Yes, that's all clear; I was just confused by the zeros in the first byte of the seed. Otherwise I've already done the authorization and loaded the SBL.
prometey1982 wrote: ↑11 Jun 2025, 05:33 A normal response per the UDS protocol.
Treur wrote: ↑10 Jun 2025, 12:25 Does anyone know anything about the seed key in SID206? I asked the module for seed, but it gives me some strange data -
7E8 05 67 01 00 01 E0 55 55
7E8 05 67 01 00 17 15 55 55
7E8 05 67 01 00 5E F8 55 55
7E8 05 67 01 00 53 68 55 55
7E8 05 67 01 00 11 7C 55 55
7E8 05 67 01 00 14 0A 55 55
7E8 05 67 01 00 45 B1 55 55
7E8 05 67 01 00 1D 91 55 55
7E8 = 7E0 + 8
5 - response length in bytes
67 01 - response to service 27 (+ 40) 01
00 01 E0 is the seed itself. The last 2 bytes pad the packet out to 8 bytes. The algorithm for generating the key from the seed is a widely used one. I have an implementation of this algorithm in C https://github.com/prometey1982/VolvoTo ... ps.cpp#L28
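The frame layout described in the post above (response ID = request ID + 8, length byte, 67 01, three-byte seed, 0x55 padding), as an added example that is not part of the original thread: a Python decoder run over the eight quoted frames, which also reports which seed bytes never change across samples. The function names and the handling of negative responses are assumptions added here; the NRC names are the standard ISO 14229 ones.

```python
# Added example. FRAMES holds the eight responses quoted in the post; the
# function names and the NRC subset are illustrative choices, not thread code.
FRAMES = """\
7E8 05 67 01 00 01 E0 55 55
7E8 05 67 01 00 17 15 55 55
7E8 05 67 01 00 5E F8 55 55
7E8 05 67 01 00 53 68 55 55
7E8 05 67 01 00 11 7C 55 55
7E8 05 67 01 00 14 0A 55 55
7E8 05 67 01 00 45 B1 55 55
7E8 05 67 01 00 1D 91 55 55
"""

# ISO 14229 negative response codes commonly returned by SecurityAccess.
NRC = {0x35: "invalidKey", 0x36: "exceededNumberOfAttempts",
       0x37: "requiredTimeDelayNotExpired"}


def parse_frame(line):
    """Decode one ISO-TP single frame carrying a reply to UDS service 0x27."""
    fields = line.split()
    can_id = int(fields[0], 16)
    data = bytes(int(b, 16) for b in fields[1:])
    frame_type, length = data[0] >> 4, data[0] & 0x0F
    if frame_type != 0 or not 1 <= length < len(data):
        raise ValueError("not an ISO-TP single frame: " + line)
    payload, padding = data[1:1 + length], data[1 + length:]
    out = {"request_id": can_id - 8, "padding": padding}  # 7E8 = 7E0 + 8
    if payload[0] == 0x27 + 0x40 and length >= 3:   # positive: 67 <level> <seed>
        out.update(kind="seed", level=payload[1], seed=payload[2:])
    elif payload[0] == 0x7F and length == 3:        # negative: 7F <SID> <NRC>
        out.update(kind="negative", sid=payload[1],
                   nrc=NRC.get(payload[2], hex(payload[2])))
    else:
        raise ValueError("unexpected payload: " + payload.hex())
    return out


def constant_seed_bytes(seeds):
    """Return {index: value} for seed positions identical in every sample."""
    return {i: col[0] for i, col in enumerate(zip(*seeds)) if len(set(col)) == 1}


def seeds_from(text):
    """Collect the seed bytes from every positive response in a frame log."""
    return [f["seed"] for f in map(parse_frame, text.splitlines())
            if f["kind"] == "seed"]


if __name__ == "__main__":
    seeds = seeds_from(FRAMES)
    print([s.hex() for s in seeds], constant_seed_bytes(seeds))
```

On the quoted frames the only constant position is byte 0 (value 00), the leading zero Treur asked about, so these samples vary in 16 bits of the seed.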
Vida CEM swapping
-
Treur
- Posts: 126
- Joined: 16 November 2024
- Year and Model: 2007 V70
- Location: Estonia
- Has thanked: 3 times
- Been thanked: 6 times
Re: Vida CEM swapping
-
dikidera
- Posts: 1304
- Joined: 15 August 2022
- Year and Model: S60 2005
- Location: Galaxy far far away
- Has thanked: 67 times
- Been thanked: 175 times
I managed to get data from the Mongoose. Buuut, some bugs left, and the ABS module didn't like that, as soon as I started my generic J2534 tool, perhaps the pins were not right and boom, immediate SRS code.
Other than that, there was a performance issue with the logging, I think it's solved now, but we will see.
Needs more debugging. But not much time left these days. I have a big vegetable garden, with over 250-300 tomato plants and battling TSWV and CMV viruses.
-
porcupine7655
- Posts: 24
- Joined: 28 April 2025
- Year and Model: 2006
- Location: Sweden
- Has thanked: 4 times
- Been thanked: 18 times
Looking deeper into the Denso ECU. Before, I looked at the AUD (Advanced User Debugger) port that exists on the SH processor. I think it is an interesting feature of the CPU. It is possible to run it in two modes. One where the host can send read/write commands to set or read memory locations without any support from the firmware. The other mode is where it can output all branches so it is possible to see where code is executed.
When I initially looked at it I didn't get it to work. When I got the ROM monitor working I could see that the block was turned off. Turning it on, I could see activity on the port. I stopped looking at it at that point in time as I thought that a firmware change was needed to get it running.
BUT I was wrong. When I started looking at the disassembly I noticed that it is only disabled if pin PF13 is low. I was not able to find any connection to that pin so I tried to just pull it high. It was a success, at least here on the bench.
Wrote a quick hack on a Teensy to see how fast I can read 32-bit data. It takes around 6 µs. This is not the limit. The bus can run at up to 20 MHz clock speed, and needs around 24 clock cycles to do a 32-bit read. I also wrote a quick parser for my Lauterbach logic analyzer to decode the branch trace data. It looks promising. I can follow the startup of the ECU and what branches it takes. The problem here is the speed at which the data is coming. Processing data on every clock cycle is needed. And it is running at 20 MHz. I attach my Teensy Arduino program if anyone wants to continue...
EDIT: Small bug found, swapped two address nibbles. New version here: viewtopic.php?p=664455#p664455
- Attachments
-
- aud_reader-teensy4.zip
- (1.2 KiB) Downloaded 45 times
Last edited by porcupine7655 on 16 Jun 2025, 12:31, edited 1 time in total.
-
porcupine7655
- Posts: 24
- Joined: 28 April 2025
- Year and Model: 2006
- Location: Sweden
- Has thanked: 4 times
- Been thanked: 18 times
Test of how long it takes to read out the external flash, 256 kByte, over the AUD port. It takes less than half a second.
-
dikidera
- Posts: 1304
- Joined: 15 August 2022
- Year and Model: S60 2005
- Location: Galaxy far far away
- Has thanked: 67 times
- Been thanked: 175 times
The AUD port was interesting; officially the CPU only supports branch trace and RAM monitor. Unofficially it should also allow for register modifications, it is after all JTAG, but H-UDI is proprietary and brute-forcing the possible JTAG commands would've taken forever. We know it's possible, just like how a guy managed to find many undocumented Intel instructions.
Those features are most desirable when the engine is running. So we can get real data in and out. Especially for real-time tuning. I mean road tuning is where we're at without a dyno and specialized equipment.
-
porcupine7655
- Posts: 24
- Joined: 28 April 2025
- Year and Model: 2006
- Location: Sweden
- Has thanked: 4 times
- Been thanked: 18 times
Small bug found, managed to swap two address nibbles.
porcupine7655 wrote: ↑15 Jun 2025, 13:22 I attach my teensy arduino program if anyone wants to continue...
New version attached.
- Attachments
-
- aud_reader_teensy4.zip
- (1.19 KiB) Downloaded 64 times
-
BlackLotus
- Posts: 2
- Joined: 17 June 2025
- Year and Model: 2005 V50
- Location: Switzerland
- Has thanked: 1 time
Can a P1 CEM (part number 8690719) from a 2005 V50 with a MC9S12DG128B (left chip) and a MC9S12DT256B (right chip) be cloned using a USBDM interface?
Specifically, are the flash and EEPROM contents of both chips in these CEMs "secured" or "unsecured"?
My CEM board has 5 "holes" (per chip) where the 4 BDM wires could easily be soldered to (and expose the BDM interface), but I am a bit unsure about whether this will work for cloning due to the chip datasheets mentioning that the flash and EEPROM can optionally (per choice of the car manufacturer) be "secured" against easy reading/dumping.
Did Volvo enable this "secured" feature on these CEMs? And if yes, are there known workarounds/glitches/attacks/etc. that would enable flash and EEPROM reading/dumping anyway?
I am aware that there are commercial solutions that apparently allow CEM cloning. But I wonder whether they are just providing an expensive (well, expensive in case you only need to clone one specific CEM for your personal car, like I do) interface for the unsecured BDM? Or are the CEM chips actually secured and the commercial solutions are doing some additional "magic" so that they are able to clone them anyway?
-
oscilloscope
- Posts: 285
- Joined: 20 May 2022
- Year and Model: 2005
- Location: uk
- Has thanked: 27 times
- Been thanked: 11 times
Looks like an interesting bit of software.
Treur wrote: ↑04 Jun 2025, 04:07 https://volvo-tech.com/en/volvo-technest/
Volvo TechNest is a powerful software suite designed for professional auto electricians, engineers, and developers working with Volvo vehicles. It provides direct access to control unit memory, full reprogramming, and fine-tuned configuration at a level beyond standard diagnostic software.
-
dikidera
- Posts: 1304
- Joined: 15 August 2022
- Year and Model: S60 2005
- Location: Galaxy far far away
- Has thanked: 67 times
- Been thanked: 175 times
Soon



Works with mongoose, but will likely work with DiCE as well. The Special Commands need quite some more work. The idea is to be able to implement custom dynamic records, more generic data etc. P3 is a placeholder, I don't really have any of that implemented.
Hopefully I can also make it work for dumping via B4 checksum, maybe even SBL upload.



-