Vida CEM swapping

Post by **RickHaleParker** » 01 May 2021, 11:52

vtl wrote: ↑01 May 2021, 11:20 CAN sniffer, that's it? Only a few lines of Arduino code...

A DHA database would be good for .... ?

5ft24 · Post by **5ft24** » 01 May 2021, 12:19

I'm stupid and missed it... it's in the RAR file quite a few of them. just not in the DHA program directory where I was looking. That will teach me not to play with software after an 18 hour day with 4 hours sleep the night before...

Post by **RickHaleParker** » 01 May 2021, 12:31

5ft24 wrote: ↑01 May 2021, 12:19 I'm stupid and missed it... it's in the RAR file quite a few of them. just not in the DHA program directory where I was looking. That will teach me not to play with software after an 18 hour day with 4 hours sleep the night before...

And to think some people believe you need chemicals to get in a altered state. Some of us can get stupid naturally.

Are there any CEM databases in there?

5ft24 · Post by **5ft24** » 01 May 2021, 12:45

quite a bit of stuff! Here is the car config sequence file:

50 B9 FB;P2006 (D2):0620 TO1/CEM/Read Data Block By Offset/Vehicle Information Section/
50 B9 FC;P2006 (D2):0620 TO1/CEM/Read Data Block By Offset/FC - Vehicle Configuration Parameters/

each module has a sequence file with all the info and comments as to what it does.

TCM sequence file:

6E B9 F2 ;TCM Software Version
6E B9 F0 ;TCM part number and Diagnostic SW number
6E B9 F5 ;TCM SW part number and their start adresses, Can and Flash information
6E B9 F8 ;TCM Hardware Serial number
6E AE 11 ;TCM Read Diagnostic Trouble Codes
6E AE 1B ;TCM Read Trouble Codes with Counters #3...#8
6E AC 10 00 00 ;TCM Read Freeze Frame Information
6E AE 1A ;TCM All Implemented 2 byte DTCs
6E AE 17 01 ;TCM Read Status Identifier #1
6E AE 17 02 ;TCM Read Status Identifier #2
6E AE 17 03 ;TCM Read Status Identifier #3
6E AE 17 04 ;TCM Read Status Identifier #4
6E AE 17 08 ;TCM Read Status Identifier #8
6E A5 03 01 ;Egrpm EgrpmQF TCMText
6E A5 0C 01 ;OT Oiltemp
6E A5 12 01 ;QuickshiftMode WinterMode TCMDiagnosticInfo
6E A5 16 01 ;ECMIgnitionOn EngineRunning EngineTemp EngineTempQF
6E A5 17 01 ;EgTorqueQF IgnitionKeyPos IgnitionKeyPosQF
6E A5 40 01 ;MIL IND LastDetect nDetections
6E A5 A6 01 ;Expected Checksum
6E A5 A7 01 ;Calculated Checksum
6E A5 80 01 ;General Data

5ft24 · Post by **5ft24** » 01 May 2021, 12:50

going into advanced mode, selecting the proper module (CEM included) you pull up a tree of supported functions. for CEM, security access is one... when you select it, you get a popup to enter the PIN... it will stay unlocked until it power cycles or you select "relock CEM"

5ft24 · Post by **5ft24** » 01 May 2021, 12:52

It supports DICE, VC2000 and LAPCAN interfaces

Post by **RickHaleParker** » 01 May 2021, 12:53

vtl wrote: ↑29 Apr 2021, 04:59What is dha?

GGD-DHA ( Generic Global Diagnostic - Diagnostic Host Application ) .

"GGD DHA is a system used when developing systems in cars. This program contains all
variables that are transferred within the car. It can access all variables and commands allowing
reading and/or writing to these variables. It is also possible to read DTCs, part numbers,
upload new software to the different modules etc. This system is useful when testing new
systems since in VIDA you do not have access to all variables, which you have in GGD DHA,
but in GGD DHA you do not get access to the technical description of how you replace parts,
troubleshooting etc. However, in GGD DHA it is possible to create automatic sequences that
read or write to the variables making it unnecessary to be at the computer all the time. When
writing to a variable, it is possible to set the sensor values to the required values making it
possible to simulate different conditions in a car even if the conditions have not occurred."

Investigation of technical and communicational problems with the remote key for Volvo cars problems with the remote key for Volvo cars.

Master of Science Thesis in the Master Degree Programme
Communication Engineering
PER OLSSON
Department of Signals and Systems
Division of Communication Systems, Information Theory and Antennas
CHALMERS UNIVERSITY OF TECHNOLOGY
Göteborg, Sweden, 2013
Report No. EX012/2013

Post by **RickHaleParker** » 02 May 2021, 08:20

Has anybody deciphered the DHA database file naming format?

"Diagnostic protocols

In VIDA, the vehicle communication methods differ depending on what diagnostic protocol a vehicle model is using. Also, the diagnostic protocols provide different possibilities in terms of how the vehicle model can be diagnosed in VIDA. Because of this, the approach to diagnosis under the Diagnostics tab is slightly different, depending on what protocol the diagnosed vehicle is using.

The vehicle models handled in VIDA are divided into the following two main groups, based on diagnostic protocols:
VDS protocol-based vehicle models (used in all vehicles on the new electrical platform, starting with XC90 model year 2016).
D2 and GGD protocol-based vehicle models (used by all vehicles on all other existing platforms). "

Post by **vtl** » 02 May 2021, 19:50

Previously uncrackable CEM:

Code: Select all

CPU Maximum Frequency:   600000000
CPU Frequency:           600000000
Execution Rate:          600 cycles/us
PIN bytes to measure:    3
Number of samples:       30
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
Can't find part number on CAN-LS, trying CAN-HS at 500 Kbps
CAN high-speed init done.
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
Part Number: 31394158
Searching P/N 31394158 in 49 known CEMs
CAN HS baud rate: 500000
PIN shuffle order: 3 1 5 0 2 4
Putting all ECUs on CAN_HS into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Initialization done.

Calculating bytes 0-2
1000 pins in 640 ms, 1562 pins/s, average response: 87 us, histogram 43 to 130 us 
                   us:    79    80    81    82    83    84    85    86    87    88    89    90    91    92    93    94    95    96    97    98 
[ 00 -- -- -- -- -- ]:     0     0     0     0     0     0     0  1354     0  1389     0   257     0     0     0     0     0     0     0     0 : latency     132806; std 411.02
[ 01 -- -- -- -- -- ]:     0     0     0     0     0     0     0  1382     0  1297     0   318     0     0     0     0     0     0     0     0 : latency     132737; std 402.75
...
[ 98 -- -- -- -- -- ]:     0     0     0     0     0     0     0  1087     0  1422     0   491     0     0     0     0     0     0     0     0 : latency     133808; std 386.96
[ 99 -- -- -- -- -- ]:     0     0     0     0     0     0     0  1062     0  1384     0   554     0     0     0     0     0     0     0     0 : latency     133984; std 380.80
best candidates ordered by latency:
0: 61 lat = 134948
1: 59 lat = 134076
2: 94 lat = 134074
3: 84 lat = 134072
4: 75 lat = 134068

best candidates ordered by std:
0: 00 std = 411.02
1: 30 std = 409.90
2: 10 std = 408.72
3: 20 std = 404.51
4: 01 std = 402.75

lat_k 0.65%, std_k 0.27%
pin[0] choose candidate: 61 based on latency
                   us:    79    80    81    82    83    84    85    86    87    88    89    90    91    92    93    94    95    96    97    98 
[ 61 00 -- -- -- -- ]:     0     0     0     0     0     0     0   746     0  1412     0   839     0     0     0     0     0     0     0     0 : latency     135051; std 374.51
[ 61 01 -- -- -- -- ]:     0     0     0     0     0     0     0   783     0  1349     0   868     0     0     0     0     0     0     0     0 : latency     135170; std 369.89
...
[ 61 98 -- -- -- -- ]:     0     0     0     0     0     0     0   748     0  1331     0   921     0     0     0     0     0     0     0     0 : latency     135346; std 369.41
[ 61 99 -- -- -- -- ]:     0     0     0     0     0     0     0   893     0  1308     0   799     0     0     0     0     0     0     0     0 : latency     134812; std 367.20
best candidates ordered by latency:
0: 28 lat = 135466
1: 08 lat = 135450
2: 10 lat = 135436
3: 58 lat = 135394
4: 98 lat = 135346

best candidates ordered by std:
0: 45 std = 379.09
1: 00 std = 374.51
2: 04 std = 370.43
3: 47 std = 370.37
4: 78 std = 370.25

lat_k 0.01%, std_k 1.22%
pin[1] choose candidate: 45 based on std
                   us:    79    80    81    82    83    84    85    86    87    88    89    90    91    92    93    94    95    96    97    98 
[ 61 45 00 -- -- -- ]:     0     0     0     0     0     0     0   647     0  1340     0  1010     0     0     0     0     0     0     0     0 : latency     135591; std 373.18
[ 61 45 01 -- -- -- ]:     0     0     0     0     0     0     0   815     0  1403     0   782     0     0     0     0     0     0     0     0 : latency     134934; std 373.78
...
[ 61 45 98 -- -- -- ]:     0     0     0     0     0     0     0   765     0  1490     0   745     0     0     0     0     0     0     0     0 : latency     134960; std 381.47
[ 61 45 99 -- -- -- ]:     0     0     0     0     0     0     0   825     0  1427     0   748     0     0     0     0     0     0     0     0 : latency     134846; std 375.93
best candidates ordered by latency:
0: 00 lat = 135591
1: 83 lat = 135092
2: 95 lat = 135079
3: 94 lat = 135070
4: 53 lat = 135058

best candidates ordered by std:
0: 98 std = 381.47
1: 35 std = 382.08
2: 70 std = 382.87
3: 15 std = 380.36
4: 54 std = 380.69

lat_k 0.37%, std_k -0.16%
pin[2] choose candidate: 00 based on latency
Candidate PIN 0x61 0x45 0x00 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 640 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..45%..50%..55%..60%..done

found PIN: 0x89 0x45 0x43 0x61 0x62 0x00
PIN is cracked in 981.30 seconds
Validating PIN
PIN verified.
done
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

The code is in the "rework" branch. Please test and give your feedback along with the logs, good or bad.

Post by **RickHaleParker** » 02 May 2021, 23:19

vtl wrote: ↑02 May 2021, 19:50 The code is in the "rework" branch. Please test and give your feedback along with the logs, good or bad.

Got the rework loaded on mine. Will run it in both of my P2s tomorrow. With the Main, one is crackable the other is not. Will post all four logs for comparison.

Vida CEM swapping

Re: Vida CEM swapping