Vida CEM swapping

Post by **yagger** » 01 Oct 2020, 17:03

If relay only, yes... But relay issue is not so often. More often issues with water damages.

Post by **RickHaleParker** » 01 Oct 2020, 18:19

vtl wrote: ↑01 Oct 2020, 11:20 So the PIN is located at address 0xFFE000. Flash starts at address 0xFB0000, so when you get the dump the PIN is at offset 0x4E000 in the file. The PIN byte sequence in dump is not linear.

For example, this is PIN from my dump:

offset __ B3 B1 B5 B0 | B2 B4 XX XX |
0004E000| 53 38 03 21 │ 18 02 FF FF │

PIN = B0 B1 B2 B3 B4 B5
PIN is 21 38 18 53 02 03

This way you don't have to rely on the windows software to dig out the PIN.

A simple plain text transposition cipher? You can put a decipher in your code.

Post by **vtl** » 01 Oct 2020, 19:03

Tyco on ebay are made inChina. You may have a better luck (longer lifespan) with TE relay. TE acquired Tyco.

Post by **vtl** » 13 Oct 2020, 11:30

It was tough, but the Arduino cracks it under 5 minutes (can take longer, up to like 13-15 minutes, depends on last 3 bytes). I still asses reliability, but in a few runs it had the pin cracked correctly every time.

All hail math!

Post by **vtl** » 13 Oct 2020, 12:33

Post by **vtl** » 13 Oct 2020, 20:55

https://github.com/vtl/volvo-cem-cracker

Post by **RickHaleParker** » 15 Oct 2020, 19:27

vtl wrote: ↑13 Oct 2020, 11:30 It was tough, but the Arduino cracks it under 5 minutes (can take longer, up to like 13-15 minutes, depends on last 3 bytes). I still asses reliability, but in a few runs it had the pin cracked correctly every time.

All hail math!

Good you got it done and it cracks through the ODBII port.

A mark of any professional is making something accessible to people that would otherwise not be able to access something. A construction manual and a end user manual would make it accessible for a wider range of people. Not everybody has the time or wants to learn all that not in the current docs. Certainly nothing wrong with it. Apple's success is based on catering to people that did not want to learn computing. They just wanted to get things done. lots of non-techicnal professionals with deep pockets chose Apple for that reason. For example .. what is the output display in your video? The schematic does not include a display device.

On the last 3 bytes: By brute force you mean try a sets of three sequentially until you get it? The LSB never went higher then 0x02.

Post by **vtl** » 16 Oct 2020, 06:27

I'll be happy to assist anybody who is willing to go over this work and write the doc... I'm not good at writing the docs.

This is an Arduino IDE terminal window. Arduino is connected to my computer via USB cable and spits messages that are displayed on a monitor.

Brute forcing is going over all combinations of these 3 bytes. LSB never went higher than 0x02 because the correct PIN was found almost in the beginning of numeric space for these 3 bytes. In case when all 3 bytes are 0x99 0x99 0x99 it would take about 13-15 minutes.

Post by **RickHaleParker** » 16 Oct 2020, 11:18

vtl wrote: ↑16 Oct 2020, 06:27 Brute forcing is going over all combinations of these 3 bytes. LSB never went higher than 0x02 because the correct PIN was found almost in the beginning of numeric space for these 3 bytes. In case when all 3 bytes are 0x99 0x99 0x99 it would take about 13-15 minutes.

In the output, It looks like LSB 2 is counting ↓down↓ from 0x99.

Maybe this winter I'll build one. Too many pokers in the fire right now.

I wonder about adding a six digit display to the Arduino so it can be used without a PC.
Wonder if the algorithm will work on a P2 CEL-H ... P1 CEM ... P3 CEM.

Post by **vtl** » 16 Oct 2020, 12:00

It goes from 0 to 999999, spreading bits among 3 trailing bytes of pin code as needed.

Vida CEM swapping

Re: Vida CEM swapping