
Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 has been very popular, and very good for Volvo's sales numbers, since its introduction for the 2003 model year (North America). It is built on the P2 platform.
3oh6
Posts: 6
Joined: 25 July 2023
Year and Model: 2008 C30
Location: UK

Re: Vida CEM swapping

Post by 3oh6 »

vtl wrote: 01 Aug 2023, 15:42
3oh6 wrote: 01 Aug 2023, 15:26 Oh cool, sounds interesting! So would it be like a ModUnlock type device?
Let's rephrase it according to truth: modunlock is a stolen cracker code, with a display.
I did wonder about that :roll: Not cheap either!

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

3oh6 wrote: 01 Aug 2023, 15:18 So my question now is: is there a way to read the CEM flash in the car over OBD on a P1? I tried T5Luke's CEM flash reader with my Dice, but it just displays tons of errors (I'm guessing it only works on the P2 CEMs?). It does accept my PIN though 👍
You minimally need an SBL (Secondary Boot Loader) for your platform/CEM. Volvo keeps it secret, but a CAN sniffer can spy on it when the dealer (or an indie here over the pond) updates the CEM software. Flash addresses probably differ, too. It would be best to have an open source tool with a config file, so you could point the tool to your SBL and your CEM address space configuration.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

3oh6 wrote: 01 Aug 2023, 15:46 I did wonder about that :roll: Not cheap either!
Previously the guy stated on his web site that his work is based on our work, but now that mention has been removed. So 100% GPLv3 outlaw. Like a bunch of other crooks from Eastern Europe ;)

blasaab
Posts: 34
Joined: 24 March 2021
Year and Model: Volvo xc90/V50/144
Location: Perstorp
Has thanked: 4 times
Been thanked: 3 times

Post by blasaab »

Hi, I have bought an XC90 from 2003 with a brick-shaped CEM. Was it possible to read this with vtl's cracker? Doesn't work with OBD.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 605 times

Post by vtl »

blasaab wrote: 01 Aug 2023, 15:55 Hi, I have bought an XC90 from 2003 with a brick-shaped CEM. Was it possible to read this with vtl's cracker? Doesn't work with OBD.
Nope, but T5Luke has an Arduino-based solution in this thread to read the flash with like 5 wires soldered to the CEM. Then you can get your PIN out of the CEM dump.

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

vtl wrote: 01 Aug 2023, 15:46 You minimally need an SBL (Secondary Boot Loader) for your platform/CEM. Volvo keeps it secret, but a CAN sniffer can spy on it when the dealer (or an indie here over the pond) updates the CEM software.
If one can get hold of a .VBF for that CEM, one can dig an SBL out of the payload.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.

dikidera
Posts: 1304
Joined: 15 August 2022
Year and Model: S60 2005
Location: Galaxy far far away
Has thanked: 67 times
Been thanked: 175 times

Post by dikidera »

While I am not worried about flashing an ECM, the CEM is a different story. One mistake there and the car dies for quite a while. An open source SBL would go a long way, even if the cars are old now. With all that keeps happening with my own car, I have not been able to even power on a CEM on the bench.

Now, unlike Denso, I would imagine these Motorola MCUs (I am assuming that they are the main processors on most CEMs, so correct me if I am wrong) to have much more code out there that could potentially be re-used to flash stuff, again, hopefully. When I was examining the Denso ECU and how the original SBL was writing stuff, I discovered the MCU was pulsing external memory somehow, but I was unable to trace it to the source pins.

As for STFT, I am guessing it could be reverse-computed from Base Injection Time - Final Injection Time? Or perhaps from AFR and 14.7 AFR.

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

dikidera wrote: 01 Aug 2023, 17:31 As for STFT, I am guessing it could be reverse-computed from Base Injection Time - Final Injection Time? Or perhaps from AFR and 14.7 AFR.
STFT = Current Injection time / Base Injection Time * 100%. STFT is a ratio.

dikidera
Posts: 1304
Joined: 15 August 2022
Year and Model: S60 2005
Location: Galaxy far far away
Has thanked: 67 times
Been thanked: 175 times

Post by dikidera »

rkam wrote: 13 Feb 2023, 11:09 Looks like the Denso has its own way of storing CAN IDs in the signal configuration.

Stored - CAN-ID
401E 020A - 0042 401E
401E 030A - 0062 401E
0021 0808 - 0100 0021
0002 0A08 - 0140 0002
0014 1008 - 0200 0014
0006 1408 - 0280 0006
0012 1708 - 02E0 0012
A little late, but thanks to emulation I have found at least one function that sets the CAN IDs now; with this I have found that each "signal" is described in a 32-byte structure.
ROM:00001B1C off_1B1C: .long 0x7080F00, unk_FFFFDEF0, unk_FFFFDF28, poweron
ROM:00001B1C ! DATA XREF: ROM:00001044↑o
ROM:00001B1C ! ROM:000010A4↑o ...
ROM:00001B2C off_1B2C: .long dword_30000, 0x401E020A, 0xFBFFBFFF, 0x3FFF5FFF
ID: obviously 0x401E020A


0x7080F00: the first byte 0x07 is a record identifier signifying whether this is the last signal or at least a main one, not sure yet. 0x08 is the DLC, as it's being put in address E498 of the CAN module. The 0x07 identifier can maybe sometimes be 0x04, which does an additional step in the ID-setting function.

unk_FFFFDEF0 is still unknown, as well as the other address and 0xFBFFBFFF, 0x3FFF5FFF and dword_30000, but hey, it's a start.

Then I have identified the functions I have so named CANSend_Byte, word, dword etc.

They take two arguments, an offset and the value to send.
mov.w #0x1428, r4
jsr @r13 ! SendCANWord_sub_ACD8
0x1428 is a data structure offset, perhaps 24 bytes in length. It contains a few things (mostly unknown for now), one of which is the offset 1b1c; we can *maybe* infer that 1b1c is the CAN signal that will be used to transmit the message from ID 0042 401E, which in this case was the Throttle Opening Angle.

Although one little tidbit is still unclear, my 80401E address is kind of missing in action but I will see.

Now, with this, what we can do is dump the TCM firmware and see if a similar table exists, e.g. for reading. I would expect the TCM to have the same addresses in its signal configuration.
Last edited by dikidera on 12 Aug 2023, 05:42, edited 2 times in total.
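As an added example (not code from the thread or from any project it mentions), here is a Python decoder for the stored ID words and the 32-byte signal record described in the post above. The bit layout is an assumption on my part: the stored word is read as the low 16 bits of the extended ID in its upper halfword, and an 11-bit standard-ID field (bits 15:5), RTR (bit 4), IDE (bit 3) and EXTID bits 17:16 (bits 1:0) in its lower halfword. That reading reproduces all seven stored/CAN-ID pairs in rkam's quoted table, which is the only evidence it rests on. The sample record is constructed from the words shown at ROM:00001B1C and ROM:00001B2C; the `poweron` handler address is not on the page, so a placeholder is used, and the fields the post calls unknown are carried through as raw words.

```python
"""Decoder for the Denso signal-configuration records discussed above.

Added example, not code from the thread. Assumed layout of a stored ID word
such as 0x401E020A: upper halfword = EXTID[15:0]; lower halfword =
STDID[10:0] in bits 15:5, RTR in bit 4, IDE in bit 3, EXTID[17:16] in
bits 1:0. Verified only against the seven pairs in the post.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

# Stored word -> CAN ID pairs exactly as listed in rkam's quoted table.
POSTED_PAIRS = {
    0x401E020A: 0x0042401E,
    0x401E030A: 0x0062401E,
    0x00210808: 0x01000021,
    0x00020A08: 0x01400002,
    0x00141008: 0x02000014,
    0x00061408: 0x02800006,
    0x00121708: 0x02E00012,
}


def decode_stored_id(word: int) -> int:
    """Turn a stored 32-bit word into the CAN identifier it describes."""
    ext_lo = (word >> 16) & 0xFFFF      # EXTID[15:0]
    ctrl = word & 0xFFFF                # STDID / RTR / IDE / EXTID[17:16]
    stdid = (ctrl >> 5) & 0x7FF         # 11-bit standard identifier
    ide = (ctrl >> 3) & 1               # 1 = extended (29-bit) frame
    ext_hi = ctrl & 0x3                 # EXTID[17:16]
    if not ide:
        return stdid                    # plain 11-bit ID; none appear in the table
    return (stdid << 18) | (ext_hi << 16) | ext_lo


def encode_can_id(can_id: int) -> int:
    """Inverse of decode_stored_id for a 29-bit ID (RTR bit left clear)."""
    if can_id > 0x1FFFFFFF:
        raise ValueError("CAN ID exceeds 29 bits")
    stdid = (can_id >> 18) & 0x7FF
    ext_hi = (can_id >> 16) & 0x3
    ext_lo = can_id & 0xFFFF
    ctrl = (stdid << 5) | (1 << 3) | ext_hi
    return (ext_lo << 16) | ctrl


def verify_posted_table() -> bool:
    """True if the assumed layout reproduces every pair from the post."""
    return all(decode_stored_id(s) == c for s, c in POSTED_PAIRS.items())


@dataclass(frozen=True)
class SignalRecord:
    record_type: int                     # first header byte: 0x07 (or 0x04) per the post
    dlc: int                             # second header byte, written to the CAN module
    stored_id: int
    can_id: int
    unknown_words: Tuple[int, int, int]  # words 1, 2 and 4: meaning unknown so far
    handler: int                         # word 3: function pointer ("poweron" in the listing)
    masks: Tuple[int, int]               # words 6 and 7: 0xFBFFBFFF / 0x3FFF5FFF, unknown


def parse_signal_record(blob: bytes) -> SignalRecord:
    """Parse one 32-byte big-endian record (the SH listing shows .long words)."""
    if len(blob) != 32:
        raise ValueError("signal record must be exactly 32 bytes")
    w = struct.unpack(">8I", blob)
    header = w[0]
    return SignalRecord(
        record_type=header >> 24,
        dlc=(header >> 16) & 0xFF,
        stored_id=w[5],
        can_id=decode_stored_id(w[5]),
        unknown_words=(w[1], w[2], w[4]),
        handler=w[3],
        masks=(w[6], w[7]),
    )


HANDLER_PLACEHOLDER = 0x00000000   # the real "poweron" address is not on the page

# Constructed from the values shown at ROM:00001B1C / ROM:00001B2C.
SAMPLE_RECORD = struct.pack(
    ">8I",
    0x07080F00, 0xFFFFDEF0, 0xFFFFDF28, HANDLER_PLACEHOLDER,
    0x00030000, 0x401E020A, 0xFBFFBFFF, 0x3FFF5FFF,
)

if __name__ == "__main__":
    rec = parse_signal_record(SAMPLE_RECORD)
    print(f"type=0x{rec.record_type:02X} dlc={rec.dlc} id=0x{rec.can_id:08X}")
    print("table reproduced:", verify_posted_table())
```

`verify_posted_table()` is the check to run first against any firmware where this layout is suspected: if a dumped table does not round-trip through `decode_stored_id`/`encode_can_id`, the assumption about the field positions is wrong for that part and should not be trusted for the TCM comparison the post proposes.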

unicast
Posts: 6
Joined: 18 April 2022
Year and Model: C70 2007
Location: Berlin
Has thanked: 2 times
Been thanked: 1 time

Post by unicast »

Hi all, thank you for creating this project, it's amazing! I've been monitoring it for a while, but today I finally got my Teensy-powered breadboard assembled and ran it on my car. Unfortunately I got a "PIN is NOT cracked" message at the end and I'm a bit puzzled what to do next. Any recommendations?
My CEM P/N is 31254317 which is in the list.
Here is the monitor output:

```text
CPU Maximum Frequency:   600000000
CPU Frequency:           180000000
Execution Rate:          180 cycles/us
PIN bytes to measure:    3
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS <--- ID=03c3f7fc data=fd 00 00 19 40 26 3f 15
CAN_LS <--- ID=04a0409e data=00 01 18 00 00 00 02 9e
CAN_LS <--- ID=05704000 data=40 20 00 00 00 00 00 00
CAN_LS <--- ID=12404002 data=16 16 00 00 8b 00 80 00
CAN_LS <--- ID=080030ae data=80 00 07 01 11 01 50 e9
CAN_LS <--- ID=0c505226 data=40 3a 00 00 00 00 00 b0
CAN_LS <--- ID=0730302e data=00 00 00 01 00 00 50 e8
CAN_LS <--- ID=0fb2509e data=00 00 00 00 00 07 c0 00
CAN_LS <--- ID=00600005 data=8f 40 f9 f0 00 31 25 43
CAN_LS <--- ID=08e2300e data=c0 02 28 a9 2f 0e 00 80
CAN_LS <--- ID=04301090 data=00 00 00 00 00 00 27 e0
CAN_LS <--- ID=09c050b8 data=6f 00 86 40 00 bf 00 4c
CAN_LS <--- ID=19f010f8 data=99 3c 00 60 81 d8 de 50
CAN_LS <--- ID=1320400a data=00 00 00 00 00 00 40 1c
CAN_LS <--- ID=02120498 data=10 00 00 00 00 00 00 00
CAN_LS <--- ID=03c3f7fc data=fd 00 00 19 40 26 3f 15
CAN_LS <--- ID=00600005 data=09 17 20 20 20 31 26 46
Part Number: 31254317
Searching P/N 31254317 in 50 known CEMs
CAN HS baud rate: 500000
PIN shuffle order: 0 1 2 3 4 5
CAN high-speed init done.
Putting all ECUs into programming mode.

<CUT>

...
pin[2] choose candidate: 99
Candidate PIN 26 86 99 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 702 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..45%..50%..55%..60%..65%..70%..75%..80%..85%..90%..95%..
PIN is NOT cracked in 2258.71 seconds
done
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
```
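As an added example, not part of unicast's post or of the cracker's own code, here is a small Python parser for this monitor output. It pulls the `CAN_LS`/`CAN_HS` frame lines out of the log, reassembles the part number from the two reply frames on ID 0x00600005, and cross-checks it against the `Part Number:` line the tool printed. The byte positions it uses (BCD digits in bytes 5..7 of the first reply and byte 1 of the second, after what looks like a sequence byte) are my reading of this one log, not a documented format; all function names are mine, and the sample log is an excerpt of the lines in the post.

```python
"""Parse the Teensy monitor output above and rebuild the CEM part number.

Added example, not part of the post or of the cracker firmware. The BCD
byte positions are inferred from this log only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt: the request line and a few reply frames copied from
# the monitor output in the post, including both frames on ID 0x00600005.
SAMPLE_LOG = """\
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS <--- ID=03c3f7fc data=fd 00 00 19 40 26 3f 15
CAN_LS <--- ID=00600005 data=8f 40 f9 f0 00 31 25 43
CAN_LS <--- ID=08e2300e data=c0 02 28 a9 2f 0e 00 80
CAN_LS <--- ID=00600005 data=09 17 20 20 20 31 26 46
Part Number: 31254317
"""

FRAME_RE = re.compile(
    r"^(?P<bus>CAN_[LH]S)\s+(?P<dir>--->|<---)\s+ID=(?P<id>[0-9a-fA-F]{8})"
    r"\s+data=(?P<data>(?:[0-9a-fA-F]{2}\s*){1,8})$"
)


@dataclass(frozen=True)
class Frame:
    bus: str
    direction: str      # "tx" for --->, "rx" for <---
    can_id: int
    data: bytes


def parse_frames(text: str) -> List[Frame]:
    """Extract every CAN frame line; status lines are ignored."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m is None:
            continue
        frames.append(Frame(
            bus=m["bus"],
            direction="tx" if m["dir"] == "--->" else "rx",
            can_id=int(m["id"], 16),
            data=bytes.fromhex(m["data"].replace(" ", "")),
        ))
    return frames


PART_NUMBER_REPLY_ID = 0x00600005   # ID the two reply frames arrive on in the log


def decode_part_number(frames: List[Frame],
                       reply_id: int = PART_NUMBER_REPLY_ID) -> Optional[str]:
    """Rebuild the 8-digit part number from the first two reply frames.

    Assumption (my reading of this log): digits are BCD, three bytes at the
    end of the first reply frame and one byte after the sequence byte of
    the second, so 31 25 43 | 17 -> "31254317".
    """
    replies = [f for f in frames if f.direction == "rx" and f.can_id == reply_id]
    if len(replies) < 2:
        return None
    digits = (replies[0].data[5:8] + replies[1].data[1:2]).hex()
    if len(digits) != 8 or not digits.isdigit():
        return None                     # not valid BCD: layout assumption failed
    return digits


def stated_part_number(text: str) -> Optional[str]:
    """The value the tool itself printed, used as a cross-check."""
    m = re.search(r"^Part Number:\s*(\d+)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def check_log(text: str) -> Dict[str, object]:
    """Frame counts plus decoded vs. stated part number for one log."""
    frames = parse_frames(text)
    decoded = decode_part_number(frames)
    stated = stated_part_number(text)
    return {
        "frames": len(frames),
        "tx": sum(f.direction == "tx" for f in frames),
        "rx": sum(f.direction == "rx" for f in frames),
        "decoded": decoded,
        "stated": stated,
        "consistent": decoded is not None and decoded == stated,
    }


if __name__ == "__main__":
    print(check_log(SAMPLE_LOG))
```

Running `check_log` over a full capture rather than this excerpt gives a quick sanity check on a run like the one above: if the frame parser sees no `rx` traffic on the low-speed bus, or the decoded and stated part numbers disagree, the problem is in the wiring or the bus rather than in the candidate search, and that is worth ruling out before re-running a 40-minute job.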
