GM 16216588 - Hacking

[quadstar87]

I the checksum is stored at $2004 and the Calibration Area is $2006-$#### . Still figuring out how it grabs the bytes from bank 2

Code: Select all

    ; ----------------------------------------------------
    ; --         Checksum  Stuff                        --
    ; --         Stored @ $2004                         --
    ; --         Checksum is 0x2006 to 0x????           --
    ; --         Quadstar87 - Pcmhacking.net            --
    ; ----------------------------------------------------
63A4	B6 10 02        L63A4	ldaA	PORTG
63A7	36              	pushA	
63A8	CE 10 02        	ldX	#$1002
63AB	1D 00 08        	bclr	0, X, #%00001000
63AE	CE 20 06        	ldX	#$2006 ;cal start address
63B1	BD 68 EE        	call	L68EE ;do some math
63B4	18 3C           	pushY	
63B6	CE 10 02        	ldX	#$1002
63B9	1C 00 08        	bset	0, X, #%00001000
63BC	CE 80 00        	ldX	#$8000 ;cal end address?
63BF	BD 68 EE        	call	L68EE
63C2	18 8F           	xgDY	
63C4	30              	tSX	
63C5	E3 00           	addD	0, X
63C7	18 8F           	xgDY	
63C9	38              	popX	
63CA	CE 10 02        	ldX	#$1002
63CD	32              	popA	
63CE	84 08           	andA	#%00001000
63D0	27 05           	beq	L63D7 ;branch if
63D2	1C 00 08        	bset	0, X, #%00001000
63D5	20 03           	jr	L63DA
;
63D7	1D 00 08        L63D7	bclr	0, X, #%00001000
63DA	B6 20 06        L63DA	ldaA	L2006 ;cal start address
63DD	18 3C           	pushY	
63DF	18 38           	popY	
63E1	18 BC 20 04     	cmpY	L2004 ;checksum store address
63E5	26 13           	bne	L63FA ;branch if not done
63E7	81 A4           	cmpA	#$A4
63E9	26 0F           	bne	L63FA ;branch to compare?
63EB	B6 18 57        	ldaA	L1857
63EE	27 0E           	beq	L63FE
63F0	4F              	clrA	
63F1	18 CE 51 E7     	ldY	#$51E7
63F5	BD 7D A9        	call	L7DA9
63F8	20 13           	jr	L640D
;
63FA	81 AA           L63FA	cmpA	#$AA ; compare to $AA
63FC	27 0F           	beq	L640D ; Exit - Branch for development mode
63FE	86 01           L63FE	ldaA	#$01
6400	18 CE 51 E7     	ldY	#$51E7
6404	BD 7D A9        	call	L7DA9 ;call sub
6407	BD 62 A8        	call	L62A8 ;call sub
640A	7F 18 57        	clr	L1857
640D	39              L640D	ret	
;
;---68EE is the CheckSum math---
;
68EE	18 CE 00 00     L68EE:	ldY	#$0000
68F2	3C              	pushX	
68F3	32              	popA	
68F4	32              	popA	
68F5	5F              	clrB	
68F6	04              	lsrD	
68F7	04              	lsrD	
68F8	04              	lsrD	
68F9	5D              	tstB	
68FA	27 0D           	beq	L6909
68FC	4C              	incA	
68FD	36              	pushA	
68FE	17              	tBA	;get # bytes to handle
68FF	E6 00           L68FF	ldaB	0, X ;get byte
6901	18 3A           	aBY	;add to checksum
6903	08              	incX	;increment
6904	8B 20           	addA	#$20 ;add 32 (20dec=32hex)
6906	26 F7           	bne	L68FF ;Branch If Not Done 
6908	32              	popA	
6909	C6 08           L6909	ldaB	#$08
690B	18 8F           L690B	xgDY	
690D	EB 00           	addB	0, X ;add each 8 bytes to checksum
690F	89 00           	adcA	#$00
6911	EB 01           	addB	1, X
6913	89 00           	adcA	#$00
6915	EB 02           	addB	2, X
6917	89 00           	adcA	#$00
6919	EB 03           	addB	3, X
691B	89 00           	adcA	#$00
691D	EB 04           	addB	4, X
691F	89 00           	adcA	#$00
6921	EB 05           	addB	5, X
6923	89 00           	adcA	#$00
6925	EB 06           	addB	6, X
6927	89 00           	adcA	#$00
6929	EB 07           	addB	7, X
692B	89 00           	adcA	#$00
692D	18 8F           	xgDY	
692F	3A              	aBX	
6930	4C              	incA	;increment counter
6931	26 D8           	bne	L690B ; Branch if Not Zero and Continue With Checksum Calculation
6933	86 55           	ldaA	#$55
6935	B7 10 3A        	staA	COPRST
6938	B7 18 06        	staA	L1806
693B	43              	comA	
693C	B7 10 3A        	staA	COPRST
693F	B7 18 06        	staA	L1806
6942	4F              	clrA	;Start counter
6943	8C 00 00        	cmpX	#$0000 ;check if finished
6946	26 C3           	bne	L690B ;else branch to next location
6948	39              	ret	
;
;Few calls to 7DA9 
;
7DA9	F6 10 02        L7DA9:	ldaB	PORTG
7DAC	37              	pushB	
7DAD	CE 10 02        	ldX	#$1002
7DB0	1C 00 08        	bset	0, X, #%00001000
7DB3	BD F8 EB        	call	LF8EB
7DB6	CE 10 02        	ldX	#$1002
7DB9	33              	popB	
7DBA	C4 08           	andB	#%00001000
7DBC	27 05           	beq	L7DC3
7DBE	1C 00 08        	bset	0, X, #%00001000
7DC1	20 03           	jr	L7DC6
;

[quadstar87]

The checksum for this looks like it uses the OBD-I algo because of the cmp to $AA (what i'm thinking)

So I can make the educated guess that it's saved @ $2004-$2005 as a sum. Just need to flip back an forth with a couple different memory ranges in TP to see if I get back to the stock cheksum.

Here's what the OBD-I checksum was like. It was a 64k bin

[antus]

Ive found an error with the original read. Probably because prog11 doesnt know about GM proprietry bank switching, it didnt switch. The second 64k of the input file is identical to the first. So without the missing 18000->1FFFF your probably not going to find a match.

You might need to socket a PCM and read the bin directly. My address bus fixing code should work on the bin you'll get, and its easy to turn it in to a scrambler to create something you can put on the chip which should work in the car.

Maybe I need to port it to windows and put a nice UI on it....

[quadstar87]

Ive found an error with the original read. Probably because prog11 doesnt know about GM proprietry bank switching, it didnt switch. The second 64k of the input file is identical to the first. So without the missing 18000->1FFFF your probably not going to find a match.

You might need to socket a PCM and read the bin directly. My address bus fixing code should work on the bin you'll get, and its easy to turn it in to a scrambler to create something you can put on the chip which should work in the car.

Maybe I need to port it to windows and put a nice UI on it....

That's good information to have! Explains the duplicate tables probably.

So we know:

• Where the checksum is saved
• Size of checksum
• checksum algo (sum)
• Start of checksum data range

[slewinson]

Looking at the checksum routine, the bset and bclr appear to be the bank swaps. The second go calling b68EE probably is the bank switched top half of the ROM. First pass starts after checksum and second starts at 8000...

Simon

[antus]

That sounds right. So the sum would be a 16 bit sum @ 2004, of 2006->FFFF then 8000->FFFF. Will be good to confirm this after we can get a good bin read. And you've picked the bank swap to boot! Well done

[quadstar87]

Looking at the checksum routine, the bset and bclr appear to be the bank swaps. The second go calling b68EE probably is the bank switched top half of the ROM. First pass starts after checksum and second starts at 8000...

Simon

Thanks for the tip That 8000 was really throwing me off but I wasn't thinking of it from the perspective of "start at 8000 in Bank2"

[slewinson]

Looking at the checksum routine, the bset and bclr appear to be the bank swaps. The second go calling b68EE probably is the bank switched top half of the ROM. First pass starts after checksum and second starts at 8000...

Simon

Thanks for the tip That 8000 was really throwing me off but I wasn't thinking of it from the perspective of "start at 8000 in Bank2"

You could confirm this by setting the bit before reading the ROM. Don't know how best to do this - can prog11 do it?

Simon

[quadstar87]

Looking at the checksum routine, the bset and bclr appear to be the bank swaps. The second go calling b68EE probably is the bank switched top half of the ROM. First pass starts after checksum and second starts at 8000...

Simon

Thanks for the tip That 8000 was really throwing me off but I wasn't thinking of it from the perspective of "start at 8000 in Bank2"

You could confirm this by setting the bit before reading the ROM. Don't know how best to do this - can prog11 do it?

Simon

We have unofficially verified it. Thanks a lot for reading and sharing your knowledge. I'll try to get an update up on Monday to show the checksum working with the two banks merged in hex viewer.

[slewinson]

Cool. Glad to have been able to help out. From the sound you were able to set the bit with prog11.

Simon