I thought mode 34 and 35 were from the modules perspective so 34 would send things to the module and 35 would get stuff backVL400 wrote:The mode 35 is used to upload routines and then execute them, can use it for uploading a bin dumper routine or a flash erase/write routine.
'99 Saturn Dissassembly
Re: '99 Saturn Dissassembly
Re: '99 Saturn Dissassembly
This is so I don't lose this site again. Lots of good info, but the page indexed is for the ECM pinouts.
http://www.saturnwiki.net/index.php/PCM_connectors
http://www.saturnwiki.net/index.php/PCM_connectors
- VL400
Re: '99 Saturn Dissassembly
Sorry, yeah that is correct - mode 34 to upload a routine.sabercatpuck wrote:I thought mode 34 and 35 were from the modules perspective so 34 would send things to the module and 35 would get stuff backVL400 wrote:The mode 35 is used to upload routines and then execute them, can use it for uploading a bin dumper routine or a flash erase/write routine.
Re: '99 Saturn Dissassembly
Although I am trying to work through the logistics of the format for mode $35. What I have so far is that it should be 35 00 xx xx yy yy yy. I do know that xx xx cannot be greater than $0480. I am not sure if the ELM is capable of this one though. This is what I have so far piecing together the code:
; Simulator trace of the class-2 input-buffer scan at E8190 (the author's
; annotated listing of the same routine appears later in the thread). The
; "; aaaa = vv" text after an instruction is the simulator's dump of the
; memory that instruction touched, not a hand-written comment.
; Y = current input slot; byte 15 of the 16-byte slot is the "new message"
; flag ($AA) per the author's notes.
18190 ldY L1E3A; 01E3A = 1D, 01E3B = E8
18194 ldaA 15, Y; 01DF7 = AA
18197 cmpA #$AA
18199 beq L819E
; header byte 0 ($6C): flip bit 3, then test bits 3-4 (header format / IFR
; bits per the later listing); then compare against $E0 and test bit 2
; (bit 2 set = physical addressing per the later listing)
1819E ldaB 0, Y; 01DE8 = 6C
181A1 xorB #%00001000
181A3 bitB #%00011000
181A5 beq L81AA
181AA cmpB #$E0
181AC bcs L81B1
181B1 bitB #%00000100
181B3 bne L81C2
; header byte 1 (target): when it is not $FE it must equal the module ID
; held at LC251 ($10 in this run)
181C2 ldaA 1, Y; 01DE9 = 10
181C5 cmpA #$FE
181C7 bne L81E3
181E3 cmpA LC251; 1C251 = 10
181E6 beq L81F8
; X = current output slot; byte 15 != $AA means the slot is free
181F8 ldX L1E7B; 01E7B = 1E, 01E7C = 6B
181FB ldaA 15, X; 01E7A = 00
181FD cmpA #$AA
181FF bne L820B
; copy the whole 16-byte input slot into the output slot, two bytes at a time
1820B ldD 0, Y; 01DE8 = 6C, 01DE9 = 10
1820E stD 0, X; 01E6B = 6C, 01E6C = 10
18210 ldD 2, Y; 01DEA = F1, 01DEB = 35
18213 stD 2, X; 01E6D = F1, 01E6E = 35
18215 ldD 4, Y; 01DEC = 00, 01DED = 00
18218 stD 4, X; 01E6F = 00, 01E70 = 00
1821A ldD 6, Y; 01DEE = 04, 01DEF = 00
1821D stD 6, X; 01E71 = 04, 01E72 = 00
1821F ldD 8, Y; 01DF0 = 0E, 01DF1 = 00
18222 stD 8, X; 01E73 = 0E, 01E74 = 00
18224 ldD 10, Y; 01DF2 = 00, 01DF3 = 00
18227 stD 10, X; 01E75 = 00, 01E76 = 00
18229 ldD 12, Y; 01DF4 = 1D, 01DF5 = F2
1822C stD 12, X, 01E77 = 1D, 01E78 = F2
1822E ldD 14, Y; 01DF6 = 00, 01DF7 = AA
18231 stD 14, X; 01E79 = 00, 01E7A = AA
; bytes 12-13 of a slot point at the last message byte; rebase that pointer
; from the input slot to the output slot (offset = pointer - slot base = $0A)
18233 ldD 12, Y; 01DF4 = 1D, 01DF5 = F2
18236 subD L1E3A; 01E3A = 1D, 01E3B = E8
18239 aBX
1823A ldY L1E7B; 01E7B = 1E, 01E7C = 6B
1823E stX 12, Y; 01E77 = 1E, 01E78 = 75
; advance the output pointer by one slot ($10); at $1E7B it wraps to $1E4B
18241 ldD L1E7B; 01E7B = 1E, 01E7C = 6B
18244 addD #$0010
18247 cmpD #$1E7B
1824B bcs L8250
1824D ldD #$1E4B
18250 stD L1E7B; 01E7B = 1E, 01E7C = 4B
; release the input slot (clear the $AA flag) and advance the input pointer
; by one slot, wrapping at $1E38
18253 ldY L1E3A; 01E3A = 1D, 01E3B = E8
18257 ldaA #$00
18259 staA 15, Y; 01DF7 = 00
1825C ldD L1E3A; 01E3A = 1D, 01E3B = E8
1825F addD #$0010
18262 cmpD #$1E38
18266 bcs L826B
1826B stD L1E3A; 01E3A = 1D, 01E3B = F8
1826E jmp E8190
; second pass: the next input slot ($1DF8) carries no $AA flag, so the scan
; falls through to the work-buffer stage at L8271
18190 ldY L1E3A; 01E3A = 1D, 01E3B = F8
18194 ldaA 15, Y; 01E07 = 00
18197 cmpA #$AA
18199 beq L819E
1819B jmp L8271
; Work-buffer stage L8271: take the next queued message out of the output
; ring and assemble the reply in the scratch area at $0383.
; Bits 5 and 4 of $0088 gate this stage (both get set later in this trace,
; at 1AFB6 and 188D0); what each bit means is not visible here.
18271 brset L0088, #%00100000, L8284; 00088 = 02
18275 brset L0088, #%00010000, L82CC; 00088 = 02
; Y = working output pointer ($1E7D); the slot is live while byte 15 == $AA
18279 ldY L1E7D; 01E7D = 1E, 01E7E = 6B
1827D ldaA 15, Y; 01E7A = AA
18280 cmpA #$AA
18282 beq L8286
; X = reply scratch buffer at $0383
18286 ldX #$0383
; NOTE(review): the annotated listing later in the thread shows
; bitB #%00000100 (functional vs physical addressing test) at 828C, while
; the trace prints a second ldaB here. Either way $6C has bit 2 set, so the
; physical-addressing path at L82A2 is taken.
18289 ldaB 0, Y; 01E6B = 6C
1828C ldaB 0, Y
1828E bne L82A2
; 3-byte reply header: byte 0 copied from the request, byte 1 = the
; request's third (source) byte, byte 2 = this module's ID from LC251
182A2 ldaA 0, Y; 01E6B = 6C
182A5 staA 0, X; 00383 = 6C
182A7 ldaA 2, Y; 01E6D = F1
182AA staA 1, X; 00384 = F1
182AC ldaA LC251; 1C251 = 10
182AF staA 2, X; 00385 = 10
; data length = (last-byte pointer - slot base) - 3 header bytes = 7,
; kept in $1E7F for the length check in L8883
182B1 ldD 12, Y; 01E77 = 1E, 01E78 = 75
182B4 subD L1E7D; 01E7D = 1E, 01E7E = 6B
182B7 subB #$03
182B9 staB L1E7F; 01E7F = 07
; copy the 7 data bytes (35 00 00 04 00 0E 00) to $0386..$038C; the loop
; body is printed once per byte by the simulator
182BC ldaA 3, Y; 01E6E = 35
182BF staA 3, X; 00386 = 35
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 01E6F = 00
182BF staA 3, X; 00387 = 00
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 01E70 = 00
182BF staA 3, X; 00388 = 00
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 01E71 = 04
182BF staA 3, X; 00389 = 04
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 01E72 = 00
182BF staA 3, X; 0038A = 00
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 01E73 = 0E
182BF staA 3, X; 0038B = 0E
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
182BC ldaA 3, Y; 01E74 = 00
182BF staA 3, X; 0038C = 00
182C1 incX
182C2 incY
182C4 decB
182C5 bne L82BC
; flag $1E82 and dispatch on the mode byte via L8883 (the call pushes the
; return address $82CF at $03F9/$03FA)
182C7 ldaA #$01
182C9 staA L1E82; 01E82 = 01
182CC call L8883; 003FA = CF, 003F9 = 82, 18883 = F6
; Mode dispatch L8883 (annotated listing later in the thread). B = mode byte
; with bit 6 masked off; the reply path at 1AFAB sets that bit to turn the
; mode byte into a positive response.
18883 ldaB L0386; 00386 = 35
18886 andB #%10111111
18888 tBA
18889 beq L8899
; modes above $08: rebase to $10 and index the $8805 table (modes $10-$3F);
; entry = $8805 + 2 * (mode - $10) = $884F for mode $35
1888B cmpB #$08
1888D bhi L8895
18895 subB #$10
18897 bcc L889F
1889F cmpB #$2F
188A1 bhi L88A8
188A3 ldX #$8805
188A6 jr L88B3
188B3 aBX
188B4 aBX
; X = the mode's descriptor ($9EA2; zero would mean unsupported). Its first
; two bytes are the maximum and minimum data length accepted - both $07 for
; mode $35 in this build, so only a request with exactly 7 data bytes
; (the count in $1E7F) reaches the handler.
188B5 ldX 0, X; 1884F = 9E, 18850 = A2
188B7 beq L88D9
188B9 brset L0088, #%00010000, L88D5; 00088 = 02
188BD ldaB L1E7F; 01E7F = 07
188C0 cmpB 0, X; 19EA2 = 07
188C2 bhi L88C8
188C4 cmpB 1, X; 19EA3 = 07
188C6 bcc L88D0
; mark a handler as active (bit 4 of $0088) and jump to the code at
; descriptor + 4
188D0 bset L0088, #%00010000; 00088 = 02, 00088 = 12
188D3 jmp 4, X
; Mode $35 handler at 19EA6 (= descriptor $9EA2 + 4). X points at the mode
; byte in the scratch buffer ($0386).
19EA6 ldX #$0386
; LB00D is a precondition check: the handler continues only when it returns
; A == 0 (tstA / beq at 19EAC)
19EA9 call LB00D; 003F8 = AC, 003F7 = 9E
; LB00D: every branch visible here ends at LB042 (clrA / ret). It tests bit 3
; of $007A, $1B91, bit 0 of $3B01, a $DEAD marker word at $200A, $3B04 == $FF,
; $0E3D and bit 0 of $008C - the last of these is what sends this run to
; LB042. The LB036 path and whatever yields a non-zero result are not traced.
1B00D brset L007A, #%00001000, LB036; 0007A = 80
1B011 tst L1B91; 01B91 = 00
1B014 bne LB036
1B016 ldaB L3B01; 03B01 = 1E
1B019 bitB #%00000001
1B01B bne LB042
1B01D pushX; 003F6 = 86, 003F5 = 03
1B01E ldX L200A; 0200A = E5, 0200B = 7F
1B021 cmpX #$DEAD
1B024 popX; 003F4 = 00, 003F5 = 03, 003F6 = 86
1B025 beq LB042
1B027 ldaB L3B04; 03B04 = 00
1B02A incB
1B02B beq LB042
1B02D tst L0E3D; 00E3D = 00
1B030 bne LB042
1B032 brset L008C, #%00000001, LB042; 0008C = 01
1B042 clrA
1B043 ret; 003F6 = 86, 003F7 = 9E, 003F8 = AC
19EAC tstA
19EAD beq L9EB2
; request layout relative to X = $0386:
;   [0] mode $35   [1] must be 0   [2..3] byte count, at most $0480 (bls,
;   so $0480 itself passes)   [4] must be 0   [5..6] start address
; a non-zero [1] or [4] diverts to L9F00 / L9ED9 (not traced; A is preloaded
; with $51, which the author reads as "improper upload type")
19EB2 ldD 2, X; 00388 = 00, 00389 = 04
19EB4 cmpD #$0480
19EB8 bls L9EBE ; check that xx xx is less than $0480
19EBE ldaA #$51; preload error code "improper upload type"
19EC0 ldaB 1, X; 00387 = 00
19EC2 bne L9F00
19EC4 tst 4, X; 0038A = 00
19EC6 bne L9ED9
; end = start + count - 1; both bpl tests require bit 15 clear, so the
; requested range has to start and end at or below $7FFF
19EC8 ldD 5, X; 0038B = 0E, 0038C = 00
19ECA bpl L9ED0
19ED0 addD 2, X; 00388 = 00, 00389 = 04
19ED2 subD #$0001
19ED5 bpl L9EEA
; save the original byte 2, replace it with $54 ("ready for upload" per the
; author) and send a 3-byte positive reply via LAF9F
19EEA ldaA 2, X; 00388 = 00
19EEC pushA; 003F8 = 00
19EED ldaA #$54; load message "ready for upload"
19EEF staA 2, X; 00388 = 54
19EF1 ldaA #$03
19EF3 call LAF9F; 003F7 = F6, 003F6 = 9E
; LAF9F: clear bit 4 of $0088, store the reply length (A, when non-zero) in
; $1E7F, and set bit 6 of the mode byte ($35 -> $75 = positive response)
1AF9F bclr L0088, #%00010000; 00088 = 12, 00088 = 02
1AFA2 tstA
1AFA3 beq LAFA8
1AFA5 staA L1E7F; 01E7F = 03
1AFA8 ldaA L0386; 00386 = 35
1AFAB oraA #%01000000
1AFAD staA L0386; 00386 = 75 Put 75 in outgoing message good response
; LBD43 with X = $C603 (a table in ROM): OR the byte at X+15 into the flag
; byte at $1F9A + (byte at X+16), with interrupts masked (tPA/di ... tAP)
1AFB0 ldX #$C603
1AFB3 call LBD43; 003F5 = B6, 003F4 = AF
1BD43 ldaB 16, X; 1C613 = 00
1BD45 ldY #$1F9A
1BD49 aBY
1BD4B tPA
1BD4C di
1BD4D ldaB 15, X; 1C612 = 01
1BD4F oraB 0, Y; 01F9A = 00
1BD52 staB 0, Y; 01F9A = 01
1BD55 tAP
1BD56 ret; 003F3 = 31, 003F4 = AF, 003F5 = B6
; set bit 5 of $0088 (the gate tested at 18271) and return with A = 0
1AFB6 bset L0088, #%00100000; 00088 = 02, 00088 = 22
1AFB9 clrA
1AFBA brclr L0088, #%00010000, LAFBF; 00088 = 22
1AFBF ret; 003F5 = B6, 003F6 = 9E, 003F7 = F6
19EF6 call LBDFA; 003F7 = F9, 003F6 = 9E
; LBDFA / LBEEA: housekeeping after the reply is queued. $1B8D ($76) is
; compared with the two calibration bytes at $C253/$C254; in this run that
; lands at LBE16.
1BDFA ldaA L1F87; 01F87 = 00
1BDFD beq LBE06
1BE06 ldaA L1B8D; 01B8D = 76
1BE09 cmpA LC253; 1C253 = 00
1BE0C bcs LBE13
1BE0E cmpA LC254; 1C254 = F5
1BE11 bcs LBE16
; bit 4 of $0089 is clear: interrupts off, copy $0C00 to $1F7B (previous
; value left in B) and test bit 3 of the new value (clear here, so skip to
; the ei at LBE5B). The author's later post identifies $0C00 as the status
; byte for the data-out location at $0C01.
1BE16 brclr L0089, #%00010000, LBE1D; 00089 = 09
1BE1D di
1BE1E ldaA L0C00; 00C00 = 10
1BE21 ldaB L1F7B; 01F7B = 10
1BE24 staA L1F7B; 01F7B = 10
1BE27 bitA #%00001000
1BE29 beq LBE5B
1BE5B ei
1BE5C call LBEEA; 003F5 = 5F, 003F4 = BE
; LBEEA: with $1F93 == 0, fill the 8 bytes $1FAA..$1FB1 with $FF under di/ei
; (the loop body is printed 8 times by the simulator)
1BEEA ldaA L1F93; 01F93 = 00
1BEED beq LBEF8
1BEF8 ldX #$1FAA
1BEFB ldaB #$08
1BEFD ldaA #$FF
1BEFF aBX
1BF00 di
1BF01 decX
1BF02 staA 0, X; 01FB1 = FF
1BF04 cmpX #$1FAA
1BF07 bne LBF01
1BF01 decX
1BF02 staA 0, X; 01FB0 = FF
1BF04 cmpX #$1FAA
1BF07 bne LBF01
1BF01 decX
1BF02 staA 0, X; 01FAF = FF
1BF04 cmpX #$1FAA
1BF07 bne LBF01
1BF01 decX
1BF02 staA 0, X; 01FAE = FF
1BF04 cmpX #$1FAA
1BF07 bne LBF01
1BF01 decX
1BF02 staA 0, X; 01FAD = FF
1BF04 cmpX #$1FAA
1BF07 bne LBF01
1BF01 decX
1BF02 staA 0, X; 01FAC = FF
1BF04 cmpX #$1FAA
1BF07 bne LBF01
1BF01 decX
1BF02 staA 0, X; 01FAB = FF
1BF04 cmpX #$1FAA
1BF07 bne LBF01
1BF01 decX
1BF02 staA 0, X; 01FAA = FF
1BF04 cmpX #$1FAA
1BF07 bne LBF01
1BF09 ei
; then, because bit 0 of $0089 is set, AND each of those 8 bytes with the
; ROM table at $C231..$C238, walking both downwards. The trace ends inside
; this loop.
1BF0A brset L0089, #%00001000, LBF11; 00089 = 09
1BF11 brclr L0089, #%00000001, LBF34; 00089 = 09
1BF15 ldX #$C231
1BF18 ldY #$1FAA
1BF1C ldaB #$08
1BF1E aBX
1BF1F aBY
1BF21 di
1BF22 decX
1BF23 decY
1BF25 ldaA 0, X; 1C238 = 00
1BF27 andA 0, Y; 01FB1 = FF
1BF2A staA 0, Y; 01FB1 = 00
1BF2D cmpY #$1FAA
1BF31 bne LBF22
Re: '99 Saturn Dissassembly
Well, I am starting to think that it automatically switches to 4x mode, because unlike the usual message buffer in the $00383 area, in this case it is ultimately using a single location at $00c01 for sending the data out, so I imagine it is switching to a different channel for comms. There seems to be a long timeout associated with it as well. It appears that $00c00 will get set to $03 when the data is pulled, or after the timeout.
; Fragment of the mode $35 data-sending loop. It starts mid-routine at A039;
; the code before it and the routine's caller are not shown. Per the
; author's note, $0C01 is the single location the dumped bytes leave
; through and $0C00 is its status byte. X = the handler's work area:
;   7,X  remaining byte count   10,X  source pointer   16,X  16-bit running
;   sum of the bytes sent (presumably zeroed before entry - not shown)
A039 LA039 staA L0C01
A03C bclr 1, X, #%00010000
A03F ldY 10, X; get location of bytes to dump
; LA042: wait until the previous byte has been taken, then send the byte at
; Y, decrement the count and add the byte (D = $00:byte) to the sum at
; 16,X/17,X; repeat until the count hits zero
A042 LA042 call LA072
A045 ldD 7, X; get how many bytes to dump
A047 beq LA05D
A049 subD #$0001
A04C stD 7, X
A04E clrA
A04F ldaB 0, Y; get memory for mode 35
A052 staB L0C01
A055 addD 16, X
A057 stD 16, X
A059 incY
A05B jr LA042
;
; all bytes sent: send the high byte of the sum, then set $0C00 to $0C and
; send the low byte - so the dump is followed by a 16-bit checksum of the
; bytes transmitted - then clear 43,X and return
A05D LA05D ldaA 16, X
A05F staA L0C01
A062 call LA072
A065 ldaA 17, X
A067 LA067 ldaB #$0C
A069 staB L0C00
A06C staA L0C01
A06F clr 43, X
A071 LA071 ret
;
; LA072: spin until the low two bits of $0C00 read 3 ("data retrieved" per
; the author), calling L5834 / L5840 (COP reset per the author) each pass
A072 LA072: ldaA L0C00
A075 andA #%00000011
A077 cmpA #$03; had data been retrieved?
A079 bne LA083; yes : return and get the next character
A07B call L5834; no : reset COP timer and try again
A07E call L5840
A081 jr LA072
;
A083 LA083 ret
Re: '99 Saturn Dissassembly
Well, since it looks like I may hit a wall until I have a 4x connection, I figured I would take a step back and start going over the memory map a bit better. First thing was the class 2 buffer. There seem to be two: I think one with the pointer at $01e3a/b and the second at $01e7b/c. Each buffer segment is exactly 16 bytes large and will appear in specific locations of:
01e4b output buffers
01e5b
01e6b
01de8 input buffers
01df8
01e08
01e18
01e28
01e4b output buffers
01e5b
01e6b
01de8 input buffers
01df8
01e08
01e18
01e28
Re: '99 Saturn Dissassembly
This is where I am, waiting for hardware capable of 4X Vpw
Re: '99 Saturn Dissassembly
This is the complete entry point map for all modes supported on this ECM. All are in the 3rd upper memory block, so mode $01 would start physically at $188E3.
01 $88E3; Request Current Powertrain Diagnostic Data
02 $891B; Request Powertrain Freeze Frame Data
03 $8961; Request Powertrain Diagnostic Trouble Codes
04 $89F3; Request to Clear/Reset Diagnostic Trouble Codes
05 $8A07; Request O2 Sensor Monitoring Test Results
06 $8BB4; Request On-Board monitoring Test Results
07 $8DFC; Request Pending Powertrain Diagnostic Trouble Codes
08 $8E97; Request Device Control
10 $8F26; Initiate Diagnostic Operation
12 $8FE8; Request Diagnostic Freeze Frame Data
13 $9103; Request Diagnostic Trouble Code Information
14 $91e2; Clear Diagnostic Trouble Code Information
17 $91F9; Request Status of Diagnostic Trouble Codes
18 $946d; Request Diagnostic Trouble Codes by Status
19 $964e; Request Diagnostic Trouble Codes by Status
20 $98Ac; Return to Normal Operation
22 $98Dd; Request Diagnostic Data by PID
23 $991c; Request Diagnostic Data by Memory Address
25 $9963; Request to Stop Transmitting Data
27 $9971; Data Link Security Access
28 $99Fa; Disable Normal Message Transmission
29 $9A44; Enable Normal Message Transmission
2A $9A42; Request Diagnostic Data Packets
2B $9C28; Define Diagnostic Data Packet by Offset
2C $9C7c; Define Diagnostic Data Packet
31 $9DF6; Request Start Diagnostic Routine by Test Number
32 $9DF6; Request Stop Diagnostic Routine by Test Number
33 $9DF6; Request Diagnostic Routine Results by Test Number
34 $9E44; Request Download - tool to module
35 $9EA6; Request Upload - module to tool
3b $A4B6; Write Data Block
3c $A4B6; Read Data Block
3F $A8Cd; Test Device Present - No Operation Performed
A0 $A8D7; Request High Speed Mode
A1 $A8EE; Begin High Speed Mode
A8 $A908
AD $A916
AE $A921; Request Device Control
01 $88E3; Request Current Powertrain Diagnostic Data
02 $891B; Request Powertrain Freeze Frame Data
03 $8961; Request Powertrain Diagnostic Trouble Codes
04 $89F3; Request to Clear/Reset Diagnostic Trouble Codes
05 $8A07; Request O2 Sensor Monitoring Test Results
06 $8BB4; Request On-Board monitoring Test Results
07 $8DFC; Request Pending Powertrain Diagnostic Trouble Codes
08 $8E97; Request Device Control
10 $8F26; Initiate Diagnostic Operation
12 $8FE8; Request Diagnostic Freeze Frame Data
13 $9103; Request Diagnostic Trouble Code Information
14 $91e2; Clear Diagnostic Trouble Code Information
17 $91F9; Request Status of Diagnostic Trouble Codes
18 $946d; Request Diagnostic Trouble Codes by Status
19 $964e; Request Diagnostic Trouble Codes by Status
20 $98Ac; Return to Normal Operation
22 $98Dd; Request Diagnostic Data by PID
23 $991c; Request Diagnostic Data by Memory Address
25 $9963; Request to Stop Transmitting Data
27 $9971; Data Link Security Access
28 $99Fa; Disable Normal Message Transmission
29 $9A44; Enable Normal Message Transmission
2A $9A42; Request Diagnostic Data Packets
2B $9C28; Define Diagnostic Data Packet by Offset
2C $9C7c; Define Diagnostic Data Packet
31 $9DF6; Request Start Diagnostic Routine by Test Number
32 $9DF6; Request Stop Diagnostic Routine by Test Number
33 $9DF6; Request Diagnostic Routine Results by Test Number
34 $9E44; Request Download - tool to module
35 $9EA6; Request Upload - module to tool
3b $A4B6; Write Data Block
3c $A4B6; Read Data Block
3F $A8Cd; Test Device Present - No Operation Performed
A0 $A8D7; Request High Speed Mode
A1 $A8EE; Begin High Speed Mode
A8 $A908
AD $A916
AE $A921; Request Device Control
Re: '99 Saturn Dissassembly
Well, I have lots of stuff around the house to try and get done now that I am feeling a little bit better, so it may be a while before any more updates, but I thought I would post some of the commenting that I am putting together in the 3rd quadrant (focusing on that first because I can control what it is doing more easily).
; Class 2 (VPW) message handling, annotated by the author. Two rings of
; 16-byte slots are involved: input slots $1DE8..$1E37 (Cl2InputBufPtr) and
; output slots $1E4B..$1E7A (Cl2OutputBufPtr for queueing, Cl2WorkOutBufPtr
; for the reply stage at L8271). Byte 15 of a slot is the "new message" flag
; ($AA); bytes 12-13 point at the last message byte.
8190 E8190:
8190 ldY Cl2InputBufPtr; load y with current input buffer pointer
8194 ldaA 15, Y; check last byte
8197 cmpA #$AA; if it is $AA then it is a new message
8199 beq L819E
819B jmp L8271
;
819E L819E ldaB 0, Y; load first byte of incoming message
81A1 xorB #%00001000
81A3 bitB #%00011000; check for 1 byte headder and IFR required
81A5 beq L81AA; if so go here
81A7 jmp L8253; if not go here (should go here more often)
;
81AA L81AA cmpB #$E0; check low pri, 1 byte head, IFR req, Func addr, IFR type 2, func
81AC bcs L81B1
81AE clr L1F7E
81B1 L81B1 bitB #%00000100
81B3 bne L81C2
; functional addressing: byte 1 == $6A is queued (L81F8); anything else is
; handed to L82F1 and then discarded via L8253
81B5 ldaA 1, Y
81B8 cmpA #$6A; is it a functional request info packet
81BA beq L81F8
81BC call L82F1
81BF jmp L8253
;
; physical addressing, target $FE: dropped if bit 6 of byte 3 is set;
; otherwise queued, after a call to LC87B when bit 1 of $3B01 is set
81C2 L81C2 ldaA 1, Y
81C5 cmpA #$FE
81C7 bne L81E3
81C9 ldaB 3, Y
81CC bitB #%01000000
81CE beq L81D3
81D0 jmp L8253
;
81D3 L81D3 ldaB L3B01
81D6 bitB #%00000010
81D8 beq L81F8
81DA pushY
81DC call LC87B
81DF popY
81E1 jr L81F8
;
; other physical targets: our own ID is queued; target $18 is never queued
; (it is passed to LC87B when bit 1 of $3B01 is set, then discarded); any
; other target is discarded
81E3 L81E3 cmpA ModuleIDNum
81E6 beq L81F8
81E8 cmpA #$18
81EA bne L8253
81EC ldaB L3B01
81EF bitB #%00000010
81F1 beq L8253
81F3 call LC87B
81F6 jr L8253
;
81F8 L81F8 ldX Cl2OutputBufPtr; load current output buffer pointer
81FB ldaA 15, X; load last byte of current output buffer
81FD cmpA #$AA; should be $00 if buffer is cleared
81FF bne L820B
; no free output slot: set bit 3 of $1E80 (presumably an overrun
; indicator) and discard the message
8201 ldaA L1E80
8204 oraA #%00001000
8206 staA L1E80
8209 jr L8253
;
820B L820B ldD 0, Y; load first two numbers from the current input buffer
820E stD 0, X; store first two numbers in the current output buffer
8210 ldD 2, Y; group 2 in
8213 stD 2, X; group 2 out
8215 ldD 4, Y; group 3 in
8218 stD 4, X; group 3 out
821A ldD 6, Y; group 4 in
821D stD 6, X; group 4 out
821F ldD 8, Y; group 5 in
8222 stD 8, X; group 5 out
8224 ldD 10, Y; group 6 in
8227 stD 10, X; group 6 out
8229 ldD 12, Y; group 7 in
822C stD 12, X; group 7 out
822E ldD 14, Y; group 8 in
8231 stD 14, X; group 8 out
8233 ldD 12, Y; load location of last real message byte
8236 subD Cl2InputBufPtr; how long is the message (headder included)
8239 aBX; set x to location of last message byte in the output buffer
823A ldY Cl2OutputBufPtr; load y with current output buffer
823E stX 12, Y; save last message byte location in output current buffer
8241 ldD Cl2OutputBufPtr; load d with current output buffer location
8244 addD #$0010; add $10 to current location (set to next buffer location)
8247 cmpD #$1E7B; is it at the end of the range for the output buffer?
824B bcs L8250; if not, jump
824D ldD #$1E4B; if so, then reset output buffer to $01e4b
8250 L8250 stD Cl2OutputBufPtr; store new output buffer location in pointer
8253 L8253 ldY Cl2InputBufPtr; load y with current input buffer location
8257 ldaA #$00
8259 staA 15, Y; clear the $AA, make this buffer clear for new message
825C ldD Cl2InputBufPtr; load d with current input buffer location
825F addD #$0010; add $10 (set to next buffer)
8262 cmpD #$1E38; is it at the upper end of the buffer
8266 bcs L826B; if not jump
8268 ldD #$1DE8; if it is reset to the lower limit
826B L826B stD Cl2InputBufPtr; store the new input buffer location to the pointer
826E jmp E8190
;
; L8271: reply stage - pull the next queued slot from the output ring.
; bit 5 of $0088 set -> nothing to do (L82F0); bit 4 set -> a handler is
; already in progress (see L88D0), go straight to the L8883 call at L82CC;
; otherwise an empty slot (byte 15 != $AA) -> L82F0
8271 L8271 brset L0088, #%00100000, L8284
8275 brset L0088, #%00010000, L82CC
8279 ldY Cl2WorkOutBufPtr
827D ldaA 15, Y
8280 cmpA #$AA; valid current message?
8282 beq L8286
8284 L8284 jr L82F0
;
; reply header for a functionally addressed request: byte 0 with bit 5
; cleared, byte 1 = $6B, byte 2 = our module ID
8286 L8286 ldX #$0383
8289 ldaB 0, Y; get first byte
828C bitB #%00000100; functional or physical addressing?
828E bne L82A2; jump if physical addressing
8290 ldaA 0, Y
8293 andA #%11011111
8295 staA 0, X
8297 ldaA #$6B
8299 staA 1, X
829B ldaA ModuleIDNum
829E staA 2, X
82A0 jr L82B1
;
82A2 L82A2 ldaA 0, Y; load first byte
82A5 staA 0, X; store in ram scratch pad $00383
82A7 ldaA 2, Y; load 3rd byte
82AA staA 1, X; store in 2nd byte location
82AC ldaA ModuleIDNum; location of module id #
82AF staA 2, X; store in 3rd byte location (reply message format)
82B1 L82B1 ldD 12, Y; load message length including headder
82B4 subD Cl2WorkOutBufPtr; subtract out message pointer, leaving just bytes in Breg
82B7 subB #$03; subtract the 3 byte headder leaving just number of message bytes
82B9 staB L1E7F; store working message length - headder
82BC L82BC ldaA 3, Y; load message byte from 3 +Y
82BF staA 3, X; store message byte to 3 + X
82C1 incX
82C2 incY
82C4 decB
82C5 bne L82BC; keep doing until complete message loaded in ram
82C7 ldaA #$01
82C9 staA L1E82
; dispatch on the mode byte. A != 0 back from L8883 leaves the slot in
; place (L82F0); A == 0 clears the slot's $AA flag, advances
; Cl2WorkOutBufPtr by one slot (wrapping from $1E7B to $1E4B) and loops
; back to L8271 for the next queued message
82CC L82CC call L8883
82CF tstA
82D0 bne L82F0
82D2 ldY Cl2WorkOutBufPtr
82D6 ldaA #$00
82D8 staA 15, Y
82DB ldD Cl2WorkOutBufPtr
82DE addD #$0010
82E1 cmpD #$1E7B
82E5 bcs L82EA
82E7 ldD #$1E4B
82EA L82EA stD Cl2WorkOutBufPtr
82ED jmp L8271
; Mode handler vector tables, indexed by L8883 below: $87F5 for modes
; $01-$08, $8805 for $10-$3F, $8865 for $A0-$AE. Each entry is the address
; of a handler descriptor; $0000 marks an unsupported mode. Per L88BD-L88D3
; the descriptor's bytes 0 and 1 are the maximum and minimum data length the
; mode accepts and its code starts at descriptor + 4 - which is why the
; author's entry-point list above reads e.g. $88E3 for mode $01 ($88DF + 4).
87F5 dw $88DF, $8917, $895D, $89EF, $8A03; Mode $01 TO $05 Entry Point
87FF dw $8BB0, $8DF8, $8E93; Mode $06 TO $08 Entry Point
8805 dw $8F22, $0000, $8FE4, $90FF, $91DE; Mode $10 TO $14 Entry Point
880F dw $0000, $0000, $91F5, $9469, $964A; Mode $15 TO $19 Entry Point
8819 dw $0000, $0000, $0000, $0000, $0000; Mode $1A TO $1E Entry Point
8823 dw $0000, $98A8, $0000, $98D9, $9918; Mode $1F TO $23 Entry Point
882D dw $0000, $995F, $0000, $996D, $99F6; Mode $24 TO $28 Entry Point
8837 dw $9A40, $9A4E, $9C24, $9C78, $0000; Mode $29 TO $2D Entry Point
8841 dw $0000, $0000, $0000, $9DF2, $9DF2; Mode $2E TO $32 Entry Point
884B dw $9DF2, $9E40, $9EA2, $0000, $0000; Mode $33 TO $37 Entry Point
8855 dw $0000, $0000, $0000, $A4B2, $A4B2; Mode $38 TO $3C Entry Point
885F dw $0000, $0000, $A8C9; Mode $3D TO $3F Entry Point
8865 dw $A8D3, $A8EA, $0000, $0000, $0000; Mode $A0 TO $A4 Entry Point
886F dw $0000, $0000, $0000, $A904, $0000; Mode $A5 TO $A9 Entry Point
8879 dw $0000, $0000, $0000, $A912, $A91D; Mode $AA TO $AE Entry Point
;
; L8883: select the handler for the mode byte in the scratch buffer and check
; the request length against the handler's descriptor. On return A == 0
; means the message was consumed (see L82CF).
8883 L8883: ldaB L0386; what mode number?
8886 andB #%10111111; mask bit 6 (the positive-response bit OR'd in at LAFAB)
8888 tBA; A keeps the raw mode number for the error path at L88C8
8889 beq L8899
888B cmpB #$08
888D bhi L8895; if mode 8 or more jump (bhi: modes $09 and above)
888F ldX #$87F5; Load vector table for mode $01 to $08
8892 decB ; set so mode 1 is the 0 position in the vector table etc.
8893 jr L88B3
;
8895 L8895 subB #$10; subtract $10 for formatting to for jump table
8897 bcc L889F; should jump unless mode 9 (modes $09-$0F borrow here and fall into L8899)
; L8899: no handler - drop the in-progress flag and exit through LAFB9, the
; clrA / return tail of the reply routine LAF9F seen in the trace above
8899 L8899 bclr L0088, #%00010000
889C jmp LAFB9
;
889F L889F cmpB #$2F; check if mode $10 to $3f is selected
88A1 bhi L88A8; jump if not
88A3 ldX #$8805; location of the vector table for mode $10 to 3F
88A6 jr L88B3
;
88A8 L88A8 subB #$90; is it mode $Ax
88AA bcs L88D9
88AC cmpB #$0E
88AE bhi L88D9
88B0 ldX #$8865; location of vector table for mode $A0 to $AE
88B3 L88B3 aBX ; add modified mode number twice to get jump vector
88B4 aBX
88B5 ldX 0, X; X = handler descriptor address from the table
88B7 beq L88D9; branch if mode not supported
88B9 brset L0088, #%00010000, L88D5
88BD ldaB L1E7F; check that message has the correct packet length
88C0 cmpB 0, X; descriptor byte 0 = maximum data length
88C2 bhi L88C8; jump if message is too long
88C4 cmpB 1, X; descriptor byte 1 = minimum data length
88C6 bcc L88D0; jump if message is not too short
; length out of range: modes below $10 take the L8899 exit; modes $10 and
; up continue at L88DB (not shown) with A = $12, presumably a
; negative-response code
88C8 L88C8 cmpA #$10
88CA bcs L8899
88CC ldaA #$12
88CE jr L88DB
;
88D0 L88D0 bset L0088, #%00010000
88D3 jmp 4, X; jump to extended mode entry at 4 + (Vect(2x(Mode-$10) + $8805))
; Fragment of the mode $27 (Data Link Security Access) handler. It starts
; mid-routine at L99A4 and stops before the key-accepted path (L99E9), the
; repeated-failure path (L99DD) and the common reply exit (L99F3), none of
; which are shown.
; Seed reply: the seed is read from RAM at $0E00 and placed in message bytes
; $0388/$0389; bit 2 of $008C records that a seed was issued; reply length 4.
99A4 L99A4 ldX L0E00 ; load the seed from memory
99A7 L99A7 stX L0388 ; put the seed in the outgoing message
99AA bset L008C, #%00000100
99AD ldaA #$04
99AF jr L99F3
;
; $1E93 non-zero -> response code $37 (presumably a delay / lockout counter;
; not confirmable from this fragment); reply length 3
99B1 L99B1 tst L1E93
99B4 beq L99BF
99B6 ldaA #$37
99B8 L99B8 staA L0388 ; store response code (33, 34, 35, 36, 37)
99BB ldaA #$03
99BD jr L99F3
;
; key sent without a preceding seed request (bit 2 clear) -> code $33
99BF L99BF brset L008C, #%00000100, L99C7
99C3 ldaA #$33
99C5 jr L99B8
;
; key check: consume the seed flag, then compare the 16-bit key in the
; message with the expected key held in RAM at $0E02 (how $0E02 is derived
; from the seed is not in this fragment). A first mismatch sets bit 1 of
; $008C and answers $35; a mismatch with bit 1 already set goes to L99DD
; (not shown).
99C7 L99C7 bclr L008C, #%00000100
99CA ldX L0388 ; load the key being tried
99CD cmpX L0E02 ; compare to one in memory
99D0 beq L99E9 ; branch if it is the correct key
99D2 brset L008C, #%00000010, L99DD
99D6 bset L008C, #%00000010
99D9 ldaA #$35 ; set error code 35, bad key 1st try
99DB jr L99B8
Re: '99 Saturn Dissassembly
I figured I would put in a quick update. I have gotten some of the other projects somewhat more under control, so hopefully I will be able to work on this again soon (although we are now moving into spring and that means mowing the lawn will be in the mix soon too), but I have not been totally idle: I have been learning VBA for Excel so I can better manipulate the data coming back from the logic analyzer. See a code snippet below for some of what I have put together. This starts by arranging the data better, then I move into a reverse assembler so I can put the data back together as readable assembly code with better information. When I get this done I will post it in the tools section.
' Normalises the two columns exported by the logic analyser on Sheet1:
' strips the "Time" header block if it is present, forces text formatting,
' then left-pads column A (addresses) to five hex digits and column B
' (data bytes) to two, upper-casing both.
' Side effects: deletes columns/rows on the active sheet, adds Sheet2 when
' the workbook has a single sheet, widens Sheet2!A, and switches on the
' Analysis ToolPak add-ins (Hex2Dec/Dec2Hex are used by the decoder subs).
Private Sub CommandButton1_Click()
    Dim rowIdx As Long
    Dim lastRow As Long

    ' Raw export: drop the first two columns and the header row, then make
    ' the remaining two columns text so leading zeros survive.
    If Range("a1") = "Time" Then
        Columns("a:b").Select
        Selection.Delete Shift:=xlToLeft
        Rows("1:1").Select
        Selection.Delete Shift:=xlUp
        Columns("a:b").Select
        Selection.NumberFormat = "@"
    End If

    If Application.Sheets.Count = 1 Then Sheets.Add After:=ActiveSheet
    Worksheets("Sheet2").Columns("A:A").ColumnWidth = 20
    AddIns("Analysis ToolPak").Installed = True
    AddIns("Analysis ToolPak - VBA").Installed = True

    lastRow = ThisWorkbook.Worksheets(1).UsedRange.Rows.Count
    For rowIdx = 1 To lastRow
        Range("a" & CStr(rowIdx)) = PadHexCell(Range("a" & CStr(rowIdx)), 5)
    Next rowIdx
    For rowIdx = 1 To lastRow
        Range("b" & CStr(rowIdx)) = PadHexCell(Range("b" & CStr(rowIdx)), 2)
    Next rowIdx
End Sub

' Left-pads cellText with "0" up to width characters and upper-cases it.
' Text already at or beyond width is only upper-cased (the original
' If/ElseIf chain had no branch for longer strings either).
Private Function PadHexCell(ByVal cellText As String, ByVal width As Integer) As String
    If Len(cellText) < width Then
        cellText = String(width - Len(cellText), "0") & cellText
    End If
    PadHexCell = UCase(cellText)
End Function
' Decodes the opcode byte in B1 by calling the matching per-opcode decoder.
' Only LDD ($FC) and SUBD ($B3) are handled so far; any other value is
' ignored.
Private Sub CommandButton2_Click()
    Dim opcode As String
    opcode = Range("b" & CStr(1))
    If opcode = "FC" Then
        LDD_FC
    ElseIf opcode = "B3" Then
        SUBD_B3
    End If
End Sub
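' Decodes an LDD instruction with opcode $FC whose fetch sits in row 1 of the
' analyser capture and writes one line of assembly to Sheet2!A1.
' Columns: A = address (hex text), B = data byte (hex text), one bus
' transaction per row.
' Fetch sequence reconstructed from the capture:
'   row 1            opcode $FC at address a0
'   a0+1, a0+2       hh, ll  -> operand address hhll
'   hhll, hhll+1     the two data bytes the instruction read
' Each operand/data fetch is looked up by address within a small window of
' rows after the previous one; if it is not found before the window limit the
' sub gives up silently (capture incomplete, or row 1 is not an LDD).
' NOTE(review): on the 68HC11 opcode $FC is the extended-addressing form of
' LDD (the author's own listings write it "ldD L1E3A"); the "#" prefix in the
' output text is kept exactly as the author wrote it.
' Fix: the original scanning loops were written "Do While (addr <> ... Or x = 5)",
' so the row limit never ended the loop - a matching address on the limit
' row was skipped, the following "If x = 5 Then Exit Sub" guards were
' unreachable, and a missing fetch ran off the used range. The scans are now
' bounded by FindAddrRow, which returns the limit row when nothing matches.
Private Sub LDD_FC()
    Dim x As Long
    Dim addr As Long
    Dim hh As String
    Dim ll As String
    Dim hhll As String
    Dim hhll1 As String

    x = 1
    addr = WorksheetFunction.Hex2Dec(Range("a" & CStr(x)).Value)

    ' first operand byte, expected at a0+1, searched in rows 2..4
    addr = addr + 1
    x = FindAddrRow(addr, x + 1, 5)
    If x = 5 Then Exit Sub
    hh = Range("b" & CStr(x))

    ' second operand byte, expected at a0+2, searched up to row 5
    addr = addr + 1
    x = FindAddrRow(addr, x + 1, 6)
    If x = 6 Then Exit Sub
    ll = Range("b" & CStr(x))
    hhll = hh & ll

    ' first data byte, read from the operand address hhll
    addr = WorksheetFunction.Hex2Dec(hhll)
    x = FindAddrRow(addr, x + 1, 7)
    If x = 7 Then Exit Sub
    hh = Range("b" & CStr(x))

    ' second data byte, read from hhll+1 (hhll1 is that address as hex text)
    addr = addr + 1
    hhll1 = WorksheetFunction.Dec2Hex(addr)
    x = FindAddrRow(addr, x + 1, 8)
    If x = 8 Then Exit Sub
    ll = Range("b" & CStr(x))

    Worksheets("Sheet2").Range("a1") = "LDD #" & hhll & " ;" & hhll & " = $" & hh & ", " & hhll1 & " = $" & ll
End Sub

' Scans column A from row startRow (inclusive) to limitRow (exclusive) for a
' cell whose hex address equals addrWanted. Returns the matching row, or
' limitRow when no row before the limit matches.
Private Function FindAddrRow(ByVal addrWanted As Long, ByVal startRow As Long, ByVal limitRow As Long) As Long
    Dim r As Long
    r = startRow
    Do While r < limitRow
        If WorksheetFunction.Hex2Dec(Range("a" & CStr(r)).Value) = addrWanted Then Exit Do
        r = r + 1
    Loop
    FindAddrRow = r
End Function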
' Stub decoder for SUBD ($B3): only writes the mnemonic to Sheet2!A2; the
' operand bytes are not reconstructed yet.
Private Sub SUBD_B3()
    With Worksheets("Sheet2")
        .Range("a2").Value = "SUBD"
    End With
End Sub
' Empty selection-change event handler: nothing happens when the selection
' moves; the hook is only kept so the sheet module compiles with it present.
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
End Sub