Vida CEM swapping

[RickHaleParker]

If the PIN is 85 20 47 55 20 00 and the shuffle order is 3 1 5 0 2 4 should the detection order be 55 20 20 -- -- -- not 55 20 00 -- -- -- ?

85 20 47 55 20 00
03 01 05 00 02 04
------------------------
55 20 20 85 00 47

Could it be printing the PIN number in the wrong sequence? I have not been able to get the PIN numbers to work in DHA. Up to now, I just assumed that was something in DHA now I'm not so sure.


From the log:
PIN shuffle order: 3 1 5 0 2 4

pin[2] choose candidate: 00
Candidate PIN 55 20 00 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 645 seconds
Progress: 0%..5%..10%..15%..20%..done

found PIN: 85 20 47 55 20 00
PIN is cracked in 1564.96 seconds
Validating PIN
PIN verified.
done
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

[aaivar]

bin file code 85 20 47 55 20 00

need write SDA 55 20 20 85 00 47

Pin code write for P2 Platform xc90 4 2 5 1 6 3

DHa have another pin code

[RickHaleParker]

bin file code 85 20 47 55 20 00

need write SDA 55 20 20 85 00 47

Pin code write for P2 Platform xc90 4 2 5 1 6 3

DHa have another pin code

Are You saying:
1. The PIN number 85 20 47 55 20 00 is the unencrypted PIN not the encrypted PIN need to unlock the CEM?
2. A completely different PIN code needed for DHA?

Do you know why the Transposition order ( Shuffle ) does not match up?
How would one use the PIN code write?

[RickHaleParker]

There are people here from the former Soviet Union states. If you cannot express something in English use Russian instead. Somebody will translate it to English.

Здесь есть люди из стран бывшего Советского Союза. Если вы не можете выразить что-то по-английски, используйте русский. Кто-нибудь переведет на английский.

[vtl]

I haven't used DHA. Maybe it's asking for EEPROM encryption key?

When the cracker says "PIN verified" it sends the displayed pin over network in exactly that form, and CEM accepts it. The sw does not even use cem unlock routine that is used for pin cracking, just to rule out a possibility of bug in the code.

[RickHaleParker]

I haven't used DHA. Maybe it's asking for EEPROM encryption key?

When the cracker says "PIN verified" it sends the displayed pin over network in exactly that form, and CEM accepts it. The sw does not even use cem unlock routine that is used for pin cracking, just to rule out a possibility of bug in the code.

Would this be correct for unlocking the CEM with PIN 85 20 47 55 20 00 on CAN-HS? : 50 A3 02 85 20 47 55 20 00

[vtl]

Would this be correct for unlocking the CEM with PIN 85 20 47 55 20 00 on CAN-HS? : 50 A3 02 85 20 47 55 20 00

Code: Select all

 0  1  2  3  4  5  6  7
50 BE 85 20 47 55 20 00
|  |  ------ pin ------
|  | unlock cmd
| ECU id (CEM)

[RickHaleParker]

Code: Select all

 0  1  2  3  4  5  6  7
50 BE 85 20 47 55 20 00
|  |  ------ pin ------
|  | unlock cmd
| ECU id (CEM)

Must be something wrong with the DHA setup or some short coming in my Chinese DiCE unit.

Tester -> CEM: 50 BE 85 20 47 55 20 00/ /Data= BE 85 20 47 55 20 00
Complete Response: 7F BE 11
Error, Service not supported

Anybody know a way to send it in VIDA ... or some other software that can be use as a terminal for the DiCE?

[vtl]

What car is it? Also is it sending the message over CAN HS? CEM has ECU id 0x40 on CAN LS.

[aaivar]

bin file code 85 20 47 55 20 00

need write SDA 55 20 20 85 00 47

Pin code write for P2 Platform xc90 4 2 5 1 6 3

DHa have another pin code

Are You saying:
1. The PIN number 85 20 47 55 20 00 is the unencrypted PIN not the encrypted PIN need to unlock the CEM?
2. A completely different PIN code needed for DHA?

Do you know why the Transposition order ( Shuffle ) does not match up?
How would one use the PIN code write?

Flash pin code need for SDA change Flash or config car . DHA make eeprom data