Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
jcdillin
Posts: 196
Joined: 30 October 2014
Year and Model: 06 V70R
Location: Jacksonville Florida
Been thanked: 3 times

Re: Vida CEM swapping

Post by jcdillin »

I was looking through the flashing code for the CAN ECU flasher. It appears they made a function that relays the messages.


From https://github.com/prometey1982/VolvoTo ... lasher.cpp

Code:

void Flasher::canGoToSleep(unsigned long protocolId, unsigned long flags) {
  unsigned long channel1MsgId;
  unsigned long channel2MsgId;
  // Start sending the go-to-sleep request periodically (interval argument 5)
  // on the first channel.
  _channel1->startPeriodicMsg(
      common::CanMessages::goToSleepCanRequest.toPassThruMsg(protocolId, flags),
      channel1MsgId, 5);
  // Do the same on the second channel, if one is open.
  if (_channel2) {
    _channel2->startPeriodicMsg(
        common::CanMessages::goToSleepCanRequest.toPassThruMsg(
            protocolId, CAN_29BIT_CHANNEL2),
        channel2MsgId, 5);
  }
  // Keep the periodic messages running for 3 seconds, then stop them.
  std::this_thread::sleep_for(std::chrono::seconds(3));
  if (_channel2) {
    _channel2->stopPeriodicMsg(channel2MsgId);
  }
  _channel1->stopPeriodicMsg(channel1MsgId);
}

This one is interesting too

https://github.com/prometey1982/VolvoTo ... essage.cpp

vtl
Posts: 4727
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

"Every 5 ms send a 'go to sleep' message for 3 seconds". We do that.

Post by jcdillin »

Right, but why are they wrapping it into the passthrough function? Maybe that's to get to other units on the network?

Post by vtl »

This is the core of J2534 - the pass-through mode a.k.a. "nothing special" ;)

"J2534 is a concept that enables flash programming of an emission related ECU regardless of the communication protocol that is used by the ECU. The purpose is that only one tool (hardware device), often referred to as the pass-thru device, should be needed for all kind of ECUs".

If you happen to open the DiCE log on your laptop - you'll see lots of these:

02:58:01,078 0103 000000 PassThruWriteMsgs() enter
02:58:01,078 0100 000005 PassThruWriteMsgs() In parameter ChannelID = 5
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].ProtocolID = CAN_XON_XOFF
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].RxStatus = 0
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].TxFlags = 256
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].Timestamp = 0
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].ExtraDataIndex = 0
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].DataSize = 12
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].Data = [0x00, 0xf, 0xff, 0xfe, 0xcd, 0x7a, 0xa6, 0x15, 0x83, 0x01, 0x00, 0x00]
02:58:01,078 0100 000005 PassThruWriteMsgs() In/out parameter pNumMsgs = 1
02:58:01,078 0100 000005 PassThruWriteMsgs() In parameter Timeout = 2000
02:58:01,109 0100 000005 PassThruWriteMsgs() In/out parameter pNumMsgs = 1
02:58:01,109 0104 000005 PassThruWriteMsgs() exit
02:58:01,109 0103 000000 PassThruReadMsgs() enter
02:58:01,109 0100 000005 PassThruReadMsgs() In parameter ChannelID = 5
02:58:01,109 0100 000005 PassThruReadMsgs() In/out parameter pNumMsgs = 1
02:58:01,109 0100 000005 PassThruReadMsgs() In parameter Timeout = 50
02:58:01,125 0000 000000 XonXoffChannel::Handle() Message received
02:58:01,125 0100 000005 PassThruReadMsgs() In/out parameter pNumMsgs = 1
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].ProtocolID = CAN_XON_XOFF
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].RxStatus = 256
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].TxFlags = 0
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].Timestamp = 1098492400
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].ExtraDataIndex = 0
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].DataSize = 12
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x21, 0xce, 0x7a, 0xe6, 0x15, 0x83, 0xff, 0xff, 0x00]
02:58:01,125 0104 000005 PassThruReadMsgs() exit

Plain data sent over CAN, nothing more. We do the same.
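
Added example (not part of the post above or of any project discussed in this thread): a small Python parser for log lines in the format quoted above, splitting each logged `msg[].Data` into a CAN identifier and payload. It assumes the usual J2534 CAN layout (first four bytes are the identifier, big-endian, the rest is frame data) also holds for DiCE's `CAN_XON_XOFF` protocol, and that bit 0x100 in `TxFlags`/`RxStatus` marks a 29-bit identifier; `parse_frames` and `format_frame` are names chosen for this example.

```python
import re

# Excerpt of the DiCE log lines quoted in the post above (subset of fields).
SAMPLE_LOG = """\
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].ProtocolID = CAN_XON_XOFF
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].TxFlags = 256
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].DataSize = 12
02:58:01,078 0100 000005 PassThruWriteMsgs() msg[0].Data = [0x00, 0xf, 0xff, 0xfe, 0xcd, 0x7a, 0xa6, 0x15, 0x83, 0x01, 0x00, 0x00]
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].ProtocolID = CAN_XON_XOFF
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].RxStatus = 256
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].DataSize = 12
02:58:01,125 0100 000005 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x21, 0xce, 0x7a, 0xe6, 0x15, 0x83, 0xff, 0xff, 0x00]
"""

CAN_29BIT_ID = 0x100  # assumed J2534 flag bit for an extended (29-bit) ID
FIELD = re.compile(
    r"^(\S+) \S+ \S+ PassThru(Write|Read)Msgs\(\) msg\[\d+\]\.(\w+) = (.*)$")

def parse_frames(log):
    """Return one dict per logged message: time, direction, CAN ID, payload."""
    frames, cur = [], {}
    for line in log.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # enter/exit and parameter lines carry no message fields
        ts, direction, name, value = m.groups()
        if name in ("TxFlags", "RxStatus"):
            cur["flags"] = cur.get("flags", 0) | int(value)
        elif name == "DataSize":
            cur["size"] = int(value)
        elif name == "Data":
            raw = bytes(int(b, 16) for b in value.strip("[] ").split(","))
            if len(raw) < 4 or len(raw) != cur.get("size", len(raw)):
                raise ValueError(f"bad message length at {ts}")
            frames.append({
                "time": ts,
                "dir": "tx" if direction == "Write" else "rx",
                "id": int.from_bytes(raw[:4], "big"),
                "extended": bool(cur.get("flags", 0) & CAN_29BIT_ID),
                "payload": raw[4:],
            })
            cur = {}  # Data is the last field logged for a message
    return frames

def format_frame(f):
    """Render a frame in the '---> ID=... data=...' style used later in the thread."""
    arrow = "--->" if f["dir"] == "tx" else "<---"
    return f"{arrow} ID={f['id']:08x} data={f['payload'].hex(' ')}"

if __name__ == "__main__":
    print("\n".join(format_frame(f) for f in parse_frames(SAMPLE_LOG)))
```

The written message decodes to ID 000ffffe with eight data bytes, the same identifier that appears in the Teensy serial output further down the thread.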

Post by jcdillin »

Ahh, ok, that makes sense, thanks!

Post by jcdillin »

Just for giggles I tried again tonight. I pulled the fuse on the REM, ECM, TCM, ETM, BCM and the UEM with the same response. Just 99's as the first 3 codes. I'm going to bring home my bench cable that I used on the out of the car CEM to see if I can just plug that in without removing it from the car.

Post by vtl »

Was it with MCP or built-in? Sorry if you said it already, I can't track anymore who used what.

Post by vtl »

Ok... As seen on TV... Soldered it for the built-in CAN-controllers, made no changes to software besides selecting TEENSY_CAN_HW, opened up a beer and it cracked in 10.5 minutes in the very first pass.

Code:

CPU Maximum Frequency:   600000000
CPU Frequency:           180000000
Execution Rate:          180 cycles/us
Minimum CEM Reply Time:  30us
Platform:                P2
PIN bytes to measure:    3
Number of samples:       30
Number of loops:         1000

CAN high-speed init done.
CAN low-speed init done.
Initialization done.

Putting all ECUs into programming mode.
---> ID=000ffffe data=ff 86 00 00 00 00 00 00
---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50
---> ID=000ffffe data=50 88 00 00 00 00 00 00
<--- ID=00000003 data=50 8e 00 00 30 72 85 42
Part Number: 000030728542
Calculating bytes 0-2
1000 pins in 657 ms, 1522 pins/s, average response: 86
[ 00 -- -- -- -- -- ]: 000 000 000 008 186 064 1263 081 1237 006 155 000 000 000 000 : 260733
[ 01 -- -- -- -- -- ]: 000 000 000 009 181 072 1280 072 1195 008 183 000 000 000 000 : 260757
[ 02 -- -- -- -- -- ]: 000 000 000 009 156 074 1307 077 1181 009 187 000 000 000 000 : 260801
...
Candidate PIN 0x68 0x96 0x24 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 657 seconds
Progress: 0%..5%..done

found PIN: 0x38 0x96 0x83 0x68 0x07 0x24
PIN is cracked in 635.54 seconds
Validating PIN
PIN verified.
done
Resetting all ECUs.
---> ID=000ffffe data=ff c8 00 00 00 00 00 00
---> ID=000ffffe data=ff c8 00 00 00 00 00 00

The only thing remaining is clearing the DTCs with VIDA/DiCE.

Post by jcdillin »

Well that's cool and frustrating at the same time :)

Did you run it without termination?

I'm using a Teensy just like that with 2 external CAN transceivers, and the setup works great on the bench.

Verifying the process.

1. Attach Teensy to OBD port
2. Wait for serial monitor to show text
3. Turn key to pos II

MaxDenisov
Posts: 36
Joined: 6 March 2021
Year and Model: XC90 2010
Location: Moscow
Has thanked: 2 times

Post by MaxDenisov »

@vtl
Very good.
Well, I just need to patch my hands)
Do I need to make changes to the schematic (is it correct)?
Attachment: Schematic_Volvo CEM Cracker M_2021-02-28(1).png