'99 Saturn Dissassembly

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: '99 Saturn Dissassembly

Post by antus »

I suggest taking 0->32K and 96->128K and appending them together to make a 64K image of banks 0 and 3 as they sit in memory, then disassembling and tracing from the serial handler vector. From there you'll find the code that handles the various mode requests. I would expect the vector in bank 3 to jump into bank 0, then back to bank 3 where the stuff happens.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
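The bank stitch suggested above, as an added example (not code from this thread or from any of its posters). It assumes the dump is exactly 128 KiB, that bank 0 is the first 32 KiB of the file and bank 3 the last 32 KiB (96K->128K), and that in the stitched image bank 0 sits at $0000-$7FFF and bank 3 at $8000-$FFFF, so CPU addresses from the disassembly index the stitched image directly. The test dump it builds when no file is given is constructed, not a real PCM image.

```python
"""Stitch bank 0 and bank 3 of a 128 KiB PCM dump into one 64 KiB image.

Added example, not code from the thread.  Assumptions: 128 KiB dump, bank 0
at file offset 0, bank 3 at file offset 96K, and in the stitched image
bank 0 -> $0000-$7FFF, bank 3 -> $8000-$FFFF.
"""
import sys

BANK_SIZE = 0x8000                  # 32 KiB per bank
DUMP_SIZE = 4 * BANK_SIZE           # 128 KiB dump, four banks
BANK3_FILE_OFFSET = 3 * BANK_SIZE   # 96K -> 128K


def stitch_banks(dump: bytes, low_bank: int = 0, high_bank: int = 3) -> bytes:
    """Return low_bank followed by high_bank as a 64 KiB image."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected a {DUMP_SIZE} byte dump, got {len(dump)}")
    low = dump[low_bank * BANK_SIZE:(low_bank + 1) * BANK_SIZE]
    high = dump[high_bank * BANK_SIZE:(high_bank + 1) * BANK_SIZE]
    return low + high


def cpu_to_dump_offset(cpu_addr: int, high_bank: int = 3) -> int:
    """Map a CPU address in the stitched image back to an offset in the
    128 KiB dump: $0383 stays 0x0383, while $8F26 (bank 3) becomes 0x18F26
    (assumption: bank 3 lives at 96K in the dump)."""
    if not 0 <= cpu_addr <= 0xFFFF:
        raise ValueError("CPU address out of range")
    if cpu_addr < BANK_SIZE:
        return cpu_addr
    return high_bank * BANK_SIZE + (cpu_addr - BANK_SIZE)


def read_word(image: bytes, cpu_addr: int) -> int:
    """Big-endian 16-bit word at cpu_addr in the stitched image, the way
    the two-byte vectors and table entries in the listing are stored."""
    return (image[cpu_addr] << 8) | image[cpu_addr + 1]


def make_test_dump() -> bytes:
    """Constructed 128 KiB dump: bank n is filled with byte 0xA0 + n, with a
    marker word at the start of bank 3 so the stitch can be checked."""
    dump = bytearray()
    for bank in range(4):
        dump += bytes([0xA0 + bank]) * BANK_SIZE
    dump[BANK3_FILE_OFFSET:BANK3_FILE_OFFSET + 2] = b"\x8F\x26"
    return bytes(dump)


if __name__ == "__main__":
    # usage: stitch.py [dump.bin [out.bin]]; with no arguments the
    # constructed test dump is used.
    src = sys.argv[1] if len(sys.argv) > 1 else None
    dump = open(src, "rb").read() if src else make_test_dump()
    image = stitch_banks(dump)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(image)
    print(f"stitched {len(image)} bytes; word at $8000 = {read_word(image, 0x8000):04X}")
```

Feed the 64K output to the disassembler with its origin at $0000; a reference such as ldx #$0383 then points at the same offset in the stitched file, and a bank 3 address the logic analyser reports as 0x18xxx is the CPU address plus 0x10000.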
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Already got it, it is in bank 3

Code: Select all

8271	L8271	brset	L0088, #%00100000, L8284
8275		brset	L0088, #%00010000, L82CC
8279		ldY	L1E7D
827D		ldaA	15, Y
8280		cmpA	#$AA
8282		beq	L8286; Is there something on the serial bus?
8284	L8284	jr	L82F0
;
8286	L8286	ldX	#$0383 ; where the serial handler starts
8289		ldaB	0, Y
828C		bitB	#%00000100
828E		bne	L82A2
8290		ldaA	0, Y
8293		andA	#%11011111
8295		staA	0, X
8297		ldaA	#$6B
8299		staA	1, X
829B		ldaA	LC251
829E		staA	2, X
82A0		jr	L82B1

Boy I love logic analyzers :)
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

This is a small section of the code steps it is taking right around the decision that there is something on the serial OBD line.
Attachments
mode19entry.txt
a few above and below the mode 19 entry as shown on the logic analyzer
(1.03 KiB) Downloaded 358 times
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

I was trying to fade off to sleep when it hit me how interesting it would be to run the stuff from the logic analyzer through a couple of filters using TED Notepad: first finding the unique lines, then sorting ascending. The results were very interesting. This popped right out, for instance. Note that when this snapshot was taken I was pinging away with mode 27 requests.
383 6C ; this looks like a formatted reply to an unsuccessful mode 27 request
384 F1
385 10
386 67
387 2
388 36
389 39
38A 0
38B 0
38C 0
38D 0
38E 0
38F 0
390 0
Attachments
Mode27EntryTedFiltered.txt
something tells me this might be useful for finding memory locations
(57.72 KiB) Downloaded 371 times
Mode19EntryTedFiltered.txt
smaller selection of lines but still interesting
(1.12 KiB) Downloaded 367 times
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: '99 Saturn Dissassembly

Post by antus »

So, the reply would be 6C F1 10 67 02 36 39? And in the bin it's at bank 0, address 0x0383? Next, then, is to look for references to 0x0383 or, as is often the case in Delco code, a reference to another word containing 0x0380, something like ldaa 0x1234 where 0x1234 contains 0x0383. Although with that logic analyser you might have more direct ways up your sleeve.
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Yep, that is the reply, and it is in bank 0. As for code, you need look no further than the code fragment I listed above; the first line of code in the serial port trap section loads the X register as a pointer, it would appear.

8286 L8286 ldX #$0383 ; where the serial handler starts


Hmm, just noticed they set the Y location a few lines earlier:

8279 ldY L1E7D
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: '99 Saturn Dissassembly

Post by antus »

reply length?
VL400
Posts: 4991
Joined: Sun Mar 01, 2009 2:54 pm
cars: VL Calais and Toyota Landcruiser. Plus some toys :)
Location: Perth, WA

Re: '99 Saturn Dissassembly

Post by VL400 »

1E7D looks like RAM for the Tx or Rx buffer. The cmpa #AA is interesting; in the older PCMs AA is used for when a valid state is entered or requested.

There are some bytes written to 0x0383: the masked value (#%11011111) for the priority byte, 0x6B (which I would have thought would be the ID of the destination) and LC251 (0x10, which is the PCM's ID), and at L82BC it shows a byte-write routine to move the payload data from the serial buffer to RAM.
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

OK, well, I think I have isolated the jump table for enhanced modes, though it has an offset of 4 from the number in the table. For instance, the 8f 22 at $8805 plus the offset of 4 is jumping to mode $10 at $18f26.

Code: Select all

87F5		db	$88, $DF, $89, $17, $89, $5D, $89, $EF, $8A, $03
87FF		db	$8B, $B0, $8D, $F8, $8E, $93, $8F, $22, $00, $00 
8809		db	$8F, $E4, $90, $FF, $91, $DE, $00, $00, $00, $00
8813		db	$91, $F5, $94, $69, $96, $4A, $00, $00, $00, $00
881D		db	$00, $00, $00, $00, $00, $00, $00, $00, $98, $A8
8827		db	$00, $00, $98, $D9, $99, $18, $00, $00, $99, $5F
8831		db	$00, $00, $99, $6D, $99, $F6, $9A, $40, $9A, $4E
883B		db	$9C, $24, $9C, $78, $00, $00, $00, $00, $00, $00
8845		db	$00, $00, $9D, $F2, $9D, $F2, $9D, $F2, $9E, $40
884F		db	$9E, $A2, $00, $00, $00, $00, $00, $00, $00, $00
8859		db	$00, $00, $A4, $B2, $A4, $B2, $00, $00, $00, $00
8863		db	$A8, $C9, $A8, $D3, $A8, $EA, $00, $00, $00, $00
886D		db	$00, $00, $00, $00, $00, $00, $00, $00, $A9, $04
8877		db	$00, $00, $00, $00, $00, $00, $00, $00, $A9, $12
8881		db	$A9, $1D
These were some of the actual locations it jumped to, according to the logic analyzer:
18f26 beginning mode 10
191e2 beginning mode 14
191f9 beginning mode 17
1946d beginning mode 18
1964e beginning mode 19
198ac beginning mode 20
198dd beginning mode 22
1991c beginning mode 23
19971 beginning mode 27
1a4b6 beginning mode 3c

And this is the point at which it was making the indirect branch through the jump table:

Code: Select all

88A8	L88A8	subB	#$90
88AA		bcs	L88D9
88AC		cmpB	#$0E
88AE		bhi	L88D9
88B0		ldX	#$8865
88B3	L88B3	aBX	
88B4		aBX	
88B5		ldX	0, X
88B7		beq	L88D9
88B9		brset	L0088, #%00010000, L88D5
88BD		ldaB	L1E7F
88C0		cmpB	0, X
88C2		bhi	L88C8
88C4		cmpB	1, X
88C6		bcc	L88D0
88C8	L88C8	cmpA	#$10
88CA		bcs	L8899
88CC		ldaA	#$12
88CE		jr	L88DB
;
88D0	L88D0	bset	L0088, #%00010000
88D3		jmp	4, X ; Jumps from this address
;
88D5	L88D5	ldX	2, X
88D7		jmp	0, X
;
88D9	L88D9	ldaA	#$11
88DB	L88DB	jmp	LAF77

sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: '99 Saturn Dissassembly

Post by sabercatpuck »

Which implies these as the basic entry points for most major enhanced modes (in the 3rd, upper memory). The interesting thing is that following the table out would imply there are some numbers in the $40's, which would be highly irregular, I would think.

10 $8F26
12 $8FE8
13 $9103
14 $91e2
17 $91F9
18 $946d
19 $964e
20 $98Ac
22 $98Dd
23 $991c
25 $9963
27 $9971
28 $99Fa
29 $9A44
2a $9A42
2b $9C28
2c $9C7c
31 $9DF6
32 $9DF6
33 $9DF6
34 $9E44
35 $9EA6
3b $A4B6
3c $A4B6
3f $A8Cd
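The table decoding described in the two posts above (the $87F5 listing with its "word plus 4" rule, and the mode-to-entry list derived from it), as an added example that is not code from this thread or from any of its posters. The table bytes are copied verbatim from the posted listing; everything else is an assumption stated in the comments: that the rule "the word at $8805 belongs to mode $10, handler = word + 4" holds for every slot, so mode m's slot is at $8805 + 2*(m - $10), and that the logic-analyser addresses are bank 3 dump offsets, i.e. CPU address + 0x10000 (0x18F26 <-> $8F26). The script decodes every non-empty slot, including the extrapolated ones past $3F, and reports any disagreement with the captured entry points.

```python
"""Decode the enhanced-mode jump table listed in the thread and check it
against the entry points read off the logic analyser.

Added example, not code from the thread.  Assumptions: the post's rule
(slot for mode $10 at $8805, two-byte big-endian words, handler = word + 4)
holds for every slot; analyser addresses are CPU address + 0x10000.
"""

TABLE_START = 0x87F5        # CPU address of the first listed byte
MODE_10_SLOT = 0x8805       # post: "8f 22 at $8805 ... mode $10"
HANDLER_OFFSET = 4          # post: handler = table word + 4
BANK3_DUMP_BIAS = 0x10000   # assumption: CPU $8xxx <-> dump 0x18xxx

# Bytes copied verbatim from the posted listing, $87F5-$8882.
TABLE = bytes.fromhex(
    "88DF 8917 895D 89EF 8A03"
    "8BB0 8DF8 8E93 8F22 0000"
    "8FE4 90FF 91DE 0000 0000"
    "91F5 9469 964A 0000 0000"
    "0000 0000 0000 0000 98A8"
    "0000 98D9 9918 0000 995F"
    "0000 996D 99F6 9A40 9A4E"
    "9C24 9C78 0000 0000 0000"
    "0000 9DF2 9DF2 9DF2 9E40"
    "9EA2 0000 0000 0000 0000"
    "0000 A4B2 A4B2 0000 0000"
    "A8C9 A8D3 A8EA 0000 0000"
    "0000 0000 0000 0000 A904"
    "0000 0000 0000 0000 A912"
    "A91D"
)

# Entry points the poster read off the logic analyser (dump offsets).
OBSERVED = {
    0x10: 0x18F26, 0x14: 0x191E2, 0x17: 0x191F9, 0x18: 0x1946D,
    0x19: 0x1964E, 0x20: 0x198AC, 0x22: 0x198DD, 0x23: 0x1991C,
    0x27: 0x19971, 0x3C: 0x1A4B6,
}


def entry_address(mode: int):
    """CPU address of the handler for `mode`, or None when the slot is
    empty ($0000) or lies outside the bytes the post lists."""
    slot = MODE_10_SLOT + 2 * (mode - 0x10)
    off = slot - TABLE_START
    if off < 0 or off + 1 >= len(TABLE):
        return None
    word = (TABLE[off] << 8) | TABLE[off + 1]
    return None if word == 0 else word + HANDLER_OFFSET


def decode_table() -> dict:
    """Every mode with a non-empty slot, as mode -> handler CPU address.
    Covers the whole listed range, so it also yields the extrapolated
    slots below $10 and in the $40's the post mentions."""
    first_mode = 0x10 - (MODE_10_SLOT - TABLE_START) // 2
    last_mode = first_mode + len(TABLE) // 2 - 1
    decoded = {}
    for mode in range(first_mode, last_mode + 1):
        addr = entry_address(mode)
        if addr is not None:
            decoded[mode] = addr
    return decoded


def check_observed() -> list:
    """Modes whose decoded handler disagrees with the analyser capture;
    an empty list means the table rule reproduces every capture."""
    return [mode for mode, dump_off in OBSERVED.items()
            if entry_address(mode) != dump_off - BANK3_DUMP_BIAS]


if __name__ == "__main__":
    for mode, addr in sorted(decode_table().items()):
        print(f"mode {mode:02X} -> ${addr:04X}")
    print("mismatches vs analyser:", check_observed())
```

The same decoder applies to any other two-byte table the disassembly turns up: change TABLE_START, the known (mode, slot) pair and HANDLER_OFFSET, and compare against whatever the analyser captured rather than trusting the indexing rule by eye.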