
Vida CEM swapping

Help, Advice, Owners' Discussion and DIY Tutorials on Volvo XC90s. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America).

Re: Vida CEM swapping

Post by RickHaleParker » Fri Jun 26, 2020 11:11 am

vtl wrote:
Thu Jun 25, 2020 9:57 pm

Few seconds. I've mentioned a possibility of a side-channel timing attack on BUSY line in my first comment to the thread.

Scroll down the slides, M16 portion is in the middle: http://q3k.org/slides-recon-2018.pdf

17,057,594,037,927,937 * 2 seconds = 34,115,188,075,855,874 seconds = 480,793,563.27 years.

3μs when you get one or more correct or 3μs for each one correct?

If it is 3μs for each one correct, one could get the value of all the bytes by trying strings all the same and then calculating how many are that value. From there it would be a matter of determining the correct order.
Last edited by RickHaleParker on Fri Jun 26, 2020 11:36 am, edited 2 times in total.
--------
Platform: P80 1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
Platform: X40 (Nedcar) 2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
Platform P2 2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Platform P2 2004 S60R, B2524T4, AW50/51 AWD, B8444S TF80 AWD, Bosch Motronic 7.0, BorgWarner K24 turbocharger. V8 conversion in progress.


Re: Vida CEM swapping

Post by vtl » Fri Jun 26, 2020 11:16 am

Jitter for a next matched byte. 256 * 7 with a good SNR. More rounds to accumulate entropy with a bad SNR, but still not years, days or even hours.
05 XC70 265k, 16 XC60 45k, 19 Tundra 5k


Re: Vida CEM swapping

Post by RickHaleParker » Fri Jun 26, 2020 12:50 pm

vtl wrote:
Fri Jun 26, 2020 11:16 am
Jitter for a next matched byte. 256 * 7 with a good SNR. More rounds to accumulate entropy with a bad SNR, but still not years, days or even hours.
For seven bytes, exploiting a phenomenon like that would not make much of a difference. But it is something to look for when cracking longer keys.


Re: Vida CEM swapping

Post by vtl » Fri Jun 26, 2020 8:36 pm

I'm not sure I follow you. With a good signal-to-noise ratio (i.e. you can detect the BUSY anomaly right on spot) you need to do only up to 256 * 7 passes.


Re: Vida CEM swapping

Post by RickHaleParker » Fri Jun 26, 2020 11:26 pm

vtl wrote:
Fri Jun 26, 2020 8:36 pm
I'm not sure I follow you. With a good signal-to-noise ratio (i.e. you can detect the BUSY anomaly right on spot) you need to do only up to 256 * 7 passes.
RickHaleParker wrote:
Fri Jun 26, 2020 11:11 am
3μs when you get one or more correct or 3μs for each one correct?
If it is 3μs for each correct number, try all 00; if the delay increase comes out to 6μs, there are two 00s in the key, and so on for all the other 255 numbers. You could determine what the seven members of the key set are in 256 passes or less.

If it is 3μs when you get one or more correct, you can still use this to detect the members of the key set. Just keep in mind that if there is repetition, detection will be less than 7. But that is not a problem; you still know what the members of the key set are.

This reduces the 256 in your calculation to 7 max. Now you know which numbers to try in each position. No wasting passes on at least 249 numbers that are not part of the key. Finding the correct permutation would take not more than 49 (7 * 7) passes. 256 + 49 = 305 passes max. An 83% reduction over 256 * 7 = 1792.


Re: Vida CEM swapping

Post by vtl » Sat Jun 27, 2020 8:31 am

Delay exists only if there were no mismatched bytes sent yet. Each byte in the ID has to be scanned potentially in the full range, 0 to 255. Up to 256 * 7 scans per ID. Most probably, it would need many more scans for entropy, because I run the Renesas at full speed, so the delay/jitter will be real small. ESP32 can read IO every 0.2us in a tight loop; that would be its maximum resolution.
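A toy simulation of the timing oracle the two posts above are debating, added here as an example rather than taken from the thread or the q3k slides: an early-exit compare, where each matched byte before the first mismatch costs a fixed delay, lets a per-position scan recover a 7-byte key in at most 256 * 7 queries, while a constant-time compare leaves nothing to measure. The 3-tick cost per matched byte, the 0xff padding of the unknown tail and the sample key are constructed assumptions.

```python
from typing import Callable, List, Optional, Tuple

KEY_LEN = 7
MATCH_COST = 3  # assumed: one unit of extra delay per matched byte (3 us on the slides)
SAMPLE_KEY = bytes.fromhex("1a7fff0342c9e0")  # constructed sample key, not a real one


def early_exit_check(key: bytes, guess: bytes) -> Tuple[bool, int]:
    """Stops at the first mismatch, so elapsed time reveals how long the matched prefix is."""
    ticks = 0
    for k, g in zip(key, guess):
        if k != g:
            return False, ticks
        ticks += MATCH_COST
    return True, ticks


def constant_time_check(key: bytes, guess: bytes) -> Tuple[bool, int]:
    """Touches every byte regardless of mismatches; the time does not depend on the key."""
    diff = 0
    for k, g in zip(key, guess):
        diff |= k ^ g
    return diff == 0, KEY_LEN * MATCH_COST


def recover(oracle: Callable[[bytes], Tuple[bool, int]]) -> Tuple[Optional[bytes], int]:
    """Scan each position over 0..255 and keep the single slowest response.
    Bounded by 256 * KEY_LEN queries; returns None when no unique outlier exists."""
    known = bytearray()
    queries = 0
    for pos in range(KEY_LEN):
        timings: List[int] = []
        for b in range(256):
            # unknown tail padded with 0xff, as the probe on the slides does
            guess = bytes(known) + bytes([b]) + b"\xff" * (KEY_LEN - pos - 1)
            ok, ticks = oracle(guess)
            queries += 1
            if ok:
                return guess, queries
            timings.append(ticks)
        slowest = max(timings)
        if timings.count(slowest) != 1:
            return None, queries  # flat timing: the leak is absent, stop scanning
        known.append(timings.index(slowest))
    return None, queries  # every position resolved but the full guess was never accepted


if __name__ == "__main__":
    print("early-exit :", recover(lambda g: early_exit_check(SAMPLE_KEY, g)))
    print("constant   :", recover(lambda g: constant_time_check(SAMPLE_KEY, g)))
```

Against the leaky compare the scan returns the sample key after well under 256 * 7 queries; against the constant-time compare it gives up after the first 256 because every response takes the same time.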


Re: Vida CEM swapping

Post by RickHaleParker » Sat Jun 27, 2020 4:33 pm

vtl wrote:
Sat Jun 27, 2020 8:31 am
Delay exists only if there were no mismatched bytes sent yet.
You sure about that?

In the side attack description it looks like the author is sending six FF (255) along with the test byte. FF is a member of the 256 member set. FF is a potential match but will be a mismatch in most cases. This is what tipped me off that it might be 3μs for each correct byte.


Re: Vida CEM swapping

Post by vtl » Sat Jun 27, 2020 5:02 pm

He measures delay after each byte sent, not sequence.


Re: Vida CEM swapping

Post by RickHaleParker » Sat Jun 27, 2020 9:16 pm

vtl wrote:
Sat Jun 27, 2020 5:02 pm
He measures delay after each byte sent, not sequence.
Boy I miss the Amiga programmers, Software engineers and Hackers. They were well versed in spoken languages also.

"Thus, we can enumerate all bytes of the key one by one, using the timing difference for each correct byte to reduce our search to just 0x100*7 checks. And we get the key."

How does he deal with repetition? The only thing I can come up with is he runs the test byte through like a Johnson ring counter.
Last edited by RickHaleParker on Sat Jun 27, 2020 9:27 pm, edited 1 time in total.


Re: Vida CEM swapping

Post by vtl » Sat Jun 27, 2020 9:23 pm

The guy is from Poland, be merciful he speaks any English :)

My old CEM is not responding even to Renesas E8... :(