Vida CEM swapping

blasaab · Post by **blasaab** » 14 May 2022, 00:52

Hi I have had help cracking and modding my p3 from https://www.auxadapter.se/?page_id=758 . Cem code was cracked throu dice.

Post by **charlie13** » 18 May 2022, 11:25

Hello.
I have problem with pin enumeration on CEM P2 L 30728356. Attached file

Post by **vtl** » 18 May 2022, 11:36

That seems to be your own Frankenstein version of the cracker speaking - a mix of P3 branch and some real old master? You are the developer, you are in charge now

Post by **charlie13** » 18 May 2022, 12:23

vtl wrote: ↑18 May 2022, 11:36 That seems to be your own Frankenstein version of the cracker speaking - a mix of P3 branch and some real old master? You are the developer, you are in charge now

167678054057 THIS real pin was close. I wanted to turn off the pin in P2 without uploading a new program and turned off line 13 #define P3
CPU Maximum Frequency: 600000000
CPU Frequency: 180000000
Execution Rate: 180 cycles/us
PIN bytes to measure: 3
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
Can't find part number on CAN-LS, trying CAN-HS at 500 Kbps
CAN high-speed init done.
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS <--- ID=0042406c data=60 00 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=10400020 data=60 1c 00 60 00 00 00 00
CAN_HS <--- ID=11100024 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=11220028 data=00 00 00 14 00 00 01 22
CAN_HS <--- ID=11a00020 data=60 00 00 00 00 00 00 00
CAN_HS <--- ID=0042406c data=80 88 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=01200003 data=09 56 20 20 41 30 72 81
CAN_HS <--- ID=0042406c data=c0 a8 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=0042406c data=00 88 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=01200003 data=4c 01 20 20 41 00 00 00
CAN_HS <--- ID=10400020 data=80 1c 40 60 00 00 00 00
CAN_HS <--- ID=0042406c data=40 28 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=0042406c data=80 88 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=11100024 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=0042406c data=c0 a8 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=10400020 data=c0 1c 40 60 00 00 00 00
CAN_HS <--- ID=11220028 data=01 60 00 14 00 00 01 22
CAN_HS <--- ID=0042406c data=00 88 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=0042406c data=40 a8 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=0042406c data=80 88 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=10400020 data=00 1c 40 60 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS <--- ID=0042406c data=c0 a8 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=01200003 data=8f 50 f9 f0 00 30 72 83
CAN_HS <--- ID=11100024 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=0042406c data=00 88 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 00 00 00 00 00
CAN_HS <--- ID=01200003 data=09 56 20 20 41 30 72 81
Part Number: 30728356
Searching P/N 30728356 in 50 known CEMs
CAN HS baud rate: 500000
PIN shuffle order: 3 1 5 0 2 4
Putting all ECUs into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Initialization done.

Calculating bytes 0-2
1000 pins in 617 ms, 1620 pins/s, average response: 60 us, histogram 30 to 90 us
range 100, samples 10
candidates short list: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 (+ 50 more)

...
pin[2] choose candidate: 57
Candidate PIN 05 76 57 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 617 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..done

found PIN: 16 76 78 05 40 57
PIN is cracked in 1624.15 seconds
Validating PIN
PIN verified.
done
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

Post by **vtl** » 18 May 2022, 12:28

Makes sense: November 2021 when p3 support branched off.

Someone needs to merge all the pieces together... Sirloin's p1, p3 and manage not breaking p2

I'm trying to be pretending that someone is not me.

Post by **charlie13** » 18 May 2022, 12:41

I only know about C ++ what I learned from you here. 0.000000000000000001% is my level of knowledge of C ++ I can only substitute and try. Who asks not stray. You can't learn anything without asking questions. Another problem is whether anyone will have the time and willingness to answer these questions. But thanks to you, I started reading about C ++ programming. Thank you very much for every hint

Post by **gnalan** » 18 May 2022, 18:01

C++ is a fun programming language. It's my top choice. I recently learned Python, and use it now for quick check of code before writing it in C++, which is a little easier to work with but a lot slower.

If I had all the pieces I'd try to put the puzzle together. I have no way of testing anything though since I have the CEM-B.

Post by **vtl** » 18 May 2022, 18:54

The cracker code is written in plain C. Well, perhaps with some deviations allowed by GCC (compiler used by Arduino). It is basically a portable assembly language, which makes it more time consuming to write software, but in my experience it is far easier to debug large projects (think, Linux kernel), because, unlike C++, it has very little things happening under cover, and what you see in the code is what you get when running it.

I used to be a C++ fanboy long ago, but as a high level language it was tramped to death by the might of Common Lisp, which I learned later. So, all I needed to write my software ever since is 3 languages: assembler, C and CL.

jamesphijak · Post by **jamesphijak** » 21 May 2022, 13:04

Hello,

I would like to ask, I have try to use my Teensy and CF160 to crack my CEM

I tried with Volvo XC90 2.5T 2006 (CEM-L) completed and can get PIN

but when i try with my Volvo XC70 2.5T 2003 (8688434)
The log show "Unknown CEM part number 0"

I have check my circuit are correct.

Post by **vtl** » 21 May 2022, 18:27

jamesphijak wrote: ↑21 May 2022, 13:04 The log show "Unknown CEM part number 0".

Double, triple-check everything.

Vida CEM swapping

Re: Vida CEM swapping