'99 Saturn Disassembly

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Site Admin
Posts: 6510
Joined: Sat Feb 28, 2009 8:34 pm

Re: '99 Saturn Disassembly

Postby antus » Wed Jan 20, 2010 12:54 pm

I suggest taking 0->32k and 96->128K and appending them together to make a 64k image of bank 0 and 3 in memory, then disassembling and tracing from the serial handler vector. From there you'll find the code that handles the various mode requests. I would expect the vector in bank 3 to jump in to bank 0, then back to bank 3 where the stuff happens.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 67
Joined: Thu Jan 14, 2010 1:03 am

Re: '99 Saturn Disassembly

Postby sabercatpuck » Wed Jan 20, 2010 2:30 pm

Already got it, it is in bank 3
Code:
8271   L8271   brset   L0088, #%00100000, L8284
8275      brset   L0088, #%00010000, L82CC
8279      ldY   L1E7D
827D      ldaA   15, Y
8280      cmpA   #$AA
8282      beq   L8286; Is there something on the serial bus?
8284   L8284   jr   L82F0
;
8286   L8286   ldX   #$0383 ; where the serial handler starts
8289      ldaB   0, Y
828C      bitB   #%00000100
828E      bne   L82A2
8290      ldaA   0, Y
8293      andA   #%11011111
8295      staA   0, X
8297      ldaA   #$6B
8299      staA   1, X
829B      ldaA   LC251
829E      staA   2, X
82A0      jr   L82B1


Boy I love logic analyzers :)

Posts: 67
Joined: Thu Jan 14, 2010 1:03 am

Re: '99 Saturn Disassembly

Postby sabercatpuck » Wed Jan 20, 2010 3:03 pm

This is a small section of the code steps it is taking right around the decision that there is something on the serial OBD line.
Attachments
mode19entry.txt
a few above and below the mode 19 entry as shown on the logic analyzer

Posts: 67
Joined: Thu Jan 14, 2010 1:03 am

Re: '99 Saturn Disassembly

Postby sabercatpuck » Wed Jan 20, 2010 4:52 pm

I was trying to fade off to sleep when it hit me how interesting it would be to run the stuff from the logic analyzer through a couple filters using the tednotepad. First finding the unique lines, then sort ascending. The results were very interesting. This popped right out for instance. Note when this snapshot was taken I was pinging away with mode 27 requests.
383 6C ; this looks like a formatted reply to an unsuccessful mode 27 request
384 F1
385 10
386 67
387 2
388 36
389 39
38A 0
38B 0
38C 0
38D 0
38E 0
38F 0
390 0
Attachments
Mode27EntryTedFiltered.txt
something tells me this might be useful for finding memory locations
Mode19EntryTedFiltered.txt
smaller selection of lines but still interesting

Site Admin
Posts: 6510
Joined: Sat Feb 28, 2009 8:34 pm

Re: '99 Saturn Disassembly

Postby antus » Wed Jan 20, 2010 5:11 pm

So, the reply would be 6C F1 10 67 02 36 39? and in the bin it's at bank 0, address 0x0383? Next then to look for references to 0x0383, or, as is often the case in delco code, a reference to another word containing 0x0380, something like ldaa 0x1234 where 0x01234 contains 0x0383. Although with that logic analyser, you might have more direct ways up your sleeve :thumbup:

Posts: 67
Joined: Thu Jan 14, 2010 1:03 am

Re: '99 Saturn Disassembly

Postby sabercatpuck » Wed Jan 20, 2010 5:18 pm

Yep, that is the reply and it is in bank 0. As for code, you need look no further than the code fragment I listed above: the first line of code in the serial port trap section loads the X register as a pointer, it would appear.

8286 L8286 ldX #$0383 ; where the serial handler starts


Hmm, just noticed they set the Y location a few lines earlier:

8279 ldY L1E7D

Site Admin
Posts: 6510
Joined: Sat Feb 28, 2009 8:34 pm

Re: '99 Saturn Disassembly

Postby antus » Wed Jan 20, 2010 5:59 pm

Reply length?

Posts: 4991
Joined: Sun Mar 01, 2009 2:54 pm
Location: Perth, WA

Re: '99 Saturn Disassembly

Postby VL400 » Wed Jan 20, 2010 6:57 pm

1E7D looks like RAM for the Tx or Rx buffer. The cmpa #AA is interesting, in the older PCMs AA is used for when a valid state is entered or requested.

There are some bytes written to 0x0383 - the masked value (#%11011111) for the priority byte, 0x6B (which I would have thought would be the ID of the destination) and LC251 (0x10, which is the PCM's ID), and at L82BC it shows a byte write routine to move the payload data from the serial buffer to RAM.

Posts: 67
Joined: Thu Jan 14, 2010 1:03 am

Re: '99 Saturn Disassembly

Postby sabercatpuck » Thu Jan 21, 2010 1:15 am

OK well I think I have isolated the jump table for enhanced modes, though it has an offset from that number in the table of 4. For instance the 8f 22 at $8805 plus the offset of 4 is jumping to mode $10 at $18f26.
Code:
87F5      db   $88, $DF, $89, $17, $89, $5D, $89, $EF, $8A, $03
87FF      db   $8B, $B0, $8D, $F8, $8E, $93, $8F, $22, $00, $00
8809      db   $8F, $E4, $90, $FF, $91, $DE, $00, $00, $00, $00
8813      db   $91, $F5, $94, $69, $96, $4A, $00, $00, $00, $00
881D      db   $00, $00, $00, $00, $00, $00, $00, $00, $98, $A8
8827      db   $00, $00, $98, $D9, $99, $18, $00, $00, $99, $5F
8831      db   $00, $00, $99, $6D, $99, $F6, $9A, $40, $9A, $4E
883B      db   $9C, $24, $9C, $78, $00, $00, $00, $00, $00, $00
8845      db   $00, $00, $9D, $F2, $9D, $F2, $9D, $F2, $9E, $40
884F      db   $9E, $A2, $00, $00, $00, $00, $00, $00, $00, $00
8859      db   $00, $00, $A4, $B2, $A4, $B2, $00, $00, $00, $00
8863      db   $A8, $C9, $A8, $D3, $A8, $EA, $00, $00, $00, $00
886D      db   $00, $00, $00, $00, $00, $00, $00, $00, $A9, $04
8877      db   $00, $00, $00, $00, $00, $00, $00, $00, $A9, $12
8881      db   $A9, $1D

These were some of the actual locations it jumped to according to the logic analyzer:
18f26 beginning mode 10
191e2 beginning mode 14
191f9 beginning mode 17
1946d beginning mode 18
1964e beginning mode 19
198ac beginning mode 20
198dd beginning mode 22
1991c beginning mode 23
19971 beginning mode 27
1a4b6 beginning mode 3c

And this is the point at which it was making the indirect branch through the jump table:
Code:
88A8   L88A8   subB   #$90
88AA      bcs   L88D9
88AC      cmpB   #$0E
88AE      bhi   L88D9
88B0      ldX   #$8865
88B3   L88B3   aBX   
88B4      aBX   
88B5      ldX   0, X
88B7      beq   L88D9
88B9      brset   L0088, #%00010000, L88D5
88BD      ldaB   L1E7F
88C0      cmpB   0, X
88C2      bhi   L88C8
88C4      cmpB   1, X
88C6      bcc   L88D0
88C8   L88C8   cmpA   #$10
88CA      bcs   L8899
88CC      ldaA   #$12
88CE      jr   L88DB
;
88D0   L88D0   bset   L0088, #%00010000
88D3      jmp   4, X ; Jumps from this address
;
88D5   L88D5   ldX   2, X
88D7      jmp   0, X
;
88D9   L88D9   ldaA   #$11
88DB   L88DB   jmp   LAF77


Posts: 67
Joined: Thu Jan 14, 2010 1:03 am

Re: '99 Saturn Disassembly

Postby sabercatpuck » Thu Jan 21, 2010 1:39 am

Which implies these as the basic entry points for most major enhanced mode points (in the 3rd upper memory). The interesting thing is that following the table out would imply there are some numbers in the $40's, which would be highly irregular I would think.

10 $8F26
12 $8FE8
13 $9103
14 $91e2
17 $91F9
18 $946d
19 $964e
20 $98Ac
22 $98Dd
23 $991c
25 $9963
27 $9971
28 $99Fa
29 $9A44
2a $9A42
2b $9C28
2c $9C7c
31 $9DF6
32 $9DF6
33 $9DF6
34 $9E44
35 $9EA6
3b $A4B6
3c $A4B6
3f $A8Cd
