Vida CEM swapping
-
vtl
- Posts: 4723
- Joined: 16 August 2012
- Year and Model: 2005 XC70
- Location: Boston
- Has thanked: 114 times
- Been thanked: 603 times
Re: Vida CEM swapping
Make it opensource, and I can make it work under the sane operating system (Linux) 
-
porcupine7655
- Posts: 24
- Joined: 28 April 2025
- Year and Model: 2006
- Location: Sweden
- Has thanked: 4 times
- Been thanked: 18 times
> porcupine7655 wrote: ↑16 Jul 2025, 23:51
> > porcupine7655 wrote: ↑15 Jul 2025, 13:11
> > Next small step with my V70 BiFuel 2006.
> > Readout of CEM-L with M30855FW cpu using a SBL.
> > Only read implemented so far.
> > Decrypt of eeprom data is implemented but not verified that data is correct. It looks good, much more 0 values now and not just random. Parts that were FF (unused) now look like random, but it is as expected.
> > Sharing both C source for the sbl and a python script using it. I'm running on an old raspberry pi using socketcan. There is a long delay between every message sent over can as otherwise I get overflow in socketcan in the raspberry end. Maybe I should upgrade my old v3 raspberry to something faster and newer.
> > I have only tested it on bench, not in car.
>
> Looked somewhat more on the decrypted eeprom data. It is correctly decrypted as all data is in two records.
> Yellow is first instance of data, green backup.
> (Red is unused area, FF in unencrypted)
> cem-eeprom-backup-pages.png

Wanted to verify that I have understood how data is stored in eeprom. Just how, not what.
How crc is calculated, if all records are duplicated, if any data is stored in different way etc.
I wrote a quick python hack that extracts all data blobs in a decrypted eeprom image and checks the crc of them.
In the script it only looks for records that have one exact same backup record.
All other addresses are printed as unmapped.
In the cem code I have found the descriptor table that tells what addresses are used in eeprom and where the data is mirrored into ram. And some more information. But this is not used in this python script.
I attach the script if someone wants it or is interested.
In my dump I have cross checked the unmapped area with the raw encrypted eeprom dump and all of these addresses are 0xff.
Code:
Records:
018--027: 000000000000 CRC b475 OK
034--047: 31d3b9698fa4843a CRC 2dd8 OK
048--04f: 0000 CRC 51e2 OK
050--063: 0000000000000000 CRC 2479 OK
134--143: 224063327188 CRC c357 OK
144--15f: 30dd615aec78f992eb8faed7 CRC 0fee OK
160--16b: 23360400 CRC ba93 OK
16c--177: 2ad7f993 CRC c653 OK
178--183: cbdd95ef CRC 93fd OK
1b4--1bb: 4079 CRC 714a OK
1bc--1c7: 0a000300 CRC f5f8 OK
1c8--1cf: 0000 CRC 51e2 OK
1d0--217: 411e3c6d000000000000000000000000000000000000000000000000000000000100 CRC 2648 OK
220--227: 0000 CRC 51e2 OK
228--237: 000000000000 CRC b475 OK
238--23f: 0000 CRC 51e2 OK
240--277: 0101000000004201000000000000000000000000000000001000 CRC e8ab OK
278--2af: 0000800000000000000000000000000000000000000000000000 CRC 9c74 OK
2b0--2e7: 0000000000000000000000000000640000000000000000000000 CRC d6cd OK
2e8--31f: 000000000000000064000000000000000000000000000014affe CRC edbc OK
320--357: 000064067306037d000000000000000000151100000064067306 CRC e513 OK
358--38f: 03040100ff0008000000047960fe000059067306ff0101000000 CRC e915 OK
390--3c7: 00000c546087ba430c2a61062efd03010100000000000c546087 CRC b4d4 OK
3c8--3ff: bb430c2a60062efdb30e0000000000000c54609334430c2b6006 CRC 7408 OK
400--437: 2efd470f0100000000000d42b95f6c430c01740608a500000000 CRC 4417 OK
438--46f: 000000000d42b969f5460c02740608ab43000000000000000d31 CRC 93ee OK
470--4a7: 5da98b3f0ff97305bf86000100048a0000000d315db4113f0ff8 CRC f642 OK
4a8--4df: 7005bf8600000000000000000d338e4cc6460ffb7105c8230f9e CRC 6f4f OK
4e0--4eb: 06730600 CRC c57e OK
504--50f: e98b0400 CRC f001 OK
510--51f: d713866c5a04 CRC 932b OK
538--56f: 0000000000000e4188990b350fe56606071b0300000000000000 CRC 2125 OK
570--577: 0100 CRC 89fb OK
578--57f: 5000 CRC a631 OK
580--587: 0001 CRC d8f3 OK
588--58f: 0100 CRC 89fb OK
590--5c7: 0501020304050000000000000000004d014d0100002600e6004d CRC b20a OK
5c8--5cf: 0000 CRC 51e2 OK
5d0--5d7: 0100 CRC 89fb OK
5f8--60b: 830d000000000000 CRC 5916 OK
60c--643: 016500b400220123010100280020012201020021000600060000 CRC fb7c OK
644--67b: 00d7000200020000001500020002000000160002000200000037 CRC d15c OK
67c--6b3: 00460146010000a000460146010000a800000400040000cd0000 CRC b2a2 OK
6b4--6eb: 04000404000c000004000400008100b801bd0103008600000000 CRC ea7d OK
6f8--72f: 0000000000000000000000006400000000000000000000000000 CRC 19a1 OK
Unmapped:
000--017: 97e29f19e9ccfa7d29a2857821aa58e8bbdd82ec02c552ae
028--033: 362201c6d0e39387115e54b0
064--133: 903d2909ced9ea9a8e18565ca7f161780f6135cac7f286f38e08fbdee86e3ab1966a33b849f9aacc94fa14d245b9e206b6de03eba8b8be72ef78d1b62189243010d7c1f28d990f414baff9687106683cc2cff98df88503f3d6e16733b89f623bb746f6a5c39cf21ddb4cb0eb0ebed508e0a3b3b67ae671d8bf28812c0727e0f6c5b5a136787296c050493d5307f9f4c1b5c1bc3acaefd95f0c87a05d048f7ecf9cfaa5cb25e3778bd03585ed30d99a8a8f43de49ef881fb61b0f2fe9ffccbca83e70799dcb5b42355b0ef0fdc8bcc9b4
184--1b3: 669ac1249bf32ec68595905dc057fe990ea7091d3dfaecdfafba2c62688cda4a54234d19e7eadfaadfa224d4f1c74216
218--21f: 5b151ffaac3c2552
4ec--503: 8793b37462512134a2ece60254c4dea9c7936d6055205528
520--537: 1613df42d27b1c8b228f9bba7d6b58283caae7ed095fcfd6
5d8--5f7: 7db12fb81176e148e5f0d01701324256cf818b6f39a9b0c6a8fc020f3a4e3845
6ec--6f7: e414310781d55d7a87de55a4
730--7ff: 827e27ac5dedbed888e608ce59a5fe1aaac21ff7b4a4a26ef364cdaa3d95382c0ccbddee998d1b555fbbed7c65127c28d6dbed99ec9117e7c2f57327ac8b762fbb4afaa9cf90fe11d740bce702b2d904ecafbfba76ea7dd4b3248d203313d4c2f18195024c46a2f4647d096733cdc0f581f5880efedbed6b30bb9c6138b342f3a0c699f719df4bb7ec09b9d10ce5a6b6b37fe275dbbc2b822f3b1bddcbf8889c0a444da9ff6f76016f3ac4c9fc88fd8039c9ecda5c0883a558018a7bcb98fda2cc22e4738fd53080e835dd9e898c40dd
- Attachments
-
- eeprom data blobs.zip
- (972 Bytes) Downloaded 49 times
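The mirrored-record check described in the post above, sketched as an added example (not the attached script and not code from this thread). It assumes each copy is a payload plus a 2-byte big-endian CRC with the backup copy directly after it, and uses CRC-16/CCITT-FALSE as a stand-in because the thread does not state the CEM's CRC parameters; `crc16`, `match_at`, `scan`, `copy_of` and `IMAGE` are hypothetical names and the image is constructed.

```python
# Added example, not the post's script. ASSUMED layout: payload + 2-byte big-endian
# CRC, backup copy directly after. CRC-16/CCITT-FALSE is a stand-in (pass crc_fn).

def crc16(data, crc=0xFFFF, poly=0x1021):
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def match_at(image, pos, crc_fn, min_len, max_len):
    """Return (copy_len, crc_ok) for a mirrored pair starting at pos, or None."""
    fallback = None
    for n in range(max_len, min_len - 1, -2):        # try the longest copy first
        a, b = image[pos:pos + n], image[pos + n:pos + 2 * n]
        if len(b) != n or a != b:
            continue
        if crc_fn(a[:-2]) == int.from_bytes(a[-2:], "big"):
            return n, True                           # mirrored and CRC verifies
        fallback = fallback or (n, False)            # mirrored, CRC mismatch
    return fallback

def scan(image, crc_fn=crc16, min_len=4, max_len=64):
    """Split image into mirrored records and unmapped (start, end) ranges."""
    records, unmapped, pos = [], [], 0
    while pos < len(image):
        hit = match_at(image, pos, crc_fn, min_len, max_len)
        if hit is None:                              # no mirrored pair starts here
            if unmapped and unmapped[-1][1] == pos - 1:
                unmapped[-1] = (unmapped[-1][0], pos)    # extend the current gap
            else:
                unmapped.append((pos, pos))
            pos += 1
            continue
        n, ok = hit
        records.append((pos, pos + 2 * n - 1, image[pos:pos + n - 2].hex(), ok))
        pos += 2 * n
    return records, unmapped

def copy_of(payload):
    return payload + crc16(payload).to_bytes(2, "big")
# Constructed sample image (not data from the post): filler, two healthy
# mirrored records, filler, then a mirrored record whose stored CRC is wrong.
FILL = bytes(range(0x10, 0x1C))
IMAGE = (FILL + copy_of(b"\x01\x02\x03\x04") * 2 + copy_of(b"\xaa\xbb") * 2
         + FILL[:5] + b"\x05\x06\xde\xad" * 2)

for start, end, payload, ok in scan(IMAGE)[0]:
    print(f"{start:03x}--{end:03x}: {payload} CRC {'OK' if ok else 'BAD'}")
```

If a single byte of either copy differs, the pair no longer matches and its whole range is reported as unmapped, which is the same rule the post describes for records without one exact backup.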
-
oscilloscope
- Posts: 285
- Joined: 20 May 2022
- Year and Model: 2005
- Location: uk
- Has thanked: 27 times
- Been thanked: 11 times
> dikidera wrote: ↑16 Jul 2025, 01:37
> > porcupine7655 wrote: ↑15 Jul 2025, 13:11
> > Next small step with my V70 BiFuel 2006.
> > Readout of CEM-L with M30855FW cpu using a SBL.
> > Only read implemented so far.
> > Decrypt of eeprom data is implemented but not verified that data is correct. It looks good, much more 0 values now and not just random. Parts that were FF (unused) now look like random, but it is as expected.
> > Sharing both C source for the sbl and a python script using it. I'm running on an old raspberry pi using socketcan. There is a long delay between every message sent over can as otherwise I get overflow in socketcan in the raspberry end. Maybe I should upgrade my old v3 raspberry to something faster and newer.
> > I have only tested it on bench, not in car.
> > Code:
> > ~/cem/tools/sbl $ python3 sblflasher.py
> > Bus sleep....Bus idle
> > Check SBL running..NO
> > Sending SBL....Done
> > Checking loaded SBL OK
> > Starting SBL Done
> > Check SBL running..YES
> > Read memory 0xfb0000 -- 0xffffff.
> > 0xfb0000................
> > 0xfc0000................
> > 0xfd0000................
> > 0xfe0000................
> > 0xff0000................
> > Checking CRC..OK
> > Read memory 0x0 -- 0x7ff.
> > 0x000000
> > Checking CRC..OK
> > Read memory 0xffff00 -- 0xffff3c.
> > 0xffff00
> > Checking CRC..OK
> > Exiting, Restart bus.Done
>
> Please try sudo ifconfig can0 txqueuelen 1000 / sudo ifconfig can1 txqueuelen 1000, this helped me when writing SBL. There were also issues in some kernels with the drivers that I had to downgrade to an earlier kernel.

I have been reading through your progress regarding what you're doing, I don't fully understand all of it. But it's very interesting, I was curious to know if there is any further info on process of SBL?
-
dikidera
- Posts: 1304
- Joined: 15 August 2022
- Year and Model: S60 2005
- Location: Galaxy far far away
- Has thanked: 67 times
- Been thanked: 175 times
Not always. Linux has a lot of fragmentation and often regression bugs with certain drivers, necessitating either a downgrade or downright recompilation of the kernel with git cherry-pick of the commits for certain drivers. What works on one operating system (flavor) may not work on another.
I have used it a lot, compiled so many phone kernels back in the day, and various other Linux projects.
For Linux, since we don't have a registry, I guess a simple selector for the .so library will work, or perhaps we can search for some env variable much like LD_PRELOAD, or did you mean by Wine or perhaps python-can?
-
porcupine7655
- Posts: 24
- Joined: 28 April 2025
- Year and Model: 2006
- Location: Sweden
- Has thanked: 4 times
- Been thanked: 18 times
> oscilloscope wrote: ↑26 Jul 2025, 07:55
> > dikidera wrote: ↑16 Jul 2025, 01:37
> > > porcupine7655 wrote: ↑15 Jul 2025, 13:11
> > > Next small step with my V70 BiFuel 2006.
> > > Readout of CEM-L with M30855FW cpu using a SBL.
> > > Only read implemented so far.
> > > Decrypt of eeprom data is implemented but not verified that data is correct. It looks good, much more 0 values now and not just random. Parts that were FF (unused) now look like random, but it is as expected.
> > > Sharing both C source for the sbl and a python script using it. I'm running on an old raspberry pi using socketcan. There is a long delay between every message sent over can as otherwise I get overflow in socketcan in the raspberry end. Maybe I should upgrade my old v3 raspberry to something faster and newer.
> > > I have only tested it on bench, not in car.
> > > Code:
> > > ~/cem/tools/sbl $ python3 sblflasher.py
> > > Bus sleep....Bus idle
> > > Check SBL running..NO
> > > Sending SBL....Done
> > > Checking loaded SBL OK
> > > Starting SBL Done
> > > Check SBL running..YES
> > > Read memory 0xfb0000 -- 0xffffff.
> > > 0xfb0000................
> > > 0xfc0000................
> > > 0xfd0000................
> > > 0xfe0000................
> > > 0xff0000................
> > > Checking CRC..OK
> > > Read memory 0x0 -- 0x7ff.
> > > 0x000000
> > > Checking CRC..OK
> > > Read memory 0xffff00 -- 0xffff3c.
> > > 0xffff00
> > > Checking CRC..OK
> > > Exiting, Restart bus.Done
> >
> > Please try sudo ifconfig can0 txqueuelen 1000 / sudo ifconfig can1 txqueuelen 1000, this helped me when writing SBL. There were also issues in some kernels with the drivers that I had to downgrade to an earlier kernel.
>
> I have been reading through your progress regarding what you're doing, I don't fully understand all of it. But it's very interesting, I was curious to know if there is any further info on process of SBL?

Nothing done yet. Too much to do in other areas of life. Plan still exists to add write support of both eeprom and internal flash.