Vida CEM swapping

[sirloins]

I just wanted to update, I haven't finished the changes for the P1 to submit into the git repo. I will try to do that soon though.

Here is an interesting thing I found. (If you want me to keep P1 stuff out of this let me know)

The P1 has two different PINs. One is the one we are talking about cracking here, the other is stored in eeprom. The P1 has two processors, the "left" and "right". One is a MC9S12x256 and the other is a MC9S12x128 (2004/5 MY). The pin stored in eeprom is used for the higher-level functions by requesting security access with the A3 02 service, it is 3-bytes long.

On the P1 CEM, the left MCU does not have a PIN to unlock the bootloader only the right one does - but both processors share the same higher-level PIN in eeprom. This means that on the P1, you can get the A3 02 PIN by just reading the PIN from eeprom on the unsecured left MCU.

Of course, the right mcu bootloader PIN is still required in order to read/write flash memory as far as I know (car config etc), but I believe you could do things like add/remove key with just this higher-level pin.

[RickHaleParker]

The one you have has a MC9S12x256 & MC9S12x128?
Did this guy get it wrong?

[gnalan]

Does this only work on 2005+ models? What about the early model P2s, like my 2001 S60?

[T5Luke]

At the moment the earlier models are not supportet. Technical it is a bit different and sending so much samples at a much slower bus makes this thing a bit difficult... But it won't mean it is not possible it just would take much longer...

[sirloins]

The one you have has a MC9S12x256 & MC9S12x128?
Did this guy get it wrong?

The one I am talking about is a P1 S40/V50 2004/2005 CEM, but yes it is MC9S12x128 on the left, and MC9S12x256 on the right side. Maybe they changed in the later models to just using one part for both (the 256).

[T5Luke]

They use alwas 2 cpus but they variate much between different size on modules with different part numbers.

[RickHaleParker]

Maybe they changed in the later models to just using one part for both (the 256).

Sometimes it is more cost effective to pay more for parts then it is to maintain two or more part numbers.

[RickHaleParker]

Does this only work on 2005+ models? What about the early model P2s, like my 2001 S60?

Your 2001 is a P2 CEM-H -2004. This has only been confirmed on a P2 CEM-L 2005- .

[T5Luke]

Your 2001 is a P2 CEM-H -2004. This has only been confirmed on a P2 CEM-L 2005- .

No there are 2 different types of CEMs, the one before 2005 with some 6800 CPU and the one from 2005 and newer with Renesas CPU.
The one from 2005 and newer exists as CEM L for cars without AWD and as CEM H for cars with AWD. Both have same CPU but the AWD versions has additional components. You can use a AWD version in an non AWD car but not the other way round. This software works on all CEMs from 2005 and above.

[RickHaleParker]

Cem_Crack_Output.PNG (36.98 KiB) Viewed 1757 times

Looks like the sequence after "found PIN" is the encrypted sequence stored in Rom, not the sequence that must be presented to unlock the CEM. Am I missing something? Is there a failure to communicate?