'99 Saturn Dissassembly
Re: '99 Saturn Dissassembly
Very good info!
-
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
- cars: 1999 Saturn SL1
2003 Monte Carlo
Re: '99 Saturn Dissassembly
Next up I am going to make a list of indirect memory pointers (where the X or Y register is used as a moving pointer) such as is seen in this section of code in ES2:
The first couple of lines imply that there is a section of data that is stored at $96c0 and is going to be moved to RAM at location $1400. The CMPX later on says that the last byte of data would be $9ec0. So thusly this data:
Code:
812D ldX #$96C0
8130 ldY #$1400
8134 L8134 ldD 0, X
8136 stD L16E0
8139 ldD 2, X
813B stD L16E2
813E ldD 4, X
8140 stD L16E4
8143 ldD 6, X
8145 stD L16E6
8148 stY 0, Y
814B incY
814D incY
814F ldaB #$08
8151 aBX
8152 cmpX #$9EC0
8155 bcs L8134
8157 ldD #$0000
815A stD L16F0
815D L815D ret
- antus
- Site Admin
- Posts: 8258
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: '99 Saturn Dissassembly
Good to see your project is still alive and you're still at it. Keep up the good work.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
-
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
- cars: 1999 Saturn SL1
2003 Monte Carlo
Re: '99 Saturn Dissassembly
Well, starting to get back into this project now that the working prototype of the reverse assembler is going (should be finished with the rough draft in the next couple days). I got the flash returned to stock and started getting new data sets from them and started adding in some of the comments that I had made before and a few new ones. The bit below is what I got back by sending 6a 68 f1 01 0b, which is a request for the intake manifold pressure. The interesting bit I need to investigate further is that it would appear that L01822 is where it gets the data from, but that location shows up at times in the code being written to, so I am not sure where it gets it from ultimately now. I did see another mystery I will need to track down. Near one of the references to the location I saw a JSR to L00602, which is well outside the flash ROM space, kinda odd. One other point: I decided it would be easiest to make the first digit the two bits making up the address lines 15 and 16 going to the flash; that way you could see which quadrant it was in based on the first number, so the first line is 05721, indicating it is in the 0 quadrant. Later on it moves into quadrant 3, or the upper memory one.
Code:
05721 ADCA #$00, X L03560 = $1C
05723 BRA $06
0572B PULB B=$00
0572C PULX X=$3560
0572D RTS
1CFD7 STAA L01B99 A=$1C
1CFDA BRSET L00012, #%00001000, $4D L00012 = $00
1CFDE BRSET L0000B, #%00000001, $49 L0000B = $00
1CFE2 BRSET L0000C, #%00000010, $45 L0000C = $00
1CFE6 BRSET L0000C, #%00000001, $41 L0000C = $00
1CFEA LDAB L01BA0 B=$00
1CFED CMPB L035E1 B=$06
1CFF0 BCS $39
1D02B CLRA
1D02C STAA L01B9A A=$00
1D02F LDX L00155 X=$0000
1D032 CPX L035E2 L=$0004
1D035 BCC $05
1D037 LDD #$0000
1D03A BRA $37
1D073 STD L01B9B D=$0000
1D076 RTS
04A4F LDX #$8190
04A52 JSR L05666 RL = 4A55
05666 TPA
05667 PSHA A=$C9
05668 SEI
05669 LDAA L01002 A=$F0
0566C TAB
0566D ANDB #%00000011
0566F ANDA #%11111100
05671 ORAA #%00000010
05673 STAA L01002 A=$F2
05676 PULA A=$C9
05677 PSHB B=$00
05678 TAP
05679 JSR #$00,X RL = 567B
38190 LDY L01E3A Y=$1DE8 load y with current input buffer pointer
38194 LDAA #$0F, Y L01DF7 = $AA check last byte
38197 CMPA #$AA if it is $AA then it is a new message
38199 BEQ $03
3819E LDAB #$00, Y L01DE8=$68 load first byte of incoming message
381A1 EORB #%00001000
381A3 BITB #%00011000 check for 1 byte header and IFR required
381A5 BEQ $03 if so go here
381AA CMPB #$E0 check low pri, 1 byte head, IFR req, Func addr, IFR type 2, func
381AC BCS $03
381B1 BITB #%00000100
381B3 BNE $0D
381B5 LDAA #$01, Y L01DE9 = $6A
381B8 CMPA #$6A is it a functional request info packet
381BA BEQ $3C
381F8 LDX L01E7B X=$1E4B load current output buffer pointer
381FB LDAA #$0F, X L01E5A = $00 load last byte of current output buffer
381FD CMPA #$AA should be $00 if buffer is cleared
381FF BNE $0A
3820B LDD #$00, Y L01DE8=$686A load first two numbers from the current input buffer
3820E STD #$00, X L01E4B=$686A store first two numbers in the current output buffer
38210 LDD #$02, Y L01DEA=$F101 group 2 in
38213 STD #$02, X L01E4D=$F101 group 2 out
38215 LDD #$04, Y L01DEC=$0B00 group 3 in
38218 STD #$04, X L01E4F=$0B00 group 3 out
3821A LDD #$06, Y L01DEE=$0000 group 4 in
3821D STD #$06, X L01E51=$0000 group 4 out
3821F LDD #$08, Y L01DF0=$0000 group 5 in
38222 STD #$08, X L01E53=$0000 group 5 out
38224 LDD #$0A, Y L01DF2=$0000 group 6 in
38227 STD #$0A, X L01E55=$0000 group 6 out
38229 LDD #$0C, Y L01DF4=$1DED group 7 in
3822C STD #$0C, X L01E57=$1DED group 7 out
3822E LDD #$0E, Y L01DF6=$00AA group 8 in
38231 STD #$0E, X L01E59=$00AA group 8 out
38233 LDD #$0C, Y L01DF4=$1DED load location of last real message byte
38236 SUBD L01E3A D=$1DE8 how long is the message (header included)
38239 ABX set x to location of last message byte in the output buffer
3823A LDY L01E7B Y=$1E4B load y with current output buffer
3823E STX #$0C, Y L01E57=$1E50 save last message byte location in output current buffer
38241 LDD L01E7B D=$1E4B load d with current output buffer location
38244 ADDD #$0010 add $10 to current location (set to next buffer location)
38247 CPD #$1E7B is it at the end of the range for the output buffer?
3824B BCS $03 if not, jump
38250 STD L01E7B D=$1E5B store new output buffer location in pointer
38253 LDY L01E3A Y=$1DE8 load y with current input buffer location
38257 LDAA #$00
38259 STAA #$0F, Y L01DF7 = $00 clear the $AA, make this buffer clear for new message
3825C LDD L01E3A D=$1DE8 load d with current input buffer location
3825F ADDD #$0010 add $10 (set to next buffer)
38262 CPD #$1E38 is it at the upper end of the buffer
38266 BCS $03 if not jump
3826B STD L01E3A D=$1DF8 store the new input buffer location to the pointer
3826E JMP L8190
38190 LDY L01E3A Y=$1DF8 load y with current input buffer pointer
38194 LDAA #$0F, Y L01E07 = $00 check last byte
38197 CMPA #$AA if it is $AA then it is a new message
38199 BEQ $03
3819B JMP L8271
38271 BRSET L00088, #%00100000, $0F L00088 = $02
38275 BRSET L00088, #%00010000, $53 L00088 = $02
38279 LDY L01E7D Y=$1E4B
3827D LDAA #$0F, Y L01E5A = $AA
38280 CMPA #$AA valid current message?
38282 BEQ $02
38286 LDX #$0383
38289 LDAB #$00, Y L01E4B=$68 get first byte
3828C BITB #%00000100 functional or physical addressing?
3828E BNE $12 jump if physical addressing
38290 LDAA #$00, Y L01E4B = $68 begin formatting reply message
38293 ANDA #%11011111
38295 STAA #$00, X L00383 = $48
38297 LDAA #$6B
38299 STAA #$01, X L00384 = $6B
3829B LDAA L3C251 A=$10 Load $10, The name of the PCM
3829E STAA #$02, X L00385 = $10 Store it in the message
382A0 BRA $0F
382B1 LDD #$0C, Y L01E57=$1E50 load message length including header
382B4 SUBD L01E7D D=$1E4B subtract out message pointer, leaving just bytes in Breg
382B7 SUBB #$03 subtract the 3 byte header leaving just number of message bytes
382B9 STAB L01E7F B=$02 store working message length - header
382BC LDAA #$03, Y L01E4E = $01 load message byte from 3 +Y
382BF STAA #$03, X L00386 = $01 store message byte to 3 + X
382C1 INX
382C2 INY
382C4 DECB
382C5 BNE $F5 keep doing until complete message loaded in ram
382BC LDAA #$03, Y L01E4F = $0B
382BF STAA #$03, X L00387 = $0B
382C1 INX
382C2 INY
382C4 DECB
382C5 BNE $F5 keep doing until complete message loaded in ram
382C7 LDAA #$01
382C9 STAA L01E82 A=$01
382CC JSR L38883 RL = 82CF
38883 LDAB L00386 B=$01 Load B with the mode #
38886 ANDB #%10111111 set bit 6 to 0
38888 TBA
38889 BEQ $0E Branch if it was mode Ax
3888B CMPB #$08
3888D BHI $06
3888F LDX #$87F5 L387f5 is where the mode vector table is
38892 DECB No mode 0
38893 BRA $1E
388B3 ABX
388B4 ABX
388B5 LDX #$00, X L387F5=$88DF
388B7 BEQ $20 branch if mode not supported
388B9 BRSET L00088, #%00010000, $18 L00088 = $02
388BD LDAB L01E7F B=$02 check that message has the correct packet length
388C0 CMPB #$00, X L388DF=$02
388C2 BHI $04 jump if message is too long
388C4 CMPB #$01, X L388E0=$02
388C6 BCC $08 jump if message is not too short
388D0 BSET L00088, #%00010000 L00088 = $12
388D3 JMP #$04, X jump to extended mode entry at 4 + (Vect(2x(Mode-$10) + $8805))
388E3 CLRA Mode $01 Entry
388E4 LDAB L00387 B=$0B
388E7 CMPB #$1C
388E9 BHI $26
388EB JSR L3B158 RL = 88EE
3B158 CMPA #$11
3B15A BEQ $14
3B15C CMPA #$12
3B15E BEQ $15
3B160 CMPA #$13
3B162 BEQ $23
3B164 TSTA
3B165 BNE $39
3B167 CMPB #$1C
3B169 BHI $35
3B16B LDX #$B1AA
3B16E BRA $27
3B197 ABX
3B198 ABX Vectors are 2 bytes long, add twice to get right number
3B199 LDX #$00, X L3B1C0=$B5E0 Load vector table
3B19B CPX #$FFFF Test if PID is supported
3B19E BRA $01
3B1A1 RTS
388EE BCC $21
388F0 CPX #$B58A
388F3 BCS $10
388F5 CPX #$B958
388F8 BHI $0B
388FA LDY #$0388
388FE JSR #$01,X RL = 8900
3B5E1 PSHX X=$B5E0 Start Intake Manifold Pressure routine
3B5E2 LDAA L01822 A=$02
3B5E5 CLRB
3B5E6 LSRD
3B5E7 LDX #$AD82
3B5EA FDIV
3B5EB XGDX
3B5EC LSRD
3B5ED ADDD #$0A55
3B5F0 PULX X=$B5E0
3B5F1 JMP LB969
3B969 STAA #$00, Y L00388 = $0B
3B96C LDAB #$01
3B96E ABY
3B970 RTS
38900 ADDB #$02
38902 TBA
38903 BRA $09
3890E JMP LAF9F
3AF9F BCLR L00088, #%00010000 L00088 = $02
3AFA2 TSTA
3AFA3 BEQ $03
3AFA5 STAA L01E7F A=$03
3AFA8 LDAA L00386 A=$01
3AFAB ORAA #%01000000
3AFAD STAA L00386 A=$41 Format message reply
3AFB0 LDX #$C603
3AFB3 JSR L3BD43 RL = AFB6
3BD43 LDAB #$10, X L3C613=$00
3BD45 LDY #$1F9A
3BD49 ABY
3BD4B TPA
3BD4C SEI
3BD4D LDAB #$0F, X L3C612=$01
3BD4F ORAB #$00, Y L01F9A=%00000000
3BD52 STAB #$00, Y L01F9A=$01
3BD55 TAP
3BD56 RTS
3AFB6 BSET L00088, #%00100000 L00088 = $22
3AFB9 CLRA
3AFBA BRCLR L00088, #%00010000, $01 L00088 = $22
3AFBF RTS
382CF TSTA
382D0 BNE $1E
382D2 LDY L01E7D Y=$1E4B
382D6 LDAA #$00
382D8 STAA #$0F, Y L01E5A = $00
382DB LDD L01E7D D=$1E4B
382DE ADDD #$0010
382E1 CPD #$1E7B
382E5 BCS $03
382EA STD L01E7D D=$1E5B
382ED JMP L8271
38271 BRSET L00088, #%00100000, $0F L00088 = $22
38284 BRA $6A
382F0 RTS
0567B TPA
0567C SEI
0567D LDAB L01002 B=$F2
05680 ANDB #%11111100
05682 TSX X=SP=$3FD
05683 ORAB #$00, X L003FD=%00000000
05685 STAB L01002 B=$F0
05688 PULB B=$00
05689 TAP
0568A RTS
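The trace above ends with $0B stored at L00388. The Python sketch below is an added example, not part of the original post: it replays the arithmetic of the routine at 3B5E2 (the same sequence that appears at 6153 in a later listing) and the reply formatting done at 38290-3829E and 3AFA8-3AFAD. The function names are invented for illustration, the request bytes are the ones shown in the input buffer (68 6A F1 01 0B), and FDIV is modelled on the 68HC11 instruction definition, which assumes this CPU is 68HC11-compatible.

```python
# Added example (not from the thread). Names are hypothetical; constants are
# copied from the trace. Assumes 68HC11 semantics for FDIV/LSRD/XGDX.

PCM_ADDRESS = 0x10     # byte loaded from L3C251 ("the name of the PCM")
REPLY_TARGET = 0x6B    # LDAA #$6B at 38297
FDIV_DIVISOR = 0xAD82  # LDX #$AD82 at 3B5E7
OFFSET = 0x0A55        # ADDD #$0A55 at 3B5ED
TRACED_PID = 0x0B      # the only PID handler followed in the trace


def fdiv(d, x):
    """68HC11 FDIV: quotient (D * 65536) / X goes to X, remainder to D."""
    if x == 0 or d >= x:
        # Divide by zero or overflow: the CPU forces the quotient to $FFFF.
        # The remainder is indeterminate on hardware; d is returned as-is.
        return 0xFFFF, d
    return divmod(d << 16, x)


def map_pid_byte(raw_adc):
    """Replay 3B5E2..3B5ED: raw byte from L01822 -> data byte of the reply."""
    if not 0 <= raw_adc <= 0xFF:
        raise ValueError("raw_adc must be one byte")
    d = raw_adc << 8                    # LDAA L01822 ; CLRB   (D = A:B)
    d >>= 1                             # LSRD
    x, _rem = fdiv(d, FDIV_DIVISOR)     # LDX #$AD82 ; FDIV
    d = x                               # XGDX
    d >>= 1                             # LSRD
    d = (d + OFFSET) & 0xFFFF           # ADDD #$0A55
    return d >> 8                       # STAA 0,Y keeps only the high byte


def build_reply(request, raw_adc):
    """Return the reply bytes, or None where the traced path is not taken.

    Only the functional-addressing, mode $01, PID $0B path is modelled,
    because that is the only path the trace shows end to end.
    """
    # 3 header bytes + 2 message bytes: the length table entry read at
    # 388C0/388C4 gives $02 for both limits, so the length must be exactly 2.
    if len(request) != 5:
        return None
    header, target, _source, mode, pid = request
    if header & 0x04:                   # BITB #%00000100 ; BNE -> physical
        return None
    if target != 0x6A:                  # CMPA #$6A at 381B8
        return None
    if (mode & 0xBF) != 0x01:           # ANDB #%10111111 at 38886
        return None
    if pid != TRACED_PID:               # other PID handlers are not modelled
        return None
    return bytes([
        header & 0xDF,                  # ANDA #%11011111  ($68 -> $48)
        REPLY_TARGET,
        PCM_ADDRESS,
        mode | 0x40,                    # ORAA #%01000000  ($01 -> $41)
        pid,
        map_pid_byte(raw_adc),
    ])


if __name__ == "__main__":
    request = bytes.fromhex("686AF1010B")   # bytes seen at L01DE8..L01DEC
    reply = build_reply(request, 0x02)      # L01822 held $02 in the trace
    print(reply.hex(" ").upper())
```

With the traced input (L01822 = $02) the data byte comes out as $0B, matching the value the trace shows stored at L00388.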
- antus
- Site Admin
- Posts: 8258
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: '99 Saturn Dissassembly
good work
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Re: '99 Saturn Dissassembly
L01822 will just be a RAM location where it stored the value from the analog-to-digital converter.
There are usually a few variables for the same thing: one is used as an override value when it is in mode 4, one is the raw value, one is filtered, etc.
Have a look at all the places in the code where that RAM location is written to, and you'll probably find some code that looks something similar to below. (This is from one of our Australian PCMs, 16233396.)
Code:
D8C4 IATv_INJv_BATTv: ; CODE XREF: __RESET:loc_6D26P
D8C4 ; MAJOR_9+20P
D8C4 tpa
D8C5 tab
D8C6 loc_D8C6:
D8C6 ldaa #0
D8C8 sei
D8C9 loc_D8C9: ; AA=0 (Inlet Air Temperature Sensor Voltage)
D8C9 jsr ADMUX1
6413 ; =============== S U B R O U T I N E =======================================
6413 ; DO A/D CONVERSION OF SPECIFIED CHANNEL
6413 ;
6413 ; ACCA = MUX1 CHANNEL TO READ
6413 ADMUX1: ; CODE XREF: SDLOGIC+74P
6413 ; EIP_MSG_REPLY+21P
6413 ; __RESET+1B1P
6413 ; __RESET+276P IRQ+26P
6413 ; SUB_AC_PRESS+DP ...
6413 pshb
6414 ldab PORTG ; Port G Data
6414 ; 01 A/D INPUT MUX
6414 ; 02 A/D INPUT MUX
6414 ; 04 A/D INPUT MUX
6414 ; 08
6414 ; 10
6414 ; 20
6414 ; 40 HIGH BANK SELECTOR BIT
6414 ; 80
6417 andb #0xF8 ; '°' ; A2D MUX MASK
6419 aba
641A staa PORTG ; Port G Data
641A ; 01 A/D INPUT MUX
641A ; 02 A/D INPUT MUX
641A ; 04 A/D INPUT MUX
641A ; 08
641A ; 10
641A ; 20
641A ; 40 HIGH BANK SELECTOR BIT
641A ; 80
641D clra
641E staa ADCTL ; A_D Control Register
641E ;
641E ; 0 *MUX Channel
641E ; 1 Force Motor Current
641E ; 2 Right Hand O2 Sensor Voltage
641E ; 3 Left Hand O2 Sensor Voltage
641E ; 4 KNOCK SENSOR INPUT
641E ; 5 Injector voltage
641E ; 6 Throttle Position Sensor Voltage
641E ; 7 Exhaust Gas Recirc. Valve Pos'n Sensor Voltage
641E ;
641E ; MUX1
641E ;
641E ; 0 Inlet Air Temperature Sensor Voltage
641E ; 1 Engine Coolant Temp. sensor Voltage
641E ; 2 Transmission Fluid Temperature Sensor Voltage
641E ; 3 ? DIAGNOSTIC PIN (F14)
641E ; 4 A/C Pressure Sensor Voltage
641E ; 5 ? BAROMETER INPUT
641E ; 6 Battery Voltage
641E ; 7
6421 mul
6422 mul
6423 mul
6424 pulb
6425 ldaa ADR1 ; A_D Result Register 1
6428 rts
6428 ; End of function ADMUX1
D8CC staa IAT_V_RAW_ALDL ;loc'n 0x190A
D8CF loc_D8CF:
D8CF coma
D8D0 staa IAT_V_inverse_raw ;loc'n 0x190B
D8D3 tba
D8D4 tap
D8D5 jsr SUB_DTC_23_25_26 ; DTC23 IAT VOLTS HIGH
D8D5 ; DTC25 IAT VOLTS LOW
D8D5 ; DTC26 IAT UNSTABLE
D8D5 ;
D8D8 ldaa IAT_V_inverse_raw ;loc'n 0x190B
D8DB ldx #IATVOLT2TEMP ; 0x6040
D8DE jsr P4LKUPQ ; "TWO DIMENSIONAL" TABLE LOOKUP
D8DE ; NO OFFSET, SPACED 16
D8DE ;
D8DE ; ACCA = LOOKUP VALUE
D8DE ; ACCB = UNCHANGED
D8DE ; IX = ADDRESS OF TABLE
D8DE ;
D8DE ; RESULT IN ACCA
D8E1 loc_D8E1: ; AIR TEMP = (X * 0.75) - 40
D8E1 staa IAT_RAW_ALDL ;loc'n 0x190D
D8E4 brclr *FLAGS_35,#0x80,loc_D8ED ; 'Ç' ; 0x01 1 = ERROR FREE TRANSMISSION ON UART LINK
D8E4 ; 0x02 1 = ALDL XMIT NEEDED (RESPONSE TO A RX'D MSG)
D8E4 ; 0x04 1 = CLEAR MALF CODES
D8E4 ; 0x08 1 = ALDL MODE 8 DISABLE NORMAL COMMUNICATIONS
D8E4 ; 0x10 1 = DO CHECKSUM ONLY
D8E4 ; 0x20 1 = ALDL TESTER IN CONTROL OF LINK
D8E4 ; 0x40 1 = CLEAR NVRAM
D8E4 ; 0x80 1 = ALDL MODE 4 CONTROL
D8E4 ;
D8E8 ldaa IAT_V_inverse ;loc'n 0x190C
D8EB bra loc_D8FC
D8ED ; ---------------------------------------------------------------------------
D8ED loc_D8ED: ; CODE XREF: IATv_INJv_BATTv+20j
D8ED brclr *CURRENT_MALF_22_29,#0x58,loc_D8F6 ; 'X' ; 0x01 DTC29 EGR position fault
D8ED ; 0x02 DTC28 manual valve circuit fault
D8ED ; 0x04 DTC27 **not used**
D8ED ; 0x08 DTC26 IAT volts unstable
D8ED ; 0x10 DTC25 IAT volts low
D8ED ; 0x20 DTC24 VSS missing CEL
D8ED ; 0x40 DTC23 IAT volts high
D8ED ; 0x80 DTC22 TPS voltage low CEL
D8F1 ldaa DEF_INVERSE_IAT_V ;loc'n 0x592D
D8F4 loc_D8F4:
D8F4 bra loc_D8F9
D8F6 ; ---------------------------------------------------------------------------
D8F6 loc_D8F6: ; CODE XREF: IATv_INJv_BATTv:loc_D8EDj
D8F6 ldaa IAT_V_inverse_raw ;loc'n 0x190B
D8F9 loc_D8F9: ; CODE XREF: IATv_INJv_BATTv:loc_D8F4j
D8F9 staa IAT_V_inverse ;loc'n 0x190C
D8FC loc_D8FC: ; CODE XREF: IATv_INJv_BATTv+27j
D8FC ldx #IATVOLT2TEMP ; for IAT
D8FF jsr P4LKUPQ ; "TWO DIMENSIONAL" TABLE LOOKUP
D8FF ; NO OFFSET, SPACED 16
D8FF ;
D8FF ; ACCA = LOOKUP VALUE
D8FF ; ACCB = UNCHANGED
D8FF ; IX = ADDRESS OF TABLE
D8FF ;
D8FF ; RESULT IN ACCA
D902 loc_D902: staa *IAT ;loc'n 0x0075
-
- Posts: 67
- Joined: Thu Jan 14, 2010 1:03 am
- cars: 1999 Saturn SL1
2003 Monte Carlo
Re: '99 Saturn Dissassembly
Yep, it dawned on me that was probably it the other day on the way home from work, I just was too busy putting the final touches on the reverse assembler to look. Looks like these are the areas in the lower memory where it is accessed; there is one where it is accessed in conjunction with A to D #1. Thanks for the reply though, there are some good snippets in the code you provided.
Code:
4339 clrA
433A staA L1DDD
433D staA L1DDE
4340 ldaA #$04
4342 call L5858
4345 staA L1822
ADR1 = $1031 (A to D Register 1)
50B8 L50B8 ldaA #$04
50BA staA ADCTL
50BD bset L0069, #%00000001
50C0 ldaA L1462
50C3 ldD L1462
50C6 stD L1844
50C9 ldaA L18D3
50CC staA L18D4
50CF ldaA L18D2
50D2 staA L18D3
50D5 ldaB L1D1A
50D8 ldaA ADR1
50DB staA L1822
50DE bitB #%00100000
50E0 beq L50FB
50E2 bitB #%00000001
50E4 beq L50F8
50E6 ldaB L1D1B
50E9 bmi L50F2
50EB aBA
614D ldaB L1B12
6150 stD 10, X
6152 pushX
6153 ldaA L1822
6156 clrB
6157 lsrD
6158 ldX #$AD82
615B fdiv
615C xgDX
615D lsrD
615E addD #$0A55
6161 popX
6162 staA 12, X
6164 pushX
8829 L8829 cmpB L21AA
882C bcc L888B
882E L882E ldaA L19C6
8831 addA #$01
8833 sbcA #$00
8835 staA L19C6
8838 ldaB L1822
883B cmpB L21AC
883E bhi L885C
8840 ldaB L19C5
8843 andB #%11111110
8845 staB L19C5
8848 cmpA L21AE
884B bcs L888B
884D clrA
889D L889D cmpB L21B0
88A0 bls L88FF
88A2 L88A2 ldaA L19C8
88A5 addA #$01
88A7 sbcA #$00
88A9 staA L19C8
88AC ldaB L1822
88AF cmpB L21B2
88B2 bcs L88D0
88B4 ldaB L19C5
88B7 andB #%11111101
88B9 staB L19C5
88BC cmpA L21B4
88BF bcs L88FF
88C1 clrA
E1E6 LE1E6 bclr L0060, #%00000001
E1E9 LE1E9 brclr L0061, #%00000100, LE238
E1ED ldaA #$04
E1EF call L584A
E1F2 staA L1822
E1F5 staA L18D2
E1F8 staA L18D3
E1FB staA L18D4
E1FE ldaA L18D2
E201 ldaB L1D1A
E204 bitB #%00100000
E206 beq LE221
E208 bitB #%00000001
E20A beq LE21E
E20C ldaB L1D1B
E20F bmi LE218
E211 aBA
E212 bcc LE216
E214 ldaA #$FF
E216 LE216 jr LE221
-
- Posts: 1
- Joined: Mon Dec 17, 2012 2:58 am
- cars: 1987 Fiero GT
2004 Silverado SS
2017 Fusion Sport
Re: '99 Saturn Dissassembly
This looks quite interesting! I look forward to the day we may be able to re-flash our Saturns! Keep up the good work.
Re: '99 Saturn Dissassembly
How are you making out with this?