Vida CEM swapping

[vtl]

Teensy 4.0 (ARM Cortex-M7) is great!



Had a couple of doubts that were oscilloscoped out. As a consequence, the code was completely rewritten. It technically can run on ESP32, but it won't work properly, because ESP32's single conditional jump command takes almost two microseconds - far away from the required precision.

Next step is to simplify the hw part: use a 3.3v CAN transceiver (Teensy has a built-in CAN-controller) and get rid of bi-directional 3.3v<>5v level shifter (CYT1072).

[3r1k]

Just found this thread, awesome work you have done vtl! Personally I am into the P1 Volvo CEMs and more specific changing the car configuration as I have retrofitted many goodies to my car. Right now my way to go is to solder into the MC9S12 (which has a flash and EEPROM) and manually changing the bit(s), as installing software as Volvo says is equivalent to just activating that feature in the CEMs car config as the software is already in the module from the factory.

I am right now seeking how to do this via the canbus and what I am missing is where the PIN is stored/or how to crack and what commands has to be sent over the can network. This picture shows the block responsible for the car configuration that on P1 cars, it is in the flash.



I know this looks the same on P2 2005-2007 (downloaded a random dump and confirmed this) on the 2000-2004 the only difference I can see is that the Checksum and size of the carconfig has flipped order, In the dump above this is located at, Size = 0x3c100 and Checksum = 0x3c101, in 2000-2004 P2 this is flipped. If you read out the car via VIDA, the order VIDA displays the carconfiguration is the same order as you see it in the flash. It is also possible to decode this using some information from the VIDA databases where you can find what each specific offset is equivalent to and what different configurations means.

[vtl]

I don't know anything about PIN in P1 CEM, but if the principle is similar to P2 - it can be cracked by a similar timing attack.

[3r1k]

Yeah I will for sure try digging into that. Btw, Have you tried dealing anything with the car configuration on your P2 CEM using your PIN?

[vtl]

This is not my PIN - I play with the spare donor CEM on my desk. I knew the PIN up front by reading the Renesas M32C via serial port, that helped a lot with steering the algorithm.

Yeah, I'm planning to do some configuration changes... Thinking about mating XC70 and its engine to the frame and the rest of drivetrain from 4th gen Toyota 4Runner =)

[RickHaleParker]

Thinking about mating XC70 and its engine to the frame and the rest of drivetrain from 4th gen Toyota 4Runner =)

Sounds like your about to bite off almost as much as I have. Retrofitting a Volvo V8 into a 2004 S60R.

[vtl]

Sounds like your about to bite off almost as much as I have. Retrofitting a Volvo V8 into a 2004 S60R.

Yeah, I "follow" your thread Nice!

[sirloins]

Just wanted to chime in and say awesome work!

I am just getting started looking at the P1 platform like 3r1k.

[RickHaleParker]

I am missing is where the PIN is stored/or how to crack and what commands has to be sent over the can network.

You might find some clues to where the PIN is in bin file by reading the Block users guide for that specific version of the MC9S12.

Block User Guide for your MC9S12 is FTSxxxK where xxx is the numbers on the end of the device name.

For example:
MC9S12C32 get Block User Guide FTS32K.
MC9S12C128 get Block User Guide FTS128K

[vtl]

You might find some clues to where the PIN is in bin file by reading the Block users guide for that specific version of the MC9S12.

Block User Guide for your MC9S12 is FTSxxxK where xxx is the numbers on the end of the device name.

Volvo does not use ID code of the device (the one that does a physical read access restriction for the flash), as it turned out. Instead it uses its own PIN code that Volvo implements in its own protocol. That PIN is just a few bytes in the dump, you still need to look for them in a car/platform-specific location.