'99 Saturn Dissassembly
- sabercatpuck
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
Re: '99 Saturn Dissassembly
Well, this took a while, so I am not planning on doing it much (unless I build a program to do it for me), but I merged a section out of the code with data from the logic analyzer so that you can actually step through it and see what is happening, while it is happening. This goes from the initial check through the return to the main loop. I went with a mode 22 request since that would hopefully give me some insight into how the PIDs are set up too.
Code:
Send 6c 10 f1 22 11 01 01
Recv 6C F1 10 62 11 01 A1 FA
18190 ldY L1E3A; 1E3A = $1df8
18194 ldaA 15, Y; 1E07 = $AA
18197 cmpA #$AA
18199 beq L819E
1819E ldaB 0, Y ; 1DF8 = $6C
181A1 xorB #%00001000
181A3 bitB #%00011000
181A5 beq L81AA
181AA cmpB #$E0
181AC bcs L81B1
181B1 bitB #%00000100
181B3 bne L81C2
181C2 ldaA 1, Y ; 1DF9 = $10
181C5 cmpA #$FE
181C7 bne L81E3
181E3 cmpA LC251 ; 1C251 = $10
181E6 beq L81F8
181F8 ldX L1E7B ; 1E7B = $1E, 1E7C = $5B
181FB ldaA 15, X ; 1E6A = $00
181FD cmpA #$AA
181FF bne L820B
1820B ldD 0, Y ; 1DF8 = $6C, 1DF9 = $10
1820E stD 0, X ; 1E5B = $6C, 1E5C = $10
18210 ldD 2, Y ; 1DFA = $F1, 1DFB = $22
18213 stD 2, X ; 1E5D = $F1, 1E5E = $22
18215 ldD 4, Y ; 1DFC = $11, 1DFD = $01
18218 stD 4, X ; 1E5F = $11, 1E60 = $01
1821A ldD 6, Y ; 1DFE = $01, 1DFF = $01
1821D stD 6, X ; 1E61 = $01, 1E62 = $01
1821F ldD 8, Y ; 1E00 = $12, 1E01 = $00
18222 stD 8, X ; 1E63 = $12, 1E64 = $00
18224 ldD 10, Y; 1E02 = $00, 1E03 = $00
18227 stD 10, X; 1E65 = $00, 1E66 = $00
18229 ldD 12, Y; 1E04 = $1D, 1E05 = $FF
1822C stD 12, X; 1E67 = $1D, 1E68 = $FF
1822E ldD 14, Y; 1E06 = $00, 1E07 = $AA
18231 stD 14, X; 1E69 = $00, 1E6A = $AA
18233 ldD 12, Y; 1E04 = $1D, 1E05 = $FF
18236 subD L1E3A; 1E3A = $1D, 1E3B = $F8
18239 aBX
1823A ldY L1E7B; 1E7B = $1E, 1E7C = $5B
1823E stX 12, Y; 1E67 = $1E, 1E68 = $62
18241 ldD L1E7B; 1E7B = $1E, 1E7C = $5B
18244 addD #$0010
18247 cmpD #$1E7B
1824B bcs L8250
18250 stD L1E7B; 1E7B = $1E, 1E7C = $6B
18253 ldY L1E3A; 1E3A = $1D, 1E3B = $F8
18257 ldaA #$00
18259 staA 15, Y; 1E07 = $00
1825C ldD L1E3A; 1E3A = $1D, 1E3B = $F8
1825F addD #$0010
18262 cmpD #$1E38
18266 bcs L826B
1826B stD L1E3A; 1E3A = $1E, 1E3B = $08
1826E jmp E8190
18190 ldY L1E3A; 1E3A = $1E, 1E3B = $08
18194 ldaA 15, Y; 1E17 = $00
18197 cmpA #$AA
18199 beq L819E
1819B jmp L8271
18271 brset L0088, #%00100000, L8284; 88 = $02
18275 brset L0088, #%00010000, L82CC; 88 = $02
18279 ldY L1E7D; 1E7D = $1E, 1E7E = $5B
1827D ldaA 15, Y; 1E6A = $AA
18280 cmpA #$AA
18282 beq L8286
18286 ldX #$0383
18289 ldaB 0, Y; 1E5B = $6C
1828C bitB #%00000100
1828E bne L82A2
182A2 ldaA 0, Y; 1E5B = $6C
182A5 staA 0, X; 383 = $6C
182A7 ldaA 2, Y; 1E5D = $F1
182AA staA 1, X; 384 = $F1
182AC ldaA LC251; 1C251 = $10
182AF staA 2, X; 385 = $10
182B1 ldD 12, Y; 1E67 = $1E, 1E68 = $62
182B4 subD L1E7D; 1E7D = $1E, 1E7E = $5B
182B7 subB #$03
182B9 staB L1E7F; 1E7F = $04
182BC ldaA 3, Y; 1E5E = $22
182BF staA 3, X; 386 = $22
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E5F = $11
182BF staA 3, X; 387 = $11
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E60 = $01
182BF staA 3, X; 388 = $01
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E61 = $01
182BF staA 3, X; 389 = $01
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182C7 ldaA #$01
182C9 staA L1E82; 1E82 = $01
182CC call L8883; 3FA = $CF, 3F9 = $82
18883 ldaB L0386; 386 = $22
18886 andB #%10111111
18888 tBA
18889 beq L8899
1888B cmpB #$08
1888D bhi L8895
18895 subB #$10
18897 bcc L889F
1889F cmpB #$2F; actually $3f
188A1 bhi L88A8
188A3 ldX #$8805
188A6 jr L88B3
188B3 aBX
188B4 aBX
188B5 ldX 0, X; 18829 = $98, 1882A = $D9
188B7 beq L88D9
188B9 brset L0088, #%00010000, L88D5; 88 =$02
188BD ldaB L1E7F; 1E7F = $04
188C0 cmpB 0, X; 198D9 = $04
188C2 bhi L88C8
188C4 cmpB 1, X; 198DA = $04
188C6 bcc L88D0
188D0 bset L0088, #%00010000; 88 = $02, 88 = $12
188D3 jmp 4, X
198DD ldY #$0386
198E1 ldaA 3, Y; 389 = $01
198E4 cmpA #$01
198E6 beq L98EC
198EC ldD 1, Y; 387 = $11, 388 = $01
198EF call LB158; 3F8 = $F2, 3F7 = $98
1B158 cmpA #$11
1B15A beq LB170; TRAP FIRST TWO DIGITS
1B170 ldX #$B1E4
1B173 jr LB197
1B197 aBX
1B198 aBX
1B199 ldX 0, X; 1B1E6 = $B6, 1B1E7 = $D8
1B19B cmpX #$FFFF
1B19E jr LB1A1
1B1A1 ret; 3F6 = $E1, 3F7 = $98, 3F8 = $F2
198F2 bcc L98E8
198F4 ldaB #$03
198F6 aBY
198F8 cmpX #$B58A
198FB bcs L9906
198FD cmpX #$B958
19900 bhi L9906
19902 call 1, X; 3F8 = $04, 3F7 = $99
1B6D9 clrA
1B6DA ldaB L0054; 54 = $10
1B6DC bitB #%00010000
1B6DE beq LB6E2
1B6E0 oraA #%00000001
1B6E2 ldaB L0058; 58 = $0C
1B6E4 bitB #%10000000
1B6E6 beq LB6EA
1B6EA ldaB L005F; 5F = $00
1B6EC bitB #%10000000
1B6EE beq LB6F2
1B6F2 bitB #%00010000
1B6F4 beq LB6F8
1B6F8 ldaB L0058; 58 = $0C
1B6FA bitB #%00000010
1B6FC beq LB700
1B700 ldaB L1802; 1802 = $C1
1B703 bitB #%00000001
1B705 beq LB709
1B707 oraA #%00100000
1B709 ldaB L0071; 71 = $10
1B70B bitB #%00001000
1B70D beq LB711
1B711 ldaB L005A; 5A = $18
1B713 bitB #%00001000
1B715 beq LB719
1B717 oraA #%10000000
1B719 jmp LB969
1B969 staA 0, Y; 389 = $A1
1B96C ldaB #$01
1B96E aBY
1B970 ret; 3F6 = $E1, 3F7 = $99, 3F8 = $04
19904 jr L990D
1990D ldaA #$03
1990F aBA
19910 jr L9912
19912 jmp LAF9F
1AF9F bclr L0088, #%00010000; 88 = $12, 88 = $02
1AFA2 tstA
1AFA3 beq LAFA8
1AFA5 staA L1E7F; 1E7F = $04
1AFA8 ldaA L0386; 386 = $22
1AFAB oraA #%01000000
1AFAD staA L0386; 386 = $62
1AFB0 ldX #$C603
1AFB3 call LBD43; 3F8 = $B6, 3F7 = $AF
1BD43 ldaB 16, X; 1C613 = $00
1BD45 ldY #$1F9A
1BD49 aBY
1BD4B tPA
1BD4C di
1BD4D ldaB 15, X; 1C612 = $01
1BD4F oraB 0, Y; 1F9A = $04
1BD52 staB 0, Y; 1F9A = $05
1BD55 tAP
1BD56 ret; 3F6 = $E1, 3F7 = $AF, 3F8 = $B6
1AFB6 bset L0088, #%00100000; 88 = $02, 88 = $22
1AFB9 clrA
1AFBA brclr L0088, #%00010000, LAFBF; 88 = $22
1AFBF ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF tstA
182D0 bne L82F0
182D2 ldY L1E7D; 1E7D = $1E, 1E7E = $5B
182D6 ldaA #$00
182D8 staA 15, Y; 1E6A = $00
182DB ldD L1E7D; 1E7D = $1E, 1E7E = $5B
182DE addD #$0010
182E1 cmpD #$1E7B
182E5 bcs L82EA
182EA stD L1E7D; 1E7D = $1E, 1E7E = $6B
182ED jmp L8271
18271 brset L0088, #%00100000, L8284; 88 = $22
18284 jr L82F0
182F0 ret; 3FA = $CF, 3FB = $56, 3FC = $7B
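To make the frames in this post easier to work with, here is an added example (my code, not the poster's or the PCM's): it computes the SAE J1850 CRC-8 that trails the reply (the FA at the end of 6C F1 10 62 11 01 A1 FA is exactly that CRC of the seven bytes before it), splits a Class 2 frame into header, mode and data, and repeats the screening the trace shows the PCM doing before dispatch: the target byte is compared with LC251 ($10), then the copied length in $1E7F (mode byte plus data, i.e. end pointer minus start pointer minus 3) is checked against a per-mode maximum and minimum read from a table. Only the two table entries the traces actually read ($22: 4/4 and, from the next post, $35: 7/7) are known, so those are the only modes in the example's table; the priority-byte checks at 181A1 to 181B3 and the path taken for target $FE are not modelled because the trace does not show where they go.

```python
"""Added example: J1850 CRC-8, Class 2 frame parsing and the PCM's pre-dispatch
length screening as seen in the posted trace. Not code from the thread."""

J1850_POLY = 0x1D


def j1850_crc8(data: bytes) -> int:
    """CRC-8 as carried on SAE J1850 frames: poly 0x1D, init 0xFF, no bit
    reflection, final XOR 0xFF. Check value for b"123456789" is 0x4B."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ J1850_POLY) if crc & 0x80 else (crc << 1)
            crc &= 0xFF
    return crc ^ 0xFF


PCM_ADDRESS = 0x10   # LC251 in the trace: the node address the PCM answers to

# (max_len, min_len) per mode, in the order the code compares them (0,X then 1,X).
# The length counted is mode byte + data, i.e. what lands in $1E7F.
# Only the two entries the traces read are known; the rest of the table is not on the page.
MODE_LEN_TABLE = {0x22: (4, 4), 0x35: (7, 7)}


def build_frame(priority: int, target: int, source: int, payload: bytes) -> bytes:
    """Header + payload + CRC, the way the frame goes on the wire."""
    body = bytes([priority, target, source]) + payload
    return body + bytes([j1850_crc8(body)])


def parse_frame(frame: bytes, has_crc: bool) -> dict:
    """Split a frame into header, mode and data; verify the CRC when one is present."""
    body = frame
    if has_crc:
        body, crc = frame[:-1], frame[-1]
        expected = j1850_crc8(body)
        if expected != crc:
            raise ValueError(f"bad CRC: got {crc:#04x}, expected {expected:#04x}")
    if len(body) < 4:
        raise ValueError("frame shorter than header + mode byte")
    return {"priority": body[0], "target": body[1], "source": body[2],
            "mode": body[3], "data": body[4:]}


def pcm_accepts(frame_no_crc: bytes) -> str:
    """Mirror the screening in the trace. Returns 'ok' or why the request is dropped."""
    f = parse_frame(frame_no_crc, has_crc=False)
    if f["target"] == 0xFE:
        return "target $FE: path not captured in the trace"   # 181C5 bne not taken
    if f["target"] != PCM_ADDRESS:
        return "not for this node"                             # 181E3 compare with LC251
    if f["mode"] not in MODE_LEN_TABLE:
        return "mode not in this example's table"
    max_len, min_len = MODE_LEN_TABLE[f["mode"]]
    length = 1 + len(f["data"])                                # value stored at $1E7F
    if length > max_len or length < min_len:                   # 188C0 / 188C4
        return f"length {length} outside [{min_len}, {max_len}]"
    return "ok"
```

The request in the post (6C 10 F1 22 11 01 01) passes with length 4; drop one data byte and the same mode is rejected by the table check before any PID handler runs, which is the behaviour the cmpB 0,X / cmpB 1,X pair at 188C0 implements.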
- sabercatpuck
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
Re: '99 Saturn Dissassembly
Since I am making an effort to learn the mode 35 stuff so I can hopefully use it in the future, I went ahead and slogged through that section of the memory. At this point I don't seem to be getting something right with the mode 35 request, though. I am sending 35 01 00 06 00 50 00 and getting 75 01 51 back, which should theoretically be giving me back 6 bytes of data from location $5000, but I don't seem to be getting that. Note that when I took the snapshot below I was trying a different number on the mode 35 request, but same result.
Code:
18190 ldY L1E3A; 1E3A = $1E, 1E3B = $08
18194 ldaA 15, Y; 1E17 = $AA
18197 cmpA #$AA
18199 beq L819E
1819E ldaB 0, Y; 1E08 = $6C
181A1 xorB #%00001000
181A3 bitB #%00011000
181A5 beq L81AA
181AA cmpB #$E0
181AC bcs L81B1
181B1 bitB #%00000100
181B3 bne L81C2
181C2 ldaA 1, Y; 1E09 = $10
181C5 cmpA #$FE
181C7 bne L81E3
181E3 cmpA LC251; 1C251 = $10
181E6 beq L81F8
181F8 ldX L1E7B; 1E7B = $1E, 1E7C = $4B
181FB ldaA 15, X; 1E5A = $00
181FD cmpA #$AA
181FF bne L820B
1820B ldD 0, Y; 1E08 = $6C, 1E09 = $10
1820E stD 0, X; 1E4B = $6C, 1E4C = $10
18210 ldD 2, Y; 1E0A = $F1, 1E0B = $35
18213 stD 2, X; 1E4D = $F1, 1E4E = $35
18215 ldD 4, Y; 1E0C = $01, 1E0D = $20
18218 stD 4, X; 1E4F = $01, 1E50 = $20
1821A ldD 6, Y; 1E0E = $00, 1E0F = $00
1821D stD 6, X; 1E51 = $00, 1E52 = $00
1821F ldD 8, Y; 1E10 = $30, 1E11 = $05
18222 stD 8, X; 1E53 = $30, 1E54 = $05
18224 ldD 10, Y; 1E12 = $00, 1E13 = $00
18227 stD 10, X; 1E55 = $00, 1E56 = $00
18229 ldD 12, Y; 1E14 = $1E, 1E15 = $12
1822C stD 12, X; 1E57 = $1E, 1E58 = $12
1822E ldD 14, Y; 1E16 = $00, 1E17 = $AA
18231 stD 14, X; 1E59 = $00, 1E5A = $AA
18233 ldD 12, Y; 1E14 = $1E, 1E15 = $12
18236 subD L1E3A; 1E3A = $1E, 1E3B = $08
18239 aBX
1823A ldY L1E7B; 1E7B = $1E, 1E7C = $4B
1823E stX 12, Y; 1E57 = $1E, 1E58 = $55
18241 ldD L1E7B; 1E7B = $1E, 1E7C = $4B
18244 addD #$0010
18247 cmpD #$1E7B
1824B bcs L8250
18250 stD L1E7B; 1E7B = $1E, 1E7C = $5B
18253 ldY L1E3A; 1E3A = $1E, 1E3B = $08
18257 ldaA #$00
18259 staA 15, Y; 1E17 = $00
1825C ldD L1E3A; 1E3A = $1E, 1E3B = $08
1825F addD #$0010
18262 cmpD #$1E38
18266 bcs L826B
1826B stD L1E3A; 1E3A = $1E, 1E3B = $18
1826E jmp E8190
18190 ldY L1E3A; 1E3A = $1E, 1E3B = $18
18194 ldaA 15, Y; 1E27 = $00
18197 cmpA #$AA
18199 beq L819E
1819B jmp L8271
18271 brset L0088, #%00100000, L8284; 88 = $02
18275 brset L0088, #%00010000, L82CC; 88 = $02
18279 ldY L1E7D; 1E7D = $1E, 1E7E = $4B
1827D ldaA 15, Y; 1E5A = $AA
18280 cmpA #$AA
18282 beq L8286
18286 ldX #$0383
18289 ldaB 0, Y; 1E4B = $6C
1828C bitB #%00000100
1828E bne L82A2
182A2 ldaA 0, Y; 1E4B = $6C
182A5 staA 0, X; 383 = $6C
182A7 ldaA 2, Y; 1E4D = $F1
182AA staA 1, X; 384 = $F1
182AC ldaA LC251; 1C251 = $10
182AF staA 2, X; 385 = $10
182B1 ldD 12, Y; 1E57 = $1E, 1E58 = $55
182B4 subD L1E7D; 1E7D = $1E, 1E7E = $4B
182B7 subB #$03
182B9 staB L1E7F; 1E7F = $07
182BC ldaA 3, Y; 1E4E = $35
182BF staA 3, X; 386 = $35
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E4F = $01
182BF staA 3, X; 387 = $01
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E50 = $20
182BF staA 3, X; 388 = $20
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E51 = $00
182BF staA 3, X; 389 = $00
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E52 = $00
182BF staA 3, X; 38A = $00
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E53 = $30
182BF staA 3, X; 38B = $30
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 1E54 = $05
182BF staA 3, X; 38C = $05
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182C7 ldaA #$01
182C9 staA L1E82; 1E82 = $01
182CC call L8883; 3FA = $CF, 3F9 = $82
18883 ldaB L0386; 386 = $35
18886 andB #%10111111
18888 tBA
18889 beq L8899
1888B cmpB #$08
1888D bhi L8895
18895 subB #$10
18897 bcc L889F
1889F cmpB #$2F
188A1 bhi L88A8
188A3 ldX #$8805
188A6 jr L88B3
188B3 aBX
188B4 aBX
188B5 ldX 0, X; 1884F = $9E, 18850 = $A2
188B7 beq L88D9
188B9 brset L0088, #%00010000, L88D5; 88 = $02
188BD ldaB L1E7F; 1E7F = $07
188C0 cmpB 0, X; 19EA2 = $07
188C2 bhi L88C8
188C4 cmpB 1, X; 19EA3 = $07
188C6 bcc L88D0
188D0 bset L0088, #%00010000; 88 = $02, 88 = $12
188D3 jmp 4, X
19EA6 ldX #$0386
19EA9 call LB00D; 3F8 = $AC, 3F7 = $9E
1B00D brset L007A, #%00001000, LB036; 7A = $80
1B011 tst L1B91; 1B91 = $00
1B014 bne LB036
1B016 ldaB L3B01; 3B01 = $1E
1B019 bitB #%00000001
1B01B bne LB042
1B01D pushX; 3F6 = $86, 3F5 = $03
1B01E ldX L200A; 200A = $E5, 200B = $7F
1B021 cmpX #$DEAD
1B024 popX; 3F4 = $00, 3F5 = $03, 3F6 = $86
1B025 beq LB042
1B027 ldaB L3B04; 3B04 = $00
1B02A incB
1B02B beq LB042
1B02D tst L0E3D; E3D = $00
1B030 bne LB042
1B032 brset L008C, #%00000001, LB042; 8C = $01
1B042 clrA
1B043 ret; 3F6 = $86, 3F7 = $9E, 3F8 = $AC
19EAC tstA
19EAD beq L9EB2
19EB2 ldD 2, X; 388 = $20, 389 = $00
19EB4 cmpD #$0480
19EB8 bls L9EBE
19EBA ldaA #$53
19EBC jr L9F00
19F00 staA 2, X; 388 = $53
19F02 ldaA #$03
19F04 jmp LAF9F
1AF9F bclr L0088, #%00010000; 88 = $12, 88 = $02
1AFA2 tstA
1AFA3 beq LAFA8
1AFA5 staA L1E7F; 1E7F = $03
1AFA8 ldaA L0386; 386 = $35
1AFAB oraA #%01000000
1AFAD staA L0386; 386 = $75
1AFB0 ldX #$C603
1AFB3 call LBD43; 3F8 = $B6, 3F7 = $AF
1BD43 ldaB 16, X; 1C613 = $00
1BD45 ldY #$1F9A
1BD49 aBY
1BD4B tPA
1BD4C di
1BD4D ldaB 15, X; 1C612 = $01
1BD4F oraB 0, Y; 1F9A = $04
1BD52 staB 0, Y; 1F9A = $05
1BD55 tAP
1BD56 ret; 3F6 = $86, 3F7 = $AF, 3F8 = $B6
1AFB6 bset L0088, #%00100000; 88 = $02, 88 = $22
1AFB9 clrA
1AFBA brclr L0088, #%00010000, LAFBF; 88 = $22
1AFBF ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF tstA
182D0 bne L82F0
182D2 ldY L1E7D; 1E7D = $1E, 1E7E = $4B
182D6 ldaA #$00
182D8 staA 15, Y; 1E5A = $00
182DB ldD L1E7D; 1E7D = $1E, 1E7E = $4B
182DE addD #$0010
182E1 cmpD #$1E7B
182E5 bcs L82EA
182EA stD L1E7D; 1E7D = $1E, 1E7E = $5B
182ED jmp L8271
18271 brset L0088, #%00100000, L8284; 88 = $22
18284 jr L82F0
182F0 ret; 3FA = $CF, 3FB = $56, 3FC = $7B
- sabercatpuck
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
Re: '99 Saturn Dissassembly
And here we have first the mode 27 01 get seed, and the follow-up 27 02 send key:
Code:
address data
19971 ldaA L0387; 387 = $01
19974 bitA #%00000001
19976 beq L99B1
19978 ldaB L3B01; 3B01 = $1E
1997B bitB #%00000001
1997D bne L999F
1997F ldaB L3B04; 3B04 = $00
19982 incB
19983 beq L999F
19985 tst L0E3D; E3D = $00
19988 bne L999F
1998A ldX L200A; 200A = $E5, 200B = $7F
1998D cmpX #$DEAD
19990 beq L999F
19992 tst L1E93; 1E93 = $00
19995 beq L999B
1999B brclr L008C, #%00000001, L99A4; 8C = $00
199A4 ldX L0E00; E00 = $63, E01 = $AC
199A7 stX L0388; 388 = $63, 389 = $AC
199AA bset L008C, #%00000100; 8C = $00, 8C = $04
199AD ldaA #$04
199AF jr L99F3
199F3 jmp LAF9F
1AF9F bclr L0088, #%00010000; 88 = $12, 88 = $02
1AFA2 tstA
1AFA3 beq LAFA8
1AFA5 staA L1E7F; 1E7F = $04
1AFA8 ldaA L0386; 386 = $27
1AFAB oraA #%01000000
1AFAD staA L0386; 386 = $67
1AFB0 ldX #$C603
1AFB4 call LBD43; 3F8 = $B6, 3F7 = $AF
1BD43 ldaB 16, X; 1C613 = $00
1BD45 ldY #$1F9A
1BD49 aBY
1BD4B tPA
1BD4C di
1BD4D ldaB 15, X; 1C612 = $01
1BD4F oraB 0, Y; 1F9A = $00
1BD52 staB 0, Y; 1F9A = $01
1BD55 tAP
1BD56 ret; 3F6 = $B8, 3F7 = $AF, 3F8 = $B6
1AFB6 bset L0088, #%00100000; 88 = $02, 88 = $22
1AFB9 clrA
1AFBA brclr L0088, #%00010000, LAFBF; 88 = $22
1AFBF ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF tstA
182D0 bne L82F0
182D2 ldY L1E7D; 1E7D = $1E, 1E7E = $4B
182D6 ldaA #$00
182D8 staA 15, Y; 1E5A = $00
182DB ldD L1E7D; 1E7D = $1E, 1E7E = $4B
182DE addD #$0010
182E1 cmpD #$1E7B
182E5 bcs L82EA
182EA stD L1E7D; 1E7D = $1E, 1E7E = $5B
182ED jmp L8271
18271 brset L0088, #%00100000, L8284; 88 = $22
18284 jr L82F0
182F0 ret; 3FA = $CF, 3FB = $56, 3FC = $7B
address data
19971 ldaA L0387; 387 = $02
19974 bitA #%00000001
19976 beq L99B1
199B1 tst L1E93; 1E93 = $00
199B4 beq L99BF
199BF brset L008C, #%00000100, L99C7; 8C = $04
199C7 bclr L008C, #%00000100; 8C = $04, 8C = $00
199CA ldX L0388; 388 = $1E, 389 = $7C
199CD cmpX L0E02; E02 = $1E, E03 = $7C
199D0 beq L99E9
199E9 bset L008C, #%00000001; 8C = $00, 8C = $01
199EC ldaA #$34
199EE jr L99B8
199B8 staA L0388; 388 = $34
199BB ldaA #$03
199BD jr L99F3
199F3 jmp LAF9F
1AF9F bclr L0088, #%00010000; 88 = $12, 88 = $02
1AFA2 tstA
1AFA3 beq LAFA8
1AFA5 staA L1E7F; 1E7F = $03
1AFA8 ldaA L0386; 386 = $27
1AFAB oraA #%01000000
1AFAD staA L0386; 386 = $67
1AFB0 ldX #$C603
1AFB3 call LBD43; 3F8 = $B6, 3F7 = $AF
1BD43 ldaB 16, X; 1C613 = $00
1BD49 aBY
1BD4B tPA
1BD4C di
1BD4D ldaB 15, X; 1C612 = $01
1BD4F oraB 0, Y; 1F9A = $00
1BD52 staB 0, Y; 1F9A = $01
1BD55 tAP
1BD56 ret; 3F6 = $00, 3F7 = $AF, 3F8 = $B6
1AFB6 bset L0088, #%00100000; 88 = $02, 88 = $22
1AFB9 clrA
1AFBA brclr L0088, #%00010000, LAFBF; 88 = $22
1AFBF ret; 3F8 = $B6, 3F9 = $82, 3FA = $CF
182CF tstA
182D0 bne L82F0
182D2 ldY L1E7D; 1E7D = $1E, 1E7E = $5B
182D6 ldaA #$00
182D8 staA 15, Y; 1E6A = $00
182DB ldD L1E7D; 1E7D = $1E, 1E7E = $5B
182DE addD #$0010
182E1 cmpD #$1E7B
182E5 bcs L82EA
182EA stD L1E7D; 1E7D = $1E, 1E7E = $6B
182ED jmp L8271
18271 brset L0088, #%00100000, L8284; 88 = $22
18284 jr L82F0
182F0 ret; 3FA = $CF, 3FB = $56, 3FC = $7B
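The two traces above pin down the whole seed/key mechanism, so here is an added example (my model, not the PCM's code) that replays it: 27 01 hands out the two bytes at $E00 and sets bit 2 of $8C; 27 02 clears that bit and does a plain 16-bit compare of the supplied key against the two bytes at $E02, and on a match sets bit 0 of $8C and answers 67 02 34. The seed and key values are the ones the trace reads from $E00 to $E03; the value of $200A is the $E57F from the trace, and passing $DEAD shows the branch the poster noticed. Every branch the posted traces did not take (seed requested while already unlocked, key sent without a pending seed, wrong key, the $DEAD path) is returned as None rather than guessed at. The point worth seeing is that nothing is derived: the seed is a constant and the key is the constant stored right behind it, so whoever can read those four bytes of EEPROM can unlock the PCM.

```python
"""Added example: model of the mode $27 handler as the two posted traces show it.
Not code from the thread; unshown branches return None."""

# Constructed EEPROM image holding only the four bytes the trace reads
# (seed at $E00/$E01, key at $E02/$E03).
EEPROM = {0x0E00: 0x63, 0x0E01: 0xAC, 0x0E02: 0x1E, 0x0E03: 0x7C}


class SecurityAccess:
    SEED_ISSUED = 0x04   # $8C bit 2: set at 199AA, cleared at 199C7
    UNLOCKED = 0x01      # $8C bit 0: set at 199E9

    def __init__(self, eeprom=EEPROM, word_200a=0xE57F):
        self.eeprom = eeprom
        self.word_200a = word_200a   # $200A is $E57F in the trace; $DEAD diverts at 19990
        self.flags_8c = 0            # the flag byte at $8C

    def _word(self, addr: int) -> int:
        return (self.eeprom[addr] << 8) | self.eeprom[addr + 1]

    def handle(self, payload: bytes):
        """payload = mode byte plus data as copied to $386. Returns the reply payload
        (mode+data) or None for a branch the posted traces never took."""
        if payload[0] != 0x27:
            raise ValueError("not a mode 27 request")
        if payload[1] & 0x01:        # 19974 bitA #%00000001
            return self._request_seed()
        return self._send_key(payload[2:4])

    def _request_seed(self):
        if self.word_200a == 0xDEAD:          # 1998D/19990 -> L999F, not in the trace
            return None
        if self.flags_8c & self.UNLOCKED:     # 1999B: seed only issued while bit 0 is clear
            return None
        self.flags_8c |= self.SEED_ISSUED     # 199AA bset $8C bit 2
        seed = self._word(0x0E00)             # 199A4 ldX L0E00
        return bytes([0x67, 0x01]) + seed.to_bytes(2, "big")   # 4 bytes, as $1E7F = $04

    def _send_key(self, key: bytes):
        if not self.flags_8c & self.SEED_ISSUED:   # 199BF falls through, not in the trace
            return None
        self.flags_8c &= ~self.SEED_ISSUED         # 199C7 bclr $8C bit 2
        # 199CA/199CD: the supplied word is compared directly with the word at $E02
        if len(key) != 2 or int.from_bytes(key, "big") != self._word(0x0E02):
            return None                            # 199D0 not-equal path, not in the trace
        self.flags_8c |= self.UNLOCKED             # 199E9 bset $8C bit 0
        return bytes([0x67, 0x02, 0x34])           # 3 bytes, as $1E7F = $03


def key_from_dump(eeprom) -> bytes:
    """What an attacker with the EEPROM contents needs: the two bytes after the seed."""
    return bytes([eeprom[0x0E02], eeprom[0x0E03]])
```

Run against the constructed image, the model reproduces the two replies in the post (67 01 63 AC, then 67 02 34) and ends with $8C = $01, the unlocked state the later posts rely on.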
- sabercatpuck
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
Re: '99 Saturn Dissassembly
Well, now that I have my board together to make reflashing the memory easier, I started looking at the ROM sanity check area for ways to easily disable it without totally blowing it out of the water. It looks to me like there are 2 (looks like the checksum at $200A may be for the sections that are vehicle specific, and $4009 for the main code that is common to all) or more main areas that it treats separately, with the main code being treated as a single mass, but weirdly it is checked twice. If I see things right I can probably disable the main ROM routine by simply changing these two bytes:
change 04136 from 27 (beq) to 20 (bra, jr)
change 07947 from 27 (beq) to 20 (bra, jr)
That would mean that no matter what was in the main program memory it would proceed on as if there were no problems (it will be nice after I have things the way I want them as well, since I can just look at what it is comparing after it finishes adding things up and put that in rather than having to figure it out myself). I also think, looking through some of the code fragments, that they may have a trap for development or a new board (or both), because there are several places in there where it will go off and do something different if the memory locations for the checksums are instead reading $DEAD. (Quick edit: I see now even in the code above for mode 27 that it traps out $DEAD.)
Below are a few of the code snippets around the actual comparison points; the rest is still available in the files posted earlier:
Code:
4009 L4009: dw $EDC4
411C L411C ldD #$0000
411F stD L03AE
4122 stD L1810
4125 ldaA L0176
4128 bitA #%00100001
412A bne L4144
412C bset L0003, #%01000000
412F call L7989
4132 cmpY L4009
4136 beq L4144
4138 ldD L4009
413B cmpD #$DEAD
413F beq L4144
4141 jmp L4197
793D L793D bset L0065, #%00100000
7940 ldD L4009
7943 cmpD L1D3C
7947 beq L794F
7949 cmpD #$DEAD
794D bne L795C
41A0 L41A0 ldX #$200C
41A3 call LECA8
41A6 ldX L200A
41A9 cmpX #$DEAD
41AC beq L41BC
41AE ldaA HPRIO
41B1 andA #%11101111
41B3 staA HPRIO
41B6 cmpY L200A
41BA bne L41C7
41BC L41BC ldaA L2009
41BF cmpA #$67
41C1 beq L41CF
41C3 cmpA #$AA
41C5 beq L41CF
41C7 L41C7 ldX L0187
43BA L43BA call L592F
43BD call LECE2
43C0 ldX L200A
43C3 cmpX #$DEAD
43C6 beq L43D9
43C8 cmpA L0E3A
43CB beq L43D1
43CD ldaA #$01
43CF jr L43D2
4B50 E4b50:
4B50 ldD L200A
4B53 cmpD #$DEAD
4B57 bne L4B73
4B59 ldD TCNThi
4B5C subD L1D5E
4B5F xgDY
4B61 ldX #$1D3E
4B64 ldaB L0000
4B66 andB #%00001111
4B68 lslB
4B69 aBX
Last edited by sabercatpuck on Mon Feb 01, 2010 1:53 am, edited 1 time in total.
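Flipping two bytes in a flash image is easy to get wrong by one, so here is an added example (mine, not the poster's tool) of the check a patcher should run before writing: confirm each site holds the BEQ (0x27) from the listing, resolve the 8-bit relative operand and confirm it lands on the label the listing shows (L4144 for the branch at 4136, L794F for the one at 7947), and only then overwrite the opcode with BRA (0x20). Because BRA takes the same operand, the branch still lands on the same label, just unconditionally. The example treats the numbers 04136 and 07947 as byte offsets into the image file (an assumption about the poster's file layout) and runs on a constructed all-zero image that only contains the two branch instructions, not on a real dump.

```python
"""Added example: verify-then-patch for the two checksum BEQs in the listing.
Not the poster's tool; offsets assumed to be file offsets into the image."""

BEQ, BRA = 0x27, 0x20   # 68HC11 opcodes: branch if equal / branch always (both rel8)

# (offset of the branch opcode, target the listing shows for it)
CHECKSUM_BRANCHES = ((0x4136, 0x4144), (0x7947, 0x794F))


def branch_target(image: bytes, off: int) -> int:
    """Resolve an 8-bit relative branch: target = address after the 2-byte instruction + rel."""
    rel = image[off + 1]
    if rel & 0x80:
        rel -= 0x100
    return off + 2 + rel


def patch_checksum_check(image: bytes, sites=CHECKSUM_BRANCHES) -> bytes:
    """Turn each BEQ into BRA, refusing if the site does not look like the listing."""
    out = bytearray(image)
    for off, expected_target in sites:
        if out[off] != BEQ:
            raise ValueError(f"{off:#06x}: expected BEQ (0x27), found {out[off]:#04x}")
        target = branch_target(out, off)
        if target != expected_target:
            raise ValueError(f"{off:#06x}: branches to {target:#06x}, "
                             f"listing says {expected_target:#06x}")
        out[off] = BRA   # operand untouched, so the jump still lands on the same label
    return bytes(out)


def changed_offsets(before: bytes, after: bytes) -> list:
    """Offsets that differ; a sanity check that exactly the two opcodes moved."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def constructed_image() -> bytes:
    """Stand-in image (all zeros) with just the two BEQs placed as in the listing.
    Constructed for the example; not a dump of the PCM."""
    img = bytearray(0x8000)
    for off, target in CHECKSUM_BRANCHES:
        img[off] = BEQ
        img[off + 1] = (target - (off + 2)) & 0xFF   # rel8 back-computed from the label
    return bytes(img)
```

Running the patcher a second time on its own output raises, because the opcode is no longer 0x27; that is the cheap guard against double-patching a file you have already modified. Note that once the bypass is in, the value at $4009 no longer has to match what L7989 computes, which is exactly what the poster wanted, but it also means nothing will flag a corrupted flash until it misbehaves.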
- sabercatpuck
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
Re: '99 Saturn Dissassembly
Hmm, interesting. I made the two changes above and it worked; I can now make changes to the source code at will without it faulting out. What is interesting is that I then added a small snippet of program to try and read in the RAM areas of memory from $0000 to $2000 whenever I would run the mode $27 security access (I figured if I could be sure that I would not mess anything up, it would be right after I passed security access). When it got to memory location $00669 it spontaneously reset. I thought I must have hit the COP time limit, so I added a couple of calls to memory locations that seem to be there to reset the COP while it is doing extended memory reads, but no dice. As near as I can tell right now, reading memory location $00669 will cause a reset.
Code:
lbackup = $3            ; the label sits at offset $3 of the block (the ldaa)
        ldx   #$0000    ; CE 00 00
lbackup ldaa  0,x       ; A6 00
        incx            ; 08
        cmpx  #$0600    ; 8C 06 00
        bne   lbackup   ; 26 F8
        call  5834      ; BD 58 34
        call  5840      ; BD 58 40
        (repeat as needed for the next $600 block)
        jmp   8271      ; 7E 82 71, back to where I was when I intercepted it
182ee d6 00
1d600 CE 00 00 A6 00 08 8C 06 00 26 F8 bd 58 34 bd 58 40
1d611 CE 06 00 A6 00 08 8C 0c 00 26 F8 bd 58 34 bd 58 40
1d622 CE 0c 00 A6 00 08 8C 12 00 26 F8 bd 58 34 bd 58 40
1d633 CE 12 00 A6 00 08 8C 18 00 26 F8 bd 58 34 bd 58 40
1d644 CE 18 00 A6 00 08 8C 1e 00 26 F8 bd 58 34 bd 58 40
1d655 CE 00 00 A6 00 08 8C 06 00 26 F8 bd 58 34 bd 58 40
7E 82 71
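Hand-assembling these blocks is where off-by-one branch offsets creep in, so here is an added example (mine, not the poster's) of a tiny two-pass assembler covering just the 68HC11 instructions the snippet uses (ldx/cpx immediate, ldaa n,x, inx, bne, jsr, jmp, plus sei and cli for the interrupt fix mentioned in a later post). It regenerates the poster's first block byte for byte, including the 26 F8 backward branch, and builds the whole chain of $600-byte blocks with the two COP-kick calls between them. Wrapping the entire chain in one sei/cli pair is this example's arrangement; the post only says the interrupts had to be shut off, not where the instructions were placed. The origin $D600 comes from the patched jmp at 182EE, and the return address $8271 is the one in the snippet.

```python
"""Added example: minimal two-pass 68HC11 assembler for the RAM-dump snippet.
Not code from the thread; sei/cli placement and block layout are this example's choices."""
import re

ORIGIN = 0xD600                 # where the poster placed the block (jmp at 182EE points here)
COP_KICK = (0x5834, 0x5840)     # the two routines the poster calls between blocks
RETURN_TO = 0x8271              # back into the handler the poster hooked

# (mnemonic, operand kind) -> opcode.
# Kinds: none, imm16 (#$hhhh), indx (n,x), rel8 (label), ext ($hhhh)
ISA = {
    ("sei", "none"): 0x0F, ("cli", "none"): 0x0E, ("inx", "none"): 0x08,
    ("ldx", "imm16"): 0xCE, ("cpx", "imm16"): 0x8C,
    ("ldaa", "indx"): 0xA6,
    ("bne", "rel8"): 0x26,
    ("jsr", "ext"): 0xBD, ("jmp", "ext"): 0x7E,
}
SIZE = {"none": 1, "imm16": 3, "indx": 2, "rel8": 2, "ext": 3, "label": 0}


def _operand(text):
    if text is None:
        return "none", None
    if text.startswith("#$"):
        return "imm16", int(text[2:], 16)
    m = re.fullmatch(r"(\d+),x", text)
    if m:
        return "indx", int(m.group(1))
    if text.startswith("$"):
        return "ext", int(text[1:], 16)
    return "rel8", text                      # a label, resolved in pass 2


def assemble(source: str, origin: int = ORIGIN) -> bytes:
    items = []
    for raw in source.splitlines():
        line = raw.split(";", 1)[0].strip().lower()
        if not line:
            continue
        label = None
        if ":" in line:
            label, line = (p.strip() for p in line.split(":", 1))
        if not line:                         # label on a line of its own
            items.append((label, None, "label", None))
            continue
        parts = line.split(None, 1)
        kind, value = _operand(parts[1].strip() if len(parts) > 1 else None)
        items.append((label, parts[0], kind, value))
    labels, pc = {}, origin                  # pass 1: label addresses
    for label, _, kind, _ in items:
        if label:
            labels[label] = pc
        pc += SIZE[kind]
    out, pc = bytearray(), origin            # pass 2: emit bytes
    for _, mnem, kind, value in items:
        if mnem is None:
            continue
        out.append(ISA[(mnem, kind)])
        if kind in ("imm16", "ext"):
            out += value.to_bytes(2, "big")
        elif kind == "indx":
            out.append(value)
        elif kind == "rel8":
            rel = labels[value] - (pc + 2)   # relative to the byte after the branch
            if not -128 <= rel <= 127:
                raise ValueError(f"branch to {value} out of range")
            out.append(rel & 0xFF)
        pc += SIZE[kind]
    return bytes(out)


POSTED_BLOCK = """
        ldx   #$0000
lbackup: ldaa 0,x
        inx
        cpx   #$0600
        bne   lbackup
        jsr   $5834
        jsr   $5840
"""


def dump_chain(start=0x0000, end=0x2000, step=0x0600) -> str:
    """Source for the whole read loop: interrupts off, one block per step,
    COP kicked between blocks, interrupts back on, jump back to the handler."""
    lines = ["sei"]
    lo, i = start, 0
    while lo < end:
        hi = min(lo + step, end)
        lines += [f"ldx #${lo:04x}", f"loop{i}: ldaa 0,x", "inx",
                  f"cpx #${hi:04x}", f"bne loop{i}"]
        lines += [f"jsr ${addr:04x}" for addr in COP_KICK]
        lo, i = hi, i + 1
    lines += ["cli", f"jmp ${RETURN_TO:04x}"]
    return "\n".join(lines)
```

The assembled chain reads $0000 up to $2000 in six blocks (the last one only $200 bytes long), which is the range the poster said they wanted; the per-block bne always encodes as F8 because the loop body is the same length in every block.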
Re: '99 Saturn Dissassembly
For the first check, what happens if you write DEAD to 0x4009 instead of patching the code? That might be the official 'no checksum test' method, like setting the program ID to AA in the OBD1 ECMs.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396
- sabercatpuck
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
Re: '99 Saturn Dissassembly
I wanted to make sure I had the memory (especially the EEPROM) mapped out before I started messing around with things that might put it into a mode where it is looking for something and would wipe out the EEPROM on me. Now that I have that... Here are the pertinent numbers from my EEPROM section; everything after that is $FF. You can see the seed/key pair glaring back at me from $E00 to $E04:
By the way, apparently this chest cold I have is fogging my brain a little. I needed to make sure to shut off the interrupts first; I was running into the TOC4 interrupt. After I included the SEI and CLI in the code, it worked much better.
Code:
00E00 63 Seed
00E01 AC
00E02 1E Key
00E03 7C
00E04 00 PCM # (3c 04)
00E05 F7
00E06 E6
00E07 4E
00E08 34 (3c 05)
00E09 51
00E0A 4A
00E0B 44
00E0C 41 (3c 06)
00E0D 4A
00E0E 38
00E0F 33
00E10 31 (3c 07)
00E11 34
00E12 03
00E13 03
00E14 21
00E15 02
00E16 39
00E17 40
00E18 21 (3c 09)
00E19 00
00E1A 89
00E1B 32
00E1C FF
00E1D FF
00E1E FF
00E1F FF
00E20 21 (3c 08)
00E21 00
00E22 89
00E23 20
00E24 FF
00E25 31 VIN part 1 (3c 01)
00E26 47
00E27 38
00E28 5A
00E29 4B
00E2A 35 VIN part 2 (3c 02)
00E2B 32
00E2C 37
00E2D 38
00E2E 58
00E2F 5A
00E30 32 VIN part 3 (3c 03)
00E31 31
00E32 31
00E33 31
00E34 31
00E35 30
00E36 7F
00E37 04
00E38 DC
00E39 6D
00E3A A2
00E3B FF
00E3C FF
00E3D 00
00E3E FF
00E3F FF
00E40 00
00E41 00
00E42 00
00E43 00
00E44 00
00E45 F0
00E46 00
00E47 34
00E48 01
00E49 FF
00E4A FF
00E4B FF
00E4C FF
00E4D FF
00E4E FF
00E4F 20
Last edited by sabercatpuck on Sun Jan 31, 2010 4:54 pm, edited 2 times in total.
Re: '99 Saturn Dissassembly
I wonder if the ECU code is vulnerable to some kind of malformed ALDL request to an unlocked mode to make it return the key from EEPROM in the locked state? Hmmm.
- sabercatpuck
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
Re: '99 Saturn Dissassembly
Well, a quick look through the code shows that there are things it will do differently if $200A = $DEAD in mode $27 (security access), $2C (define diagnostic data packet), $34 (request download), $35 (request upload), and $3F (test device present). Seems likely this is some sort of developer mode, or the way the ECMs come when there is nothing loaded in them (or both).
Re: '99 Saturn Dissassembly
The mode 34 is used to upload routines and then execute them, can use it for uploading a bin dumper routine or a flash erase/write routine.
Edit: Corrected mode