Vida CEM swapping

T5Luke · Post by **T5Luke** » 31 Mar 2021, 15:34

The CEM reads the transponder and if transponder is valid it comunicates with ECM. An idea would be to turn the transponder check routine into a false positive or always positive check routine to allow always starting.

MaxDenisov · Post by **MaxDenisov** » 31 Mar 2021, 16:01

blasaab wrote: ↑31 Mar 2021, 15:03 I have cloned my key. Only remote dosent work but can unlock with the blade.

I already have cut the blade of new key and ready for sw config. Just mentioned above that I am a bit lazy to remove CEM from the car to use Xprog or other solutions for eeprom editing.
Better to find OBDii soluton

Post by **RickHaleParker** » 31 Mar 2021, 16:20

vtl wrote: ↑31 Mar 2021, 14:35 My only key (well, ID48 pill) is glued to the immobilizer antenna

Have you checked with your local locksmith? ID48 transponders can be cloned. The CEM would not be able to tell one clone from the other.

Post by **vtl** » 31 Mar 2021, 16:34

RickHaleParker wrote: ↑31 Mar 2021, 16:20 Have you checked with your local locksmith? ID48 transponders can be cloned. The CEM would not be able to tell one clone from the other.

If I remember correctly, our ID48 has an actual (semi)random key that is locked. There was a research paper a few years ago that most of Megamos Cryptos can be hijacked because of dumb and lazy automotive vendors, but Volvo was not affected. IIRC.

Also I want to be able to start my car with just a screwdriver. I take it to places where any help is days away, so need a car in the most reliable shape as it can be. Security-schmecurity...

blasaab · Post by **blasaab** » 31 Mar 2021, 23:24

Hoppfully i get the box and teensy today. The rest off the build is waiting.

T5Luke · Post by **T5Luke** » 01 Apr 2021, 07:07

I make progress in flashing by own sbl, a flasher could be an easter egg in this forum, so wait a few days and keep your pincodes and dice units ready

Post by **vtl** » 01 Apr 2021, 07:10

That's awesome!

Post by **RickHaleParker** » 01 Apr 2021, 07:49

vtl wrote: ↑31 Mar 2021, 16:34 If I remember correctly, our ID48 has an actual (semi)random key that is locked.

Cannot be:

Our first attack, which comprises all vehicles using
Megamos Crypto, exploits the following weaknesses.
• The transponder lacks a pseudo-random number
generator, which makes the authentication protocol
vulnerable to replay attacks.

vtl wrote: ↑31 Mar 2021, 16:34 There was a research paper a few years ago that most of Megamos Cryptos can be hijacked because of dumb and lazy automotive vendors, but Volvo was not affected. IIRC.

A collaboration between Radboud University Nijmegen, The Netherlands and University of Birmingham, UK. Research paper is Here.

"Our third attack is based on the following observation.
Many of the keys that we recovered using the previous
attack had very low entropy and exhibit a well defined
pattern, i.e., the first 32 bits of the key are all zeros. This
attack consists of a time-memory trade-off that exploits
this weakness to recover the secret key, within a fewminutes,
from two authentication traces. This attack requires
storage of a 1.5 terabyte rainbowtable."

I take that Volvo is one that did not reduce the 96bit key to 64bits and issue the keys in a well defined pattern. This might be your "(semi) random key" .

MaxDenisov · Post by **MaxDenisov** » 02 Apr 2021, 14:05

any success on sbl?
Just found Volha Bordyk study : https://publications.lib.chalmers.se/re ... 156295.pdf

MaxDenisov · Post by **MaxDenisov** » 02 Apr 2021, 15:25

Remote diagnostics sw
https://github.com/Griccoder/flash

Vida CEM swapping

Re: Vida CEM swapping