Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
sunjacobc
Posts: 1
Joined: 26 May 2023
Year and Model: S90
Location: CA

Re: Vida CEM swapping

Post by sunjacobc »

Who can directly obtain the vehicle PIN through the VIN and contact me

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

sunjacobc wrote: 26 May 2023, 02:00 Who can directly obtain the vehicle PIN through the VIN and contact me
As far as I know it's not possible. You have to have a dump of the CEM to gain the PIN or crack it.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 603 times

Post by vtl »

volvofrank wrote: 21 May 2023, 02:42 @vtl: Do you know if it's possible to retrieve / brute force / time attack the Immobilizer Code as well?
Or do you know the steps needed....?

I am on a Volvo P1.
Perhaps, yes? If it uses the same principle as the CEM PIN code.

nikemen
Posts: 10
Joined: 9 January 2023
Year and Model: 2012 C30 T5
Location: Buenos Aires
Has thanked: 3 times
Been thanked: 1 time

Post by nikemen »

Hello there!

I'm sorry if what I asked was answered before, I searched it but didn't find it.
I got the PCB from https://www.pcbway.com/project/sharepro ... 037d5.html and soldered the Teensy and the CF160 chips.
All I get is this, no matter what position the car's key is in:

CPU Maximum Frequency:   600000000
CPU Frequency:           180000000
Execution Rate:          180 cycles/us
PIN bytes to measure:    3
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
Can't find part number on CAN-LS, trying CAN-HS at 500 Kbps
CAN high-speed init done.
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
Unknown CEM part number 0. Don't know what to do.
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
I'm thinking the problem is the lack of R1 and R2 in the PCB design. I wrote to the designer but got no answer.
I'm a total newbie, can someone help me get this running?

PS: My car is a 2012 C30 T5.
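
A way to read the log in the post above, added here as an example (not code from the thread or from the volvo-cem-cracker project): it counts frames per bus and direction, so a run in which requests go out and nothing comes back is obvious at a glance. The `<---` arrow for received frames is an assumption, since only `--->` lines appear on the page; the sample is a constructed excerpt in the same format.

```python
import re
from collections import Counter

# Frame line format as it appears in the posted output. The "<---" arrow for
# received frames is an assumption; only "--->" appears on the page.
FRAME = re.compile(
    r"^CAN_(?P<bus>[HL]S) (?P<dir>--->|<---) ID=(?P<id>[0-9a-f]{8}) "
    r"data=(?P<data>(?:[0-9a-f]{2} ?){8})\s*$")

# Constructed sample: a shortened excerpt in the same format as the posted log.
SAMPLE = """\
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
Can't find part number on CAN-LS, trying CAN-HS at 500 Kbps
CAN high-speed init done.
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
Unknown CEM part number 0. Don't know what to do.
"""

def summarize(log):
    """Count frames per (bus, direction) and collect the distinct payloads."""
    counts, payloads = Counter(), {}
    for line in log.splitlines():
        m = FRAME.match(line)
        if not m:
            continue  # status text, not a frame line
        key = (m["bus"], "tx" if m["dir"] == "--->" else "rx")
        counts[key] += 1
        payloads.setdefault(key, set()).add(bytes.fromhex(m["data"]))
    return counts, payloads

def silent_buses(counts):
    """Buses on which frames were sent but none were logged as received."""
    return sorted(bus for (bus, d), n in list(counts.items())
                  if d == "tx" and n and counts.get((bus, "rx"), 0) == 0)

if __name__ == "__main__":
    counts, payloads = summarize(SAMPLE)
    for (bus, d), n in sorted(counts.items()):
        print(bus, d, n, sorted(p.hex(" ") for p in payloads[(bus, d)]))
    print("no replies logged on:", silent_buses(counts))
```
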

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 603 times

Post by vtl »

nikemen wrote: 08 Jun 2023, 14:11 I'm thinking the problem is the lack of R1 and R2 in the PCB design. I wrote to the designer but got no answer.
I'm a total newbie, can someone help me get this running?

PS: My car is a 2012 C30 T5.
Try to comment out CEM_PN_AUTODETECT: https://github.com/vtl/volvo-cem-cracke ... er.ino#L14

Also if I remember correctly, P1 cracks without key inserted. You may want to try that first.

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

Folks, I know this thread is regarding the CEM cracker.

Now, in the background I have been looking to reverse engineer the old synchro software which was available from Codecard for the sid807evo with the white CEM 2. It has not been easy; I had to enlist some help from a developer who knows more about the encrypted data which was shielding certain parts of the program. Anyway, on further digging it was discovered that the program is no more than a glorified gateway and none of the synchronisation is performed locally; it's performed on a remote server, or even a human does it, who knows. Since the software has been discontinued there is no chance of finding this out :(

Now my next question is, if I were to go it alone and try to make my own software which performs this task. My guess is I can capture the packets from DiCE via VIDA, and "see" what or how it is performed on a test mule vehicle. And then analyse the bin file before and after.

Firstly, what tools should I use?
I'm guessing a CAN bus capture oscilloscope, or a logic analyzer, directly connected to the RAM on the CEM & ECU or the MCU of both modules.

Thoughts, suggestions, ideas, whatever cool beans :D

prometey1982
Posts: 46
Joined: 5 June 2021
Year and Model: 2010 XC90
Location: Novosibirsk
Has thanked: 4 times
Been thanked: 5 times

Post by prometey1982 »

oscilloscope wrote: 10 Jun 2023, 10:20 Folks, I know this thread is regarding the CEM cracker.

Now, in the background I have been looking to reverse engineer the old synchro software which was available from Codecard for the sid807evo with the white CEM 2. It has not been easy; I had to enlist some help from a developer who knows more about the encrypted data which was shielding certain parts of the program. Anyway, on further digging it was discovered that the program is no more than a glorified gateway and none of the synchronisation is performed locally; it's performed on a remote server, or even a human does it, who knows. Since the software has been discontinued there is no chance of finding this out :(

Now my next question is, if I were to go it alone and try to make my own software which performs this task. My guess is I can capture the packets from DiCE via VIDA, and "see" what or how it is performed on a test mule vehicle. And then analyse the bin file before and after.

Firstly, what tools should I use?
I'm guessing a CAN bus capture oscilloscope, or a logic analyzer, directly connected to the RAM on the CEM & ECU or the MCU of both modules.

Thoughts, suggestions, ideas, whatever cool beans :D
You need to use CAN sniffing software like CAN hacker. It's very strange to use an oscilloscope to analyze CAN packets.
They will simply drop dead, and we will go to heaven.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 603 times

Post by vtl »

oscilloscope wrote: 10 Jun 2023, 10:20 Folks, I know this thread is regarding the CEM cracker.

Now, in the background I have been looking to reverse engineer the old synchro software which was available from Codecard for the sid807evo with the white CEM 2. It has not been easy; I had to enlist some help from a developer who knows more about the encrypted data which was shielding certain parts of the program. Anyway, on further digging it was discovered that the program is no more than a glorified gateway and none of the synchronisation is performed locally; it's performed on a remote server, or even a human does it, who knows. Since the software has been discontinued there is no chance of finding this out :(

Now my next question is, if I were to go it alone and try to make my own software which performs this task. My guess is I can capture the packets from DiCE via VIDA, and "see" what or how it is performed on a test mule vehicle. And then analyse the bin file before and after.

Firstly, what tools should I use?
I'm guessing a CAN bus capture oscilloscope, or a logic analyzer, directly connected to the RAM on the CEM & ECU or the MCU of both modules.
Get a cheap logic analyzer, capture the CAN traffic. Most likely your software uses a standard protocol. Then you'll see what it writes to which addresses.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 603 times

Post by vtl »

prometey1982 wrote: 10 Jun 2023, 16:25 You need to use CAN sniffing software like CAN hacker. It's very strange to use an oscilloscope to analyze CAN packets.
Modern digital oscilloscopes have packet analyzers. My not the most expensive Rigol DS2072A does it, and I bought it a decade ago. It is not the most convenient, especially without control software on a PC. I prefer a dedicated logic analyzer.

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

vtl wrote: 10 Jun 2023, 17:56
prometey1982 wrote: 10 Jun 2023, 16:25 You need to use CAN sniffing software like CAN hacker. It's very strange to use an oscilloscope to analyze CAN packets.
Modern digital oscilloscopes have packet analyzers. My not the most expensive Rigol DS2072A does it, and I bought it a decade ago. It is not the most convenient, especially without control software on a PC. I prefer a dedicated logic analyzer.
I do have an oscilloscope but not the logic analyzer add-on, I think it's probably time to buy the add-on...
