Vida CEM swapping

scaro · Post by **scaro** » 02 Dec 2024, 07:24

Cemcracker get 6byte Cem 04b ->
Cemtool old p2 Cem-"B" 99->04a
UDSread with 3byte Cem 2006->
UDSread with 6byte Cem 2006->
UDScrack get 3byte Cem 2006->

This is what i think the programs is for but could be wrong

As said, want to get the data out of mcu try to decrypt eeprom

Treur wrote: ↑02 Dec 2024, 04:38 UDS pin is not real pin. You can’t read with this version of UDSread. Use version for real pin.

Tried UDSread with 6byte, is there another? I got the 6byte with Teensy (cemcracker says correct one). Know i have early 2005 CEM-L and it could be without UDS or its needed more connections for it to work.

Treur wrote: ↑02 Dec 2024, 04:53 I'm really interested in whether it's possible to implement a timing attack via dice

Think Dice will not do timing attack because its to slow??

Post by **vtl** » 02 Dec 2024, 07:25

Treur wrote: ↑02 Dec 2024, 04:53 I'm really interested in whether it's possible to implement a timing attack via dice

No, it's too slow. The cracker hw senses voltage level transitions on CAN wire directly.

Treur · Post by **Treur** » 02 Dec 2024, 08:02

vtl wrote: ↑02 Dec 2024, 07:25
Treur wrote: ↑02 Dec 2024, 04:53 I'm really interested in whether it's possible to implement a timing attack via dice
No, it's too slow. The cracker hw senses voltage level transitions on CAN wire directly.

It's interesting that Smok can. True, it works with its own cable, and somehow I doubt that they implemented this at the cable firmware level.

Post by **vtl** » 02 Dec 2024, 08:07

Treur wrote: ↑02 Dec 2024, 08:02 It's interesting that Smok can. True, it works with its own cable, and somehow I doubt that they implemented this at the cable firmware level.

When T5Luke and I started the project in 2020 there was no one cracking the pin via timing attack. Shortly after we opensourced the code and schematics, they suddenly all got it working. Draw the lines between points yourself

Treur · Post by **Treur** » 02 Dec 2024, 08:18

vtl wrote: ↑02 Dec 2024, 08:07
Treur wrote: ↑02 Dec 2024, 08:02 It's interesting that Smok can. True, it works with its own cable, and somehow I doubt that they implemented this at the cable firmware level.
When T5Luke and I started the project in 2020 there was no one cracking the pin via timing attack. Shortly after we opensourced the code and schematics, they suddenly all got it working. Draw the lines between points yourself

Well, this is not news, I know this very well. That is why I do not disclose my developments to strangers. I can help a smart person, but nothing more.

I also partially used your developments for searching for pins on the p3 platform by rewriting the function in C#, but you showed me the function itself personally on Drive2

Post by **vtl** » 02 Dec 2024, 08:28

Treur wrote: ↑02 Dec 2024, 08:18 Well, this is not news, I know this very well. That is why I do not disclose my developments to strangers. I can help a smart person, but nothing more.

I also partially used your developments for searching for pins on the p3 platform by rewriting the function in C#, but you showed me the function itself personally on Drive2

I have no problem with open source been doing it all my life. Knowledge and work sharing is the way to go for humanity.

Treur · Post by **Treur** » 02 Dec 2024, 08:59

Maybe yes, maybe not. That's philosophy.

Not all information can be shared. For example, if you share information about immobilizers, be prepared for guys in uniform to come to you and change your place of residence.

Treur · Post by **Treur** » 03 Dec 2024, 01:58

vtl wrote: ↑02 Dec 2024, 07:25
Treur wrote: ↑02 Dec 2024, 04:53 I'm really interested in whether it's possible to implement a timing attack via dice
No, it's too slow. The cracker hw senses voltage level transitions on CAN wire directly.

is the problem only in speed?

Post by **vtl** » 03 Dec 2024, 04:54

Treur wrote: ↑03 Dec 2024, 01:58 is the problem only in speed?

Anything doing timing attack needs to measure time between last bit sent and the first bit received, without internal buffering, etc. I don't know if DiCE is capable of precise timestamping that may constitute for missing CAN-L sensing that cracker has.

Treur · Post by **Treur** » 03 Dec 2024, 05:17

vtl wrote: ↑03 Dec 2024, 04:54
Treur wrote: ↑03 Dec 2024, 01:58 is the problem only in speed?
Anything doing timing attack needs to measure time between last bit sent and the first bit received, without internal buffering, etc. I don't know if DiCE is capable of precise timestamping that may constitute for missing CAN-L sensing that cracker has.

This is where things get more complicated. It is possible to measure only between the moment a message is sent to USB and the response from the receive buffer. I tried, and the numbers are in parrots. The response to the same request is ~950-1400ns. And this is in the range from μ to -2σ

So far I have only one idiotic idea in my head - to add the j2534 protocol to your cracker.

Vida CEM swapping

Re: Vida CEM swapping