im trying to crack my V50 again but now with latest from Vtl.
can you see anything wrong in the logg?
Br Richard
v50.txt- (121.69 KiB) Downloaded 114 times
Vida CEM swapping
-
vtl
- Posts: 4726
- Joined: 16 August 2012
- Year and Model: 2005 XC70
- Location: Boston
- Has thanked: 114 times
- Been thanked: 606 times
First byte looks good, the rest is not. I wonder if the shuffle order is different for this P/N? Try to replace 0 with 3 here https://github.com/vtl/volvo-cem-cracke ... er.ino#L75 ?
-
RickHaleParker
- Posts: 7129
- Joined: 25 May 2015
- Year and Model: See Signature below.
- Location: Kansas
- Has thanked: 8 times
- Been thanked: 958 times
Would a function that tries the other known shuffle orders when a CEM fails to crack be a good idea?
Perhaps make the function a flag-able option.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
-
vtl
- Posts: 4726
- Joined: 16 August 2012
- Year and Model: 2005 XC70
- Location: Boston
- Has thanked: 114 times
- Been thanked: 606 times
Lots of people know up front what the order is for those P/Ns. I would rather prefer a pull request from them...RickHaleParker wrote: ↑06 Nov 2021, 10:45 Would a function that tries the other known shuffle orders when a CEM fails to crack be a good idea?
Perhaps make the function a flag-able option.
-
RickHaleParker
- Posts: 7129
- Joined: 25 May 2015
- Year and Model: See Signature below.
- Location: Kansas
- Has thanked: 8 times
- Been thanked: 958 times
Do you have ESP or a spy in my midst
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
-
vtl
- Posts: 4726
- Joined: 16 August 2012
- Year and Model: 2005 XC70
- Location: Boston
- Has thanked: 114 times
- Been thanked: 606 times
Well, I literally have no time for anything. The P3 change was just pushed to p3 branch as is. It is not integrated with the P1+P2 code path, you have to compile with the P3 defined.
It takes up to 31.5 hours to crack, usually much less. I've tried a few hash collision rate "improvements", however they are not reliable and often makes things even worse. So...
The pin it finds is not the real pin, however Volvo's hash algo is somewhat defective and produces collisions for the same set of the pins (~600-700) for any seed generated.
It takes up to 31.5 hours to crack, usually much less. I've tried a few hash collision rate "improvements", however they are not reliable and often makes things even worse. So...
The pin it finds is not the real pin, however Volvo's hash algo is somewhat defective and produces collisions for the same set of the pins (~600-700) for any seed generated.
Code: Select all
CPU Maximum Frequency: 600000000
CPU Frequency: 600000000
Execution Rate: 600 cycles/us
Cracking P3
CAN low-speed init done.
CAN high-speed init done.
Putting all ECUs into programming mode.
=== CEM-on-the-bench users: you have 5 seconds to apply CEM power! ===
canMsgReceive timed out, start 1979794177, now 1980394202, diff 600025
CAN_HS ---> ID=000007df data=02 10 82 00 00 00 00 00
CAN_LS ---> ID=000007df data=02 10 82 00 00 00 00 00
canMsgReceive timed out, start 686049129, now 686649177, diff 600048
Initialization done.
SEED 3f be e7, PIN 00 00 00 08 78, KEY d5 62 e4, 878 pins/s
SEED 4b 88 a5, PIN 00 00 00 17 56, KEY 60 56 b0, 878 pins/s
SEED d0 6a dc, PIN 00 00 00 26 34, KEY c5 14 9a, 878 pins/s
SEED 2a 6a 26, PIN 00 00 00 35 12, KEY cd 13 b1, 878 pins/s
SEED 1a 8c f0, PIN 00 00 00 43 91, KEY e2 88 c5, 879 pins/s
..
SEED 35 4b 18, PIN 00 05 68 17 30, KEY a3 19 ea, 879 pins/s
SEED a6 d8 18, PIN 00 05 68 26 08, KEY 2f 21 87, 878 pins/s
SEED e9 a8 27, PIN 00 05 68 34 87, KEY df 92 aa, 879 pins/s
reply: 02 67 02 00 00 00 00 00
hash collision found
SEED 36 be ee, PIN 00 05 68 38 26, KEY c9 95 40, 339 pins/s
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
-
RickHaleParker
- Posts: 7129
- Joined: 25 May 2015
- Year and Model: See Signature below.
- Location: Kansas
- Has thanked: 8 times
- Been thanked: 958 times
The way I see it is: If a PIN works consistently it is a real PIN because it gets the job done. Perhaps it best to say a P3 has ~600-700 valid PINs.
No sense in meddling around to accomplish something that does not produce different results.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
-
RickHaleParker
- Posts: 7129
- Joined: 25 May 2015
- Year and Model: See Signature below.
- Location: Kansas
- Has thanked: 8 times
- Been thanked: 958 times
If you crack a P3 in the car. Don't forget you need to keep the battery up. Keep the battery connected to a battery charger the whole time you are cracking the PIN. A charger with a capacity of 12A or higher is the word on the streets. Unlike VDASH, the Teensy 4.0 has no way to store data the resume later. If the battery gets low and the CEM stops responding, you will need to start all over again.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
-
RickHaleParker
- Posts: 7129
- Joined: 25 May 2015
- Year and Model: See Signature below.
- Location: Kansas
- Has thanked: 8 times
- Been thanked: 958 times
Where would you store the data on a Teensy 4.0 other then volatile RAM? Can some of the non volatile flash memory be used as a data storage media? There is a SD interface on the Teensy 4.0, hardware would need to be added.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
-
- Similar Topics
- Replies
- Views
- Last post
-
- 1 Replies
- 6431 Views
-
Last post by RickHaleParker
-
- 5 Replies
- 8699 Views
-
Last post by forumoto