'99 Saturn Dissassembly
- antus
- Site Admin
- Posts: 8251
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Re: '99 Saturn Dissassembly
I suggest taking 0->32K and 96->128K and appending them together to make a 64K image of banks 0 and 3 in memory, then disassembling and tracing from the serial handler vector. From there you'll find the code that handles the various mode requests. I would expect the vector in bank 3 to jump into bank 0, then back to bank 3 where the stuff happens.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
-
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
- cars: 1999 Saturn SL1
2003 Monte Carlo
Re: '99 Saturn Dissassembly
Already got it, it is in bank 3. Boy, I love logic analyzers.
8271 L8271 brset L0088, #%00100000, L8284
8275 brset L0088, #%00010000, L82CC
8279 ldY L1E7D
827D ldaA 15, Y
8280 cmpA #$AA
8282 beq L8286; Is there something on the serial bus?
8284 L8284 jr L82F0
;
8286 L8286 ldX #$0383 ; where the serial handler starts
8289 ldaB 0, Y
828C bitB #%00000100
828E bne L82A2
8290 ldaA 0, Y
8293 andA #%11011111
8295 staA 0, X
8297 ldaA #$6B
8299 staA 1, X
829B ldaA LC251
829E staA 2, X
82A0 jr L82B1
Re: '99 Saturn Dissassembly
This is a small section of the code steps it is taking right around the decision that there is something on the serial OBD line.
- Attachments
- mode19entry.txt: a few above and below the mode 19 entry as shown on the logic analyzer
Re: '99 Saturn Dissassembly
I was trying to fade off to sleep when it hit me how interesting it would be to run the stuff from the logic analyzer through a couple of filters using TED Notepad: first finding the unique lines, then sorting ascending. The results were very interesting. This popped right out, for instance. Note that when this snapshot was taken I was pinging away with mode 27 requests.
383 6C ; this looks like a formatted reply to an unsuccessful mode 27 request
384 F1
385 10
386 67
387 2
388 36
389 39
38A 0
38B 0
38C 0
38D 0
38E 0
38F 0
390 0
- Attachments
- Mode27EntryTedFiltered.txt: something tells me this might be useful for finding memory locations
- Mode19EntryTedFiltered.txt: smaller selection of lines but still interesting
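Added example (not code from the thread): the "unique lines, then sort ascending" pass described in the post, done in a script instead of an editor, with one extra step that the editor can't do: group consecutive addresses into runs so a buffer such as the reply at $0383 falls out as a single hex dump, and flag any address that took more than one value during the capture instead of silently keeping one of them. The capture text below is constructed in the same "address value" format as the posted lines; it is not a real trace, and the function names are mine.

```python
"""Filter a logic-analyser capture of RAM writes: unique, sort, group into runs.

Added example, not from the thread.  SAMPLE_CAPTURE is constructed in the
'<addr_hex> <data_hex>' layout of the posted lines, not a real trace.
"""

from collections import defaultdict

# Constructed capture: writes to the $0383 reply buffer interleaved with
# unrelated RAM traffic and repeats, in the order an analyser would log them.
SAMPLE_CAPTURE = """\
1E7D AA
383 6C
384 F1
1E7F 7
385 10
386 67
387 2
388 36
389 39
1E7D AA
383 6C
1E7F 8
88 10
384 F1
"""


def parse_capture(text: str) -> list[tuple[int, int]]:
    """One '<addr_hex> <data_hex>' pair per line; blank or malformed lines are
    skipped rather than aborting a 50 KiB dump."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            pairs.append((int(parts[0], 16), int(parts[1], 16)))
        except ValueError:
            continue
    return pairs


def unique_sorted(pairs: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """The editor recipe: drop duplicate lines, then sort ascending.  Sorting the
    parsed integers avoids the text-sort trap where '1E7D' lands between '383'
    and '390'."""
    return sorted(set(pairs))


def group_runs(pairs: list[tuple[int, int]]) -> list[tuple[int, dict[int, list[int]]]]:
    """Collapse sorted pairs into runs of consecutive addresses.  Each run is
    (start_addr, {addr: [values seen]}) so an address that took several values
    over the capture stays visible instead of being overwritten."""
    by_addr: dict[int, list[int]] = defaultdict(list)
    for addr, val in pairs:
        by_addr[addr].append(val)
    runs, current, prev = [], {}, None
    for addr in sorted(by_addr):
        if prev is not None and addr != prev + 1:
            runs.append((min(current), current))
            current = {}
        current[addr] = by_addr[addr]
        prev = addr
    if current:
        runs.append((min(current), current))
    return runs


def run_bytes(run: dict[int, list[int]]) -> bytes:
    """Bytes of a run in which every address has exactly one value; raises if
    an address is ambiguous, because guessing would corrupt the reconstructed
    frame."""
    out = bytearray()
    for addr in sorted(run):
        vals = run[addr]
        if len(vals) != 1:
            raise ValueError(f"${addr:04X} took several values: {vals}")
        out.append(vals[0])
    return bytes(out)


def dump(runs: list[tuple[int, dict[int, list[int]]]]) -> str:
    """One run per line: start address, then the bytes, with ambiguous
    addresses shown as {a/b} alternatives."""
    lines = []
    for start, run in runs:
        cells = []
        for addr in sorted(run):
            vals = run[addr]
            if len(vals) == 1:
                cells.append(f"{vals[0]:02X}")
            else:
                cells.append("{" + "/".join(f"{v:02X}" for v in vals) + "}")
        lines.append(f"${start:04X}: " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(dump(group_runs(unique_sorted(parse_capture(SAMPLE_CAPTURE)))))
```

Run against the real Mode27 capture the same way: the $0383 run should come out as the 6C F1 10 67 02 36 39 frame, and anything shown in braces is an address the PCM rewrote between requests, which is exactly where a state or counter byte tends to hide.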
- antus
Re: '99 Saturn Dissassembly
So, the reply would be 6C F1 10 67 02 36 39, and in the bin it's at bank 0, address 0x0383? Next, then, look for references to 0x0383, or, often in Delco code, a reference to another word containing 0x0380, something like ldaa 0x1234 where 0x1234 contains 0x0383. Although with that logic analyser you might have more direct ways up your sleeve.
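Added example (not code from the thread): the two steps antus describes, building the 64K bank 0 + bank 3 image from a 128K dump and then hunting for references to the $0383 buffer, both directly (the 03 83 operand of `ldX #$0383`, or of an extended-mode store) and indirectly (a word that points at another word holding $0383). The ROM bytes are constructed to exercise the functions and are not taken from a real Saturn bin; the function names are mine.

```python
"""Splice bank 0 + bank 3 into a 64K image and search it for $0383 references.

Added example, not from the thread.  The 128K ROM built by constructed_rom()
is filler with a few planted bytes, not real firmware.
"""

BANK_SIZE = 0x8000           # four 32K banks in a 128K dump
LOW_BANK, HIGH_BANK = 0, 3   # image = file[0:32K] + file[96K:128K]


def bank_image(rom: bytes, low: int = LOW_BANK, high: int = HIGH_BANK) -> bytes:
    """Return a 64K image whose CPU addresses $0000-$7FFF come from bank `low`
    and $8000-$FFFF from bank `high`, so a disassembler sees what the CPU sees."""
    if len(rom) != 4 * BANK_SIZE:
        raise ValueError(f"expected a 128K dump, got {len(rom)} bytes")
    lo = rom[low * BANK_SIZE:(low + 1) * BANK_SIZE]
    hi = rom[high * BANK_SIZE:(high + 1) * BANK_SIZE]
    return lo + hi


def cpu_to_file(addr: int, high: int = HIGH_BANK) -> int:
    """Map a CPU address in the image back to an offset in the 128K file,
    e.g. $8F26 in bank 3 -> 0x18F26 as quoted from the analyser in the thread."""
    if addr < BANK_SIZE:
        return addr
    return high * BANK_SIZE + (addr - BANK_SIZE)


def find_word(image: bytes, word: int) -> list[int]:
    """Offsets of every big-endian 16-bit `word` (HC11 byte order).  Catches
    immediates like `ldx #$0383`, extended operands like `staa $0383`, and
    data words that hold the value."""
    pat = word.to_bytes(2, "big")
    return [i for i in range(len(image) - 1) if image[i:i + 2] == pat]


def find_indirect(image: bytes, target: int, window: tuple[int, int]) -> list[tuple[int, int]]:
    """The second pattern antus mentions: a word that points at another word
    holding `target`.  Returns (offset of the pointer, pointer value).  `window`
    limits pointer values to a plausible range so random data is not taken for
    a pointer."""
    hits = []
    lo, hi = window
    for i in range(len(image) - 1):
        ptr = int.from_bytes(image[i:i + 2], "big")
        if lo <= ptr < hi and int.from_bytes(image[ptr:ptr + 2], "big") == target:
            hits.append((i, ptr))
    return hits


def constructed_rom() -> bytes:
    """128K of filler with planted bytes (constructed, not real firmware):
    bank 3 gets `ldx #$0383` (CE 03 83) at CPU $8286 like the posted listing,
    a data word $0383 at CPU $C000, and `ldaa $C000` (B6 C0 00) at CPU $8300."""
    rom = bytearray(b"\xff" * (4 * BANK_SIZE))

    def put(addr: int, data: bytes) -> None:
        off = cpu_to_file(addr)
        rom[off:off + len(data)] = data

    put(0x8286, bytes.fromhex("CE0383"))
    put(0xC000, bytes.fromhex("0383"))
    put(0x8300, bytes.fromhex("B6C000"))
    return bytes(rom)


if __name__ == "__main__":
    img = bank_image(constructed_rom())
    for off in find_word(img, 0x0383):
        print(f"${off:04X}: word $0383 (file offset 0x{cpu_to_file(off):05X})")
    for off, ptr in find_indirect(img, 0x0383, (0x8000, 0x10000)):
        print(f"${off:04X}: pointer ${ptr:04X} -> word $0383")
```

On a real dump, `open("saturn.bin", "rb").read()` in place of `constructed_rom()`, and run `find_word` for both $0383 and $0380; a hit inside the code region still has to be checked against the disassembly, because a 03 83 byte pair can also be the tail of an unrelated instruction.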
Re: '99 Saturn Dissassembly
Yep, that is the reply, and it is in bank 0. As for code, you need look no further than the code fragment I listed above; the first line of code in the serial port trap section loads the X register as a pointer, it would appear.
8286 L8286 ldX #$0383 ; where the serial handler starts
Hmm, just noticed they set the Y location a few lines earlier:
8279 ldY L1E7D
- antus
Re: '99 Saturn Dissassembly
reply length?
- VL400
- Posts: 4991
- Joined: Sun Mar 01, 2009 2:54 pm
- cars: VL Calais and Toyota Landcruiser. Plus some toys :)
- Location: Perth, WA
Re: '99 Saturn Dissassembly
1E7D looks like RAM for the Tx or Rx buffer. The cmpa #AA is interesting; in the older PCMs AA is used for when a valid state is entered or requested.
There are some bytes written to 0x0383: the masked value (#%11011111) for the priority byte, 0x6B (which I would have thought would be the ID of the destination) and LC251 (0x10, which is the PCM's ID), and at L82BC it shows a byte write routine to move the payload data from the serial buffer to RAM.
Re: '99 Saturn Dissassembly
OK, well, I think I have isolated the jump table for enhanced modes, though it has an offset of 4 from the number in the table. For instance, the 8f 22 at $8805 plus the offset of 4 is jumping to mode $10 at $18f26.
These were some of the actual locations it jumped to according to the logic analyzer:
18f26 beginning mode 10
191e2 beginning mode 14
191f9 beginning mode 17
1946d beginning mode 18
1964e beginning mode 19
198ac beginning mode 20
198dd beginning mode 22
1991c beginning mode 23
19971 beginning mode 27
1a4b6 beginning mode 3c
87F5 db $88, $DF, $89, $17, $89, $5D, $89, $EF, $8A, $03
87FF db $8B, $B0, $8D, $F8, $8E, $93, $8F, $22, $00, $00
8809 db $8F, $E4, $90, $FF, $91, $DE, $00, $00, $00, $00
8813 db $91, $F5, $94, $69, $96, $4A, $00, $00, $00, $00
881D db $00, $00, $00, $00, $00, $00, $00, $00, $98, $A8
8827 db $00, $00, $98, $D9, $99, $18, $00, $00, $99, $5F
8831 db $00, $00, $99, $6D, $99, $F6, $9A, $40, $9A, $4E
883B db $9C, $24, $9C, $78, $00, $00, $00, $00, $00, $00
8845 db $00, $00, $9D, $F2, $9D, $F2, $9D, $F2, $9E, $40
884F db $9E, $A2, $00, $00, $00, $00, $00, $00, $00, $00
8859 db $00, $00, $A4, $B2, $A4, $B2, $00, $00, $00, $00
8863 db $A8, $C9, $A8, $D3, $A8, $EA, $00, $00, $00, $00
886D db $00, $00, $00, $00, $00, $00, $00, $00, $A9, $04
8877 db $00, $00, $00, $00, $00, $00, $00, $00, $A9, $12
8881 db $A9, $1D
And this is the point at which it was making the indirect branch through the jump table:
88A8 L88A8 subB #$90
88AA bcs L88D9
88AC cmpB #$0E
88AE bhi L88D9
88B0 ldX #$8865
88B3 L88B3 aBX
88B4 aBX
88B5 ldX 0, X
88B7 beq L88D9
88B9 brset L0088, #%00010000, L88D5
88BD ldaB L1E7F
88C0 cmpB 0, X
88C2 bhi L88C8
88C4 cmpB 1, X
88C6 bcc L88D0
88C8 L88C8 cmpA #$10
88CA bcs L8899
88CC ldaA #$12
88CE jr L88DB
;
88D0 L88D0 bset L0088, #%00010000
88D3 jmp 4, X ; Jumps from this address
;
88D5 L88D5 ldX 2, X
88D7 jmp 0, X
;
88D9 L88D9 ldaA #$11
88DB L88DB jmp LAF77
Re: '99 Saturn Dissassembly
Which implies these as the basic entry points for most major enhanced mode points (in the 3rd upper memory). The interesting thing is that following the table out would imply there are some numbers in the $40's, which would be highly irregular, I would think.
10 $8F26
12 $8FE8
13 $9103
14 $91E2
17 $91F9
18 $946D
19 $964E
20 $98AC
22 $98DD
23 $991C
25 $9963
27 $9971
28 $99FA
29 $9A44
2A $9A42
2B $9C28
2C $9C7C
31 $9DF6
32 $9DF6
33 $9DF6
34 $9E44
35 $9EA6
3B $A4B6
3C $A4B6
3F $A8CD
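Added example (not code from the thread) covering the two posts above: a decoder for the dispatch structure the listing at $88A8 walks, run over the table bytes quoted from $87F5 onward, so the hand-built mode-to-entry list can be regenerated and checked. What the listing shows directly: the mode is reduced by $90 and bounded at $0E, indexed into $8865 two bytes per entry (`aBX` twice), the word there is a record pointer (zero means the `ldaA #$11` path), bit 4 of L0088 selects either the continuation pointer at 2,X or a range test of L1E7F against 0,X and 1,X, and the accepted request jumps to 4,X. Assumptions, labelled as such in the code: the $87E5 base for modes $00-$3F is inferred from the poster's "8F 22 at $8805 is mode $10" (8805 - 2*10), and it puts A8 C9 at $8863 as mode $3F immediately before the $8865 table; the value in L1E7F is treated as a request length, which the listing does not say. The record planted at $8F22 is constructed, and the function and field names are mine.

```python
"""Decode the enhanced-mode dispatch tables that the listing at $88A8 walks.

Added example, not from the thread.  TABLE_BYTES_AT_87F5 are the db bytes
quoted in the post; the record at $8F22 is constructed.  The $87E5 base and
the 'length' reading of L1E7F are assumptions (see the lead-in).
"""

from dataclasses import dataclass
from typing import Optional

BANK3_FILE_BASE = 0x18000 - 0x8000   # CPU $8000+ in bank 3 -> file offset + 0x10000

TABLES = [                   # (first mode, last mode, address of table word 0)
    (0x00, 0x3F, 0x87E5),    # assumed base: $8805 - 2*$10, ends right before $8865
    (0x90, 0x9E, 0x8865),    # from `subB #$90 / cmpB #$0E / ldX #$8865`
]

# db bytes from the post, $87F5 (mode $08) through $8882 (mode $9E)
TABLE_BYTES_AT_87F5 = bytes.fromhex(
    "88DF 8917 895D 89EF 8A03 8BB0 8DF8 8E93 8F22 0000"
    "8FE4 90FF 91DE 0000 0000 91F5 9469 964A 0000 0000"
    "0000 0000 0000 0000 98A8 0000 98D9 9918 0000 995F"
    "0000 996D 99F6 9A40 9A4E 9C24 9C78 0000 0000 0000"
    "0000 9DF2 9DF2 9DF2 9E40 9EA2 0000 0000 0000 0000"
    "0000 A4B2 A4B2 0000 0000 A8C9 A8D3 A8EA 0000 0000"
    "0000 0000 0000 0000 A904 0000 0000 0000 0000 A912"
    "A91D")


@dataclass
class ModeEntry:
    mode: int
    record: int        # address the table word points at
    upper: int         # 0,X: L1E7F above this -> `ldaA #$12` path (bhi)
    lower: int         # 1,X: L1E7F at or above this -> accepted (bcc)
    continuation: int  # 2,X: taken when bit 4 of L0088 is already set
    entry: int         # 4,X: the `jmp 4, X` target, i.e. table word + 4

    @property
    def entry_file_offset(self) -> int:
        """Where the entry sits in the 128K file (the analyser's $18F26 style address)."""
        return self.entry + BANK3_FILE_BASE


def word(image: bytes, addr: int) -> int:
    return int.from_bytes(image[addr:addr + 2], "big")


def lookup(image: bytes, mode: int) -> Optional[ModeEntry]:
    """Mirror the listing: an out-of-range mode or a zero table word is the
    `ldaA #$11` path (None here); otherwise return a view of the record."""
    for first, last, base in TABLES:
        if first <= mode <= last:
            rec = word(image, base + 2 * (mode - first))   # aBX twice = index*2
            if rec == 0:
                return None                                  # beq L88D9
            return ModeEntry(mode, rec, image[rec], image[rec + 1],
                             word(image, rec + 2), rec + 4)
    return None


def accepts(entry: ModeEntry, value: int) -> bool:
    """The test at $88BD-$88C6 on the byte in L1E7F (assumed to be a length):
    accepted when lower <= value <= upper, unsigned, as bhi/bcc imply."""
    return entry.lower <= value <= entry.upper


def all_modes(image: bytes) -> dict[int, ModeEntry]:
    """Every mode with a non-zero table word: the list the poster built by hand."""
    found = {}
    for first, last, _ in TABLES:
        for mode in range(first, last + 1):
            e = lookup(image, mode)
            if e is not None:
                found[mode] = e
    return found


def constructed_image() -> bytes:
    """64K image holding the quoted table bytes plus one constructed record at
    $8F22 for mode $10: upper 3, lower 1, continuation $8F40, code at $8F26."""
    img = bytearray(0x10000)
    img[0x87F5:0x87F5 + len(TABLE_BYTES_AT_87F5)] = TABLE_BYTES_AT_87F5
    img[0x8F22:0x8F26] = bytes([0x03, 0x01, 0x8F, 0x40])
    return bytes(img)


if __name__ == "__main__":
    for mode, e in sorted(all_modes(constructed_image()).items()):
        print(f"{mode:02X} ${e.entry:04X}  (file 0x{e.entry_file_offset:05X})")
```

The same decoder runs on the real 64K bank image once the table bytes are read from it instead of planted; the records' first two bytes then show what each mode's range check actually is, and the zero words in the $36-$3A and $92-$97 slots are the modes the firmware answers with the $11 path.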