Login Register

Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
Post Reply
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 604 times

Re: Vida CEM swapping

Post by vtl »

T5Luke wrote: 28 Apr 2021, 17:40 CB 50 B9 F7 would give you the serial number in normal operation mode, maybe it is enough.
Nope... Read B9 F6 too, out of curiosity.

What B9 opcode stands for?

Code: Select all

CAN_HS ---> ID=000ffffe data=cb 50 b9 f7 00 00 00 00
CAN_HS <--- ID=01000003 data=cc 50 7f b9 22 00 00 00

CAN_HS ---> ID=000ffffe data=cb 50 b9 f6 00 00 00 00
CAN_HS <--- ID=01000003 data=cc 50 7f b9 12 00 00 00
This is a brick-shaped CEM.
Top
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 604 times

Post by vtl »

B9 FB gets lot of data, VIN included. Found it in my old DiCE logs:

Code: Select all

02:42:50,578 0100 000004 PassThruWriteMsgs() msg[0].Data = [0x00, 0xf, 0xff, 0xfe, 0xcb, 0x50, 0xb9, 0xfb, 0x00, 0x00, 0x00, 0x00]
02:42:50,640 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x8f, 0x50, 0xf9, 0xfb, 0x57, 0x00, 0x30, 0x66]
02:42:50,640 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x09, 0x70, 0x28, 0x30, 0x30, 0x35, 0x0d, 0x0a]
02:42:50,640 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x0a, 0x59, 0x56, 0x31, 0x53, 0x5a, 0x35, 0x39]
02:42:50,656 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x0b, 0x32, 0x32, 0x35, 0x31, 0x31, 0x39, 0x38]
02:42:50,671 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x0c, 0x36, 0x32, 0x35, 0x0d, 0x0a, 0x32, 0x35]
02:42:50,687 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x0d, 0x31, 0x35, 0x36, 0x38, 0x39, 0x35, 0x32]
02:42:50,687 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x0e, 0x0d, 0x0a, 0x32, 0x39, 0x35, 0x0d, 0x0a]
02:42:50,703 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0xf, 0x31, 0x39, 0x38, 0x36, 0x32, 0x35, 0x0d]
02:42:50,718 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x08, 0x0a, 0x32, 0x31, 0x0d, 0x0a, 0x32, 0x30]
02:42:50,734 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x09, 0x30, 0x35, 0x31, 0x32, 0x0d, 0x0a, 0x30]
02:42:50,750 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x0a, 0x30, 0x30, 0x30, 0x34, 0x33, 0x33, 0x38]
02:42:50,765 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x0b, 0x36, 0x30, 0x34, 0x30, 0x38, 0x32, 0x32]
02:42:50,781 0100 000004 PassThruReadMsgs() msg[0].Data = [0x01, 0x20, 0x00, 0x03, 0x4f, 0x30, 0x36, 0x39, 0x33, 0x31, 0x0d, 0x0a]
Top
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 604 times

Post by vtl »

vtl wrote: 28 Apr 2021, 19:12 What B9 opcode stands for?
Service B9 == Read Data Block By Offset?
Top
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 604 times

Post by vtl »

The part number:

Code: Select all


CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS <--- ID=01000003 data=8f 50 f9 f0 00 08 68 85
CAN_HS <--- ID=01000003 data=09 13 20 20 41 30 65 70
CAN_HS <--- ID=01000003 data=4c 24 20 20 41 00 00 00
First byte in reply is a technical field, like rolling counter, start (0x80)/end(0x40 flag of the multipart message, etc. The P/N is:

08 68 85 13 == 8688513
Top
User avatar
RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

vtl wrote: 28 Apr 2021, 19:12
What B9 opcode stands for?

Code: Select all

CAN_HS ---> ID=000ffffe data=cb 50 b9 f7 00 00 00 00
CAN_HS <--- ID=01000003 data=cc 50 7f b9 22 00 00 00

CAN_HS ---> ID=000ffffe data=cb 50 b9 f6 00 00 00 00
CAN_HS <--- ID=01000003 data=cc 50 7f b9 12 00 00 00
This is a brick-shaped CEM.
From Olaf's blog.

A1 No Operation Performed (keep alive)
A3 Security Access Mode
A5 Read Current Data By Offset
A6 Read Current Data By Identifier
A7 Read Current Data By Address
A8 Set Data Transmission
A9 Stop Data Transmission
AA Dynamically Define Record
AB Read Freeze Frame Data By Offset
AC Read Freeze Frame
AD Read Freeze Frame By DTC
AE Read DTC
AF Clear DTC

B0 Input Output Control By Offset
B1 Input Output Control By Identifier
B2 Control Routine By Offset
B4 Define Read Write ECU data
B8 Write Data Block By Offset
B9 Read Data Block By Offset
BA Write Data Block By Address
BB Read Data Block By Address
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Top
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 604 times

Post by vtl »

RickHaleParker wrote: 28 Apr 2021, 20:57 From Olaf's blog.
Yeah, I could not remember where I saw that and had to fire up the VM w/ VIDA and find the description in MSSQL DB.

Unfortunately, B9 is served only on CAN-HS :( CB 40 B9 F0 does nothing on CAN-LS. Ah, stupid me, the reply comes from different ID. Need to sleep more.
Top
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 604 times

Post by vtl »

Cracking session with CEM type autodetected (no more ifdefs):

Code: Select all

CPU Maximum Frequency:   600000000
CPU Frequency:           600000000
Execution Rate:          600 cycles/us
PIN bytes to measure:    3
Number of samples:       30
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
Part Number: 8688513
Searching P/N 8688513 in 49 known CEMs
CAN HS baud rate: 250000
PIN shuffle order: 0 1 2 3 4 5
CAN high-speed init done.
Putting all ECUs on CAN_HS into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=50 88 00 00 00 00 00 00
CAN_HS <--- ID=00000003 data=50 8e 00 00 08 68 85 13
Part Number: 8688513
Initialization done.

Calculating bytes 0-2
1000 pins in 1356 ms, 737 pins/s, average response: 255 us, histogram 127 to 382 us 
                   us:   247   248   249   250   251   252   253   254   255   256   257   258   259   260   261   262   263   264   265   266 
[ 00 -- -- -- -- -- ]:     0  1051     0     0     0     0     0     0     0   430     0     0     0     0     0     0     0  1518     0     0 :     390607; best 00 is less than 00 by 390607
[ 01 -- -- -- -- -- ]:     0  1756     0     0     0     0     0     0     0   448     0     0     0     0     0     0     0   796     0     0 :     379320; best 00 is greater than 01 by 11287
[ 02 -- -- -- -- -- ]:     0  1700     0     0     0     0     0     0     0   462     0     0     0     0     0     0     0   836     0     0 :     379830; best 00 is greater than 02 by 10777
I pushed the WIP changes into branch "rework" if anybody is interested. It has no ifdefs, no MCP2515 support, no Teensy 3.x support.
Top
bosse
Posts: 19
Joined: 15 January 2021
Year and Model: V50 -11
Location: Limmared
Has thanked: 8 times
Been thanked: 1 time

Post by bosse »

In dha there is all comands and can adresses.
But i guess you all have it already.
Top
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 604 times

Post by vtl »

What is dha?
Top
lukas743
Posts: 2
Joined: 7 November 2019
Year and Model: S60 2002
Location: Polska
Has thanked: 1 time

Post by lukas743 »

vtl wrote: 29 Apr 2021, 04:59What is dha?
It is mini version of VIDA :) with visible CAN Bus frames.

Last post has download link:
Top
Post Reply
  • Similar Topics
    Replies
    Views
    Last post

Return to “XC90 1st gen 2003-2014”