Vida CEM swapping

[vitalik2134]

Can somebody check my .bin file for the pincode? I found the code using hxd in 0004E000.

Did a swap following:

Example:
offset _ B3 B1 B5 B0 │ B2 B4 XX XX
04E000 53 38 03 21 │ 18 02 FF FF

PIN = B0 B1 B2 B3 B4 B5
PIN is 21 38 18 53 02 03

But when I admit it to Vdash through its website the options for configuration change remain greyed out? So I thought, maybe I used the wrong pin.

03-01-04-00-05-02

[wxp73]

I still need to know where the offsets

Maybe information in attached file here:viewtopic.php?p=642437&#p642437 will help you

It would be nice to get paramter file fills up by the community if you need this tool...

I filled some parameters in this file, if anyone still needed that

[dikidera]

It has been a long while, but here is an updated IDB of Denso reverse engineering progress. It contains the memory map stitched as seen by the ECU, as well as 1000 named functions/variables/items. Some may be wrongly named, some have a question mark meaning I am unsure.

The RE was done on software version

"PGMPROJ:BIFU,PGMNAME:XBD,PGMDBID:XBD.SET" This means software revision XBD. There's tons of variants, Z7D, Z9D, WAD, etc.

Requires IDA 7.7

[ricked]

Question for everyone. What info do you know is stored in the CEM?
For now I know where VIN, Keys, Crypt Key, ECM Sync and PIN is. I am making a tool to make it easy to change any of these elements when you already have a CEM dump.

The tool is also able to sync ECM and CEM. Currently this is only for CEM-B (28F400 / 95P08), but, there are plans to make it work with CEM-L and CEM H (M30835 / 95080 or M30855 / 95080 as well)

I will include changing CEM config as well. But, I still need to know where the offsets are for a more complete version. Things like ICM ID offset, ABS ID offset, etc. If anyone would like to share it with me, please do let me know. I'll add it to the tool, and I'll share it here once it is complete.

For now, here is a small screenshot

CEMEdit.png

does it do also the checksum after editing?

[wxp73]

does it do also the checksum after editing?

The checksum correction for the CEM dump don't needed.

[Skavac]

Question for everyone. What info do you know is stored in the CEM?
For now I know where VIN, Keys, Crypt Key, ECM Sync and PIN is. I am making a tool to make it easy to change any of these elements when you already have a CEM dump.

The tool is also able to sync ECM and CEM. Currently this is only for CEM-B (28F400 / 95P08), but, there are plans to make it work with CEM-L and CEM H (M30835 / 95080 or M30855 / 95080 as well)

I will include changing CEM config as well. But, I still need to know where the offsets are for a more complete version. Things like ICM ID offset, ABS ID offset, etc. If anyone would like to share it with me, please do let me know. I'll add it to the tool, and I'll share it here once it is complete.

For now, here is a small screenshot

CEMEdit.png

does it do also the checksum after editing?

The config checksum, yes. I am sure the ECM sync does not need checksum

[oscilloscope]

Hi all is the link still active for the p3cemtool? Or the git repository?

[Scoloo]

So, i have a brand new CEM H on the bench right now. With part number : 31394157 can i assume that there is no pass on it? If yes, can i read it directly with io terminal?

If not, i tried to read it with the cracker but no part number found.

[oscilloscope]

So, i have a brand new CEM H on the bench right now. With part number : 31394157 can i assume that there is no pass on it? If yes, can i read it directly with io terminal?

If not, i tried to read it with the cracker but no part number found.

You might be better off using xprog and gaining access too the pin code , that way then passing it through iot to install the binaries via obd or getting the pin through that way too

[Scoloo]

So, i have a brand new CEM H on the bench right now. With part number : 31394157 can i assume that there is no pass on it? If yes, can i read it directly with io terminal?

If not, i tried to read it with the cracker but no part number found.

You might be better off using xprog and gaining access too the pin code , that way then passing it through iot to install the binaries via obd or getting the pin through that way too

Ok, thanks. Strange thing is that the cracker also not recognises the part number. Unfortunately I don't have access to x-prog.

I thought I have read somewhere in this topic that the password is part of Volvo's software. And not from renesas itself. This way I thought maybe it's really completely empty. Like only FF. And that way the cracker doesn't recognises the part number anyway.