Vida CEM swapping

Post by **vtl** » 18 Oct 2021, 10:54

RickHaleParker wrote: ↑18 Oct 2021, 10:25 Do you need Firmata?
Can't you exchange information, instructions and data with the sketch over the serial with Serial.read() and Serial.print() ?

I don't want to do more than I absolutely have to. My beard grew way too long to have joy from things like bringing up the board (that's why Arduino, not programming the chip in its native SDK) and writing yet another RPC-like communication protocol

Actually, there was a typo in the hash speed computation... It was 5M/s, not 0.05M/s. And I sped up the code further, so it is crunching at 7.3M/s. This brings the whole pin space time to ~20 minutes, which is low enough to avoid messing up with the host.

Post by **vtl** » 18 Oct 2021, 11:29

Hmmm... For my PIN there's 646 candidate that produced the hash collision for the same seed/key pair, however when I go over these PINs and send them to CEM one by one, asking for a new seed every time, all of them matches. Either I screwed something up, or we don't need to do this trickery, and the first PIN that produced a hash collision would be a valid pin.

Post by **RickHaleParker** » 18 Oct 2021, 11:32

vtl wrote: ↑18 Oct 2021, 10:54 Actually, there was a typo in the hash speed computation... It was 5M/s, not 0.05M/s. And I sped up the code further, so it is crunching at 7.3M/s. This brings the whole pin space time to ~20 minutes, which is low enough to avoid messing up with the host.

20 minutes or about the same amount of time it takes to brute force the last three bytes of a P1 or P2. Good enough! The bottle neck is still getting the first accepted hash.

Post by **RickHaleParker** » 18 Oct 2021, 11:46

vtl wrote: ↑18 Oct 2021, 11:29 Hmmm... For my PIN there's 646 candidate that produced the hash collision for the same seed/key pair, however when I go over these PINs and send them to CEM one by one, asking for a new seed every time, all of them matches. Either I screwed something up, or we don't need to do this trickery, and the first PIN that produced a hash collision would be a valid pin.

646 / 100^5 X 100% = .00000646 % ( 64.6ppb ) ... possible that they are all good.

Post by **RickHaleParker** » 18 Oct 2021, 12:04

In a previous post I suggested doing a PIN check before wasting time searching for collisions. Perhaps for the finial version. There is a lot that can be learned from "wasted" time. It is called experimentation. A lot of discoveries come from chance encounters when doing experiments and making mistakes.

A durable light bulb came from doing over 300 failed experiments.
Vulcanized rubber came from accidentally spilling a mixture of rubber with sulfur on a hot frying pan.

mikeak2001 · Post by **mikeak2001** » 21 Oct 2021, 13:39

Hi everyone,
In a bit of a pickle.
Personally I have only messed with the P1 CEM's, so need to ask a quick question to anyone dealing with P2 CEM L's.

I have a friend who has random fault's through the vehicle (S60), after digging into it, the cem has taken in water (standard in the UK).

Looking to clone into a spare, am I correct in saying I have to clone both flash and eeprom from M32C M30835 and the 93lc86 eeprom?
Out of all the equipment I have, the only M32C I don't list is the M30835 for some reason. Can it be read as any other chip models?
Looking online, there are loads of random comments like "if you try to read M30835 then it will erase iteself" - anyone heard of this?

Are we at any stage where we can read/write P2 through OBD? I do have genuine Volvo Dice if it helps.

I am willing to do a chip transplant like i've done before on other brands but due to the coating i'm a little worried a chip leg is going to break.

Post by **vtl** » 21 Oct 2021, 13:50

I did a clone with m16c-flasher.de to read the dump and write it into the donor, and clone EEPROM by desoldering it and working with TL866A.

Renesas has a way to erase the chip, yes, however this feature is not enabled in Volvo (flash is not locked).

mikeak2001 · Post by **mikeak2001** » 21 Oct 2021, 14:50

vtl wrote: ↑21 Oct 2021, 13:50 I did a clone with m16c-flasher.de to read the dump and write it into the donor, and clone EEPROM by desoldering it and working with TL866A.

Renesas has a way to erase the chip, yes, however this feature is not enabled in Volvo (flash is not locked).

Thanks for this, As a quick check. I remembered I have a USB > TTL device, it seems to be picked up by m16c-Flasher. Would you mind sharing the connections if you remember them?
On my device, if it works I have these connections available if its correct:
5V
3V3
TXD
RXD
GND
CTS
RTS

Or am I barking up the wrong tree?

Post by **vtl** » 21 Oct 2021, 17:03

I have a very b limited internet access for week. Search "m16c-flasher" in this topic, you'll find all the instructions.

Post by **RickHaleParker** » 31 Oct 2021, 06:36

aaivar wrote: ↑18 Oct 2021, 04:57

RickHaleParker wrote: ↑18 Oct 2021, 07:27
Here is the next test set.

1. Run EEPROM_Null.bin with Flash 49.bin , Name the Decrypt file D49.bin.
2. Run EEPROM_Null with Flash 61.bin , Name the Decrypt file D61.bin.
3. Run EEPROM_Null with Flash 256.bin , Name the Decrypt file D256.bin.
4. Upload files D49.bin, D61.bin and D256.bin .

Did you run these test files?

Vida CEM swapping

Re: Vida CEM swapping