Vida CEM swapping

[wxp73]

your dump can be byte swapped or not

I tried both (swapped and not), the CEMTool still said, that the PIN isn't correct.

[V70user]

CEMTool is , let's say, incomplete and in that state won't work. But it can be fixed by using two subprograms.
Car must be sent into programming mode and then click "Program" button in CEMTool's window.
After writing car must be pulled to normal mode, by sending reset commands.

[Yariy]

Hello everyone I am writing a CEMB configuration modification program using the J2534 adapter (Scanmatik 2 Pro). Using the BDM programmer, I read the full firmware of the 28F400. I read the configuration using J2534 and can change it, enter CEM-B into programming mode and exit programming mode. Now I have a few questions.
1. Based on the dataset 28F400, to write the configuration to CEM-B, you need to send commands to erase and write the entire memory area #8000 - #20000. It's very slow. Are there no other options?
2. I read the VIN area (#8000 - #8057) and the configuration area (#8100 - #818D) using the J2534 adapter. Does anyone know what lies in the areas (#8200 - #821F) and (#10000 - #10099) 28F400.
I will be very grateful for your help.

[dikidera]

No other way around it, I haven't benchmarked but writing is slow(on other similar chips), if it's only one block it will be fast but still will take a few minutes per block.

[Yariy]

No other way around it, I haven't benchmarked but writing is slow(on other similar chips), if it's only one block it will be fast but still will take a few minutes per block.

Thank you for your reply. I'll keep it in mind.
I want to change the configuration with only a PIN code. To do this, I need to know how to count over the CAN area starting from #8200 and from #10000 in order to write the entire area from #8000 to #20000. I'll try to figure it out.

[Treur]

In general, I wrote a pin search for L and H CEM via UDS by j2534 (dice, skanmatik….). Pin is found. SBL is needed for further work. I have one from io-terminal, but it is encrypted. And I have one from Smok (I can write config, but don't know other commands).

I also tried to make a time attack, but it is unlikely to be implemented using J2534

[Dudde]

In general, I wrote a pin search for L and H CEM via UDS by j2534 (dice, skanmatik….). Pin is found. SBL is needed for further work. I have one from io-terminal, but it is encrypted. And I have one from Smok (I can write config, but don't know other commands).

What commands do you need or what do you need to do?
It is possible to read/write cem eeprom, i can get you canbus log if you want.

[Treur]

In general, I wrote a pin search for L and H CEM via UDS by j2534 (dice, skanmatik….). Pin is found. SBL is needed for further work. I have one from io-terminal, but it is encrypted. And I have one from Smok (I can write config, but don't know other commands).

What commands do you need or what do you need to do?
It is possible to read/write cem eeprom, i can get you canbus log if you want.

I need adequate SBL.
Log from what device? I think, if I have logs from Smok it may help

Via SBL possible read/write all cpu contents, and eprom. I can read/write P1/P2/P3 DIM, ICM, SRS, CCM, UEM

[dikidera]

In general, I wrote a pin search for L and H CEM via UDS by j2534 (dice, skanmatik….). Pin is found. SBL is needed for further work. I have one from io-terminal, but it is encrypted. And I have one from Smok (I can write config, but don't know other commands).

I also tried to make a time attack, but it is unlikely to be implemented using J2534

If you can share SBL perhaps I can help with reverse engineering? The CEM mcu is not something I am familiar with, but I do learn quickly.

[Treur]

In general, I wrote a pin search for L and H CEM via UDS by j2534 (dice, skanmatik….). Pin is found. SBL is needed for further work. I have one from io-terminal, but it is encrypted. And I have one from Smok (I can write config, but don't know other commands).

I also tried to make a time attack, but it is unlikely to be implemented using J2534

If you can share SBL perhaps I can help with reverse engineering? The CEM mcu is not something I am familiar with, but I do learn quickly.

I can give you a CAN trace, it contains 1 part not encoded SBL, this part decode next 2 parts of SBL that’s is coded. All 3 parts in this trace. I have also SBL for other P3 modules. As I see, the algoritm is same.

I can convert 1 no encoded part to .bin It contain algoritm for decode other parts.