Vida CEM swapping

Post by **RickHaleParker** » 08 Sep 2021, 13:20

vtl wrote: ↑08 Sep 2021, 12:47 Yeah, we need to read software version as well, not only part number. Somewhere back in this thread I think I found the CAN message to read the sw number.

mikeak2001 found it in DHA .. 50 B9 F5. Just change F0 to F5 in the hardware ID request and you got it.

The post is on page 83.

Post by **vtl** » 08 Sep 2021, 13:33

RickHaleParker wrote: ↑08 Sep 2021, 13:20 mikeak2001 found it in DHA .. 50 B9 F5. Just change F0 to F5 in the hardware ID request and you got it.

The post is on page 83.

Also page 69 when I first got the block by trial with the version numbers.

mikeak2001 · Post by **mikeak2001** » 08 Sep 2021, 13:48

vtl wrote: ↑08 Sep 2021, 09:24
mikeak2001 wrote: ↑07 Sep 2021, 11:47 Try this one.

If my guess is right, the cracker's pin order for this dump would be: 2, 4, 5, 0, 3, 1. Wanna give it a try?

Spot on, modified one of the shuffle orders. linked the part number in the cem params struct.
Below is the result with 3 bytes and 30 samples.

Post by **vtl** » 08 Sep 2021, 14:04

mikeak2001 wrote: ↑08 Sep 2021, 13:48 Spot on, modified one of the shuffle orders. linked the part number in the cem params struct.

Submit a pull request

swinokur · Post by **swinokur** » 08 Sep 2021, 15:25

Y'all are just awesome!

Code: Select all

CPU Maximum Frequency:   600000000
CPU Frequency:           600000000
Execution Rate:          600 cycles/us
PIN bytes to measure:    3
Number of samples:       30
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
Part Number: 31327215
Searching P/N 31327215 in 49 known CEMs
CAN HS baud rate: 500000
PIN shuffle order: 2 4 5 0 3 1
CAN high-speed init done.
Putting all ECUs into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=50 88 00 00 00 00 00 00
CAN_HS <--- ID=00000003 data=50 8e 00 00 31 32 72 15
Part Number: 31327215
Initialization done.
[...]
Candidate PIN 51 95 28 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 617 seconds
Progress: 0%..5%..10%..done

found PIN: 37 12 51 23 95 28
PIN is cracked in 636.58 seconds
Validating PIN
PIN verified.
done
Resetting all ECUs.

gooroo · Post by **gooroo** » 10 Sep 2021, 03:09

Can someone confirm that with the following R0E00008AKCE00 Renesas programmer that I can indeed read and write the flash of the M32C MCU on the 'L' shaped CEM from a 2005 XC70?

If the answer is yes, would I use the connections shown in the picture below even though this is for a Lonsdor programmer?

Do I have to remove the device highlighted in the blue square to read/write?
Do I need to lift any pins on the MCU to read/write?
Can I completely blank the MCU flash and then program it using a CEM reload using VIDA online?
If I do a reload after blanking the MCU flash can I ignore the 93c86 (reload will overwrite it anyway?)

I appreciate your advice guys,
Regards, Simon

Post by **vtl** » 10 Sep 2021, 06:15

I have an E8 (not E8a). It was able to read the chip, erase it and... fail on write. In effect bricking the CEM.

Then with T5Luke's help I learned how to use m16c-flasher.de and $2 USB-TTL adapter. Search this thread, it has instructions scattered across many pages.

I mean, E8a may work for you. Just don't attempt to write the dump back, or be prepared for potential troubles.

Don't touch the watchdog (in blue square). Don't lift any pins, just solder to TX, RX, CNVss, BUSY and GND/+5. E8 or m16c-flasher will not read the EEPROM, you have to do it separately in chip programmer. EEPROM content is encrypted, i.e. can't be used w/o a matching flash dump that has a key to decode/encode EEPROM.

For VIDA to reload the CEM the sw should be present in the flash and the PIN should be all 00s or FFs. Flash erase will put FFs everywhere, however the CEM will not respond to OBD requests as the sw is lost, so for VIDA it will be bricked, I think.

gooroo · Post by **gooroo** » 10 Sep 2021, 07:42

Thanks vtl, like this?

https://www.ebay.co.uk/itm/262285972686 ... Swj5Rgzklg

I can't see where CNVss and BUSY would connect to the adapter?

Regarding the eeprom, I can read it and have done already but all I want to do is install a donor CEM from another car, If I just blank the PIN in the flash with the M16C flasher will VIDA happily treat the CEM as "new" and allow me to perform a RELOAD which in turn will program the PIN and overwrite the eeprom with whatever "should" be in it?

Regards, Simon

Post by **vtl** » 10 Sep 2021, 08:02

Yes, adapter like that will work.

Use the search function up the page, this thread has all the info: how to connect the adapter, drop the CEM into boot mode and how to negotiate the baud rate with the CEM.

If you have your old EEPROM + Renesas flash contents, you can program it to a donor CEM and it will work. No dealer is required. I've done it a few times, no problem. Otherwise you need to read the donor flash, replace pin with 00 or FF, load it back to CEM.

gooroo · Post by **gooroo** » 10 Sep 2021, 08:26

I have tried searching, Is this what I am looking for?

viewtopic.php?p=572965#p572965
*****
When you have P2 on bench, connect pin 8 to +12V and pin 15 to +12V, this makes CEM stay in lock pos 1 and doesn't fall asleep, guess you need to find the same pins in P1.
Do you mean pins D:8 & D:15 which are power from the Ignition switch?
*****

viewtopic.php?p=575086#p575086
*****
That a clue, enabling a connection is a PIA.
What microcontroler profile are you using in settings? Trying to eliminate as many variables as possible.
Reset: I got all the connection pins soldered on then the Reset pad lifted. Moved the Rest connection pin to the cap and resistor in common with the pad. When the pad lifted it exposed what looks like a through hole. These may not be just pads.
Reset - +5V Move to GND and back +5V to reset.
Hold - GND
CNVss - +5V
*****

Regards.

Vida CEM swapping

Re: Vida CEM swapping