Vida CEM swapping

Skavac
Posts: 18
Joined: 12 January 2020
Year and Model: 1998 Volvo S90
Location: Tangerang
Has thanked: 2 times
Been thanked: 6 times

Re: Vida CEM swapping

Post by Skavac »

Trying to crack CEM L (31314468) on bench, can't seem to get it started. I am getting the following

Build Date: Jul 26 2024 02:15:05
CPU Maximum Frequency: 600000000
CPU Frequency: 180000000
Execution Rate: 180 cycles/us
PIN bytes to measure: 3
CAN low-speed init done.
CAN high-speed init done.
Putting all ECUs into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=50 88 00 00 00 00 00 00
Part Number: 0
Unknown CEM part number 0. Don't know what to do.
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

My setup

+12V on D:8 and D:15
GND: D6

CAN HS from Teensy: D:33 and D:48
CAN LS from Teensy: D40 and D:55

120 ohm between D:31 and D:46
120 ohm between D:34 and D:49

Running latest code with CEM_PN_AUTODETECT commented out
Double, triple checked all connections, nothing changed.

I notice this when running the code without CEM_PN_AUTODETECT Commented Out

CAN_LS <--- ID=00e01008 data=03 60 10 00 00 00 4c 00
CAN_LS <--- ID=0381526c data=00 01 05 00 07 ff 00 00
CAN_LS <--- ID=03a04004 data=00 20 ff ff ff ff ff ff
CAN_LS <--- ID=03c01428 data=80 80 00 00 02 00 00 00
CAN_LS <--- ID=00217ffc data=03 4b 00 10 e8 00 00 00
CAN_LS <--- ID=0131726c data=00 00 00 76 00 00 00 3f
CAN_LS <--- ID=00800003 data=09 68 20 20 41 31 37 64
Part Number: 31314468
Searching P/N 31314468 in 50 known CEMs
CAN HS baud rate: 500000
PIN shuffle order: 3 1 5 0 2 4
CAN high-speed init done.
Putting all ECUs into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=50 88 00 00 00 00 00 00
Part Number: 0
Initialization done.

Profiling CEM

At which point it stops. So it can get PN from CAN_LS, but not CAN_HS

What am I missing?
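
The bus-level picture in the log above, as an added example that is not part of the original post or of the cracker's own code: a small parser for the `CAN_xx ---> / <---` line format that counts sent and received frames per bus and lists buses that were transmitted on but never answered. The sample log is constructed from lines in the format shown above, and it assumes the tool prints every frame it receives, so a bus with no `<---` lines is only a hint of a wiring or termination problem.

```python
import re
from collections import defaultdict

# Constructed sample, using the line format of the log quoted in the post.
SAMPLE_LOG = """\
CAN low-speed init done.
CAN high-speed init done.
Putting all ECUs into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=50 88 00 00 00 00 00 00
CAN_LS <--- ID=00800003 data=09 68 20 20 41 31 37 64
Part Number: 0
"""

# bus name, direction arrow, 29-bit ID as 8 hex digits, 1..8 payload bytes
FRAME_RE = re.compile(
    r"^(CAN_[A-Z]+) (--->|<---) ID=([0-9a-f]{8}) data=((?:[0-9a-f]{2} ?){1,8})$"
)

def parse_frames(text):
    """Yield (bus, direction, can_id, payload) for every frame line."""
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # status lines such as "Part Number: 0" are skipped
        bus, arrow, can_id, data = m.groups()
        direction = "tx" if arrow == "--->" else "rx"
        yield bus, direction, int(can_id, 16), bytes.fromhex(data)

def summarize(text):
    """Return {bus: {"tx": n, "rx": n}} for all frames in the log."""
    counts = defaultdict(lambda: {"tx": 0, "rx": 0})
    for bus, direction, _can_id, _payload in parse_frames(text):
        counts[bus][direction] += 1
    return {bus: dict(c) for bus, c in counts.items()}

def silent_buses(text):
    """Buses that were transmitted on but never produced a received frame."""
    return sorted(b for b, c in summarize(text).items() if c["tx"] and not c["rx"])

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("no replies seen on:", silent_buses(SAMPLE_LOG))
```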

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

Skavac wrote: 26 Jul 2024, 00:23 Trying to crack CEM L (31314468) on bench, can't seem to get it started. [...] What am I missing?

Does the CEM audibly 'click' while the program is running?
I have had it quite a few times where the CEM simply hasn't even responded to the request. I have had to reset the CEM and the Teensy simultaneously for it to be seen.

Skavac
Posts: 18
Joined: 12 January 2020
Year and Model: 1998 Volvo S90
Location: Tangerang
Has thanked: 2 times
Been thanked: 6 times

Post by Skavac »

Yes, the CEM does click audibly. When powered on and when the message "sending into programming mode" appears.

vtl
Posts: 4728
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

You need to terminate HS and LS, too

vtl
Posts: 4728
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

Remove autodetect, start the cracker, within 5 seconds apply power to CEM.

myname
Posts: 39
Joined: 10 January 2010
Year and Model: 2007 XC70
Location: Montreal Quebec
Has thanked: 1 time
Been thanked: 4 times

Post by myname »

I've still not gotten the OBD program to work. Tried 2 computers and 2 DiCE units.
It's an 07 XC70. It's a CEM H - 30786890. That CEM # has come up here before too on page 147 and 149; they were having trouble with it too.
All I can think of is there's a module somewhere on the car causing problems.
If there's anyone in or around Montreal - Ottawa that can help me, PM me. Thanks

Arty
Posts: 12
Joined: 9 May 2024
Year and Model: 2006 S60
Location: Russia, Krasnodar
Has thanked: 7 times

Post by Arty »

Hey, guys, everybody. I've tried about five times to read the pin code from my car (S60 2005), but I have absolutely no luck. I wait for about 30 minutes, but the result is the same. What could be the problem?

alevol
Posts: 31
Joined: 4 August 2021
Year and Model: 2005 S60
Location: Finland
Has thanked: 6 times
Been thanked: 3 times

Post by alevol »

T5Luke wrote: 28 Aug 2022, 03:58

Here get your UDS code by this:
https://filetransfer.io/data-package/sdnEjW7j#link

After that download your CEMs data, a full dump of your CPU flash by this:
https://filetransfer.io/data-package/FEduKEfj#link

DICE-206751, a charger for your computer and a charger for your car, can take up to 32h, depends where your code is...
Disconnect battery of your car for 10s to return into normal operating mode...
Is it possible to share the software again, please?

kestraly
Posts: 2
Joined: 8 August 2024
Year and Model: 2009 XC90
Location: U.K
Has thanked: 2 times

Post by kestraly »

@T5Luke - Thank you for putting up the tools.

I ran the crack and got PIN 0000B80CFB (After 8+ hours)

The UDS was harder and it would not complete due to an error
Done 99.97%
MESSAGE ERROR: 165
Computer or DICE is to slow to capture all can frames, try on other HW/SW setup

Used the PowerShell Technique

"Run via POWERSHELL
cmd (Press Enter)
UDScrack.exe > logcrack.txt
Enter your pin
Enter File name"

After multiple failed attempts (no pin code at 4e000 etc) trying the PowerShell technique, I analysed several bin dumps looking for a pattern.

In a previous post I downloaded the UDSnomana dump (on this thread) and found
98 C2 FF 00 9E C2 FF 00 A4 C2 FF 00 AA C2 FF 00 preceded the pin code, which was also present in each of my dumps.

Straight after that I had the following digits 24 89 99 98 56 08 at lines 4F5F0 in one dump and 4F5D0 in another, followed by FF FF FF FF etc

B3 B1 B5 B0 B2 B4
24 89 99 98 56 08

Did the pin rejig and got PIN

B0 B1 B2 B3 B4 B5
98 89 56 24 08 99

kestraly
Posts: 2
Joined: 8 August 2024
Year and Model: 2009 XC90
Location: U.K
Has thanked: 2 times

Post by kestraly »

When you unzip this, you'll need to place the parameters.txt, CEMtool.exe and your flash.bin file in the same directory.

If you don't do that, it will not open. (At least it did not for me)

Now to figure out what value will give me power folding mirrors with memory or power folding mirrors without memory.

Anyone have any pointers on values?

T5Luke wrote: 09 Sep 2022, 17:26 This works on all CEMs to MY 2004, 10th place of VIN Y, 1, 2, 3 or 4. Read cem by arduino once, place it back into car and change how often you like by dice.

Read CEM by arduino nano or UNO by this:

#define BKPT 4
#define RESET 5
#define FREEZE 6
#define DSI 7
#define DSO 8

static word CMD_READ = 0x1940;
static word CMD_GO = 0x0C00;
static word CMD_WRITEM = 0x1840;

char command;
int n_line;

void setup() {
  // put your setup code here, to run once:
  pinMode(BKPT, OUTPUT);
  digitalWrite(BKPT, HIGH);
  pinMode(RESET, OUTPUT);
  digitalWrite(RESET, LOW);
  pinMode(FREEZE, INPUT);
  pinMode(DSI, OUTPUT);
  digitalWrite(DSI, LOW);
  pinMode(DSO, INPUT);
  Serial.begin(57600);
  while(!Serial){
  }
  Serial.println(F("Arduino CEM Reader, press:"));
  Serial.println();
  Serial.println(F("e: enter BDM Mode"));
  Serial.println(F("l: leave BDM (experimental)"));
  Serial.println(F("r: read complete memory"));
  Serial.println(F("b: read Boot 0-3FFF"));
  Serial.println(F("s: read security block 4000-7FFF"));
  Serial.println(F("d: read car data 8000-1FFFF"));
  Serial.println(F("f: read firmware 20000-7FFFF"));
  Serial.println(F("c: BD32 Command Mode")); 
  
  

}

void loop() {
  // put your main code here, to run repeatedly:
    if (Serial.available()) {
      command = Serial.read();
      switch (command)
      {
        case 'e':
        Serial.println("Enter BDM");
        digitalWrite(BKPT, LOW);
        delay(10);
        digitalWrite(RESET, HIGH);
        delay(100);
        Serial.println(digitalRead(FREEZE));
        break;

        case 'l':
        Serial.println("leave BDM");
        shift_BKPT_up();
        digitalWrite(RESET, LOW);
        delay(10);
        digitalWrite(RESET, HIGH);
        wait_openchannel();
        bdm_command(CMD_GO);
        digitalWrite(DSO, LOW);
        shift_BKPT_up();

        
        Serial.println(digitalRead(FREEZE));
        break;

        case 'r':
        Serial.println("Read FLASH");
       
        for (unsigned long offset = 0x0000; offset<=0x7FFFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 'b':
        Serial.println(F("Read bootblock"));
       
        for (unsigned long offset = 0x0000; offset<=0x3FFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 's':
        Serial.println(F("Read securityblock"));
       
        for (unsigned long offset = 0x4000; offset<=0x7FFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 'd':
        Serial.println(F("Read cardata"));
       
        for (unsigned long offset = 0x8000; offset<=0x1FFFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 'f':
        Serial.println(F("Read firmware"));
       
        // Firmware region starts at 0x20000, as listed in the menu (0x8000-0x1FFFF is car data)
        for (unsigned long offset = 0x20000; offset<=0x7FFFF; offset = offset + 0x02)
        {
           shiftRWord(offset);
        }
        break;

        case 'c':
        Serial.println(F("BD32 Command Mode"));

        serialFlush();
        // Block until the next byte arrives on the serial port
        while(!Serial.available())
        {
        }
        break;

        default:
        break;

        case 'i':
        Serial.println("wipe");
        for (int i=0; i<=250; i++)
        {
          digitalWrite(BKPT, LOW);
          delay(1);
          digitalWrite(BKPT, HIGH);
          delay(1);
        }
        break;
      }
    }

}


void shiftRWord(unsigned long val)
{
    word i;
    word lowbyte = val;
    word hibyte = val >> 16;

    //Wait for DSO to get 0 => gets ready
   wait_openchannel();

    bdm_command(CMD_READ);
    shift_BKPT_up();
    shift_BKPT_up();
    


     for (i = 0; i < 16; i++)  {  //HighByte


        digitalWrite(DSI, !!(hibyte & (1 << (15 - i))));
        shift_BKPT_up();
    }
        digitalWrite(DSI, LOW);
        delayMicroseconds(1);
        shift_BKPT_up();



     for (i = 0; i < 16; i++)  {  //LowByte


        digitalWrite(DSI, !!(lowbyte & (1 << (15 - i))));
        shift_BKPT_up();
    }
    digitalWrite(DSI, LOW);
    delayMicroseconds(1);


    word W_Read = 0;  // filled bit by bit from DSO below

    for (i= 0; i < 1; i++)   //Read Status Byte
    {
      //digitalWrite(BKPT, HIGH);
      //delayMicroseconds(1);
      digitalWrite(BKPT, LOW);
      delayMicroseconds(1);
      //Serial.print(digitalRead(DSO));
    }

    for (i= 0; i < 16; i++) //Read back
    {
      digitalWrite(BKPT, HIGH);
      delayMicroseconds(1);
      digitalWrite(BKPT, LOW);
      delayMicroseconds(1);
      //Serial.print(digitalRead(DSO));
       bitWrite(W_Read,(15-i),digitalRead(DSO));
    }

    check_lzero(W_Read);

    if (n_line <=6)
    {        
       Serial.print(W_Read,HEX);
       Serial. print(" ");
       n_line++;
    }else{
      Serial.println(W_Read,HEX);
      n_line = 0;
    }

   
    //return W_Read;
}


 void write_Register(word cmd, unsigned long addr)
 {
    word lowbyte = addr;
    word hibyte = addr >> 16;

    wait_openchannel(); //Wait for DSO to get 0 => gets ready
    bdm_command2(cmd);
    shift_BKPT_up();

    for (int i = 0; i < 16; i++)  {  //HighByte OFFSET
        digitalWrite(DSI, !!(hibyte & (1 << (15 - i))));
        shift_BKPT_up();
    }
    digitalWrite(DSI, LOW);
    delayMicroseconds(1);
    shift_BKPT_up();

    for (int i = 0; i < 16; i++)  {  //LowByte OFFSET
        digitalWrite(DSI, !!(lowbyte & (1 << (15 - i))));
        shift_BKPT_up();
    }
    digitalWrite(DSI, LOW);
    delayMicroseconds(1);
 }
 

 void check_lzero(word W_Read){
      if (W_Read < 0x10)
      {
        Serial.print("000");
        return;
      }
        
      if (W_Read < 0x100)
      {
        Serial.print("00");
        return;
      }
      if (W_Read < 0x1000)
      {
        Serial.print("0");
        return;
      }
     }

 void shift_BKPT_up()
 {
      digitalWrite(BKPT, LOW);
      delayMicroseconds(1);
      digitalWrite(BKPT, HIGH);
      delayMicroseconds(1);
 }

 void wait_openchannel()
 {
      while(digitalRead(DSO)!=0)
    {
      shift_BKPT_up();
    }
     while(digitalRead(DSO)!=1)
    {
      shift_BKPT_up();
    }
 }

 void bdm_command(word command)
 {
  for (int i = 0; i < 15; i++)  {  
        digitalWrite(DSI, !!(command & (1 << (15 - i))));
        shift_BKPT_up();
    }
  digitalWrite(DSI, LOW);
 }

  void bdm_command2(word command)
 {
  for (int i = 0; i < 16; i++)  {  
        digitalWrite(DSI, !!(command & (1 << (15 - i))));
        shift_BKPT_up();
    }
  digitalWrite(DSI, LOW);
 }

 void serialFlush(){
  while(Serial.available() > 0) {
    char t = Serial.read();
  }
}

BKPT to D4
RESET to D5
FREEZE to D6
DSI to D7
DSO to D8

2 options: connect the 5V line at the capacitor, or connect the 12V at the CEM's main connector. Both connections, 5V and +12V, are not needed together...

Masse means GND
If you use a 12V power supply, also connect its GND to the Arduino's GND, so they have a common GND.

Copy content to HXD and save to BIN file.

Open the bin file with this tool, make the changes you like and write this data back to the CEM by DICE-206751.
It would be nice to get the parameter file filled up by the community if you need this tool...

As with everything by me, it is free, also free to analyze and build your own tools out of it...

I will test these tools myself tomorrow; if they have bugs I will fix them... Have fun...
