'99 Saturn Dissassembly


Re: '99 Saturn Dissassembly

Postby sabercatpuck » Mon Feb 01, 2010 10:19 am

VL400 wrote:The mode 35 is used to upload routines and then execute them, can use it for uploading a bin dumper routine or a flash erase/write routine.

I thought modes 34 and 35 were named from the module's perspective, so 34 would send data to the module and 35 would get data back.


Re: '99 Saturn Dissassembly

Postby sabercatpuck » Mon Feb 01, 2010 12:11 pm

This is so I don't lose this site again :). Lots of good info, but the indexed page is for ECM pinouts.

http://www.saturnwiki.net/index.php/PCM_connectors


Re: '99 Saturn Dissassembly

Postby VL400 » Mon Feb 01, 2010 3:38 pm

sabercatpuck wrote:
VL400 wrote:The mode 35 is used to upload routines and then execute them, can use it for uploading a bin dumper routine or a flash erase/write routine.

I thought mode 34 and 35 were from the modules perspective so 34 would send things to the module and 35 would get stuff back


Sorry, yeah that is correct - mode 34 to upload a routine.


Re: '99 Saturn Dissassembly

Postby sabercatpuck » Tue Feb 02, 2010 3:27 am

I am also trying to work through the message format for mode $35. What I have so far is that it should be 35 00 xx xx yy yy yy. I do know that xx xx cannot be greater than $0480. I am not sure the ELM is capable of this one, though. This is what I have so far, pieced together from the code:
; Single-stepped trace of one mode $35 request through the Class 2 message
; handler. Each line is: ROM address, instruction, then (after ';') the RAM
; cells the instruction touched and the values captured at that moment.
; The trailing "addr = value" text is trace output, not assembler syntax.
; Values visible in this trace: the input buffer at $01DE8 holds
; 6C 10 F1 35 00 00 04 00 0E 00 (3-byte header, mode $35, six operand bytes);
; the reply built at $00383 ends up with mode byte $75 ($35 with bit 6 set).
;
; --- E8190: is there a fresh message in the current input buffer? ---
18190   ldY   L1E3A; 01E3A = 1D, 01E3B = E8
18194   ldaA   15, Y; 01DF7 = AA
18197   cmpA   #$AA; byte 15 == $AA marks a new, unprocessed message
18199   beq   L819E
1819E   ldaB   0, Y; 01DE8 = 6C
181A1   xorB   #%00001000
181A3   bitB   #%00011000; header-format bits of the first byte (bit 3 flipped above)
181A5   beq   L81AA
181AA   cmpB   #$E0
181AC   bcs   L81B1
181B1   bitB   #%00000100
181B3   bne   L81C2
181C2   ldaA   1, Y; 01DE9 = 10
181C5   cmpA   #$FE
181C7   bne   L81E3
181E3   cmpA   LC251; 1C251 = 10; target address byte matches this module's ID
181E6   beq   L81F8
; --- L81F8: copy the 16-byte input buffer into the current output buffer ---
181F8   ldX   L1E7B; 01E7B = 1E, 01E7C = 6B
181FB   ldaA   15, X; 01E7A = 00; output buffer is free (its byte 15 is not $AA)
181FD   cmpA   #$AA
181FF   bne   L820B
1820B   ldD   0, Y; 01DE8 = 6C, 01DE9 = 10
1820E   stD   0, X; 01E6B = 6C, 01E6C = 10
18210   ldD   2, Y; 01DEA = F1, 01DEB = 35
18213   stD   2, X; 01E6D = F1, 01E6E = 35
18215   ldD   4, Y; 01DEC = 00, 01DED = 00
18218   stD   4, X; 01E6F = 00, 01E70 = 00
1821A   ldD   6, Y; 01DEE = 04, 01DEF = 00
1821D   stD   6, X; 01E71 = 04, 01E72 = 00
1821F   ldD   8, Y; 01DF0 = 0E, 01DF1 = 00
18222   stD   8, X; 01E73 = 0E, 01E74 = 00
18224   ldD   10, Y; 01DF2 = 00, 01DF3 = 00
18227   stD   10, X; 01E75 = 00, 01E76 = 00
18229   ldD   12, Y; 01DF4 = 1D, 01DF5 = F2; bytes 12-13 hold the end-of-message pointer ($1DF2)
1822C   stD   12, X, 01E77 = 1D, 01E78 = F2; (the ',' after X is a transcription slip for ';')
1822E   ldD   14, Y; 01DF6 = 00, 01DF7 = AA
18231   stD   14, X; 01E79 = 00, 01E7A = AA
; message length = end pointer - buffer start = $1DF2 - $1DE8 = $0A;
; X is advanced by that amount and stored as the output buffer's end pointer
18233   ldD   12, Y; 01DF4 = 1D, 01DF5 = F2
18236   subD   L1E3A; 01E3A = 1D, 01E3B = E8
18239   aBX
1823A   ldY   L1E7B; 01E7B = 1E, 01E7C = 6B
1823E   stX   12, Y; 01E77 = 1E, 01E78 = 75
; advance the output buffer pointer by $10, wrapping from $1E7B back to $1E4B
18241   ldD   L1E7B; 01E7B = 1E, 01E7C = 6B
18244   addD   #$0010
18247   cmpD   #$1E7B
1824B   bcs   L8250
1824D   ldD   #$1E4B
18250   stD   L1E7B; 01E7B = 1E, 01E7C = 4B
; release the input buffer (clear its $AA) and advance the input pointer by $10
18253   ldY   L1E3A; 01E3A = 1D, 01E3B = E8
18257   ldaA   #$00
18259   staA   15, Y; 01DF7 = 00
1825C   ldD   L1E3A; 01E3A = 1D, 01E3B = E8
1825F   addD   #$0010
18262   cmpD   #$1E38
18266   bcs   L826B
1826B   stD   L1E3A; 01E3A = 1D, 01E3B = F8
1826E   jmp   E8190
; --- second pass: the next input buffer ($01DF8) holds no new message ---
18190   ldY   L1E3A; 01E3A = 1D, 01E3B = F8
18194   ldaA   15, Y; 01E07 = 00
18197   cmpA   #$AA
18199   beq   L819E
1819B   jmp   L8271
; --- L8271: build the reply in the $00383 scratch area from the work buffer ---
18271   brset   L0088, #%00100000, L8284; 00088 = 02
18275   brset   L0088, #%00010000, L82CC; 00088 = 02
18279   ldY   L1E7D; 01E7D = 1E, 01E7E = 6B
1827D   ldaA   15, Y; 01E7A = AA
18280   cmpA   #$AA; work buffer holds a valid message
18282   beq   L8286
18286   ldX   #$0383
18289   ldaB   0, Y; 01E6B = 6C
1828C   ldaB   0, Y
1828E   bne   L82A2
; reply header: first byte as received, then byte 2 ($F1), then module ID ($10)
182A2   ldaA   0, Y; 01E6B = 6C
182A5   staA   0, X; 00383 = 6C
182A7   ldaA   2, Y; 01E6D = F1
182AA   staA   1, X; 00384 = F1
182AC   ldaA   LC251; 1C251 = 10
182AF   staA   2, X; 00385 = 10
; payload length = (end pointer - buffer start) - 3 header bytes = $0A - 3 = 7
182B1   ldD   12, Y; 01E77 = 1E, 01E78 = 75
182B4   subD   L1E7D; 01E7D = 1E, 01E7E = 6B
182B7   subB   #$03
182B9   staB   L1E7F; 01E7F = 07
; copy the 7 payload bytes (35 00 00 04 00 0E 00) to $00386..$0038C
182BC   ldaA   3, Y; 01E6E = 35
182BF   staA   3, X; 00386 = 35
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 01E6F = 00
182BF   staA   3, X; 00387 = 00
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 01E70 = 00
182BF   staA   3, X; 00388 = 00
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 01E71 = 04
182BF   staA   3, X; 00389 = 04
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 01E72 = 00
182BF   staA   3, X; 0038A = 00
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 01E73 = 0E
182BF   staA   3, X; 0038B = 0E
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182BC   ldaA   3, Y; 01E74 = 00
182BF   staA   3, X; 0038C = 00
182C1   incX
182C2   incY
182C4   decB
182C5   bne   L82BC
182C7   ldaA   #$01
182C9   staA   L1E82; 01E82 = 01
; --- L8883: mode dispatcher (vector table lookup + length check) ---
182CC   call   L8883; 003FA = CF, 003F9 = 82, 18883 = F6
18883   ldaB   L0386; 00386 = 35; mode byte
18886   andB   #%10111111; clear bit 6 (the bit set later for a positive reply)
18888   tBA
18889   beq   L8899
1888B   cmpB   #$08
1888D   bhi   L8895
18895   subB   #$10; $35 -> $25
18897   bcc   L889F
1889F   cmpB   #$2F
188A1   bhi   L88A8
188A3   ldX   #$8805; vector table for modes $10..$3F
188A6   jr   L88B3
188B3   aBX
188B4   aBX
188B5   ldX   0, X; 1884F = 9E, 18850 = A2; $8805 + 2*$25 = $884F -> vector $9EA2
188B7   beq   L88D9
188B9   brset   L0088, #%00010000, L88D5; 00088 = 02
; payload length (7) must lie between the limits stored at vector+1 and vector+0;
; for mode $35 both limits are 7, i.e. the 7-byte "35 00 xx xx yy yy yy" form
188BD   ldaB   L1E7F; 01E7F = 07
188C0   cmpB   0, X; 19EA2 = 07
188C2   bhi   L88C8
188C4   cmpB   1, X; 19EA3 = 07
188C6   bcc   L88D0
188D0   bset   L0088, #%00010000; 00088 = 02, 00088 = 12
188D3   jmp   4, X; mode $35 handler entry = vector + 4 = $9EA6
; --- $9EA6: mode $35 handler; LB00D is a set of gate checks run first ---
19EA6   ldX   #$0386
19EA9   call   LB00D; 003F8 = AC, 003F7 = 9E
1B00D   brset   L007A, #%00001000, LB036; 0007A = 80
1B011   tst   L1B91; 01B91 = 00
1B014   bne   LB036
1B016   ldaB   L3B01; 03B01 = 1E
1B019   bitB   #%00000001
1B01B   bne   LB042
1B01D   pushX; 003F6 = 86, 003F5 = 03
1B01E   ldX   L200A; 0200A = E5, 0200B = 7F
1B021   cmpX   #$DEAD; a 16-bit marker value at $200A is compared against $DEAD
1B024   popX; 003F4 = 00, 003F5 = 03, 003F6 = 86
1B025   beq   LB042
1B027   ldaB   L3B04; 03B04 = 00
1B02A   incB
1B02B   beq   LB042
1B02D   tst   L0E3D; 00E3D = 00
1B030   bne   LB042
1B032   brset   L008C, #%00000001, LB042; 0008C = 01; bit 0 set here, so this branch is taken
; LB042 returns A = 0, which the caller treats as "continue" (tstA/beq below);
; LB036 (taken when the first two checks fail) is not part of this trace
1B042   clrA
1B043   ret; 003F6 = 86, 003F7 = 9E, 003F8 = AC
19EAC   tstA
19EAD   beq   L9EB2
; --- operand validation; X = $0386 so 2,X is "xx xx" and 4,X.. is "yy yy yy" ---
19EB2   ldD   2, X; 00388 = 00, 00389 = 04; xx xx = $0004
19EB4   cmpD   #$0480
19EB8   bls   L9EBE ; check that xx xx is less than $0480
19EBE   ldaA   #$51; preload error code "improper upload type"
19EC0   ldaB   1, X; 00387 = 00; byte after the mode must be $00
19EC2   bne   L9F00
19EC4   tst   4, X; 0038A = 00; first of the yy bytes must be $00
19EC6   bne   L9ED9
19EC8   ldD   5, X; 0038B = 0E, 0038C = 00; remaining yy yy = $0E00
19ECA   bpl   L9ED0
19ED0   addD   2, X; 00388 = 00, 00389 = 04
19ED2   subD   #$0001; $0E00 + $0004 - 1 = $0E03 must keep bit 15 clear
19ED5   bpl   L9EEA
; (consistent with xx xx being a count and yy yy a start address, as in the
; LA039 dump loop, but this excerpt alone does not settle that)
19EEA   ldaA   2, X; 00388 = 00
19EEC   pushA; 003F8 = 00
19EED   ldaA   #$54; load message "ready for upload"
19EEF   staA   2, X; 00388 = 54
19EF1   ldaA   #$03; A = 3 is stored as the reply payload length by LAF9F
19EF3   call   LAF9F; 003F7 = F6, 003F6 = 9E
; --- LAF9F: mark the reply as positive and flag it for sending ---
1AF9F   bclr   L0088, #%00010000; 00088 = 12, 00088 = 02
1AFA2   tstA
1AFA3   beq   LAFA8
1AFA5   staA   L1E7F; 01E7F = 03
1AFA8   ldaA   L0386; 00386 = 35
1AFAB   oraA   #%01000000
1AFAD   staA   L0386; 00386 = 75 Put 75 in outgoing message good response
1AFB0   ldX   #$C603
1AFB3   call   LBD43; 003F5 = B6, 003F4 = AF
; LBD43: with interrupts masked (tPA/di ... tAP), OR the byte at 15,X into the
; table entry at $1F9A + (16,X)
1BD43   ldaB   16, X; 1C613 = 00
1BD45   ldY   #$1F9A
1BD49   aBY
1BD4B   tPA
1BD4C   di
1BD4D   ldaB   15, X; 1C612 = 01
1BD4F   oraB   0, Y; 01F9A = 00
1BD52   staB   0, Y; 01F9A = 01
1BD55   tAP
1BD56   ret; 003F3 = 31, 003F4 = AF, 003F5 = B6
1AFB6   bset   L0088, #%00100000; 00088 = 02, 00088 = 22
1AFB9   clrA
1AFBA   brclr   L0088, #%00010000, LAFBF; 00088 = 22
1AFBF   ret; 003F5 = B6, 003F6 = 9E, 003F7 = F6
; --- LBDFA / LBEEA: housekeeping after the reply is queued. LBEEA fills the
; 8 bytes at $01FAA..$01FB1 with $FF (the loop body appears 8 times below)
; and then ANDs them with the 8 bytes at $1C231..$1C238; its purpose is not
; visible in this excerpt ---
19EF6   call   LBDFA; 003F7 = F9, 003F6 = 9E
1BDFA   ldaA   L1F87; 01F87 = 00
1BDFD   beq   LBE06
1BE06   ldaA   L1B8D; 01B8D = 76
1BE09   cmpA   LC253; 1C253 = 00
1BE0C   bcs   LBE13
1BE0E   cmpA   LC254; 1C254 = F5
1BE11   bcs   LBE16
1BE16   brclr   L0089, #%00010000, LBE1D; 00089 = 09
1BE1D   di
1BE1E   ldaA   L0C00; 00C00 = 10
1BE21   ldaB   L1F7B; 01F7B = 10
1BE24   staA   L1F7B; 01F7B = 10
1BE27   bitA   #%00001000
1BE29   beq   LBE5B
1BE5B   ei
1BE5C   call   LBEEA; 003F5 = 5F, 003F4 = BE
1BEEA   ldaA   L1F93; 01F93 = 00
1BEED   beq   LBEF8
1BEF8   ldX   #$1FAA
1BEFB   ldaB   #$08
1BEFD   ldaA   #$FF
1BEFF   aBX
1BF00   di
1BF01   decX
1BF02   staA   0, X; 01FB1 = FF
1BF04   cmpX   #$1FAA
1BF07   bne   LBF01
1BF01   decX
1BF02   staA   0, X; 01FB0 = FF
1BF04   cmpX   #$1FAA
1BF07   bne   LBF01
1BF01   decX
1BF02   staA   0, X; 01FAF = FF
1BF04   cmpX   #$1FAA
1BF07   bne   LBF01
1BF01   decX
1BF02   staA   0, X; 01FAE = FF
1BF04   cmpX   #$1FAA
1BF07   bne   LBF01
1BF01   decX
1BF02   staA   0, X; 01FAD = FF
1BF04   cmpX   #$1FAA
1BF07   bne   LBF01
1BF01   decX
1BF02   staA   0, X; 01FAC = FF
1BF04   cmpX   #$1FAA
1BF07   bne   LBF01
1BF01   decX
1BF02   staA   0, X; 01FAB = FF
1BF04   cmpX   #$1FAA
1BF07   bne   LBF01
1BF01   decX
1BF02   staA   0, X; 01FAA = FF
1BF04   cmpX   #$1FAA
1BF07   bne   LBF01
1BF09   ei
1BF0A   brset   L0089, #%00001000, LBF11; 00089 = 09
1BF11   brclr   L0089, #%00000001, LBF34; 00089 = 09
1BF15   ldX   #$C231
1BF18   ldY   #$1FAA
1BF1C   ldaB   #$08
1BF1E   aBX
1BF1F   aBY
1BF21   di
1BF22   decX
1BF23   decY
1BF25   ldaA   0, X; 1C238 = 00
1BF27   andA   0, Y; 01FB1 = FF
1BF2A   staA   0, Y; 01FB1 = 00
1BF2D   cmpY   #$1FAA
1BF31   bne   LBF22
; (trace ends inside the AND loop; the remaining 7 iterations are not shown)


Re: '99 Saturn Dissassembly

Postby sabercatpuck » Wed Feb 03, 2010 6:55 am

Well, I am starting to think that it automatically switches to 4x mode, because unlike the usual message buffer in the $00383 area, in this case it ultimately uses a single location at $00c01 for sending the data out, so I imagine it is switching to a different channel for comms. There seems to be a long timeout associated with it as well. It appears that $00c00 gets set to $03 when the data is pulled, or after the timeout.
; Mode $35 data-out loop. X points at a descriptor: 7,X = remaining byte count,
; 10,X = pointer to the bytes being dumped (loaded into Y), 16,X/17,X = a
; running 16-bit sum of the bytes sent. Bytes leave one at a time through
; $0C01, with LA072 waited on between bytes; after the data the two bytes of
; the sum are sent (16,X then 17,X), so the sum looks like a trailing
; checksum. $0C00 is written with $0C after the last byte.
A039   LA039   staA   L0C01
A03C      bclr   1, X, #%00010000
A03F      ldY   10, X; get location of bytes to dump
A042   LA042   call   LA072; wait until $0C00 is ready for the next byte
A045      ldD   7, X; get how many bytes to dump
A047      beq   LA05D; count exhausted -> send the sum
A049      subD   #$0001
A04C      stD   7, X
A04E      clrA   
A04F      ldaB   0, Y; get memory for mode 35
A052      staB   L0C01; byte out
A055      addD   16, X; D = byte (A cleared above); accumulate into the 16-bit sum
A057      stD   16, X
A059      incY   
A05B      jr   LA042
;
A05D   LA05D   ldaA   16, X; high byte of the sum
A05F      staA   L0C01
A062      call   LA072
A065      ldaA   17, X; low byte of the sum
A067   LA067   ldaB   #$0C
A069      staB   L0C00
A06C      staA   L0C01
A06F      clr   43, X
A071   LA071   ret   
;
; LA072: spin while the low two bits of $0C00 read %11, servicing the
; watchdog via L5834/L5840 each pass. Note the branch sense: it returns when
; the bits are NOT %11, so "%11 == data retrieved" in the comments below is
; the opposite of what the code does - whether %11 means "busy" or
; "retrieved" is not established by this excerpt.
A072   LA072:   ldaA   L0C00
A075      andA   #%00000011
A077      cmpA   #$03; had data been retrieved?
A079      bne   LA083; yes : return and get the next character
A07B      call   L5834; no : reset COP timer and try again
A07E      call   L5840
A081      jr   LA072
;
A083   LA083   ret   


Re: '99 Saturn Dissassembly

Postby sabercatpuck » Wed Feb 03, 2010 10:46 am

Well, since it looks like I may hit a wall until I have a 4x connection, I figured I would take a step back and go over the memory map a bit more carefully. First was the class 2 buffer. There seem to be two: I think one with its pointer at $01e3a/b and the second at $01e7b/c. Each buffer segment is exactly 16 bytes and appears at one of these specific locations:
01e4b output buffers
01e5b
01e6b

01de8 input buffers
01df8
01e08
01e18
01e28


Re: '99 Saturn Dissassembly

Postby planethax » Wed Feb 03, 2010 12:02 pm

This is where I am, waiting for hardware capable of 4X Vpw


Re: '99 Saturn Dissassembly

Postby sabercatpuck » Thu Feb 04, 2010 5:23 am

This is the complete entry-point map for all modes supported on this ECM. All are in the third upper memory block, so mode $01 starts physically at $188E3.

01 $88E3; Request Current Powertrain Diagnostic Data
02 $891B; Request Powertrain Freeze Frame Data
03 $8961; Request Powertrain Diagnostic Trouble Codes
04 $89F3; Request to Clear/Reset Diagnostic Trouble Codes
05 $8A07; Request O2 Sensor Monitoring Test Results
06 $8BB4; Request On-Board monitoring Test Results
07 $8DFC; Request Pending Powertrain Diagnostic Trouble Codes
08 $8E97; Request Device Control

10 $8F26; Initiate Diagnostic Operation
12 $8FE8; Request Diagnostic Freeze Frame Data
13 $9103; Request Diagnostic Trouble Code Information
14 $91e2; Clear Diagnostic Trouble Code Information
17 $91F9; Request Status of Diagnostic Trouble Codes
18 $946d; Request Diagnostic Trouble Codes by Status
19 $964e; Request Diagnostic Trouble Codes by Status
20 $98Ac; Return to Normal Operation
22 $98Dd; Request Diagnostic Data by PID
23 $991c; Request Diagnostic Data by Memory Address
25 $9963; Request to Stop Transmitting Data
27 $9971; Data Link Security Access
28 $99Fa; Disable Normal Message Transmission
29 $9A44; Enable Normal Message Transmission
2A $9A42; Request Diagnostic Data Packets
2B $9C28; Define Diagnostic Data Packet by Offset
2C $9C7c; Define Diagnostic Data Packet
31 $9DF6; Request Start Diagnostic Routine by Test Number
32 $9DF6; Request Stop Diagnostic Routine by Test Number
33 $9DF6; Request Diagnostic Routine Results by Test Number
34 $9E44; Request Download - tool to module
35 $9EA6; Request Upload - module to tool
3b $A4B6; Write Data Block
3c $A4B6; Read Data Block
3F $A8Cd; Test Device Present - No Operation Performed

A0 $A8D7; Request High Speed Mode
A1 $A8EE; Begin High Speed Mode
A8 $A908
AD $A916
AE $A921; Request Device Control


Re: '99 Saturn Dissassembly

Postby sabercatpuck » Sat Feb 06, 2010 10:05 am

Well, I have lots of things around the house to get done now that I am feeling a little better, so it may be a while before any more updates, but I thought I would post some of the commenting I am putting together for the 3rd quadrant (focusing on that first because I can more easily control what it is doing).
; Class 2 receive loop. Incoming messages sit in 16-byte input buffers
; (pointer Cl2InputBufPtr); a buffer whose byte 15 is $AA holds a new
; message. Accepted messages are copied verbatim into a 16-byte output buffer
; (Cl2OutputBufPtr), then L8271 rebuilds them into the $0383 scratch area,
; stores the payload length at L1E7F and hands off to the L8883 dispatcher.
; Bytes 12-13 of each buffer hold a pointer to the end of the message body.
8190   E8190:
8190      ldY   Cl2InputBufPtr; load y with current input buffer pointer
8194      ldaA   15, Y; check last byte
8197      cmpA   #$AA; if it is $AA then it is a new message
8199      beq   L819E
819B      jmp   L8271
;
819E   L819E   ldaB   0, Y; load first byte of incoming message
81A1      xorB   #%00001000
81A3      bitB   #%00011000; check for 1 byte header and IFR required (bit 3 set, bit 4 clear, after the flip above)
81A5      beq   L81AA; if so go here
81A7      jmp   L8253; if not go here (should go here more often)
;
81AA   L81AA   cmpB   #$E0; check low pri, 1 byte head, IFR req, Func addr, IFR type 2, func
81AC      bcs   L81B1
81AE      clr   L1F7E
81B1   L81B1   bitB   #%00000100; bit 2 of the first byte selects physical addressing
81B3      bne   L81C2
81B5      ldaA   1, Y
81B8      cmpA   #$6A; is it a functional request info packet
81BA      beq   L81F8
81BC      call   L82F1
81BF      jmp   L8253
;
81C2   L81C2   ldaA   1, Y; target address byte
81C5      cmpA   #$FE
81C7      bne   L81E3
81C9      ldaB   3, Y
81CC      bitB   #%01000000
81CE      beq   L81D3
81D0      jmp   L8253
;
81D3   L81D3   ldaB   L3B01
81D6      bitB   #%00000010
81D8      beq   L81F8
81DA      pushY   
81DC      call   LC87B
81DF      popY   
81E1      jr   L81F8
;
; physically addressed: accept if the target is this module (ModuleIDNum),
; else only $18 is considered, and only when bit 1 of L3B01 is set
81E3   L81E3   cmpA   ModuleIDNum
81E6      beq   L81F8
81E8      cmpA   #$18
81EA      bne   L8253
81EC      ldaB   L3B01
81EF      bitB   #%00000010
81F1      beq   L8253
81F3      call   LC87B
81F6      jr   L8253
;
; L81F8: if the current output buffer is still in use ($AA at byte 15) the
; message is dropped and bit 3 of L1E80 is set (an overflow indication,
; presumably); otherwise the 16 bytes are copied across
81F8   L81F8   ldX   Cl2OutputBufPtr; load current output buffer pointer
81FB      ldaA   15, X; load last byte of current output buffer
81FD      cmpA   #$AA; should be $00 if buffer is cleared
81FF      bne   L820B
8201      ldaA   L1E80
8204      oraA   #%00001000
8206      staA   L1E80
8209      jr   L8253
;
820B   L820B   ldD   0, Y; load first two numbers from the current input buffer
820E      stD   0, X; store first two numbers in the current output buffer
8210      ldD   2, Y; group 2 in
8213      stD   2, X; group 2 out
8215      ldD   4, Y; group 3 in
8218      stD   4, X; group 3 out
821A      ldD   6, Y; group 4 in
821D      stD   6, X; group 4 out
821F      ldD   8, Y; group 5 in
8222      stD   8, X; group 5 out
8224      ldD   10, Y; group 6 in
8227      stD   10, X; group 6 out
8229      ldD   12, Y; group 7 in
822C      stD   12, X; group 7 out
822E      ldD   14, Y; group 8 in
8231      stD   14, X; group 8 out
8233      ldD   12, Y; load location of last real message byte
8236      subD   Cl2InputBufPtr; how long is the message (header included)
8239      aBX; set x to location of last message byte in the output buffer   
823A      ldY   Cl2OutputBufPtr; load y with current output buffer
823E      stX   12, Y; save last message byte location in output current buffer
8241      ldD   Cl2OutputBufPtr; load d with current output buffer location
8244      addD   #$0010; add $10 to current location (set to next buffer location)
8247      cmpD   #$1E7B; is it at the end of the range for the output buffer?
824B      bcs   L8250; if not, jump
824D      ldD   #$1E4B; if so, then reset output buffer to $01e4b
8250   L8250   stD   Cl2OutputBufPtr; store new output buffer location in pointer
8253   L8253   ldY   Cl2InputBufPtr; load y with current input buffer location
8257      ldaA   #$00
8259      staA   15, Y; clear the $AA, make this buffer clear for new message
825C      ldD   Cl2InputBufPtr; load d with current input buffer location
825F      addD   #$0010; add $10 (set to next buffer)
8262      cmpD   #$1E38; is it at the upper end of the buffer
8266      bcs   L826B; if not jump
8268      ldD   #$1DE8; if it is reset to the lower limit
826B   L826B   stD   Cl2InputBufPtr; store the new input buffer location to the pointer
826E      jmp   E8190
;
; L8271: process the oldest pending output buffer (Cl2WorkOutBufPtr).
; Bits 5 and 4 of L0088 skip the rebuild (bit 4: a reply is already being
; assembled, go straight to the dispatcher at L82CC).
8271   L8271   brset   L0088, #%00100000, L8284
8275      brset   L0088, #%00010000, L82CC
8279      ldY   Cl2WorkOutBufPtr
827D      ldaA   15, Y
8280      cmpA   #$AA; valid current message?
8282      beq   L8286
8284   L8284   jr   L82F0
;
8286   L8286   ldX   #$0383
8289      ldaB   0, Y; get first byte
828C      bitB   #%00000100; functional or physical addressing?
828E      bne   L82A2; jump if physical addressing
; functional: reply header is first byte (bit 5 cleared), $6B, module ID
8290      ldaA   0, Y
8293      andA   #%11011111
8295      staA   0, X
8297      ldaA   #$6B
8299      staA   1, X
829B      ldaA   ModuleIDNum
829E      staA   2, X
82A0      jr   L82B1
;
; physical: reply header is first byte, the sender's address (byte 3), module ID
82A2   L82A2   ldaA   0, Y; load first byte
82A5      staA   0, X; store in ram scratch pad $00383
82A7      ldaA   2, Y; load 3rd byte
82AA      staA   1, X; store in 2nd byte location
82AC      ldaA   ModuleIDNum; location of module id #
82AF      staA   2, X; store in 3rd byte location (reply message format)
82B1   L82B1   ldD   12, Y; load message length including header
82B4      subD   Cl2WorkOutBufPtr; subtract out message pointer, leaving just bytes in Breg
82B7      subB   #$03; subtract the 3 byte header leaving just number of message bytes
82B9      staB   L1E7F; store working message length - header (checked against the mode's min/max by L8883)
82BC   L82BC   ldaA   3, Y; load message byte from 3 +Y
82BF      staA   3, X; store message byte to 3 + X
82C1      incX   
82C2      incY   
82C4      decB   
82C5      bne   L82BC; keep doing until complete message loaded in ram
82C7      ldaA   #$01
82C9      staA   L1E82
82CC   L82CC   call   L8883; dispatch on the mode byte now at $0386
82CF      tstA   
82D0      bne   L82F0; non-zero A from the dispatcher: leave the buffer pending
; release the work buffer and advance the pointer (same $1E4B..$1E7B ring as above)
82D2      ldY   Cl2WorkOutBufPtr
82D6      ldaA   #$00
82D8      staA   15, Y
82DB      ldD   Cl2WorkOutBufPtr
82DE      addD   #$0010
82E1      cmpD   #$1E7B
82E5      bcs   L82EA
82E7      ldD   #$1E4B
82EA   L82EA   stD   Cl2WorkOutBufPtr
82ED      jmp   L8271


; Mode vector tables, one 16-bit word per mode; $0000 = mode not supported.
; L8883 indexes them as base + 2*(mode - first mode of the table):
;   $87F5 for modes $01..$08, $8805 for $10..$3F, $8865 for $A0..$AE.
; Each non-zero word points at a small descriptor, not straight at code:
;   +0 = maximum payload length, +1 = minimum payload length (compared
;   against L1E7F before dispatch), +4 = handler entry (jmp 4,X).
; That is why the handler addresses quoted elsewhere in the thread are
; these values plus 4 (e.g. $9EA2 here, $9EA6 for the mode $35 entry).
87F5      dw   $88DF, $8917, $895D, $89EF, $8A03; Mode $01 TO $05 Entry Point
87FF      dw   $8BB0, $8DF8, $8E93; Mode $06 TO $08 Entry Point
8805      dw   $8F22, $0000, $8FE4, $90FF, $91DE; Mode $10 TO $14 Entry Point
880F      dw   $0000, $0000, $91F5, $9469, $964A; Mode $15 TO $19 Entry Point
8819      dw   $0000, $0000, $0000, $0000, $0000; Mode $1A TO $1E Entry Point
8823      dw   $0000, $98A8, $0000, $98D9, $9918; Mode $1F TO $23 Entry Point
882D      dw   $0000, $995F, $0000, $996D, $99F6; Mode $24 TO $28 Entry Point
8837      dw   $9A40, $9A4E, $9C24, $9C78, $0000; Mode $29 TO $2D Entry Point
8841      dw   $0000, $0000, $0000, $9DF2, $9DF2; Mode $2E TO $32 Entry Point
884B      dw   $9DF2, $9E40, $9EA2, $0000, $0000; Mode $33 TO $37 Entry Point
8855      dw   $0000, $0000, $0000, $A4B2, $A4B2; Mode $38 TO $3C Entry Point
885F      dw   $0000, $0000, $A8C9; Mode $3D TO $3F Entry Point
8865      dw   $A8D3, $A8EA, $0000, $0000, $0000; Mode $A0 TO $A4 Entry Point
886F      dw   $0000, $0000, $0000, $A904, $0000; Mode $A5 TO $A9 Entry Point
8879      dw   $0000, $0000, $0000, $A912, $A91D; Mode $AA TO $AE Entry Point

;
; L8883: mode dispatcher. Reads the mode byte at $0386, picks the vector
; table for its range, rejects unsupported modes and (unless bit 4 of L0088
; is already set) range-checks the payload length in L1E7F against the
; descriptor's max (+0) / min (+1) bytes before jumping to the handler at +4.
; Exits: L8899 (mode 0, $09-$0F, or a bad length on a mode < $10), L88D5,
; L88D9 and L88DB are outside this excerpt; A = $12 is handed to L88DB.
8883   L8883:   ldaB   L0386; what mode number?
8886      andB   #%10111111; clear bit 6, the "positive response" bit
8888      tBA   ; keep the raw mode in A for the error path at L88C8
8889      beq   L8899
888B      cmpB   #$08
888D      bhi   L8895; if mode 8 or more jump
888F      ldX   #$87F5; Load vector table for mode $01 to $08
8892      decB   ; set so mode 1 is the 0 position in the vector table etc.
8893      jr   L88B3
;
8895   L8895   subB   #$10; subtract $10 for formatting to for jump table
8897      bcc   L889F; no borrow for modes >= $10; modes $09-$0F fall through to L8899
8899   L8899   bclr   L0088, #%00010000
889C      jmp   LAFB9
;
889F   L889F   cmpB   #$2F; check if mode $10 to $3f is selected
88A1      bhi   L88A8; jump if not
88A3      ldX   #$8805; location of the vector table for mode $10 to 3F
88A6      jr   L88B3
;
88A8   L88A8   subB   #$90; is it mode $Ax (B already has $10 removed, so this is mode - $A0)
88AA      bcs   L88D9
88AC      cmpB   #$0E
88AE      bhi   L88D9
88B0      ldX   #$8865; location of vector table for mode $A0 to $AE
88B3   L88B3   aBX   ; add modified mode number twice to get jump vector
88B4      aBX   
88B5      ldX   0, X
88B7      beq   L88D9; branch if mode not supported
88B9      brset   L0088, #%00010000, L88D5
88BD      ldaB   L1E7F; check that message has the correct packet length
88C0      cmpB   0, X
88C2      bhi   L88C8; jump if message is too long
88C4      cmpB   1, X
88C6      bcc   L88D0; jump if message is not too short
; bad length: A still holds the mode; modes < $10 go to L8899, the others
; continue at L88DB with A = $12
88C8   L88C8   cmpA   #$10
88CA      bcs   L8899
88CC      ldaA   #$12
88CE      jr   L88DB
;
88D0   L88D0   bset   L0088, #%00010000
88D3      jmp   4, X; jump to extended mode entry at 4 + (Vect(2x(Mode-$10) + $8805))


; Fragment of the mode $27 (Data Link Security Access) handler; the routine's
; entry ($9971) and the success path L99E9 / second-failure path L99DD are
; outside this excerpt. What is visible:
;   - seed request: the 16-bit seed at RAM $0E00 is copied into the reply at
;     $0388 and bit 2 of L008C is set to remember that a seed went out;
;   - key attempt: the 16-bit key at $0388 is compared directly with RAM
;     $0E02; a first mismatch sets bit 1 of L008C and answers $35, a second
;     mismatch (bit 1 already set) goes to L99DD.
; How $0E00/$0E02 are derived from each other is not shown here.
99A4   L99A4   ldX   L0E00 ; load the seed from memory
99A7   L99A7   stX   L0388 ; put the seed in the outgoing message
99AA      bset   L008C, #%00000100; remember that a seed has been issued
99AD      ldaA   #$04
99AF      jr   L99F3
;
99B1   L99B1   tst   L1E93
99B4      beq   L99BF
99B6      ldaA   #$37
99B8   L99B8   staA   L0388 ; store respone code (33, 34, 35, 36, 37)
99BB      ldaA   #$03
99BD      jr   L99F3
;
; key sent without a preceding seed request -> response $33
99BF   L99BF   brset   L008C, #%00000100, L99C7
99C3      ldaA   #$33
99C5      jr   L99B8
;
99C7   L99C7   bclr   L008C, #%00000100; a seed is consumed by one attempt
99CA      ldX   L0388 ; load the key being tried
99CD      cmpX   L0E02 ; compare to one in memory
99D0      beq   L99E9 ; branch if it is the correct key
99D2      brset   L008C, #%00000010, L99DD; second consecutive failure
99D6      bset   L008C, #%00000010
99D9      ldaA   #$35 ;  set error code 35, bad key 1st try
99DB      jr   L99B8


Re: '99 Saturn Dissassembly

Postby sabercatpuck » Fri Mar 26, 2010 10:09 pm

I figured I would put in a quick update. I have gotten some of the other projects somewhat more under control, so hopefully I will be able to work on this again soon (although we are now moving into spring, and that means mowing the lawn will be in the mix soon too). I have not been totally idle, though: I have been learning VBA for Excel so I can better manipulate the data coming back from the logic analyzer. See the code snippet below for some of what I have put together: it starts by arranging the data better, then moves into a reverse assembler so I can put the data back together as readable assembly code with better information. When I get this done I will post it in the tools section.
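' Normalise a logic-analyzer export on worksheet 1: drop the export's "Time"
' columns and header row if present, force columns A:B to text, make sure a
' second sheet exists, then zero-pad column A to 5 hex digits and column B
' to 2 hex digits (both upper-cased). Column A is the address, B the data byte.
Private Sub CommandButton1_Click()
    Dim rowCount As Long
    Dim x As Long

    ' Strip the leading time columns and header row so that column A holds
    ' the address and column B the byte. Runs against the active sheet, as
    ' the original did.
    If Range("a1") = "Time" Then
        Columns("a:b").Delete Shift:=xlToLeft
        Rows("1:1").Delete Shift:=xlUp
        Columns("a:b").NumberFormat = "@"   ' text format, so leading zeros survive
    End If
    If Application.Sheets.Count = 1 Then Sheets.Add After:=ActiveSheet
    Worksheets("Sheet2").Columns("A:A").ColumnWidth = 20
    AddIns("Analysis ToolPak").Installed = True
    AddIns("Analysis ToolPak - VBA").Installed = True

    ' The row count is read once; the original re-evaluated UsedRange on every
    ' iteration. The loops are qualified with the same sheet the count comes
    ' from: Sheets.Add above activates the new sheet, so unqualified Range()
    ' calls after it would otherwise pad cells on the empty new sheet.
    With ThisWorkbook.Worksheets(1)
        rowCount = .UsedRange.Rows.Count
        For x = 1 To rowCount
            .Range("a" & CStr(x)) = PadHex(CStr(.Range("a" & CStr(x))), 5)
        Next x
        For x = 1 To rowCount
            .Range("b" & CStr(x)) = PadHex(CStr(.Range("b" & CStr(x))), 2)
        Next x
    End With
End Sub

' Left-pad text with "0" to width characters and upper-case it. Values that
' are already width characters or longer are returned unchanged apart from
' casing, matching the original's If/ElseIf chain (which had no branch for
' over-long values either).
Private Function PadHex(ByVal text As String, ByVal width As Integer) As String
    If Len(text) < width Then text = String(width - Len(text), "0") & text
    PadHex = UCase(text)
End Function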


' Dispatch on the opcode byte in B1 to the matching decoder. Only LDD ($FC)
' and SUBD ($B3) are handled so far; any other value does nothing.
Private Sub CommandButton2_Click()
    Dim opcode As Variant
    opcode = Range("b1")
    If opcode = "FC" Then
        LDD_FC
    ElseIf opcode = "B3" Then
        SUBD_B3
    End If
End Sub
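' Decode an LDD (opcode $FC, extended addressing) from the analyzer capture
' on the active sheet, starting at row 1, and write the reassembled line to
' Sheet2!A1. Column A holds the fetched address (hex text), column B the
' byte read from it. The capture is walked forward looking for, in order:
' the operand high and low bytes (fetched at opcode+1 and opcode+2), then
' the two data bytes read from $hhll and $hhll+1. If any of those fetches
' does not appear before its row limit the sub gives up silently, as before.
Private Sub LDD_FC()
    Dim addr As Long
    Dim x As Long
    Dim hh As String
    Dim ll As String
    Dim hhll As String
    Dim hhll1 As String

    x = 1
    addr = WorksheetFunction.Hex2Dec(Range("a" & CStr(x)).Value)

    ' Operand high byte: the fetch at opcode address + 1.
    addr = addr + 1
    If Not SeekAddress(addr, x, 5) Then Exit Sub
    hh = Range("b" & CStr(x))

    ' Operand low byte: the fetch at opcode address + 2.
    addr = addr + 1
    If Not SeekAddress(addr, x, 6) Then Exit Sub
    ll = Range("b" & CStr(x))
    hhll = hh & ll

    ' First data byte: the read from the operand address itself.
    addr = WorksheetFunction.Hex2Dec(hhll)
    If Not SeekAddress(addr, x, 7) Then Exit Sub
    hh = Range("b" & CStr(x))

    ' Second data byte: the read from operand address + 1.
    addr = addr + 1
    hhll1 = WorksheetFunction.Dec2Hex(addr)
    If Not SeekAddress(addr, x, 8) Then Exit Sub
    ll = Range("b" & CStr(x))

    Worksheets("Sheet2").Range("a1") = "LDD #" & hhll & " ;" & hhll & " = $" & hh & ", " & hhll1 & " = $" & ll
End Sub

' Advance x (starting from x + 1) to the next row whose column-A address
' equals addr. Returns True with x on the matching row, or False once
' limitRow is reached without a match (x is left at limitRow).
' The original loops were written as `Do While (addr <> ... Or x = N)`,
' which keeps looping *past* row N instead of stopping there, so the
' following `If x = N Then Exit Sub` guards could never fire and the scan
' ran on to the end of the data; this helper applies the intended bound.
' NOTE(review): Hex2Dec on an empty cell beyond the capture is assumed to
' raise (or return 0) exactly as it did in the original - confirm.
Private Function SeekAddress(ByVal addr As Long, ByRef x As Long, ByVal limitRow As Long) As Boolean
    SeekAddress = False
    x = x + 1
    Do While x < limitRow
        If addr = WorksheetFunction.Hex2Dec(Range("a" & CStr(x)).Value) Then
            SeekAddress = True
            Exit Function
        End If
        x = x + 1
    Loop
End Function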
' Placeholder decoder for SUBD ($B3): writes only the mnemonic to Sheet2!A2.
Private Sub SUBD_B3()
    With Worksheets("Sheet2")
        .Range("a2") = "SUBD"
    End With
End Sub
' Empty SelectionChange event handler (presumably left behind by the VBA
' editor); nothing happens when the selection changes.
Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub
