Vida CEM swapping

Post by **vtl** » 21 Feb 2022, 13:05

vtl wrote: ↑18 Feb 2022, 15:01 It sounds like you have too much fun alone with your 720. I think, two more beers and I'll convince myself I need that 720 CEM on ebay =)

Ok, I almost bought it, but ebay showed me an ad w/ cheap DSLogic Pro knock-off, so I bought one instead

I feel my 8MHz Saleae knock-off limits me and for sure I need a 400 MHz logic analyzer that works with sigrok

Post by **RickHaleParker** » 22 Feb 2022, 13:13

vtl wrote: ↑21 Feb 2022, 13:05 ebay showed me an ad w/ cheap DSLogic Pro knock-off, so I bought one instead

It might not be a knock off. A lot of name brands are generics with a expensive name on them. Today it is marketing hype not the product that often determines price.

Post by **vtl** » 22 Feb 2022, 13:34

RickHaleParker wrote: ↑22 Feb 2022, 13:13
vtl wrote: ↑21 Feb 2022, 13:05 ebay showed me an ad w/ cheap DSLogic Pro knock-off, so I bought one instead
It might not be a knock off. A lot of name brands are generics with a expensive name on them. Today it is marketing hype not the product that often determines price.

I know. Either a rebranded generic device, or authentic device unofficially manufactured during night shift

I liked a lot that with DSLogic you can easily write your own protocol dissector.

Post by **RickHaleParker** » 22 Feb 2022, 18:40

Sirloin took my hardware interrupt idea and ran with it. Added some of his own to the idea. It is getting good results.

Cracked with Calc_Bytes = 5, One range only, Samples = 10.

Candidate PIN 55 28 90 50 37 -- : brute forcing bytes 5 to 5 (1 bytes), will take up to 0 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..45%..50%..done

found PIN: 50 28 37 55 52 90
PIN is cracked in 1005.44 seconds
Validating PIN
PIN verified.
done
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

Post by **RickHaleParker** » 22 Feb 2022, 19:31

Calc_Bytes = 5 : 1005.44 seconds ( 16.75 minutes )
Calc_Bytes = 4 : 814.80 seconds ( 13.58 minutes ) <== Sweet Spot.
Calc_Bytes = 3 : 1658.67 seconds ( 27.64 minutes )

Post by **RickHaleParker** » 23 Feb 2022, 07:44

vtl wrote: ↑20 Feb 2022, 10:17 - latency accumulation is very visible when the right subsequence is sent. 1 or 2 bytes don't make a difference, but 3 and, especially, 4 totally triggers it. Of course, CALC_BYTES=4 would be very slow on a 250 Kbps,

This applies to the CEM-B ?

If so, the 1 million 3 byte strings ( 3 bytes at a time ) in 1 hour 6 minuites at 250 pins per second.

( 00 00 00 XX XX XX - 99 99 99 XX XX XX ) not ( 00 XX XX XX XX XX - 99 99 99 XX XX XX )

sirloins · Post by **sirloins** » 23 Feb 2022, 21:46

vtl wrote: ↑21 Feb 2022, 13:05 Ok, I almost bought it, but ebay showed me an ad w/ cheap DSLogic Pro knock-off, so I bought one instead I feel my 8MHz Saleae knock-off limits me and for sure I need a 400 MHz logic analyzer that works with sigrok

I have 3 P1 CEMs. I am sending one away, and I can send you one as well if you'd like. I have pretty much confirmed there is no difference between the 719 and 720 CEMs. I am happy to send you either a 719 or a 720. I think you can even flash a 719 with the files from a 720 without issue.

I do still plan to do the analysis with my logic analyzer, thanks for the sigrok reference, I had not seen that before. Although I have also mostly confirmed through trial and error that the timing issues all relate to the CAN interrupts, it would still be good to show once and for all.

Post by **vtl** » 23 Feb 2022, 21:48

sirloins wrote: ↑23 Feb 2022, 21:46 I am happy to send you either a 719 or a 720.

Thanks. I think it may be cheaper to buy it local.

Post by **RickHaleParker** » 23 Feb 2022, 23:48

RickHaleParker wrote: ↑22 Feb 2022, 19:31 Calc_Bytes = 5 : 1005.44 seconds ( 16.75 minutes )
Calc_Bytes = 4 : 814.80 seconds ( 13.58 minutes ) <== Sweet Spot.
Calc_Bytes = 3 : 1658.67 seconds ( 27.64 minutes )

Sirloin's code base keep getting faster and the reliability is looking good.

pin[3] choose candidate: 50
Candidate PIN 55 28 90 50 -- -- : brute forcing bytes 4 to 5 (2 bytes), will take up to 20 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..45%..50%..done

found PIN: 50 28 37 55 52 90
PIN is cracked in 493.06 seconds ( 8.22 minutes)
( 40% improvement in speed over the last one. )
Validating PIN
PIN verified.
done
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

Post by **vtl** » 24 Feb 2022, 07:05

Yes, the very first software version cracked my CEM in under 5 minutes. It is much longer now for a reason

Once we figure out what's going on, the change will be happily applied.

Vida CEM swapping

Re: Vida CEM swapping