Vida CEM swapping

[ZRimaZ]

Has anyone tried this on the CEM-B to read the eeprom to get the pin from the .bin file?

This one https://www.usbjtag.com/jtagnt/ulinknt.php is working very well without desoldering of flash chip

[gnalan]

This one https://www.usbjtag.com/jtagnt/ulinknt.php is working very well without desoldering of flash chip

I haven't taken my CEM apart, or any CEM, so I don't know exactly what's inside. How are the connections made? For $65 that doesn't seem to be a bad price to get the CEM pin. Thanks for the info.

[ZRimaZ]

I haven't taken my CEM apart, or any CEM, so I don't know exactly what's inside. How are the connections made? For $65 that doesn't seem to be a bad price to get the CEM pin. Thanks for the info.

It is very easy - all info you can find on their forum https://www.usbjtag.com/phpbb3/viewtopi ... =22&t=9339

[RickHaleParker]

It does not crack mine (difficult third byte).

What is the part number?

I got a bench 31314468 that is being a PITA on the third byte.

[vtl]

It does not crack mine (difficult third byte).

What is the part number?

I got a bench 31314468 that is being a PITA on the third byte.

Part Number: 30728542

Don't remember the original P/N, my CEM was reflashed many times.

[RickHaleParker]

Don't remember the original P/N, my CEM was reflashed many times.

I cannot draw any conclusions from that, it is P/N Heinz 57.

[RickHaleParker]

@sirloins any tricks in wiring the 719? I see messages from ID 0x7de up powering it up, however it does not react to the read p/n requests.

Did you ever git the 719 to fired up? I got one of Sirloin's 719 on my bench.

30-supply to E20 - E23.
Power Ground A28.
Signal Ground A14.

HS-H B11
HS-L B12
LS-L B15
LS-H B16

VTL:Main
CPU Maximum Frequency: 600000000
CPU Frequency: 180000000
Execution Rate: 180 cycles/us
PIN bytes to measure: 3
CAN low-speed init done.
CAN high-speed init done.
Putting all ECUs into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=50 88 00 00 00 00 00 00
Part Number: 0
Unknown CEM part number 0. Don't know what to do.
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

Faster-attempt
CPU Maximum Frequency: 600000000
CPU Frequency: 180000000
Execution Rate: 180 cycles/us
PIN bytes to measure: 4
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
Can't find part number on CAN-LS, trying CAN-HS at 500 Kbps
CAN high-speed init done.
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
Unknown CEM part number 0. Don't know what to do.
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

[vtl]

@sirloins any tricks in wiring the 719? I see messages from ID 0x7de up powering it up, however it does not react to the read p/n requests.

Did you ever git the 719 to fired up? I got one of Sirloin's 719 on my bench.

30-supply to E20 - E23.
Power Ground A28.
Signal Ground A14.

HS-H B11
HS-L B12
LS-L B15
LS-H B16

Yes.

+12 to Front-1:21
GND to Cockpit-1:28

CAN pins are correct.

[vtl]

Speaking about 719/720 and sirloin's new code. I tried to power it up after sitting idle for a couple of weeks:

Code: Select all

$ git remote -v
origin	https://github.com/cmolson/volvo-cem-cracker.git (fetch)
origin	https://github.com/cmolson/volvo-cem-cracker.git (push)
$ git status --short
$

It did all 3 permitted iteration on pin[2] with a different outcome on every run:

Code: Select all

best candidates ordered by latency:
0: 09 lat = 2614209, prev: -100.0000%, best: -0.0000%
1: 43 lat = 2612765, prev: -0.0552%, best: -0.0552%
...
best candidates ordered by latency:
0: 90 lat = 7786689, prev: -100.0000%, best: -0.0000%
1: 47 lat = 7785527, prev: -0.0149%, best: -0.0149%
...
best candidates ordered by latency:
0: 64 lat = 15572173, prev: -100.0000%, best: -0.0000%
1: 22 lat = 15486240, prev: -0.5518%, best: -0.5518%

As a consequence, it failed to crack:

Code: Select all

Candidate PIN 13 49 64 15 -- -- : brute forcing bytes 4 to 5 (2 bytes), will take up to 20 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..45%..50%..55%..60%..65%..70%..75%..80%..85%..90%..95%..
PIN is NOT cracked in 165.84 seconds
done

Weeks ago, when I tried to crack it, it was able to do so. As stated previously in the thread, the master branch runs for so long for a good reason. It is possible to cut corners here and there, it will crack your CEM, but will fail others.

[RickHaleParker]

30-supply to E20 - E23
Power Ground A28.
Signal Ground A14.

HS-H B11
HS-L B12
LS-L B15
LS-H B16

Never mind I got it. For some reason it does not work if you connect E20

This works:
30-supply to E21 - E23 E20 - E23.
Power Ground A28.
Signal Ground A14.

HS-H B11
HS-L B12
LS-L B15
LS-H B16