Vida CEM swapping

[T5Luke]

The CEM H are just the CEMs for the XC90, they have a minimal hardware difference but no real software difference between the CEMs of the other cars. From your own statistics you cant tell much about the difference, worldwiede there are so many CEMs so it doesnt matter if you cracked 3 of this type or 3 of this type. Some bytes are harder to detect as others. Some bytes need more switching between 0 and 1 in the hardware which could take a few ns longer. You can clearly see in a not so noisy measurement you can detect more things wich indicate a right byte as in a noisy measurement. I can tell you from my own tries, cracking was easy on 5 normal CEMs but in my XC90 the CEM H was the hardest which needed the most tries.

[repair]

...... but in my XC90 the CEM H was the hardest which needed the most tries.

Attempts with the same specified data at Teensy or did you cheat on something there?

[T5Luke]

I have shown my minimalistic setup a few pages before. Just teensy, some jumper wires but i replaced mcp2515 on board by original one also i swapped crystall against a 16mhz version. I needed 70 samples to find code secure.

[vtl]

I'm working with the CEM dump that always fails to detect pin[1] and struggles with pin[2] (when I cut corner and start cracking from position 2, with first 2 bytes predefined). Here's two similar pin comparison routines from the dump that always cracks and from the dump that fails on pin[1].

FFCAC9 96B6F900E0FF CMP.B:G -7H[FB],FFE000H
FFCACF 9A29 JNE FFCAF9H
FFCAD1 96B6F701E0FF CMP.B:G -9H[FB],FFE001H
FFCAD7 9A21 JNE FFCAF9H
FFCAD9 96B6FB02E0FF CMP.B:G -5H[FB],FFE002H
FFCADF 9A19 JNE FFCAF9H
FFCAE1 96B6F603E0FF CMP.B:G -AH[FB],FFE003H
FFCAE7 9A11 JNE FFCAF9H
FFCAE9 96B6F804E0FF CMP.B:G -8H[FB],FFE004H
FFCAEF 9A09 JNE FFCAF9H
FFCAF1 96B6FA05E0FF CMP.B:G -6H[FB],FFE005H
FFCAF7 DA03 JEQ FFCAFBH


FFCAD0 96B6F900E0FF CMP.B:G -7H[FB],FFE000H
FFCAD6 9A29 JNE FFCB00H
FFCAD8 96B6F701E0FF CMP.B:G -9H[FB],FFE001H
FFCADE 9A21 JNE FFCB00H
FFCAE0 96B6FB02E0FF CMP.B:G -5H[FB],FFE002H
FFCAE6 9A19 JNE FFCB00H
FFCAE8 96B6F603E0FF CMP.B:G -AH[FB],FFE003H
FFCAEE 9A11 JNE FFCB00H
FFCAF0 96B6F804E0FF CMP.B:G -8H[FB],FFE004H
FFCAF6 9A09 JNE FFCB00H
FFCAF8 96B6FA05E0FF CMP.B:G -6H[FB],FFE005H
FFCAFE DA03 JEQ FFCB02H

As you see, it is all identical, besides the addresses. So I'm wondering if that gives that crack/no crack difference? Maybe because the code resides in flash, the CPU has to select the proper flash page and read it all into instructions decoder pipeline. And the execution latency of all simple instructions from that page are too close to be detected over CAN?

So, say, the page is 16 bytes. In the first case, bytes with the MCU code related to comparing PIN bytes in positions 0 and 1 are on different flash pages. Byte 3 is on the same page like 2, and it detects somewhat harder than byte 2.

In the second case, bytes 0 and 1 are in the same page. Byte 0 always detects, byte 1 never detects. Byte 2 is on the next page and had to be fetched, with higher latency.

What do you think, guys?

Maybe we need to crack two bytes combo at a time, or even be more creative and account for all possible code alignments.

[mikeak2001]

It seems there are a lot of counterfeight transceivers on the marked, 5V ICs which are sold as 3,3V ICs, they can only receive but not send by this voltage. If you use resistors (something around 2k) to pull up the rx line to 3,3V sending starts to work in some cases. I also had this fault in first tries, i even bought mcps and VP230 from big US distributor resoldered them and trouble was gone...

Thanks T5Luke,
Ordered new chips from RSonline last night. They got delivered today. Soldered in place now and I can now send and receive.
Pretty annoying when the counterfeit ones were more expensive (on ebay) than the genuine ones I just purchased.

Lessons learnt from the experience though.

[RickHaleParker]

The CEM H are just the CEMs for the XC90, they have a minimal hardware difference but no real software difference between the CEMs of the other cars.

The CEM-H is the K-line CEM used in all P2 cars from 1999 to 2004. CEM-H has a Motorola MC68386. It is called a CEM-H because it is physically shaped like a H. The CEM-L has a Renesas M32C and is physically shaped like a L.

[vtl]

FFCAC9 96B6F900E0FF CMP.B:G -7H[FB],FFE000H
FFCACF 9A29 JNE FFCAF9H
FFCAD1 96B6F701E0FF CMP.B:G -9H[FB],FFE001H
FFCAD7 9A21 JNE FFCAF9H
FFCAD9 96B6FB02E0FF CMP.B:G -5H[FB],FFE002H
FFCADF 9A19 JNE FFCAF9H

Well, actually every advance in pin position would require crossing the flash page boundary and fetching another one, which is even better. All in presumption that the theory with flash pages is right...

[T5Luke]

The CEM H are just the CEMs for the XC90, they have a minimal hardware difference but no real software difference between the CEMs of the other cars.

The CEM-H is the K-line CEM used in all P2 cars from 1999 to 2004. CEM-H has a Motorola MC68386. It is called a CEM-H because it is physically shaped like a H. The CEM-L has a Renesas M32C and is physically shaped like a L.

Ok, then tell me what is this?
https://www.ebay.com/itm/Volvo-XC90-CE ... SwPJFgcVJI

The XC90 have some extra ICs on the CEM and it is called CEM-H then

[MaxDenisov]

Today I was able to add a brand new remote(part of key) into my XC90 car using the found PIN and Vdash.
Half way passed - I can use the remote for lock and unlock the car now.
I still use a funny Thermapack bag to store my immo key and frozen berries during the day to be able to start the engine using broken immo(my key with ID48 works in low temp only)

I Hope soon I will find a way to add a new Immo key(blade with megamos ID48) into my car.

[RickHaleParker]

Ok, then tell me what is this?
https://www.ebay.com/itm/Volvo-XC90-CE ... SwPJFgcVJI

It is a CEM-L.
If you consider a eBay vendor with a super low 88.9% Positive feedback as good source of facts ... You are beyond help.


CEM-H P2 1999 - 2004.


CEM-L P2 2005 - 2014.