Vida CEM swapping

dikidera · Post by **dikidera** » 27 Nov 2024, 07:10

Here is the kicker, if the device has encryption keys stored inside some secure enclave, without those keys the encryption cannot be broken unless they use custom crypto(which you should never do anyway). But if the decryption keys are part of this 2-3 stage payload, then it will be possible.

Treur · Post by **Treur** » 27 Nov 2024, 07:21

After load and run 1 part to CEM, it answer with message, that, I think, contain something like a key for encrypt.

Another way is connect debug to M32, load SBL with SMOK, then get RAM contents. But I have no SMOK, just CAN trace

SBL_835_Part1.zip: (2.2 KiB) Downloaded 73 times

dikidera · Post by **dikidera** » 27 Nov 2024, 12:22

This SBL is pure binary for execution, not with CAN frame output, right?

Treur · Post by **Treur** » 27 Nov 2024, 12:53

This one is binary data of SBL from CAN trace. So it's bin for execution.

It's load in RAM via CAN, and execute.Then this part send some code back, and decode incoming data.

dikidera · Post by **dikidera** » 27 Nov 2024, 13:55

It will take me a while as I familiarize myself with the M16C/M32C architecture and memory layout. There is certainly fairly readable code and what IDA disassembled as a chain of BRK instructions, which don't seem legit(though could be for one reason or another or could just be encrypted code or some form of data).

danthe88 · Post by **danthe88** » 27 Nov 2024, 14:00

Hello everyone, I’m having trouble extracting the CEM PIN.

Today, I received all the components and assembled them, but I’m encountering an issue when trying to extract the PIN. I’m getting the following error:

Code: Select all

 Unknown CEM part number 0. Don't know what to do.

CEM part number: 30765643

Does anyone know what might be causing this?

I read somewhere that the CEM PIN can’t be extracted using a Teensy 4 if the K-Line is not present on the OBD (which is the case for me). Can anyone offer advice on how to make this work?

Treur · Post by **Treur** » 27 Nov 2024, 14:09

dikidera wrote: ↑27 Nov 2024, 13:55 It will take me a while as I familiarize myself with the M16C/M32C architecture and memory layout. There is certainly fairly readable code and what IDA disassembled as a chain of BRK instructions, which don't seem legit(though could be for one reason or another or could just be encrypted code or some form of data).

As far as I know, the M32 processor itself does not have built-in cryptographic functions, so encryption is only possible through custom user code.

Treur · Post by **Treur** » 27 Nov 2024, 14:42

danthe88 wrote: ↑27 Nov 2024, 14:00 Hello everyone, I’m having trouble extracting the CEM PIN.

Today, I received all the components and assembled them, but I’m encountering an issue when trying to extract the PIN. I’m getting the following error:
Code: Select all
 Unknown CEM part number 0. Don't know what to do. 
CEM part number: 30765643

Does anyone know what might be causing this?

I read somewhere that the CEM PIN can’t be extracted using a Teensy 4 if the K-Line is not present on the OBD (which is the case for me). Can anyone offer advice on how to make this work?

IMG_0630.jpeg

Your CEM don't need K-line. Check connections/transceivers. In my case working with 5v transceivers with no problem.

danthe88 · Post by **danthe88** » 27 Nov 2024, 14:48

Thank you for your response. I’ve thoroughly checked the connections multiple times, and everything appears to be in order.

Regarding the transceivers, I’m not completely sure how to test them, but since they’re brand new, I would expect them to work correctly.

Just to clarify, are we certain this is strictly a hardware issue? Could there be any other factors contributing to the problem?

Treur · Post by **Treur** » 27 Nov 2024, 15:07

Replace the transceivers, I had new ones too. New does not mean working. Chinese 3v transceivers are 99% garbage.

Vida CEM swapping

Re: Vida CEM swapping