
Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
WhizzMan
Posts: 33
Joined: 21 February 2021
Year and Model: 2001 XC70
Location: Göteborg
Has thanked: 8 times
Been thanked: 2 times

Re: Vida CEM swapping

Post by WhizzMan »

Dudde wrote: 11 Jul 2025, 07:27
Treur wrote: 11 Jul 2025, 06:45 Yes, key from flash, I don't remember serial, but it's a 835 mcu.
I have decrypted eprom by io-terminal for compare.
I see that using my code I decrypt the first 61 bytes correctly.
files.zip
I can give you the solution when I get home
Please share. :)

Yariy
Posts: 41
Joined: 1 July 2024
Year and Model: XC90
Location: Moskow
Has thanked: 13 times
Been thanked: 10 times

Post by Yariy »

WhizzMan wrote: 14 Jul 2025, 00:40
Yariy wrote: 13 Jul 2025, 10:40 Hi everybody. I wrote SBL for CEMB to read the full contents of the flash. While in test mode, CAN packets are transmitted in uncontrolled mode with 8 bytes of data. 512 KB is transmitted in 1.3 minutes. The period between CAN packets is 1.192 milliseconds. I receive all data packets on the table without errors. And now I have some questions. 1. Isn't the time between data packets 1.192 milliseconds short if you read the block remotely via the Internet? 2. Is it necessary to make the transfer of controlled request-response type instead of uncontrolled data transfer?
Would you be willing to share your code so we can do our own dumps?
sbl source code for CEMB. The test version.
Attachments
CEMB_sbl_test_04.zip
(2.25 KiB) Downloaded 75 times

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

WhizzMan wrote: 14 Jul 2025, 00:40
Yariy wrote: 13 Jul 2025, 10:40 Hi everybody. I wrote SBL for CEMB to read the full contents of the flash. While in test mode, CAN packets are transmitted in uncontrolled mode with 8 bytes of data. 512 KB is transmitted in 1.3 minutes. The period between CAN packets is 1.192 milliseconds. I receive all data packets on the table without errors. And now I have some questions. 1. Isn't the time between data packets 1.192 milliseconds short if you read the block remotely via the Internet? 2. Is it necessary to make the transfer of controlled request-response type instead of uncontrolled data transfer?
Would you be willing to share your code so we can do our own dumps?
This CEM can be read without SBL (by address)

Yariy
Posts: 41
Joined: 1 July 2024
Year and Model: XC90
Location: Moskow
Has thanked: 13 times
Been thanked: 10 times

Post by Yariy »

Treur wrote: 14 Jul 2025, 09:09
WhizzMan wrote: 14 Jul 2025, 00:40
Yariy wrote: 13 Jul 2025, 10:40 Hi everybody. I wrote SBL for CEMB to read the full contents of the flash. While in test mode, CAN packets are transmitted in uncontrolled mode with 8 bytes of data. 512 KB is transmitted in 1.3 minutes. The period between CAN packets is 1.192 milliseconds. I receive all data packets on the table without errors. And now I have some questions. 1. Isn't the time between data packets 1.192 milliseconds short if you read the block remotely via the Internet? 2. Is it necessary to make the transfer of controlled request-response type instead of uncontrolled data transfer?
Would you be willing to share your code so we can do our own dumps?
This CEM can be read without SBL (by address)
That's right, you can count on the address. You can read in Program Mode and Diag Mode, but you will not read the EEPROM area that is blocked.

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

Yariy wrote: 14 Jul 2025, 09:49
Treur wrote: 14 Jul 2025, 09:09
WhizzMan wrote: 14 Jul 2025, 00:40

Would you be willing to share your code so we can do our own dumps?
This CEM can be read without SBL (by address)
That's right, you can count on the address. You can read in Program Mode and Diag Mode, but you will not read the EEPROM area that is blocked.
This CEM isn't interesting to read over CAN at all. First, you need the PIN, and to get it you have to hook up via BDM, and if we're already on the wires, why stand on ceremony!?))) Now the 835, that is interesting (the 855 I read and write over CAN).

Yariy
Posts: 41
Joined: 1 July 2024
Year and Model: XC90
Location: Moskow
Has thanked: 13 times
Been thanked: 10 times

Post by Yariy »

Treur wrote: 14 Jul 2025, 11:29
Yariy wrote: 14 Jul 2025, 09:49
Treur wrote: 14 Jul 2025, 09:09

This CEM can be read without SBL (by address)
That's right, you can count on the address. You can read in Program Mode and Diag Mode, but you will not read the EEPROM area that is blocked.
This CEM isn't interesting to read over CAN at all. First, you need the PIN, and to get it you have to hook up via BDM, and if we're already on the wires, why stand on ceremony!?))) Now the 835, that is interesting (the 855 I read and write over CAN).
There is a trick that allows you to read the PIN code using CAN. I can't tell you about this trick here. They shared it with me and I gave my word not to reveal secrets.

Dudde
Posts: 64
Joined: 22 January 2020
Year and Model: 2005 V70 and more
Location: Finland
Has thanked: 14 times
Been thanked: 17 times

Post by Dudde »

Yariy wrote: 14 Jul 2025, 09:49
There is a trick that allows you to read the PIN code using CAN. I can't tell you about this trick here. They shared it with me and I gave my word not to reveal secrets.
How is this possible on CEM B?

Yariy
Posts: 41
Joined: 1 July 2024
Year and Model: XC90
Location: Moskow
Has thanked: 13 times
Been thanked: 10 times

Post by Yariy »

Dudde wrote: 14 Jul 2025, 12:00
Yariy wrote: 14 Jul 2025, 09:49
There is a trick that allows you to read the PIN code using CAN. I can't tell you about this trick here. They shared it with me and I gave my word not to reveal secrets.
How is this possible on CEM B?
The security hole

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

Yariy wrote: 14 Jul 2025, 11:36
Treur wrote: 14 Jul 2025, 11:29
Yariy wrote: 14 Jul 2025, 09:49
That's right, you can count on the address. You can read in Program Mode and Diag Mode, but you will not read the EEPROM area that is blocked.
This CEM isn't interesting to read over CAN at all. First, you need the PIN, and to get it you have to hook up via BDM, and if we're already on the wires, why stand on ceremony!?))) Now the 835, that is interesting (the 855 I read and write over CAN).
There is a trick that allows you to read the PIN code using CAN. I can't tell you about this trick here. They shared it with me and I gave my word not to reveal secrets.
If you've said A, say B too, but in principle the line of thinking is clear and it's not hard to work out the rest)))) The principle is the same as how the terminal decrypts the eprom.

porcupine7655
Posts: 24
Joined: 28 April 2025
Year and Model: 2006
Location: Sweden
Has thanked: 4 times
Been thanked: 18 times

Post by porcupine7655 »

Next small step with my V70 BiFuel 2006.
Readout of CEM-L with M30855FW CPU using an SBL.
Only read implemented so far.
Decryption of the EEPROM data is implemented, but it is not verified that the data is correct. It looks good, many more 0 values now and not just random. Parts that were FF (unused) now look random, but that is as expected.
Sharing both the C source for the SBL and a Python script using it. I'm running on an old Raspberry Pi using socketcan. There is a long delay between every message sent over CAN, as otherwise I get overflow in socketcan on the Raspberry end. Maybe I should upgrade my old v3 Raspberry to something faster and newer.
I have only tested it on the bench, not in the car.

Code:

~/cem/tools/sbl $ python3 sblflasher.py
Bus sleep....Bus idle
Check SBL running..NO
Sending SBL....Done
Checking loaded SBL OK
Starting SBL Done
Check SBL running..YES
Read memory 0xfb0000 -- 0xffffff.
  0xfb0000................
  0xfc0000................
  0xfd0000................
  0xfe0000................
  0xff0000................
  Checking CRC..OK
Read memory 0x0 -- 0x7ff.
  0x000000
  Checking CRC..OK
Read memory 0xffff00 -- 0xffff3c.
  0xffff00
  Checking CRC..OK
Exiting, Restart bus.Done
Attachments
cem-l_m30855FW_sbl_reader.zip
(153.11 KiB) Downloaded 66 times
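
An added illustration, not code from any poster or from the attached archives: a bus-free Python simulation of the two transfer styles asked about in the thread, a free-running stream of 8-byte frames versus block reads that are confirmed by a CRC as in the log above. The block size, the use of CRC-32, reading "512 KB" as 512 × 1024 bytes, the sample image and all function names are assumptions made for the example.

```python
import zlib

FRAME_DATA = 8              # payload bytes per CAN frame, as in the thread
FRAME_PERIOD_S = 1.192e-3   # frame period quoted in the thread

def stream_time(total_bytes, period_s=FRAME_PERIOD_S):
    """Seconds needed to send total_bytes as back-to-back 8-byte frames."""
    frames = -(-total_bytes // FRAME_DATA)      # ceiling division
    return frames * period_s

def send_uncontrolled(image, dropped):
    """Receiver's view of a free-running stream; frame numbers in `dropped`
    never arrive. With all 8 bytes used for data there is no sequence number,
    so the receiver just concatenates whatever shows up."""
    frames = [image[i:i + FRAME_DATA] for i in range(0, len(image), FRAME_DATA)]
    return b"".join(f for n, f in enumerate(frames) if n not in dropped)

def read_blocks(image, block_size, lossy_blocks, max_retries=3):
    """Request/response read: every block comes with a CRC-32 and is requested
    again on mismatch. Blocks in `lossy_blocks` lose one frame on first try."""
    out, retries, pending = bytearray(), 0, set(lossy_blocks)
    for idx, off in enumerate(range(0, len(image), block_size)):
        block = image[off:off + block_size]
        want = zlib.crc32(block)                # CRC reported by the sender
        for _ in range(max_retries + 1):
            got = block
            if idx in pending:                  # simulate one lost frame
                pending.discard(idx)
                got = block[FRAME_DATA:]
            if len(got) == len(block) and zlib.crc32(got) == want:
                out += got
                break
            retries += 1
        else:
            raise IOError(f"block {idx} failed after {max_retries} retries")
    return bytes(out), retries

# Constructed sample image (not a real dump).
IMAGE = bytes((i * 31 + 7) & 0xFF for i in range(4096))

if __name__ == "__main__":
    print(f"512 KiB stream: {stream_time(512 * 1024):.1f} s")
    rx = send_uncontrolled(IMAGE, {100})
    print("uncontrolled: short by", len(IMAGE) - len(rx), "bytes, tail shifted")
    data, n = read_blocks(IMAGE, 256, {3, 9})
    print("block read intact:", data == IMAGE, "retries:", n)
```

In the uncontrolled case the only symptom of a lost frame is a short image whose tail is shifted by 8 bytes; the block read localizes the loss to one block and repeats only that block.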
