Vida CEM swapping

sirloins · Post by **sirloins** » 11 Nov 2020, 16:01

I've been playing around with some commands.

So this "pin" is sent in this "programming" mode. I am exploring commands while still in "normal" mode.

I see from the service list there are many functions related to security, does anyone have any idea how to correctly attempt a login?

An example service is A3. There are a few modes that seem to respond:

A3 01 - Request Seed (I get 00's back, but no error)
A3 02 - Send Key (I do not get an error back, but I don't know exactly what it is expecting)

What I would like to do is see about getting logged in this way, and being able to read flash by memory address.

Post by **vtl** » 11 Nov 2020, 16:06

Seed is what P3 has. P3 PIN procedure is not like in P2.

Post by **vtl** » 11 Nov 2020, 16:28

2 more P2 CEMs got cracked!

Don't forget you need a common ground between Teensy and CEM

sirloins · Post by **sirloins** » 11 Nov 2020, 16:37

Ahh okay, I think I messed up my services query and saw those ones. I was hoping to use the commands like A7 01 to read some data from flash etc.

Do you happen to know what commands are available once logged in with the PIN?

T5Luke · Post by **T5Luke** » 11 Nov 2020, 17:01

Not so much, you can upload your own bootloader and set instruction counter to it...

Post by **vtl** » 11 Nov 2020, 17:05

Yes, you need SBL.

sirloins · Post by **sirloins** » 12 Nov 2020, 07:07

Understood, thanks guys.

So if my understanding is correct with both this P1 and P2 CEM, when put into programming mode we are running in some flash bootloader with minimum commands available. There are commands to load an SBL into RAM then jump and start executing it (As we can't write flash while running from flash).

The SBL is either found via a VBF from VIDA perhaps (if you have done any software changes). Otherwise, one would have to write their own.

I may try to write some simple hello world type program that I can load into ram and run as the SBL. I tried a bunch of commands once in this programming mode and found the following:

While still "locked" these commands were found:

50 88 - Read Part Number (from vtl arduino code) - returned 50 8E 00 00 08 69 07 19 (ECU Part Number)

50 90 - Reads some other code - returned 50 96 00 00 00 08 62 19 (Appears to be ECU Serial)

50 BE - Send PIN to get access to the rest of the commands

50 C0 - returned 50 C6 00 08 68 86 48 41 (This is "Start PBL" command from that doc I mentioned)

Once the correct PIN was sent, these additional commands worked:

50 9C - Returned 50 9C 00 00 00 00 00 00

50 A9 through AF -All returned the same 50 A9 02 00 00 00 00 00

Obviously, I did not send the correct parameters to the above commands which is why they returned 02, but it shows there is something there.

I saw a document written by some student I think that did some ECU work for hilton? They listed a bunch of commands, while they do not match the exact ones I saw above, I assume the A9 through AF commands are used for the loading/starting of that SBL.

Post by **RickHaleParker** » 12 Nov 2020, 08:23

sirloins wrote: ↑12 Nov 2020, 07:07 While still "locked" these commands were found:

The communication protocol for P1 & P2 is Ford's GGD ( Generic Global Diagnostic ).
If you poke around there are documents on GD that are not supposed to be accessible to the public.

Post by **vtl** » 12 Nov 2020, 08:44

sirloins wrote: ↑12 Nov 2020, 07:07I saw a document written by some student I think that did some ECU work for hilton?

This was Robert himself

sirloins · Post by **sirloins** » 12 Nov 2020, 08:54

Damn haha, I didn't put 2 and 2 together. I actually am saving up for a tune from them for my V50 seems like a good company!

Thanks for the pointers guys, appreciate answering my very uninformed questions!

I actually found a dev-board here in Canada for the MC9S12 that I may pickup (used). I know this doesn't help the P2 guys much though.

Vida CEM swapping

Re: Vida CEM swapping