Vida CEM swapping

Post by **RickHaleParker** » 25 Aug 2021, 03:54

mscarrock wrote: ↑25 Aug 2021, 01:06 Maybe it has been discussed already but how do VDASH guys crack your P2 CEM-B < 2005 from the bin file?

D5T5 knows where to look in a CEM-B. We don't where to look in a CEM-B. If we can get one dump from a CEM-B where the PIN is known, that would change. If we could find anomalies in the CEM-B timing that could change. Anomalies in the CEM-B energy consumption might lead to a side-attack that will work.

Somebody needs to find a crack in the dam so to speak ( a catalyst ).

Most of all we need people with skills and insatiable curiosity.

zajcis · Post by **zajcis** » 25 Aug 2021, 05:04

Not too complicated - old CEMs pass is located at the front door of the emulated electronically erasable/programmable read-only memory

Post by **vtl** » 27 Aug 2021, 16:06

I read the 28F400 in a chip programmer. Where in early P2 "brick" CEM the PIN is located?

Post by **RickHaleParker** » 27 Aug 2021, 21:45

vtl wrote: ↑27 Aug 2021, 16:06 I read the 28F400 in a chip programmer. Where in early P2 "brick" CEM the PIN is located?

Might be possible to ferret out the location with two CEM-B.
1. Set all, if any, parameters the same in VIDA.
2. Compare the two dumps for differences.
The PIN should be one of the locations that are different.

Post by **vtl** » 27 Aug 2021, 22:43

T5Luke wrote: ↑21 Apr 2021, 05:24 Here, the bootloader checks if the CEM has a pin set at 0x4000 or 0x6000, new cems come with empty pin, need to follow further, but there are so many things to do like the other tool for CEM...

We have all the internet open knowledge regarding P2 CEMs pin right here in this thread

I was looking at my dump:

Code: Select all

$ ./pin CEM-28F400.BIN 1 | grep -a 000:\ 
offset 006000: 99 45 01 55 15 49 : �EUI
offset 054000: 80 24 39 08 07 00 : �$9
offset 062000: 46 00 34 66 39 10 : F4f9
offset 067000: 10 66 78 48 01 00 : fxH

Only FFs at 0x4000 (found the address somewhere else), but this 0x6000 was very suspicious. Now, as T5Luke pointed out a few months ago, the pin could be at address 0x6000. So my pin is 99 45 01 55 15 49.

Of course, I don't know the shuffle order, so the CEM rejects the pin. Go figure.

Post by **RickHaleParker** » 27 Aug 2021, 23:02

vtl wrote: ↑27 Aug 2021, 22:43 Of course, I don't know the shuffle order, so the CEM rejects the pin. Go figure.

6!(6-6)! = 720.
How much work would it be for you to write a sketch that takes the set ( 99 45 01 55 15 49 ) and run through the 720 permutations?
One of the 720 is in the correct shuffle order.

Post by **vtl** » 27 Aug 2021, 23:09

Today I learned the Heap's permutations algorithm...

Code: Select all

1 0 3 2 5 4 
CAN_HS ---> ID=000ffffe data=50 be 45 99 55 01 49 15
CAN_HS <--- ID=00000003 data=50 b9 00 00 00 00 00 00
i 719 unlock 1

Post by **RickHaleParker** » 27 Aug 2021, 23:26

vtl wrote: ↑27 Aug 2021, 23:09 Today I learned the Heap's permutations algorithm...

There you go. You can use Heap's permutations algorithm to generate the 720 permutations from the clear text Pincode until you find the correct encoded Pincode. Then compare the correct encoded PIN to the clear text pin to determine the shuffle.

Or just use Heap's permutations algorithm to shuffle the shuffle.

Post by **RickHaleParker** » 27 Aug 2021, 23:45

You might want to place that code in the Main under Tools\ Permutations\ PermutationFinder.ino That way anybody that knows their PIn can use it.

Post by **vtl** » 28 Aug 2021, 11:13

OK, it's crackable over CAN. The algo needs tuning (simplification, really), but I see a latency notch when feeding the right byte in the right place. Renesas algo is more complicated, in fact.

Stay tuned.

Vida CEM swapping

Re: Vida CEM swapping