Vida CEM swapping

[vtl]

Hello

I have build volvo cem cracker teensy work good on p1 p2 but not on p3

I use p3 script


Thanks Have nice day

CEM power off. Run the cracker. Wait till it says "you have 5 seconds to apply CEM power". Apply power to CEM within 5 seconds.

[alfons38]

I have try this, anyone have pinout, maybe i have wrong pins?

[dikidera]

In ghidra, there is no M32C instruction set implemented, so m16c/80 is used. A common instruction missing in m16c/60 and m16c/80 is a SHLNC.L instruction.

With below Ghidra SLEIGH functions which are copy pasted from SHL.L we add those to be decoded

Code: Select all

# (2) :SHLNC.L #imm, Ax
:SHLNC.L srcSimm8, dst5Ax              is ((b1_0407=0x8 & b1_size_0=0; b2_0005=0x21) & $(DST5AX)); srcSimm8 {
    # Unable to pattern match on sign bit due to interior ellipses
    shift:1 = srcSimm8;
    val:4 = zext(dst5Ax);
    if (shift s> 0) goto <shiftLeft>;
    shift = -shift;
    tmp:4 = val >> shift;
    dst5Ax = tmp:3;
    goto inst_next;
    <shiftLeft>
    tmp = val << shift;
    dst5Ax = tmp:3;
# No flags set
}
:SHLNC.L srcSimm8, dst5L               is ((b1_0407=0x8 & b1_size_0=0; b2_0005=0x21) ... & $(DST5L)); srcSimm8 {
    # Unable to pattern match on sign bit due to interior ellipses
    shift:1 = srcSimm8;
    val:4 = dst5L;
    if (shift s> 0) goto <shiftLeft>;
    shift = -shift;
    tmp:4 = val >> shift;
    dst5L = tmp;
    goto inst_next;
    <shiftLeft>
    tmp = val << shift;
    dst5L = tmp;
}

Add to the slaspec files of each processor and recompile. Note, the behaviour of the SHLNC instruction is slightly different and these function are not modified to handle this slight difference. The only thing I've modified is the flags not being set(since there is a carry and the result has a different semantic value)

This instruction logically shifts
dest left or right the number of bits indicated by
src.
• The direction of shift is determined by the sign of
src. When
src is positive, bits are shifted left; when
negative, bits are shifted right. Data which are compensated for shift are 0, regardless of the sign of
src.
• The number of shifts is -32 to +32. You cannot set values less than -32, equal to 0, or greater than +32.
• When
dest is the address register (A0, A1),
dest is zero-extended to be treated as 32-bit data for the
operation. The 24 low-order bits of the operation result are stored in
dest.

[oscilloscope]

hi all a while ago someone on here was making some synchro software which covered most of them i was curious how far they got as i have some other ecu & bcm , such as sid807 & p1 cem

[Dudde]

hi all a while ago someone on here was making some synchro software which covered most of them i was curious how far they got as i have some other ecu & bcm , such as sid807 & p1 cem

I'm working on software (not nearly done), if you have dumps from cars i can add them to the software

[dikidera]

Today I finally resolved the issue with GhidraEmu and emulating certain M16/m32c instructions. Instructions like INDEXBS were totally ignored. The real reason was that GhidraEmu was overwriting an internal SLEIGH context which affected how opcodes were executed. With the implementation of SHLNC I have solved two my most critical bugs allowing me to proceed further.

[vtl]

Today I finally resolved the issue with GhidraEmu and emulating certain M16/m32c instructions. Instructions like INDEXBS were totally ignored. The real reason was that GhidraEmu was overwriting an internal SLEIGH context which affected how opcodes were executed. With the implementation of SHLNC I have solved two my most critical bugs allowing me to proceed further.

INDEX is no longer a BS?

[dikidera]

There are several INDEX instructions, INDEXB, BS, BD, XL, XLS, W, WD, WS . basically many.

But yes, no longer a pain in the aaaaaa

[regula]

I need help with getting cem pin from P2 2006. Cem number 30786889.
Using quality components i built the Teensy hardware by vtl diagram and it communicates with the cem with no problems. Only thing is that only the 0 byte (first pin number) is showing up with consistency. Byte [1] and [2] are always random and the pin is not cracked.
What could be wrong?
First try pin candidates: 84 93 - - -
second try: 84 62 - - -
third try: 84 71
etc.
(skipped some lines in code because serial monitor wont let you select all and copy paste)

Code: Select all

Build Date:              Feb 17 2025 07:03:34
CPU Maximum Frequency:   600000000
CPU Frequency:           600000000
Execution Rate:          600 cycles/us
PIN bytes to measure:    3
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
Can't find part number on CAN-LS, trying CAN-HS at 500 Kbps
CAN high-speed init done.
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=cb 50 b9 f0 00 00 00 00
CAN_HS <--- ID=0042406c data=60 00 00 00 60 00 00 00
CAN_HS <--- ID=01000020 data=00 00 00 01 b0 04 c0 00
CAN_HS <--- ID=10400020 data=21 2a 00 60 00 00 0d fe
CAN_HS <--- ID=11100024 data=00 00 00 1c 7d ed 00 00
CAN_HS <--- ID=01200003 data=09 89 20 20 41 31 39 41
Part Number: 30786889
Searching P/N 30786889 in 50 known CEMs
CAN HS baud rate: 500000
PIN shuffle order: 3 1 5 0 2 4
Putting all ECUs into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Initialization done.

Profiling CEM
1000 pins in 640 ms, 1562 pins/s, average response: 86 us, histogram 43 to 129 us 
Calculating bytes 0-2
range 100, samples 10
candidates short list: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49  (+ 50 more)
[ 79 -- -- -- -- -- ]:     0     0     0     0     0     0    54     0   443     0   465     0    38     0     0     0     0     0     0     0 : latency      86974; std 61.65
[ 80 -- -- -- -- -- ]:     0     0     0     0     0     0    61     0   454     0   437     0    48     0     0     0     0     0     0     0 : latency      86944; std 60.34
[ 81 -- -- -- -- -- ]:     0     0     0     0     0     0    59     0   472     0   427     0    42     0     0     0     0     0     0     0 : latency      86904; std 61.03
[ 82 -- -- -- -- -- ]:     0     0     0     0     0     0    54     0   452     0   447     0    45     0     0     0     0     0     0     0 : latency      86880; std 61.15
[ 83 -- -- -- -- -- ]:     0     0     0     0     0     0    65     0   459     0   445     0    31     0     0     0     0     0     0     0 : latency      86884; std 61.37
[ 84 -- -- -- -- -- ]:     0     0     0     0     0     0    24     0   433     0   459     0    84     0     0     0     0     0     0     0 : latency      87206; std 60.60
[ 85 -- -- -- -- -- ]:     0     0     0     0     0     0    55     1   455     0   449     0    40     0     0     0     0     0     0     0 : latency      86947; std 61.55
[ 86 -- -- -- -- -- ]:     0     0     0     0     0     0    63     0   455     0   430     0    52     0     0     0     0     0     0     0 : latency      86942; std 59.90
[ 87 -- -- -- -- -- ]:     0     0     0     0     0     0    61     0   424     1   461     0    53     0     0     0     0     0     0     0 : latency      87013; std 60.17
[ 88 -- -- -- -- -- ]:     0     0     0     0     0     0    46     0   495     0   417     0    42     0     0     0     0     0     0     0 : latency      86910; std 62.21
[ 89 -- -- -- -- -- ]:     0     0     0     0     0     0    59     0   468     0   438     0    35     0     0     0     0     0     0     0 : latency      86898; std 61.53
[ 90 -- -- -- -- -- ]:     0     0     0     0     0     0    45     0   476     0   429     0    50     0     0     0     0     0     0     0 : latency      86968; std 61.49
[ 91 -- -- -- -- -- ]:     0     0     0     0     0     0    51     0   488     0   418     0    43     0     0     0     0     0     0     0 : latency      86906; std 61.69
[ 92 -- -- -- -- -- ]:     0     0     0     0     0     0    60     0   442     0   455     0    43     0     0     0     0     0     0     0 : latency      86962; std 60.79
[ 93 -- -- -- -- -- ]:     0     0     0     0     0     0    67     0   438     0   447     0    46     0     0     0     0     0     0     0 : latency      86858; std 60.11
[ 94 -- -- -- -- -- ]:     0     0     0     0     0     0    68     0   457     0   431     0    44     0     0     0     0     0     0     0 : latency      86902; std 60.15
[ 95 -- -- -- -- -- ]:     0     0     0     0     0     0    65     0   440     0   448     0    47     0     0     0     0     0     0     0 : latency      86954; std 60.11
[ 96 -- -- -- -- -- ]:     0     0     0     0     0     0    61     0   472     0   416     0    51     0     0     0     0     0     0     0 : latency      86914; std 60.25
[ 97 -- -- -- -- -- ]:     0     0     0     0     0     0    70     0   452     0   433     0    45     0     0     0     0     0     0     0 : latency      86906; std 59.91
[ 98 -- -- -- -- -- ]:     0     0     0     0     0     0    45     0   474     0   434     0    47     0     0     0     0     0     0     0 : latency      86966; std 61.69
[ 99 -- -- -- -- -- ]:     0     0     0     0     0     0    64     0   419     0   476     0    41     0     0     0     0     0     0     0 : latency      86988; std 60.80
best candidates ordered by latency:
0: 84 lat = 87206
1: 28 lat = 87046
2: 87 lat = 87013
3: 59 lat = 87008
4: 74 lat = 87005
5: 14 lat = 87004
6: 47 lat = 87002
7: 10 lat = 86990
8: 99 lat = 86988
9: 06 lat = 86984
10: 45 lat = 86982
11: 18 lat = 86980
12: 46 lat = 86980
13: 79 lat = 86974
14: 09 lat = 86974
15: 58 lat = 86968
16: 90 lat = 86968
17: 11 lat = 86966
range 3, samples 300
candidates short list: 77 27 58 
                   us:    78    79    80    81    82    83    84    85    86    87    88    89    90    91    92    93    94    95    96    97 
[ 84 62 77 -- -- -- ]:     0     0     0     0     0     0  1313     0 14312     0 11545     0  2824     0     0     0     0     0     0     0 : latency    2611502; std 1768.82
[ 84 62 27 -- -- -- ]:     0     0     0     0     0     1  1355     1 14152     0 11635     0  2850     0     0     0     0     0     0     0 : latency    2611698; std 1776.33
[ 84 62 58 -- -- -- ]:     0     0     0     0     0     0  1414     1 14157     0 11590     1  2831     0     0     0     0     0     0     0 : latency    2611420; std 1773.55
best candidates ordered by latency:
0: 27 lat = 2611698
1: 77 lat = 2611502
2: 58 lat = 2611420
...
range 2, samples 400
candidates short list: 27 77 
                   us:    78    79    80    81    82    83    84    85    86    87    88    89    90    91    92    93    94    95    96    97 
[ 84 62 27 -- -- -- ]:     0     0     0     0     0     0  1765     0 18800     0 15571     0  3858     0     0     0     0     0     0     0 : latency    3482786; std 2347.43
[ 84 62 77 -- -- -- ]:     0     0     0     0     0     0  1751     1 19051     1 15469     0  3719     0     0     0     0     0     0     0 : latency    3481968; std 2379.97
best candidates ordered by latency:
0: 27 lat = 3482786
1: 77 lat = 3481968
...
pin[2] choose candidate: 27
Candidate PIN 84 62 27 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 640 seconds
Progress: 0%..5%..10%..15%..20%..25%..30%..35%..40%..45%..50%..55%..60%..65%..70%..75%..80%..85%..90%..95%..
PIN is NOT cracked in 2061.36 seconds
done
Resetting all ECUs.

[scaro]

Could be noise. Long cables, bad ground, key in wrong pos. and more. In car or on bench?
Just brainstorming i have no better clue right now.