Login Register

Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
Post Reply
oeben
Posts: 3
Joined: 29 June 2025
Year and Model: 1982 242
Location: Norway

Re: Vida CEM swapping

Post by oeben »

The one I have with 30855 is also 0 in the key bytes, the one with 30835 is the damaged one from the car I was trying to salvage, this one however states it needs a password to read in JTAG.

I will try USB to serial on the 30835, maybe it works.
Top
duzi
Posts: 21
Joined: 16 September 2021
Year and Model: S60
Location: Lithuania
Has thanked: 18 times
Been thanked: 5 times

Post by duzi »

oeben wrote: 29 Jun 2025, 09:18
M32C / M30835FJVGP.
implemented long ago transfer all data from 835 to 855.
Top
porcupine7655
Posts: 24
Joined: 28 April 2025
Year and Model: 2006
Location: Sweden
Has thanked: 4 times
Been thanked: 18 times

Post by porcupine7655 »

oeben wrote: 29 Jun 2025, 11:18 The one I have with 30855 is also 0 in the key bytes, the one with 30835 is the damaged one from the car I was trying to salvage, this one however states it needs a password to read in JTAG.

I will try USB to serial on the 30835, maybe it works.
I think it is good to do it on a controlled way to show in what stage it fails.
If you get any readable string from version command, such as VER.1.16, you know that your wiring is correct. To be sure, test several times or even better in a loop. It can still be so that the cpu restart of any reason at some point after.

After the login is sent, it can be seen in the status bits if it is OK or not. Don't remember what bits to look for. In my example I print out status several times, before and after login.

In this way we can see what the problem is.
I'm also somewhat confused what interface was used when you say JTAG. As far as I have been able to find out there is no debug interface on this chip. How was this JTAG interface connected? What pins was used?
Top
oeben
Posts: 3
Joined: 29 June 2025
Year and Model: 1982 242
Location: Norway

Post by oeben »

I was mistaken, I thought it was JTAG but it's SPI.
That's why it will not read without the PIN, it would be possible to retreive the PIN if it was communicating (in car with the equipment I have available).

I will have to look into it deeper next week, I tried repairing the PCB by fixing burnt traces and cleaning all corrosion, but still no comms.
Will try with the program you attached to see what happens.
Top
oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

I have been looking for a complete wiring diag for a late 2010 v50 for a sid807evo and the p2 cem so I can do some bench testing for synchronisation procedures over obd, or obtaining the eeprom & flash from the sid807, I found this site (below) and got a strange feeling it was to good to be true has anyone tried viewing the pdfs for the wiring diags ? As they do not open within the browser you have to click the pdf button which I have not done.

https://volvodiag.com/ewd-online-eng/

EDIT :
never mind it looks like it was loading differently on my mobile compared too when i loaded it on my laptop that site above looks like a genuine volvo site.
Top
Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

Anyone can help with eeprom decode algo? Two days, and 61bytes decrypted at all......

Code: Select all

#!/usr/bin/env python3

def hex_to_bytes(hex_string):
    return bytes.fromhex(hex_string.replace(" ", ""))

KEY = "96 BB 1D 13 B3 07 D2 39 FC 20 26 D8 30 8D 31 3F 4B EB 3C D4 2E C3 76 5D 20 BC 31 81 77 19 EF 3E 27 0C 69 7E 1B 1C 15 AE 66 BE 1F 56 3B B1 F4 6C DC 98 9B 18 74 E8 44 EA 7F F4 AE 6A 25"
key_bytes = hex_to_bytes(KEY)

def get_subtract_value(group):
    if group == 0:
        return 0
    elif group == 1:
        return 1
    elif group == 2:
        return 2
    elif group == 3:
        return 3
    elif group == 4:
        return 4
    elif group == 5:
        return 5
    else:
        return group

def decrypt_file(input_file, output_file, key_bytes):
    key_len = len(key_bytes)
    
    with open(input_file, 'rb') as f:
        encrypted_bytes = f.read()
    
    decrypted_bytes = bytearray()
    
    with open('decrypt_log.txt', 'w') as log:
        for i in range(len(encrypted_bytes)):
            group = i // 61
            key_index = i % key_len
            subtract = get_subtract_value(group)
            temp_byte = encrypted_bytes[i] ^ key_bytes[key_index]
            decrypted_byte = (temp_byte - subtract) & 0xFF
            decrypted_bytes.append(decrypted_byte)
            log.write(f'Byte {i:4d} (group {group:2d}): {encrypted_bytes[i]:02X} ^ {key_bytes[key_index]:02X} = {temp_byte:02X} - {subtract} = {decrypted_byte:02X}\n')
    
    with open(output_file, 'wb') as f:
        f.write(decrypted_bytes)

if __name__ == "__main__":
    input_file = "crypted.bin"
    output_file = "decrypted.bin"
    decrypt_file(input_file, output_file, key_bytes)
Top
dikidera
Posts: 1304
Joined: 15 August 2022
Year and Model: S60 2005
Location: Galaxy far far away
Has thanked: 67 times
Been thanked: 175 times

Post by dikidera »

What is it from?
Top
Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

dikidera wrote: 09 Jul 2025, 12:55 What is it from?
Hand made)))
Top
WhizzMan
Posts: 33
Joined: 21 February 2021
Year and Model: 2001 XC70
Location: Göteborg
Has thanked: 8 times
Been thanked: 2 times

Post by WhizzMan »

Treur wrote: 09 Jul 2025, 13:06
dikidera wrote: 09 Jul 2025, 12:55 What is it from?
Hand made)))
Not enough information.
What device are you trying to decypher? Please provide all binaries you have. How did you get a 61 byte key? What cypher is being used? It doesn't make sense you have a 61 byte key, it's just an odd number.
If the binary you are trying to decypher is more than 61 bytes, you need to loop over it somehow, if the key is only 61 bytes. This is why it is important to know what cypher is being used.
Top
Dudde
Posts: 64
Joined: 22 January 2020
Year and Model: 2005 V70 and more
Location: Finland
Has thanked: 14 times
Been thanked: 17 times

Post by Dudde »

Treur wrote: 09 Jul 2025, 10:35 Anyone can help with eeprom decode algo? Two days, and 61bytes decrypted at all......

Code: Select all

#!/usr/bin/env python3

def hex_to_bytes(hex_string):
    return bytes.fromhex(hex_string.replace(" ", ""))

KEY = "96 BB 1D 13 B3 07 D2 39 FC 20 26 D8 30 8D 31 3F 4B EB 3C D4 2E C3 76 5D 20 BC 31 81 77 19 EF 3E 27 0C 69 7E 1B 1C 15 AE 66 BE 1F 56 3B B1 F4 6C DC 98 9B 18 74 E8 44 EA 7F F4 AE 6A 25"
key_bytes = hex_to_bytes(KEY)

def get_subtract_value(group):
    if group == 0:
        return 0
    elif group == 1:
        return 1
    elif group == 2:
        return 2
    elif group == 3:
        return 3
    elif group == 4:
        return 4
    elif group == 5:
        return 5
    else:
        return group

def decrypt_file(input_file, output_file, key_bytes):
    key_len = len(key_bytes)
    
    with open(input_file, 'rb') as f:
        encrypted_bytes = f.read()
    
    decrypted_bytes = bytearray()
    
    with open('decrypt_log.txt', 'w') as log:
        for i in range(len(encrypted_bytes)):
            group = i // 61
            key_index = i % key_len
            subtract = get_subtract_value(group)
            temp_byte = encrypted_bytes[i] ^ key_bytes[key_index]
            decrypted_byte = (temp_byte - subtract) & 0xFF
            decrypted_bytes.append(decrypted_byte)
            log.write(f'Byte {i:4d} (group {group:2d}): {encrypted_bytes[i]:02X} ^ {key_bytes[key_index]:02X} = {temp_byte:02X} - {subtract} = {decrypted_byte:02X}\n')
    
    with open(output_file, 'wb') as f:
        f.write(decrypted_bytes)

if __name__ == "__main__":
    input_file = "crypted.bin"
    output_file = "decrypted.bin"
    decrypt_file(input_file, output_file, key_bytes)
If you are trying to decrypt CEM L eeprom i have solution
Top
Post Reply
  • Similar Topics
    Replies
    Views
    Last post

Return to “XC90 1st gen 2003-2014”