
Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
Rvolvos
Posts: 213
Joined: 1 April 2018
Year and Model: 2006 xc70
Location: Nevada
Has thanked: 73 times
Been thanked: 23 times

Re: Vida CEM swapping

Post by Rvolvos »

yagger wrote: 22 Jun 2018, 17:54 Alas, my English is not the best and I, unfortunately, could not quite correctly read the rules of the forum, if I did not follow them, I ask the moderators not to treat me strictly, but simply delete my message. Thank you for understanding.

I'm not sure that the "light rays came together" only on one company (I mean Canadian specialists). There are much cheaper and faster options for solving problems with Volvo electronics. For example, you can try to use Total Auto Tech from CA. They have very strong experience in repairing Volvo electronics, can program and clone modules, diagnose and check any systems... They have their own bench test equipment and their own software for testing and programming any modules. You can ask me about it if interested. ))
Can you please share the address of Total auto tech? The link doesn’t work for me.
Thanks!
2006 XC70 2.5T 238k


2012 S60T6 95k rip
2011 C30 T5 M66 105k Totalled RIP
2006 V70 2.5T 184k RIP
2011 C30 T5 AW55-50SN 99k sold

abscate  
MVS Moderator
Posts: 35275
Joined: 17 February 2013
Year and Model: 99: V70s S70s,05 V70
Location: Port Jefferson Long Island NY
Has thanked: 1500 times
Been thanked: 3810 times

Post by abscate »

OP - we have had several people come on with substantial experience in tuning and programming who insist they have cloned a VIN specific module on Volvo then disappear into oblivion after they fail. The equipment to do it will make it an uneconomical path for someone not doing this as a service.

Maybe it is just fair to say the info isn't here, perhaps one of the other Fora has it.



Yagger and Doublebug are exceptions - if they can do it they will tell you.
Empty Nester
A Captain in a Sea of Estrogen
1999-V70-T5M56 2005-V70-M56 1999-S70 VW T4 XC90-in-Red
Link to Maintenance record thread

yagger
Posts: 373
Joined: 24 March 2016
Year and Model: V60 2016
Location: DreamLand
Has thanked: 6 times
Been thanked: 39 times

Post by yagger »

Rvolvos wrote: 04 Mar 2019, 11:08 Can you please share the address of Total auto tech? The link doesn’t work for me.
Thanks!
TotalAutoTech
225 San Jose Ave
San Jose, CA 95125

Be sure, they can do everything for Volvo.
Any electronics issues, any programming stuff...
Keys, Remotes, cloning any modules...
I guarantee.

precopster
Posts: 7543
Joined: 21 August 2010
Year and Model: Lots
Location: Melbourne Australia
Has thanked: 8 times
Been thanked: 128 times

Post by precopster »

This is my understanding of the current situation. Vida can reload a module ONLY if you have a licensed subscription to Vida and you buy the software for each reload individually. As far as I know the Volvo corporate site can now pick a real Dice from a clone so even if you buy a subscription you need a genuine Dice costing over $1,000.

The way the software works is, if key data or configuration is already on the used CEM from a different vehicle other than the one the CEM is fitted to, it won't reload it, so you can't just bring a used CEM to a dealer and have it reprogrammed. The dealers will ONLY program new CEMs or perform a CEM reload if it is the original CEM belonging to the vehicle.

Which leaves you in the good hands of the guys mentioned above who CAN erase key data without Vida and then erase the ROM and reload data from another CEM.
Current cars VW Transporter 2.5TDI, 2010 XC90 D5 R Design

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

I'm sorry for kicking an old thread...

VIDA Online (for those of us in Northern America) works fine with a Chinese forged DiCE. Every operation in official VIDA is expensive, of course.

2005+ (speaking about P2) has an L-shaped CEM that runs on Renesas M32C. This chip has a built-in flash that is read/write protected by ID. Only Volvo knows this ID for your vehicle. Without the ID it is not possible to read the flash or even overwrite it. A dealer can't flash new software into a used CEM that you've got cheap from ebay or a junkyard.

The EEPROM in these CEMs is still a good old standalone 93C86. However, its content is encrypted. The encryption key is hidden in the M32C's flash. You can desolder the EEPROM and read it in a programmer, but the dump will be of very little use, because it can't be modified.

Renesas states in the datasheet that even with flash locked it is still possible to erase the flash, thus bringing the CEM to a "clean" state that the dealer can work with. To do so you need an E8 or E8a software emulator from Renesas that costs anywhere from $30 to $250 on ebay. Or make a do-it-yourself solution with an MCU board like Arduino that will send the erase code to the M32C. Information is googleable. I think this is how "reconditioned" empty CEMs make their way to ebay.

With a DIY hw tool you can also try to hack the ID code by enumerating every possible combination in the 7-byte sequence. That takes a ton of time, but at the end you'll be able to do the clone. Maybe the ID sequence used by Volvo does not span the whole possible dimension, and knowing the ranges you can hack the code much quicker by avoiding sequences that do not exist, for Volvo.

Also, the M16 family (M32C is M16 family) has a bug, or, rather, a nuance that allows shortening the hacking process by light years using a timing attack on the BUSY line. It turned out that the chip holds the BUSY line for a slightly longer period of time when the software sends the byte that is the right byte for this position in the ID code. Hmm... :)

I think it is possible to crack the ID code in those Renesas-equipped CEMs using a cheap, but mighty MCU board, like ESP32. The latency for reading a digital pin seems to be well below microsecond, this is probably enough to see the jitter on BUSY line. ESP32 is real cheap, $10 delivered to your door. Hmm...
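Added example, not part of vtl's post and not Renesas or Volvo code: a C sketch of why a check that does more work for each correct byte leaks through timing, beside a constant-time form that firmware authors use to remove that signal. The chip's real comparison routine is not shown on this page, so the early-exit loop, the step counter standing in for BUSY-line time, and the sample ID bytes are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ID_LEN 7 /* the thread describes a 7-byte ID code */

typedef int (*check_fn)(const uint8_t *, const uint8_t *, size_t *);

/* Early-exit compare: the number of loop steps (a stand-in for time)
 * grows with the number of correct leading bytes in the guess. */
static int leaky_check(const uint8_t *id, const uint8_t *guess, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < ID_LEN; i++) {
        (*steps)++;
        if (id[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time compare: always visits every byte and folds the
 * differences together, so the work is independent of the guess. */
static int ct_check(const uint8_t *id, const uint8_t *guess, size_t *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < ID_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(id[i] ^ guess[i]);
    }
    return diff == 0;
}

/* Steps a check performs when the first `correct` bytes of the guess match. */
static size_t steps_for_prefix(check_fn check, size_t correct)
{
    /* Constructed sample ID, not a real value. */
    static const uint8_t id[ID_LEN] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
    uint8_t guess[ID_LEN];
    size_t steps;
    for (size_t i = 0; i < ID_LEN; i++)
        guess[i] = (i < correct) ? id[i] : (uint8_t)~id[i];
    check(id, guess, &steps);
    return steps;
}

int main(void)
{
    for (size_t n = 0; n <= ID_LEN; n++)
        printf("correct prefix %zu: leaky=%zu steps, constant-time=%zu steps\n",
               n, steps_for_prefix(leaky_check, n), steps_for_prefix(ct_check, n));
    return 0;
}
```

A fixed-time compare removes the per-byte signal; it does not by itself limit repeated attempts, which needs a separate retry limit or lockout.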

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

vtl wrote: 24 Jun 2020, 15:11 I think it is possible to crack the ID code in those Renesas-equipped CEMs using a cheap, but mighty MCU board, like ESP32.
It has been done.

There is a program out that will calculate the CEM pin from the bin file. The link below is a program said to calculate the CEM pin from a 2005 - 2009 Volvo CEM bin file. I have not tried it because I never bought a programmer to extract the bin file. A good source tells me an Orange 5 programmer works real well for extracting the bin files.

https://mega.nz/file/WoEiTCSS#FdV5x3yhk ... ZCh%20L2YY
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.

yagger
Posts: 373
Joined: 24 March 2016
Year and Model: V60 2016
Location: DreamLand
Has thanked: 6 times
Been thanked: 39 times

Post by yagger »

What are you talking about, guys?
Everything was cracked at least 8 years ago. We have worked through OBD with L-shaped CEMs for around 8 years.
And the data transfer service is not so expensive. There is sense to buy equipment and start to learn how to transfer software if you are going to work with this constantly, I think. In other way it is not so effective.

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

yagger wrote: 24 Jun 2020, 17:58 There is sense to buy equipment and start to learn how to transfer software if you are going to work with this constantly I think. In other way it is not so effective.
That is why I never bought the Orange 5 programmer.

Vdash cannot do the P2 CEM crack through DiCE or the OBDII port. Have you considered making a better program/service to directly compete with Vdash?
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

RickHaleParker wrote: 24 Jun 2020, 17:32 It has been done.

There is a program out that will calculate the CEM pin from the bin file. The link below is a program said to calculate the CEM pin from a 2005 - 2009 Volvo CEM bin file. I have not tried it because I never bought a programmer to extract the bin file. A good source tells me an Orange 5 programmer works real well for extracting the bin files.

https://mega.nz/file/WoEiTCSS#FdV5x3yhk ... ZCh%20L2YY
Yeah, seen that. I don't really understand what this software does. The problem is to read the flash from the chip. Once you read it, the ID is in the last bytes of the image (bin file), as per datasheet. But to read the flash you need to unlock it first with the ID.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

yagger wrote: 24 Jun 2020, 17:58 What are you talking about, guys?
Everything was cracked at least 8 years ago. We have worked through OBD with L-shaped CEMs for around 8 years.
And the data transfer service is not so expensive. There is sense to buy equipment and start to learn how to transfer software if you are going to work with this constantly, I think. In other way it is not so effective.
Are you saying you can crack the ID code remotely via OBD? Maybe it's some dumb barely randomized sequence, so brute force enumeration is quick? Wonder why VDASH cracks the ID for P3, but not for P2...

Actually, if you are able to convince the CEM to run your custom bootloader, things are much simpler.
