
Thread: 99 Saturn crack log

  1. #1
    Junior Member
    Join Date
    Dec 2009
    Posts
    22

    Default 99 Saturn crack log

    I decided to start a thread to document things as I move along in cracking the ECU of a '99 Saturn. The specific type I pulled from the JY was from a 1.9L DOHC Auto tranny. I have it sitting on a computer with a script running to try to find the seed/key pair. There are 2 halves to this board, one primarily for the engine side and one for the tranny. I have socketed the 28F010 flash ROMs and pulled both the straight image and one that has the address lines straightened out (the A1-A13, 2-A12, A3-A11, and A10-A14 lines were swapped). With the decoded image I have mostly made it through the decoding of the tranny side chip, it is fairly straightforward with only the lower 64K of the chip used. The engine side chip is a little more tricky. It has several routines near $5666 for bank switching between the lower and upper halves of the flash (128K flash) using port G on the 68HC11F1 processor.

    The only other thing at the moment that I have is that there is a 40 header on the board which accesses many of the address and data lines:

    Signal       Pin  Pin  Signal
    A4             1    2
    A3             3    4  Ground
    A2             5    6
                   7    8  A1
                   9   10  A0
                  11   12  A5
    A6            13   14  A8
    A7            15   16  A9
    A10           17   18  D7
    A11           19   20  D6
    A12           21   22  D5
    A13           23   24  D4
    A14           24   25  D0
    A15           27   28  D1
    R/W           29   30  D2
    Reset         31   32  D3
    Moda/LIR      33   34  PD1/TXTD
    PD1/RXD       35   36  E
    ModB/Vstby    37   38  ground
    XIRQ          39   40

    I did the ohm checks on the tranny side and I have not yet compared them to the engine side, I would suspect at least adding support for A16.

    Well that is where I am for now. I will keep things up to date when I learn them.
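
The address-line straightening described in the post above, as an added example that is not part of the original post. It assumes the raw dump is a full 128K 28F010 image and reads "2-A12" as A2 swapped with A12; the function names are made up for this illustration.

```python
# Added example: undo the swapped address lines in a raw 28F010 dump.
FLASH_SIZE = 128 * 1024  # 28F010 is 128K x 8, so address lines A0..A16

# Swapped pairs from the post; "2-A12" is read as A2<->A12 (assumption).
SWAPPED_PAIRS = [(1, 13), (2, 12), (3, 11), (10, 14)]


def build_bit_map(pairs, width):
    """bit_map[i] is the address bit that bit i is routed to."""
    bit_map = list(range(width))
    for a, b in pairs:
        bit_map[a], bit_map[b] = bit_map[b], bit_map[a]
    return bit_map


def permute_address(addr, bit_map):
    """Move every set bit of addr to the position given by bit_map."""
    out = 0
    for src, dst in enumerate(bit_map):
        if addr & (1 << src):
            out |= 1 << dst
    return out


def descramble(raw, pairs=SWAPPED_PAIRS):
    """Return the image in CPU address order.

    Pairwise swaps are their own inverse, so the same call also turns a
    straightened image back into the as-read one.
    """
    width = max(len(raw).bit_length() - 1, 0)
    if len(raw) != 1 << width or width <= max(max(p) for p in pairs):
        raise ValueError("image must be a power of two in size and span every swapped line")
    bit_map = build_bit_map(pairs, width)
    return bytes(raw[permute_address(a, bit_map)] for a in range(len(raw)))


def self_check():
    """Round-trip a constructed 128K image (not data from a real ECU)."""
    logical = bytes((a * 7 + (a >> 8)) & 0xFF for a in range(FLASH_SIZE))
    as_read = descramble(logical)  # what the programmer would dump
    return as_read != logical and descramble(as_read) == logical


if __name__ == "__main__":
    print("round trip ok:", self_check())
    print("CPU $5666 is at raw offset $%04X" % permute_address(0x5666, build_bit_map(SWAPPED_PAIRS, 17)))
```
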

  2. #2
    Junior Member
    Join Date
    Dec 2009
    Posts
    22

    Default

    Here are a couple of code snippets around the Port G memory bank switch routine and a couple of the entry points. Note, was disassembled with DHC11.exe so a few of the mnemonics may be slightly different.

    55FE tovfrtn:
    55FE ldaA #$80
    5600 staA TFLG2
    5603 ldaA >L00EE
    5606 incA
    5607 bne L560A
    5609 decA
    560A L560A staA >L00EE
    560D reti
    ;
    560E L560E: tPA
    560F pushA
    5610 di
    5611 ldaA PortG
    5614 andA #%00000011
    5616 pushA
    5617 ldaA PortG
    561A andA #%11111100
    561C tstB
    561D beq L5622
    561F decB
    5620 bne L5626
    5622 L5622 oraA #%00000000
    5624 jr L562F
    ;
    5626 L5626 decB
    5627 bne L562D
    5629 oraA #%00000011
    562B jr L562F
    ;
    562D L562D oraA #%00000010
    562F L562F staA PortG
    5632 popB
    5633 popA
    5634 pushB
    5635 tAP
    5636 call 0, X
    5638 tPA
    5639 di
    563A ldaB PortG
    563D andB #%11111100
    563F tSX
    5640 oraB 0, X
    5642 staB PortG
    5645 popB
    5646 tAP
    5647 ret
    ;
    5648 L5648: tPA
    5649 pushA
    564A di
    564B ldaA PortG
    564E tAB
    564F andB #%00000011
    5651 andA #%11111100
    5653 oraA #%00000000
    5655 jr L5673
    ;
    5657 L5657: tPA
    5658 pushA
    5659 di
    565A ldaA PortG
    565D tAB
    565E andB #%00000011
    5660 andA #%11111100
    5662 oraA #%00000011
    5664 jr L5673
    ;
    5666 L5666: tPA
    5667 pushA
    5668 di
    5669 ldaA PortG
    566C tAB
    566D andB #%00000011
    566F andA #%11111100
    5671 oraA #%00000010
    5673 L5673 staA PortG
    5676 popA
    5677 pushB
    5678 tAP
    5679 call 0, X
    567B tPA
    567C di
    567D ldaB PortG
    5680 andB #%11111100
    5682 tSX
    5683 oraB 0, X
    5685 staB PortG
    5688 popB
    5689 tAP
    568A ret

    620A L620A staA 31, X
    620C ldD 0, Y
    620F stD 32, X
    6211 pushY
    6213 pushX
    6214 pushX
    6215 popY
    6217 ldX #$BA48
    621A call L5666
    621D popX
    621E popY
    6220 popA
    6221 tAP

    671E stD 8, X
    6720 stY 10, X
    6723 ldaA #$0A
    6725 staA 22, X
    6727 bset 1, X, #%00010000
    672A bset 0, X, #%00010100
    672D ldX #$A383
    6730 call L5666
    6733 ldX #$9FAD
    6736 call L5666
    6739 ret
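
One way to annotate the cross-bank calls in a listing like the one above, as an added example that is not part of the original post. The bank-bit table is a reading of the `oraA` operands at L5648, L5657 and L5666 made for this example; the B-selected entry at L560E is not handled, and only `popX`, `tSX` and calls are treated as invalidating X.

```python
import re

# Low two Port G bits each entry point ORs in before "staA PortG",
# read off the listing above (interpretation added here, not the poster's).
TRAMPOLINES = {"L5648": 0b00, "L5657": 0b11, "L5666": 0b10}

# address, optional Lxxxx label, mnemonic, operand text
LINE_RE = re.compile(r"^\s*([0-9A-F]{4})\s+(?:L[0-9A-F]{4}:?\s+)?(\w+)\s*(.*)$")
IMM16_RE = re.compile(r"#\$([0-9A-F]{1,4})")

# Two call sites copied from the listing in the post.
SAMPLE = """\
6213 pushX
6214 pushX
6215 popY
6217 ldX #$BA48
621A call L5666
672D ldX #$A383
6730 call L5666
6733 ldX #$9FAD
6736 call L5666
6739 ret
"""


def banked_calls(listing):
    """Return (call_site, target, port_g_bits) for each ldX #imm / call pair."""
    found, x_value = [], None
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, op, arg = int(m.group(1), 16), m.group(2), m.group(3).strip()
        if op == "ldX":
            imm = IMM16_RE.fullmatch(arg)
            x_value = int(imm.group(1), 16) if imm else None
        elif op == "call":
            if arg in TRAMPOLINES and x_value is not None:
                found.append((addr, x_value, TRAMPOLINES[arg]))
            x_value = None  # the callee may change X
        elif op in ("popX", "tSX"):
            x_value = None  # X overwritten with a value not known statically
    return found


if __name__ == "__main__":
    for site, target, bits in banked_calls(SAMPLE):
        print("$%04X -> $%04X with Port G low bits %s" % (site, target, format(bits, "02b")))
```
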

  3. #3
    Joe (Moderator) joecar's Avatar
    Join Date
    Apr 2003
    Posts
    27,752

    Default

    You're having too much fun...

    What's tPA, tAP...? Does it swap two registers...?

    What's di...?

  4. #4
    Lifetime Member Mr. P.'s Avatar
    Join Date
    May 2007
    Posts
    259

    Default

    Gawd the last time I looked at assembler must have been over 20 years ago LOL

    Mr. P.

  5. #5
    Junior Member
    Join Date
    Dec 2009
    Posts
    22

    Default

    Quote Originally Posted by joecar View Post
    You're having too much fun...

    What's tPA, tAP...? Does it swap two registers...?

    What's di...?
    Tap and tpa move bytes between the A and the condition register. The CR is where several flags are kept, like carry, zero, etc. Di disables the interrupts.
    As for having fun, yep, been a while since I had a good reason to do assembly language stuff. Put it this way, other than a couple classes in college the last time I worked on something like this I was messing around with a Commodore 64, and they were still fashionable for home computers at the time. In other words something fun to do.

  6. #6
    Junior Member
    Join Date
    Dec 2009
    Posts
    22

    Default

    Quote Originally Posted by Mr. P. View Post
    Gawd the last time I looked at assembler must have been over 20 years ago LOL

    Mr. P.
    Last serious stuff I did was in the 80's on 6502. Although some of the page swapping stuff I did back then could be useful for this little project. That's what I get for seeing someone say it can't be done. Just had to see for myself.

  7. #7
    Forum tyhee Site Admin GMPX's Avatar
    Join Date
    Apr 2003
    Posts
    12,767

    Default

    Quote Originally Posted by sabercatpuck View Post
    I was messing around with a Commodore 64, and they were still fashionable for home computers at the time. In other words something fun to do.
    Now we're talking, resident Commodore fan reporting for duty

    On the HC11 they do need to do some bank swapping as it can only access a 64K address space. I remember looking at this on some old circa 95 PCMs, I don't remember the exact routine that was used when swapping banks, but usually they just save some register states then enable/disable a port pin to switch banks.

    Cheers,
    Ross
    Need official EFILive help, please go here.
    For tuning support please post your questions on this forum (or other auto forums).
    Sorry if I don't respond to your PM, don't take it personal.


  8. #8
    Junior Member
    Join Date
    Dec 2009
    Posts
    22

    Default

    OK, finally figured out what they are doing with the bank switching. I thought it was weird how the lower half was easy to decipher but the upper half was being very problematic. It is because they don't use port G to bank in the upper half as a whole, they use port G to bank in three separate upper halves of memory with some other device doing the decoding based on the inputs from A15 and the two ports of Port G.
    So to make a long story short, looks like I will have to disassemble 3 memory maps, not just two on the engine side, and another one on the tranny side (almost done with that one though). I will have to break out the hex editor to properly merge the three parts together first.

  9. #9
    Lifetime Member Cougar281's Avatar
    Join Date
    Jan 2006
    Posts
    820

    Default

    From what little I've done playing around with PIC microprocessors, some of that code (or how it functions, such as the Tap and tpa) seems very similar to the PIC programming...

  10. #10
    Senior Member
    Join Date
    Dec 2007
    Posts
    134

    Default

    If I'm not mistaken Chris White has (in the past) offered calibration services for '99-'02 S-series Saturns. Hopefully he can chime in with a little help if he frequents this forum.


    I look forward to seeing how far you can get with this..
    -Adam Chant
    Tune it or lose it!
    2007 Saturn SKY 2.4L Automatic - E67
    EFILive Tuned
