SAAB 9-3 CIM

MCU: M306NAFGTFP
RAM: 10k
ROM: 256k

Starting it in bench

    ____________________________________________
   |    +B       PH PL +15                      |
   | 17 18 19 20 21 22 23 24 25                 |
   |                                            |
   |  1  2  3  4  5  6  7  8  9   11 12  14 15  |
   |+30    GND         GND                      |
   |____________________________________________|

PH P-bus CAN High
PL P-bus CAN Low

Power

12v to pin 1, 18 and 23, ground on pin 3 & 7

pin 18 is the "wakeup" signal to CIM from ISM, it's a switch that engages when a key is inserted pin 23 is the "key in on position" signal from ISM

if 18 and 23 is not powered the CIM will not start broadcasting on the p-bus. unknown if it's listening with only +30 yet

I-bus

All 3 I-bus pinns are connected to each other(!??)

P-bus

Broadcasted Message id's

   0x0C1
   0x0C5
   0x180
   0x1F5
   0x380 audio RDS status?
   0x381

GlobalTIS binarys

Remove 20 first bytes from 176kb file to make all vector tables etc line up in IDA

Header

   5F 6E | 00 01 21 | 00 C3 7A E6 | 41 41 | 01 00 0D 00 00   | 00 02 BE 00                  |
   ????  | same in  | 12810982    |  AA   | write dest? same | 179712 size after 20b header |
   crc16?| all bins | module name |  rev  | in all bins      | same in all bins             |

CAN

CIM listens to 0x245 on p and i-bus and replies on 0x645

Memory layout

Dumping memory from CIM using $23 over GMLAN is possible for the following ranges

   0x100000 - 0x1003FF
   0x100400 - 0x1017FF
   0x200000 - 0x20001A
   0x800000 - 0x800110

   0x8000A0 contains a power on counter

Serial dumping

MCU is ID locked, ID is currently unknown

EEPROM

   CS connected to P50 CS0
   DI to P49 CS1
   DO to P39 RDY/CLKOUT
   SK/CLK to P51
   DC to GND

Other

H000004457