Vida CEM swapping

volvofrank · Post by **volvofrank** » 21 May 2023, 02:42

@vtl: Do you know if it's possible to retrieve / brute force / time attack the Immobilizer Code as well?
Or do you know the steps needed....?

I am on a Volvo P1.

sunjacobc · Post by **sunjacobc** » 26 May 2023, 02:00

Who can directly obtain the vehicle PIN through the VIN and contact me

oscilloscope · Post by **oscilloscope** » 26 May 2023, 15:53

sunjacobc wrote: ↑26 May 2023, 02:00 Who can directly obtain the vehicle PIN through the VIN and contact me

as far as i know its not possible. you have to have a dump of the cem to gain the pin or crack it.

Post by **vtl** » 30 May 2023, 18:18

volvofrank wrote: ↑21 May 2023, 02:42 @vtl: Do you know if it's possible to retrieve / brute force / time attack the Immobilizer Code as well?
Or do you know the steps needed....?

I am on a Volvo P1.

Perhaps, yes? If it uses the same principle like CEM pin code.

nikemen · Post by **nikemen** » 08 Jun 2023, 14:11

Hello there !

I'm sorry if what I asked was answered before, I searched it but didn't find it.
I got the PCB from https://www.pcbway.com/project/sharepro ... 037d5.html and soldered the Teensy and the CF160 chips.
All I get is this, no matter in what position the car's key is in:

Code: Select all

CPU Maximum Frequency:   600000000
CPU Frequency:           180000000
Execution Rate:          180 cycles/us
PIN bytes to measure:    3
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
Can't find part number on CAN-LS, trying CAN-HS at 500 Kbps
CAN high-speed init done.
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
Unknown CEM part number 0. Don't know what to do.
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

I'm thinking the problem is the lack of R1 and R2 in the PCB design. I wrote to the designer but got no answer.
I'm a total newbie, can someone help me get this running ?

PS: My car is a 2012 C30 T5.

Post by **vtl** » 08 Jun 2023, 17:00

nikemen wrote: ↑08 Jun 2023, 14:11 I'm thinking the problem is the lack of R1 and R2 in the PCB design. I wrote to the designer but got no answer.
I'm a total newbie, can someone help me get this running ?

PS: My car is a 2012 C30 T5.

Try to comment out CEM_PN_AUTODETECT: https://github.com/vtl/volvo-cem-cracke ... er.ino#L14

Also if I remember correctly, P1 cracks without key inserted. You may want to try that first.

oscilloscope · Post by **oscilloscope** » 10 Jun 2023, 10:20

Folks I know this thread is regarding the cem cracker.

Now in the background I have been looking to reverse engineer the old synchro software which was avaliable from Codecard for the sid807evo with the white cem 2. It has not been easy I had to inlist some help from a developer who more about the encrypted data which was shielding certain parts of the program. , anyway further digging it was discovered that the program is no more then a glorified gateway and none of the synchronisation is performed locally it's performed on a remote server or even a human does it who knows , since the software has been discontinued there is no chance of finding this out

Now My next question is , if I where to go it alone and Try to make my own software which performs this task. My guess is I can capture the packets from DiCE via vidia. , and "see" what or how it is performed on a test mule vehicle. And then analyse the bin file before and after.

Firstly what tools should I use ?
I'm guessing a CAN bus capture oscilloscope, or a logic analyzer, directly connected too the ram on the cem & ecu or the mcu of both modules.

Thoughts , suggestions , ideas , whatever cool beans

prometey1982 · Post by **prometey1982** » 10 Jun 2023, 16:25

oscilloscope wrote: ↑10 Jun 2023, 10:20 Folks I know this thread is regarding the cem cracker.

Now in the background I have been looking to reverse engineer the old synchro software which was avaliable from Codecard for the sid807evo with the white cem 2. It has not been easy I had to inlist some help from a developer who more about the encrypted data which was shielding certain parts of the program. , anyway further digging it was discovered that the program is no more then a glorified gateway and none of the synchronisation is performed locally it's performed on a remote server or even a human does it who knows , since the software has been discontinued there is no chance of finding this out

Now My next question is , if I where to go it alone and Try to make my own software which performs this task. My guess is I can capture the packets from DiCE via vidia. , and "see" what or how it is performed on a test mule vehicle. And then analyse the bin file before and after.

Firstly what tools should I use ?
I'm guessing a CAN bus capture oscilloscope, or a logic analyzer, directly connected too the ram on the cem & ecu or the mcu of both modules.

Thoughts , suggestions , ideas , whatever cool beans

You need to use CAN sniffing software like CAN hacker. It's very strange to use oscilloscope to analyze CAN packets.

Post by **vtl** » 10 Jun 2023, 17:53

oscilloscope wrote: ↑10 Jun 2023, 10:20 Folks I know this thread is regarding the cem cracker.

Now in the background I have been looking to reverse engineer the old synchro software which was avaliable from Codecard for the sid807evo with the white cem 2. It has not been easy I had to inlist some help from a developer who more about the encrypted data which was shielding certain parts of the program. , anyway further digging it was discovered that the program is no more then a glorified gateway and none of the synchronisation is performed locally it's performed on a remote server or even a human does it who knows , since the software has been discontinued there is no chance of finding this out

Now My next question is , if I where to go it alone and Try to make my own software which performs this task. My guess is I can capture the packets from DiCE via vidia. , and "see" what or how it is performed on a test mule vehicle. And then analyse the bin file before and after.

Firstly what tools should I use ?
I'm guessing a CAN bus capture oscilloscope, or a logic analyzer, directly connected too the ram on the cem & ecu or the mcu of both modules.

Get a cheap logic analyzer, capture the CAN traffic. Most likely your software uses standard protocol. Then you'll see what it writes to which addresses.

Post by **vtl** » 10 Jun 2023, 17:56

prometey1982 wrote: ↑10 Jun 2023, 16:25 You need to use CAN sniffing software like CAN hacker. It's very strange to use oscilloscope to analyze CAN packets.

Modern digital oscilloscopes have packet analyzers. My not the most expensive Rigol DS2072A does it, and I bought it a decade ago. It is not the most convenient, especially without control software on a PC. I prefer a dedicated logic analyzer.

Vida CEM swapping

Re: Vida CEM swapping