DeqingSun / vnproch551

CH551 Programming software


Note on CH549

DeqingSun opened this issue · comments

family ID 0x12, device ID 0x49
u8AddessCmd 0xA3 seems to be changing as well with WCHISPTool V2.9
Use IDA to open WCH55xISPDLL.dll
Search all text occurrence of rand
choose the call
Edit > Patch Program > Assemble; mov eax, 0h is 5 bytes and should replace the call _rand or call _srand
Search all text occurrence of GetTickCount
It is using call edi (2 bytes); replace it with 2 nops
Edit > Patch Program > apply patches to input file
After that, A3 seems OK.

.text:10002899 call sub_1000AB30
It seems the A5 command gets ready before the call, with unencrypted data loaded. Encryption seems to be happening here!

.text:1000836F call    sub_10001E50
A1 communication (u8DetectCmd)
	.text:10001F01 call    sub_10001820 send out
	.text:10001F4D call    sub_100019A0 get response

.text:10008431 call    sub_10002E60
A7 communication (u8IdCmd)
	response located in Stack[00000CC8]:01B6EE3C db 0A7h 

.text:10008542 call    sub_1000A160
check later.
.text:100085A0 call    sub_100067F0
check later.

.text:10008637 loc_10008637:
seems to be the family check (11~15)

.text:10008688 call    sub_100032F0

.text:100087B1 call    sub_10003160
A8 communication (u8InitCmd)

.text:10008815 call    sub_10002E60
A7 communication (u8IdCmd)
	
.text:10008972 call    sub_10002B20
A3 communication
	
	before call 	.text:1000896D mov     edi, [esp+50h+arg_0]
			.text:10008971 push    edi
			0,0,0,0,58,11
			
	.text:10002BC1 call    sub_1000AB70
		Key generated inside.
		ebx+193h, ebx+194h: seems to be checking device and family ID
		.text:1000ABEF jb      short loc_1000ABCA  this loop of 1E iterations just puts 0 into memory since we hacked the tick call
		.text:1000ABF5 mov     al, [ebx+194h]  value is 12, maybe family ID
		.text:1000AC00 lea     edi, [esp+1Ch+var_8]  Not sure what it is for
		.text:1000AC3B loc_1000AC3B: calculates the key; the sum of ID and family ID seems unchanged. But the sum of the ID is 8 bytes!

	.text:10002C5C call    sub_10001820
	sends A3; stepping over will crash. It seems the A3 command is located in [esp+28h]
	modifying [esp+28h] will change the sent A3 command
				

2c27? send A3

.text:10008A19 call    sub_1000A160

.text:10008A39 call    sub_10002960
A4 communication (u8EraseCmd)

call    sub_1000A160

.text:10008C64 call    sub_1000A160

.text:10008C98 call    sub_100027D0
A5 communication
	.text:10002899 call    sub_1000AB30 
		It seems 3D gets ready before the call, with unencrypted data loaded.
		Encryption seems to be happening here!

		.text:1000AB4F loc_1000AB4F: 
		XOR happens here. Key is 8 bytes long, sent with address esp+4+arg_8
		If we go outside, it is sent by push ecx; lea ecx, [ebp+1Ch], i.e. saved_fp+1Ch, which is static.

.text:10001623 call    ds:CreateFileA
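Added example, not code from this issue or from vnproch551: a C model of the XOR step the notes describe at loc_1000AB4F, an 8-byte key cycled over the A5 payload. The key bytes and the sample payload are constructed placeholders; the notes say the key is built from the sum of the chip ID and the family ID but do not give the exact derivation, so none is claimed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 8   /* the notes observe an 8-byte key at loc_1000AB4F */

/* XOR buf in place with the 8-byte key, cycling the key over the data.
 * XOR is its own inverse, so one routine models both the host-side
 * masking of the A5 payload and the unmasking on the bootloader side. */
void xor_payload(uint8_t *buf, size_t len, const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % KEY_LEN];
}

/* Constructed placeholder key (assumption): the notes say the key comes
 * from the sum of the chip ID and the family ID but do not give the exact
 * derivation, so nothing here claims to reproduce it. */
static const uint8_t demo_key[KEY_LEN] = {0xA5, 0x3C, 0x17, 0xE8, 0x02, 0x9B, 0x61, 0x4D};

/* Mask a constructed 16-byte block, confirm it changed, then unmask it
 * and confirm the plaintext is restored. Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void) {
    uint8_t plain[16];
    uint8_t work[16];
    for (size_t i = 0; i < sizeof plain; i++)
        plain[i] = (uint8_t)(0x10 * i);        /* constructed sample payload */
    memcpy(work, plain, sizeof work);
    xor_payload(work, sizeof work, demo_key);
    if (memcmp(work, plain, sizeof work) == 0)
        return 0;                              /* nothing was masked */
    xor_payload(work, sizeof work, demo_key);
    return memcmp(work, plain, sizeof work) == 0;
}

/* Show that the key wraps after 8 bytes: XORing zeros with the key yields
 * the key itself, so byte 8 equals key[0] and byte 9 equals key[1].
 * Returns 1 if the wrap-around behaves that way. */
int demo_key_cycles(void) {
    uint8_t zeros[10] = {0};
    xor_payload(zeros, sizeof zeros, demo_key);
    return zeros[7] == demo_key[7] && zeros[8] == demo_key[0] && zeros[9] == demo_key[1];
}
```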