SaturnFans.com
Old 08-13-2011, 04:10 PM   #61
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,233
 

1998 SC2
Default Re: Breaking the code

Are you asking Thisita that question?

Old 08-13-2011, 08:55 PM   #62
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Quote:
That is why I had to walk through the addresses looking for trans temp, Internet info was wrong....at least for saturn's.
Yeah, I kinda figured that would be the case. Still stepping through; have had some delays.
Quote:
Saturn is unique except for the small set of FED mandated codes. Makes almost everything you find on the interwebs wrong.
But thank goodness we have the FED mandated ones, makes my job tracking through this easier by having known standards to compare to

Yes, I think the actual calculations are metric system.
Thanks for confirming that.
Quote:
I have a general question about the process.

Are you using a Datacom Analyzer to record a Tech 2 scanner session?
I wish I had a tech2 or the tech2 firmware. I think we all do <.<
I wonder if anyone has had the heart to crack one of those beasts open <.<

Currently this is what has happened:
Sabercatpuck:
- Used a generic ROM dumper to download the firmware code
- He worked with the actual SAE docs and a 32-ch logic analyzer to watch pings from his scantool which is much like the new scangauge. He used this info to track down what code was actually being run in the processes (malformed mode 22 requests)
Myself:
- Took his binary dumps and imported them into IDA pro which is an interactive disassembler using standards for the processor to map the binary
- Used the jump table Sabercatpuck found (and named via SAE list) for starting entry points in the 2nd and 3rd portions of the firmware.
- I then laid out the rest of the code that he didn't map or hadn't mapped yet. Found 2 extra data tables.
- I'm now using SAE standards, knowledge of the RAM location of the formatted reply packet, and 1996SL11.9L's known mode-22 PID to trace through the mode 22 function by hand in IDA.
Sorry for the delay guys, had to clean house a bit. Literally <.<
House, car (prolly about 40lbs lighter now), bad relationships go poof, etc etc

Ok, I set a data structure for the formatted reply area and I saw fireworks 8D
- A nice juicy list of data cross-refs (this means direct memory access) from the FED required areas
- I think it will get even more interesting when I find all the pointer locations. The mode-22 function uses a pointer to the memory location (makes auto-mapping it a little more time consuming), and I'm guessing all the other non-standard modes as well. Tracing through mode-22 is obviously first priority, though.

#offtopic# As a side-bar, some dude in an auto, body-kitted, CAI'ed civic challenged me at a light today... Beat him driving normally -.- His poor exhaust sounded like it was going to fall off (if he had one... a lot of people around here saw them off first thing). *shakes head* Brightened my day a little bit, but goodness those guys annoy me...
And on a happier note, saw a custom paint, no-spoiler (tear) 98 sc2 yesterday
And even happier, I checked my current mpg rating and I'm around 38ish mpg. I was getting about 31ish (sometimes 33 with good gas/weather) before the timing kit.

Old 08-13-2011, 09:19 PM   #63
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,233
 

1998 SC2
Default Re: Breaking the code

Excellent gas mileage and blowing off rice burners makes it all worth it.

As to cracking into a Tech-2 I suspect that it has not been done or if it has it is not being announced as with all the GM/user group etc money grubbing for the codes breaking into a product would cause lawyers to rain from the sky. The Federal laws on the availability of the code is what will let you get away with what you are doing or what ScanGauge has probably done.

Old 08-13-2011, 10:57 PM   #64
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

......
Quote:
Excellent gas mileage and blowing off rice burners makes it all worth it.
You bet. Although, not near as gratifying as riding in my uncle's mustang, all ~1000hp of it (I'm not exaggerating, it has a parachute) as he moved it. I see why my dad loved his 500+ hp cars when he was a kid, there is nothing like that. Obviously my uncle wouldn't let me drive it. Sidekicking was more than fun though lol

Quote:
As to cracking into a Tech-2 I suspect that it has not been done or if it has it is not being announced as with all the GM/user group etc money grubbing for the codes breaking into a product would cause lawyers to rain from the sky. The Federal laws on the availability of the code is what will let you get away with what you are doing or what ScanGauge has probably done.
It is 1500 for a tech2 iirc, I'm sure GM/Delco could cough up a nice multiplier of that for zipping one's lips depending on how clean the hacker's work is. I always remember something being said about a "super" carburetor that would get min of 50mpg but the leak was hidden by cash <.<
Reminds me of when those MIT grad kids got jacked by the DoD for publishing a paper on a family of trap-door functions
Don't you love capitalist politics? XD Makes the world very interesting

Old 08-14-2011, 12:10 AM   #65
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,233
 

1998 SC2
Default Re: Breaking the code

Lots of things go down the memory hole. The real Tech-2 is over $2000 and there is a membership fee to get access to the information that is contained in the Tech-2. I think you posted the link to the supposed central repository of the DTC info. It all works the same way as the SAE, ANSI, ASME and IEEE papers and standards -- send money. If you want access to all that you pay by the publication or you join the group for big bucks/year.

Old 08-14-2011, 01:30 AM   #66
1996SL11.9L
Senior Member
Join Date: Sep 2009
Location: Stouchsburg, PA
Posts: 1,659
 

2002 SL1
Default Re: Breaking the code

My brother and I scored a MAC Mentor/OTC Geniss for 450 dollars updated to 2008.

The garage needed to upgrade for newer cars and the MAC man around here is a jerk.....practically nothing for a trade in.

Some people give up information freely....others want compensated for it ....what you're attempting is one of the things that I wish I went for an EE or something to help tie my desires with knowledge. (ever since processor theory school in the navy). Have lots of ideas in my head where I used to work I could play, now. I work for a big Corp and they have engineers doing all the programming and machinery upgrades........they have no concept for reality.

Old 08-14-2011, 08:02 AM   #67
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,233
 

1998 SC2
Default Re: Breaking the code

They do not actually teach how to hack proprietary firmware anywhere. It is one of those skills you have to develop on your own. Hacking proprietary programs that are run through an OS is easier than the low level firmware because very few places ever get down to the hardware level -- how this hardware actually functions -- and you need this basic knowledge to unravel the code.

A recent example is the Stuxnet worm.

Old 08-14-2011, 04:16 PM   #68
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Quote:
They do not actually teach how to hack proprietary firmware anywhere. It is one of those skills you have to develop on your own. Hacking proprietary programs that are run through an OS is easier than the low level firmware because very few places ever get down to the hardware level -- how this hardware actually functions -- and you need this basic knowledge to unravel the code.
Which is why a few people find my resume hobbies quite interesting
I only hack soft on the asm level which is pretty close to hardware especially if it is ring0. I like the control.
Ok... If my tracing is correct the actual memory address for PID 1154 is at B73B

The first number is an ENUM listing, as the code checks for 11, 12, 13, and a few other oddballs, and loads a physical address (from a pointer) into the index register
Then it does some math with it and accumulator B (which has second part of the pid in it, or 54 in this case).

So I believe physical address is B73B +/- a digit or two
There were a lot of oddball jumps in this math o.O

After that it uses this physical location and dumps it in the data packet, does some bitwise ORs (to make the packet a reply) and jumps off to the middle of the Request upload function.

So, it looks like we have guess and check for what the part B is, and that will take a group effort and knowing what we want.
Only possible first PID bytes are:
11
12
13
1C
51
59
CF
F4

Old 08-14-2011, 04:24 PM   #69
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Looking at the code in that area, there is a function I say starts at that address <.< I can't really tell if it is bad code or not.
Doubtless it looks different when paged over though <.<

Old 08-14-2011, 04:25 PM   #70
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,233
 

1998 SC2
Default Re: Breaking the code

There are very few people who are even the least interested in ROM firmware development.

Old 08-14-2011, 04:27 PM   #71
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Quote:
There are very few people who are even the least interested in ROM firmware development.
I've always found it quite interesting <.< Especially the new lightweight firmwares for bluetooth/RFID/WiFi honeypotting. Always wanted to crack one of those custom hacktools open

Old 08-14-2011, 05:16 PM   #72
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,233
 

1998 SC2
Default Re: Breaking the code

The code for those may be floating around in the wild.

Old 08-14-2011, 05:44 PM   #73
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Quote:
The code for those may be floating around in the wild.
Data is always in the wild, it is just a matter of how far you are willing to go to get it. Just like that designer worm you mentioned

Old 08-14-2011, 06:21 PM   #74
1996SL11.9L
Senior Member
Join Date: Sep 2009
Location: Stouchsburg, PA
Posts: 1,659
 

2002 SL1
Default Re: Breaking the code

Is the 11 indirect addressing? Did that a lot with PLC's

Old 08-14-2011, 06:23 PM   #75
aaron95sl2
Advanced Member
Join Date: Jun 2009
Location: Spokane, WA
Posts: 526

1995 SL2
Default Re: Breaking the code

Quote:
Originally Posted by Thisita View Post
Going to be delayed for a day or two. Had a strange powerfailure that managed to get past the pure sine wave power conditioner to my main computer. Computer works but I have some corrupt data to fix that shouldn't take long.
One reason all my comps are laptops now: BATTERIES! lol If you don't want to pay the premium for a laptop, buy used with broken screen and plug it into your monitor like I did.

...
1995 SL2 | Fully loaded | 165k on odometer |30k on new engine w/ KB-S pistons - not a single drop of oil lost so far!

Old 08-14-2011, 08:26 PM   #76
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

Quote:
Is the 11 indirect addressing? Did that a lot with PLC's
In a sense, all of those numbers are nodes on a binary search tree that each load their own pointer to a memory location. These pointers are located on a data table nearby.

In C++ it would look like

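Code:
#include <cstdint>

// Stand-ins for the two tables; the firmware loads these bases from a nearby pointer table.
static uint8_t MemoryBase_A[512], MemoryBase_B[512];

// Turn a two-byte PID (XX YY) into the address held in the index register.
uint8_t *decode_pid(uint8_t PID_XX, uint8_t PID_YY)
{
    uint8_t *reg_x = nullptr;          // stays NULL for an unlisted first byte
    switch (PID_XX)
    {
        case 0x11:
            reg_x = MemoryBase_A;
            break;
        case 0x12:
            reg_x = MemoryBase_B;
            break;
        // etc
        default:
            break;
    }
    if (reg_x != nullptr)
        reg_x += (2 * PID_YY);         // second PID byte, scaled by 2
    return reg_x;
}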
That is what the subroutine for deciphering the PID would look like in non-optimized (like I said, they used a binary search tree) code.
Before it exits it does a sanity check on the address (test for NULL case), when it gets back it checks where the address lies in a range and will either dump the contents of physical address stored in reg_x or it will jump to its location+1 (which I assume is for bit-coded data).

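The lookup described in posts #68 and #76, written out as an added C example (not code from the thread or from the firmware): the first PID byte is binary-searched against the eight accepted values, and the second byte is doubled and added to that entry's base. The base addresses and function names are constructed for illustration; 0xB693 is picked only so that PID 1154 resolves to the B73B estimated in post #68.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First PID bytes listed in post #68 as the only ones the routine accepts,
 * kept sorted so they can be binary-searched. The base addresses are
 * CONSTRUCTED placeholders, not values read from the firmware; 0xB693 is
 * chosen only so that PID 1154 lands on the B73B estimated in the thread. */
struct pid_base { uint8_t first; uint16_t base; };

static const struct pid_base PID_TABLE[] = {
    {0x11, 0xB693}, {0x12, 0xB893}, {0x13, 0xBA93}, {0x1C, 0xBC93},
    {0x51, 0xC000}, {0x59, 0xC200}, {0xCF, 0xC400}, {0xF4, 0xC600},
};
#define PID_TABLE_LEN (sizeof PID_TABLE / sizeof PID_TABLE[0])

/* Binary search over the sorted first-byte table; NULL if not listed. */
static const struct pid_base *find_base(uint8_t first)
{
    size_t lo = 0, hi = PID_TABLE_LEN;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (PID_TABLE[mid].first == first)
            return &PID_TABLE[mid];
        if (PID_TABLE[mid].first < first)
            lo = mid + 1;
        else
            hi = mid;
    }
    return NULL;
}

/* Resolve a mode-22 PID (XX YY) to a 16-bit address: base(XX) + 2*YY.
 * Returns 0 (the "NULL case" from post #76) for an unlisted XX or if
 * the sum would wrap past the 16-bit address space. */
uint16_t resolve_pid(uint16_t pid)
{
    uint8_t xx = (uint8_t)(pid >> 8), yy = (uint8_t)(pid & 0xFF);
    const struct pid_base *e = find_base(xx);
    if (e == NULL)
        return 0;
    uint32_t addr = (uint32_t)e->base + 2u * yy;
    return addr > 0xFFFF ? 0 : (uint16_t)addr;
}

/* Highest address reachable from one base: YY is 8 bits, so base + 2*0xFF. */
uint16_t window_end(uint8_t xx)
{
    const struct pid_base *e = find_base(xx);
    return e ? (uint16_t)(e->base + 2u * 0xFF) : 0;
}

int main(void)
{
    /* Constructed sample requests: three listed, one unlisted first byte. */
    static const uint16_t samples[] = {0x1154, 0x1100, 0x11FF, 0x1454, 0xF401};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t a = resolve_pid(samples[i]);
        if (a)
            printf("PID %04X -> address %04X\n", samples[i], a);
        else
            printf("PID %04X -> rejected\n", samples[i]);
    }
    return 0;
}
```

Because the second byte is 8 bits, each accepted first byte exposes at most a 0x1FE-byte window above its base, which is the range to compare against the memory map when reviewing a handler like this.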
Old 08-14-2011, 10:20 PM   #77
diame
New Member
Join Date: Aug 2011
Posts: 5
Default Re: Breaking the code

something I need to research about that.

Old 09-02-2011, 05:33 AM   #78
1996SL11.9L
Senior Member
Join Date: Sep 2009
Location: Stouchsburg, PA
Posts: 1,659
 

2002 SL1
Default Re: Breaking the code

The baro PID you asked me to try may be baro after all. After I said it doesn't change I noticed it varying a few points. During the hurricane it went its lowest. But the numbers are off.

Can you tell me how many bits (like 0 to 255) and possibly what bit other return word it starts. I show 738ish. 721 was during storm. I'm off a bit or two on the LSB end I think.

Old 09-02-2011, 06:40 AM   #79
Thisita
Member
Join Date: Jun 2011
Location: Kentucky
Posts: 305

1996 SC2
Default Re: Breaking the code

One byte, so that is 8 bits...
Hmm
738 inches of mercury = 362.43 psi
That sounds a lot like the high side of the a/c to me, but I don't know much about them. That would also be affected by the ambient pressure.

I'm trying to think of what would be under that high of pressure....

Old 09-02-2011, 08:13 AM   #80
OldNuc
Super Member
Join Date: Apr 2008
Location: Far Southwestern Iowa
Posts: 63,233
 

1998 SC2
Default Re: Breaking the code

Can not think of anything that is actually monitored.
