
Vida CEM swapping

RickHaleParker
Posts: 7087
Joined: 25 May 2015, 14:30
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 917 times

Re: Vida CEM swapping

Post by RickHaleParker »

dikidera wrote: 28 Nov 2022, 14:17 I also got a bit more information. VIDA uses D2 protocol over CAN over J2534,
P1 - P3 D2 and/or GGD protocol.
P5 - P6 (SPA & CMA ) VDS protocol.

D2 – Volvo Diagnostics II
GGD – Generic Global Diagnostic Specification.
VDS – Volvo Diagnostics and Software download
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.

Quinten299
Posts: 1
Joined: 30 Nov 2022, 04:44
Year and Model: 2013 V40
Location: Zoetermeer

Post by Quinten299 »

Hello,

I don't know if this issue was mentioned before, but I made the tool but I think it is not working correctly. As shown in the picture, the CEM keeps exiting programming mode and then entering it again. The car is a P3 Volvo V40 2013 (with start/stop button). When I connect the OBD connector the car goes into programming mode and the decode starts, but after a few seconds it stops and then starts over again.

The hardware I am using is:
Teensy 4.1 (4.0 is not for sale anymore)
2x sn65hvd230dr
and the rest of the needed hardware.

Does anyone know what the problem is or is it working correctly?
Attachment: Output_CEM_Decode.JPG (75.25 KiB)

vtl
Posts: 3301
Joined: 16 Aug 2012, 13:35
Year and Model: 2005 XC70
Location: Boston
Has thanked: 39 times
Been thanked: 281 times

Post by vtl »

Copying a reply to the private message: "The car falls out of programming mode, the cracker puts it back and continues. You can try to tweak how often the keep alive message is sent here: https://github.com/vtl/volvo-cem-cracke ... .ino#L1141 Or even add a delay in the inner for cycle, some CEMs can't survive high speed cracking.

Or leave it as is, it is still making progress even with fall offs."
05 XC70, 19 Tundra, 22 Sequoia, 16 XC60 (sold), 05 XC70 (crashed), 02 V70 (sold)
P1+P2+P3 CEM PIN-code retrieval DIY thread

oscilloscope
Posts: 174
Joined: 20 May 2022, 16:12
Year and Model: 2005
Location: uk
Has thanked: 18 times
Been thanked: 8 times

Post by oscilloscope »

Folks, I'm messing around with an EEPROM dump off a P2 CEM (the older white style), and trying to view the data. But it's encrypted of course. It carries the 9s12 1k79X. I am aware IOT terminal and various tools can read this MCU and I believe can decrypt them too, but I figured what the hell, I'll mess around with it. So I passed it through CyberChef and it's not exactly very clear how to decrypt the file. Any suggestions for a learner?

oscilloscope
Posts: 174
Joined: 20 May 2022, 16:12
Year and Model: 2005
Location: uk
Has thanked: 18 times
Been thanked: 8 times

Post by oscilloscope »

oscilloscope wrote: 30 Nov 2022, 14:55 Folks, I'm messing around with an EEPROM dump off a P2 CEM (the older white style), and trying to view the data. But it's encrypted of course. It carries the 9s12 1k79X. I am aware IOT terminal and various tools can read this MCU and I believe can decrypt them too, but I figured what the hell, I'll mess around with it. So I passed it through CyberChef and it's not exactly very clear how to decrypt the file. Any suggestions for a learner?
Doesn't really make much sense. I had another go with Ghidra; "allegedly" it can read 9s12 MCUs, but I can't see it in the drop-downs.

dikidera
Posts: 150
Joined: 15 Aug 2022, 09:59
Year and Model: S60 2005
Location: Galaxy far far away
Has thanked: 2 times
Been thanked: 11 times

Post by dikidera »

I modified the npkern bootloader to have it point _main as the entrypoint as opposed to the original stub which was there to move the code elsewhere, but this doesn't concern us as the Hilton commands show we can write our code anywhere in memory we want. I removed all references to code trying to enable flashing to the Sh7055 ROM as that is not my goal for now.

It is worth noting that I do not know how to check for the lithography size of the Sh7055 MCU as there seem to be very slight differences depending on which year it was produced.

Rough guess, and it's a guess: 350nm older style with 250kbps speed and 180nm newer style, e.g. 2005+, with 500kbps speeds. A CPUID equivalent would have been nice.

I will be uploading the code soon; the only concern I have is my inability to verify the state of the running code. Furthermore, the Nissan ECUs seem to need a pin to be toggled every few ms to alert the Watchdog Timer that the ECU has not crashed/deadlocked/whatever. It is unknown whether we have something like that, but it will become apparent if the ECU gets reset.

vtl
Posts: 3301
Joined: 16 Aug 2012, 13:35
Year and Model: 2005 XC70
Location: Boston
Has thanked: 39 times
Been thanked: 281 times

Post by vtl »

oscilloscope wrote: 30 Nov 2022, 14:55 Folks, I'm messing around with an EEPROM dump off a P2 CEM (the older white style), and trying to view the data. But it's encrypted of course. It carries the 9s12 1k79X. I am aware IOT terminal and various tools can read this MCU and I believe can decrypt them too, but I figured what the hell, I'll mess around with it. So I passed it through CyberChef and it's not exactly very clear how to decrypt the file. Any suggestions for a learner?
Right in this topic, a year ago ;) viewtopic.php?p=585009#p585009
05 XC70, 19 Tundra, 22 Sequoia, 16 XC60 (sold), 05 XC70 (crashed), 02 V70 (sold)
P1+P2+P3 CEM PIN-code retrieval DIY thread

oscilloscope
Posts: 174
Joined: 20 May 2022, 16:12
Year and Model: 2005
Location: uk
Has thanked: 18 times
Been thanked: 8 times

Post by oscilloscope »

vtl wrote: 01 Dec 2022, 09:05
oscilloscope wrote: 30 Nov 2022, 14:55 Folks, I'm messing around with an EEPROM dump off a P2 CEM (the older white style), and trying to view the data. But it's encrypted of course. It carries the 9s12 1k79X. I am aware IOT terminal and various tools can read this MCU and I believe can decrypt them too, but I figured what the hell, I'll mess around with it. So I passed it through CyberChef and it's not exactly very clear how to decrypt the file. Any suggestions for a learner?
Right in this topic, a year ago ;) viewtopic.php?p=585009#p585009
Oh wow! Thank you vtl for the forward, I'll pass that through CyberChef and see what goodies it comes back with.

oscilloscope
Posts: 174
Joined: 20 May 2022, 16:12
Year and Model: 2005
Location: uk
Has thanked: 18 times
Been thanked: 8 times

Post by oscilloscope »

vtl wrote: 01 Dec 2022, 09:05
oscilloscope wrote: 30 Nov 2022, 14:55 Folks, I'm messing around with an EEPROM dump off a P2 CEM (the older white style), and trying to view the data. But it's encrypted of course. It carries the 9s12 1k79X. I am aware IOT terminal and various tools can read this MCU and I believe can decrypt them too, but I figured what the hell, I'll mess around with it. So I passed it through CyberChef and it's not exactly very clear how to decrypt the file. Any suggestions for a learner?
Right in this topic, a year ago ;) viewtopic.php?p=585009#p585009
The small section of code works, now to try and figure out how to get it to work with a hex dump standalone file, and search it and decrypt it :D

dikidera
Posts: 150
Joined: 15 Aug 2022, 09:59
Year and Model: S60 2005
Location: Galaxy far far away
Has thanked: 2 times
Been thanked: 11 times

Post by dikidera »

So I experimented like so:
I sent 4 byte code via 7A9CFFFF0000 (jump to address).
Then I wrote the 4 bytes which were AFFB0009, which corresponds to an empty while(1) { }, with the command 7AAEAFFB0009.
Then I did 7AA8 (to set SBL bootloader end).
And then did 7A9CFFFF0000 and finally jump to code via 7AC0

This caused the ECU to reset. I am unsure if the command ran or not, but I can only hope and assume it did.
