   bitB   #%00000001
1B01B   bne   LB042
1B01D   pushX; 3F6 = $86, 3F5 = $03
1B01E   ldX   L200A; 200A = $E5, 200B = $7F
1B021   cmpX   #$DEAD
1B024   popX; 3F4 = $00, 3F5 = $03, 3F6 = $86
1B025   beq   LB042
1B027   ldaB   L3B04; 3B04 = $00
1B02A   incB
1B02B   beq   LB042
1B02D   tst   L0E3D; E3D = $00
1B030   bne   LB042
1B032   brset   L008C, #%00000001, LB042; 8C = $01
1B042   clrA
1B043   ret; 3F6 = $86, 3F7 = $9E, 3F8 = $AC
19EAC   tstA
19EAD   beq   L9EB2
19EB2   ldD   2, X; 388 = $20, 389 = $00
19EB4   cmpD   #$0480
19EB8   bls   L9EBE
19EBA   ldaA   #$53
19EBC   jr   L9F00
19F00   staA   2, X; 388 = $53
19F02   ldaA   #$03
19F04   jmp   LAF9F
1AF9F   bclr   L0088, #%00010000; 88 = $12, 88 = $02
1AFA2   tstA
1AFA3   beq   LAFA8
1AFA5   staA   L1E7F; 1E7F = $03
1AFA8   ldaA   L0386; 386 = $35
1AFAB   oraA   #%01000000
1AFAD   staA   L0386; 386 = $75
1AFB0   ldX   #$C603
1AFB3   call   LBD43; 3F8 = $B6, 3F7 = $AF
1BD43   ldaB   16, X; 1C613 = $00
1BD45   ldY   #$1F9A
1BD49   aBY
1BD4B   tPA
1BD4C   di
1BD4D   ldaB   15, X; 1C612 = $01
1BD4F   oraB   0, Y; 1F9A = $04
1BD52   staB   0, Y; 1F9A = $05
1BD55   tAP
1BD56   ret; 3F6 = $86, 3F7 = $AF, 3F8 = $B6
1AFB6   bset   L0088, #%00100000; 88 = $02, 88 = $22
1AFB9   clrA
1AFBA   brclr   L0088, #%00010000, LAFBF; 88 = $22
1AFBF   ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF   tstA
182D0   bne   L82F0
182D2   ldY   L1E7D; 1E7D = $1E, 1E7E = $4B
182D6   ldaA   #$00
182D8   staA   15, Y; 1E5A = $00
182DB   ldD   L1E7D; 1E7D = $1E, 1E7E = $4B
182DE   addD   #$0010
182E1   cmpD   #$1E7B
182E5   bcs   L82EA
182EA   stD   L1E7D; 1E7D = $1E, 1E7E = $5B
182ED   jmp   L8271
18271   brset   L0088, #%00100000, L8284; 88 = $22
18284   jr   L82F0
182F0   ret; 3FA = $CF, 3FB = $56, 3FC = $7B


Re: '99 Saturn Disassembly

Postby sabercatpuck » Sun Jan 24, 2010 1:39 am

And here we have first the mode 27 01 get seed, and then the follow-up 27 02 send key.

address   data
19971   ldaA   L0387; 387 = $01
19974   bitA   #%00000001
19976   beq   L99B1
19978   ldaB   L3B01; 3B01 = $1E
1997B   bitB   #%00000001
1997D   bne   L999F
1997F   ldaB   L3B04; 3B04 = $00
19982   incB
19983   beq   L999F
19985   tst   L0E3D; E3D = $00
19988   bne   L999F
1998A   ldX   L200A; 200A = $E5, 200B = $7F
1998D   cmpX   #$DEAD
19990   beq   L999F
19992   tst   L1E93; 1E93 = $00
19995   beq   L999B
1999B   brclr   L008C, #%00000001, L99A4; 8C = $00
199A4   ldX   L0E00; E00 = $63, E01 = $AC
199A7   stX   L0388; 388 = $63, 389 = $AC
199AA   bset   L008C, #%00000100; 8C = $00, 8C = $04
199AD   ldaA   #$04
199AF   jr   L99F3
199F3   jmp   LAF9F
1AF9F   bclr   L0088, #%00010000; 88 = $12, 88 = $02
1AFA2   tstA
1AFA3   beq   LAFA8
1AFA5   staA   L1E7F; 1E7F = $04
1AFA8   ldaA   L0386; 386 = $27
1AFAB   oraA   #%01000000
1AFAD   staA   L0386; 386 = $67
1AFB0   ldX   #$C603
1AFB4   call   LBD43; 3F8 = $B6, 3F7 = $AF
1BD43   ldaB   16, X; 1C613 = $00
1BD45   ldY   #$1F9A
1BD49   aBY
1BD4B   tPA
1BD4C   di
1BD4D   ldaB   15, X; 1C612 = $01
1BD4F   oraB   0, Y; 1F9A = $00
1BD52   staB   0, Y; 1F9A = $01
1BD55   tAP
1BD56   ret; 3F6 = $B8, 3F7 = $AF, 3F8 = $B6
1AFB6   bset   L0088, #%00100000; 88 = $02, 88 = $22
1AFB9   clrA
1AFBA   brclr   L0088, #%00010000, LAFBF; 88 = $22
1AFBF   ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF   tstA
182D0   bne   L82F0
182D2   ldY   L1E7D; 1E7D = $1E, 1E7E = $4B
182D6   ldaA   #$00
182D8   staA   15, Y; 1E5A = $00
182DB   ldD   L1E7D; 1E7D = $1E, 1E7E = $4B
182DE   addD   #$0010
182E1   cmpD   #$1E7B
182E5   bcs   L82EA
182EA   stD   L1E7D; 1E7D = $1E, 1E7E = $5B
182ED   jmp   L8271
18271   brset   L0088, #%00100000, L8284; 88 = $22
18284   jr   L82F0
182F0   ret; 3FA = $CF, 3FB = $56, 3FC = $7B

address   data
19971   ldaA   L0387; 387 = $02
19974   bitA   #%00000001
19976   beq   L99B1
199B1   tst   L1E93; 1E93 = $00
199B4   beq   L99BF
199BF   brset   L008C, #%00000100, L99C7; 8C = $04
199C7   bclr   L008C, #%00000100; 8C = $04, 8C = $00
199CA   ldX   L0388; 388 = $1E, 389 = $7C
199CD   cmpX   L0E02; E02 = $1E, E03 = $7C
199D0   beq   L99E9
199E9   bset   L008C, #%00000001; 8C = $00, 8C = $01
199EC   ldaA   #$34
199EE   jr   L99B8
199B8   staA   L0388; 388 = $34
199BB   ldaA   #$03
199BD   jr   L99F3
199F3   jmp   LAF9F
1AF9F   bclr   L0088, #%00010000; 88 = $12, 88 = $02
1AFA2   tstA
1AFA3   beq   LAFA8
1AFA5   staA   L1E7F; 1E7F = $03
1AFA8   ldaA   L0386; 386 = $27
1AFAB   oraA   #%01000000
1AFAD   staA   L0386; 386 = $67
1AFB0   ldX   #$C603
1AFB3   call   LBD43; 3F8 = $B6, 3F7 = $AF
1BD43   ldaB   16, X; 1C613 = $00
1BD49   aBY
1BD4B   tPA
1BD4C   di
1BD4D   ldaB   15, X; 1C612 = $01
1BD4F   oraB   0, Y; 1F9A = $00
1BD52   staB   0, Y; 1F9A = $01
1BD55   tAP
1BD56   ret; 3F6 = $00, 3F7 = $AF, 3F8 = $B6
1AFB6   bset   L0088, #%00100000; 88 = $02, 88 = $22
1AFB9   clrA
1AFBA   brclr   L0088, #%00010000, LAFBF; 88 = $22
1AFBF   ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF   tstA
182D0   bne   L82F0
182D2   ldY   L1E7D; 1E7D = $1E, 1E7E = $5B
182D6   ldaA   #$00
182D8   staA   15, Y; 1E6A = $00
182DB   ldD   L1E7D; 1E7D = $1E, 1E7E = $5B
182DE   addD   #$0010
182E1   cmpD   #$1E7B
182E5   bcs   L82EA
182EA   stD   L1E7D; 1E7D = $1E, 1E7E = $6B
182ED   jmp   L8271
18271   brset   L0088, #%00100000, L8284; 88 = $22
18284   jr   L82F0
182F0   ret; 3FA = $CF, 3FB = $56, 3FC = $7B


Re: '99 Saturn Disassembly

Postby sabercatpuck » Sat Jan 30, 2010 3:31 am

Well, now that I have my board together to make reflashing the memory easier, I started looking at the ROM sanity check area for ways to easily disable it without totally blowing it out of the water. It looks to me like there are 2 (it looks like the checksum at $200A may be for the sections that are vehicle specific, and $4009 for the main code that is common to all) or more main areas that it treats separately, with the main code being treated as a single mass, but weirdly it is checked twice. If I see things right, I can probably disable the main ROM routine by simply changing these two bytes:
change 04136 from 27 (beq) to 20 (bra, jr)
change 07947 from 27 (beq) to 20 (bra, jr)
That would mean that no matter what was in the main program memory it would proceed on as if there were no problems (it will be nice after I have things the way I want them as well, since I can just look at what it is comparing after it finished adding things up and put that in rather than having to figure it out myself). I also think, looking through some of the code fragments, that they may have a trap for development or a new board (or both), because there are several places in there where it will go off and do something different if the memory locations for the checksums are instead reading $DEAD. (Quick edit: I see now, even in the code above for mode 27, that it traps out $DEAD.)

Below are a few of the code snippets around the actual comparison points; the rest is still available in the files posted earlier:
4009   L4009:   dw   $EDC4
 
411C   L411C   ldD   #$0000
411F      stD   L03AE
4122      stD   L1810
4125      ldaA   L0176
4128      bitA   #%00100001
412A      bne   L4144
412C      bset   L0003, #%01000000
412F      call   L7989
4132      cmpY   L4009
4136      beq   L4144
4138      ldD   L4009
413B      cmpD   #$DEAD
413F      beq   L4144
4141      jmp   L4197

793D   L793D   bset   L0065, #%00100000
7940      ldD   L4009
7943      cmpD   L1D3C
7947      beq   L794F
7949      cmpD   #$DEAD
794D      bne   L795C

41A0   L41A0   ldX   #$200C
41A3      call   LECA8
41A6      ldX   L200A
41A9      cmpX   #$DEAD
41AC      beq   L41BC
41AE      ldaA   HPRIO
41B1      andA   #%11101111
41B3      staA   HPRIO
41B6      cmpY   L200A
41BA      bne   L41C7
41BC   L41BC   ldaA   L2009
41BF      cmpA   #$67
41C1      beq   L41CF
41C3      cmpA   #$AA
41C5      beq   L41CF
41C7   L41C7   ldX   L0187

43BA   L43BA   call   L592F
43BD      call   LECE2
43C0      ldX   L200A
43C3      cmpX   #$DEAD
43C6      beq   L43D9
43C8      cmpA   L0E3A
43CB      beq   L43D1
43CD      ldaA   #$01
43CF      jr   L43D2

4B50   E4b50:
4B50      ldD   L200A
4B53      cmpD   #$DEAD
4B57      bne   L4B73
4B59      ldD   TCNThi
4B5C      subD   L1D5E
4B5F      xgDY   
4B61      ldX   #$1D3E
4B64      ldaB   L0000
4B66      andB   #%00001111
4B68      lslB   
4B69      aBX   

Last edited by sabercatpuck on Mon Feb 01, 2010 1:53 am, edited 1 time in total.


Re: '99 Saturn Disassembly

Postby sabercatpuck » Sat Jan 30, 2010 7:47 am

Hmm, interesting. I made the two changes above and it worked; I can now make changes to the source code at will without it faulting out. What is interesting is that I then added a small snippet of program to try and read in the RAM areas of memory from $0000 to $2000 whenever I would run the mode $27 security access (I figured if I could be sure that I would not mess anything up, it would be right after I passed security access). When it got to memory location $00669 it spontaneously reset. I thought I must have hit the COP time limit, so I added a couple of calls to memory locations that seem to be there to reset the COP while it is doing extended memory reads, but no dice. As near as I can tell right now, reading memory location $00669 will cause a reset.
lbackup = $3

          ldx   #$0000
lbackup   ldaa  0,x            ; read one byte of the block
          incx
          cmpx  #$0600
          bne   lbackup
          call  5834           ; the two calls that appear to reset the COP
          call  5840
(repeat as needed)
          jmp   8271           ; back to where I was when I intercepted it

; patch at 182EE: the jmp at 182ED (7E 82 71) now goes to $D600 instead
182ee d6 00

; the assembled routine, one 17-byte copy per $600-byte block
1d600 CE 00 00 A6 00 08 8C 06 00 26 F8 bd 58 34 bd 58 40
1d611 CE 06 00 A6 00 08 8C 0c 00 26 F8 bd 58 34 bd 58 40
1d622 CE 0c 00 A6 00 08 8C 12 00 26 F8 bd 58 34 bd 58 40
1d633 CE 12 00 A6 00 08 8C 18 00 26 F8 bd 58 34 bd 58 40
1d644 CE 18 00 A6 00 08 8C 1e 00 26 F8 bd 58 34 bd 58 40
1d655 CE 00 00 A6 00 08 8C 06 00 26 F8 bd 58 34 bd 58 40

; jmp 8271, the original target, appended after the last block
7E 82 71

Site Admin
Posts: 6394
Joined: Sat Feb 28, 2009 8:34 pm

Re: '99 Saturn Disassembly

Postby antus » Sat Jan 30, 2010 12:16 pm

For the first check, what happens if you write DEAD to 0x4009 instead of patching the code? That might be the official 'no checksum test' method, like setting the program ID to AA in the OBD1 ECMs.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396


Re: '99 Saturn Disassembly

Postby sabercatpuck » Sat Jan 30, 2010 12:56 pm

I wanted to make sure I had the memory (especially the EEPROM) mapped out before I started messing around with things that might put it into a mode where it is looking for something and would wipe out the EEPROM on me. Now that I have that... Here are the pertinent numbers from my EEPROM section; everything after that is $FF. You can see the seed/key pair glaring back at me from $E00 to $E04:
addr   bytes                                            label (applies from the first byte of the row)
00E00  63 AC                                            Seed
00E02  1E 7C                                            Key
00E04  00 F7 E6 4E                                      PCM # (3c 04)
00E08  34 51 4A 44                                      (3c 05)
00E0C  41 4A 38 33                                      (3c 06)
00E10  31 34 03 03 21 02 39 40                          (3c 07)
00E18  21 00 89 32 FF FF FF FF                          (3c 09)
00E20  21 00 89 20 FF                                   (3c 08)
00E25  31 47 38 5A 4B                                   VIN part 1 (3c 01)
00E2A  35 32 37 38 58 5A                                VIN part 2 (3c 02)
00E30  32 31 31 31 31 30                                VIN part 3 (3c 03)
00E36  7F 04 DC 6D A2 FF FF 00 FF FF
00E40  00 00 00 00 00 F0 00 34 01 FF FF FF FF FF FF 20

By the way, apparently this chest cold I have is fogging my brain a little. I needed to make sure to shut off the interrupts first; I was running into the TOC4 interrupt. After I included the SEI and CLI in the code, it worked much better.
Last edited by sabercatpuck on Sun Jan 31, 2010 4:54 pm, edited 2 times in total.


Re: '99 Saturn Disassembly

Postby antus » Sat Jan 30, 2010 1:14 pm

I wonder if the ECU code is vulnerable to some kind of malformed ALDL request to an unlocked mode to make it return the key from EEPROM in the locked state? Hmmm.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396


Re: '99 Saturn Disassembly

Postby sabercatpuck » Mon Feb 01, 2010 4:01 am

Well, a quick look through the code shows that there are things it will do differently if $200A = $DEAD in mode $27 (security access), $2C (define diagnostic data packet), $34 (request download), $35 (request upload), and $3F (test device present). It seems likely this is some sort of developer mode, or the way the ECMs come when there is nothing loaded in them (or both).

Posts: 4991
Joined: Sun Mar 01, 2009 2:54 pm
Location: Perth, WA

Re: '99 Saturn Disassembly

Postby VL400 » Mon Feb 01, 2010 4:54 am

Mode 34 is used to upload routines and then execute them; you can use it for uploading a bin dumper routine or a flash erase/write routine.

Edit: Corrected mode
