
Thread: Help! Trying to understand code written for the MC68336

  1. #1
    Potential Tuner (Join Date: Dec 2015, Posts: 1)

    Hi All,

    I'm looking for some help trying to disassemble and work my way through the code for a 3rd-gen Saturn S-Series (2002). It's based on the MC68336, which is very similar to the MC68332.

    Background: I did a manual swap on my car a few years ago, worked flawlessly. Emissions testing changed in my area and now my swap would cause me to fail as the PCM throws some transmission codes that are emissions related. I tried swapping in a manual PCM, and unfortunately I can't get this to marry to the BCM through any method, including trying with GM's own software & an MDI. Through the same MDI & software I *can* reprogram a manual PCM to be an automatic...still doesn't help me though.

    Tools acquired:
    -eeprom programmer & sockets
    -MDI
    -IDA pro

    Goals:
    I have both manual and auto bins read, they differ by only a few blocks of code. What I'd like to do is disassemble an auto bin and change it just enough to turn it into a manual bin. Conversely, I could just change the passkey information of a manual bin to "force" it to be married to the BCM.

    Requests:
    -can anyone point me to some 68332 full bins (not just cals) that I can try to look at? I've found some links, but they seem to have all dried up.
    -are there any IDA experts in here that can provide a little one-on-one assistance in disassembling? I'm sure it's a powerful tool, but it's my first time using it for anything, including this task.

    I'm an EE btw, mainly high speed digital design, but I have some experience with programming in assembly on simpler 8-bit MCUs.

    Thanks for any help you can provide.
    Ivan

  2. #2
    Advanced Tuner (Join Date: Feb 2010, Posts: 400)
    I've done some IDA disassembly, but it just spits out move, add, computer language, machine code, no comments or cheats to be found that I can tell, so the disassembly was pretty much useless.

  3. #3
    Advanced Tuner (Join Date: Aug 2015, Posts: 230)
    Quote Originally Posted by 04colyZQ8:
    I've done some IDA disassembly, but it just spits out move, add, computer language, machine code, no comments or cheats to be found that I can tell, so the disassembly was pretty much useless.
    If you can't get hold of any manufacturer data you can still reverse engineer it the old-school way.

    • First find the UDS/OBD command handler in the assembler by searching for the case statement with the various OBD commands; this shouldn't take you more than an hour with some simple regex.
    • Once you find that trace through until you find the OBD PID command handler. This can be difficult as it might require tracing through 20+ subroutines that are easy to get lost in.
    • From the PID command handler you can find the relationship of RAM address to PID number. This will require some knowledge of stack pointers and stack offsets.
    • With the relationship above defined you can now start commenting the assembler RAM addresses (some of them) and from there deduce what specific routines do.

    This method relies on you having a significant amount of PIDs for the areas you are interested in, bonus if you can sniff some DMR/RAM addresses from manufacturer tools. Remember that every single firmware image will have different addresses, so you need to do this per car.

    I managed to decipher the VCT/spark algorithm (in Spanish Oak Fords) using the above technique. Once you get manufacturer data it becomes a walk in the park though, as you can comment thousands of variables with some simple IDA scripting. It is pretty hard to motivate yourself to do it the old-school way when you see what the commented asm looks like using manufacturer data.
    Last edited by rolls; 06-05-2017 at 07:31 PM.
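The first and third steps of the procedure in post #3 (locate the service dispatch by the cluster of compares against known OBD/UDS service IDs, then pair each PID compare in the handler with the RAM read that follows it), worked as an added Python example over a constructed IDA-style 68k listing. This is not code from the thread; the addresses, handler layout and PID-to-RAM pairs are made up for illustration and a real image will need the regexes adjusted to its own listing style.

```python
import re
# Constructed IDA-style MC68k listing (not from any real PCM image).
LISTING = """\
ROM:0001A200     move.b  (a2),d0
ROM:0001A202     cmpi.b  #1,d0
ROM:0001A206     beq.w   loc_1A300
ROM:0001A20A     cmpi.b  #$22,d0
ROM:0001A212     cmpi.b  #$3E,d0
ROM:0001A216     beq.w   loc_1A380
ROM:0001A21A     cmpi.b  #$10,d0
ROM:0001A300     move.b  1(a2),d1
ROM:0001A302     cmpi.b  #$C,d1
ROM:0001A306     bne.s   loc_1A310
ROM:0001A308     move.w  ($FFB030).w,d0
ROM:0001A310     cmpi.b  #$D,d1
ROM:0001A316     move.b  ($FFB042).w,d0
ROM:00022000     cmpi.b  #$22,d0
"""

CMP = re.compile(r"^ROM:([0-9A-F]{8})\s+cmpi\.b\s+#(\$?[0-9A-F]+),d\d", re.M)  # immediate compare
MEM = re.compile(r"^ROM:([0-9A-F]{8})\s+move\.[bwl]\s+\(\$([0-9A-F]+)\)\.[wl],d\d", re.M)  # absolute RAM read
SERVICES = {0x01, 0x02, 0x03, 0x04, 0x09, 0x10, 0x22, 0x27, 0x3E}  # OBD-II modes and common UDS services

def imm(text):
    """IDA prints small immediates in decimal (#1) and larger ones in hex (#$22)."""
    return int(text[1:], 16) if text.startswith("$") else int(text)

def find_service_dispatch(listing, window=0x40):
    """Return (addr, services) for the densest run of compares against service IDs."""
    hits = [(int(a, 16), imm(v)) for a, v in CMP.findall(listing) if imm(v) in SERVICES]
    best = (0, [])
    for i, (start, _) in enumerate(hits):
        seen = sorted({v for a, v in hits[i:] if a - start <= window})
        if len(seen) > len(best[1]):
            best = (start, seen)
    return best

def map_pids_to_ram(listing, handler, window=0x100):
    """Pair each PID compare inside the handler with the first RAM read after it."""
    ops = sorted([(int(a, 16), "cmp", imm(v)) for a, v in CMP.findall(listing)]
                 + [(int(a, 16), "mem", int(v, 16)) for a, v in MEM.findall(listing)])
    pids, cur = {}, None
    for addr, kind, val in ops:
        if not handler <= addr < handler + window:
            continue
        if kind == "cmp":
            cur = val
        elif cur is not None and cur not in pids:
            pids[cur] = val
    return pids
```

The dispatch finder reports the address of the first compare in the densest cluster; feed that region's branch targets into map_pids_to_ram one handler at a time, then use the returned PID-to-address table to name and comment the RAM locations as the post describes.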