Vida CEM swapping

Post by **vtl** » 09 Dec 2021, 10:50

RickHaleParker wrote: ↑09 Dec 2021, 10:48 His known PINs are data matching what is found in the files. Shuffled like the P1 & P2. I am working off the assumption that his known PINs will solve the challenge and gain him access.

No, I mean the pins themselves could be generated using some car's data. I.e. it is not fully random numbers.

This is based on rumors that more advanced crackers can do it in under 5 minutes.

Post by **RickHaleParker** » 09 Dec 2021, 11:09

vtl wrote: ↑09 Dec 2021, 10:50 No, I mean the pins themselves could be generated using some car's data. I.e. it is not fully random numbers.

This is based on rumors that more advanced crackers can do it in under 5 minutes.

You mean how the seed is generated?

Post by **vtl** » 09 Dec 2021, 11:16

RickHaleParker wrote: ↑09 Dec 2021, 11:09 Do you mean how the seed is generated?

No. Take bytes from car's config data (static data), recombine the bits in some unknown to us way and here's your pin code. Something like that.

Post by **RickHaleParker** » 09 Dec 2021, 11:25

vtl wrote: ↑09 Dec 2021, 11:16 No. Take bytes from car's config data (static data), recombine the bits in some unknown to us way and here's your pin code. Something like that.

The 5 byte PIN is not assigned but instead auto generated using data such as the VIN or just the chassis number?

There is only a small number of configurations so some unique variable would be needed. I would thing the VIN number would be involved because it is unique for each car. That would keep the pins from conglomerating in a small subset.

.... Chassis number?

ZRimaZ · Post by **ZRimaZ** » 10 Dec 2021, 05:02

Short news (at least - for me

)

Checked P1 CEM with processor mask 0L01Y and found PIN @FBEF8 in order 4-2-1-5-3-0
PIN is 300377384764

: 2021-12-10_135709.jpg (253.36 KiB) Viewed 624 times

@ the same address PIN is located in P1 CEM with processor 1K79X mc9s12dt256 with the same byte order:

: 2021-12-10_140505.jpg (275.29 KiB) Viewed 624 times

Post by **RickHaleParker** » 10 Dec 2021, 10:11

ZRimaZ wrote: ↑10 Dec 2021, 05:02 Checked P1 CEM with processor mask 0L01Y and found PIN @FBEF8 in order 4-2-1-5-3-0
PIN is 300377384764

4-2-1-5-3-0 is the shuffle order for .bin to PIN. VTL uses shuffle order PIN to .bin in the Teensy code.
The Shuffle order is {5, 2, 1, 4, 0, 3} in the Teensy code. Which is only flagged for a P2 CEM-B in the code.

What are the Volvo part number of these CEMs ?
List them in this format: Volvo Part Number, PIN Number, PIN Number in .bin.

===============================================================================================

unsigned char shuffle_orders[4][PIN_LEN] = { { 0, 1, 2, 3, 4, 5 }, { 3, 1, 5, 0, 2, 4 }, {5, 2, 1, 4, 0, 3}, { 2, 4, 5, 0, 3, 1} };

unsigned char *shuffle_order;

struct _cem_params {
unsigned long part_number;
int baud;
int shuffle;
} cem_params[] = {
// P1
{ 8690719, CAN_500KBPS, 0 },
{ 8690720, CAN_500KBPS, 0 },
{ 8690721, CAN_500KBPS, 0 },
{ 8690722, CAN_500KBPS, 0 },
{ 30765471, CAN_500KBPS, 0 },
{ 30728906, CAN_500KBPS, 0 },
{ 30765015, CAN_500KBPS, 0 },
{ 31254317, CAN_500KBPS, 0 },
{ 31327215, CAN_500KBPS, 3 },
{ 31254749, CAN_500KBPS, 3 },
{ 31254903, CAN_500KBPS, 0 },
{ 31296881, CAN_500KBPS, 0 },

// P2 CEM-B (Brick shaped 1999-2004 with K-line)
{ 8645716, CAN_250KBPS, 0 },
{ 8645719, CAN_250KBPS, 0 },
{ 8688434, CAN_250KBPS, 0 },
{ 8688436, CAN_250KBPS, 0 },
{ 8688513, CAN_250KBPS, 2 },
{ 30657629, CAN_250KBPS, 0 },
{ 9494336, CAN_250KBPS, 0 },
{ 9494594, CAN_250KBPS, 0 },
{ 8645171, CAN_250KBPS, 0 },
{ 9452553, CAN_250KBPS, 0 },
{ 8645205, CAN_250KBPS, 0 },
{ 9452596, CAN_250KBPS, 0 },
{ 8602436, CAN_250KBPS, 0 },
{ 9469809, CAN_250KBPS, 0 },
{ 8645200, CAN_250KBPS, 0 },

// P2 CEM-L (L shaped and marked L 2005-2014)
{ 30682981, CAN_500KBPS, 1 },
{ 30682982, CAN_500KBPS, 1 },
{ 30728356, CAN_500KBPS, 1 },
{ 30728542, CAN_500KBPS, 1 },
{ 30765149, CAN_500KBPS, 1 },
{ 30765646, CAN_500KBPS, 1 },
{ 30786475, CAN_500KBPS, 1 },
{ 30786889, CAN_500KBPS, 1 },
{ 31282457, CAN_500KBPS, 1 },
{ 31314468, CAN_500KBPS, 1 },
{ 31394158, CAN_500KBPS, 1 },

// P2 CEM-H (L shaped and marked H 2005 - 2007)
{ 30786476, CAN_500KBPS, 1 },
{ 30728539, CAN_500KBPS, 1 },
{ 30682982, CAN_500KBPS, 1 },
{ 30728357, CAN_500KBPS, 1 },
{ 30765148, CAN_500KBPS, 1 },
{ 30765643, CAN_500KBPS, 1 },
{ 30786476, CAN_500KBPS, 1 },
{ 30786890, CAN_500KBPS, 1 },
{ 30795115, CAN_500KBPS, 1 },
{ 31282455, CAN_500KBPS, 1 },
{ 31394157, CAN_500KBPS, 1 },
{ 30786579, CAN_500KBPS, 1 },
};

ZRimaZ · Post by **ZRimaZ** » 10 Dec 2021, 10:15

I have to check, but looks like it is 30728906

Post by **RickHaleParker** » 10 Dec 2021, 11:06

ZRimaZ wrote: ↑10 Dec 2021, 10:15 I have to check, but looks like it is 30728906

If it is 30728906 something is not right.
List them in this format: Volvo Part Number, PIN Number, PIN Number in .bin and it will get sorted out.

Most of the activity has been on P2 CEM-L & P2 CEM-H. It would not surprise me if the P1 information has deficiencies. This is why we need people to report things.

Post by **vtl** » 10 Dec 2021, 11:12

RickHaleParker wrote: ↑10 Dec 2021, 11:06 Most of the activity has been on P2 CEM-L & P2 CEM-H. It would not surprise me if the P1 information has deficiencies.

You can be sure P1 is not correct everywhere

Post by **RickHaleParker** » 10 Dec 2021, 11:59

vtl wrote: ↑10 Dec 2021, 11:12 You can be sure P1 is not correct everywhere

ZRimaZ appears to have a large quantity of CEMs and .bin files. If he come back with a comprehensive list, the deficiencies can be rectified.

Vida CEM swapping

Re: Vida CEM swapping