
Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Re: Vida CEM swapping

Post by vtl »

Canadian Moose wrote: 01 Jan 2022, 15:24 That's a good catch. I must've changed that setting manually last year when I was messing with my 2002 CEM and never changed it back. Gonna try to start at third position and see if it's able to do it. Looks like first 3 are 79 92 and 97.
-2004 won't crack. I found the pin comparison code, it is "buggy": yields only a couple of CPU ticks of difference, which is not possible to detect over CAN.

Your CEM-L has a "bad" code placement in flash memory. I speculated a few dozen pages back about why some CEMs are harder to crack than others; that may be due to the CPU executing code from flash, which has memory row/line access latency. On some CEMs the third byte compare routine does not yield extra latency, or not enough extra latency to be detected over CAN.

You can always stock up enough beer and crack with CALC_BYTES 2, not 3. Within like 18 hours it will crack with brute-forcing the last 4 bytes.

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

vtl wrote: 01 Jan 2022, 16:56 You can always stock up enough beer and crack with CALC_BYTES 2, not 3. Within like 18 hours it will crack with brute-forcing the last 4 bytes.
Perhaps an additional routine that will execute only when the CEM fails to crack: brute force using the top candidate for B0 & B1 + cycle through a shortlist for B2. If B2 is making it into a shortlist it would take a lot less time than 18 hours.

Maximum time = B2 Shortlist range # * 10.72 minutes.

B2 Short range 3 : 3 * 10.72 minutes = 32.16 minutes.
B2 Short range 6 : 6 * 10.72 minutes = 64.32 minutes.
B2 Short range 12 : 12 * 10.72 minutes = 128.64 minutes.
... etc.

Alternative: Use the shortlists to sort the long list of 100 B2 weights by probability. Maximum time would still be 18 hours, but statistically the average time would be less than sequentially brute forcing the last four.
Last edited by RickHaleParker on 03 Jan 2022, 21:01, edited 1 time in total.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
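Added example, written for this page and not code from vtl's cracker or from either post above: a small Python model of the timing side channel vtl describes (byte-by-byte PIN compare with early exit, leaking latency over CAN), with Rick's shortlist idea on top. Everything below is an assumption of the model, not a fact about the CEM: six BCD PIN bytes (00..99), an in-order compare that stops at the first mismatch, a fixed extra latency per compared byte plus Gaussian noise, the PIN and latencies in demo_cem(), the MIN_SEP threshold, and the 1500 attempts/s rate used for the time estimates. The undetectable byte is placed one position later than in the thread (byte 3 instead of byte 2) only so that the brute-force stage finishes in seconds in Python; the mechanism is the same.

```python
"""Added example, not code from vtl's cracker or from this thread.

Toy model of the CAN timing side channel discussed above.  Assumed here,
not taken from the project: six BCD PIN bytes (00..99), an early-exit
compare, and a fixed extra latency per compared byte plus noise.  A byte
whose compare adds almost no latency models vtl's "bad code placement";
walking a ranked shortlist for that byte is Rick's suggestion.
"""
import itertools
import random
import statistics

PIN_LEN = 6
RADIX = 100      # BCD byte: 100 possible values
MIN_SEP = 9.0    # assumed decision threshold, see rank_byte()


class SimCem:
    """Toy CEM.  leak[i] = extra ticks spent comparing PIN byte i."""

    def __init__(self, pin, leak, noise, rng, base=1000.0):
        self._pin, self._leak = list(pin), list(leak)
        self._noise, self._rng, self._base = noise, rng, base
        self.attempts = 0

    def unlock(self, guess):
        """Early-exit compare; returns (unlocked, response time in ticks)."""
        self.attempts += 1
        ticks, ok = self._base, True
        for g, p, extra in zip(guess, self._pin, self._leak):
            ticks += extra
            if g != p:
                ok = False
                break
        return ok, ticks + self._rng.gauss(0.0, self._noise)


def rank_byte(cem, prefix, samples):
    """Rank all 100 values for position len(prefix) by mean response time.

    Only the correct value makes the CEM go on to compare the *next* byte,
    so the signal for position i is really the cost of comparing byte i+1.
    Returns (values, separation): values sorted best first, and how many
    standard deviations the best mean sits above the other 99 means.  A
    separation below MIN_SEP means timing cannot single out this byte.
    """
    pos = len(prefix)
    pad = [0] * (PIN_LEN - pos - 1)   # a pad byte that matches only adds latency
    mean = {}
    for v in range(RADIX):
        ticks = [cem.unlock(prefix + [v] + pad)[1] for _ in range(samples)]
        mean[v] = statistics.fmean(ticks)
    values = sorted(range(RADIX), key=mean.get, reverse=True)
    rest = [mean[v] for v in values[1:]]
    sep = (mean[values[0]] - statistics.fmean(rest)) / statistics.pstdev(rest)
    return values, sep


def crack(cem, calc_bytes, shortlist=1, samples=100):
    """vtl's scheme: time-rank the first calc_bytes bytes, brute-force the
    rest.  shortlist > 1 is Rick's variant for the last calculated byte:
    try its top `shortlist` ranked values in turn, each followed by an
    exhaustive search of the remaining bytes.  shortlist == RADIX is his
    "sort the long list" alternative.  Returns (pin or None, separations)."""
    prefix, seps = [], []
    for _ in range(calc_bytes):
        values, sep = rank_byte(cem, prefix, samples)
        prefix.append(values[0])
        seps.append(sep)
    head, tail_len = prefix[:-1], PIN_LEN - calc_bytes
    for v in values[:shortlist]:
        for tail in itertools.product(range(RADIX), repeat=tail_len):
            guess = head + [v] + list(tail)
            if cem.unlock(guess)[0]:
                return guess, seps
    return None, seps


def worst_case_seconds(calc_bytes, shortlist, pins_per_second):
    """Upper bound for the brute-force stage: shortlist size times the time
    for 100**(6 - CALC_BYTES) attempts (Rick's formula, rate as parameter)."""
    return shortlist * RADIX ** (PIN_LEN - calc_bytes) / pins_per_second


def demo_cem(seed=1):
    """Constructed scenario: PIN and latencies are made up.  Byte 4 is cheap
    to compare, so byte 3 is the one timing cannot calculate (the thread's
    case has it one position earlier; moved here so the brute-force stage,
    100**2 attempts per shortlist entry, runs quickly in Python)."""
    pin = [79, 92, 97, 31, 5, 64]
    leak = [18, 18, 18, 18, 4, 18]
    return SimCem(pin, leak, noise=10.0, rng=random.Random(seed)), pin


if __name__ == "__main__":
    cem, pin = demo_cem()
    found, seps = crack(cem, calc_bytes=4, shortlist=RADIX)
    print("recovered", found, "(correct)" if found == pin else "(wrong)",
          "after", cem.attempts, "attempts")
    print("separation per byte", [round(s, 1) for s in seps],
          "undetectable:", [i for i, s in enumerate(seps) if s < MIN_SEP])
    rate = 1500.0   # assumed attempts per second, not a measured figure
    for cb, sl in ((3, 1), (3, 3), (3, 12), (2, 1)):
        print(f"CALC_BYTES {cb}, shortlist {sl}: worst case "
              f"{worst_case_seconds(cb, sl, rate) / 3600:.1f} h")
```

The separation value is the check worth keeping: three bytes come out far above the noise and one does not, which is the "is this byte detectable at all" question behind the CALC_BYTES 3 vs 2 choice. The attempts counter shows what the ranked shortlist buys: the undetectable byte is usually near the top of its ranking even when it is not rank 1, so the search ends long before the 100 * 100**tail worst case.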

Sh4rp
Posts: 28
Joined: 3 January 2022
Year and Model: See below.
Location: Braunschweig
Has thanked: 2 times
Been thanked: 1 time

Post by Sh4rp »

I've been reading since the morning and just finished the last page. It is truly amazing what you guys, especially vtl and Rick, are doing here. I already ordered the hardware to crack my V50.

I wish I could contribute, but sadly I'm from a whole other department (automotive design). I already thought of hitting up my colleagues at Geely, but they know as little about this stuff as I do and will never have access to the resources, I guess... :D

I've noticed that it has gone quiet around T5Luke and his Configuration Writer for a few months now. It seems he was really close. I hope he's just very busy, but is there maybe anything in development by the others, or anything we could do to push this forward?

Best regards from Germany
2004 - V50 T5 AWD M66 - Flint Grey
1996 - 850 T-5R M56 - Dark Olive Pearl

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

Oops!

By default CEM_PN_AUTODETECT is turned off. Turn this back on by removing //. Unless you are cracking a CEM-L on the bench or a car with a CEM-L and a defective DIM.


/* tunable parameters */

#define CALC_BYTES 3 /* how many PIN bytes to calculate (1 to 4), the rest is brute-forced */
//#define CEM_PN_AUTODETECT /* comment out for P2 CEM-L on the bench w/o DIM */
//#define DUMP_BUCKETS /* dump all buckets for debugging */

/* end of tunable parameters */


Corrected:


/* tunable parameters */

#define CALC_BYTES     3     /* how many PIN bytes to calculate (1 to 4), the rest is brute-forced */
#define CEM_PN_AUTODETECT    /* comment out for P2 CEM-L on the bench w/o DIM */
//#define  DUMP_BUCKETS                               /* dump all buckets for debugging */

/* end of tunable parameters */
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.

ZRimaZ
Posts: 77
Joined: 8 March 2009
Year and Model: XC60 MY2016 3.0 T6
Location: Lithuania, Kaunas
Has thanked: 23 times
Been thanked: 13 times

Post by ZRimaZ »

Hi to all again!

Today I tried one more CEM-H from XC90 MY2007, HW_PN 30786890. 2x the same CEM. Unfortunately, no luck :(
What is strange:
- the first and second runs have completely different PIN candidates
- neither has any of the real PIN bytes.

My hardware pictures are:
IMG_20220105_171708.jpg
IMG_20220105_171749.jpg
Log files are here:
PIN 30786890 Try1.txt
PIN 30786890 Try2.txt
Sketch is the latest one from vtl repo with


#define CALC_BYTES     3     /* how many PIN bytes to calculate (1 to 4), the rest is brute-forced */
#define CEM_PN_AUTODETECT    /* comment out for P2 CEM-L on the bench w/o DIM */
//#define  DUMP_BUCKETS                               /* dump all buckets for debugging */
The car has left my shop, so I have no chance to run one more test on it. I do have the CEM files, if that helps.

Any ideas?
Have a nice day,

ZRimaZ

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

The response time is very wrong


1000 pins in 572 ms, 1748 pins/s, average response: 21 us, histogram 10 to 31 us
Do you have a logic analyzer or digital oscilloscope that can capture one request-response sequence?

ZRimaZ
Posts: 77
Joined: 8 March 2009
Year and Model: XC60 MY2016 3.0 T6
Location: Lithuania, Kaunas
Has thanked: 23 times
Been thanked: 13 times

Post by ZRimaZ »

I do have a Rigol DS1054Z. But the car has already left my garage :(
Have a nice day,

ZRimaZ

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

ZRimaZ wrote: 05 Jan 2022, 08:57 I do have Rigol DS1054Z. But the car is already left my garage :(
Next time please capture the signal when the latency is way off.

ZRimaZ
Posts: 77
Joined: 8 March 2009
Year and Model: XC60 MY2016 3.0 T6
Location: Lithuania, Kaunas
Has thanked: 23 times
Been thanked: 13 times

Post by ZRimaZ »

Which moment exactly?
Have a nice day,

ZRimaZ

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

ZRimaZ wrote: 05 Jan 2022, 09:05 Which moment exactly?
Unlock message sent, reply received. Especially the gap between those two CAN messages.

Where do you connect CAN_L_PIN to? RX of the transceiver or directly to CAN-L?
