Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Re: Vida CEM swapping

Post by Treur »

porcupine7655 wrote: 14 Aug 2025, 08:20
I think, you did it on CEM with 835CPU.
Try decrypted eep dump from 855 in attach, can you see anything?
eep_855_dec.zip
(1.3 KiB) Downloaded 42 times

porcupine7655
Posts: 24
Joined: 28 April 2025
Year and Model: 2006
Location: Sweden
Has thanked: 4 times
Been thanked: 18 times

Post by porcupine7655 »

Treur wrote: 14 Aug 2025, 22:38 I think, you did it on CEM with 835CPU.
Try decrypted eep dump from 855 in attach, can you see anything?
eep_855_dec.zip
It is from a cem with a M30855FWUGP cpu.
Your dump is different than mine. The immo records are not stored in the same way. The rest of the data looks like it is.
In mine all stored data is in duplets with a crc after each. In this dump the immo data is stored in a different way.
Can you share the flash as well? I can't promise that I will take a look at how it is stored, but if I have it the probability increases.
It will also be easier to have the raw eeprom dump to see what area has nothing stored in it.

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

porcupine7655 wrote: 15 Aug 2025, 10:00 It is from a cem with a M30855FWUGP cpu.
Your dump is different than mine. The immo records are not stored in the same way. The rest of the data looks like it is.
In mine all stored data is in duplets with a crc after each. In this dump the immo data is stored in a different way.
Can you share the flash as well? I can't promise that I will take a look at how it is stored, but if I have it the probability increases.
It will also be easier to have the raw eeprom dump to see what area has nothing stored in it.
I'm looking at this dump now and I have a very strong feeling that I decrypted it with the wrong algorithm. 835 has 61 byte code, and 855, as far as I remember, has 2048 bytes. And it seems to me that I decrypted it with the algorithm from 835.

porcupine7655
Posts: 24
Joined: 28 April 2025
Year and Model: 2006
Location: Sweden
Has thanked: 4 times
Been thanked: 18 times

Post by porcupine7655 »

Treur wrote: 15 Aug 2025, 10:36
porcupine7655 wrote: 15 Aug 2025, 10:00 It is from a cem with a M30855FWUGP cpu.
Your dump is different than mine. The immo records are not stored in the same way. The rest of the data looks like it is.
In mine all stored data is in duplets with a crc after each. In this dump the immo data is stored in a different way.
Can you share the flash as well? I can't promise that I will take a look at how it is stored, but if I have it the probability increases.
It will also be easier to have the raw eeprom dump to see what area has nothing stored in it.
I'm looking at this dump now and I have a very strong feeling that I decrypted it with the wrong algorithm. 835 has 61 byte code, and 855, as far as I remember, has 2048 bytes. And it seems to me that I decrypted it with the algorithm from 835.
Don't think you have used the wrong algo. There are a lot of records with correct crc and they have a duplicate. If you used the wrong algo this would not show up. BUT in the area where I have immo data in my cem it finds no records.

Code:

Records:
  018--01f: 000000000000 CRC b475 OK
  020--027: 000000000000 CRC b475 OK
  034--03d: ba7d84920dbabfb8 CRC df89 OK
  03e--047: ba7d84920dbabfb8 CRC df89 OK
  1b4--1b7: 0010 CRC d0f2 OK
  1b8--1bb: 0010 CRC d0f2 OK
  228--22f: 000000000200 CRC 0446 OK
  230--237: 000000000200 CRC 0446 OK
  238--23b: 0000 CRC 51e2 OK
  23c--23f: 0000 CRC 51e2 OK
  240--25b: 0101c5df03000000000000000000001000000080040000003180 CRC 5973 OK
  25c--277: 0101c5df03000000000000000000001000000080040000003180 CRC 5973 OK
  278--293: 0100800000000000000000000000000000000000000000000000 CRC ccb9 OK
  294--2af: 0100800000000000000000000000000000000000000000000000 CRC ccb9 OK
  2b0--2cb: 000000000000001bf17e72fe00005c0000000000000000000000 CRC d837 OK
  2cc--2e7: 000000000000001bf17e72fe00005c0000000000000000000000 CRC d837 OK
  2e8--303: 001bf17f31fe00005d0000000000000000000000081bf17f50fe CRC 0db3 OK
  304--31f: 001bf17f31fe00005d0000000000000000000000081bf17f50fe CRC 0db3 OK
  320--33b: 00005d0000000000000000000000001bf17f60fe00005c000000 CRC f0d6 OK
  33c--357: 00005d0000000000000000000000001bf17f60fe00005c000000 CRC f0d6 OK
  358--373: 000000000000000002001bf17ff7fe00005c0000000000000000 CRC 004b OK
  374--38f: 000000000000000002001bf17ff7fe00005c0000000000000000 CRC 004b OK
  390--3ab: 0000001bf188cbfe00005a00000000000000000000000b0a1bf1 CRC efa2 OK
  3ac--3c7: 0000001bf188cbfe00005a00000000000000000000000b0a1bf1 CRC efa2 OK
  3c8--3e3: 8c3cfe000059000000000000000000000a1bf18f99fe00005900 CRC 5b51 OK
  3e4--3ff: 8c3cfe000059000000000000000000000a1bf18f99fe00005900 CRC 5b51 OK
  400--41b: 000000000000000000000a1bf18ccefe00005900000000000000 CRC 270d OK
  41c--437: 000000000000000000000a1bf18ccefe00005900000000000000 CRC 270d OK
  438--453: 000000000a1bf18ccffe00005900000000000000000000000a1b CRC e54c OK
  454--46f: 000000000a1bf18ccffe00005900000000000000000000000a1b CRC e54c OK
  470--48b: f18cd0fe00005900000000000000000000000a1bf18cd1fe0000 CRC 6c11 OK
  48c--4a7: f18cd0fe00005900000000000000000000000a1bf18cd1fe0000 CRC 6c11 OK
  4a8--4c3: 5900000000000000000000000a1bf18cd2fe0000590000000000 CRC d6e5 OK
  4c4--4df: 5900000000000000000000000a1bf18cd2fe0000590000000000 CRC d6e5 OK
  504--509: f39df11b CRC 51e1 OK
  50a--50f: f39df11b CRC 51e1 OK
  510--517: 000000000000 CRC b475 OK
  518--51f: 000000000000 CRC b475 OK
  538--553: 0000000000000a1bf18eaffe0000590000000000000000000000 CRC 1653 OK
  554--56f: 0000000000000a1bf18eaffe0000590000000000000000000000 CRC 1653 OK
  570--573: 0100 CRC 89fb OK
  574--577: 0100 CRC 89fb OK
  578--57b: 5000 CRC a631 OK
  57c--57f: 5000 CRC a631 OK
  580--583: 0101 CRC 00ea OK
  584--587: 0101 CRC 00ea OK
  590--5ab: 0e010203040506070e08090a0b0c0d000014001400b00000000f CRC 3b1e OK
  5ac--5c7: 0e010203040506070e08090a0b0c0d000014001400b00000000f CRC 3b1e OK
  60c--627: 000d00b50007000f0004008f0007000f000400920000000f0004 CRC 31b3 OK
  628--643: 000d00b50007000f0004008f0007000f000400920000000f0004 CRC 31b3 OK
  644--65f: 0000000e000e000000b40007000a000200020009000a000100d7 CRC a5fb OK
  660--67b: 0000000e000e000000b40007000a000200020009000a000100d7 CRC a5fb OK
  67c--697: 0007000a0002000f0007000a000200100007000a000200110007 CRC 599e OK
  698--6b3: 0007000a0002000f0007000a000200100007000a000200110007 CRC 599e OK
  6b4--6cf: 000a000200bf0007000a000200c00009000a0001006c00000000 CRC 465e OK
  6d0--6eb: 000a000200bf0007000a000200c00009000a0001006c00000000 CRC 465e OK
  6f8--713: 0000000000000000000000000100000000000000000000000000 CRC 9aca OK
  714--72f: 0000000000000000000000000100000000000000000000000000 CRC 9aca OK
Unmapped:
  000--017: 64a52a14f92f734403feff6bfe86ae512cfb12b02879f2a4 
  028--033: 276070002746250ebd4d30f5 
  048--1b3: eacf220c0daa58db6478d2a850d984b7a9ad1cf95189e33bb007a0c67c74bbbb30e0fcde36c1dae834ef25b031518c8bbe81a0c8259286062c0a36e85915308c11f255f678640cc1a954c7bdb78dd614c016761cc44ff87b407c74bbbb9be009e436c1da5660643c74354fb77c7839a0c8250409ca4365fb5382edd870e60daa7d20670a2d57af267b485ae7e306ae761cc4d977b72f13b900606308f513c93e510e6362d08aceae717c50f5a0c8259286062c0a36e85915308c11f255f6c69b872d57af267b48722be331fd761cc44ff87b407c74bbbb9be009e436c1dae89fefd08aceae717c7839a0ff762f407cd5e6b88614a8f6f6e81edb988b03d00a3d609d46f3d752a5c33b5d84936892b4fb41cf1ec2dd259ccf5b5c731738febd176751d66d5302563c4de9ad3ddafe5e9305712afe3eec0992dce9a833c690743fb834a21361b93c64030ca300bc43185f4c3c1b7a193380710cc96b6c513ceb4ef1b6c459981729c4124e7b3c 
  1bc--227: 09396478e1a650d984b7beda1cf9006be33be1e55e9da0c34444641ff61bc93e251760102f7531518e8387c65f37da6d79f9d3f5c8172e201551cd45aa09396478d2a850d984b78dd41cf95189e33bb00784bf838b4444641ef69303f7067bbf1d1a204d518ed265c65f6638 
  4e0--503: 3c66fd512a28d3ca03841c4896d1c2b295f497bd0eff8247e5e2dbb661c47b3c4ed3129d 
  520--537: 3abfe68189268539c69ed9cbbb9cfd9eb506f4894ceee9d3 
  588--58f: 73ee5c480939359a 
  5c8--60b: aa09688678d2f9b2d8843e76d51c70aad188ece34cef53acf4b2a1d1f697f4df6392ef2a888fb5d90eab145321bd7ff07e71f9d3d1e117a6cc8160e60daa2d116478f4e6 
  6ec--6f7: e904d28eb8ff010094017952 
  730--7ff: f86df880ab5429fe18ba2272f9af4b018905932250880e57303f90338f71296e7d0d2a4b2f04b7463bfe5c5a600dda7fc087f66aab241af7217c4a0df0f165f097bc433ee900a23b6be0b65219911e88394b93164f2926892a9669317162123554371cae5f22e745427816c164db9cee72b23d03ee3864521ae7e672e79fb44a37e009ab3363ebbd59129a168030429a1f46212e862599663e796a1b3c5d3e15a65729ec4e49731ec96dd295e77bba3534d90f536522dfdf4bdea68d720fdb32900858d385602ba32fb9087aa520791e 
Edit: Attaching the script used. It tries to find data blobs that end with a correct crc16 checksum. Data blobs are up to 0x40 bytes big. The size is limited to speed up running and minimize the risk of false positives. This is different from the script I shared before. That one looks for data blocks that have exactly the same data twice in a row. After finding one, it checks the crc.
Attachments
cem_eeprom_records2.zip
(1.31 KiB) Downloaded 36 times
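
The two checks described in the post above (a blob that ends in a valid CRC16, and the same blob stored twice in a row), combined into one scanner as an added example; this is not the attached script or any code from the thread. The CEM's real CRC parameters and byte order are not stated in the thread, so CRC-16/CCITT-FALSE stored big-endian is an assumption, and the sample image, payloads, gap bytes and the `wrong_key_view` keystream are constructed.

```python
import random

MAX_PAYLOAD = 0x40   # blob size limit quoted in the post
CRC_INIT = 0xFFFF    # assumption: CRC-16/CCITT-FALSE stands in for the CEM's CRC


def crc16_update(crc: int, byte: int) -> int:
    """Feed one byte into a CRC-16 with polynomial 0x1021, MSB first."""
    crc ^= byte << 8
    for _ in range(8):
        crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
        crc &= 0xFFFF
    return crc


def make_record(payload: bytes) -> bytes:
    """Payload followed by its CRC (big-endian storage is an assumption)."""
    crc = CRC_INIT
    for byte in payload:
        crc = crc16_update(crc, byte)
    return payload + crc.to_bytes(2, "big")


def find_records(image: bytes, require_mirror: bool = True):
    """Return (start, end_inclusive, payload) for each accepted record.

    A candidate is payload + CRC16(payload). With require_mirror the same
    bytes must repeat directly afterwards, which suppresses the chance
    matches a 16-bit checksum produces on arbitrary data.
    """
    found, pos = [], 0
    while pos < len(image) - 2:
        crc, best = CRC_INIT, 0
        for n in range(1, MAX_PAYLOAD + 1):
            end = pos + n + 2
            if end > len(image):
                break
            crc = crc16_update(crc, image[pos + n - 1])  # CRC of image[pos:pos+n]
            if crc != int.from_bytes(image[pos + n:end], "big"):
                continue
            if require_mirror and image[end:end + n + 2] != image[pos:end]:
                continue
            best = n  # keep the longest payload that passes
        if not best:
            pos += 1
            continue
        size = best + 2
        copies = 2 if require_mirror else 1
        for start in range(pos, pos + copies * size, size):
            found.append((start, start + size - 1, image[start:start + best]))
        pos += copies * size
    return found


def mapped_fraction(image: bytes) -> float:
    """Share of the image covered by mirrored, CRC-valid records."""
    return sum(end - start + 1 for start, end, _ in find_records(image)) / len(image)


# Constructed sample: three records, each stored twice, separated by unmapped gaps.
PAYLOADS = [bytes.fromhex(h) for h in ("0102030405060708", "a1b2c3d4", "1020")]
GAP = bytes.fromhex("deadbeef")


def build_sample() -> bytes:
    image = b""
    for payload in PAYLOADS:
        image += GAP + make_record(payload) * 2
    return image + GAP


def wrong_key_view(image: bytes, seed: int = 855) -> bytes:
    """Constructed stand-in for a dump decoded with the wrong algorithm."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in image)


if __name__ == "__main__":
    sample = build_sample()
    for label, image in (("correct", sample), ("wrong", wrong_key_view(sample))):
        print(f"{label}: {mapped_fraction(image):.0%} mapped")
        for start, end, payload in find_records(image):
            print(f"  {start:03x}--{end:03x}: {payload.hex()}")
```

With `require_mirror=False` only the CRC is checked, and arbitrary bytes pass a 16-bit checksum about once per 65,536 candidates, which is why limiting the blob size reduces false positives.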

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

And the algorithm really was wrong. I received a couple of EEPROMs, and decrypted via IO-Terminal they look normal))) So now I need to write an algorithm for 855. I already found the key.
CEM 93C86 EEPROM dec_ori.zip
(1.23 KiB) Downloaded 42 times
I fixed the encryption algorithm and got -
Synchro: 746368207449
Crypto: 4AC0D73EE37CF551856C4892
Key pin: 730998
Key 1: C81AB88C
Key 2: C81AA475
Key 3: 8D300F5E
Key 4: AA8ED34F
Key 5: 121C920E
Key 6: 8C92CEB1

porcupine7655
Posts: 24
Joined: 28 April 2025
Year and Model: 2006
Location: Sweden
Has thanked: 4 times
Been thanked: 18 times

Post by porcupine7655 »

Treur wrote: 15 Aug 2025, 13:25 And the algorithm really was wrong. I received a couple of EEPROMs, and decrypted via IO-Terminal they look normal))) So now I need to write an algorithm for 855. I already found the key.

CEM 93C86 EEPROM dec_ori.zip

I fixed the encryption algorithm and got -
Synchro: 746368207449
Crypto: 4AC0D73EE37CF551856C4892
Key pin: 730998
Key 1: C81AB88C
Key 2: C81AA475
Key 3: 8D300F5E
Key 4: AA8ED34F
Key 5: 121C920E
Key 6: 8C92CEB1
I got almost the same result.

Code:

Records:
  018--01f: 000070867026 CRC 3441 OK
  020--027: 000070867026 CRC 3441 OK
  034--03d: e36bfdb1e0ef7812 CRC d763 OK
  03e--047: e36bfdb1e0ef7812 CRC d763 OK
  048--04b: 2000 CRC 62c1 OK
  04c--04f: 2000 CRC 62c1 OK
  134--13b: 746368207449 CRC 002b OK
  13c--143: 746368207449 CRC 002b OK
  144--151: 4ac0d73ee37cf551856c4892 CRC 0f93 OK
  152--15f: 4ac0d73ee37cf551856c4892 CRC 0f93 OK
  160--165: 73099800 CRC 383a OK
  166--16b: 73099800 CRC 383a OK
  16c--171: c81ab88c CRC 179c OK
  172--177: c81ab88c CRC 179c OK
  178--17d: c81aa475 CRC 68ca OK
  17e--183: c81aa475 CRC 68ca OK
  184--189: 8d300f5e CRC 4f16 OK
  18a--18f: 8d300f5e CRC 4f16 OK
  190--195: aa8ed34f CRC f7a3 OK
  196--19b: aa8ed34f CRC f7a3 OK
  1b4--1b7: 9089 CRC c5e2 OK
  1b8--1bb: 9089 CRC c5e2 OK
  1bc--1c1: 03000200 CRC 4e18 OK
  1c2--1c7: 03000200 CRC 4e18 OK
  1c8--1cb: 0000 CRC 51e2 OK
  1cc--1cf: 0000 CRC 51e2 OK
  1d0--1f3: 2b977026000000000000000000000000000000000000000000000000000000000100 CRC ec77 OK
  1f4--217: 2b977026000000000000000000000000000000000000000000000000000000000100 CRC ec77 OK
  220--223: 0000 CRC 51e2 OK
  224--227: 0000 CRC 51e2 OK
  228--22f: 000000000000 CRC b475 OK
  230--237: 000000000000 CRC b475 OK
  238--23b: 0000 CRC 51e2 OK
  23c--23f: 0000 CRC 51e2 OK
  240--25b: 0101000000080008000000000000000800000000108000000008 CRC 218c OK
  25c--277: 0101000000080008000000000000000800000000108000000008 CRC 218c OK
  278--293: 0000000000000000000000000000000000000000000000000000 CRC 70b4 OK
  294--2af: 0000000000000000000000000000000000000000000000000000 CRC 70b4 OK
  2b0--2cb: 0000000000000d25946de9510c2572054b6e01a400379a000000 CRC c146 OK
  2cc--2e7: 0000000000000d25946de9510c2572054b6e01a400379a000000 CRC c146 OK
  2e8--302: 00000c2594ce4f50001f5f054b6e01013e204b08000000000d CRC 25fc OK
  304--31e: 00000c2594ce4f50001f5f054b6e01013e204b08000000000d CRC 25fc OK
  320--33b: 94d4ab510c2073054b6e019300010a00000000000025ec174053 CRC 152a OK
  33c--357: 94d4ab510c2073054b6e019300010a00000000000025ec174053 CRC 152a OK
  358--373: 0c1665054c26019300010a00000000000d261831ee4d0c146f05 CRC da14 OK
  374--38f: 0c1665054c26019300010a00000000000d261831ee4d0c146f05 CRC da14 OK
  390--3ab: 4c7c645500010a0000000000002671bac2fe000064054d630191 CRC cdce OK
  3ac--3c7: 4c7c645500010a0000000000002671bac2fe000064054d630191 CRC cdce OK
  3c8--3e3: 00010a00000000000c2547b517fe00005d054a92019100010a00 CRC 6714 OK
  3e4--3ff: 00010a00000000000c2547b517fe00005d054a92019100010a00 CRC 6714 OK
  400--41b: 000000000c2547b518fe00005d054a92019500010a0000000000 CRC 9038 OK
  41c--437: 000000000c2547b518fe00005d054a92019500010a0000000000 CRC 9038 OK
  438--453: 0d2547d8c1530c2172054a9201a800002a00000000000d2551d2 CRC ee1d OK
  454--46f: 0d2547d8c1530c2172054a9201a800002a00000000000d2551d2 CRC ee1d OK
  470--48b: 27520c4b73054abe019500404a0000ff8e000d2551d22f520c4b CRC 993f OK
  48c--4a7: 27520c4b73054abe019500404a0000ff8e000d2551d22f520c4b CRC 993f OK
  4a8--4c3: 74054abe019000404a0000ff7e070d2551d3da510c4b69054abe CRC 6a38 OK
  4c4--4df: 74054abe019000404a0000ff7e070d2551d3da510c4b69054abe CRC 6a38 OK
  4e0--4e5: 634d0500 CRC ab35 OK
  4e6--4eb: 634d0500 CRC ab35 OK
  4ec--4f3: 8df8b13e0000 CRC dd6b OK
  4f4--4fb: 8df8b13e0000 CRC dd6b OK
  504--509: 93ba7126 CRC 2191 OK
  50a--50f: 93ba7126 CRC 2191 OK
  510--517: eb6563267902 CRC 6030 OK
  518--51f: eb6563267902 CRC 6030 OK
  538--553: 01b300058a00000000000d257ae5794c0c1271054b295f500005 CRC e3d7 OK
  554--56f: 01b300058a00000000000d257ae5794c0c1271054b295f500005 CRC e3d7 OK
  570--573: 0113 CRC 93d9 OK
  574--577: 0113 CRC 93d9 OK
  578--57b: 5000 CRC a631 OK
  57c--57f: 5000 CRC a631 OK
  580--583: 0001 CRC d8f3 OK
  584--587: 0001 CRC d8f3 OK
  590--5ab: 8a000000000000258fcf09520c1f64054b670000001600000000 CRC 8f9c OK
  5ac--5c7: 8a000000000000258fcf09520c1f64054b670000001600000000 CRC 8f9c OK
  5c8--5cb: 0000 CRC 51e2 OK
  5cc--5cf: 0000 CRC 51e2 OK
  5d0--5d3: 0100 CRC 89fb OK
  5d4--5d7: 0100 CRC 89fb OK
  5d8--5db: 0100 CRC 89fb OK
  5dc--5df: 0100 CRC 89fb OK
  5f8--601: e9270000d4110000 CRC 823c OK
  602--60b: e9270000d4110000 CRC 823c OK
  60c--627: 00000601020304050600000000000000000300d9008e001b0002 CRC 5b43 OK
  628--643: 00000601020304050600000000000000000300d9008e001b0002 CRC 5b43 OK
  644--65f: 00d8008d006b000400d8006f002b00a500a5000000940066008c CRC 548b OK
  660--67b: 00d8008d006b000400d8006f002b00a500a5000000940066008c CRC 548b OK
  67c--697: 0002009f00000000000000bb003e003e00000011003e003e0000 CRC 182e OK
  698--6b3: 0002009f00000000000000bb003e003e00000011003e003e0000 CRC 182e OK
  6b4--6cf: 00120002003a0025002b00310031000000170031003100000016 CRC fea1 OK
  6d0--6eb: 00120002003a0025002b00310031000000170031003100000016 CRC fea1 OK
  6ec--6f1: 01000000 CRC 8812 OK
  6f2--6f7: 01000000 CRC 8812 OK
  6f8--713: 0000000000000000000000000000000000000000000000000000 CRC 70b4 OK
  714--72f: 0000000000000000000000000000000000000000000000000000 CRC 70b4 OK
  768--783: c027090000000000000000000000000000000000000001004800 CRC 0d62 OK
  784--79f: c027090000000000000000000000000000000000000001004800 CRC 0d62 OK
  7a0--7bb: 0031003100000037000b000b0000009f00030003000000940000 CRC faab OK
  7bc--7d7: 0031003100000037000b000b0000009f00030003000000940000 CRC faab OK
  7e4--7e9: 00080000 CRC f1c8 OK
  7ea--7ef: 00080000 CRC f1c8 OK
Unmapped:
  000--017: 8c0e9bd06c760d32cd70835e660650f934773485a4a4d4bf 
  028--033: a97f6c9bc8722e21af32ad17 
  050--133: 8cadacdcb072741ba981a711711aa52d48f1f8f425a2746493c17b2728a63aa50049b0a8a8a276a1bfe39d1f8ac17e641f21de63904c741441e825662293b2b3c3a86a6d02b098be096901be3653eae0ec3cbb6d7d8ad963303fb12db20841b9a1a1ab7fa9b7e8961481ca766c1628d76a99447c1b4ee72a692a9bbbbacaa163650abb93b5026209b63f5ae3e9e534b35a4abdee54080788148b317881999a9044928cd0ae2db8f34f552e10e855a67b432376de135013a28382f19a585e3183ab8c3b5b308f0762d4ded203845242b4e75d010e801c803a738a9292984d9b85d9a725b0 
  19c--1b3: 121c920e912b629b84848e5a8c92ceb133a6ed514b300df2 
  218--21f: e579e65d14edf5f5 
  303--303: 00 
  31f--31f: 00 
  4fc--503: 04d00618443bb92c 
  520--537: c7ac139bf9404a469710c6d72073c9959a148b14aee71e06 
  588--58f: cd9831fcbffd4c6d 
  5e0--5f7: 7aadbd4a19a3fff071ed72c8817860616bbf69772b55d441 
  730--767: 8458600055fc31723e8faeafdfb476711eac84a215751da22a4ff6fcf020a7716196c57f242ba539a61c55adb5b5bf6bbda3fc820095de62 
  7d8--7e3: ac79afb1ed931184f04c562d 
  7f0--7ff: a58485f59e5d5b3486ae883f58338c04 
The only difference is that Key5 and Key6 are in what my script marks as the "unmapped" area, e.g. they don't have a correct crc or are not duplicated.
If I shall guess, they are never written, so they are all 0xff in the raw encrypted eeprom.
In my dump I had only two keys defined, all others were 0xff in the raw file. DHA gave id all 0 if read out.

ObliviousOrange
Posts: 2
Joined: 16 August 2025
Year and Model: 2011 C30
Location: Los Angeles

Post by ObliviousOrange »

Hello everyone. New to this forum and new to messing with car software. I'm having trouble getting the CEM PIN out of my 2011 C30 though, which I wanted for VDASH.

I got a Teensy 4.0, two SN65HVD230DR transceivers, and a buck converter. I successfully uploaded the code to the teensy, and only changed the code to work with this super tiny OLED screen I have on hand.

I've been too lazy to wait for shipping of more electronics stuff, so to connect to the OBD I used alligator clips and the ends of paperclips since I didn't have any other wires thick enough for a snug fit. As far as I could figure, it seems to have a workable connection.

No PCB used here, just a breadboard. I've double-checked the wiring many times now.
20250816_195258.jpg
What happened is that I kept getting a loop of "initializing" on the OLED after plugging everything in. Switching some wires on the RX/TX for the U3 transceiver made it say "unknown CEM, exiting", which I assume is better. I'd also get a CAN_LS error if I unplugged U5, which might be a good sign?

After getting nothing after a lot of messing around, I tried deleting the CM_PIN_AUTODETECT line as suggested in here for P1s. Then when I tried plugging it in my car made a loud click noise, lights turned off, and the clock reset (but was otherwise okay). It would still loop on initializing and every time the screen flashed the car would click again. Very concerning.

At this point I've thrown my hands up, idk what else I should be trying. I'm still trying to learn all this, any help would be appreciated. And I expect a lot of what I've said to sound like nonsense to anyone with experience so thanks for your patience.

Treur
Posts: 126
Joined: 16 November 2024
Year and Model: 2007 V70
Location: Estonia
Has thanked: 3 times
Been thanked: 6 times

Post by Treur »

porcupine7655 wrote: 16 Aug 2025, 13:35
Treur wrote: 15 Aug 2025, 13:25 And the algorithm really was wrong. I received a couple of EEPROMs, and decrypted via IO-Terminal they look normal))) So now I need to write an algorithm for 855. I already found the key.

CEM 93C86 EEPROM dec_ori.zip

I fixed the encryption algorithm and got -
Synchro: 746368207449
Crypto: 4AC0D73EE37CF551856C4892
Key pin: 730998
Key 1: C81AB88C
Key 2: C81AA475
Key 3: 8D300F5E
Key 4: AA8ED34F
Key 5: 121C920E
Key 6: 8C92CEB1
I got almost the same result.

The only difference is that Key5 and Key6 are in what my script marks as the "unmapped" area, e.g. they don't have a correct crc or are not duplicated.
If I shall guess, they are never written, so they are all 0xff in the raw encrypted eeprom.
In my dump I had only two keys defined, all others were 0xff in the raw file. DHA gave id all 0 if read out.
This dump has only 4 keys.

vtl
Posts: 4724
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 603 times

Post by vtl »

ObliviousOrange wrote: 16 Aug 2025, 21:13 Hello everyone. New to this forum and new to messing with car software. I'm having trouble getting the CEM PIN out of my 2011 C30 though, which I wanted for VDASH.

I got a Teensy 4.0, two SN65HVD230DR transceivers, and a buck converter. I successfully uploaded the code to the teensy, and only changed the code to work with this super tiny OLED screen I have on hand.

I've been too lazy to wait for shipping of more electronics stuff, so to connect to the OBD I used alligator clips and the ends of paperclips since I didn't have any other wires thick enough for a snug fit. As far as I could figure, it seems to have a workable connection.

No PCB used here, just a breadboard. I've double-checked the wiring many times now. 20250816_195258.jpg

What happened is that I kept getting a loop of "initializing" on the OLED after plugging everything in. Switching some wires on the RX/TX for the U3 transceiver made it say "unknown CEM, exiting", which I assume is better. I'd also get a CAN_LS error if I unplugged U5, which might be a good sign?

After getting nothing after a lot of messing around, I tried deleting the CM_PIN_AUTODETECT line as suggested in here for P1s. Then when I tried plugging it in my car made a loud click noise, lights turned off, and the clock reset (but was otherwise okay). It would still loop on initializing and every time the screen flashed the car would click again. Very concerning.

At this point I've thrown my hands up, idk what else I should be trying. I'm still trying to learn all this, any help would be appreciated. And I expect a lot of what I've said to sound like nonsense to anyone with experience so thanks for your patience.
What do you see printed on the serial console?

Also try this version, it works better with P1 (and some P2s, too): https://github.com/cmolson/volvo-cem-cr ... e/one_pass

myname
Posts: 39
Joined: 10 January 2010
Year and Model: 2007 XC70
Location: Montreal Quebec
Has thanked: 1 time
Been thanked: 4 times

Post by myname »

Sorry for being behind, does anyone else have an OBD-Vida software up and running to crack a CEM on a 2005+?
Never got the T5 luke software to work for me.

Thanks!
