Vida CEM swapping

[5ft24]

Thank you. Will go give it a try!

[T5Luke]

Negative myths seem to spread so fast in this form, whats going on?

Sorry, we live in different time zones +6h and i also need to sleep.

I have no intention to spread an viruses, maybe the filehoster modified my file ot it is just a false alert of a bruteforce attac.

I rechecked my a file after download and it seems to be clean.

All P2 cars (V70, S60, S80, XC90) from 2006 and newer seem to support UDS and this cracking method...

[GVI]

Not trying to hijack the thread, but does anyone have links to the "Car Config Editor" software? Successfully read the flash from my '05 XC90 CEM-H, and I'd like to change some parameters.

Thanks in advance!

[RickHaleParker]

Negative myths seem to spread so fast in this form, whats going on?

In this case, a cheap Microsoft knockoff happened again. DOS means Dirty Operating System, that is what Timothy Paterson the originator of Microsoft DOS named it QDOS ( Quick Dirty Operating System ). Bill Gates bought QDOS and shorten it to DOS then claimed it stood for Disk Operating System. Perhaps Windows Defender should be renamed Windows Offender as it offends other people's good work.

I have no intention to spread an viruses, maybe the file hoster modified my file ot it is just a false alert of a brute force attack.

I rechecked my a file after download and it seems to be clean.

It is clean. I ran it thorough 15 other virus checkers and they all say it is clean. Only Microsoft Defender Offender got it wrong.

All P2 cars (V70, S60, S80, XC90) from 2006 and newer seem to support UDS and this cracking method...

It will put my 2005 XC90 T6 serial number 1188434 in programing mode. Then error error error error error error ... when it tries to do UDS. Had to disconnect battery to get it out of programing mode.

If you are right about 2006 + being UDS compatible. We can do 2006+ with UDS and -2005 with timing side attack.

I wounder if the 2006+ P1s are UDS compatible.

[RickHaleParker]

SPA platform doesn't have V8 engine That screenshot looks like P3 or P4

SPA (P5) is all inline 4 cylinder engines.
P4 was under development when Ford sold Volvo to Geely. Geely and Volvo abandoned the P4 and it was never put into production. Geely and Volvo also abandoned the V8 along with the I5 & I6 engines. The Volvo V8 lives on as a series of Yamaha V8 outboard marine engines.

[RickHaleParker]

Not trying to hijack the thread, but does anyone have links to the "Car Config Editor" software? Successfully read the flash from my '05 XC90 CEM-H, and I'd like to change some parameters.

Thanks in advance!

Volvo Car Config Editor V2.5 does not read flash files. With VCCE you need a .vbf file, a .ini file and a PIN code. I have sample VBFs and INIs for P1 & P3 but none for P2.

A hex editor will work for you once you figure out the locations and the values.

[viper]

Who still searches his pincode and has a P2 car from model year 2006-

Just a DICE-206751 is enough to crack pin and dump full flash without any risk.

(or 2005- CEM with series number starting by 0000491...)

How it possible to get? Intrested for v8 xc90 2008MY

[T5Luke]

It is clean. I ran it thorough 15 other virus checkers and they all say it is clean. Only Microsoft Defender Offender got it wrong.

Defender shows me nothing. Don't know why you get something...

I develop this things on a Windows 7 VM where i try and use other "car software from the internet". From time to time there are not so clean files so i can't give guarantees like nobody can give when he don't know where all his software is from.

Also this quick files hosters often put some malware on this files to earn also some money...

I do this just for fun and i dont know where this project leads to...
I guess we will quickly notice how this company from Czech catches up and offers a UDS attac for P2, they will get the last cent out of this...

It will put my 2005 XC90 T6 serial number 1188434 in programing mode. Then error error error error error error ... when it tries to do UDS. Had to disconnect battery to get it out of programing mode.

If you are right about 2006 + being UDS compatible. We can do 2006+ with UDS and -2005 with timing side attack.

I wounder if the 2006+ P1s are UDS compatible.

This shaped cem entered market with MY 2005, 10th place of VIN is 5 for a quick check...

The first versions had a 512kb flash CPU with a different bootloader.

With the CEM starting at series number 0000491... (late MY2005 models) they replaced this CPU by the 320kb version and wrote a different bootloader. This bootloader supports UDS and P2. In all normal P2s it works in P2 mode and in V8 or 3.2 engine it changes to UDS mode on engine bus.

About P1 i don't know mouch, i have no interests, but i have seens some later models which use UDS. Take a can logger like your teensy and find out...

[RickHaleParker]

This bootloader supports UDS and P2.

A P2 bootloader that can read and write is high on VTL's wish list but he listing a 2005 XC70.
So far we have not gotten past the PIN crack on a P2. I do recall you said you had one but decided to wait until the PIN crack was finished.

We got a P1 bootloader that sort of works, not ready for prime time. It has bricked some of the test P1 CEMs. They where recovered by wiring the PCB to a programmer and and flashing a copy of the original dump.

[T5Luke]

This bootloader supports UDS and P2.

No, you misunderstood, the can devices in car all have primary bootloaders (PBL), at boot this loader runs and waits a few ms for can frames to turn the device into programming mode. If there come no msgs in, the bootloader jumps into the main programm for normal operation mode. The primary bootloader keeps the device ready to reprog even if the main programm is missing. A secondary bootloader is loaded into ram by this primary bootloader and can be executed for further tasks like reprogramming. The secondary bootloader normaly should not be able to erase the primary bootloader from flash.

The primary bootloader also handles the authorisation, it checks the code and allows on a right pin to upload the second bootloader into ram. The bootloader of the newer cems allow authorisation by P2 msgs and by UDS msgs...

Yes i worked on a loader, i can read the entire flash and eeprom by can bus without any prob in any p2 device, but i had problems if i call the erase command with my bootloader, it sometimes works, but sometimes it brings the device in an unstable state, it erases the primary bootloader and crashes. I also needed to recover by manual connection. I do this as a free project for fun and maybe i can get it working when i come to this.

We got a P1 bootloader that sort of works, not ready for prime time.

Cool who is involved in this?