Vida CEM swapping

[vtl]

I could send you the two DIPs or two chips and breakout boards.

Oh, thanks! I clicked on a $9.99/10 pcs offering on ebay already, but thanks!

[RickHaleParker]

Oh, thanks! I clicked on a $9.99/10 pcs offering on ebay already, but thanks!

To find Pin #1 you compare the angles of the edge bevels to the Datasheet. There is no Pin 1 markings.

[vtl]

Oh, well: I just bought a used P3 CEM

[RickHaleParker]

Oh, well: I just bought a used P3 CEM

The marathon to a effective P3 crack algorithm begins.

[vtl]

So P3 wants a new seed for every hash try.

Code: Select all

SEED 55 e9 da, PIN 99 54 92 00 00, KEY 5d 19 67, 500 pins/s
SEED 87 5a bb, PIN 99 59 92 00 00, KEY 1e 6c e6, 500 pins/s
SEED 1c e4 9e, PIN 99 64 92 00 00, KEY 57 6a 7e, 500 pins/s
SEED 31 22 75, PIN 99 69 92 00 00, KEY 6d 1c 8f, 500 pins/s
SEED aa 99 55, PIN 99 74 92 00 00, KEY 0e 74 b8, 500 pins/s
SEED 6f 21 28, PIN 99 79 92 00 00, KEY 03 a6 5b, 500 pins/s
SEED f7 9d 0c, PIN 99 84 92 00 00, KEY f6 b3 cd, 500 pins/s

At 500 pins/s it would take up to 100^5÷500÷3600÷24=231 days to brute force, plus some time to resolve hash collision (find all pins that produce the same hash for the given seed, and try all of them to unlock). Hmmm...

[RickHaleParker]

At 500 pins/s it would take up to 100^5÷500÷3600÷24=231 days to brute force, plus some time to resolve hash collision (find all pins that produce the same hash for the given seed, and try all of them to unlock). Hmmm...

Unless your really clever I don't think the Teensy 4.0 has enough resources to crack a P3. 2Mb of ram will not be enough for all the data that would need to be stored ... unless the maximum number of hash collisions is always under ~400,000 ( 2MB/ 5B ).
400,000 / 10,000,000,000 X 100% = 0.004% ... possible but I dead reckon it is highly improbable.

⇧⇧⇧ See post below. I'm picking this apart. ⇧⇧⇧

I'm thinking a USB - OBDII interface like ELM327 or a FDTI. Then do the math and data processing in a client side application. That way you have all the resources of the PC to do the work.

There are Linux driver for both ELM327 or a FDTI. The development would not need to be done in the dozy OS as with it would be with DiCE as the target interface.

Furthermore technical documentation for ELM327 or a FDTI is easily accessible. Technical documentation for DiCE is not.

ELM327 or FDTI cost less then DiCE and many already have ELM327 or FDTI in their tool box. If they don't have one in the tool box, the cost of one is low enough one would not need to dip into the rent money to get one.

I am pretty sure I read somewhere there is a predefined shortlist. That is, when assigning the 5 byte pin Volvo did not use all of the 100^5 possible pins. The assigned PINs follow some pattern or range. If we can discover what the predefined shortlist is it would drastically reduce the time need to find the first accepted hash over the CAN. If you get a working P3 cracker and collect enough 5 Byte PINs we should be able narrow down a predefined shortlist. Then use the predefined shortlist to reduce the crack time.

Accepted hashes can be use to create shorter and shorter shortlist. Until, like the Highlander, there can be only one. When you get the first accepted hash you can create a log of all the collisions by emulating the challenge in software. Somewhere in the log is the correct PIN. Thereafter eliminate the PINs in the log one by one using a challenge over the CAN until you get a a second accepted hash. Use the second seed and hash to pare down the number PINs in the log quickly using software emulation. Keep this up until there is only one member in the log. The Highlander PIN will be the correct PIN.

The logic is: the correct PIN will always produce the correct hash and will never be eliminated from the short list. Incorrect PINs can produce the correct has but not every time. Incorrect PINs are eliminated when they get the hash incorrect one time.

[swinokur]

y'all probably already know this, but looking at ELM's website: https://www.elmelectronics.com/elm-is-closing/ (not until June 2022, so there's probably still time left to purchase from them...)

[RickHaleParker]

y'all probably already know this, but looking at ELM's website: https://www.elmelectronics.com/elm-is-closing/ (not until June 2022, so there's probably still time left to purchase from them...)

There are some good ELM327 clones that would work. Then there is FDTI. Any interface that can communicate with the CEM would work as long as the application supports it. To avoid complications we should pick one of the better one as the target interface. I am leaning toward FDTI that market is not as flooded by crappy clones.

[RickHaleParker]

The hash is three bytes that six digits 100,000. 1/100,000 X 100^5 = 100,000 collisions ( statistical means ) .... that would fit in 0.5MB of ram.

100^5 / 100,000 = 100,000 . Statically you should find the first accepted hash within a 100,000 tries.
100,000 / 500/s = 200 seconds. 3.33 minutes average to find the first accepted hash.
Looking like this might be doable with the resources of a Teensy 4.0 after all.

There could be something in the challenge algo that slews the 100,000 means in collisions calculation.

If I got everything right we might even be able to beat Vdash's crack time of 8 hours typical, 24 hours maximum.
It looking like under 8 minutes + the time it takes to do the collisions report + overhead.

How it is time for team work. Pick this apart if you can.

[vtl]

I reworked algo a bit: it starts with very low samples, goes over the whole range quickly, elects the best half, increases samples, repeats until only one candidate is left. It gives a chance for the correct byte to misfire sometimes and be not just the best, but above the average.

Last 4 rescans are done with samples 100 to 400, which collects enough entropy to detect statistically significant signal (bad code alignment, noise on bus, whatever).

Below is an example run on the CEM-L dump that has a tricky third byte, which was previously possible to crack only with not very reliable by-STD election (LAT_ONLY commented out). Now it does it in one pass in 30 minutes.

Please try it out on your die hard CEMs that don't crack. I'll try it later with the early brick-shaped CEM.

https:// gist.github.com/vtl/cb6f72102d6555f3d752a95ca41006ea (remove the space after //).