Vida CEM swapping

[matija0610]

Not trying to hijack the thread, but does anyone have links to the "Car Config Editor" software? Successfully read the flash from my '05 XC90 CEM-H, and I'd like to change some parameters.

Thanks in advance!

I can.
PM me .bin and your wishes.

[vtl]

Who still searches his pincode and has a P2 car from model year 2006-

Just a DICE-206751 is enough to crack pin and dump full flash without any risk.

(or 2005- CEM with series number starting by 0000491...)

So, this is how others cracking P2 CEMs. We went above and beyond, and came up with a novel cracking method that also works on P1

[alevol]

cracking method that also works on P1

It seems, that P1 Cem 31327215 uses UDS only since it can not be cracked with timing attack. I have found many feedbacks regarding the same part number, that it can not be cracked.

[vtl]

No, 215 (and 217) is crackable via timing attack. IIRC, 215/217 are the quickest CEMs ever to crack. It just needs a tweak to the I/O (add "quiet" time between CAN requests). See sirloin's fork, he managed doing that with CAN interrupt disabled, though it is not strictly necessary: I cracked my 215 with just adding sufficient delay() to the regular code base. But sirloin's is more robust, though the rest of CEMs are harder to break or even impossible.

Someone needs to unify all good forks/branches in one code base.

[RickHaleParker]

See sirloin's fork,

Sirlion on github is cmolson.
https://github.com/cmolson/volvo-cem-cracker/branches

[T5Luke]

So, this is how others cracking P2 CEMs. We went above and beyond, and came up with a novel cracking method that also works on P1

Yes, this is absolutely correct, but not everybody has a teensy here and if we can simplify things in use why not.

We also have seen many have probs to get everything running correctly, and if it is possible to offer a simply solution why not.

Many users have a dice here and got the installiation running. A simple click and the code is found in max 32h on this p2 models. Yes teensy can do it in less than 30mins but ordering a teensy plus components and figure out how everything works takes over 32h ,till the first package arrives mostly 32h are still over...

On private car you won't use the teensy again but dice gives you very nice dtc presents for a long...

[vtl]

Yes, this is absolutely correct, but not everybody has a teensy here and if we can simplify things in use why not.

We also have seen many have probs to get everything running correctly, and if it is possible to offer a simply solution why not.

Many users have a dice here and got the installiation running. A simple click and the code is found in max 32h on this p2 models. Yes teensy can do it in less than 30mins but ordering a teensy plus components and figure out how everything works takes over 32h ,till the first package arrives mostly 32h are still over...

On private car you won't use the teensy again but dice gives you very nice dtc presents for a long...

Agreed with everything said, but the whole journey came to life because a few minds got bored =) I regret nothing.

[T5Luke]

This UDS hack only works for P2 CEMs from MY 2006 and newer. P2 cems from 2005-2006 are very easy to force by timing attac, this drivers need a teensy but they will find a pin very easy. Now the CEMs -2004 are missing

[vtl]

Now the CEMs -2004 are missing

If you brave enough to read through the thread, I've attempted to do that. But Volvo hired either a bad programmer or a brilliant one, and their pin compare code is not vulnerable to timing attack

[yamaha1024]

I would like to know