99 Saturn crack log



sabercatpuck
December 24th, 2009, 10:11 AM
I decided to start a thread to document things as I move along in cracking the ECU of a '99 Saturn. The specific type I pulled from the JY was from a 1.9L DOHC auto tranny. I have it sitting on a computer with a script running to try to find the seed/key pair. There are 2 halves to this board, one primarily for the engine side and one for the tranny. I have socketed the 28F010 flash ROMs and pulled both the straight image and one that has the address lines straightened out (the A1-A13, A2-A12, A3-A11, and A10-A14 lines were swapped). With the decoded image I have mostly made it through the decoding of the tranny side chip; it is fairly straightforward, with only the lower 64K of the chip used. The engine side chip is a little more tricky. It has several routines near $5666 for bank switching between the lower and upper halves of the flash (128K flash) using Port G on the 68HC11F1 processor.

The only other thing at the moment that I have is that there is a 40-pin header on the board which accesses many of the address and data lines:

Pin  Signal        Pin  Signal
 1   A4             2   -
 3   A3             4   Ground
 5   A2             6   -
 7   -              8   A1
 9   -             10   A0
11   -             12   A5
13   A6            14   A8
15   A7            16   A9
17   A10           18   D7
19   A11           20   D6
21   A12           22   D5
23   A13           24   D4
24   A14           25   D0
27   A15           28   D1
29   R/W           30   D2
31   Reset         32   D3
33   ModA/LIR      34   PD1/TXTD
35   PD1/RXD       36   E
37   ModB/Vstby    38   Ground
39   XIRQ          40   -

I did the ohm checks on the tranny side and I have not yet compared them to the engine side; I would suspect at least adding support for A16.

Well that is where I am for now. I will keep things up to date when I learn them.
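The address-line straightening the post describes, written out as an added example (this is not the author's script and is not part of the original post). It reads the post's list as the pairs A1/A13, A2/A12, A3/A11 and A10/A14 being swapped between the programmer and the chip; swapping bits is its own inverse, so one function maps a logical address to the physical one and back. The 128K sample image is constructed here so the code runs offline; a real 28F010 dump of the same size drops in unchanged.

```python
"""Straighten a 128K flash dump read through swapped address lines.

Added example, not code from the thread. SWAPPED_PAIRS follows the first
post's list (A1-A13, A2-A12, A3-A11, A10-A14); any other wiring is handled
by editing that list. The sample image below is constructed, not a real dump.
"""

SWAPPED_PAIRS = [(1, 13), (2, 12), (3, 11), (10, 14)]
FLASH_SIZE = 0x20000  # 28F010: 128K x 8


def remap_address(addr, pairs=SWAPPED_PAIRS):
    """Exchange each pair of address bits. The swap is an involution, so the
    same function converts logical -> physical and physical -> logical."""
    out = addr
    for x, y in pairs:
        if ((addr >> x) & 1) != ((addr >> y) & 1):
            out ^= (1 << x) | (1 << y)   # bits differ: flip both
    return out


def descramble(raw, pairs=SWAPPED_PAIRS):
    """Return the image as the CPU sees it. The byte at logical address a was
    captured at raw[remap_address(a)] when the dump went through swapped lines."""
    if len(raw) != FLASH_SIZE:
        raise ValueError("expected a full 128K (0x20000-byte) dump")
    return bytes(raw[remap_address(a, pairs)] for a in range(len(raw)))


def scramble(straight, pairs=SWAPPED_PAIRS):
    """Simulate reading a straight image through the swapped wiring.
    Because the mapping is an involution this is the same operation."""
    return descramble(straight, pairs)


def make_sample_image():
    """Constructed 128K image whose byte depends on its address, so a single
    misrouted address line shows up as a mismatch after descrambling."""
    return bytes(((a * 31) ^ (a >> 7)) & 0xFF for a in range(FLASH_SIZE))


if __name__ == "__main__":
    img = make_sample_image()
    raw = scramble(img)             # what a programmer would read
    fixed = descramble(raw)
    print("round trip ok:", fixed == img)
    print("logical $0002 came from physical $%04X" % remap_address(0x0002))
```

If the straightened image still disassembles to nonsense, the usual cause is a pair missing from or misread in the list; comparing a known constant vector (the 68HC11 reset vector at the top of the 64K map) against the straightened bytes is a quick sanity check before disassembling the whole image.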

sabercatpuck
December 25th, 2009, 05:35 AM
Here are a couple of code snippets around the Port G memory bank switch routine and a couple of the entry points. Note, this was disassembled with DHC11.exe so a few of the mnemonics may be slightly different.

55FE tovfrtn:
55FE ldaA #$80
5600 staA TFLG2
5603 ldaA >L00EE
5606 incA
5607 bne L560A
5609 decA
560A L560A staA >L00EE
560D reti
;
560E L560E: tPA
560F pushA
5610 di
5611 ldaA PortG
5614 andA #%00000011
5616 pushA
5617 ldaA PortG
561A andA #%11111100
561C tstB
561D beq L5622
561F decB
5620 bne L5626
5622 L5622 oraA #%00000000
5624 jr L562F
;
5626 L5626 decB
5627 bne L562D
5629 oraA #%00000011
562B jr L562F
;
562D L562D oraA #%00000010
562F L562F staA PortG
5632 popB
5633 popA
5634 pushB
5635 tAP
5636 call 0, X
5638 tPA
5639 di
563A ldaB PortG
563D andB #%11111100
563F tSX
5640 oraB 0, X
5642 staB PortG
5645 popB
5646 tAP
5647 ret
;
5648 L5648: tPA
5649 pushA
564A di
564B ldaA PortG
564E tAB
564F andB #%00000011
5651 andA #%11111100
5653 oraA #%00000000
5655 jr L5673
;
5657 L5657: tPA
5658 pushA
5659 di
565A ldaA PortG
565D tAB
565E andB #%00000011
5660 andA #%11111100
5662 oraA #%00000011
5664 jr L5673
;
5666 L5666: tPA
5667 pushA
5668 di
5669 ldaA PortG
566C tAB
566D andB #%00000011
566F andA #%11111100
5671 oraA #%00000010
5673 L5673 staA PortG
5676 popA
5677 pushB
5678 tAP
5679 call 0, X
567B tPA
567C di
567D ldaB PortG
5680 andB #%11111100
5682 tSX
5683 oraB 0, X
5685 staB PortG
5688 popB
5689 tAP
568A ret

620A L620A staA 31, X
620C ldD 0, Y
620F stD 32, X
6211 pushY
6213 pushX
6214 pushX
6215 popY
6217 ldX #$BA48
621A call L5666
621D popX
621E popY
6220 popA
6221 tAP

671E stD 8, X
6720 stY 10, X
6723 ldaA #$0A
6725 staA 22, X
6727 bset 1, X, #%00010000
672A bset 0, X, #%00010100
672D ldX #$A383
6730 call L5666
6733 ldX #$9FAD
6736 call L5666
6739 ret

joecar
December 25th, 2009, 10:03 AM
You're having too much fun...

What's tPA, tAP...? Does it swap two registers...?

What's di...?

Mr. P.
December 25th, 2009, 12:25 PM
Gawd the last time I looked at assembler must have been over 20 years ago LOL

Mr. P. :)

sabercatpuck
December 25th, 2009, 12:27 PM
> You're having too much fun...
>
> What's tPA, tAP...? Does it swap two registers...?
>
> What's di...?

TAP and TPA move bytes between the A and the condition register. The CR is where several flags are kept, like carry, zero, etc. DI disables the interrupts.
As for having fun, yep, been a while since I had a good reason to do assembly language stuff. Put it this way, other than a couple of classes in college, the last time I worked on something like this I was messing around with a Commodore 64, and they were still fashionable for home computers at the time. In other words, something fun to do.

sabercatpuck
December 25th, 2009, 12:47 PM
> Gawd the last time I looked at assembler must have been over 20 years ago LOL
>
> Mr. P. :)

Last serious stuff I did was in the 80's on 6502. Although some of the page swapping stuff I did back then could be useful for this little project. That's what I get for seeing someone say it can't be done. Just had to see for myself.

GMPX
December 25th, 2009, 02:55 PM
> I was messing around with a Commodore 64, and they were still fashionable for home computers at the time. In other words, something fun to do.

Now we're talking, resident Commodore fan reporting for duty :hihi:

On the HC11 they do need to do some bank swapping as it can only access a 64K address space. I remember looking at this on some old circa '95 PCMs. I don't remember the exact routine that was used when swapping banks, but usually they just save some register states then enable/disable a port pin to switch banks.

Cheers,
Ross

sabercatpuck
December 29th, 2009, 02:30 PM
OK, finally figured out what they are doing with the bank switching. I thought it was weird how the lower half was easy to decipher but the upper half was being very problematic. It is because they don't use Port G to bank in the upper half as a whole; they use Port G to bank in three separate upper halves of memory, with some other device doing the decoding based on the inputs from A15 and the two ports of Port G.
So to make a long story short, it looks like I will have to disassemble 3 memory maps, not just two, on the engine side, and another one on the tranny side (almost done with that one though). I will have to break out the hex editor to properly merge the three parts together first.

Cougar281
December 29th, 2009, 03:18 PM
From what little I've done playing around with PIC microprocessors, some of that code (or how it functions, such as the TAP and TPA) seems very similar to the PIC programming...

scdyne
December 29th, 2009, 03:30 PM
If I'm not mistaken, Chris White has (in the past) offered calibration services for '99-'02 S-series Saturns. Hopefully he can chime in with a little help if he frequents this forum.


I look forward to seeing how far you can get with this..

sabercatpuck
December 30th, 2009, 05:23 AM
So I was thinking about the memory map this morning and it dawned on me that the biggest section of memory that I did not know what was going on in just so happened to be about $1100 to $1FFF. There is something else that fits those numbers very well: the mode $22 PID list. I have a feeling the PIDs fit into those locations directly.

sabercatpuck
December 31st, 2009, 02:58 PM
So is it just me, or does this look like the kind of table that would make one of those pretty 3D graphs?

AC9D db $FF, $FF, $FF, $FF, $F3, $E6, $DC, $D4, $CD, $C7
ACA7 db $C2, $BD, $B9, $B5, $B1, $AE, $AB, $A8, $A6, $A3
ACB1 db $A1, $9F, $9D, $9B, $99, $97, $95, $94, $92, $91
ACBB db $8F, $8E, $8C, $8B, $8A, $88, $87, $86, $85, $84
ACC5 db $83, $82, $81, $80, $7F, $7E, $7D, $7C, $7B, $7A
ACCF db $79, $78, $77, $77, $76, $75, $74, $73, $73, $72
ACD9 db $71, $70, $70, $6F, $6E, $6E, $6D, $6C, $6B, $6B
ACE3 db $6A, $6A, $69, $68, $68, $67, $66, $66, $65, $65
ACED db $64, $63, $63, $62, $62, $61, $61, $60, $60, $5F
ACF7 db $5E, $5E, $5D, $5D, $5C, $5C, $5B, $5B, $5A, $5A
AD01 db $59, $59, $58, $58, $57, $57, $56, $56, $55, $55
AD0B db $54, $54, $53, $53, $52, $52, $52, $51, $51, $50
AD15 db $50, $4F, $4F, $4E, $4E, $4D, $4D, $4C, $4C, $4C
AD1F db $4B, $4B, $4A, $4A, $49, $49, $48, $48, $47, $47
AD29 db $47, $46, $46, $45, $45, $44, $44, $43, $43, $43
AD33 db $42, $42, $41, $41, $40, $40, $3F, $3F, $3E, $3E
AD3D db $3E, $3D, $3D, $3C, $3C, $3B, $3B, $3A, $3A, $39
AD47 db $39, $38, $38, $38, $37, $37, $36, $36, $35, $35
AD51 db $34, $34, $33, $33, $32, $32, $31, $31, $30, $30
AD5B db $2F, $2F, $2E, $2D, $2D, $2C, $2C, $2B, $2B, $2A
AD65 db $2A, $29, $28, $28, $27, $27, $26, $25, $25, $24
AD6F db $23, $23, $22, $21, $21, $20, $1F, $1F, $1E, $1D
AD79 db $1C, $1C, $1B, $1A, $19, $18, $18, $17, $16, $15
AD83 db $14, $13, $12, $11, $10, $0E, $0D, $0C, $0B, $09
AD8D db $08, $06, $05, $03, $01, $00, $00, $00, $00, $00
AD97 db $00, $00, $00, $00, $00, $00, $FF, $FF, $FF, $FF
ADA1 fill $FF, 29
ADBE db $FD, $FB, $F9, $F7, $F5, $F4, $F2, $F0, $EE, $ED
ADC8 db $EB, $EA, $E8, $E7, $E5, $E4, $E2, $E1, $E0, $DE
ADD2 db $DD, $DC, $DB, $D9, $D8, $D7, $D6, $D5, $D4, $D3
ADDC db $D2, $D1, $CF, $CE, $CD, $CC, $CB, $CA, $CA, $C9
ADE6 db $C8, $C7, $C6, $C5, $C4, $C3, $C2, $C1, $C1, $C0
ADF0 db $BF, $BE, $BD, $BC, $BC, $BB, $BA, $B9, $B8, $B8
ADFA db $B7, $B6, $B5, $B5, $B4, $B3, $B2, $B2, $B1, $B0
AE04 db $AF, $AF, $AE, $AD, $AD, $AC, $AB, $AB, $AA, $A9
AE0E db $A9, $A8, $A7, $A6, $A6, $A5, $A5, $A4, $A3, $A3
AE18 db $A2, $A1, $A1, $A0, $9F, $9F, $9E, $9D, $9D, $9C
AE22 db $9B, $9B, $9A, $9A, $99, $98, $98, $97, $96, $96
AE2C db $95, $95, $94, $93, $93, $92, $91, $91, $90, $90
AE36 db $8F, $8E, $8E, $8D, $8C, $8C, $8B, $8B, $8A, $89
AE40 db $89, $88, $87, $87, $86, $85, $85, $84, $83, $83
AE4A db $82, $82, $81, $80, $80, $7F, $7E, $7E, $7D, $7C
AE54 db $7B, $7B, $7A, $79, $79, $78, $77, $77, $76, $75
AE5E db $74, $74, $73, $72, $71, $71, $70, $6F, $6E, $6E
AE68 db $6D, $6C, $6B, $6A, $69, $69, $68, $67, $66, $65
AE72 db $64, $63, $62, $61, $60, $5F, $5E, $5D, $5C, $5B
AE7C db $5A, $59, $58, $57, $56, $54, $53, $52, $51, $4F
AE86 db $4E, $4C, $4B, $49, $47, $46, $44, $42, $40, $3E
AE90 db $3C, $39, $36, $34, $30, $2D, $29, $24, $1F, $18
AE9A db $0F, $00, $00


Happy New Year everyone.

sabercatpuck
January 1st, 2010, 08:51 AM
So I suppose now that I have gotten to this point, I should ask the EFILive guys what info you need to start supporting these ECMs. I will do what I can to work toward that.

GMPX
January 1st, 2010, 11:45 PM
Sorry sabercatpuck, you're on your own on this one, we are pretty much mapped out for 2010 with 'new' controllers. Going back to 68HC11 stuff does nothing for me, sorry.

Cheers,
Ross

sabercatpuck
January 2nd, 2010, 01:48 AM
At least I know I won't be stepping on your toes, since it would be bad of me to thieve your business on your own forum.
There is some salivating going on on the Saturnfans forum for this, though. Of course most of them are thinking of mods and mpg gains rather than HP.

Cougar281
January 2nd, 2010, 03:39 AM
> Sorry sabercatpuck, you're on your own on this one, we are pretty much mapped out for 2010 with 'new' controllers. Going back to 68HC11 stuff does nothing for me, sorry.
>
> Cheers,
> Ross

I assume that means no hope for 2004+ 3800 Series III PCMs? :frown:

GMPX
January 2nd, 2010, 02:02 PM
> I assume that means no hope for 2004+ 3800 Series III PCMs? :frown:

I don't know about no hope, but the release of them would be met with 'custom OS' cries, much like what is happening with Tunercat, HPT, DHP and whoever else currently supports them. What GM has in there doesn't seem to be good enough for what people want to do with that engine.

You did remind me though, we have all the read bootloaders done for those PCMs (like 3 years ago). I should put them out for BBR.

Cheers,
Ross

GMPX
January 2nd, 2010, 02:06 PM
> At least I know I won't be stepping on your toes since it would be bad of me to thieve your business on your own forum.

Go for it, I hope you succeed in what you are trying to do. You should see if the DIYEFI forum is still going.

Cougar281
January 2nd, 2010, 09:07 PM
> I don't know about no hope, but the release of them would be met with 'custom OS' cries, much like what is happening with Tunercat, HPT, DHP and whoever else currently supports them. What GM has in there doesn't seem to be good enough for what people want to do with that engine.
>
> You did remind me though, we have all the read bootloaders done for those PCMs (like 3 years ago). I should put them out for BBR.
>
> Cheers,
> Ross

I'm not quite sure what kind of custom OS people want for it :nixweiss:; personally, I'd love just read/flash (full/cal) and basic tuning. I'm probably going to be doing some kind of supercharged swap in an 04 Grand Prix GT around April/May, and while I can flash a GTP cal into the PCM with my Tech2, if we just swap the motor or heads, the gear ratio will be wrong.

If you add the bootloader and want files, I have access to one, as well as 5 or 6 02-05 4-cyl PCMs that the tune tool doesn't know what to do with.

scdyne
January 3rd, 2010, 11:19 AM
> You did remind me though, we have all the read bootloaders done for those PCMs (like 3 years ago). I should put them out for BBR.
>
> Cheers,
> Ross

Yes, please...

joecar
January 3rd, 2010, 03:42 PM
Ross, do you have one for the 3.4L V6 LA1 engine...?

GMPX
January 3rd, 2010, 06:43 PM
Probably, Joe. I think we did read bootloaders for all V6s from the late 90's up.
But even so, you will have ctd files but nothing to do with them, almost like getting a new toy with no batteries.

joecar
January 4th, 2010, 04:33 AM
Ross, I understand... LOL, but at least I will be able to say "I have read the PCM"... :hihi:

sabercatpuck
January 4th, 2010, 12:32 PM
Well, I have just about finished up with disassembling the source code. I want to make another pass through it to make sure I found all of the code. What are the rules on posting the files on here?

Hopefully the logic analyzer should be here soon, and once I get that hooked up I will be able to try and zoom in on segments of the code. For instance, I can run the seed/key bully program and I should be able to target where the section of code that runs the Mode $27 stuff is and how it gets there. I figure once I have a few of those then I can go from there. I will need to find all of the tables (shouldn't be too hard, they stick out like a sore thumb against the code now), where they are loaded in memory, and what they are tables for. Now the real work begins.

joecar
January 4th, 2010, 07:18 PM
It's fine to post your files here... I like reading assembly/disassembly... please go ahead.... :)

scdyne
January 5th, 2010, 03:17 AM
We can compare with other known code and it will help identify tables. It may be a Saturn, but chances are most of the code in this ECU is the same as in other GM ECUs. Even as far back as OBDI Saturn ECUs I found a lot of the code to be the same as the LT1 diss and used that to find the good stuff.

sabercatpuck
January 5th, 2010, 01:10 PM
These are the two original bin files for the engine and tranny sides of the ECM (I don't know if calling them that is strictly correct yet, but most of the IO on the tranny side goes to the tranny and most of the IO on the engine side goes to the engine, so that is what I am going with for now). Note this is after decoding the address lines, so do not try to write this directly to the flash because it won't work so well for you.

sabercatpuck
January 5th, 2010, 01:12 PM
There looks like some weird stuff toward the end that I am not sure of yet, but otherwise this is mostly disassembled.

sabercatpuck
January 5th, 2010, 01:13 PM
This is the engine side lower 64K. Note the area near location $5666: there are several entry points that control a couple of bits on Port G. This is how it bank switches in the other two sections of upper memory. It loads the destination address into the X register, calls the appropriate subroutine to bank in the right section of memory, then does an indirect jump to get to the new section of code.

sabercatpuck
January 5th, 2010, 01:14 PM
This is bank 2; it physically resides on the flash from 10000 to 17fff.

sabercatpuck
January 5th, 2010, 01:15 PM
This is bank 3; it resides on the flash from 18000 to 1ffff.
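A model of the banking scheme the last few posts describe, added here as an example; it is not from the thread and not the ECU's code. It takes from the posts that the lower half of the 64K CPU map is fixed, that the upper half ($8000-$FFFF) is one of three 32K windows of the 128K flash chosen by an external decoder from A15 and Port G bits 1:0, that the entry points at $5648, $5657 and $5666 write %00, %11 and %10 to those bits, and that bank 2 lives at flash 10000-17fff and bank 3 at 18000-1ffff. Which Port G pattern selects which window is not stated in the thread; PG_TO_WINDOW is an assumption and is the one table to correct once the logic analyzer shows the real decode. The `cpu_view` function produces the merged 64K image the hex-editor step was about.

```python
"""Port G bank-switch model for the engine-side 68HC11F1 image.

Added example, not the thread's or the ECU's code. ASSUMED: the Port G bit
pattern -> flash window mapping in PG_TO_WINDOW. Taken from the thread: the
three entry points and the bit pattern each writes, and the flash offsets of
banks 2 and 3.
"""

FLASH_SIZE = 0x20000
UPPER_HALF = 0x8000                       # A15 = 1 from here up

# ASSUMED mapping of Port G bits 1:0 to the flash offset that appears at $8000.
PG_TO_WINDOW = {0b00: 0x08000, 0b11: 0x10000, 0b10: 0x18000}

# From the listing: entry point -> value OR'd into Port G bits 1:0.
ENTRY_POINT_PG = {0x5648: 0b00, 0x5657: 0b11, 0x5666: 0b10}


def window_base(portg):
    """Flash offset of the 32K window mapped at $8000 for this Port G value."""
    bits = portg & 0b11
    if bits not in PG_TO_WINDOW:
        raise ValueError("Port G %%%02d selects no window" % int(bin(bits)[2:]))
    return PG_TO_WINDOW[bits]


def cpu_to_flash(cpu_addr, portg):
    """Physical flash offset behind a 16-bit CPU address with this bank selected."""
    if not 0 <= cpu_addr <= 0xFFFF:
        raise ValueError("CPU address must be 16-bit")
    if cpu_addr < UPPER_HALF:             # A15 = 0: fixed lower half
        return cpu_addr
    return window_base(portg) + (cpu_addr - UPPER_HALF)


def cpu_view(flash, portg):
    """64K image exactly as the CPU sees it with this bank selected; feed this
    to the disassembler so upper-half addresses line up with the listing."""
    if len(flash) != FLASH_SIZE:
        raise ValueError("expected a full 128K image")
    base = window_base(portg)
    return bytes(flash[:UPPER_HALF]) + bytes(flash[base:base + UPPER_HALF])


def far_call_target(entry_point, x_reg):
    """Resolve the `ldX #target / call <entry>` idiom from the listing: the
    Port G value the entry point selects and the flash offset the callee runs from."""
    pg = ENTRY_POINT_PG[entry_point]
    return pg, cpu_to_flash(x_reg, pg)


if __name__ == "__main__":
    # Constructed image: each 32K quarter is filled with its own index (0..3).
    flash = bytes(i >> 15 for i in range(FLASH_SIZE))
    for ep, x in ((0x5666, 0xBA48), (0x5666, 0xA383), (0x5666, 0x9FAD)):
        pg, off = far_call_target(ep, x)
        print("call $%04X via $%04X -> Port G %s, flash $%05X (quarter %d)"
              % (x, ep, format(pg, "02b"), off, flash[off]))
```

The routine in the listing saves the caller's Port G bits in B before switching and restores them after the `call 0,X` returns, so a disassembly pass only needs the entry point and the X value at each call site to know which of the three `cpu_view` images the target belongs in.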

sabercatpuck
January 5th, 2010, 01:41 PM
By the way, these are some of the numbers on the IC's on the board just in case it helps:
185
16196452
e87j (this is the 68hc11F1)

18391m64
66285
delco 466

a8372y25
39194
delco 466

a8393p53
51862
delco 466

16132083
a 9832 736 (date code?)
m832316apa

flash
AN28f010 (the flash rom)

185
16185984
2e79n (68hc56fn, the dlc I/O device)

16132083
a 9833 736 (date code?)
m83309apa

18412r31
66285
delco 466

a8403m42
51862
delco

05799
t8383655
466

sabercatpuck
January 7th, 2010, 01:57 PM
Well, my Agilent LogicWave logic analyzers will hopefully show up tomorrow. Probably will take a bit to work the bugs out since they do not have cables (what can you expect for cheap :) ) but hopefully I can have them hooked up and reading by the end of the month. Then I should be able to start making heads or tails of the code. I think the biggest question mark is really what the tables mean (scaling etc.) and what ends up in any given memory address. At some point I will have to figure out how to get the stuff out of the EEPROM on the CPU as well.

joecar
January 7th, 2010, 02:11 PM
Acquiring the Agilent is cool...:cheers:

I acquired an old HP (before Agilent) and an old Tektronix (I asked my work if I could have them since they were being thrown out, and my work said yes)...

so now I need (for LS1):
- to get the card out of a spare PCM,
- a way to read the raw bin from it,
- a 68332 disassembler (preferably free).

:hihi:

sabercatpuck
January 7th, 2010, 02:57 PM
Took a quick run around the net and did not pull up a free disassembler. IDA is supposed to be good for many processors, but it isn't free.

BTW, I do think I have a way of getting the stuff off of the EEPROM. Once I have the LogicWaves hooked up, I just write a small section of code that will set the appropriate register bits, then pick a spot and read and write them on the data bus; the logic analyzer will pick up the code just fine. Eventually I should be able to do it with just mode $27 stuff, I would think, but my early attempts to make that work have been less than fruitful. At least I have made it past getting the seed/key pair though.

sabercatpuck
January 14th, 2010, 12:18 PM
Well, I officially have the logic analyzers up and working. Just need to make the connections and away I go.

sabercatpuck
January 20th, 2010, 04:02 AM
Well, for those of you playing the home game :) I have some info from logic analyzer world. The major enhanced mode entry points. This is all in the 3rd upper memory block.

Mode  Entry
10    $8F26
12    $8FE8
13    $9103
14    $91E2
17    $91F9
18    $946D
19    $964E
20    $98AC
22    $98DD
23    $991C
25    $9963
27    $9971
28    $99FA
29    $9A44
2A    $9A42
2B    $9C28
2C    $9C7C
31    $9DF6
32    $9DF6
33    $9DF6
34    $9E44
35    $9EA6
3B    $A4B6
3C    $A4B6
3F    $A8CD

The jump table that accesses these actually shows 4 lower, but when the indirect call is made it adds 4 to the address.

Dust
November 11th, 2010, 06:53 PM
Have you gotten any further with this?

sabercatpuck
December 21st, 2010, 02:54 PM
I have been off on honey-do projects for a while. If things go relatively well this winter I am hoping to have a chance to go at it some more.

N0DIH
January 4th, 2012, 11:32 AM
Any chance the honey-do projects have subsided? :)

sabercatpuck
February 19th, 2012, 10:57 AM
I am currently well on my way to having at least the basic shell together for a 68HC11 reverse assembler (based in Windows Excel VBA) so I can quickly take the data dumps from the logic analyzers and convert them into readable assembly code. I have moved over to a different DIY board