Vida CEM swapping

[vtl]

I am happy to send you either a 719 or a 720.

Thanks. I think it may be cheaper to buy it local.

Bought 719 locally.

[sirloins]

Bought 719 locally.

Awesome! Here it is $30 + $10 core fee (CDN) at the pick 'n pull for one.

Here is my experimental branch if you want to take a look https://github.com/cmolson/volvo-cem-cr ... er-attempt

It has all the changes I've made so far, not ideal for a pull request I don't think.

I was able to get a CEM-B yesterday to keep on my bench, so that should be interesting.

[RickHaleParker]

Yes, the very first software version cracked my CEM in under 5 minutes. It is much longer now for a reason

I recall why and there is a reason I should.
This one is doing 100s of samples without the speed reduction. He saying he can make it faster.

[blasaab]

Bought 719 locally.

Awesome! Here it is $30 + $10 core fee (CDN) at the pick 'n pull for one.

Here is my experimental branch if you want to take a look https://github.com/cmolson/volvo-cem-cr ... er-attempt

It has all the changes I've made so far, not ideal for a pull request I don't think.

I was able to get a CEM-B yesterday to keep on my bench, so that should be interesting.

Tested this and cracked direct. i tested 3 times and got same result

[vtl]

Tested this and cracked direct. i tested 3 times and got same result

Thanks.

My 719 is on the way. Once we understand the issue, come up with a proper patch and confirm that the rest of use cases still work, the change will fly right in.

[vtl]

@sirloins any tricks in wiring the 719? I see messages from ID 0x7de up powering it up, however it does not react to the read p/n requests.

[x119]

I appreciate this is very P1-3 focussed thread; but is there interest in SPA?

It's Seed and Key based..

I'm aware certain commercial outfits can do it with a VIDA log file only, thus it's possible. Just can't find ANY discussion online at all.

I have all the necessary tools at my disposal i.e I can trigger seed reqs etc. just need knowledge that is currently lacking! Also have tools to enable testing of the key for success. All offline - no servers req

Any pointers or direction is appreciated without derailing too much - I've read all 173 pages over the last few nights and your efforts are valiant for the other platform guises!

[RickHaleParker]

It's Seed and Key based..

Do you have any clue what the SPA/CMA challenge algorithm is?

If I recall correctly, it would take way to long to crack the SPA/CMA through the OBD connector because there is something like a 5 -10 second timeout after three failed attempts.

60/10 * 3 = 18 attempts per minute.

There is a rumor that the Keys can be calculated from accessible data but it just a rumor until somebody can prove otherwise.

[vtl]

@sirloins any tricks in wiring the 719? I see messages from ID 0x7de up powering it up, however it does not react to the read p/n requests.

So, this makes the cracker work with 719 CEM:

Code: Select all

@@ -405,6 +405,8 @@ bool cemUnlock (uint8_t *pin, uint8_t *pinUsed, uint32_t *latency, bool verbose)
 
   /* a reply of 0x00 indicates CEM was unlocked */
 
+  delay(2);
+
   return reply[2] == 0x00;
 }
 

Apparently CEM needs a quiet time to be crackable (time for what? flush instruction caches?) Sirloins' branch allows more time between crack requests and that substitutes for "quiet time".

[vtl]

Something is up with Teensy: it's TSC is not stable. The more Teensy sleeps, the better is the latency detection. The slower the clock, the better it works. Running Teensy at 24 MHz gave the best results.

I ended up going sirloins'/RichHaleParker's way and driving CAN_L_PIN state transition via interrupt handler while running at full 600 MHz (to reduce the impact of interrupt handler). It is super-stable, can detect the right byte in position reliably in one pass:

Code: Select all

Candidate PIN 13 49 64 01 -- -- : brute forcing bytes 4 to 5 (2 bytes), will take up to 7 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..45%..50%..55%..60%..65%..70%..75%..80%..85%..done

found PIN: 13 49 64 01 39 88
PIN is cracked in 34.60 seconds
Validating PIN
PIN verified.
done
Resetting all ECUs.

Will test with other CEMs I have and push the code to github branch for testing.