Vida CEM swapping

mikeak2001 · Post by **mikeak2001** » 07 Sep 2021, 11:47

vtl wrote: ↑07 Sep 2021, 08:24 Anyone with uncrackable P1 is willing to share his CEM flash files? I may have some time to disassemble it and find the pin compare routine.

Try this one.

https://mega.nz/file/mXwCESyL#vN2Q6POKI ... YEiTxFnq68

or this one.

https://mega.nz/file/ub5ylAZT#13rLJlIFz ... K_a9Th0HUs

Both on my Mega account.

Post by **vtl** » 08 Sep 2021, 05:15

mikeak2001 wrote: ↑07 Sep 2021, 11:47 Try this one.

https://mega.nz/file/mXwCESyL#vN2Q6POKI ... YEiTxFnq68

or this one.

https://mega.nz/file/ub5ylAZT#13rLJlIFz ... K_a9Th0HUs

Both on my Mega account.

Thanks! I also found another set of files on Swedespeed, their layout is different.

Post by **vtl** » 08 Sep 2021, 09:24

mikeak2001 wrote: ↑07 Sep 2021, 11:47 Try this one.

I did a blind grep session on the disassembled code and I think I found the routine. It looks a bit strange.

CEM compares if the PIN stored in its flash is all zeroes or the last byte is 0xff and jumps over/skips the XOR sequence. Otherwise it does the flash bytes XOR trickery before going to the compare part with what was sent over OBD. The pin in flash is probably "encrypted"?

If my guess is right, the cracker's pin order for this dump would be: 2, 4, 5, 0, 3, 1. Wanna give it a try?

Btw, I discovered https://onlinedisassembler.com, it supports TON of different CPU architectures, including MC9S12, and it's free! Highly recommend

Post by **vtl** » 08 Sep 2021, 10:25

For the P1 CEM dumps found on SwedeSpeed:

No XOR obfuscation, the order is 5 2 1 4 0 3, which we already know.

Using a slightly modified dis12 disassembler this time. It works fine and saves time clicking like mad on ODA's web site.

mikeak2001 · Post by **mikeak2001** » 08 Sep 2021, 12:37

vtl wrote: ↑08 Sep 2021, 09:24
mikeak2001 wrote: ↑07 Sep 2021, 11:47 Try this one.
I did a blind grep session on the disassembled code and I think I found the routine. It looks a bit strange.

Very interesting, So there is definitely different methods that Volvo used to store/access the pin. This now add's a little complexity to the project due to fact in my situation, if i need to crack different years I will need to keep changing the file on the teensy.

I have two p1 cem's. one from 2011'ish and one from 2007. Both report the same part number so there is a chance that if a vehicle has had dealer software updates the pin order may get changed. hmmm....

Will definitely take a look at the website.
Really want to get into this reversing business but don't know how to deal with the page files.

swinokur · Post by **swinokur** » 08 Sep 2021, 12:43

And I'm not sure that it is relevant, but I had my car in the shop for the "I just bought a used car should I keep it" inspection, and one of the things that they did was a software update.

If someone can let me know the 'right way' to pull all the software version numbers I'm happy to report them here. (I have 2014d, and vdash and a dice unit...)

mikeak2001 wrote: ↑08 Sep 2021, 12:37
vtl wrote: ↑08 Sep 2021, 09:24
mikeak2001 wrote: ↑07 Sep 2021, 11:47 Try this one.
I did a blind grep session on the disassembled code and I think I found the routine. It looks a bit strange.
Very interesting, So there is definitely different methods that Volvo used to store/access the pin. This now add's a little complexity to the project due to fact in my situation, if i need to crack different years I will need to keep changing the file on the teensy.

I have two p1 cem's. one from 2011'ish and one from 2007. Both report the same part number so there is a chance that if a vehicle has had dealer software updates the pin order may get changed. hmmm....

Will definitely take a look at the website.
Really want to get into this reversing business but don't know how to deal with the page files.

Post by **vtl** » 08 Sep 2021, 12:43

mikeak2001 wrote: ↑08 Sep 2021, 12:37 Very interesting, So there is definitely different methods that Volvo used to store/access the pin. This now add's a little complexity to the project due to fact in my situation, if i need to crack different years I will need to keep changing the file on the teensy.

Shouldn't be needed. Add another shuffle order: https://github.com/vtl/volvo-cem-cracke ... er.ino#L62 and update last column for appropriate CEMs: https://github.com/vtl/volvo-cem-cracke ... er.ino#L72 The cracker will read the P/N and use the appropriate shuffle order automatically.

Post by **vtl** » 08 Sep 2021, 12:47

mikeak2001 wrote: ↑08 Sep 2021, 12:37 I have two p1 cem's. one from 2011'ish and one from 2007. Both report the same part number so there is a chance that if a vehicle has had dealer software updates the pin order may get changed. hmmm....

Yeah, we need to read software version as well, not only part number. Somewhere back in this thread I think I found the CAN message to read the sw number.

Post by **vtl** » 08 Sep 2021, 12:58

swinokur wrote: ↑08 Sep 2021, 12:43 And I'm not sure that it is relevant, but I had my car in the shop for the "I just bought a used car should I keep it" inspection, and one of the things that they did was a software update.

If someone can let me know the 'right way' to pull all the software version numbers I'm happy to report them here. (I have 2014d, and vdash and a dice unit...)

VIDA shows all the hw/sw versions in the Diagnostic tab.

swinokur · Post by **swinokur** » 08 Sep 2021, 13:10

Ah great -- attached is the cached information from the other day when I had vida hooked up. (mine is the only car that this install of vida has ever seen, so I think it should be right?) The part number reported matches the part number that the cem-cracker reports.

vtl wrote: ↑08 Sep 2021, 12:58 VIDA shows all the hw/sw versions in the Diagnostic tab.

Vida CEM swapping

Re: Vida CEM swapping