Vida CEM swapping

[vtl]

The order is: 5, 2, 1, 4, 0, 3

Will fix with termination better. Right know it was easy to just remove Front2 connector.
I just put my pincode in the correct order as "validatetest" in the end and forced "pincracked" to always be true. I think that way it tests that pincode instead of the wrong one it finds. Its saying its validated. If i change to something else it says not validated. Think it works doing like that. Its not nice but works.

Pack the Arduino sketches you are using in a zip file and attach it. So the coders can see the code you are using.

Ohh, I forgot about that... Do we know when the cut off happened? I.e. which P1 CEMs have this shuffle order? With the new software it is pretty easy to define a new order and associate CEM P/N with it: https://github.com/vtl/volvo-cem-cracke ... er.ino#L69

[RickHaleParker]

Perhaps some profiler software to collect data on CEM that have already been cracked.
User enters correct CEM PIN.
Collect CEM part number.
Collect minimum samples for each byte. ( Start off with samples = 1 then work up until detection is reliable ).
Collect shuffle or no shuffle on P1.
Output to a report that can be added to a database.

Client side software that grabs the report and up loads it to a database would be nice.

Anybody know how to get the CEM to spat out the CEM software id?

[mikeak2001]

Perhaps some profiler software to collect data on CEM that have already been cracked.
User enters correct CEM PIN.
Collect CEM part number.
Collect minimum samples for each byte. ( Start off with samples = 1 then work up until detection is reliable ).
Collect shuffle or no shuffle on P1.
Output to a report that can be added to a database.

Client side software that grabs the report and up loads it to a database would be nice.

Anybody know how to get the CEM to spat out the CEM software id?

CEM software ID can be accessed using 50 B9 F5 can command as apposed to hardware part number command of 50 B9 F0.



I'm having trouble where I have flash and eeprom from two known good P1 CEM's and the pin code is not in the location of FBEF8 as some are suggesting.
I am wondering if there is a difference in the CEM flash between the different versions of P1 CEM's. From cloning bad ones for customers there is an early version PCB and a newer version PCB. Denoted by the solder pads that we use to read/write.

If anyone would like to help me reverse the firmware I have please inbox me, always been interested in reverse engineering so now is a good excuse to learn. I am using Ghidra.

[RickHaleParker]

CEM software ID can be accessed using 50 B9 F5 can command as apposed to hardware part number command of 50 B9 F0.

I did not think to look in DHA.

Looks like XX B9 F5 will work on any Control module where XX = the address id. Data type and format???

I almost have a DHA database built for the 2005 P2 XC90 but cannot get the CAN-LS ( ID 40 ) to respond.
Start off with the S80 database ( P26 ). From a electrical point of view the XC90 and S80 are the same network.

This does not work on the 2005 XC90.

[Alucard666]

Hello all! Is it possible to find out pin code with volvo-cem-cracker on s60 P2 2001 year through ODB connector? And can I get married used CCM with ECM?

[RickHaleParker]

Hello all! Is it possible to find out pin code with volvo-cem-cracker on s60 P2 2001 year through ODB connector?

Not yet if ever. 2001 would be a CEM-B ( K-line ).

[scaro]

Ohh, I forgot about that... Do we know when the cut off happened? I.e. which P1 CEMs have this shuffle order? With the new software it is pretty easy to define a new order and associate CEM P/N with it: https://github.com/vtl/volvo-cem-cracke ... er.ino#L69

I have no clue, got a couple of cems laying and i can get more rather easy. Its a bit more difficult than usual because of Covid, scrapyards is closed nearby. The one i test on right now is 8690720. Added 5, 2, 1, 4, 0, 3 to "shuffleorders" and put 2 behind that cem to make it use that but dont find pin anyway.

I'm having trouble where I have flash and eeprom from two known good P1 CEM's and the pin code is not in the location of FBEF8 as some are suggesting.
I am wondering if there is a difference in the CEM flash between the different versions of P1 CEM's. From cloning bad ones for customers there is an early version PCB and a newer version PCB. Denoted by the solder pads that we use to read/write.

If anyone would like to help me reverse the firmware I have please inbox me, always been interested in reverse engineering so now is a good excuse to learn. I am using Ghidra.

It could be that the locations isnt FBEF8 because of i and maybee others have read it with X-prog? Test 3FEF8 instead? Yes its a couple of differences on pcb, Think i have seen 3 ? Cant tell for sure.

[scaro]

Hello all! Is it possible to find out pin code with volvo-cem-cracker on s60 P2 2001 year through ODB connector?

Not yet if ever. 2001 would be a CEM-B ( K-line ).

Heard it before and know this could maybee be written some where in the thread, but what is the main problem to crack the code on early P2? Is it not that type of bug on that MCU/soft? K.line only needs sending "keepalive" to get to the canbus, or from "inside canbus" instead?

[vtl]

Heard it before and know this could maybee be written some where in the thread, but what is the main problem to crack the code on early P2? Is it not that type of bug on that MCU/soft? K.line only needs sending "keepalive" to get to the canbus, or from "inside canbus" instead?

K-line is supported in the latest code. The CAN-bus on OBD is kept open, however the algo can't crack the pin. I don't know enough about early P2 CEMs to figure out why.

[blasaab]

Hi all i have done about 10 reads off my car. 3-4 Times i have got verified pin see photo is this correct?