Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
WhizzMan
Posts: 33
Joined: 21 February 2021
Year and Model: 2001 XC70
Location: Göteborg
Has thanked: 8 times
Been thanked: 2 times

Re: Vida CEM swapping

Post by WhizzMan »

As long as no solution has been found for < 2005 CEM-B, maybe someone could put in a fallback brute force algorithm? At least there would be some way for us to get our pin code.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 603 times

Post by vtl »

For 250 KBaud CAN bus the direct attack on 6 bytes would take up to 42 years.

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

WhizzMan wrote: 15 Aug 2021, 04:01
As long as no solution has been found for < 2005 CEM-B, maybe someone could put in a fall back brute force algorithm? At least there would be some way for us to get our pin code.
100E6 = 1E12 possible pins.
1E12 / 750 pins per second = 1,333,333,333.333 seconds.
1,333,333,333.333 seconds / 60 = 22,222,222.222 minutes.
22,222,222.222 minutes / 60 = 370,370.370 hours.
370,370.370 hours / 168 = 2,204.586 weeks.
2,204.586 weeks / 52 = 42.396 years.
If you lose power you will need to start over again.


Time to brute force at 750 pins per second by number of bytes.

Bytes   Keyspace / rate      Time
1       100E1 / 750          0.133 s
2       100E2 / 750          13.333 s
3       100E3 / 750          1,333.333 s
4       100E4 / 750          133,333.333 s
5       100E5 / 750          13,333,333.333 s
6       100E6 / 750          1,333,333,333.333 s

The cracker figures the first three bytes by analyzing the response behavior. It is analogous to playing Poker with an MCU. You deduce what "cards" it is holding by observing superficial behavior characteristics. With three known bytes, brute force time is reduced to the time for 3 bytes.
Last edited by RickHaleParker on 15 Aug 2021, 13:29, edited 3 times in total.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.

mikeak2001
Posts: 29
Joined: 30 March 2021
Year and Model: S70 1998 T5
Location: Wales
Has thanked: 3 times
Been thanked: 28 times

Post by mikeak2001 »

File reverse engineering

Hi everyone, wondering if anyone can help.
I am having major trouble trying to crack the pin on the p1 cem that I have.

I have checked, double checked and triple checked my pcb. I have analyzed it many times with picoscope etc. I have full comms on the bench, reads the part number, calculates an average latency of 66us, it goes through all the motions but then fails at the end.

I have tried everything from latency only to both latency and std, I have tried everything from 10 samples all the way to 100 samples.

Has anyone used Ghidra to reverse engineer the 9s12 files? I have reversed x86 in the past but never dealt with page files. This is throwing me off. A pointer would be awesome so that I can push my own learning experience. If I can get the pincode then I can try and send that code. If it still doesn't work then I know it's my setup.

I have uploaded the binary files that I read off the cem with Xprog.
If anyone could flash a p1 cem and try to crack this file it would then confirm that it's my setup.
This thread has provided locations of the pin code however my files do not match up. I do know the files to be correct though because they have been flashed to a vehicle needing a second hand cem.

C30CemFiles.rar

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

mikeak2001 wrote: 15 Aug 2021, 13:14
I have uploaded the binary files that I read off the cem with Xprog.
If anyone could flash a p1 cem and try to crack this file it would then confirm that it's my setup.
Go to page 12. Sirloins shows where the PIN is located in a P1 bin file.

mikeak2001
Posts: 29
Joined: 30 March 2021
Year and Model: S70 1998 T5
Location: Wales
Has thanked: 3 times
Been thanked: 28 times

Post by mikeak2001 »

RickHaleParker wrote: 15 Aug 2021, 14:16
Go to page 12. Sirloins shows where the PIN is located in a P1 bin file.
Thanks for the pointer, I saw this but it doesn't seem to apply to my file.
This is what I have at location FBEF8.

(image attachment from the post)

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

mikeak2001 wrote: 15 Aug 2021, 14:44
Thanks for the pointer, I saw this but it doesn't seem to apply to my file.
This is what I have at location FBEF8.

Can't be right. The bytes are 8-bit BCD. The byte range is 00 - 99. What is at FBEF8 in the other files?

mikeak2001
Posts: 29
Joined: 30 March 2021
Year and Model: S70 1998 T5
Location: Wales
Has thanked: 3 times
Been thanked: 28 times

Post by mikeak2001 »

RickHaleParker wrote: 15 Aug 2021, 14:58
mikeak2001 wrote: 15 Aug 2021, 14:44
Thanks for the pointer, I saw this but it doesn't seem to apply to my file.
This is what I have at location FBEF8.

Can't be right. The bytes are 8-bit BCD. The byte range is 00 - 99. What is at FBEF8 in the other files?
Just been doing some analysis.

I have early files up to 2009.
I also have files from 2010 on.
This is a file from 2009:

(image attachment from the post)

Can anyone else please check files from 2010 on in a p1? It appears to me the pin code is not in that position in the 2010 on files. I can't crack any of the files from 2010 on.

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

mikeak2001 wrote: 15 Aug 2021, 15:31
Can anyone else please check files from 2010 on in a p1? It appears to me the pin code is not in that position in the 2010 on files. I can't crack any of the files from 2010 on.

I have a vague memory of somebody saying the later P1s have a different transposition order (shuffle order) for encrypting the PIN. That could be why 2010- is not cracking.

I think some of the P1s have no transposition order for encrypting the PIN (0,1,2,3,4,5 = 0,1,2,3,4,5).

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 603 times

Post by vtl »

mikeak2001 wrote: 15 Aug 2021, 15:31
Can anyone else please check files from 2010 on in a p1? It appears to me the pin code is not in that position in the 2010 on files. I can't crack any of the files from 2010 on.

Any of these BCD sequences look like a pin?

$ gcc -o pin pin.c && ./pin 1M84E\ Secured\ Flash.bin 2 | egrep -a " fb[0-9a-f]+"
offset fb000: 48 50 41 50 47 34 : HPAPG4
offset fb10c: 48 49 48 41 00 00 : HIHA
offset fb120: 36 01 00 01 00 50 : 6P
offset fb9a4: 23 01 20 03 18 69 : # i
offset fbe64: 32 35 34 37 35 30 : 254750
offset fbe68: 35 30 20 41 44 00 : 50 AD
offset fbeb4: 31 25 47 49 00 00 : 1%GI
offset fbeb8: 00 00 09 39 30 85 : 	90�
offset fbebc: 30 85 00 31 25 47 : 0�1%G
The full dump is rather long, but you may want to look at it if none of the above sequences are your pin.