Login Register

Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
Post Reply
bosse
Posts: 19
Joined: 15 January 2021
Year and Model: V50 -11
Location: Limmared
Has thanked: 8 times
Been thanked: 1 time

Re: Vida CEM swapping

Post by bosse »

P1 cem 30756015 Always find same candidate. 23 74 43 no matter what version i use.
But it's not getting the pin. So that one is tricky.
I'll se if i can find the time to open it up and read it.
Top
User avatar
RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

bosse wrote: 05 Aug 2021, 01:17 P1 cem 30756015 Always find same candidate. 23 74 43 no matter what version i use.
Have you tried switching from ( Latency only ) to ( Latency + Std )?
180 Mhz vs 600 Mhz ?
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Top
User avatar
RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

Wish list: Abort command which can be sent from the serial terminal. So when cracking in car and you know it is not going to crack. You can abort the crack and reset the CEM. Saving ten + minutes per attempt or the need to disconnect the battery cables in order to get the CEM out of program mode.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Top
User avatar
RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

alevol wrote: 05 Aug 2021, 01:13 Is there a way to disassemble the file or send it to somebody to disassemble it and check the PIN byte order?
VTL covered that on page 7. It is a simple plain text transposition cipher. At the least you can see what the six values are. Which could be used to generate a short list ( the 720 Permutations ) and use to determine the transposition order.

Permutations, nPr = 6!/(6 - 6)! = 720

There a side project for someone that can code. A Sketch that take the six pin bytes from a dump in the order they are found, generates a short list from the six bytes, then brute forces the short list to find the transposition order. If somebody does this, it could be added to the Master distribution. Say add subdirectories Tools\Transposition\TranspositionDecipher.ino

VTL and I see the transposition order a little different. VLT considers the order in the bin file to be encrypted and the order you send the pin to the CEM plain text. The way I see it is: You send messages encrypted, therefore the order in the bin file is plain text and the order sent to the CEM is encrypted. Upon receipt the CEM decrypts the message.

In VTL's example below I see it this way:

offset __ B0 B1 B2 B3 | B4 B5 XX XX |
0004E000| 53 38 03 21 │ 18 02 FF FF │

PIN = B3 B1 B4 B0 B5 B2
PIN is 21 38 18 53 02 03
vtl wrote: 01 Oct 2020, 11:20 So the PIN is located at address 0xFFE000. Flash starts at address 0xFB0000, so when you get the dump the PIN is at offset 0x4E000 in the file. The PIN byte sequence in dump is not linear.

For example, this is PIN from my dump:

offset __ B3 B1 B5 B0 | B2 B4 XX XX |
0004E000| 53 38 03 21 │ 18 02 FF FF │

PIN = B0 B1 B2 B3 B4 B5
PIN is 21 38 18 53 02 03

This way you don't have to rely on the windows software to dig out the PIN.
Last edited by RickHaleParker on 05 Aug 2021, 09:46, edited 5 times in total.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Top
gooroo
Posts: 9
Joined: 28 July 2021
Year and Model: XC70 2005
Location: Portsmouth

Post by gooroo »

I have the eeprom dumps already as I tried to fill the eeprom on the replacement CEM with FF and resoldered to the CEM in the hope that VIDA would think the CEM was new but no go....

So with IOTerminal and the eeprom dump do I need CEM cracker at all? Maybe I should be asking IOTerminal but as mentioned on their website the CEM R/W procedure is vague other than mentioning the pin codes will be needed.

Here is the dump from the original CEM 93c86 if any use to anyone?

Regards, Simon

Code: Select all

ffffffffffffffffffffffffffffffffffffffffffffffff73eecb7a0945c1dfc98436566b83650dffffffffffffffffffffffff784faa20cd5377b73de8ea2becaae6b13a4adf2cc9f031771a8cb7f1a13b2852e0bf817cff8707288ca7abc04059ae6dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff006845d9695c282389f5f4467c2b9636f793288124b7f17dcfd2ee1bd32ee57058920f5d3e1cf8fa398f8b500bcaf740616ed802620372ae97f261f254305ef0e4998f1c8440fbf6e8b6d6b1e66b36c4ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecc279f9d752aa8461849508e383ace3cd374b754b6522bae78ced47ae153781e0db80ed9895733e81055bc6a6f0144749063f0c3146206ef40db62ffb429b445e94e852e359781611e2fa6b39a5e6c46dc3e04087cb1eec0c074492d217e5e89a8e1777ffffffffffffffff0e1ce5134d34846b042826fd4abfd94793aa897c41d67a4ffb619059bde23d73d9fc60efd209f59e1a178a14085bf7cd97fa8e82672895144af577990654628c2dee2354356fe51ca831e45da2bb759bdd80f7486925c08beb792ab6f4d77fd1f15196da08fa1b115385c400f3fe8b9e2086a3e8de9bea415cbc1c0e16535c2548142b0609d2649082dda29bb84dcf623cc9c852403ba6dc4a9dbd383f4ce193123a4d319a2239fcc6fc2d7bbdb0561ba22751e9215d62903527167cccf86a41fd229996d56c183a46a9c5bf64f50fc063cddc15cc13a6e06ee6c7f0a0ec39cb032c22ebf732e9c11d2346417f53e9f714fc1693152138ea720b5905131b589cd30cc538e184ae02b26649d9f84457bb98c7f804d6d66dde0aaf31a99facfbc77a75d0b3644ac8a06e05bdaf67fa9bcc017667b5fd40ef6b1c52cc595b80397da798572efaa5d76d652e365930235d9dd6982354d474b797fb4bc63156a6e6b52e235643d457d23ffd396592860bb8731b1de3f88df6c873ea3186734e3455f1a32ac40edf46ff2695dc137fdb656e29aba206bb214acad378c3c608d5931a2a563769677fc8ec42683edb8b87c9f1c2d684ff2cc05f2ce934e1a7fc924f0b54269e00f6d7243dafff6220028209370aa389943ad3b54eda3bcc3f324750516fd3a210570e8185fe2e508b9393866c73daf1fc2690677629566cf2f38710c83d14aaa14185b64beb165f422f1c313f55d4cf40dec595844a703964c3fadc0fd68077a9bccd9b90dfe6d7e99ffbb625d9a6dde51f4d7097d2487c6582abaf16a61387d04c0f2f852a0ba8662f3e2e226bd25d37006d46e6648fa8c49326f310bba746ecfa278026f9812f9bd5b032afa8245df7592f5b9021f69102988bf14f14eff0a320af735d156c2074fa2c3db7a408706805777ab5dc44264ca00715f8c4717d6c34baea5b8243351fc613e8554c9c731f64366a7f60a01706f811cea5ec05e818bc890574c5f4fa4b5c48b18a766277530891dca71101aa2e33ffffffffffffffff29e8f7ce22998e3d5289ff450101c06b12069b10ff3710b3309ab36cffffffffffffffffffffffffffffffffffffffffffffffffd2bfb3fcc5d8cbbca6e87a83fb8021253f70b17ad41c3703b29cef484ce3b32f6c60e7496ece014d5b4bde69ce4e00e1f8624ed5fb1df3d65602aa4bd7245d058194fa14e0ecb308a17a26392b74e33013e6391d956183aae8d0277841bc6f6fd567b2953b0c84f1c419a7c06d570d621418fb890accd04d3264a8dfcf1c556af5deb391b30917ba6ed72833ff11513178c201dc8d7e85a6a43981d0f15e8456ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc0e4b368cba938672ba153afcd5a97f476eccd05316e51a35470d1fe5872721a9e81089583d862462b4e3036d09d78d3fe63025bb3e0eba59fad9ce889c15fa5138241e61607c327623d1287cbbbb44f5ac6960a576bca6c40ec3666af41a0aae73171b45a4b87b08a32a0d9672c5ef5f708a1bbafe6f491df9fa08d855ee91c1350968d30c1496bb14658deccb79b5d7e9e7940e5cbdf454a3da1a429b7b55c5668875f2827de8f36b374700d46bef0ffb038ba9cf78edc46bf1d3e73f00f16ce36732ff7e7c6a8ad5c46d4841b587adf7250f23279f45884b4f62077a5575986398721b9ca7b3e4ce4f819bcadb7f0f8868c8eb69b944ff63e1d423d0429e1ee78a15455cfdca6ecb38d708aaf0b247f54a7ce4c55db455f0d938ac0acd8d5337ec6421b86e6b05507094780b37104632db44df76f8812a8f07e91d48bf9436d0304f7ee7e2cb1abaaa1aded06dd875afcdacd51c6c702f0fd889d24821869db9cec4603c1c2720a041778222ad2e2417c0af6ecb3ccf5c93c01964ebbbb203248fda29c6198bc187ef1b5921f5e4eca544f1cb78dd7bacfc22569d0540a97f7a147141a1d0e526115733fa55cf37ea41de2fb34db9bc1ae08354740b360396af640a43d90b311d69a5bbd5b5113c58540b7bfd7de7cc65c2d55dbaa01e8cff101417242b89a257c
Top
alevol
Posts: 31
Joined: 4 August 2021
Year and Model: 2005 S60
Location: Finland
Has thanked: 6 times
Been thanked: 3 times

Post by alevol »

RickHaleParker wrote: 05 Aug 2021, 07:59
VTL covered that on page 7.
Thanks. Today got the same CEM cracked with Samples = 20. Maybe got bad wiring yesterday. So the byte order is correct.
Top
User avatar
RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

alevol wrote: 05 Aug 2021, 10:26 Maybe got bad wiring yesterday.
If it is Solderless breadboard, connections can get flakey. Also watch out for rails pushing out the bottom side if you don't have it bolted to a ridge board. I lost my first prototype when rails pushed out the bottom side and shorted.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Top
SelmaAdam
Posts: 1
Joined: 6 August 2021
Year and Model: 2014 XC90
Location: Finland

Post by SelmaAdam »

Total Auto Check worked for me.
Top
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

alevol wrote: 05 Aug 2021, 01:13 Hi. Got CEM-L 2007 with serial 700xxx. Tried samples from 40 to 100, tried LAT only and LAT+STD modes. No luck to crack it. Today will try to downclock the Teensy to 180MHz. I got the CEM on bench, so i can read the software with programmer.
Is there a way to disassemble the file or send it to somebody to disassemble it and check the PIN byte order?
Thanks
Byte order is the same, however the displacement/alignment of the pin compare routine in memory is different. I saw a 3 different displacements in various CEM-Ls. Can have a look if you email your dump.
Top
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

bosse wrote: 05 Aug 2021, 01:17 P1 cem 30756015 Always find same candidate. 23 74 43 no matter what version i use.
But it's not getting the pin. So that one is tricky.
I'll se if i can find the time to open it up and read it.
That really smells like the byte order in the pin is different.
Top
Post Reply
  • Similar Topics
    Replies
    Views
    Last post

Return to “XC90 1st gen 2003-2014”