Vida CEM swapping

Treur · Post by **Treur** » 18 Jan 2026, 05:10

Brute-force speed is highly dependent on hardware resources. Brute-force execution on a microcontroller is one thing, but on a PC (J2534 devices) it's quite another. If we're brute-forcing on a bench, a CEM will yield 300/500 pins/s depending on the CEM. If we're brute-forcing in car, the speed drops significantly.

p3 can't do ff 86, the other blocks are not silent during the process, this loads the bus

Post by **vtl** » 18 Jan 2026, 12:07

Treur wrote: ↑18 Jan 2026, 05:10 p3 can't do ff 86, the other blocks are not silent during the process, this loads the bus

Why so? I don't have a real P3 anymore, but if I remember correctly, when I was recovering my bricked 2016 XC60, it was silent on both buses once VIDA started rewriting the CEM. I had a CAN traffic sniffer attached to car.

Treur · Post by **Treur** » 18 Jan 2026, 12:09

vtl wrote: ↑18 Jan 2026, 12:07
Treur wrote: ↑18 Jan 2026, 05:10 p3 can't do ff 86, the other blocks are not silent during the process, this loads the bus
Why so? I don't have a real P3 anymore, but if I remember correctly, when I was recovering my bricked 2016 XC60, it was silent on both buses once VIDA started rewriting the CEM. I had a CAN traffic sniffer attached to car.

When you rewrite, you use SBL, it's a another mode.
Anyway CEM is silent, but not other car modules

prometey1982 · Post by **prometey1982** » 19 Jan 2026, 08:30

Treur wrote: ↑18 Jan 2026, 12:09 When you rewrite, you use SBL, it's a another mode.
Anyway CEM is silent, but not other car modules

This command https://github.com/prometey1982/VolvoTo ... ps.cpp#L53
pass all ECUs to sleep mode.

Antonio2404 · Post by **Antonio2404** » 19 Jan 2026, 08:43

Hello everyone!
I've been following this topic for a while now and managed to create this device for myself.
P1 and P2 work like clockwork.
When working with P3, there's an unresolved issue with exiting programming mode...
I also added the ability to start from a previous point, in case the process stops.

What peculiarities have I noticed when working with P3:
1) If working on a table without any external blocks, there's no exit from programming mode, and the speed reaches 843, and the pin is found in about 5-6 hours.
2) If you use auto selection, you exit programming mode, as a colleague described above.

If you're interested, I can provide the connection diagram to the author of the VTL.

Post by **vtl** » 19 Jan 2026, 11:48

Antonio2404 wrote: ↑19 Jan 2026, 08:43 Hello everyone!
I've been following this topic for a while now and managed to create this device for myself.
P1 and P2 work like clockwork.
When working with P3, there's an unresolved issue with exiting programming mode...
I also added the ability to start from a previous point, in case the process stops.

What peculiarities have I noticed when working with P3:
1) If working on a table without any external blocks, there's no exit from programming mode, and the speed reaches 843, and the pin is found in about 5-6 hours.
2) If you use auto selection, you exit programming mode, as a colleague described above.

If you're interested, I can provide the connection diagram to the author of the VTL.

Nice work, send a pull request!

dikidera · Post by **dikidera** » 19 Jan 2026, 14:10

Since I am analyzing the TF80SC firmware, no I havent found any maps yet (beyond gear ratio tables etc). The firmware I am analyzing is vastly more different than AW55, completely rewritten control stack. I believe the firmware I have is from 2016+ and is written as Gen 2 TF80. I was confused as prometey once said that TF80 and AW55 are plug and play software-wise, but perhaps he was talking about P2 TF80 and the P3 has different codebase.

In any case, after failing to find Current -> PWM conversion register accesses, even after finding all SH2 trickery.

Get this. It loads an address FFFFFFF5 and does an 8 bit left shift, this becomes FFFFF500 to which it adds offsets to access ATUI members. But there was nothing, nowhere where it accessed duty cycle registers.
According to claude opus 4.5, the TF80 Gen 2 tcm might be using an external PWM generator controlled via serial? I would've never guessed this so early on, it was going all over the place and just when I was about to interrupt it, it found that singular clue.

Anyway, I was wondering if there are any PCB shots of the TCMs. My dump comes from 31361502 part number.

The AW55 firmware is nearly completely understood by me, but TF80 Gen 2 is almost completely rewritten.

ghettob · Post by **ghettob** » 19 Jan 2026, 16:05

Antonio2404 wrote: ↑19 Jan 2026, 08:43 Hello everyone!
I've been following this topic for a while now and managed to create this device for myself.
P1 and P2 work like clockwork.
When working with P3, there's an unresolved issue with exiting programming mode...
I also added the ability to start from a previous point, in case the process stops.

What peculiarities have I noticed when working with P3:
1) If working on a table without any external blocks, there's no exit from programming mode, and the speed reaches 843, and the pin is found in about 5-6 hours.
2) If you use auto selection, you exit programming mode, as a colleague described above.

If you're interested, I can provide the connection diagram to the author of the VTL.

Holy moly your adapter is some next level voodoo compared to my million wires to a breadboard

I managed to get my p3 with display setup to work better and get it to finish calculation in under 3 hours, but i stumbled to another setback!

The pin printed to the display is far from the one i got in p3tool. Am i getting the hash numbers on the display or am i missing something?

Treur · Post by **Treur** » 19 Jan 2026, 23:27

vtl wrote: ↑19 Jan 2026, 11:48
Antonio2404 wrote: ↑19 Jan 2026, 08:43 Hello everyone!
I've been following this topic for a while now and managed to create this device for myself.
P1 and P2 work like clockwork.
When working with P3, there's an unresolved issue with exiting programming mode...
I also added the ability to start from a previous point, in case the process stops.

What peculiarities have I noticed when working with P3:
1) If working on a table without any external blocks, there's no exit from programming mode, and the speed reaches 843, and the pin is found in about 5-6 hours.
2) If you use auto selection, you exit programming mode, as a colleague described above.

If you're interested, I can provide the connection diagram to the author of the VTL.
Nice work, send a pull request!

It looks pretty good. But personally, I'd consider porting it to something like the STM32H743. It's much cheaper and more compact.

Post by **vtl** » 20 Jan 2026, 04:57

Treur wrote: ↑19 Jan 2026, 23:27 It looks pretty good. But personally, I'd consider porting it to something like the STM32F743. It's much cheaper and more compact.

Cracker needs more MHz than this thing has. Some CEMs won't crack with Teensy running at 180 MHz, for example. Also it needs a built-in CAN, external CAN controller via SPI is too slow.

Teensy 4.0 is $23.80 at Sparkfun, I doubt a comparable STM32 board can be cheaper.

Vida CEM swapping

Re: Vida CEM swapping