Cim
Revision as of 11:31, 9 February 2022 by Roffe (talk | contribs) (Created page with "# SAAB 9-3 CIM Dorking MCU: M306NAFGTFP 10k RAM 256K ROM ## Starting it in bench ____________________________________________ | +B PH PL +15 | | 17 18 19 20 21 22 23 24 25 | | | | 1 2 3 4 5 6 7 8 9 11 12 14 15 | |+30 GND GND | |____________________________________________| PH P-bus CAN High PH P-bus CAN Lo...")
- SAAB 9-3 CIM Dorking
MCU: M306NAFGTFP
10k RAM 256K ROM
- Starting it in bench
____________________________________________ | +B PH PL +15 | | 17 18 19 20 21 22 23 24 25 | | | | 1 2 3 4 5 6 7 8 9 11 12 14 15 | |+30 GND GND | |____________________________________________|
PH P-bus CAN High PH P-bus CAN Low
- Power
12v to pin 1, 18 and 23, ground on pin 3 & 7
pin 18 is the "wakeup" signal to CIM from ISM, it's a switch that engages when a key is inserted pin 23 is the "key in on position" signal from ISM
if 18 and 23 is not powered the CIM will not start broadcasting on the pbus. unknown if it's listening with only +30 yet
- I-bus
All 3 I-bus pinns are connected to each other(!??)
- P-bus
- Broadcasted Message id's
0x0C1 0x0C5 0x180 0x1F5 0x380 audio RDS status? 0x381
- GlobalTIS binarys
Remove 20 first bytes from 176kb file to make all vector tables etc line up in IDA
- Header
5F 6E | 00 01 21 | 00 C3 7A E6 | 41 41 | 01 00 0D 00 00 | 00 02 BE 00 | ???? | same in | 12810982 | AA | write dest? same | 179712 size after 20b header | crc16?| all bins | module name | rev | in all bins | same in all bins |
- Memory layout
Dumping memory from CIM using $23 over GMLAN is possible for the following ranges
0x100000 - 0x1003FF 0x100400 - 0x1017FF 0x200000 - 0x20001A 0x800000 - 0x800110
0x8000A0 contains a power on counter
- Rs232 dumping
MCU is ID locked, ID is currently unknown
- EEPROM
CS connected to P50 CS0 DI to P49 CS1 DO to P39 RDY/CLKOUT SK/CLK to P51 DC to gnd
- Other
H000004457