Vida CEM swapping

[T5Luke]

How is one ment to over write the entry if its already been converted to machine language. ?

No, this is stored as normal text string, machine won't interpret it...
Just search and replace...

[duzi]

it seems that the "SMOK UHDS" gentleman also reads this branch. L (H) cem pin reading added in new update,True, with the year 2002 he was mistaken ..Guys you make the world a better place t.y

[Bryt]

Here have fun with it:

Code: Select all

#define BKPT 4
#define RESET 5
#define FREEZE 6
#define DSI 7
#define DSO 8

static word CMD_READ = 0x1940;
static word CMD_GO = 0x0C00;
static word CMD_WRITEM = 0x1840;

char command;
int n_line;

void setup() {
  // put your setup code here, to run once:
  pinMode(BKPT, OUTPUT);
  digitalWrite(BKPT, HIGH);
  pinMode(RESET, OUTPUT);
  digitalWrite(RESET, LOW);
  pinMode(FREEZE, INPUT);
  pinMode(DSI, OUTPUT);
  digitalWrite(DSI, LOW);
  pinMode(DSO, INPUT);
  Serial.begin(57600);
  while(!Serial){
  }
  Serial.println(F("Arduino CEM Reader, press:"));
  Serial.println();
  Serial.println(F("e: enter BDM Mode"));
  Serial.println(F("l: leave BDM (experimental)"));
  Serial.println(F("r: read complete memory"));
  Serial.println(F("b: read Boot 0-3FFF"));
  Serial.println(F("s: read security block 4000-7FFF"));
  Serial.println(F("d: read car data 8000-1FFFF"));
  Serial.println(F("f: read firmware 20000-7FFFF"));
  Serial.println(F("c: BD32 Command Mode")); 
  
  

}

void loop() {
  // put your main code here, to run repeatedly:
    if (Serial.available()) {
      command = Serial.read();
      switch (command)
      {
        case 'e':
        Serial.println("Enter BDM");
        digitalWrite(BKPT, LOW);
        delay(10);
        digitalWrite(RESET, HIGH);
        delay(100);
        Serial.println(digitalRead(FREEZE));
        break;

        case 'l':
        Serial.println("leave BDM");
        shift_BKPT_up();
        digitalWrite(RESET, LOW);
        delay(10);
        digitalWrite(RESET, HIGH);
        wait_openchannel();
        bdm_command(CMD_GO);
        digitalWrite(DSO, LOW);
        shift_BKPT_up();

        
        Serial.println(digitalRead(FREEZE));
        break;

        case 'r':
        Serial.println("Read FLASH");
       
        for (unsigned long offset = 0x0000; offset<=0x7FFFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 'b':
        Serial.println(F("Read bootblock"));
       
        for (unsigned long offset = 0x0000; offset<=0x3FFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 's':
        Serial.println(F("Read securityblock"));
       
        for (unsigned long offset = 0x4000; offset<=0x7FFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 'd':
        Serial.println(F("Read cardata"));
       
        for (unsigned long offset = 0x8000; offset<=0x1FFFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 'f':
        Serial.println(F("Read firmware"));
       
        for (unsigned long offset = 0x10000; offset<=0x7FFFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 'c':
        Serial.println(F("BD32 Command Mode"));

        serialFlush();
        while(!Serial.available());
        {
        }
        break;

        default:
        break;

        case 'i':
        Serial.println("wipe");
        for (int i=0; i<=250; i++)
        {
          digitalWrite(BKPT, LOW);
          delay(1);
          digitalWrite(BKPT, HIGH);
          delay(1);
        }
        break;
      }
    }

}


void shiftRWord(unsigned long val)
{
    word i;
    word lowbyte = val;
    word hibyte = val >> 16;

    //Wait for DSO to get 0 => gets ready
   wait_openchannel();

    bdm_command(CMD_READ);
    shift_BKPT_up();
    shift_BKPT_up();
    


     for (i = 0; i < 16; i++)  {  //HighByte


        digitalWrite(DSI, !!(hibyte & (1 << (15 - i))));
        shift_BKPT_up();
    }
        digitalWrite(DSI, LOW);
        delayMicroseconds(1);
        shift_BKPT_up();



     for (i = 0; i < 16; i++)  {  //LowByte


        digitalWrite(DSI, !!(lowbyte & (1 << (15 - i))));
        shift_BKPT_up();
    }
    digitalWrite(DSI, LOW);
    delayMicroseconds(1);


    word W_Read;

    for (i= 0; i < 1; i++)   //Read Status Byte
    {
      //digitalWrite(BKPT, HIGH);
      //delayMicroseconds(1);
      digitalWrite(BKPT, LOW);
      delayMicroseconds(1);
      //Serial.print(digitalRead(DSO));
    }

    for (i= 0; i < 16; i++) //Read back
    {
      digitalWrite(BKPT, HIGH);
      delayMicroseconds(1);
      digitalWrite(BKPT, LOW);
      delayMicroseconds(1);
      //Serial.print(digitalRead(DSO));
       bitWrite(W_Read,(15-i),digitalRead(DSO));
    }

    check_lzero(W_Read);

    if (n_line <=6)
    {        
       Serial.print(W_Read,HEX);
       Serial. print(" ");
       n_line++;
    }else{
      Serial.println(W_Read,HEX);
      n_line = 0;
    }

   
    //return W_Read;
}


 void write_Register(word cmd, unsigned long addr)
 {
    word lowbyte = addr;
    word hibyte = addr >> 16;

    wait_openchannel(); //Wait for DSO to get 0 => gets ready
    bdm_command2(cmd);
    shift_BKPT_up();

    for (int i = 0; i < 16; i++)  {  //HighByte OFFSET
        digitalWrite(DSI, !!(hibyte & (1 << (15 - i))));
        shift_BKPT_up();
    }
    digitalWrite(DSI, LOW);
    delayMicroseconds(1);
    shift_BKPT_up();

    for (int i = 0; i < 16; i++)  {  //LowByte OFFSET
        digitalWrite(DSI, !!(lowbyte & (1 << (15 - i))));
        shift_BKPT_up();
    }
    digitalWrite(DSI, LOW);
    delayMicroseconds(1);
 }
 

 void check_lzero(word W_Read){
      if (W_Read < 0x10)
      {
        Serial.print("000");
        return;
      }
        
      if (W_Read < 0x100)
      {
        Serial.print("00");
        return;
      }
      if (W_Read < 0x1000)
      {
        Serial.print("0");
        return;
      }
     }

 void shift_BKPT_up()
 {
      digitalWrite(BKPT, LOW);
      delayMicroseconds(1);
      digitalWrite(BKPT, HIGH);
      delayMicroseconds(1);
 }

 void wait_openchannel()
 {
      while(digitalRead(DSO)!=0)
    {
      shift_BKPT_up();
    }
     while(digitalRead(DSO)!=1)
    {
      shift_BKPT_up();
    }
 }

 void bdm_command(word command)
 {
  for (int i = 0; i < 15; i++)  {  
        digitalWrite(DSI, !!(command & (1 << (15 - i))));
        shift_BKPT_up();
    }
  digitalWrite(DSI, LOW);
 }

  void bdm_command2(word command)
 {
  for (int i = 0; i < 16; i++)  {  
        digitalWrite(DSI, !!(command & (1 << (15 - i))));
        shift_BKPT_up();
    }
  digitalWrite(DSI, LOW);
 }

 void serialFlush(){
  while(Serial.available() > 0) {
    char t = Serial.read();
  }
}   

Does anyone have schematic for the pins?

[T5Luke]

Here...

2 options, connect the 5V line at the capacitor, or connect the 12V at the CEMs main connector. Both connections 5V and +12V are not needed together...

Masse means GND
If you use 12V power supply connect GND from it also to arduios GND, so they should have common GND.

[Bryt]

Thanks T5Luke!

[urosm]

it seems that the "SMOK UHDS" gentleman also reads this branch. L (H) cem pin reading added in new update,True, with the year 2002 he was mistaken ..Guys you make the world a better place t.y

SMOK UHDS works easily.
I tried last night to read the PIN from some CEM I have at service.

2 of 3 are read without problem on the bench. 1st is read in 10 minutes, the second one in 5 minutes.
The second one has a flash from 2012/2013 XC90.
From 3rd won't read PIN, but I think some corrupted flash written into it.
And the last one I tried in my 2008 XC90 thru OBD. In 5 minutes PIN was found.

[oscilloscope]

it seems that the "SMOK UHDS" gentleman also reads this branch. L (H) cem pin reading added in new update,True, with the year 2002 he was mistaken ..Guys you make the world a better place t.y

SMOK UHDS works easily.
I tried last night to read the PIN from some CEM I have at service.

2 of 3 are read without problem on the bench. 1st is read in 10 minutes, the second one in 5 minutes.
The second one has a flash from 2012/2013 XC90.
From 3rd won't read PIN, but I think some corrupted flash written into it.
And the last one I tried in my 2008 XC90 thru OBD. In 5 minutes PIN was found.

I was talking to the dev at SMOK and I wanted to know if the 0012 add on works on bench. As it can read all sorts of ecus. Sid807evo , Edc16c34 , newer cems to copy the info for cloning , which might be handy for pin reading.

[duzi]

what's the point, of reading a pin if it doesn't read the flash or config...without ioterminal, still have to remove the module

[oscilloscope]

what's the point, of reading a pin if it doesn't read the flash or config...without ioterminal, still have to remove the module

Eh ? You don't need iot , you can use xprog , carprog , orange5 (not all mcu is covered) , etl iprog , vvdi things like that. , but if you mean for convince its not always easy. To just plug in and it makes it all happen. Is that what you mean?

[vtl]

what's the point, of reading a pin if it doesn't read the flash or config...without ioterminal, still have to remove the module

The main point was I needed something to fight my boring job a few years ago, to do something fun and brain-involved.