SaturnFans.com Forums: S-Series Tech
08-06-2011, 12:40 PM   #1
Thisita
Breaking the code

Ok, OldNuc made a mention of a bin dump that SabercatPuck posted from a 1999 Saturn S-series Auto, and I've been playing with it in IDA Pro.


My old thread that started getting into this topic: http://www.saturnfans.com/forums/sho...168108&page=29
SabercatPuck's thread on delcohacking: http://delcohacking.net/forums/viewt...t=377&start=50
SabercatPuck's post of the dump files that I'm using: http://www.saturnfans.com/forums/sho...5&postcount=67

Link to the freeware version of the software I'm using: http://www.hex-rays.com/idapro/idadownfreeware.htm
You need to change load signatures for the Motorola XC68HC11F1 that is being used in the PCM.
My software version is IDA Pro v5.5

I'm still getting bases covered, but I've already uncovered something that SabercatPuck didn't make mention of at physical address 10000 (very start of the ROM section).
Here is a taste of it:
Code:
ROM:10000                 idiv                    ; Integer divide 16 by 16
ROM:10001                 suba    #0              ; Subtract
ROM:10003                 ldaa    word_14E2       ; Load accumulator from memory
ROM:10006                 ldd     word_14E2       ; Load double accumulator
ROM:10009                 anda    #$7F ; ''      ; Logical AND
ROM:1000B                 std     word_14E2       ; Store accumulators in memory
ROM:1000E                 std     word_1872       ; Store accumulators in memory
ROM:10011                 jsr     sub_5834        ; Jump to subroutine
ROM:10014                 jsr     sub_80F9        ; Jump to subroutine
ROM:10017                 jsr     sub_8117        ; Jump to subroutine
ROM:1001A                 jsr     sub_5834        ; Jump to subroutine
ROM:1001D                 jsr     sub_5840        ; Jump to subroutine
ROM:10020                 jsr     sub_815E        ; Jump to subroutine
ROM:10023                 jsr     sub_8184        ; Jump to subroutine
ROM:10026                 jsr     loc_81D7+1      ; Jump to subroutine
ROM:10029                 jsr     sub_81EB        ; Jump to subroutine
ROM:1002C                 jsr     loc_81FA+1      ; Jump to subroutine
ROM:1002F                 jsr     loc_8215        ; Jump to subroutine
ROM:10032                 jsr     sub_8232        ; Jump to subroutine
ROM:10035                 jsr     loc_8286+1      ; Jump to subroutine
ROM:10038                 jsr     loc_8313        ; Jump to subroutine
ROM:1003B                 jsr     sub_5834        ; Jump to subroutine
ROM:1003E                 jsr     sub_5840        ; Jump to subroutine
ROM:10041                 ldaa    word_14E2       ; Load accumulator from memory
ROM:10044                 ldd     word_14E2       ; Load double accumulator
ROM:10047                 andb    #$BF ; '+'      ; Logical AND
ROM:10049                 std     word_14E2       ; Store accumulators in memory
ROM:1004C                 std     word_1872       ; Store accumulators in memory
ROM:1004F                 brset   byte_6B 2 unk_81 ; Branch if bit (n) in memory set
ROM:10053                 jsr     sub_7105        ; Jump to subroutine
ROM:10056                 ldaa    byte_6C         ; Load accumulator from memory
ROM:10058                 anda    #$FE ; ''      ; Logical AND
ROM:1005A                 staa    byte_6C         ; Store accumulator in memory
ROM:1005C                 ldx     #$193A          ; Load index register from memory
ROM:1005F                 ldaa    #0              ; Load accumulator from memory
What is even more interesting to me is the decent number of incrementing loops after this section in the function.
There are no cross-refs to this function either.

The USER_VEC Segment seems to be a form of exportable function table.
Code:
USER_VEC:FFD6                 fdb SCISS               ; SCI Serial System
USER_VEC:FFD8                 fdb SPIE                ; SPI Serial Transfer Complete
USER_VEC:FFDA                 fdb PAII                ; Pulse Accumulator Input Edge
USER_VEC:FFDC                 fdb PAOVI               ; Pulse Accumulator Overflow
USER_VEC:FFDE                 fdb TOI                 ; Timer Overflow
USER_VEC:FFE0                 fdb I4_I5               ; Timer Input Capture 4 / Output Compare 5
USER_VEC:FFE2                 fdb OC4I                ; Timer Output Compare 4
USER_VEC:FFE4                 fdb OC3I                ; Timer Output Compare 3
USER_VEC:FFE6                 fdb OC2I                ; Timer Output Compare 2
USER_VEC:FFE8                 fdb OC1I                ; Timer Output Compare 1
USER_VEC:FFEA                 fdb IC3I                ; Timer Input Capture 3
USER_VEC:FFEC                 fdb IC2I                ; Timer Input Capture 2
USER_VEC:FFEE                 fdb IC1I                ; Timer Input Capture 1
USER_VEC:FFF0                 fdb RTII                ; Real Time Interrupt
USER_VEC:FFF2                 fdb IRQ                 ; IRQ
USER_VEC:FFF4                 fdb XIRQ                ; XIRQ Pin
USER_VEC:FFF6                 fdb SOFT                ; Software Interrupt
USER_VEC:FFF8                 fdb OPC                 ; Illegal Opcode Trap
USER_VEC:FFFA                 fdb NOCOP               ; COP Failure
USER_VEC:FFFC                 fdb CME                 ; Clock Monitor Fail
USER_VEC:FFFE off_FFFE:       fdb __RESET             ; DATA XREF: RESERVED:loc_602w
USER_VEC:FFFE                                         ; RESERVED:0605w ...
USER_VEC:FFFE ; end of 'USER_VEC'                     ; Processor reset
The more code I find, the more data I find that is not code but gradient tables (TPS, MAP, etc.), which I'm cranking up the Coheed and Cambria and cracking through.
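
The USER_VEC listing above is usable as a function table because each `fdb` is the big-endian address of a handler, in the fixed slot order the 68HC11 defines ($FFD6 to $FFFE). As an added example (not from the post, and not taken from the dump), here is a Python reader that pulls the 21 vectors out of a flat image ending at $FFFF and flags handlers that are left unprogrammed or fall outside the ROM range, a quick sanity check before letting IDA follow them. It assumes a flat 64 KiB image (the dump's banked layout at physical $10000 is not modelled); the image bytes and handler addresses are constructed.

```python
import struct

# 68HC11 interrupt/reset vector slots, in the order the USER_VEC listing shows.
# Each slot holds a big-endian 16-bit handler address (IDA's "fdb").
HC11_VECTORS = [
    (0xFFD6, "SCISS"), (0xFFD8, "SPIE"),  (0xFFDA, "PAII"),  (0xFFDC, "PAOVI"),
    (0xFFDE, "TOI"),   (0xFFE0, "I4_I5"), (0xFFE2, "OC4I"),  (0xFFE4, "OC3I"),
    (0xFFE6, "OC2I"),  (0xFFE8, "OC1I"),  (0xFFEA, "IC3I"),  (0xFFEC, "IC2I"),
    (0xFFEE, "IC1I"),  (0xFFF0, "RTII"),  (0xFFF2, "IRQ"),   (0xFFF4, "XIRQ"),
    (0xFFF6, "SOFT"),  (0xFFF8, "OPC"),   (0xFFFA, "NOCOP"), (0xFFFC, "CME"),
    (0xFFFE, "__RESET"),
]


def parse_vectors(image, base=0x0000):
    """Return {vector_name: handler_address} from a flat image.

    `base` is the CPU address of image[0]; the image must end at $FFFF,
    where the 68HC11 expects its vector table (assumption: flat image,
    no bank switching).
    """
    if base + len(image) != 0x10000:
        raise ValueError("image must end at CPU address $FFFF")
    vectors = {}
    for slot, name in HC11_VECTORS:
        (handler,) = struct.unpack_from(">H", image, slot - base)
        vectors[name] = handler
    return vectors


def suspicious_vectors(vectors, rom_lo, rom_hi):
    """Names of vectors whose handler is unprogrammed ($0000/$FFFF) or lies
    outside [rom_lo, rom_hi): the slots to double-check before letting the
    disassembler follow them."""
    return sorted(name for name, handler in vectors.items()
                  if handler in (0x0000, 0xFFFF) or not rom_lo <= handler < rom_hi)


def build_sample_image():
    """Constructed 64 KiB image: 0xFF fill plus a vector table whose handlers
    sit in ROM at $8000+, except one erased slot and one pointing into low RAM."""
    image = bytearray(b"\xFF" * 0x10000)
    handlers = {name: 0x8000 + 0x20 * i for i, (_, name) in enumerate(HC11_VECTORS)}
    handlers["__RESET"] = 0xE000   # reset entry (constructed)
    handlers["SPIE"] = 0xFFFF      # slot left erased
    handlers["XIRQ"] = 0x0100      # would branch into RAM
    for slot, name in HC11_VECTORS:
        struct.pack_into(">H", image, slot, handlers[name])
    return bytes(image)


if __name__ == "__main__":
    vec = parse_vectors(build_sample_image())
    for name, handler in vec.items():
        print(f"{name:8s} -> ${handler:04X}")
    print("check these:", suspicious_vectors(vec, 0x8000, 0x10000))
```

On a real dump the interesting output is the second list: a vector that lands in RAM or on an erased word is either a load-address mistake in the disassembler setup or a handler the firmware never expects to fire.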

08-06-2011, 12:49 PM   #2
Thisita

Here is the first array I found:
Code:
RESERVED:EDE8 Array1:         fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FA, $F2, $EB, $E5
RESERVED:EDE8                 fcb $DF, $DB, $D6, $D2, $CE, $CB, $C8, $C5, $C2, $C0, $BD
RESERVED:EDE8                 fcb $BB, $B8, $B6, $B4, $B2, $B1, $AF, $AD, $AB, $AA, $A8
RESERVED:EDE8                 fcb $A7, $A5, $A4, $A2, $A1, $A0, $9F, $9D, $9C, $9B, $9A
RESERVED:EDE8                 fcb $99, $98, $97, $96, $95, $94, $93, $92, $91, $90, $8F
RESERVED:EDE8                 fcb $8E, $8D, $8C, $8B, $8B, $8A, $89, $88, $87, $87, $86
RESERVED:EDE8                 fcb $85, $84, $84, $83, $82, $81, $81, $80, $7F, $7F, $7E
RESERVED:EDE8                 fcb $7D, $7D, $7C, $7B, $7B, $7A, $79, $79, $78, $78, $77
RESERVED:EDE8                 fcb $76, $76, $75, $75, $74, $73, $73, $72, $72, $71, $71
RESERVED:EDE8                 fcb $70, $70, $6F, $6E, $6E, $6D, $6D, $6C, $6C, $6B, $6B
RESERVED:EDE8                 fcb $6A, $6A, $69, $69, $68, $68, $67, $67, $66, $65, $65
RESERVED:EDE8                 fcb $64, $64, $63, $63, $62, $62, $61, $61, $60, $60, $60
RESERVED:EDE8                 fcb $5F, $5F, $5E, $5E, $5D, $5D, $5C, $5C, $5B, $5B, $5A
RESERVED:EDE8                 fcb $5A, $59, $59, $58, $58, $57, $57, $56, $56, $55, $55
RESERVED:EDE8                 fcb $54, $54, $53, $53, $52, $52, $51, $51, $50, $50, $4F
RESERVED:EDE8                 fcb $4F, $4E, $4E, $4D, $4D, $4C, $4C, $4B, $4B, $4A, $4A
RESERVED:EDE8                 fcb $49, $49, $48, $48, $47, $47, $46, $45, $45, $44, $44
RESERVED:EDE8                 fcb $43, $43, $42, $42, $41, $40, $40, $3F, $3F, $3E, $3E
RESERVED:EDE8                 fcb $3D, $3C, $3C, $3B, $3A, $3A, $39, $39, $38, $37, $37
RESERVED:EDE8                 fcb $36, $35, $34, $34, $33, $32, $31, $31, $30, $2F, $2E
RESERVED:EDE8                 fcb $2E, $2D, $2C, $2B, $2A, $29, $28, $27, $26, $25, $24
RESERVED:EDE8                 fcb $23, $22, $21, $20, $1F, $1D, $1C, $1B, $19, $18, $16
RESERVED:EDE8                 fcb $14, $13, $11, $F, $C, $A, 7, 4, 1, 0, 0, 0, 0, 0
And here are two others that I discovered SabercatPuck had already found; mention was made that the graphs for these look like hp/torque graphs.

Code:
ROM:12C9D Array2:         fcb $FF, $FF, $FF, $FF, $F3, $E6, $DC, $D4, $CD, $C7, $C2
ROM:12C9D                 fcb $BD, $B9, $B5, $B1, $AE, $AB, $A8, $A6, $A3, $A1, $9F
ROM:12C9D                 fcb $9D, $9B, $99, $97, $95, $94, $92, $91, $8F, $8E, $8C
ROM:12C9D                 fcb $8B, $8A, $88, $87, $86, $85, $84, $83, $82, $81, $80
ROM:12C9D                 fcb $7F, $7E, $7D, $7C, $7B, $7A, $79, $78, $77, $77, $76
ROM:12C9D                 fcb $75, $74, $73, $73, $72, $71, $70, $70, $6F, $6E, $6E
ROM:12C9D                 fcb $6D, $6C, $6B, $6B, $6A, $6A, $69, $68, $68, $67, $66
ROM:12C9D                 fcb $66, $65, $65, $64, $63, $63, $62, $62, $61, $61, $60
ROM:12C9D                 fcb $60, $5F, $5E, $5E, $5D, $5D, $5C, $5C, $5B, $5B, $5A
ROM:12C9D                 fcb $5A, $59, $59, $58, $58, $57, $57, $56, $56, $55, $55
ROM:12C9D                 fcb $54, $54, $53, $53, $52, $52, $52, $51, $51, $50, $50
ROM:12C9D                 fcb $4F, $4F, $4E, $4E, $4D, $4D, $4C, $4C, $4C, $4B, $4B
ROM:12C9D                 fcb $4A, $4A, $49, $49, $48, $48, $47, $47, $47, $46, $46
ROM:12C9D                 fcb $45, $45, $44, $44, $43, $43, $43, $42, $42, $41, $41
ROM:12C9D                 fcb $40, $40, $3F, $3F, $3E, $3E, $3E, $3D, $3D, $3C, $3C
ROM:12C9D                 fcb $3B, $3B, $3A, $3A, $39, $39, $38, $38, $38, $37, $37
ROM:12C9D                 fcb $36, $36, $35, $35, $34, $34, $33, $33, $32, $32, $31
ROM:12C9D                 fcb $31, $30, $30, $2F, $2F, $2E, $2D, $2D, $2C, $2C, $2B
ROM:12C9D                 fcb $2B, $2A, $2A, $29, $28, $28, $27, $27, $26, $25, $25
ROM:12C9D                 fcb $24, $23, $23, $22, $21, $21, $20, $1F, $1F, $1E, $1D
ROM:12C9D                 fcb $1C, $1C, $1B, $1A, $19, $18, $18, $17, $16, $15, $14
ROM:12C9D                 fcb $13, $12, $11, $10, $E, $D, $C, $B, 9, 8, 6, 5, 3
ROM:12C9D                 fcb 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
ROM:12D9D Array3:         fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:12D9D                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:12D9D                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:12D9D                 fcb $FD, $FB, $F9, $F7, $F5, $F4, $F2, $F0, $EE, $ED, $EB
ROM:12D9D                 fcb $EA, $E8, $E7, $E5, $E4, $E2, $E1, $E0, $DE, $DD, $DC
ROM:12D9D                 fcb $DB, $D9, $D8, $D7, $D6, $D5, $D4, $D3, $D2, $D1, $CF
ROM:12D9D                 fcb $CE, $CD, $CC, $CB, $CA, $CA, $C9, $C8, $C7, $C6, $C5
ROM:12D9D                 fcb $C4, $C3, $C2, $C1, $C1, $C0, $BF, $BE, $BD, $BC, $BC
ROM:12D9D                 fcb $BB, $BA, $B9, $B8, $B8, $B7, $B6, $B5, $B5, $B4, $B3
ROM:12D9D                 fcb $B2, $B2, $B1, $B0, $AF, $AF, $AE, $AD, $AD, $AC, $AB
ROM:12D9D                 fcb $AB, $AA, $A9, $A9, $A8, $A7, $A6, $A6, $A5, $A5, $A4
ROM:12D9D                 fcb $A3, $A3, $A2, $A1, $A1, $A0, $9F, $9F, $9E, $9D, $9D
ROM:12D9D                 fcb $9C, $9B, $9B, $9A, $9A, $99, $98, $98, $97, $96, $96
ROM:12D9D                 fcb $95, $95, $94, $93, $93, $92, $91, $91, $90, $90, $8F
ROM:12D9D                 fcb $8E, $8E, $8D, $8C, $8C, $8B, $8B, $8A, $89, $89, $88
ROM:12D9D                 fcb $87, $87, $86, $85, $85, $84, $83, $83, $82, $82, $81
ROM:12D9D                 fcb $80, $80, $7F, $7E, $7E, $7D, $7C, $7B, $7B, $7A, $79
ROM:12D9D                 fcb $79, $78, $77, $77, $76, $75, $74, $74, $73, $72, $71
ROM:12D9D                 fcb $71, $70, $6F, $6E, $6E, $6D, $6C, $6B, $6A, $69, $69
ROM:12D9D                 fcb $68, $67, $66, $65, $64, $63, $62, $61, $60, $5F, $5E
ROM:12D9D                 fcb $5D, $5C, $5B, $5A, $59, $58, $57, $56, $54, $53, $52
ROM:12D9D                 fcb $51, $4F, $4E, $4C, $4B, $49, $47, $46, $44, $42, $40
ROM:12D9D                 fcb $3E, $3C, $39, $36, $34, $30, $2D, $29, $24, $1F, $18
ROM:12D9D                 fcb $F, 0, 0
All of these are Array[256]
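
Telling a gradient table from code is the recurring problem in this thread: the three arrays above are 256 bytes long and never increase from one entry to the next. As an added example (not from the post), the Python below scans a byte blob for long runs that are monotonic in either direction, which picks out exactly this kind of lookup table, while a minimum-distinct-values threshold keeps $FF/$00 fill out of the results. The blob is constructed: two stretches of jsr-like bytes around a 256-entry descending curve with an $FF plateau, the shape of Array1.

```python
def find_monotonic_runs(blob, min_len=64, min_distinct=8):
    """Return [(offset, length, direction)] for maximal runs in which every
    byte is <= its predecessor ("desc") or >= it ("asc"), at least min_len
    bytes long and holding at least min_distinct distinct values.

    The distinct-value floor filters fill ($FF $FF ...) and other padding,
    which is trivially monotonic. A table that opens with a plateau of the
    same byte as the fill before it is reported from the fill's start.
    """
    runs, n, i = [], len(blob), 0
    while i < n:
        best_len, best_dir = 0, None
        for direction, continues in (("desc", lambda a, b: b <= a),
                                     ("asc", lambda a, b: b >= a)):
            j = i
            while j + 1 < n and continues(blob[j], blob[j + 1]):
                j += 1
            if j - i + 1 > best_len:
                best_len, best_dir = j - i + 1, direction
        if best_len >= min_len:
            if len(set(blob[i:i + best_len])) >= min_distinct:
                runs.append((i, best_len, best_dir))
            i += best_len            # resume after the run, table or padding
        else:
            i += 1
    return runs


def build_sample_blob():
    """Constructed input: 48 bytes that look like a jsr chain, a 256-entry
    curve with an $FF plateau then a steady fall (the shape of Array1), then
    another 48 code-like bytes."""
    code_like = bytes([0xBD, 0x58, 0x34, 0xBD, 0x80, 0xF9]) * 8
    curve = bytes(min(255, 255 * 40 // (32 + i)) for i in range(256))
    return code_like + curve + code_like


if __name__ == "__main__":
    for offset, length, direction in find_monotonic_runs(build_sample_blob()):
        print(f"table candidate at +{offset:04X}, {length} bytes, {direction}")
```

Run it over a whole ROM segment and the 256-byte hits are the candidates to define as data in IDA; a hit of 512 or an odd length such as 350 is worth graphing before deciding what it is, as the later posts do.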

08-06-2011, 01:12 PM   #3
OldNuc

The original microcomputer OS loaded vectors into low RAM for firmware BIOS access for the basic I/O. Don't see why that would have changed much as it is still a semi-standard embedded processor architecture.

08-06-2011, 01:13 PM   #4
campus189

Just curious.
Is this a ROM or EEPROM?
Reason that I'm asking is, if it's an EEPROM, then we can reprogram it for ourselves.
How many pins is it?
I'm too lazy to crack mine open and look

08-06-2011, 01:20 PM   #5
Thisita

Quote:
The original microcomputer OS loaded vectors into low RAM for firmware BIOS access for the basic I/O. Don't see why that would have changed much as it is still a semi-standard embedded processor architecture.
Yep, that would be the norm for basics.

Quote:
Just curious.
Is this a ROM or EEPROM?
Reason that I'm asking is, if it's an EEPROM, then we can reprogram it for ourselves.
How many pins is it?
I'm too lazy to crack mine open and look
I believe it is ROM+EEPROM
Sabercatpuck has pics here http://delcohacking.net/forums/viewt...t=377&start=10
He actually desoldered the flashable portion and put it in a nice socket, that way he could also fix the "encryption" issue of the 4 switched address pins.

08-06-2011, 01:25 PM   #6
OldNuc

It is an EEPROM as the initial code is loaded remotely. There is a flash enable line in the data link connector.

08-06-2011, 01:40 PM   #7
Thisita

Quote:
It is an EEPROM as the initial code is loaded remotely. There is a flash enable line in the data link connector.
That will make this a lot easier :nod:

Found another gradient in the ROM segment. It doesn't fit a standard size for percentage (256 or 512); it looks like 350 elements (256+64+30).

Code:
ROM:1C4A7                 fcb 0, 0, 0, 0, 0, 1, 1, 7, 7, 8, 8, $B, $B, $C, $C, $12
ROM:1C4A7                 fcb $12, $16, $16, $19, $19, $1A, $1A, $1D, $1D, $1E, $1E
ROM:1C4A7                 fcb $21, $21, $22, $22, $22, $22, $23, $23, $23, $23, $24
ROM:1C4A7                 fcb $24, $24, $24, $25, $25, $25, $25, $26, $26, $26, $26
ROM:1C4A7                 fcb $27, $27, $27, $27, $28, $28, $28, $28, $29, $29, $29
ROM:1C4A7                 fcb $29, $2A, $2A, $2A, $2A, $2B, $2B, $2B, $2B, $2C, $2C
ROM:1C4A7                 fcb $2C, $2C, $2D, $2D, $2D, $2D, $2E, $2E, $2E, $2E, $2F
ROM:1C4A7                 fcb $2F, $2F, $2F, $30, $30, $30, $30, $31, $31, $31, $31
ROM:1C4A7                 fcb $32, $32, $32, $32, $33, $33, $33, $33, $34, $34, $34
ROM:1C4A7                 fcb $34, $35, $35, $35, $35, $36, $36, $36, $36, $37, $37
ROM:1C4A7                 fcb $37, $37, $38, $38, $38, $38, $39, $39, $39, $39, $3A
ROM:1C4A7                 fcb $3A, $3A, $3A, $3B, $3B, $3B, $3B, $3C, $3C, $3C, $3C
ROM:1C4A7                 fcb $3D, $3D, $3D, $3D, $3E, $3E, $3E, $3E, $3F, $3F, $3F
ROM:1C4A7                 fcb $3F, $40, $40, $40, $40, $41, $41, $41, $41, $42, $42
ROM:1C4A7                 fcb $42, $42, $43, $43, $43, $43, $44, $44, $44, $44, $45
ROM:1C4A7                 fcb $45, $45, $45, $46, $46, $46, $46, $47, $47, $47, $47
ROM:1C4A7                 fcb $48, $48, $48, $48, $49, $49, $49, $49, $4A, $4A, $4A
ROM:1C4A7                 fcb $4A, $4B, $4B, $4B, $4B, $4C, $4C, $4C, $4C, $4D, $4D
ROM:1C4A7                 fcb $4D, $4D, $4E, $4E, $4E, $4E, $4F, $4F, $4F, $4F, $50
ROM:1C4A7                 fcb $50, $50, $50, $51, $51, $51, $51, $52, $52, $52, $52
ROM:1C4A7                 fcb $53, $53, $53, $53, $54, $54, $54, $54, $55, $55, $55
ROM:1C4A7                 fcb $55, $56, $56, $56, $56, $57, $57, $57, $57, $58, $58
ROM:1C4A7                 fcb $58, $58, $59, $59, $59, $59, $5A, $5A, $5A, $5A, $FF
ROM:1C4A7                 fcb $6C, $C6, $A7, $6E, $C6, $55, $FF, $6C, $C6, $D0, $FF
ROM:1C4A7                 fcb $6C, $C6, $F9, $6E, $C6, $7E, $FE, $C7, $9D, $FF, $6C
ROM:1C4A7                 fcb $C7, $22, $FF, $6C, $C7, $4B, $FF, $6C, $C7, $74, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF, $FF
ROM:1C4A7                 fcb $FF, $FF, $FF, $FF
EDIT: I'm trying to graph it... looks like it is another 16x16 grid actually, but the data afterwards seems to fit in a way <.<

08-07-2011, 03:33 AM   #8
1996SL11.9L

I found the trans temp for autos by just looking at memory locations and picking a few that looked like winners, then watched them and disconnected the sensor to find the correct one.

08-07-2011, 09:07 AM   #9
Thisita

Quote:
Did you see the section relating to Non-standard PIDs? This is the entire problem.
Yes I did, but I can see the known ones which help me find the master table of PID handling.
Quote:
I found the trans temp for autos by just looking a memory locations and picking a few that looked like winners then watched them and disconnected the sensor to find the correct one.
Guess and check is always fun lol
Looks like mode 22 requests will be for Tech2's (which would explain why Sabercatpuck was so interested in them)

OldNuc, you mentioned you use the USB->OBD adapter, but what software do you use? If it is open source I can work off its code and understand both sides without physical hacking.
I'm more interested in the packet layout than the protocol for sending it, because they should be formatted roughly the same afterwards.

08-07-2011, 09:22 AM   #10
1996SL11.9L

I knew the math was correct, so all I needed to do was clock through the memory until the readings looked real and go from there. The scangaugeII is bidirectional. I polled the PCM for supported PIDs and the 96 doesn't support much.

The coveted data are things like the trans temp, knock retard, slip ratio in trans, etc. All the parameters my MAC Mentor / OTC Genniss displays....

I can give you the memory address if it will help. Or search me and trans temp and scangaugeII

08-07-2011, 10:52 AM   #11
David R

There is a lot of free software out there for ELM chips, but not much Open Source, and most are no longer being developed. Try these sites and start drilling down. In particular the last one. The ZIP files actually have some source code. Might help.

Excellent efforts.

http://scantool.imechatronics.com/downloads.htm
http://www.obdtester.com/obd2-free-software
http://www.obd2crazy.com/softbeta.html
http://www.easyobdii.com/
http://www.scantool.net/scantool/dow...stic-software/

08-08-2011, 12:45 PM   #12
Thisita

Going to be delayed for a day or two. Had a strange power failure that managed to get past the pure sine wave power conditioner to my main computer. Computer works but I have some corrupt data to fix that shouldn't take long.

08-08-2011, 01:31 PM   #13
OldNuc

Just hate that when it happens....

08-08-2011, 01:57 PM   #14
Thisita

Yeah, apparently a new *feature* of Windows 7 is for all the services to panic at boot if the log files are corrupt. Pretty much just a matter of forcing a rebuild.

Times I wish Windows would install on ext4 filesystems -.-

08-14-2011, 07:23 PM   #15
aaron95sl2

Quote:
Originally Posted by Thisita
Going to be delayed for a day or two. Had a strange power failure that managed to get past the pure sine wave power conditioner to my main computer. Computer works but I have some corrupt data to fix that shouldn't take long.
One reason all my comps are laptops now: BATTERIES! lol If you don't want to pay the premium for a laptop, buy used with broken screen and plug it into your monitor like I did.

08-14-2011, 09:26 PM   #16
Thisita

Quote:
Is the 11 indirect addressing? Did that a lot with PLC's
In a sense, all of those numbers are nodes on a binary search tree that each load their own pointer to a memory location. These pointers are located on a data table nearby.

In C++ it would look like

Code:
#include <cstdint>

// Two of the per-PID data blocks; the real ones sit wherever the
// firmware's pointer table says they are.
uint8_t MemoryBase_A[256];
uint8_t MemoryBase_B[256];

uint8_t *decode_pid(uint8_t PID_XX, uint8_t PID_YY)
{
    uint8_t *reg_x = nullptr;   // stays NULL for an unknown PID_XX
    switch(PID_XX)
    {
         case 0x11:
             reg_x = MemoryBase_A;
             break;
         case 0x12:
             reg_x = MemoryBase_B;
             break;
    // etc
         default:
             break;
    }
    if (reg_x != nullptr)       // the sanity check done before the subroutine exits
        reg_x += (2*PID_YY);
    return reg_x;
}
That is what the subroutine for deciphering the PID would look like in non-optimized code (like I said, they used a binary search tree).
Before it exits it does a sanity check on the address (test for the NULL case); when it gets back, it checks where the address lies in a range and will either dump the contents of the physical address stored in reg_x or jump to its location+1 (which I assume is for bit-coded data).
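
The switch above is the readable form; the post says the firmware actually resolves the first PID byte with a binary search, adds twice the second byte, checks for the NULL case and then decides by address range whether to return the word or treat the location as bit-coded. As an added example (not from the post, and a model of that description rather than the PCM's own code), here is the same dispatch in Python over a sorted table with `bisect`, which is the binary search the switch compiles down to. The PID numbers, base addresses, the bit-coded range and the memory contents are all constructed; the "location+1" handling of the bit-coded case follows the post's guess.

```python
from bisect import bisect_left

# Constructed dispatch table: first PID byte -> base address of its data block.
# Kept sorted by key so the lookup is a binary search, as the post describes,
# instead of the switch statement that shows the same mapping.
PID_BASES = [(0x11, 0x1000), (0x12, 0x1100), (0x22, 0x1200), (0x5A, 0x1300)]
PID_KEYS = [key for key, _ in PID_BASES]

# Constructed: addresses in this range hold bit-coded flags; everything else
# is read as a 16-bit word.
BIT_CODED_LO, BIT_CODED_HI = 0x1200, 0x1300


def resolve_pid(pid_xx, pid_yy, table=PID_BASES, keys=PID_KEYS):
    """Binary-search pid_xx, then offset by 2*pid_yy (16-bit entries).
    Returns None for an unknown pid_xx: the NULL case the firmware's
    sanity check catches before the subroutine exits."""
    i = bisect_left(keys, pid_xx)
    if i == len(keys) or keys[i] != pid_xx:
        return None
    return table[i][1] + 2 * pid_yy


def fetch_pid(memory, pid_xx, pid_yy):
    """Model of the caller: ('invalid', None) for a NULL or out-of-bounds
    address, ('bit', flags) for the bit-coded range (byte at location+1,
    per the post's reading), ('word', value) otherwise."""
    addr = resolve_pid(pid_xx, pid_yy)
    if addr is None or addr + 1 >= len(memory):
        return ("invalid", None)
    if BIT_CODED_LO <= addr < BIT_CODED_HI:
        return ("bit", memory[addr + 1])
    return ("word", (memory[addr] << 8) | memory[addr + 1])


def build_sample_memory():
    """Constructed 5 KiB RAM image with one word and one flag byte populated."""
    memory = bytearray(0x1400)
    memory[0x1000 + 2 * 3] = 0x12       # PID 11/03 -> word $1234
    memory[0x1000 + 2 * 3 + 1] = 0x34
    memory[0x1200 + 2 * 1 + 1] = 0x05   # PID 22/01 -> flags at location+1
    return bytes(memory)


if __name__ == "__main__":
    mem = build_sample_memory()
    for pid in ((0x11, 0x03), (0x22, 0x01), (0x13, 0x00), (0x5A, 0xFF)):
        print(f"PID {pid[0]:02X} {pid[1]:02X} ->", fetch_pid(mem, *pid))
```

The bounds test in `fetch_pid` is the part the switch version leaves implicit: a valid first byte with a large second byte still walks off the end of its block, so the range check has to come after the offset is added, not before.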

08-11-2011, 06:31 PM   #17
1996SL11.9L

Address 5401 is the RAM address for trans temp, if it helps figure out how it's mapped.

08-11-2011, 08:04 PM   #18
Thisita

Is 62C (143.6F) possible for tranny temp?

The problem with you sending that is that it is the "encrypted" address.
5401, 15401, 4510, 14510, A208, 1A208, and D401 are all sections of code.
But, if you reverse each byte's bits, you get 2A80 which is a segment that I haven't the foggiest idea of what it is, and there are also no read/write references to the area. The particular byte is 66, which would translate to a temp of 62C

Here is the area:
Code:
RESERVED:2A44                 fcb   5
RESERVED:2A45                 fcb $30 ; 0
RESERVED:2A46                 fcb $40 ; @
RESERVED:2A47                 fcb   5
RESERVED:2A48                 fcb $7D ; }
RESERVED:2A49                 fcb $7D ; }
RESERVED:2A4A                 fcb $7D ; }
RESERVED:2A4B                 fcb $7D ; }
RESERVED:2A4C                 fcb $7D ; }
RESERVED:2A4D                 fcb $7D ; }
RESERVED:2A4E                 fcb $7D ; }
RESERVED:2A4F                 fcb $7D ; }
RESERVED:2A50                 fcb $7D ; }
RESERVED:2A51                 fcb $7D ; }
RESERVED:2A52                 fcb $72 ; r
RESERVED:2A53                 fcb $7D ; }
RESERVED:2A54                 fcb $7D ; }
RESERVED:2A55                 fcb $7D ; }
RESERVED:2A56                 fcb $7D ; }
RESERVED:2A57                 fcb $72 ; r
RESERVED:2A58                 fcb $7D ; }
RESERVED:2A59                 fcb $7D ; }
RESERVED:2A5A                 fcb $7D ; }
RESERVED:2A5B                 fcb $7D ; }
RESERVED:2A5C                 fcb $72 ; r
RESERVED:2A5D                 fcb $7A ; z
RESERVED:2A5E                 fcb $7A ; z
RESERVED:2A5F                 fcb $7A ; z
RESERVED:2A60                 fcb $7A ; z
RESERVED:2A61                 fcb $72 ; r
RESERVED:2A62                 fcb $7A ; z
RESERVED:2A63                 fcb $7A ; z
RESERVED:2A64                 fcb $7A ; z
RESERVED:2A65                 fcb $7A ; z
RESERVED:2A66                 fcb $72 ; r
RESERVED:2A67                 fcb $77 ; w
RESERVED:2A68                 fcb $77 ; w
RESERVED:2A69                 fcb $77 ; w
RESERVED:2A6A                 fcb $77 ; w
RESERVED:2A6B                 fcb $72 ; r
RESERVED:2A6C                 fcb $72 ; r
RESERVED:2A6D                 fcb $72 ; r
RESERVED:2A6E                 fcb $72 ; r
RESERVED:2A6F                 fcb $72 ; r
RESERVED:2A70                 fcb $72 ; r
RESERVED:2A71                 fcb $72 ; r
RESERVED:2A72                 fcb $72 ; r
RESERVED:2A73                 fcb $72 ; r
RESERVED:2A74                 fcb $72 ; r
RESERVED:2A75                 fcb $72 ; r
RESERVED:2A76                 fcb $6C ; l
RESERVED:2A77                 fcb $6C ; l
RESERVED:2A78                 fcb $69 ; i
RESERVED:2A79                 fcb $69 ; i
RESERVED:2A7A                 fcb $66 ; f
RESERVED:2A7B                 fcb $66 ; f
RESERVED:2A7C                 fcb $66 ; f
RESERVED:2A7D                 fcb $61 ; a
RESERVED:2A7E                 fcb $61 ; a
RESERVED:2A7F                 fcb $66 ; f
RESERVED:2A80                 fcb $66 ; f
RESERVED:2A81                 fcb $66 ; f
RESERVED:2A82                 fcb $61 ; a
RESERVED:2A83                 fcb $61 ; a
RESERVED:2A84                 fcb $80
RESERVED:2A85                 fcb $80
RESERVED:2A86                 fcb $80
RESERVED:2A87                 fcb $80
RESERVED:2A88                 fcb $80
RESERVED:2A89                 fcb $80
RESERVED:2A8A                 fcb $80
RESERVED:2A8B                 fcb $80
RESERVED:2A8C                 fcb $80
RESERVED:2A8D byte_2A8D:      fcb $80                 ; DATA XREF: sub_93F3+3Br
RESERVED:2A8D                                         ; sub_93F3+5Er
RESERVED:2A8E byte_2A8E:      fcb $72                 ; DATA XREF: sub_EEE8+Ar
RESERVED:2A8F                 fcb $72 ; r
RESERVED:2A90                 fcb $72 ; r
RESERVED:2A91                 fcb $6C ; l
RESERVED:2A92                 fcb $69 ; i
RESERVED:2A93                 fcb $66 ; f
RESERVED:2A94 byte_2A94:      fcb $66                 ; DATA XREF: sub_EEE8+13r
As you can tell towards the end of the section, the function that accesses the data is very cryptic (aside from the first reference, which is made by OC4I (Output Control for Interrupts, iirc)).
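
The "encrypted" address in this post is a permutation of address lines: reversing the bits of each byte turns $5401 into $2A80 (and $4510 into $A208), and applying the same operation again gives the original back. As an added example (not from the post), the Python below writes this as a general address-line permutation, so the four-switched-pins case mentioned earlier in the thread is the same function with a different bit map, and reads the byte at the descrambled location from a constructed image. Which pins are actually swapped in the PCM is not stated anywhere in the thread, so the four-pin map here is an assumption, and the temperature conversion assumes the common OBD-II A-40 encoding, which is how $66 = 102 becomes 62 °C; the image contents are constructed.

```python
def reverse_bits8(value):
    """Mirror the eight bits of one byte: $54 = 0101 0100 -> 0010 1010 = $2A."""
    return int(f"{value & 0xFF:08b}"[::-1], 2)


def permute_address(addr, bit_map, width=16):
    """General address-line remap: input bit i lands on output bit bit_map[i].
    bit_map must be a permutation of range(width); a pair of swapped address
    pins is one transposition in it."""
    if sorted(bit_map) != list(range(width)):
        raise ValueError("bit_map must be a permutation of the address bits")
    out = 0
    for src, dst in enumerate(bit_map):
        if addr >> src & 1:
            out |= 1 << dst
    return out


# Per-byte bit reversal written as a 16-bit address-line permutation:
# low byte bits 0..7 -> 7..0, high byte bits 8..15 -> 15..8.
BYTE_REVERSE_MAP = [7 - i for i in range(8)] + [23 - i for i in range(8, 16)]

# Constructed stand-in for the "four switched address pins" case: A0<->A3 and
# A1<->A2 swapped, everything else straight through. The real PCM wiring is
# not given in the thread; this map is an assumption for illustration.
FOUR_PIN_SWAP_MAP = [3, 2, 1, 0] + list(range(4, 16))


def descramble(addr, bit_map=BYTE_REVERSE_MAP):
    """Map a scrambled address to the location it really refers to. Both maps
    above are their own inverse, so the same call scrambles as well."""
    return permute_address(addr, bit_map)


def read_via_scrambled_address(image, scrambled_addr, bit_map=BYTE_REVERSE_MAP):
    """Fetch the byte that a scrambled address actually points at."""
    return image[descramble(scrambled_addr, bit_map)]


def obd_temp_c(raw):
    """Common OBD-II temperature encoding, A - 40 (an assumption for this PCM)."""
    return raw - 40


def c_to_f(celsius):
    return celsius * 9 / 5 + 32


def build_sample_image():
    """Constructed 64 KiB image with $66 at $2A80, the descrambled form of $5401."""
    image = bytearray(0x10000)
    image[0x2A80] = 0x66
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for scrambled in (0x5401, 0x4510):
        print(f"${scrambled:04X} -> ${descramble(scrambled):04X}")
    raw = read_via_scrambled_address(img, 0x5401)
    print(f"raw ${raw:02X} = {obd_temp_c(raw)} C = {c_to_f(obd_temp_c(raw)):.1f} F")
```

Because each map is an involution, the same routine converts a scan-tool address into a dump offset and a dump offset back into the address the PCM would be asked for, which is what is needed to line up the 5401 reading with the $2A80 area in the listing.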

08-11-2011, 09:05 PM   #19
Redhotftw!

I would be in love if the fuel tables and map could be cracked to support boost on the PCM

08-11-2011, 10:32 PM   #20
Thisita

Quote:
That temp seems real to me on a short drive....5401 is the memory location I have the scangaugeII poll for information. I believe it's a mode 22 request
Mode 22 == Request_Diag_Data_by_PID 8D

Ok, something you may want to try is to keep pinging "memory" locations, with the y byte set to 01

I'm looking at the code, and it pulls from the buffer, then loads part of it and cmp's it to 01. Now we are getting somewhere; I'm going to keep tracing from there. The function it jumps into is NOT pretty.