Vida CEM swapping

[vtl]

Here's a pin from 2005 XC70 dump (327680 bytes), at offset 0x4E000:

1.png (5.79 KiB) Viewed 633 times

[TonyToronto]

Here's a pin from 2005 XC70 dump (327680 bytes), at offset 0x4E000:

1.png

Thank you. Address 0x4E000 blank, all FF's. This CEM has MC32 MCU, can't seem to find the location for those. I used Autel programmer, VVDI failing to read this mcu. I have feeling it doesn't do a complete read. I've read 2 different CEM's and both read the same way. Seems to be enough to make keys, but maybe not enough to read CEM pin, or i just missed it, period.

thanks again.
edit: 0x4e000 not blank, just doesn't seem to contain pin, sorry, lack of sleep

[vtl]

Here's a pin from 2005 XC70 dump (327680 bytes), at offset 0x4E000:

1.png

Thank you. Address 0x4E000 blank, all FF's. This CEM has MC32 MCU, can't seem to find the location for those. I used Autel programmer, VVDI failing to read this mcu. I have feeling it doesn't do a complete read. I've read 2 different CEM's and both read the same way. Seems to be enough to make keys, but maybe not enough to read CEM pin, or i just missed it, period.

thanks again.

Check at 0x7e000.

[TonyToronto]

Here's a pin from 2005 XC70 dump (327680 bytes), at offset 0x4E000:

1.png

Thank you. Address 0x4E000 blank, all FF's. This CEM has MC32 MCU, can't seem to find the location for those. I used Autel programmer, VVDI failing to read this mcu. I have feeling it doesn't do a complete read. I've read 2 different CEM's and both read the same way. Seems to be enough to make keys, but maybe not enough to read CEM pin, or i just missed it, period.

thanks again.

Check at 0x7e000.

When you know, you know!! yup, it's there.

Thank you so much, you may have just avoided a perfectly good XC90 from going to the crusher!

[rkam]

M32C comes in different Flash sizes.

320kB starts at 0xFB0000 with size 0x50000
384kB starts at 0xFA0000 with size 0x60000
512kB starts at 0xF80000 with size 0x80000

From the CPUs point of view, the pin is typically 0x2000 from the end at 0xFFE000.

[TonyToronto]

Hi, is the pin sequence as displayed, or like on some other ones, there's a sequence to it? can't find much info with M32c

EDIT: i found the answer in the volvo-cem-cracker. If helps anyone: (p=position in flash file)
p[3] = pin[0];
p[1] = pin[1];
p[5] = pin[2];
p[0] = pin[3];
p[2] = pin[4];
p[4] = pin[5];

After having the right sequence and proper passwords was able to read Flash and EEprom of the damaged CEM and Clone it to a used CEM.
Thank You guys so much,
tony

[vtl]

Yes. Find a line with your CEM number in sources, last number in array would indicate a shuffle order.

Code: Select all

  { 30795115, CAN_500KBPS, 1 }, <== 1 is shuffle order

Shuffle orders are kept in

Code: Select all

unsigned char  shuffle_orders[4][PIN_LEN] = { { 0, 1, 2, 3, 4, 5 }, { 3, 1, 5, 0, 2, 4 }, {5, 2, 1, 4, 0, 3}, { 2, 4, 5, 0, 3, 1} };

Indexing starts from 0. So for shuffle order 1 the order is 3, 1, 5, 0, 2, 4.

[dikidera]

In 2005+ models with the L-shaped CEM, is it still possible to emulate PHM module and write to the DIM?
Look at end of post for L-shaped CEM and PHM.

I do

send_can_message3([0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05], arbid=0x0220200E) #announce PHM

then I also do

send_can_message3([0xA7, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06], arbid=0x00C00008) #start writing
send_can_message3([0x21, 0x07, 0x08, 0x09, 0xA, 0xB, 0xC, 0xD], arbid=0x00C00008)
send_can_message3([0x65, 0x07, 0x08, 0x09, 0xA, 0xB, 0x00, 0x00], arbid=0x00C00008) #end writing

Alas, nothing.
I am sending on low speed bus with 30ms delay between messages unfortunately nothing is happening.

Unless of course this is a limitation of the bifuel model and PHM is disabled by CEM configuration.

Addendum:
I decided to look for config dumps and found a bunch from the S60r standalone DIM cluster.

When using the CEM config message ID 1017FFC, I managed to figure out various config stuff

send_can_message3([0x13, 0x01, 0x01, 0x01, 0x01, 0x02, 0x03, 0x03], arbid=0x01017FFC)

0x13
0x01
0x01
0x01
0x02
0x03 - By changing this byte between 0x01 and 0x04 I can enable Instant Fuel Consumption, AVG fuel consumption and AVG speed. This was previously not possible on BIFUEL models according to Volvo Dealer information
0x03

Still wasn't able to write to the DIM though.

Addendum 2:
After googling I found this https://www.swedespeed.com/threads/cust ... im.659433/ and this https://github.com/larslego/Volvo-PHM/b ... isplay.cpp claiming to work on 2005-2009 models .

And it works.

[oscilloscope]

Folks is there volvo v50 sid803a config & vin
editor ?

[oscilloscope]

Furthering on from my investigation with this Siemens sid803a , I wanted to see if I could decode the flash. And see the config (if any) I took a dump of the flash and could see somthing which looked remarkably like a VIN number. I will note it down and see if its genuine. , I did some very basic searches for the ecu and suspected config data and I couldn't find anything of any substance. My search continues , any suggestions on what I can use to decode it into readable format I'm all ears.