Vida CEM swapping

[RickHaleParker]

Volvo does not use ID code of the device (the one that does a physical read access restriction for the flash), as it turned out. Instead it uses its own PIN code that Volvo implements in its own protocol. That PIN is just a few bytes in the dump, you still need to look for them in a car/platform-specific location.

Thanks for the reminder. You did find the hardware unlocked.

If he where to get two dumps from different cars but same software revision and compare them for the differences that would narrow down the list of suspect addresses. The odds that the two have the same PIN is what .. 1 in 281474976710656. If he knew for certain the length of the P1 pin. He could narrow the location down further. Differences less then the length of the pin can be ruled out.

[vtl]

A second successful PIN crack was reported

[sirloins]

I have a P1, using a socketcan (can to USB) adapter I was able to send a few of the commands you listed to my CEM.

I was able to enter programming mode (all other canbus traffic stops). Also was able to read the part number.

May I ask where you found these commands to send? was it just something you logged, or are these commands listed somewhere (like in VIDA database etc).

I actually backed the Teensy kickstarter back in the day, but those are version 3.x. I just placed an order for a canbus shield + teensy 4.0 to see what happens.

[vtl]

The codes and more were sent to me by a fellow Volvo enthusiast who was interested in cracking PIN himself. That saved me months of research time. Otherwise I was going to purchase a CEM reload in VIDA Online and sniff all the CAN traffic. I did that once for ECM software update.

I thought I will need Teensy 4.0 because of its 600 MHz and 2 clocks per instruction after an ultimate failure with ESP32, but in reality everything turned out to be much simpler and the PIN can be cracked on a much slower hardware. 3.x would do it just fine. I even made a version that uses Teensy's built-in CAN controller + external transceiver and sampling via slow interrupt - it works as well, though more samples are needed for a good signal-to-noise ratio. Probably will share this version on github some time later.

[RickHaleParker]

The codes and more were sent to me by a fellow Volvo enthusiast who was interested in cracking PIN himself. That saved me months of research time. Otherwise I was going to purchase a CEM reload in VIDA Online and sniff all the CAN traffic. I did that once for ECM software update.

A ton of Volvo protocols, devices, timings, codes, identifiers and commands, are hidden in the VIDA database.
Here is a primer on the subject.

[vtl]

A ton of Volvo protocols, devices, timings, codes, identifiers and commands, are hidden in the VIDA database.
Here is a primer on the subject.

I know...

[sirloins]

Thanks, yep I have been knee-deep in those SQL tables haha.

Might have missed them, but I hadn't seen some of the commands used in the cem-cracker. Like enter programming mode, request part number.

I got the program working on the teensy 3.6 using the FlexCAN library though. I think either there is too much delay with this FlexCAN library, or the CEM I have is not susceptible to this.

I will try with the MCP 2515 SPI Can Controller as in the example and report back.

[vtl]

You may want to increase SAMPLES to 100. This all is in assumption you are working with Renesas-based CEM. Others are untested.

[vtl]

Been playing with VIDA SQL a few years back, ended up with this: https://github.com/vtl/volvo-ddd

[RickHaleParker]

Might have missed them, but I hadn't seen some of the commands used in the cem-cracker. Like enter programming mode, request part number.

I found a potential location "Reload CEM" but I have not been able to convert the Hex string in to a valid zip file.
When I try to open the zip it comes up invalid.