
Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
porcupine7655
Posts: 24
Joined: 28 April 2025
Year and Model: 2006
Location: Sweden
Has thanked: 4 times
Been thanked: 18 times

Re: Vida CEM swapping

Post by porcupine7655 »

I don't 100% understand how you run and where you load the SBL.

For the ones I have worked with (Denso ECU and CEM-L P2), I load the SBL to RAM.

There are some requirements that must be fulfilled:
1. The SBL is loaded to RAM so it doesn't execute from flash.
2. The SBL must not use any functions/code that are in flash, such as helper functions etc.
3. Interrupts must be turned off OR, if you use interrupts within your SBL, reroute the interrupt vectors to RAM and fill in the needed vectors. Keep in mind that all code, even from interrupts, must be from RAM.

If you follow these rules it should work in most cases. In some cases it can be OK to break some of these rules, but it depends on what flash and CPU are used. There can also be cases where more requirements are needed depending on the CPU used, for example if a cache exists.

Yariy
Posts: 41
Joined: 1 July 2024
Year and Model: XC90
Location: Moskow
Has thanked: 13 times
Been thanked: 10 times

Post by Yariy »

porcupine7655 wrote: 17 Jul 2025, 09:24
I don't 100% understand how you run and where you load the SBL.

For the ones I have worked with (Denso ECU and CEM-L P2), I load the SBL to RAM.

There are some requirements that must be fulfilled:
1. The SBL is loaded to RAM so it doesn't execute from flash.
2. The SBL must not use any functions/code that are in flash, such as helper functions etc.
3. Interrupts must be turned off OR, if you use interrupts within your SBL, reroute the interrupt vectors to RAM and fill in the needed vectors. Keep in mind that all code, even from interrupts, must be from RAM.

If you follow these rules it should work in most cases. In some cases it can be OK to break some of these rules, but it depends on what flash and CPU are used. There can also be cases where more requirements are needed depending on the CPU used, for example if a cache exists.

I'm sorry, I may have described the problem incorrectly in previous posts. CEMB has all the functions for reading, erasing and writing flash in the PBL. You can read the entire flash except for the area $4000-$8000 (EEPROM). The EEPROM area is protected from reading.
I know the whole SBL download process.
1. Enter program mode.
2. Transfer the valid PIN code.
3. Transfer the address in RAM of the SBL boot start.
4. Load the SBL into RAM.
5. Send the SBL start address.
6. Send the SBL launch command.
All this works only under one condition: you have a valid PIN code equal to FF. If the valid PIN code is not FF, then SBL download is prohibited! The current PIN code can only be changed if it is FF. You can change it to any other one, but you can't change it back to FF. I change the PIN code to FF using BDM and can download and run the SBL. My test SBL works and copies the entire flash.
Now I'm looking for workarounds to change the PIN code to FF via CAN. Since the main program area is not protected from reading and writing, I came up with the idea to make a substitution - start the main program on my SBL and it works. But I think this is not an option, because you have to erase the entire area of the flash.
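
The access policy described in the post above, modelled as host-side C. This is an added example, not CEM firmware and not code from anyone in the thread. The function names, the 6-byte PIN length and treating $8000 as the exclusive end of the protected range are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PIN_LEN      6         /* assumed length; the post only says "FF" */
#define EEPROM_START 0x4000u   /* read-protected range named in the post */
#define EEPROM_END   0x8000u   /* assumed exclusive upper bound */

typedef struct {
    uint8_t pin[PIN_LEN];      /* PIN currently stored in the module */
    bool prog_mode;            /* step 1 done */
    bool authed;               /* step 2 done with a matching PIN */
    bool addr_set;             /* step 3 accepted */
} pbl_t;

static bool pin_is_virgin(const pbl_t *p) {
    for (int i = 0; i < PIN_LEN; i++)
        if (p->pin[i] != 0xFF) return false;
    return true;
}

void pbl_init(pbl_t *p, const uint8_t *stored_pin) {
    memset(p, 0, sizeof *p);
    memcpy(p->pin, stored_pin, PIN_LEN);
}

void pbl_enter_prog(pbl_t *p) { p->prog_mode = true; }

/* Step 2: the PIN is only checked once programming mode is active. */
bool pbl_send_pin(pbl_t *p, const uint8_t *pin) {
    p->authed = p->prog_mode && memcmp(p->pin, pin, PIN_LEN) == 0;
    return p->authed;
}

/* Step 3: SBL download needs a matching PIN AND a stored PIN of all FF. */
bool pbl_set_load_addr(pbl_t *p) {
    p->addr_set = p->authed && pin_is_virgin(p);
    return p->addr_set;
}

/* One-way latch: the PIN can be written only while it is still all FF. */
bool pbl_change_pin(pbl_t *p, const uint8_t *new_pin) {
    if (!p->authed || !pin_is_virgin(p)) return false;
    memcpy(p->pin, new_pin, PIN_LEN);
    return true;
}

/* Reads are refused inside the EEPROM window, allowed elsewhere. */
bool pbl_read_allowed(uint32_t addr) {
    return addr < EEPROM_START || addr >= EEPROM_END;
}
```

In this model a module whose PIN has been set still authenticates with the correct PIN, but it refuses both the download address and any further PIN change.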

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

Yariy wrote: 17 Jul 2025, 10:55
porcupine7655 wrote: 17 Jul 2025, 09:24
I don't 100% understand how you run and where you load the SBL.

For the ones I have worked with (Denso ECU and CEM-L P2), I load the SBL to RAM.

There are some requirements that must be fulfilled:
1. The SBL is loaded to RAM so it doesn't execute from flash.
2. The SBL must not use any functions/code that are in flash, such as helper functions etc.
3. Interrupts must be turned off OR, if you use interrupts within your SBL, reroute the interrupt vectors to RAM and fill in the needed vectors. Keep in mind that all code, even from interrupts, must be from RAM.

If you follow these rules it should work in most cases. In some cases it can be OK to break some of these rules, but it depends on what flash and CPU are used. There can also be cases where more requirements are needed depending on the CPU used, for example if a cache exists.

I'm sorry, I may have described the problem incorrectly in previous posts. CEMB has all the functions for reading, erasing and writing flash in the PBL. You can read the entire flash except for the area $4000-$8000 (EEPROM). The EEPROM area is protected from reading.
I know the whole SBL download process.
1. Enter program mode.
2. Transfer the valid PIN code.
3. Transfer the address in RAM of the SBL boot start.
4. Load the SBL into RAM.
5. Send the SBL start address.
6. Send the SBL launch command.
All this works only under one condition: you have a valid PIN code equal to FF. If the valid PIN code is not FF, then SBL download is prohibited! The current PIN code can only be changed if it is FF. You can change it to any other one, but you can't change it back to FF. I change the PIN code to FF using BDM and can download and run the SBL. My test SBL works and copies the entire flash.
Now I'm looking for workarounds to change the PIN code to FF via CAN. Since the main program area is not protected from reading and writing, I came up with the idea to make a substitution - start the main program on my SBL and it works. But I think this is not an option, because you have to erase the entire area of the flash.

Well, here's the thing: you're not the only one who has run into this. The same IO-terminal works with this brick only after a "patch" of the dump, which consists of FF in place of the PIN. I also spent a long time staring wide-eyed at the fact that the CEM, instead of swallowing the SBL data, just dumbly starts replying to every message sent. So the problem here is not the SBL at all.

Yariy
Posts: 41
Joined: 1 July 2024
Year and Model: XC90
Location: Moskow
Has thanked: 13 times
Been thanked: 10 times

Post by Yariy »

Treur wrote:
Well, here's the thing: you're not the only one who has run into this. The same IO-terminal works with this brick only after a "patch" of the dump, which consists of FF in place of the PIN. I also spent a long time staring wide-eyed at the fact that the CEM, instead of swallowing the SBL data, just dumbly starts replying to every message sent. So the problem here is not the SBL at all.

I didn't know that IoTerminal already supports CEMB. Their website doesn't say anything about brick CEM. I've already done tricks with patching the dump of the main program and PBL, but I'm not satisfied with that yet and I'm looking for even better options.

Yariy
Posts: 41
Joined: 1 July 2024
Year and Model: XC90
Location: Moskow
Has thanked: 13 times
Been thanked: 10 times

Post by Yariy »

Treur wrote:
I also spent a long time staring wide-eyed at the fact that the CEM, instead of swallowing the SBL data, just dumbly starts replying to every message sent. So the problem here is not the SBL at all.

Can I take a closer look from this place?

Yariy
Posts: 41
Joined: 1 July 2024
Year and Model: XC90
Location: Moskow
Has thanked: 13 times
Been thanked: 10 times

Post by Yariy »

And that's why I'm leaning towards SBL for CEMB, because, for example, in diagnostic mode you can read the entire flash (512 Kbytes), but it takes at least 20 minutes, and reading from the address in program mode takes many times more. My test SBL reads the flash in 1 minute and 20 seconds, but so far without any checksums, etc. Well, it doesn't matter yet.

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

Yariy wrote: 17 Jul 2025, 14:32
And that's why I'm leaning towards SBL for CEMB, because, for example, in diagnostic mode you can read the entire flash (512 Kbytes), but it takes at least 20 minutes, and reading from the address in program mode takes many times more. My test SBL reads the flash in 1 minute and 20 seconds, but so far without any checksums, etc. Well, it doesn't matter yet.

But reading in the diagnostic session is useless: fine, we have read it, but we still can't write in that session. If we could rewrite the piece with the PIN / patch the main program and the PBL, then it would make sense. I'm not even really considering this scrap metal any more, since the cars that use them are already dying out.
As for the terminal, they have by no means put everything on their website. I have already got hold of their SBL, but the CEM accepts it only when the PIN is FF, and honestly I don't really understand the Swedes' thinking: "we only write to a new module". That raises a logical question: a customer comes to the dealer for, say, a retrofit, aaand????
Last edited by Treur on 18 Jul 2025, 06:29, edited 1 time in total.

WhizzMan
Posts: 33
Joined: 21 February 2021
Year and Model: 2001 XC70
Location: Göteborg
Has thanked: 8 times
Been thanked: 2 times

Post by WhizzMan »

Yariy wrote: 17 Jul 2025, 14:32
And that's why I'm leaning towards SBL for CEMB, because, for example, in diagnostic mode you can read the entire flash (512 Kbytes), but it takes at least 20 minutes, and reading from the address in program mode takes many times more. My test SBL reads the flash in 1 minute and 20 seconds, but so far without any checksums, etc. Well, it doesn't matter yet.

Not sure if I am interpreting this correctly.
Would it be able to only read the PIN code in diagnostics (or program) mode (so not waste a lot of time reading everything) and then reboot and use SBL with the PIN code to do a full read?

So IOTerminal goes around the PIN code problem by overwriting the original PIN code? That would make it hard(er) to restore the entire CEM to factory settings if you don't have the original PIN code. That may not matter, unless you want to take the car to a Volvo dealer later.

Am I to conclude that a "virgin" CEMB has FF FF FF FF FF as a pin code and that is what I have to put in a used CEM to be able to put it in another car using only VIDA?

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

WhizzMan wrote: 18 Jul 2025, 06:29
Yariy wrote: 17 Jul 2025, 14:32
And that's why I'm leaning towards SBL for CEMB, because, for example, in diagnostic mode you can read the entire flash (512 Kbytes), but it takes at least 20 minutes, and reading from the address in program mode takes many times more. My test SBL reads the flash in 1 minute and 20 seconds, but so far without any checksums, etc. Well, it doesn't matter yet.
Not sure if I am interpreting this correctly.
Would it be able to only read the PIN code in diagnostics (or program) mode (so not waste a lot of time reading everything) and then reboot and use SBL with the PIN code to do a full read?

So IOTerminal goes around the PIN code problem by overwriting the original PIN code? That would make it hard(er) to restore the entire CEM to factory settings if you don't have the original PIN code. That may not matter, unless you want to take the car to a Volvo dealer later.

Am I to conclude that a "virgin" CEMB has FF FF FF FF FF as a pin code and that is what I have to put in a used CEM to be able to put it in another car using only VIDA?

The problem is that Io-terminal and others cannot load SBL with a pin other than FF.

WhizzMan
Posts: 33
Joined: 21 February 2021
Year and Model: 2001 XC70
Location: Göteborg
Has thanked: 8 times
Been thanked: 2 times

Post by WhizzMan »

Treur wrote: 18 Jul 2025, 06:26
But reading in the diagnostic session is useless: fine, we have read it, but we still can't write in that session. If we could rewrite the piece with the PIN / patch the main program and the PBL, then it would make sense. I'm not even really considering this scrap metal any more, since the cars that use them are already dying out.
As for the terminal, they have by no means put everything on their website. I have already got hold of their SBL, but the CEM accepts it only when the PIN is FF, and honestly I don't really understand the Swedes' thinking: "we only write to a new module". That raises a logical question: a customer comes to the dealer for, say, a retrofit, aaand????

It is easier if we stick to English, now I have to copy/paste to Google translate to read. ;)

The logic of the Swedes is not too difficult to understand:

1. New car on production line: put config in CEM, put pin codes in for security, how you write bits and bytes is irrelevant.
2. Broken car: replace CEM with virgin, download full config from Volvo headquarters, write full config and pin in new hardware, see "New Car" on how.
3. Changed config in car: Update config in Database at Volvo headquarters, generate new config file on Volvo Headquarters database, see "broken car" for the rest.

All of these scenarios work by assuming that VIDA is used and all car configuration changes are initiated using the central configuration database at Volvo headquarters. All scenarios work by replacing the CEM if it is not working; no repairs are done to the CEMs themselves.
All scenarios work by assuming that a replacement CEM is a virgin. No other scenarios are possible for Volvo Dealers, because they don't put in 2nd hand parts.

From a manufacturer and dealer perspective, this makes perfect sense. "Monkeys can program a new CEM in car", "Monkeys can replace a CEM in the field", "Monkeys can reprogram a CEM in the field". For people wanting to work on their own car, it is not so easy, but even before the year 2000, manufacturers stopped caring about that.
