SaturnFans.com
Old 08-06-2011, 11:40 AM   #1
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Breaking the code

Ok, OldNuc made a mention of a bin dump that SabercatPuck posted from a 1999 Saturn S-series Auto, and I've been playing with it in IDA Pro.


My old thread that started getting into this topic: http://www.saturnfans.com/forums/sho...168108&page=29
SabercatPuck's thread on delcohacking: http://delcohacking.net/forums/viewt...t=377&start=50
SabercatPuck's post of the dump files that I'm using: http://www.saturnfans.com/forums/sho...5&postcount=67

Link to the freeware version of the software I'm using: http://www.hex-rays.com/idapro/idadownfreeware.htm
You need to change load signatures for the Motorola XC68HC11F1 that is being used in the PCM.
My software version is IDA Pro v5.5

I'm still getting bases covered, but I've already uncovered something that SabercatPuck didn't make mention of at physical address 10000 (very start of the ROM section).
Here is a taste of it:
Code:
ROM:10000                 idiv                    ; Integer divide 16 by 16
ROM:10001                 suba    #0              ; Subtract
ROM:10003                 ldaa    word_14E2       ; Load accumulator from memory
ROM:10006                 ldd     word_14E2       ; Load double accumulator
ROM:10009                 anda    #$7F ; ''      ; Logical AND
ROM:1000B                 std     word_14E2       ; Store accumulators in memory
ROM:1000E                 std     word_1872       ; Store accumulators in memory
ROM:10011                 jsr     sub_5834        ; Jump to subroutine
ROM:10014                 jsr     sub_80F9        ; Jump to subroutine
ROM:10017                 jsr     sub_8117        ; Jump to subroutine
ROM:1001A                 jsr     sub_5834        ; Jump to subroutine
ROM:1001D                 jsr     sub_5840        ; Jump to subroutine
ROM:10020                 jsr     sub_815E        ; Jump to subroutine
ROM:10023                 jsr     sub_8184        ; Jump to subroutine
ROM:10026                 jsr     loc_81D7+1      ; Jump to subroutine
ROM:10029                 jsr     sub_81EB        ; Jump to subroutine
ROM:1002C                 jsr     loc_81FA+1      ; Jump to subroutine
ROM:1002F                 jsr     loc_8215        ; Jump to subroutine
ROM:10032                 jsr     sub_8232        ; Jump to subroutine
ROM:10035                 jsr     loc_8286+1      ; Jump to subroutine
ROM:10038                 jsr     loc_8313        ; Jump to subroutine
ROM:1003B                 jsr     sub_5834        ; Jump to subroutine
ROM:1003E                 jsr     sub_5840        ; Jump to subroutine
ROM:10041                 ldaa    word_14E2       ; Load accumulator from memory
ROM:10044                 ldd     word_14E2       ; Load double accumulator
ROM:10047                 andb    #$BF ; '+'      ; Logical AND
ROM:10049                 std     word_14E2       ; Store accumulators in memory
ROM:1004C                 std     word_1872       ; Store accumulators in memory
ROM:1004F                 brset   byte_6B 2 unk_81 ; Branch if bit (n) in memory set
ROM:10053                 jsr     sub_7105        ; Jump to subroutine
ROM:10056                 ldaa    byte_6C         ; Load accumulator from memory
ROM:10058                 anda    #$FE ; ''      ; Logical AND
ROM:1005A                 staa    byte_6C         ; Store accumulator in memory
ROM:1005C                 ldx     #$193A          ; Load index register from memory
ROM:1005F                 ldaa    #0              ; Load accumulator from memory
What is even more interesting to me is the decent number of incrementing loops after this section in the function.
There are no cross-refs to this function either.

The USER_VEC Segment seems to be a form of exportable function table.
Code:
USER_VEC:FFD6                 fdb SCISS               ; SCI Serial System
USER_VEC:FFD8                 fdb SPIE                ; SPI Serial Transfer Complete
USER_VEC:FFDA                 fdb PAII                ; Pulse Accumulator Input Edge
USER_VEC:FFDC                 fdb PAOVI               ; Pulse Accumulator Overflow
USER_VEC:FFDE                 fdb TOI                 ; Timer Overflow
USER_VEC:FFE0                 fdb I4_I5               ; Timer Input Capture 4 / Output Compare 5
USER_VEC:FFE2                 fdb OC4I                ; Timer Output Compare 4
USER_VEC:FFE4                 fdb OC3I                ; Timer Output Compare 3
USER_VEC:FFE6                 fdb OC2I                ; Timer Output Compare 2
USER_VEC:FFE8                 fdb OC1I                ; Timer Output Compare 1
USER_VEC:FFEA                 fdb IC3I                ; Timer Input Capture 3
USER_VEC:FFEC                 fdb IC2I                ; Timer Input Capture 2
USER_VEC:FFEE                 fdb IC1I                ; Timer Input Capture 1
USER_VEC:FFF0                 fdb RTII                ; Real Time Interrupt
USER_VEC:FFF2                 fdb IRQ                 ; IRQ
USER_VEC:FFF4                 fdb XIRQ                ; XIRQ Pin
USER_VEC:FFF6                 fdb SOFT                ; Software Interrupt
USER_VEC:FFF8                 fdb OPC                 ; Illegal Opcode Trap
USER_VEC:FFFA                 fdb NOCOP               ; COP Failure
USER_VEC:FFFC                 fdb CME                 ; Clock Monitor Fail
USER_VEC:FFFE off_FFFE:       fdb __RESET             ; DATA XREF: RESERVED:loc_602w
USER_VEC:FFFE                                         ; RESERVED:0605w ...
USER_VEC:FFFE ; end of 'USER_VEC'                     ; Processor reset
The more code I find, the more data I find is not code but gradient tables (TPS, MAP, etc etc), which I'm cranking up the Coheed and Cambria and cracking through.

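The USER_VEC listing above spans $FFD6-$FFFF, where the 68HC11 keeps its interrupt and reset vectors: 21 handler addresses, each a 16-bit `fdb` stored high byte first. As an added example (not code from the thread), this Python sketch reads those vectors out of an image so every handler can be declared as a disassembly entry point. It assumes a flat image of the CPU address space; the sample image, its handler addresses and the function names are constructed for the demo.

```python
import struct

# Vector order exactly as labelled in the USER_VEC listing ($FFD6 .. $FFFE).
VECTOR_BASE = 0xFFD6
VECTOR_NAMES = [
    "SCISS", "SPIE", "PAII", "PAOVI", "TOI", "I4_I5", "OC4I", "OC3I",
    "OC2I", "OC1I", "IC3I", "IC2I", "IC1I", "RTII", "IRQ", "XIRQ",
    "SOFT", "OPC", "NOCOP", "CME", "__RESET",
]


def read_vectors(image, image_base=0x0000):
    """Return [(vector_addr, name, handler_addr)] for an image mapped at image_base."""
    table_end = VECTOR_BASE + 2 * len(VECTOR_NAMES)      # one past $FFFF
    if image_base > VECTOR_BASE or image_base + len(image) < table_end:
        raise ValueError("image does not cover $FFD6-$FFFF")
    vectors = []
    for i, name in enumerate(VECTOR_NAMES):
        addr = VECTOR_BASE + 2 * i
        # Each fdb is a 16-bit address stored high byte first.
        (handler,) = struct.unpack_from(">H", image, addr - image_base)
        vectors.append((addr, name, handler))
    return vectors


def group_handlers(vectors):
    """Map handler address -> vector names. Many names on one address
    usually means a shared default stub for unused interrupts."""
    groups = {}
    for _addr, name, handler in vectors:
        groups.setdefault(handler, []).append(name)
    return groups


def suspicious_vectors(vectors, image, image_base=0x0000):
    """Names of vectors that should not be trusted as entry points: erased
    ($0000/$FFFF), outside the image, or pointing at blank $FF fill."""
    bad = []
    for _addr, name, handler in vectors:
        off = handler - image_base
        erased = handler in (0x0000, 0xFFFF)
        outside = not 0 <= off < len(image)
        blank = not outside and image[off:off + 4] == b"\xff" * 4
        if erased or outside or blank:
            bad.append(name)
    return bad


def build_sample_image():
    """Constructed 64 KiB image; every address and byte here is made up."""
    image = bytearray(b"\xff" * 0x10000)
    handlers = {name: 0xB000 for name in VECTOR_NAMES}   # shared default stub
    handlers.update({"SCISS": 0xA120, "TOI": 0xA340, "__RESET": 0x8000,
                     "IC1I": 0xC000})                    # $C000 is left blank
    del handlers["PAII"]                                 # this vector stays erased
    for i, name in enumerate(VECTOR_NAMES):
        if name in handlers:
            struct.pack_into(">H", image, VECTOR_BASE + 2 * i, handlers[name])
    for addr in (0xB000, 0xA120, 0xA340):
        image[addr] = 0x3B                               # RTI
    image[0x8000:0x8003] = bytes([0x8E, 0x03, 0xFF])     # LDS #$03FF
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    vecs = read_vectors(img)
    for handler, names in sorted(group_handlers(vecs).items()):
        print(f"${handler:04X}: {', '.join(names)}")
    print("do not trust:", suspicious_vectors(vecs, img))
```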
Old 08-06-2011, 11:49 AM   #2
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Here is the first array I found:
Code:
RESERVED:EDE8 Array1:         fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FA, $F2, $EB, $E5
RESERVED:EDE8                 fcb $DF, $DB, $D6, $D2, $CE, $CB, $C8, $C5, $C2, $C0, $BD
RESERVED:EDE8                 fcb $BB, $B8, $B6, $B4, $B2, $B1, $AF, $AD, $AB, $AA, $A8
RESERVED:EDE8                 fcb $A7, $A5, $A4, $A2, $A1, $A0, $9F, $9D, $9C, $9B, $9A
RESERVED:EDE8                 fcb $99, $98, $97, $96, $95, $94, $93, $92, $91, $90, $8F
RESERVED:EDE8                 fcb $8E, $8D, $8C, $8B, $8B, $8A, $89, $88, $87, $87, $86
RESERVED:EDE8                 fcb $85, $84, $84, $83, $82, $81, $81, $80, $7F, $7F, $7E
RESERVED:EDE8                 fcb $7D, $7D, $7C, $7B, $7B, $7A, $79, $79, $78, $78, $77
RESERVED:EDE8                 fcb $76, $76, $75, $75, $74, $73, $73, $72, $72, $71, $71
RESERVED:EDE8                 fcb $70, $70, $6F, $6E, $6E, $6D, $6D, $6C, $6C, $6B, $6B
RESERVED:EDE8                 fcb $6A, $6A, $69, $69, $68, $68, $67, $67, $66, $65, $65
RESERVED:EDE8                 fcb $64, $64, $63, $63, $62, $62, $61, $61, $60, $60, $60
RESERVED:EDE8                 fcb $5F, $5F, $5E, $5E, $5D, $5D, $5C, $5C, $5B, $5B, $5A
RESERVED:EDE8                 fcb $5A, $59, $59, $58, $58, $57, $57, $56, $56, $55, $55
RESERVED:EDE8                 fcb $54, $54, $53, $53, $52, $52, $51, $51, $50, $50, $4F
RESERVED:EDE8                 fcb $4F, $4E, $4E, $4D, $4D, $4C, $4C, $4B, $4B, $4A, $4A
RESERVED:EDE8                 fcb $49, $49, $48, $48, $47, $47, $46, $45, $45, $44, $44
RESERVED:EDE8                 fcb $43, $43, $42, $42, $41, $40, $40, $3F, $3F, $3E, $3E
RESERVED:EDE8                 fcb $3D, $3C, $3C, $3B, $3A, $3A, $39, $39, $38, $37, $37
RESERVED:EDE8                 fcb $36, $35, $34, $34, $33, $32, $31, $31, $30, $2F, $2E
RESERVED:EDE8                 fcb $2E, $2D, $2C, $2B, $2A, $29, $28, $27, $26, $25, $24
RESERVED:EDE8                 fcb $23, $22, $21, $20, $1F, $1D, $1C, $1B, $19, $18, $16
RESERVED:EDE8                 fcb $14, $13, $11, $F, $C, $A, 7, 4, 1, 0, 0, 0, 0, 0
And here are two others that I discovered SabercatPuck found already and mention was made that the graphs for these look like hp/torque graphs.

Code:
ROM:12C9D Array2:         fcb $FF, $FF, $FF, $FF, $F3, $E6, $DC, $D4, $CD, $C7, $C2
ROM:12C9D                 fcb $BD, $B9, $B5, $B1, $AE, $AB, $A8, $A6, $A3, $A1, $9F
ROM:12C9D                 fcb $9D, $9B, $99, $97, $95, $94, $92, $91, $8F, $8E, $8C
ROM:12C9D                 fcb $8B, $8A, $88, $87, $86, $85, $84, $83, $82, $81, $80
ROM:12C9D                 fcb $7F, $7E, $7D, $7C, $7B, $7A, $79, $78, $77, $77, $76
ROM:12C9D                 fcb $75, $74, $73, $73, $72, $71, $70, $70, $6F, $6E, $6E
ROM:12C9D                 fcb $6D, $6C, $6B, $6B, $6A, $6A, $69, $68, $68, $67, $66
ROM:12C9D                 fcb $66, $65, $65, $64, $63, $63, $62, $62, $61, $61, $60
ROM:12C9D                 fcb $60, $5F, $5E, $5E, $5D, $5D, $5C, $5C, $5B, $5B, $5A
ROM:12C9D                 fcb $5A, $59, $59, $58, $58, $57, $57, $56, $56, $55, $55
ROM:12C9D                 fcb $54, $54, $53, $53, $52, $52, $52, $51, $51, $50, $50
ROM:12C9D                 fcb $4F, $4F, $4E, $4E, $4D, $4D, $4C, $4C, $4C, $4B, $4B
ROM:12C9D                 fcb $4A, $4A, $49, $49, $48, $48, $47, $47, $47, $46, $46
ROM:12C9D                 fcb $45, $45, $44, $44, $43, $43, $43, $42, $42, $41, $41
ROM:12C9D                 fcb $40, $40, $3F, $3F, $3E, $3E, $3E, $3D, $3D, $3C, $3C
ROM:12C9D                 fcb $3B, $3B, $3A, $3A, $39, $39, $38, $38, $38, $37, $37
ROM:12C9D                 fcb $36, $36, $35, $35, $34, $34, $33, $33, $32, $32, $31
ROM:12C9D                 fcb $31, $30, $30, $2F, $2F, $2E, $2D, $2D, $2C, $2C, $2B
ROM:12C9D                 fcb $2B, $2A, $2A, $29, $28, $28, $27, $27, $26, $25, $25
ROM:12C9D                 fcb $24, $23, $23, $22, $21, $21, $20, $1F, $1F, $1E, $1D
ROM:12C9D                 fcb $1C, $1C, $1B, $1A, $19, $18, $18, $17, $16, $15, $14
ROM:12C9D                 fcb $13, $12, $11, $10, $E, $D, $C, $B, 9, 8, 6, 5, 3
ROM:12C9D                 fcb 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
ROM:12D9D Array3:         fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:12D9D                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:12D9D                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:12D9D                 fcb $FD, $FB, $F9, $F7, $F5, $F4, $F2, $F0, $EE, $ED, $EB
ROM:12D9D                 fcb $EA, $E8, $E7, $E5, $E4, $E2, $E1, $E0, $DE, $DD, $DC
ROM:12D9D                 fcb $DB, $D9, $D8, $D7, $D6, $D5, $D4, $D3, $D2, $D1, $CF
ROM:12D9D                 fcb $CE, $CD, $CC, $CB, $CA, $CA, $C9, $C8, $C7, $C6, $C5
ROM:12D9D                 fcb $C4, $C3, $C2, $C1, $C1, $C0, $BF, $BE, $BD, $BC, $BC
ROM:12D9D                 fcb $BB, $BA, $B9, $B8, $B8, $B7, $B6, $B5, $B5, $B4, $B3
ROM:12D9D                 fcb $B2, $B2, $B1, $B0, $AF, $AF, $AE, $AD, $AD, $AC, $AB
ROM:12D9D                 fcb $AB, $AA, $A9, $A9, $A8, $A7, $A6, $A6, $A5, $A5, $A4
ROM:12D9D                 fcb $A3, $A3, $A2, $A1, $A1, $A0, $9F, $9F, $9E, $9D, $9D
ROM:12D9D                 fcb $9C, $9B, $9B, $9A, $9A, $99, $98, $98, $97, $96, $96
ROM:12D9D                 fcb $95, $95, $94, $93, $93, $92, $91, $91, $90, $90, $8F
ROM:12D9D                 fcb $8E, $8E, $8D, $8C, $8C, $8B, $8B, $8A, $89, $89, $88
ROM:12D9D                 fcb $87, $87, $86, $85, $85, $84, $83, $83, $82, $82, $81
ROM:12D9D                 fcb $80, $80, $7F, $7E, $7E, $7D, $7C, $7B, $7B, $7A, $79
ROM:12D9D                 fcb $79, $78, $77, $77, $76, $75, $74, $74, $73, $72, $71
ROM:12D9D                 fcb $71, $70, $6F, $6E, $6E, $6D, $6C, $6B, $6A, $69, $69
ROM:12D9D                 fcb $68, $67, $66, $65, $64, $63, $62, $61, $60, $5F, $5E
ROM:12D9D                 fcb $5D, $5C, $5B, $5A, $59, $58, $57, $56, $54, $53, $52
ROM:12D9D                 fcb $51, $4F, $4E, $4C, $4B, $49, $47, $46, $44, $42, $40
ROM:12D9D                 fcb $3E, $3C, $39, $36, $34, $30, $2D, $29, $24, $1F, $18
ROM:12D9D                 fcb $F, 0, 0
All of these are Array[256]

Old 08-06-2011, 12:12 PM   #3
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,546
 

1998 SC2
Default Re: Breaking the code

The original microcomputer OS loaded vectors into low RAM for firmware BIOS access for the basic I/O. Don't see why that would have changed much as it is still a semi-standard embedded processor architecture.

Old 08-06-2011, 12:13 PM   #4
campus189
Member
Join Date: Jul 2010
Location: Kingsport Tennessee
Posts: 397

1997 SL1
1997 SL2
Default Re: Breaking the code

Just curious.
Is this a ROM or EEPROM?
Reason that I'm asking is, if it's an EEPROM, then we can reprogram it for ourselves.
How many pins is it?
I'm too lazy to crack mine open and look

...
1997 Saturn SL2 144,000 Miles
1997 Saturn SL1 254,000 Miles
1997 Saturn SL1 157,000 Miles
1996 Saturn SL1 97,000 Miles

Also known as FiremanCV on YouTube

Old 08-06-2011, 12:20 PM   #5
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Quote:
The original microcomputer OS loaded vectors into low RAM for firmware BIOS access for the basic I/O. Don't see why that would have changed much as it is still a semi-standard embedded processor architecture.
Yep, that would be the norm for basics.

Quote:
Just curious.
Is this a ROM or EEPROM?
Reason that I'm asking is, if it's an EEPROM, then we can reprogram it for ourselves.
How many pins is it?
I'm too lazy to crack mine open and look
I believe it is ROM+EEPROM
Sabercatpuck has pics here http://delcohacking.net/forums/viewt...t=377&start=10
He actually desoldered the flashable portion and put it in a nice socket, that way he could also fix the "encryption" issue of the 4 switched address pins.

Old 08-06-2011, 12:25 PM   #6
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,546
 

1998 SC2
Default Re: Breaking the code

It is an EEPROM as the initial code is loaded remotely. There is a flash enable line in the data link connector.

Old 08-06-2011, 12:40 PM   #7
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Quote:
It is an EEPROM as the initial code is loaded remotely. There is a flash enable line in the data link connector.
That will make this a lot easier :nod:

Found another gradient in the ROM segment. It doesn't fit a standard size for percentage (256 or 512), looks like 350 elements (256+64+30)

Code:
ROM:1C4A7                 fcb 0, 0, 0, 0, 0, 1, 1, 7, 7, 8, 8, $B, $B, $C, $C, $12
ROM:1C4A7                 fcb $12, $16, $16, $19, $19, $1A, $1A, $1D, $1D, $1E, $1E
ROM:1C4A7                 fcb $21, $21, $22, $22, $22, $22, $23, $23, $23, $23, $24
ROM:1C4A7                 fcb $24, $24, $24, $25, $25, $25, $25, $26, $26, $26, $26
ROM:1C4A7                 fcb $27, $27, $27, $27, $28, $28, $28, $28, $29, $29, $29
ROM:1C4A7                 fcb $29, $2A, $2A, $2A, $2A, $2B, $2B, $2B, $2B, $2C, $2C
ROM:1C4A7                 fcb $2C, $2C, $2D, $2D, $2D, $2D, $2E, $2E, $2E, $2E, $2F
ROM:1C4A7                 fcb $2F, $2F, $2F, $30, $30, $30, $30, $31, $31, $31, $31
ROM:1C4A7                 fcb $32, $32, $32, $32, $33, $33, $33, $33, $34, $34, $34
ROM:1C4A7                 fcb $34, $35, $35, $35, $35, $36, $36, $36, $36, $37, $37
ROM:1C4A7                 fcb $37, $37, $38, $38, $38, $38, $39, $39, $39, $39, $3A
ROM:1C4A7                 fcb $3A, $3A, $3A, $3B, $3B, $3B, $3B, $3C, $3C, $3C, $3C
ROM:1C4A7                 fcb $3D, $3D, $3D, $3D, $3E, $3E, $3E, $3E, $3F, $3F, $3F
ROM:1C4A7                 fcb $3F, $40, $40, $40, $40, $41, $41, $41, $41, $42, $42
ROM:1C4A7                 fcb $42, $42, $43, $43, $43, $43, $44, $44, $44, $44, $45
ROM:1C4A7                 fcb $45, $45, $45, $46, $46, $46, $46, $47, $47, $47, $47
ROM:1C4A7                 fcb $48, $48, $48, $48, $49, $49, $49, $49, $4A, $4A, $4A
ROM:1C4A7                 fcb $4A, $4B, $4B, $4B, $4B, $4C, $4C, $4C, $4C, $4D, $4D
ROM:1C4A7                 fcb $4D, $4D, $4E, $4E, $4E, $4E, $4F, $4F, $4F, $4F, $50
ROM:1C4A7                 fcb $50, $50, $50, $51, $51, $51, $51, $52, $52, $52, $52
ROM:1C4A7                 fcb $53, $53, $53, $53, $54, $54, $54, $54, $55, $55, $55
ROM:1C4A7                 fcb $55, $56, $56, $56, $56, $57, $57, $57, $57, $58, $58
ROM:1C4A7                 fcb $58, $58, $59, $59, $59, $59, $5A, $5A, $5A, $5A, $FF
ROM:1C4A7                 fcb $6C, $C6, $A7, $6E, $C6, $55, $FF, $6C, $C6, $D0, $FF
ROM:1C4A7                 fcb $6C, $C6, $F9, $6E, $C6, $7E, $FE, $C7, $9D, $FF, $6C
ROM:1C4A7                 fcb $C7, $22, $FF, $6C, $C7, $4B, $FF, $6C, $C7, $74, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF
EDIT: I'm trying to graph it... looks like it is another 16x16 grid actually, but the data afterwards seems to fit in a way <.<

Old 08-06-2011, 01:08 PM   #8
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Here is a graph of the newest array.
http://dl.dropbox.com/u/3746724/Array%204.png

Array size is 16x22 (256+64+32)

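One way to check where a table such as the one at ROM:1C4A7 really ends, as an added example that is not part of the original posts: parse the `fcb` lines into bytes, take the longest smooth rising or falling run as the table, and separate what follows into trailing $FF fill and everything else. The listing below is constructed in the same format, and the function names, `max_step` and `min_distinct` thresholds are this example's own assumptions.

```python
import re

# "SEG:ADDR [Label:] fcb v, v, ..." as printed in the listings above.
FCB_RE = re.compile(r"\s*\w+:([0-9A-Fa-f]+)\s+(?:\w+:\s*)?fcb\s+([^;]*)")


def parse_fcb(listing):
    """Return (start_address, data) from fcb lines. Continuation lines repeat
    the array's start address, so only the first line's address is used."""
    start, data = None, bytearray()
    for line in listing.splitlines():
        m = FCB_RE.match(line)
        if not m:
            continue
        if start is None:
            start = int(m.group(1), 16)
        for tok in m.group(2).split(","):
            tok = tok.strip()
            if tok:
                # "$1F" is hex; bare operands (0-9 in the listings) are decimal.
                data.append(int(tok[1:], 16) if tok.startswith("$") else int(tok))
    return start, bytes(data)


def longest_gradient_run(data, max_step=0x20, min_distinct=4):
    """Longest run that only rises or only falls in steps of at most max_step.
    Returns (offset, length, direction) or None. Flat fill ($FF, $00) is
    rejected by min_distinct; a jump such as $5A -> $FF ends the run."""
    best = None
    for sign, direction in ((1, "rising"), (-1, "falling")):
        i = 0
        while i < len(data):
            j = i
            while j + 1 < len(data) and 0 <= sign * (data[j + 1] - data[j]) <= max_step:
                j += 1
            length = j - i + 1
            distinct = len(set(data[i:j + 1]))
            if distinct >= min_distinct and (best is None or length > best[1]):
                best = (i, length, direction)
            i = j + 1
    return best


def split_table(data, **kw):
    """Split data into the gradient table, trailing $FF fill, and whatever
    sits between them (pointers, code or a second structure)."""
    run = longest_gradient_run(data, **kw)
    if run is None:
        raise ValueError("no gradient-like run found")
    off, length, direction = run
    rest = data[off + length:]
    fill = len(rest) - len(rest.rstrip(b"\xff"))
    return {"offset": off, "length": length, "direction": direction,
            "between": rest[:len(rest) - fill], "fill": fill}


# Constructed listing in the same format (not bytes from the dump).
SAMPLE = """\
ROM:2000 Demo:           fcb 0, 0, 1, 1, 2, 4, 4, 7, 9, $A, $C
ROM:2000                 fcb $10, $10, $14, $18, $1C, $20, $20, $FF, $6C, $21
ROM:2000                 fcb $40, $6E, $21, $80, $FF, $FF, $FF, $FF, $FF, $FF
"""

if __name__ == "__main__":
    start, data = parse_fcb(SAMPLE)
    info = split_table(data)
    print(f"table at ${start + info['offset']:X}: {info['length']} bytes, {info['direction']}")
    print(f"{len(info['between'])} unexplained bytes, then {info['fill']} bytes of $FF fill")
```

A table length that has no sensible rows-by-columns factoring, or a non-empty `between` span, is a hint that the bytes after the run belong to a different structure.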
Old 08-06-2011, 01:56 PM   #9
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,546
 

1998 SC2
Default Re: Breaking the code

Any idea what accesses the table?

Old 08-06-2011, 02:24 PM   #10
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

For my ref:
sub_AE37 xrefed by only requestdevicecontrol and returntonormoperation, request DTCs jumps into the halfway mark.

And I have no idea, it is a little past the middle of the ROM section.
I can tell that most of the ROM section is code, but I need to figure out EPs for these subroutines. There are no hard cross-refs to these ROM functions because they have to be paged over by the sub5666 routine.
Subroutines are found by pure guesswork for me (no logic analyzer like Sabercat because I don't have an extra pcm) in situations like this. Once the code is found near this table (because it is quite obvious that they leave some variable space in between these subroutines) we can start analyzing it.
Sabercat found a jump table, but he didn't post all of it (it is how I found all of the scanner functions) because he didn't think anything else would be useful, but when you look at the code vs undefined in the ROM area only about 8 to 10% is covered by this.

The ROM subroutines do reference where these tables end up, but I can't automatically find them because they aren't directly referenced (because of the need for a pager). So far, none of my current found code table references it.

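A heuristic for the entry-point hunt described above, as an added example that is not part of the original post: count the targets of every `BD hh ll` byte pattern (the 3-byte 68HC11 `jsr` form, as in the listing at ROM:10011) and rank the addresses that are called most often. It assumes one page of code mapped at a known CPU base address, and it cannot see calls that are routed through the pager; the sample bytes and function names are constructed.

```python
from collections import Counter

JSR_EXT = 0xBD                      # 68HC11 "jsr <16-bit address>", 3 bytes
RTS, RTI, JMP_EXT = 0x39, 0x3B, 0x7E


def jsr_targets(blob):
    """Count the target of every BD hh ll pattern, instruction-aligned or not."""
    counts = Counter()
    for i in range(len(blob) - 2):
        if blob[i] == JSR_EXT:
            counts[(blob[i + 1] << 8) | blob[i + 2]] += 1
    return counts


def rank_entry_points(blob, base, min_refs=2):
    """Return [(target, refs, follows_end)] for targets that fall inside blob.

    follows_end is True when the byte before the target is RTS/RTI, or a
    3-byte JMP ends right before it, i.e. the target starts where a previous
    routine stops. Data that happens to contain $BD produces one-off targets,
    which min_refs filters out.
    """
    ranked = []
    for target, refs in jsr_targets(blob).items():
        off = target - base
        if refs < min_refs or not 0 <= off < len(blob):
            continue
        follows_end = (off >= 1 and blob[off - 1] in (RTS, RTI)) or \
                      (off >= 3 and blob[off - 3] == JMP_EXT)
        ranked.append((target, refs, follows_end))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def build_sample():
    """Constructed 48-byte fragment meant to be mapped at $8000 (not from the dump)."""
    blob = bytearray([0x01] * 0x30)                  # NOP padding
    blob[0x00:0x0D] = bytes([0xBD, 0x80, 0x10,       # jsr $8010
                             0xBD, 0x80, 0x10,       # jsr $8010
                             0xBD, 0x80, 0x20,       # jsr $8020
                             0xBD, 0x90, 0x00,       # jsr $9000 (outside this blob)
                             RTS])
    blob[0x0F] = RTS                                 # end of the previous routine
    blob[0x10:0x13] = bytes([0x86, 0x01, RTS])       # ldaa #1 / rts
    blob[0x20:0x22] = bytes([0x4F, RTS])             # clra / rts
    blob[0x28:0x2B] = bytes([0xBD, 0x80, 0x21])      # table data that looks like a jsr
    return bytes(blob)


if __name__ == "__main__":
    for target, refs, follows_end in rank_entry_points(build_sample(), 0x8000, min_refs=1):
        note = "starts after a return" if follows_end else "no routine boundary before it"
        print(f"${target:04X}: {refs} call site(s), {note}")
```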
Old 08-06-2011, 02:38 PM   #11
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,546
 

1998 SC2
Default Re: Breaking the code

What does your local pick-and-pull get for a DOHC manual PCM? Gen-2 vintage?

Old 08-06-2011, 03:00 PM   #12
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Quote:
What does your local pick-and-pull get for a DOHC manual PCM? Gen-2 vintage?
Money I won't have for 3.5 weeks as University says I have to wait and I still have to pay 500 for books real soon.
Off top of my head I think it is 30 bucks, but most of my area doesn't have anything left out of the dohc's.

I went tracing odd sections in RAM for access, and I keep being kicked back into sub10000 (start of ROM I found). Something tells me I might find some gold in here for code.

UPDATE: Found a nice looking function that spans between the reserved sector and the ROM <.<

Declare code section at ROM:17FD9

UPDATE: WHOA! It jumps back into the middle of what I thought was interesting earlier: sub_AE37

Last edited by Thisita; 08-06-2011 at 03:12 PM..

Old 08-06-2011, 03:17 PM   #13
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,546
 

1998 SC2
Default Re: Breaking the code

When you want one they all become extremely scarce....

Old 08-06-2011, 03:29 PM   #14
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,546
 

1998 SC2
Default Re: Breaking the code

Was going to grab a used MT DOHC box for testing purposes. They seem to have become very scarce for some reason.

Old 08-06-2011, 04:26 PM   #15
fetchitfido
Super Member
Join Date: May 2006
Posts: 13,495
 

2001 SC2
Default Re: Breaking the code

I've got 2 2nd gen PCMs I was saving for 5spd swap kits for permanently fixing any autotragic I come across again. One's from a '97 SL2, ABS, no cruise, and the other was from either a '97 SC2 or '98 SL2, no ABS & has cruise.

...
The proper way to fix a S-Series automatic is to replace it with a 5spd O:)

Old 08-06-2011, 06:17 PM   #16
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Ok, I found out that I have to hand do the jumps while in ROM. It didn't dawn on me that my auto-tracer would understand that... that means there is a lot of bad code sections right now lol, but this will allow for things to make sense now lol

Having to deal with a pager is getting the best of me.
*pulls out drawing board* Not any more, I'm kicking this old school

Old 08-06-2011, 06:38 PM   #17
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Yep, this is starting to make a lot more sense now XDDD
I'm thinking about undefining my entire RESERVED sector as I'm pretty sure it is all bogus data now.

Old 08-06-2011, 06:55 PM   #18
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,546
 

1998 SC2
Default Re: Breaking the code

Check with Fetchitfido above and see if he will part with one of those manual boxes. Then you can socket the chip and run the thing on the bench. Being able to disable some of those irritating tests and set the monitors to forever passed would be handy, to say the least. EGR and Secondary AIR system top the list.

Old 08-06-2011, 09:56 PM   #19
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Completed code finding. Anything else is so unreferenced it would be unreal.

Reserved code isn't bogus, but I have no clue what most of it is for until I start doing serious tracing. There are also still some chunks of data that I can't tell if it is code or not.

Those are in the reserved areas, which were typically contiguous code.

There is only one gradient in the reserved area.
Quote:
EDE8 FF FF FF FF FF FF FF FA F2 EB E5 DF DB D6 D2 CE
EDF8 CB C8 C5 C2 C0 BD BB B8 B6 B4 B2 B1 AF AD AB AA
EE08 A8 A7 A5 A4 A2 A1 A0 9F 9D 9C 9B 9A 99 98 97 96
EE18 95 94 93 92 91 90 8F 8E 8D 8C 8B 8B 8A 89 88 87
EE28 87 86 85 84 84 83 82 81 81 80 7F 7F 7E 7D 7D 7C
EE38 7B 7B 7A 79 79 78 78 77 76 76 75 75 74 73 73 72
EE48 72 71 71 70 70 6F 6E 6E 6D 6D 6C 6C 6B 6B 6A 6A
EE58 69 69 68 68 67 67 66 65 65 64 64 63 63 62 62 61
EE68 61 60 60 60 5F 5F 5E 5E 5D 5D 5C 5C 5B 5B 5A 5A
EE78 59 59 58 58 57 57 56 56 55 55 54 54 53 53 52 52
EE88 51 51 50 50 4F 4F 4E 4E 4D 4D 4C 4C 4B 4B 4A 4A
EE98 49 49 48 48 47 47 46 45 45 44 44 43 43 42 42 41
EEA8 40 40 3F 3F 3E 3E 3D 3C 3C 3B 3A 3A 39 39 38 37
EEB8 37 36 35 34 34 33 32 31 31 30 2F 2E 2E 2D 2C 2B
EEC8 2A 29 28 27 26 25 24 23 22 21 20 1F 1D 1C 1B 19
EED8 18 16 14 13 11 0F 0C 0A 07 04 01 00 00 00 00 00
Here is a picture of it:
http://dl.dropbox.com/u/3746724/Array%201.png

Old 08-06-2011, 10:08 PM   #20
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,546
 

1998 SC2
Default Re: Breaking the code

That almost looks like an advance curve...
