Vida CEM swapping

jcdillin · Post by **jcdillin** » 09 Mar 2021, 10:27

Woohoo, success! Setting it to 60 samples and changing calc_bytes to 4.

Of course now the fun part of actually changing the configuration

Post by **vtl** » 09 Mar 2021, 11:04

Congrats!

Why calculate the 4th byte? Was brute-forcing the 3 remaining bytes taking longer?

MaxDenisov · Post by **MaxDenisov** » 09 Mar 2021, 11:40

a bit failed for me again:

Code: Select all

CPU Maximum Frequency:   600000000
CPU Frequency:           180000000
Execution Rate:          180 cycles/us
Minimum CEM Reply Time:  30us
Platform:                P2
PIN bytes to measure:    3
Number of samples:       30
Number of loops:         1000

CAN high-speed init done.
CAN low-speed init done.
Initialization done.

Putting all ECUs into programming mode.
---> ID=000ffffe data=ff 86 00 00 00 00 00 00
---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50
---> ID=000ffffe data=50 88 00 00 00 00 00 00
<--- ID=00000003 data=50 8e 00 00 31 31 44 68
Part Number: 000031314468
Calculating bytes 0-2
1000 pins in 657 ms, 1522 pins/s, average response: 197
[ 00 -- -- -- -- -- ]: 000 000 000 002 072 011 440 010 353 002 042 003 012 003 005 : 469526

......

Candidate PIN 0x70 0x88 0x74 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 657 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..45%..50%..55%..60%..65%..70%..75%..80%..85%..90%..95%..
PIN is NOT cracked in 1233.20 seconds
done
Resetting all ECUs.
---> ID=000ffffe data=ff c8 00 00 00 00 00 00
---> ID=000ffffe data=ff c8 00 00 00 00 00 00

Post by **vtl** » 09 Mar 2021, 11:43

Increase SAMPLES.

Does it give the first two bytes correctly every time?

MaxDenisov · Post by **MaxDenisov** » 09 Mar 2021, 11:50

vtl wrote: ↑09 Mar 2021, 11:43 Increase SAMPLES.

Does it give the first two bytes correctly every time?

Made second attempt with increased samples:
Bytes different

Code: Select all

CPU Maximum Frequency:   600000000
CPU Frequency:           180000000
Execution Rate:          180 cycles/us
Minimum CEM Reply Time:  30us
Platform:                P2
PIN bytes to measure:    4
Number of samples:       60
Number of loops:         1000

CAN high-speed init done.
CAN low-speed init done.
Initialization done.

Putting all ECUs into programming mode.
---> ID=000ffffe data=ff 86 00 00 00 00 00 00
---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50
---> ID=000ffffe data=50 88 00 00 00 00 00 00
<--- ID=00000003 data=50 8e 00 00 31 31 44 68
Part Number: 000031314468
Calculating bytes 0-3
1000 pins in 657 ms, 1522 pins/s, average response: 299

Candidate PIN 0x67 0x38 0x20

I interrupted this try on 4th figure occasionally

Post by **vtl** » 09 Mar 2021, 11:52

What kind of CEM is it? Is it based on Renesas?

jcdillin · Post by **jcdillin** » 09 Mar 2021, 11:53

How big is your wire? Do you have CAN HS L direct to pin 2 or to Can RX pin?

MaxDenisov · Post by **MaxDenisov** » 09 Mar 2021, 12:03

vtl wrote: ↑09 Mar 2021, 11:52 What kind of CEM is it? Is it based on Renesas?

How to check it without disassembling?

MaxDenisov · Post by **MaxDenisov** » 09 Mar 2021, 12:05

jcdillin wrote: ↑09 Mar 2021, 11:53 How big is your wire? Do you have CAN HS L direct to pin 2 or to Can RX pin?

from OBDii to DB9 is about 1 meter.

Post by **vtl** » 09 Mar 2021, 12:41

Try rerouting Teensy pin 2 to U1 pin 4 (CAN-HS transceiver's RX pin).

Vida CEM swapping

Re: Vida CEM swapping