Vida CEM swapping

[emericaz]

I've never seen "cemtool". Is it what you can use with P2?

It’s made by T5Luke for config changes on P2 <MY04

[Skavac]

Quick question for everyone,

It seems there are 2 versions of P2 -04 CEM. One with PIN at 0x4000, the other with PIN at 0x6000. Are these interchangeable? Can I use a CEM with pin at 0x4000 to replace a CEM with 0x6000? Do I need to make any changes to the bin?

[vtl]

It is either one offset or another. You have PIN at one of them and FFs at the other.

[fmobile]

Hi there!

I just would like to express respect to Vitaly and other guys for their efforts and the final elegant solution. I have cracked the PIN of CEM-L 31314468 successfully.

During cracking I noticed that some convenient features could be helpful, so I added:
1) 'Abort' button to exit from cracking process with ECUs exiting from programming mode, if brute-force is aborted by button the last checked value will be shown, so next time you can use this last value as initial value to continue brute-forcing.
2) Allows you to run brute-forcing starting any value, it can be useful if you are brute-forcing 4 bytes, which could take up to 18 hours, so you can break it in parts.
3) i2c LCD support, I see that Mark has committed LCD support with HD44780 chip, no cons about it. Just I had an i2c LCD only, and my implementation is done in accordance with the two points above.

All details can be found here https://github.com/feodorr/volvo-cem-cracker
Maybe it can be useful to someone.

[dikidera]

Denso reverse engineering aside I decided to work on some Volvo instrument cluster reverse engineering.

My biggest hurdle is the memory map of a MC68HC912DG128 (ACPV) chip. I obtained some dumps, however they vary in size, some are 128KB others are 2 megabytes in size, I know the bigger one probably contains the translations/words. However these chips are not simple at all, they have many integrated memories inside the die, many modes of operation and different memory mapping based on those modes.

As such when I plug the binary into IDA, and select my chip, the layout is different probably because of the mode the chip was in when it was read, and whatever codes I could find seem to jump to incorrect memory offsets.

I was wondering if anyone had a hint on how to correct the layout of these chips so I can get accurate disassembly.

The goal is to figure out how the ECM or maybe CEM I am not sure, are reporting instantaneous/avg fuel consumption. My bifuel model because of it's configuration in the CEM cannot report this information which is honestly fairly valuable.

Specifically I want to see how and what changes this CAN configuration command affects in the instrument cluster

#send_can_message3([0x13, 0x01, 0x01, 0x01, 0x02, 0x02, 0x01, 0x04], arbid=0x01017FFC) #instant consumption, avg speed, fuel level
#send_can_message3([0x13, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03], arbid=0x01017FFC) #instant consumption, avg speed, fuel level 7th byte is instant fuel in 0x01

From there I will trace how the code updates the state and figure out which module is sending the information and in what format so I can implement it in my tool.

Now logically, the DIM is on the low speed bus, while ECM is on hi-speed which means the CEM is the one reporting fuel consumption, but the question still remains whether it's retranslating some ECM messages or is the CEM calculating fuel consumption based on fuel pump activation.

[myname]

Does anyone know what to do if you get a dice unit that reads DICE-00000? I contacted the seller, and i got a partial refund on it already at least. anyway to fix it?
thanks

[yagger]

Actually, I fixed same issue by reprogram the DiCE.

[WhizzMan]

Actually, I fixed same issue by reprogram the DiCE.

But how? Assuming you need to set some serial number somehow?

[vtl]

Actually, I fixed same issue by reprogram the DiCE.

But how? Assuming you need to set some serial number somehow?

There's a DiCE firmware update tool. My DiCE is an early clone, it is actually a clone, not a fake pretend-to-be DiCE. It was not working in 64 bit Windows, so when time came for VIDA 2014D I had to update my DiCE. Apparently this method would not work for fake DiCE.

When my DiCE eventually dies, and I could not fix it, I'll get a JLR Mongoose, which has 2 CAN buses and works with VIDA. I have a single-bus Mongoose for Toyota, VIDA sees it out of the box and can make use of it, but of course it can't access the other CAN bus.

[yagger]

Actually, I fixed same issue by reprogram the DiCE.

But how? Assuming you need to set some serial number somehow?

There's a DiCE firmware update tool. My DiCE is an early clone, it is actually a clone, not a fake pretend-to-be DiCE. It was not working in 64 bit Windows, so when time came for VIDA 2014D I had to update my DiCE. Apparently this method would not work for fake DiCE.

When my DiCE eventually dies, and I could not fix it, I'll get a JLR Mongoose, which has 2 CAN buses and works with VIDA. I have a single-bus Mongoose for Toyota, VIDA sees it out of the box and can make use of it, but of course it can't access the other CAN bus.

I am not sure this tool can help to restore firmware completely. I downloaded FW from similar working DiCE and updated DiCE with issue by programmer.