Vida CEM swapping

Post by **RickHaleParker** » 28 Nov 2021, 07:33

matija0610 wrote: ↑28 Nov 2021, 06:42 i don't think they are at constant addresses,

if i understood correctly, teensy doesn't know where the pin is but knows how to "attack" the CEM to find out the pin.

in any case, I still have a lot to learn and explore

So you don't concor.

The Teensy CEM cracker is a timing attack. It does not extract the PIN. It plays poker with the CEM and ferrets out it secret code.

It looks like you got a lot to contribute if you choose to. You could datamine the VIDA database for useful information. We are kind of hoping the project will evolve beyond just a PIN cracker.

Post by **vtl** » 28 Nov 2021, 08:29

matija0610 wrote: ↑28 Nov 2021, 05:04 thank you.
yes, i read that earlier. and compared to some bin's.
but what I'm trying to figure out is:
is there a rule that the address is exactly right there, or should it be searched around the flash ?

The pin offset was a constant in all L-shaped CEM dumps I've looked into. Other CEM types have pins located in different offsets. For example, brick-shaped P2 CEM can have it in two locations, depending on software number (?).

Why do you need to know the pin location for your configuration tool?

Oh, I read your earlier comment... Are you asking where the config block starts in MCU address space? Or where the flash starts in address space?

matija0610 · Post by **matija0610** » 28 Nov 2021, 08:42

I do not need.
Rick was just referring to you, so we talked in the context of the pin location.
i am trying to find a rule, the start address for the offset configuration bit.

i know what i need to change but i don't know where to change. i found it manually on the old CEM 2002 s60 , and it starts at the part where the vin is stored.

please, check the screenshot I posted above.
thx

Post by **RickHaleParker** » 28 Nov 2021, 09:27

matija0610 wrote: ↑28 Nov 2021, 08:42 i know what i need to change but i don't know where to change. i found it manually on the old CEM 2002 s60 , and it starts at the part where the vin is stored.

Can't you search for the VIN number then use the VIN number location as a datum ( a fixed starting point of a scale or operation )?

What is a "damos" ? I have not been able to get any translation for "damos" that make any sense to me.

You should answer VTL's question decisively.

vtl wrote: ↑28 Nov 2021, 08:29 Are you asking where the config block starts in MCU address space? Or where the flash starts in address space?

Post by **RickHaleParker** » 28 Nov 2021, 09:47

Found this:

"Damos (A2L) file is a file that includes descriptions of all maps in the super map pack. Detecting where maps for particular controls are is often difficult and tiresome. With Damos, finding these maps is completely trouble-free and fast."

Are you asking for a map of the CEM?

matija0610 · Post by **matija0610** » 28 Nov 2021, 10:05

I didn't see vtl's edit. I ask for: where the config block starts in MCU address space?

damos is a kind of script, instruction ...i made my own damos,, there is no problem

in short.
s60,2002, fog light configuration,
on offset 448 I have to replace 0x01 (no foglight ) to 0x02 (yes foglight)
i know this but i don't know what is the starting address from which i need counting offset (448) in .bin file loaded to the hex editor .. I .
hope you understand me?

Post by **vtl** » 28 Nov 2021, 10:19

I haven't looked at configuration block any further than in our private email chat, but you can write your own autofind code based on the config block structure knowledge present in SQL:

: Screenshot at 2021-10-27 09-59-19.png (69.53 KiB) Viewed 759 times

Find the VIN (the first bytes are constant, assigned to Volvo Cars), then go back and validate Data Length, etc.

On top of that, you may want to add the "config block offset" input in your tool, so the user would be able to override the automatically found offset, in case the algo fails to detect it correctly.

Anyhow, great progress on the configuration tool! Any chance you make it available for the Volvo crowd?

matija0610 · Post by **matija0610** » 28 Nov 2021, 12:31

Of course everything will be available. if I take from the community, I give back to the community, simply.
For me this is brain training in my spare time.
Urosm and you directed me where to search.
In general, there are wonderful forums on the internet, a lot of information lies around.
The size of Vida indicated me that "there is something" .. after yours confirmation, I started researching, yes, Vida is an encyclopedia. everything is there.
let's move on .. as much as free time allows.
I have a bit of a problem with the language barrier, I understand you all, but I don't know how much you understand my writing.

Post by **vtl** » 28 Nov 2021, 13:12

Kudos for give back.

I understand you well (myself is Slavic).

Post by **RickHaleParker** » 28 Nov 2021, 19:47

matija0610 wrote: ↑28 Nov 2021, 10:05 hope you understand me?

Getting a better idea. It sounding like you are speaking of descriptors, algorithms and datums.
A descriptor would defined a pattern. A algorithm would be a set of steps to seek and find the pattern.

de·scrip·tor, /dəˈskriptər/
1. Linguistics: a word or expression used to describe or identify something.
2. Computing: a piece of stored data that indicates how other data is stored. ( It could be stored in your brain and implied in code )

al·go·rithm, /ˈalɡəˌriT͟Həm/
1. A process or set of rules to be followed in calculations or other problem-solving operations.

da·tum, /ˈdādəm,ˈdadəm/
1. A fixed starting point of a scale or operation. ( A point of reference like zero in a number system )

Descriptors tell you how to identify something.
Algorithms tell you how to do something.
Datums tell you in relation to what.

offset 448 in relation to what datum? Still looking like you are asking for a descriptor and algorithm to find a datum. Once the datum is determined you can count your way to the location you seek.

Am I getting closer?

Vida CEM swapping

Re: Vida CEM swapping