Cim

From Saab Wiki
Revision as of 17:45, 9 February 2022 by Roffe (talk | contribs)
Jump to navigation Jump to search

SAAB 9-3 CIM Dorking

MCU: M306NAFGTFP

10k RAM 256K ROM


Starting it in bench

    ____________________________________________
   |    +B       PH PL +15                      |
   | 17 18 19 20 21 22 23 24 25                 |
   |                                            |
   |  1  2  3  4  5  6  7  8  9   11 12  14 15  |
   |+30    GND         GND                      |
   |____________________________________________|

PH P-bus CAN High
PL P-bus CAN Low

Power

12v to pin 1, 18 and 23, ground on pin 3 & 7

pin 18 is the "wakeup" signal to CIM from ISM, it's a switch that engages when a key is inserted pin 23 is the "key in on position" signal from ISM

if 18 and 23 is not powered the CIM will not start broadcasting on the pbus. unknown if it's listening with only +30 yet

I-bus

All 3 I-bus pinns are connected to each other(!??)

P-bus

Broadcasted Message id's

   0x0C1
   0x0C5
   0x180
   0x1F5
   0x380 audio RDS status?
   0x381

GlobalTIS binarys

Remove 20 first bytes from 176kb file to make all vector tables etc line up in IDA

Header

   5F 6E | 00 01 21 | 00 C3 7A E6 | 41 41 | 01 00 0D 00 00   | 00 02 BE 00                  |
   ????  | same in  | 12810982    |  AA   | write dest? same | 179712 size after 20b header |
   crc16?| all bins | module name |  rev  | in all bins      | same in all bins             |

Memory layout

Dumping memory from CIM using $23 over GMLAN is possible for the following ranges

   0x100000 - 0x1003FF
   0x100400 - 0x1017FF
   0x200000 - 0x20001A
   0x800000 - 0x800110
   0x8000A0 contains a power on counter

Serial dumping

MCU is ID locked, ID is currently unknown

EEPROM

CS connected to P50 CS0
DI to P49 CS1
DO to P39 RDY/CLKOUT
SK/CLK to P51
DC to gnd

Other

H000004457