Vida CEM swapping

Post by **RickHaleParker** » 24 Jun 2020, 20:20

vtl wrote: ↑24 Jun 2020, 19:57 Yeah, seen that. I don't really understand what this software does.

It gets the pin number needed to make changes in the CEM. Like software reloads, cloning ... ect.

Yagger can get the PIN through the OBDII port but like all the other services the CEM PIN is not shared with the customer. It is used by him to provide his services. VDASH does the same and it makes sense. If they gave out the CEM PIN. Idiots would messing with things and then try to blame the service provider in order to get their mess fixed for free. Fixing someone else's mess is not cheap.

If i recall correctly Yagger's method for the P2 requires hardware other than DiCE. Or like VDASH you can snail mail the CEM and he will put the CEM pin on file in your account information.

Post by **vtl** » 24 Jun 2020, 21:27

RickHaleParker wrote: ↑24 Jun 2020, 20:20 It gets the pin number needed to make changes in the CEM. Like software reloads, cloning ... ect.

It says:
"Read Processor Renesas M32C Flash file.
Browse file and get CEM PIN security CODE.

Enjoy GUSS"

As I said before, you can't do the first line without knowing PIN up front. At least, as per Renesas.

I "browsed" a random file (PNG picture) and it printed me a 00 00 00 00 00 00 code, that was at the offset where the PIN is stored in flash. I'd say, this is not a very useful "tool"

Post by **RickHaleParker** » 24 Jun 2020, 23:05

vtl wrote: ↑24 Jun 2020, 21:27 As I said before, you can't do the first line without knowing PIN up front. At least, as per Renesas.

You need to hard wire the programmer to the PC board. Read this. Your not after a chip pin. You are after a board pin or software key.

Note the third line in the comment section of the programmer software.

Post by **vtl** » 24 Jun 2020, 23:18

In the video they read unsecured/unlocked flash. To read the locked flash you need to know ID.

That programmer costs arm and a leg. My setup is $0 investment (everything was taken from parts bin)

Post by **yagger** » 25 Jun 2020, 11:18

RickHaleParker wrote: ↑24 Jun 2020, 19:37 Have you considered making a better program/service to directly compete with Vdash?

We have service similar like Vdash, but we have other philosophy. We work with people directly. WE WORK WITH CUSTOMER. )))
In case with Vdash, CUSTOMER WORK WITH SERVICE for own risk about result.
We work from 2010. But unfortunately, I think we are not good bisnessman's, we never advertise our service for world market like Vdash, but now, we start show our tech posibilites and they are very cool. Also, we try to work with shops only, because very often situations when regular customer do not has tech experience and we spend a loooot time for explain them what need to do. We lake to work with tech educated guys, they can check any things we ask them without additional spended time. Our service include diagnostic and recomendations except service itself. Sorry about my English, if need some additional explanation, better to text me PM... My be need to creat new topic about our service? ))

Post by **RickHaleParker** » 25 Jun 2020, 13:18

vtl wrote: ↑24 Jun 2020, 21:27 As I said before, you can't do the first line without knowing PIN up front. At least, as per Renesas.

Have you seen this document on programing R8C/M16C/M32C/R32C?

"To unlock the chip, we need to know the flash locking code that was last programmed into it. Most development tools use either all zeros or all ones (0xff) for the default key, so if you don't know the right key you can try those. Each chip reserves seven bytes near the end (high addresses) of the flash,which vary by family:"

Post by **vtl** » 25 Jun 2020, 13:24

Yes, and if the key is not all 0s or 1s the chip is locked and you can't make any progress until you know the key.

Post by **RickHaleParker** » 25 Jun 2020, 14:36

: MwAAAgPki-A-960.jpg (353.03 KiB) Viewed 7308 times

Post by **RickHaleParker** » 25 Jun 2020, 16:17

vtl wrote: ↑25 Jun 2020, 13:24 Yes, and if the key is not all 0s or 1s the chip is locked and you can't make any progress until you know the key.

Brute force: 16^14 +1 = 17,057,594,037,927,937 possibilities. How long would it take a cracker to try one, check the status then move on to the next one?

Post by **vtl** » 25 Jun 2020, 21:57

RickHaleParker wrote: ↑25 Jun 2020, 16:17
vtl wrote: ↑25 Jun 2020, 13:24 Yes, and if the key is not all 0s or 1s the chip is locked and you can't make any progress until you know the key.
Brute force: 16^14 +1 = 17,057,594,037,927,937 possibilities. How long would it take a cracker to try one, check the status then move on to the next one?

Few seconds. I've mentioned a possibility of a side-channel timing attack on BUSY line in my first comment to the thread.

Scroll down the slides, M16 portion is in the middle: http://q3k.org/slides-recon-2018.pdf

Vida CEM swapping

Re: Vida CEM swapping