Vida CEM swapping

vladlenas · Post by **vladlenas** » 02 Jun 2025, 11:33

Treur wrote: ↑22 Apr 2025, 12:06 CEM free BDM programmer - https://volvo-tech.com/en/793-2/

Everything works great, arduino uno without soldering, using pin needles.
Спасибо!

dwappertam · Post by **dwappertam** » 02 Jun 2025, 12:10

T5Luke wrote: ↑15 Sep 2022, 13:51 CEM Data Manager.jpg

I made this long ago for my self. It works, for me and i hope for anyone who needs it to copy his own CEM. For just changing config, better take the other tool and write only the config to your cem by dice...
viewtopic.php?t=85611&start=2270

The +5V over 1K resistor is only needed if you want to write complete cem, the bootloader is is in area 0x0 - 0x3FFF. Without pulling this point to +5V you cant erase or write this area. I took this resistor just for protection, today i don't use it anymore and put this pin directly to arduinos 5V pin. But be carefull if you pull it to gnd you will notice some smoke and your cem won't work anymore...

To read:
select port, click connect, click read complete, wait till all data runs through this window, it takes around 6min. When it stopped click save to file and you will get your bin.

To erase:
click on unlock write mode, and click on all erase blocks one after one on the right side to erase all areas on the new cem.

To write:
click on open binary, select the file you want to write, click write complete.

On arduino you need the firmware from ardubdm.bin, I lost my original sketch i have 0.9.6 here and i know i flashed 0.9.8 to my arduino. I should have it on some harddisk somewhere when i find it i will post here. But i was able to make a dump of my working arduino and you can flash this soft to your arduino by write.bat.

Edit write.bat to the matching port of your arduino:
COM.jpg
and run it to flash the correct firmare onto your arduino.

I know reading takes about 6mins and writing about 90mins and the gui doesnt update right by writing but it works and it is for free..

As always have fun with it and use or reuse this for your own projects.

Well yet another cem reading this time in putty. Dammmm this slows down alot of the reading. Still busey for complete scan at 25m is this relatable on the program putyy ?

And the kaev vs version is that only for us cars of aswell for europeans?

Thanks in advance

vladlenas · Post by **vladlenas** » 02 Jun 2025, 13:05

dwappertam wrote: ↑02 Jun 2025, 12:10
T5Luke wrote: ↑15 Sep 2022, 13:51 CEM Data Manager.jpg

I made this long ago for my self. It works, for me and i hope for anyone who needs it to copy his own CEM. For just changing config, better take the other tool and write only the config to your cem by dice...
viewtopic.php?t=85611&start=2270

The +5V over 1K resistor is only needed if you want to write complete cem, the bootloader is is in area 0x0 - 0x3FFF. Without pulling this point to +5V you cant erase or write this area. I took this resistor just for protection, today i don't use it anymore and put this pin directly to arduinos 5V pin. But be carefull if you pull it to gnd you will notice some smoke and your cem won't work anymore...

To read:
select port, click connect, click read complete, wait till all data runs through this window, it takes around 6min. When it stopped click save to file and you will get your bin.

To erase:
click on unlock write mode, and click on all erase blocks one after one on the right side to erase all areas on the new cem.

To write:
click on open binary, select the file you want to write, click write complete.

On arduino you need the firmware from ardubdm.bin, I lost my original sketch i have 0.9.6 here and i know i flashed 0.9.8 to my arduino. I should have it on some harddisk somewhere when i find it i will post here. But i was able to make a dump of my working arduino and you can flash this soft to your arduino by write.bat.

Edit write.bat to the matching port of your arduino:
COM.jpg
and run it to flash the correct firmare onto your arduino.

I know reading takes about 6mins and writing about 90mins and the gui doesnt update right by writing but it works and it is for free..

As always have fun with it and use or reuse this for your own projects.
Well yet another cem reading this time in putty. Dammmm this slows down alot of the reading. Still busey for complete scan at 25m is this relatable on the program putyy ?

And the kaev vs version is that only for us cars of aswell for europeans?

Thanks in advance

For any with flash 28F400B5,

Treur · Post by **Treur** » 04 Jun 2025, 04:07

https://volvo-tech.com/en/volvo-technest/

Volvo TechNest is a powerful software suite designed for professional auto electricians, engineers, and developers working with Volvo vehicles. It provides direct access to control unit memory, full reprogramming, and fine-tuned configuration at a level beyond standard diagnostic software.

porcupine7655 · Post by **porcupine7655** » 04 Jun 2025, 12:55

Continue on my journey in Denso ecu for a V70 BiFuel 2006
Now when I have the rommonitor working it is easier to test code running in the ecu.
Added read eeprom support into dikidera's sbl2.
When I had that working I just added dumping of internal flash as well. And some simple messages so the host can know what data is comming
Still no checksum! I have increased the wait time after each can message send to not get overflow in my raspberry side. Just running on an old RaspberryPi 3 and it have hard time to keep up when can bus is running at full speed.

I add complete, with source, a tool to dump internal flash, external flash and eeprom content. First time writing Python so it is what it is.
Have NOT implemented writing.
I don't know what byte order that is normally used in this kind of dump files so it is what it is. Easy to change if it is needed.

Code: Select all

python3 sbldumper.py
Send sleep command
Timestamp:        0.000000    ID: 000ffffe    X Rx                DL:  8    ff 86 00 00 00 00 00 00
Bus idle
Timestamp:        0.000000    ID: 000ffffe    X Rx                DL:  6    7a 9c ff ff a0 00
Timestamp:        0.000000    ID: 000ffffe    X Rx                DL:  6    7a ae 2f 86 d1 1c
Timestamp: 1749049647.413265    ID: 00000021    X Rx                DL:  8    7a 9c ff ff a0 00 15 b7     Channel: c
an0
Timestamp:        0.000000    ID: 000ffffe    X Rx                DL:  6    7a 9c ff ff a0 04
...
Timestamp:        0.000000    ID: 000ffffe    X Rx                DL:  6    7a 9c ff ff a0 00
Timestamp:        0.000000    ID: 000ffffe    X Rx                DL:  2    7a a0
Unknown msg
   Timestamp: 1749049654.766986    ID: 00000021    X Rx                DL:  8    7a 9c ff ff a0 00 15 b7     Channel
: can0
Start of  intflash
0x1000
0x2000
...
0x7e000
0x7f000
0x80000
   524288 bytes
Start of  extflash
0x81000
0x82000
...
0xbf000
0xc0000
   262144 bytes
Start of  eeprom
   256 bytes
END Message

dikidera · Post by **dikidera** » 05 Jun 2025, 01:02

Denso ECM checksum exists, but the ECU makes no fuss about it(it stores code and CEM too but not sure if there is a check engine light). You can flash anything you want. Very nice about EEPROM makes reprogramming so much easier.

For the F00D(reducer sensor) code you will se

ROM:0006B636 .word 0xF00D
ROM:0006B638 .word 8
ROM:0006B63A .word 0x140
ROM:0006B63C .word 0x141
ROM:0006B63E .word 0x142
ROM:0006B640 .word 0x143
ROM:0006B642 .word 0x144
ROM:0006B644 .word 0x145
ROM:0006B646 .word 0x146
ROM:0006B648 .word 0x147

From what I've managed to deduce, 0x140-147 are the possible causes for F00D(signal too low, signal too high, signal missing etc). By looking at the pointer to the table of DTCs you may be able to find a way to code out that error.
The way Denso evaluates stuff for DTCs is based on a lot of, a lot of if/else logic for each sensor.

Btw, you can also reprogram CEM and disable bifuel mode that way. Will also stop CCM button. I once discovered the wrong way what happens when you spoof CEM signal configuration and my bifuel shut off while driving.

vladlenas · Post by **vladlenas** » 07 Jun 2025, 10:23

vladlenas wrote: ↑25 May 2025, 06:46 Hi, I have CEM "brick" HW-PN 08688434. Should I look for the exact same one for the clone? Or will any "brick" from 1999-2004 work?

I cloned CEM HW: 08688434 to HW: 08645716. Everything seems to be fine, with one nuance, the SWM module does not communicate. I understand that the hardware numbers are different, but why only SWM?
Can someone tell me why this happened? Theoretically, I understand that in these CEMs all information is stored in flash memory. Or am I wrong?
In a few words, I do not need much explanation.
Thank!

crasbe · Post by **crasbe** » 08 Jun 2025, 16:01

Yariy wrote: ↑11 Mar 2025, 07:23 Hello. I have been studying CEMB until 2004. [...] If anyone is interested, I'm attaching an incomplete CEMB schema and the Ghidra script (splitting the dump into blocks, assigning register names to addresses).

Thank you for sharing the files. This must've been a tremendous amount of work already.
Unfortunately I can't really answer your initial question about the write proceduce, but since the Flashing procedure is quite slow, I would assume that the code will trigger the Software Watchdog Service Register (SWSR). The program has to periodically write 0x55 and 0xAA to that register, otherwise the processor is resetted.

The copy functions you already identified do exactly that, but so far I did not find another function that looks promising.

Some time ago I started digging into the CEM myself to try to reverse engineer the immobilizer algorithm. I would like to convert a P2 Volvo to EV, but with the immobilizer that is not really possible (you could keep the ECM and spoof the other signals, but that's annoying).

So far I did not reach the immobilizer code, it seems like it is either obfuscated or relocated...
I know that people have reverse engineered that, since you can buy immobilizer spoofing devices, but to my knowledge they don't work without an ECM.

Perhaps someone has some information about that they'd like to share?
I don't want to make any profit, in fact the routine will then be implemented in the ZombieVerter project (https://openinverter.org/wiki/ZombieVerter_VCU) and the knowledge would also help people who want to run standalone ECUs or do funky engine swaps.

Treur · Post by **Treur** » 10 Jun 2025, 12:25

Does anyone know anything about the seed key in SID206? I asked the module for seed, but it gives me some strange data -

7E8 05 67 01 00 01 E0 55 55
7E8 05 67 01 00 17 15 55 55
7E8 05 67 01 00 5E F8 55 55
7E8 05 67 01 00 53 68 55 55
7E8 05 67 01 00 11 7C 55 55
7E8 05 67 01 00 14 0A 55 55
7E8 05 67 01 00 45 B1 55 55
7E8 05 67 01 00 1D 91 55 55

prometey1982 · Post by **prometey1982** » 11 Jun 2025, 05:33

Treur wrote: ↑10 Jun 2025, 12:25 Does anyone know anything about the seed key in SID206? I asked the module for seed, but it gives me some strange data -

7E8 05 67 01 00 01 E0 55 55
7E8 05 67 01 00 17 15 55 55
7E8 05 67 01 00 5E F8 55 55
7E8 05 67 01 00 53 68 55 55
7E8 05 67 01 00 11 7C 55 55
7E8 05 67 01 00 14 0A 55 55
7E8 05 67 01 00 45 B1 55 55
7E8 05 67 01 00 1D 91 55 55

Обычный ответ по протоколу UDS
7E8 = 7E0 + 8
5 - длина ответа в байтах
67 01 - ответ на от сервиса 27 (+ 40) 01
00 01 E0 собственно само семя. Последние 2 байта, это добивание пакета до 8 байт. Алгоритм генерации ключа по семени широко используемый. У меня есть реализация такого алгоритма на C https://github.com/prometey1982/VolvoTo ... ps.cpp#L28

Vida CEM swapping

Re: Vida CEM swapping