Something like CRC check of flash line where the pin resides and then doing all possible pin code permutations and calculating CRC?
Vida CEM swapping
-
vtl
- Posts: 4723
- Joined: 16 August 2012
- Year and Model: 2005 XC70
- Location: Boston
- Has thanked: 114 times
- Been thanked: 603 times
Re: Vida CEM swapping
-
davidgg
- Posts: 1
- Joined: 18 December 2025
- Year and Model: Volvo S40 T5 2011
- Location: Budapest
- Been thanked: 1 time
Hello everyone,
This is my first comment here, but I've been observing and noting many things for the past month, to be able to build my own PIN cracker.
I was a bit worried since the CEM P/N found in my car (31296881) is still in Unconfirmed status in vtl's code, but I'd like to confirm that I didn't have to tweak any settings, everything worked on the first execution perfectly and the PIN was cracked successfully some time later.
I'm happy to share that after some tweaking (and throwing out garbage Aliexpress 3.3V transceivers), I managed to build a working example.
In the end I've used a pair of TJA1050T transceivers, as those were in stock in the local store, can recommend them. Also would like to note that in my case the readout did not work when the key wasn't inserted. It did work though with the key inserted, in position 0.
I apologize for the looks of this creation, but I didn't want to solder directly together the Teensy and the PCB I got from PCBWay, because I did exactly that the first time and then had a miserable 90 minutes trying to separate them without causing any damage.
Here is the log dump, just FYI:
Build Date: Dec 25 2025 22:01:26
CPU Maximum Frequency: 600000000
CPU Frequency: 180000000
Execution Rate: 180 cycles/us
PIN bytes to measure: 3
CAN low-speed init done.
Reading part number from ECU 0x40 on CAN_LS
CAN_LS ---> ID=000ffffe data=cb 40 b9 f0 00 00 00 00
CAN_LS <--- ID=021204b8 data=13 00 86 45 26 a3 06 ca
CAN_LS <--- ID=02e0402e data=00 00 20 10 40 8b d9 21
CAN_LS <--- ID=03c3f7fc data=60 00 00 00 00 22 d8 04
CAN_LS <--- ID=00600005 data=8f 40 f9 f0 00 31 29 68
CAN_LS <--- ID=0e03d7f8 data=00 21 03 34 01 01 00 00
CAN_LS <--- ID=080030ae data=c0 00 03 01 31 03 42 e9
CAN_LS <--- ID=0730302e data=00 00 00 01 20 02 42 e8
CAN_LS <--- ID=0c800010 data=00 00 00 00 00 00 00 00
CAN_LS <--- ID=0cb00080 data=00 00 00 00 00 00 00 00
CAN_LS <--- ID=00600005 data=09 81 20 20 20 31 31 49
Part Number: 31296881
Searching P/N 31296881 in 50 known CEMs
CAN HS baud rate: 500000
PIN shuffle order: 2 4 5 0 3 1
CAN high-speed init done.
Putting all ECUs into programming mode.
CAN_HS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff 86 00 00 00 00 00 00
Reading part number from ECU 0x50 on CAN_HS
CAN_HS ---> ID=000ffffe data=50 88 00 00 00 00 00 00
CAN_HS <--- ID=00000003 data=50 8e 00 00 31 29 68 81
Part Number: 31296881
Initialization done.
Profiling CEM
1000 pins in 623 ms, 1605 pins/s, average response: 65 us, histogram 32 to 97 us
Calculating bytes 0-2
range 100, samples 10
candidates short list: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 (+ 50 more)
us: 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
[ 00 -- -- -- -- -- ]: 0 0 0 0 211 58 157 46 95 24 112 26 198 55 13 4 0 0 0 0 : latency 65134; std 33.37
[ 01 -- -- -- -- -- ]: 0 0 0 0 219 62 182 56 112 41 104 27 137 37 15 5 1 1 0 1 : latency 64734; std 33.22
# ...
[ 09 17 02 -- -- -- ]: 0 0 0 0 0 0 2180 770 3449 963 3311 863 3956 1214 6369 1888 3933 1016 6 7 : latency 2070032; std 963.81
best candidates ordered by latency:
0: 64 lat = 2082726
1: 02 lat = 2070032
2: 05 lat = 2069841
...
range 2, samples 400
candidates short list: 64 02
us: 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
[ 09 17 64 -- -- -- ]: 0 0 0 0 0 0 0 0 6874 2015 6855 2004 4382 1276 4192 1296 6419 1846 2132 614 : latency 2777092; std 1288.64
[ 09 17 02 -- -- -- ]: 0 0 0 0 0 0 2880 985 4693 1373 4347 1179 5269 1569 8546 2445 5230 1354 9 2 : latency 2759837; std 1288.34
best candidates ordered by latency:
0: 64 lat = 2777092
1: 02 lat = 2759837
...
pin[2] choose candidate: 64
Candidate PIN 09 17 64 -- -- -- : brute forcing bytes 3 to 5 (3 bytes), will take up to 623 seconds
Progress: 0%..done
found PIN: 31 03 09 34 17 64
PIN is cracked in 1406.55 seconds
Validating PIN
PIN verified.
done
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00






