Vida CEM swapping

[jcdillin]

This is really amazing, I'm so glad this is available. Great work!

Curious as to why your schematic connects to both high and low-speed busses, wouldn't you do this all over just the high speed?

I design PCB's as a side job, i'm thinking of making something without all the sheilds that would allow those that want to unlock the CEM to use it with programs like D5T5.

[vtl]

You need to send all modules into programming mode, on both CAN-buses. I don't shut slow-speed bus yet, but it will be necessary with the CEM mounted in the car, not laying on the desk.

[jcdillin]

Interesting, thanks!

[RickHaleParker]

I'll be happy to assist anybody who is willing to go over this work and write the doc... I'm not good at writing the docs.

How about adding to the Doc folder the signal specs and the CEM Command set or any part of the Command set you have. That will give anybody who wants to contribute to the project a better head start.

[vtl]

There's a problem with ESP32, with it's conditional jump opcode. It seems that it is a "complex" instruction for ESP32 core and it is handled in microcode (trap on opcode, jump to subroutine in ucode), with associated latency. It was found that any condition in the code adds latency in 500 ticks increments, and that comes from the conditional jump.

That kills the idea of sampling CEM latency with ESP32, it needs something better. Ideally, small FPGA First will try Teensy 4.x that runs at 600 MHz and has ARM ISA, if that fails it will be a time to continue my abandoned Verilog journey.

[RickHaleParker]

That kills the idea of sampling CEM latency with ESP32, it needs something better. Ideally, small FPGA First will try Teensy 4.x that runs at 600 MHz and has ARM ISA, if that fails it will be a time to continue my abandoned Verilog journey.

A Microchips PIC Microcontroller might be an option.
The PIC in Microchips PIC Microcontrollers originally stood for "Programmable Interface Controller". The highly successful EML327 OBDII interface was developed on a PIC18F2480. Some of the chips have a integrated LCD driver which can come in handy.

[JmJ75]

I'll be happy to assist anybody who is willing to go over this work and write the doc... I'm not good at writing the docs.

This is an Arduino IDE terminal window. Arduino is connected to my computer via USB cable and spits messages that are displayed on a monitor.

Brute forcing is going over all combinations of these 3 bytes. LSB never went higher than 0x02 because the correct PIN was found almost in the beginning of numeric space for these 3 bytes. In case when all 3 bytes are 0x99 0x99 0x99 it would take about 13-15 minutes.

This is very interesting project! If i understand right. So you can read and crack example: Volvo S60 P2 CEM pin directly by OBD2 port? And this is possible to using only next components: Arduino, ESP32, MCP2515 and serial-OBD cable? If this is right i can try to do this. Im not expert with Arduino but i have software development background +10 years. I believe i can also document these phases. Would you give some hints/helps if i try to repeat what you are done with this? I think with Arduino i will need it. Is it possible to send private messages with this forum? If not, i can give my email address...

[vtl]

ESP32 has problems with its opcodes latency.

Teensy 4.0 (32-bit ARM running at 600 MHz), 2x MCP2515, CYT1072 (level shifter), OBD-II cable. I'll make it work with Teensy soon.

[RickHaleParker]

I been looking at a some code on git hub that adds a timestamp to serial communications. Maximum resolution is 1 ms.

Would it not be possible and easier to write a program that logs timestamped sends and receives from the serial port, then uses data from the logs to do the calculations?

If so, a cheap plentiful USB OBDII cable might do as the hardware. The J2534 function in the DiCE units or any other J2534 interface might do. Might not be as fast but it would be easy to implement and accessible to a lot more people. Keep in mind D5T5's Vdash P3 CEM PIN cracker can take as long as 24 hours and people still use it without complaint.

On Github look up TS (TimeStamp) in moreutils.

JmJ75 If it determined this is a solution could you code a cross platform app? Mac, Linux and Windows.

PS: It looks like J2534 (ISO15765) PassThru has timestamps for send and received messages.

[vtl]

For the extra CMP command for a good byte in PIN-code Renesas spends 4 more cycles at 30 MHz clock rate. That translates to 133 ns (nanoseconds) extra latency that I'm trying to detect. Millisecond resolution is at least 10,000 times less precise than needed.

This is Arduino solution: it can be compiled/uploaded to the device on any platform supported by Arduino IDE/CLI.