What are these CEMs part numbers?oscilloscope wrote: ↑21 Oct 2022, 04:24 Unfortunately my other test cem was not able to be decoded. With the cracker. Which is disappointing, I have another cem to play around with I managed to score from ebay for £20 quid. I'll certainly will be trying it on that too
It managed to capture 6 numbers in total. Not the full amount, it tries to perform the bute force attack and then fails. , i still have it hooked up to my rig and I'll do afew passes to see.vtl wrote: ↑21 Oct 2022, 10:13What are these CEMs part numbers?oscilloscope wrote: ↑21 Oct 2022, 04:24 Unfortunately my other test cem was not able to be decoded. With the cracker. Which is disappointing, I have another cem to play around with I managed to score from ebay for £20 quid. I'll certainly will be trying it on that too
How about repeatability of the first two bytes in the pin, do you get the same numbers on every run?
Rick had problems with 31394157 as well, not sure of his resolution.oscilloscope wrote: ↑21 Oct 2022, 10:40 It managed to capture 6 numbers in total. Not the full amount, it tries to perform the bute force attack and then fails. , i still have it hooked up to my rig and I'll do afew passes to see.
Cem part number 31394157
Some CEMs are hard to crack. The cracker usually fails on third byte. I did analysis a few dozens of pages ago, and came to conclusion it happens because of the pin comparison code layout in memory. It seems the cracker sees a latency bump of CPU cache line being fetched from the flash, or something like that. Instructions executing within one cache line do add latency, but it is small and is hidden by the coarse CAN transfer. Going from line to line adds lot more latency. Which is still barely visible over the CAN, but visible.
For some odd reason my previous quoted messaged disappearedvtl wrote: ↑21 Oct 2022, 11:13Rick had problems with 31394157 as well, not sure of his resolution.oscilloscope wrote: ↑21 Oct 2022, 10:40 It managed to capture 6 numbers in total. Not the full amount, it tries to perform the bute force attack and then fails. , i still have it hooked up to my rig and I'll do afew passes to see.
Cem part number 31394157
Also is it from MY2006+ car? 2006+ can be cracked with P3 protocol. T5Luke posted his program to crack it via DiCE.
That is so flippin cool , I have been reading up on various topics regarding detection of transistor reaction times and the physical movement being detected and taken advantage of and how the doppler affects it. , It just reminded me of that.vtl wrote: ↑21 Oct 2022, 11:31Some CEMs are hard to crack. The cracker usually fails on third byte. I did analysis a few dozens of pages ago, and came to conclusion it happens because of the pin comparison code layout in memory. It seems the cracker sees a latency bump of CPU cache line being fetched from the flash, or something like that. Instructions executing within one cache line do add latency, but it is small and is hidden by the coarse CAN transfer. Going from line to line adds lot more latency. Which is still barely visible over the CAN, but visible.
157 is among those CEMs, which have its portion of the third byte comparison code living on the cache line where the second byte lives.
My own donor CEM is among those hard to crack, which explains why T5Luke and I have been stumbled for so long while finding a proper timing attack method. It finally gave up and revealed its pin. After that I've reloaded my CEM with other's "die hard" CEM softwares many times. At the end, all were able to crack.
The cracker is also very sensitive to the quality of a hw implementation. I use a thin 30 AWG copper wires for signals, 14 AWG for power, low noise power supply, etc. Building a stability benchmark using a 300 MHz oscilloscope and a specially crafted cracker software I saw my hw is very stable and runs in a very narrow detection range. It was able to catch a logic level shift in nanoseconds range with low deviation - more than enough for CEM cracking.
I don't know, maybe local beer differences kick in? British beer is not bitter enough? T5Luke's German beer is on a bitter side of Pilsners. I'm not even mentioning a typical American beer... Maybe order some Double IPAs from over the pond?oscilloscope wrote: ↑21 Oct 2022, 12:14 My power supply is a regulated on bench type , hopefully it's up too the job for this. , I am powering my teensy via USB through the computer. I don't have a purpose made 5v reg going into it to power it up.
vtl wrote: ↑21 Oct 2022, 12:38I don't know, maybe local beer differences kick on? British beer is not bitter enough? T5Luke's German beer is on a bitter side of Pilsners. I'm not even mentioning a typical American beer... Maybe order some Double IPAs from over the pond?oscilloscope wrote: ↑21 Oct 2022, 12:14 My power supply is a regulated on bench type , hopefully it's up too the job for this. , I am powering my teensy via USB through the computer. I don't have a purpose made 5v reg going into it to power it up.
eh ? 
