Cim: Difference between revisions

From Saab Wiki
(Created page with "# SAAB 9-3 CIM Dorking MCU: M306NAFGTFP 10k RAM 256K ROM ## Starting it in bench ____________________________________________ | +B PH PL +15 | | 17 18 19 20 21 22 23 24 25 | | | | 1 2 3 4 5 6 7 8 9 11 12 14 15 | |+30 GND GND | |____________________________________________| PH P-bus CAN High PH P-bus CAN Lo...")
 
No edit summary
 
(34 intermediate revisions by the same user not shown)
Line 1: Line 1:
# SAAB 9-3 CIM Dorking
<h1>Saab 9-3 CIM Column Integrated Module</h1>


MCU: M306NAFGTFP
[[file: cim.jpeg|450px|]]


10k RAM
<b>MCU</b>: M306NAFGTFP<br>
256K ROM
<b>RAM:</b> 10k<br>
<b>ROM:</b> 256k<br>


[[file: Cim mcu.jpeg|450px]]


## Starting it in bench
<h2>Starting it in bench</h2>
     ____________________________________________
     ____________________________________________
     |    +B      PH PL +15                      |
     |    +B      PH PL +15                      |
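Review bot: The headings and labels in this hunk switch from Markdown to raw HTML (`<h1>`, `<h2>`, `<b>…</b><br>`), while other lines added in the same revision use wikitext (`'''Type:'''`, `== UART ==`). Pick one markup style for the whole page; the wikitext forms are already in use further down, so `== Starting it in bench ==` and `'''MCU:'''` would keep it consistent. Also, `[[file: cim.jpeg|450px|]]` carries a trailing empty `|` that `[[file: Cim mcu.jpeg|450px]]` does not.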
Line 16: Line 18:
     |____________________________________________|
     |____________________________________________|


PH P-bus CAN High
PH P-bus CAN High<br>
PH P-bus CAN Low
PL P-bus CAN Low<br>


### Power
<h3>Power</h3>
12v to pin 1, 18 and 23, ground on pin 3 & 7
12v to pin 1, 18 and 23, ground on pin 3 & 7


pin 18 is the "wakeup" signal to CIM from ISM, it's a switch that engages when a key is inserted
pin 18 is the "wakeup" signal to CIM from ISM, it's a switch that engages when a key is inserted<br>
pin 23 is the "key in on position" signal from ISM
pin 23 is the "key in on position" signal from ISM<br>
<br>
if 18 and 23 is not powered the CIM will not start broadcasting on the p-bus. unknown if it's listening with only +30 yet<br>


if 18 and 23 is not powered the CIM will not start broadcasting on the pbus. unknown if it's listening with only +30 yet
<h2>I-bus</h2>
 
## I-bus
All 3 I-bus pinns are connected to each other(!??)
All 3 I-bus pinns are connected to each other(!??)


## P-bus
<h2>P-bus</h2>


### Broadcasted Message id's
<h3>Broadcasted Message id's</h3>


     0x0C1
     0x0C1
Line 41: Line 43:
     0x381
     0x381


## GlobalTIS binarys
<h2>GlobalTIS binarys</h2>
Remove 20 first bytes from 176kb file to make all vector tables etc line up in IDA
Remove 20 first bytes from 176kb file to make all vector tables etc line up in IDA


### Header
<h3>Header</h3>
     5F 6E | 00 01 21 | 00 C3 7A E6 | 41 41 | 01 00 0D 00 00  | 00 02 BE 00                  |
     5F 6E | 00 01 21 | 00 C3 7A E6 | 41 41 | 01 00 0D 00 00  | 00 02 BE 00                  |
     ????  | same in  | 12810982    |  AA  | write dest? same | 179712 size after 20b header |
     ????  | same in  | 12810982    |  AA  | write dest? same | 179712 size after 20b header |
     crc16?| all bins | module name |  rev  | in all bins      | same in all bins            |
     crc16?| all bins | module name |  rev  | in all bins      | same in all bins            |


## Memory layout
<h2>CAN</h2>
CIM listens to 0x245 on p and i-bus and replies on 0x645
 
<h2>Memory layout</h2>


Dumping memory from CIM using $23 over GMLAN is possible for the following ranges
Dumping memory from CIM using $23 over GMLAN is possible for the following ranges
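Review bot: The new CAN section (`CIM listens to 0x245 on p and i-bus and replies on 0x645`) sits between Header and Memory layout, away from the P-bus section that lists the broadcast IDs, and it does not say what the 0x245/0x645 pair is used for. If these are the IDs used for the `$23` reads described under Memory layout, state that there; otherwise move the line up beside the broadcast ID list. The header table still labels its first field `????` / `crc16?`, so it is worth marking that column explicitly as unverified.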
Line 60: Line 65:
     0x8000A0 contains a power on counter
     0x8000A0 contains a power on counter


## Rs232 dumping
<h2>Serial dumping</h2>
MCU is ID locked, ID is currently unknown
MCU is ID locked, ID is currently unknown


## EEPROM
<h2>EEPROM</h2>
 
'''Type:''' 93LC66A-I<br>
'''Packaging:''' SOP8<br>
 
 
[[file: Cim eeprom.jpeg|450px|]]
 
    CS connected to P50 CS0
    DI to P49 CS1
    DO to P39 RDY/CLKOUT
    SK/CLK to P51
    DC to GND
 
== UART ==
 
    USART 0 -> "K-Line 1"    < SCL (Steering Column Lock)  >
    USART 1 ->              < SAS (Steering Angle Sensor)  > (blue connector)
    USART 2 -> "K-Line 2"    < ISM (Ignition Switch Module) >
 
 
<h2>Other</h2>
 
<pre>
bojer:Random note: CIM eeprom addresses 0x65 to 0x72 must be bit map of dtc errors presen
bojer: bits represent errors and if you count 1s you get number of dtcs present
bojer: as in flipping bit 29 will get you B3598 04
Only variable is sas - it has additional data section at the end  of eeprom file
 
bojer: Side note on transponder - for cim to think it is valid key it needs to have isk locked AND protect write user pages (PWUP) flag on
bojer: as in: page 3 first byte needs to be 0x96
 
chriva: Found what I wanted to know. If 0F_BE03 is not set to 0x8f it's simply not going to jump to the main firmware.
As for how it knows where to enter the main firmware:  That's a tribyte-address stored at 0F_BDED
 
chriva: The utility program is to be stored at EXACTLY address 0x614 and up. All those weird bytes finally made sense
 
uart2 goes to pin 17 of CIM (comm with ISM)
 
UART0 - SCL communication
UART1 - SAS + bootloader
UART2 - ISM communication
0 and 2 are multiplexed
 
I think in normal conditions all of them run at 9600
12V tx and rx on same line


CS connected to P50 CS0
I suspect 0xc3 might be CIM options
DI to P49 CS1
add/remove sensonic steering wheel controls changes here c2 87 to e2 87
DO to P39 RDY/CLKOUT
and I can confirm that in those same two bytes is also stored info about cruise control
SK/CLK to P51
  PM]bojer: I think it will be 8080
DC to gnd
[10:57 PM]bojer: Or at least 8000
[10:57 PM]bojer: 0x0080 might be steering buttons


## Other


H000004457
[8:25 PM]bojer: Note to self and others: cim is picky about what you have stored in P3 of key transponder (one with config bits) - there are 3 bytes left that MUST match
[8:29 PM]bojer: In  working added key it should be: 96AA4854, no problem. my key for some reason (bit flip?) had 96AA4855 and CIM refused to accept key
[8:35 PM]bojer: new key should have 06AA4854
</pre>
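Review bot: The UART assignment is now stated twice, once in the new `== UART ==` table (USART 0/1/2) and again inside the `<pre>` chat paste (UART0/1/2), and only the second copy mentions the bootloader on UART1 and that 0 and 2 are multiplexed. Merge both into the UART section so there is one place to check. Inside the `<pre>` block one timestamp is clipped (` PM]bojer: I think it will be 8080`) and several lines have no speaker, so it is unclear who is making the 0xc3 observation; the old `H000004457` line is also dropped while the revision has no edit summary to explain why.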

Latest revision as of 20:35, 5 February 2023

Saab 9-3 CIM Column Integrated Module

Cim.jpeg

MCU: M306NAFGTFP
RAM: 10k
ROM: 256k

Cim mcu.jpeg

Starting it on the bench

    ____________________________________________
   |    +B       PH PL +15                      |
   | 17 18 19 20 21 22 23 24 25                 |
   |                                            |
   |  1  2  3  4  5  6  7  8  9   11 12  14 15  |
   |+30    GND         GND                      |
   |____________________________________________|

PH P-bus CAN High
PL P-bus CAN Low

Power

12 V to pins 1, 18 and 23, ground on pins 3 and 7

Pin 18 is the "wakeup" signal to the CIM from the ISM; it is a switch that engages when a key is inserted.
Pin 23 is the "key in on position" signal from the ISM.

If pins 18 and 23 are not powered, the CIM will not start broadcasting on the P-bus. It is not yet known whether it listens with only +30 connected.

I-bus

All 3 I-bus pins are connected to each other (!??)

P-bus

Broadcast message IDs

   0x0C1
   0x0C5
   0x180
   0x1F5
   0x380 audio RDS status?
   0x381

GlobalTIS binaries

Remove the first 20 bytes from the 176 KB file so that the vector tables etc. line up in IDA

Header

   5F 6E | 00 01 21 | 00 C3 7A E6 | 41 41 | 01 00 0D 00 00   | 00 02 BE 00                  |
   ????  | same in  | 12810982    |  AA   | write dest? same | 179712 size after 20b header |
   crc16?| all bins | module name |  rev  | in all bins      | same in all bins             |
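
The header layout above as a parser, added here as an example and not part of the original wiki page or of any GlobalTIS tooling. It reads the 20 bytes as big-endian fields (field names are assumptions taken from the table's own guesses), checks the size field against the file length, and returns the image with the header removed; the 0xFF body is constructed filler.

```python
import struct
from typing import NamedTuple

HEADER_LEN = 20  # the page: remove the first 20 bytes before loading in IDA


class CimHeader(NamedTuple):   # field names are assumptions based on the table
    checksum: int      # 2 bytes, meaning unconfirmed ("crc16?")
    constant: bytes    # 3 bytes, same in all bins
    module_id: int     # 4 bytes big-endian, 0x00C37AE6 == 12810982
    revision: str      # 2 ASCII bytes, "AA"
    write_dest: bytes  # 5 bytes, "write dest?", same in all bins
    payload_size: int  # 4 bytes big-endian, size after the header


def parse_header(blob: bytes) -> CimHeader:
    if len(blob) < HEADER_LEN:
        raise ValueError("file is shorter than the 20-byte header")
    csum, const, module_id, rev, dest, size = struct.unpack(
        ">H3sI2s5sI", blob[:HEADER_LEN])
    return CimHeader(csum, const, module_id,
                     rev.decode("ascii", "replace"), dest, size)


def strip_header(blob: bytes) -> bytes:
    """Return the image without its header; reject truncated or padded files."""
    hdr = parse_header(blob)
    body = blob[HEADER_LEN:]
    if len(body) != hdr.payload_size:
        raise ValueError(
            f"size field says {hdr.payload_size} bytes, file has {len(body)}")
    return body


# Header bytes exactly as shown in the table above.
SAMPLE_HEADER = bytes.fromhex("5F6E 000121 00C37AE6 4141 01000D0000 0002BE00")

if __name__ == "__main__":
    image = SAMPLE_HEADER + b"\xff" * 179712   # constructed filler, not firmware
    hdr = parse_header(image)
    print(hdr.module_id, hdr.revision, hdr.payload_size)
    print(len(strip_header(image)), "bytes after stripping the header")
```

A size mismatch here usually means the file was truncated or already had its header removed, which is worth catching before the vector table offsets are trusted.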

CAN

The CIM listens on 0x245 on both the P-bus and the I-bus and replies on 0x645

Memory layout

Dumping memory from the CIM using $23 over GMLAN is possible for the following ranges:

   0x100000 - 0x1003FF
   0x100400 - 0x1017FF
   0x200000 - 0x20001A
   0x800000 - 0x800110
   0x8000A0 contains a power-on counter

Serial dumping

The MCU is ID-locked; the ID is currently unknown

EEPROM

Type: 93LC66A-I
Packaging: SOP8


Cim eeprom.jpeg

   CS connected to P50 CS0
   DI to P49 CS1
   DO to P39 RDY/CLKOUT
   SK/CLK to P51
   DC to GND

UART

   USART 0 -> "K-Line 1"    < SCL (Steering Column Lock)   >
   USART 1 ->               < SAS (Steering Angle Sensor)  > (blue connector)
   USART 2 -> "K-Line 2"    < ISM (Ignition Switch Module) >


Other

bojer: Random note: CIM eeprom addresses 0x65 to 0x72 must be bit map of dtc errors present
bojer: bits represent errors and if you count 1s you get number of dtcs present
bojer: as in flipping bit 29 will get you B3598 04
Only variable is sas - it has additional data section at the end  of eeprom file

bojer: Side note on transponder - for cim to think it is valid key it needs to have isk locked AND protect write user pages (PWUP) flag on
bojer: as in: page 3 first byte needs to be 0x96

chriva: Found what I wanted to know. If 0F_BE03 is not set to 0x8f it's simply not going to jump to the main firmware.
As for how it knows where to enter the main firmware:  That's a tribyte-address stored at 0F_BDED

chriva: The utility program is to be stored at EXACTLY address 0x614 and up. All those weird bytes finally made sense

uart2 goes to pin 17 of CIM (comm with ISM)

UART0 - SCL communication
UART1 - SAS + bootloader
UART2 - ISM communication
0 and 2 are multiplexed

I think in normal conditions all of them run at 9600
12V tx and rx on same line

I suspect 0xc3 might be CIM options
add/remove sensonic steering wheel controls changes here c2 87 to e2 87
and I can confirm that in those same two bytes is also stored info about cruise control
 PM]bojer: I think it will be 8080
[10:57 PM]bojer: Or at least 8000
[10:57 PM]bojer: 0x0080 might be steering buttons


[8:25 PM]bojer: Note to self and others: cim is picky about what you have stored in P3 of key transponder (one with config bits) - there are 3 bytes left that MUST match
[8:29 PM]bojer: In working added key it should be: 96AA4854, no problem. My key for some reason (bit flip?) had 96AA4855 and CIM refused to accept key
[8:35 PM]bojer: new key should have 06AA4854