Vida CEM swapping

oscilloscope · Post by **oscilloscope** » 28 Aug 2024, 14:33

x119 wrote: ↑20 Aug 2024, 07:59
brobert wrote: ↑18 Aug 2024, 10:49
xiaofei204716 wrote: ↑17 Aug 2024, 07:39 I'll give you the code in a minute. No VIDA required
A quick search of your posts on MVS reveals a trend of PIN offers and secrecy.
So I know how this is done, it's certainly not going to be shared here or in public generally as it'd cease to exist pretty quickly. What I can say is that it's entirely possible to get the PIN without connecting physically to the car.

If xiaofei204716 is going to charge more than $100 I'd look elsewhere

I'll have too adjust my price list for dump for pin price list

al1Volvo · Post by **al1Volvo** » 29 Aug 2024, 16:10

Hi all, like I said previously, I share with you my work on SBL for P1.
With this software running on raspberry Pi and a dual CAN board I was able to dump (EEPROM and Flash) the CEM on High Speed and Low Speed CAN bus line and also the DIM on both on bench and in car. I was able to flash eeprom and flash with this tool to.

They are also included in this git the Secondary Boot Loader code inj C that I wrote from scratch for both 9S12 and 9S12X MCU.
They are many thing to do (code optimization, cleanup and so...) but for now it is in working state.

The SBL will allow you to :
Dump/Write page or full chip of Flash/EEPROM.
Read and write MCU register.
Erase sectors.

Take extreme caution when using it as it can totally brick your car. It is not made to be use by people who don't have solid skill on SBL and programing and I will not take any responsibility of what can happen, using it is your choice. It is not an official software from Volvo.

If it is not a good idea to share it there or not "legal", administrator please, can you remove the link ?

https://github.com/Alain94W/VolvoSBLUploaderTool.git

Some functionality :

Code: Select all

Entering into SBL...Done
Done
Waiting for SBL to be Alive 

Done, SBL Ready, Chip id 0xC411 Memsize0: C0, Memsize1: 00
 Configuring the SBL, ECU id : FF...
 SBL Up Set and Running
 EEPROM PROT :FF, EEPROM DIVIDER IS SET:00, EEPROM CLKDIV: 84
 FLASH PROT :FF, FLASH DIVIDER IS SET:00, FLASH CLKDIV: 84.


====== SBL Menu ======
1  - Dump Flash by Program Page and address to a file
2  - Dump EEPROM by EEPROM Page and address to a file
3  - Dump all the Flash to a file
4  - Dump all the EEPROM to a file
5  - Erase and Program Flash Page from file
6  - Erase Flash sectors
7  - Erase and Program EEPROM Page from file
8  - Erase and Program EEPROM Words to Page
9  - Erase and Program FULL FLASH from file
10 - Erase and Program Full EEPROM from file
11 - Read register
12 - Write register
19 - Exit SBL Menu

I hope this will help and once again, if you have a CEM dump with TPMS for P1 to share please share it with me !

If you are using this tool, can you also share your experience with it please ?

xiaofei204716 · Post by **xiaofei204716** » 06 Sep 2024, 00:40

The price is 100usd
I can't reveal too much,Otherwise it's easy to shut up.

Skavac · Post by **Skavac** » 17 Sep 2024, 09:14

Anyone have a working link to T5Luke's CEM cracking software using the DiCE unit? Trying to crack an '09 S60 with DiCE but I can't find a link that still works

Thanks in advance!

dikidera · Post by **dikidera** » 19 Sep 2024, 09:21

After grueling hours, days and weeks into fixing my car to run on CNG again I am back to resume my work on the TCM. I can see people writing open source kernels for the CEM, very nice.

I will be looking for a TCM which I will experiment on, the goal, to write an SBL for it for flashing purposes.

al1Volvo · Post by **al1Volvo** » 19 Sep 2024, 09:42

Is it a 9S12 MCU inside ? If yes you can edit my SBL to do this job

dikidera · Post by **dikidera** » 19 Sep 2024, 09:47

No it's completely different architecture and MCU. SH7055

I am curious if your SBL works for CEM-L on facelift P2 cars? I havent an idea what it runs, but that is what I have and even bought one unit that has sat for 2 years on a table waiting for me to experiment on.

al1Volvo · Post by **al1Volvo** » 19 Sep 2024, 10:49

I don't have a P2 CEM so I don't know what MCU is inside but if it is a 9S12, chances are high for this to work with maybe some modifications.

Skavac · Post by **Skavac** » 19 Sep 2024, 21:57

P2 CEM L Serial Number starting with 4 (00004xxxxx) will have MCU M30835F (512 kb Flash)
Serial Number starting with 5 (00005xxxxx) or higher will have MCU M30855F (320 kb Flash)

al1Volvo · Post by **al1Volvo** » 20 Sep 2024, 02:05

Ok, my SBL will not work for that MCU, don't even try as it can have unknown effect on the CEM, in the better case just reboot it, in the worth case burn it by setting a wrong configuration on the MCU. I don't know the register architecture and opcode on M30855F.

Regarding the xiaofei204716's method to find PIN from VIN, I think he will not compute the PIN from the VIN directly but instead make a call to the volvocars's server. This is my opinion when I read the CEM Software Upload documentation from VIDA :

"The PIN codes are downloaded automatically in the order procedure available in VIDA. The PIN codes are retrieved from the Volvo central database and are sent in the software package when software is ordered for the new control module. "

This is probably an API call then he get back a software package where the PIN are stored in.

Pure assumption but relatively possible.

A wireshark dump of the network when the order operation is started can maybe help to check this (of course do not do it if it is not allowed in your country).

Vida CEM swapping

Re: Vida CEM swapping