Vida CEM swapping

dikidera · Post by **dikidera** » 24 Dec 2022, 03:42

I do not. I do have an oscilloscope, and I have noticed the WE pin going low every now and then when the ECU is operating normally. As soon as I start the SBL it remains HIGH, but that is because I have not issued any commands to it. I will have to solder a wire to it, but this time it will be thinner so if it decides to break, it won't take the pin off this time.

oscilloscope · Post by **oscilloscope** » 25 Dec 2022, 13:11

dikidera wrote: ↑24 Dec 2022, 03:42 I do not. I do have an oscilloscope, and I have noticed the WE pin going low every now and then when the ECU is operating normally. As soon as I start the SBL it remains HIGH, but that is because I have not issued any commands to it. I will have to solder a wire to it, but this time it will be thinner so if it decides to break, it won't take the pin off this time.

According too the Hitachi data sheet for SH7055, it suggests FWE pin needs to be in a reset state to allow for read/write enable. Which then places it in programmer mode. , I am assuming that Hitachi version of the sh7055 is the same as the renesas. Before there transition. Assuming that's the pin you mean ?

prometey1982 · Post by **prometey1982** » 26 Dec 2022, 08:45

I'm analyzing TCM's SBL at the moment. It's definely work by same algorithm as ECM flashing process. CAN sequence looks like on 0xE6 TCM:
1. Shutdown everything by 0xFF 0x86 request
2. Send 0xE6 0xC0
3. Send 0xE6 0x9C 0xFF 0xFF 0x82 0x00 // jump to addr 0xFFFF8200
4. Send 0xE6 0xAE with bootloader as payload
5. Send 0xE6 0x9C 0xFF 0xFF 0x82 0x00 // jump to addr 0xFFFF8200
6. Send 0XE6 0xA0 to jump execution point to addr from pt 5.
7. Send 0xE6 0x9C 0x00 0x00 0x80 0x00 // jump to addr 0x8000
8. Send 0xE6 0xF8 // erase memory block
9. Send 0xE6 0x9C 0x00 0x00 0x80 0x00 // jump to addr 0x8000
10. Send 0xE6 0xAE with flash payload
11. Send 0xFF 0xC8 to start add ECUs in normal mode.

I omitted the checksum check because I don't know algorithm for TCM. In my TCM's flash this check just disabled.

I didn't find 0xAE command processing ATM. Maybe additional bootloader should be loaded. But next command looks like enabling of flashing:

Code: Select all

ROM:FFFF9666 flashing_FFFF9666:                      ; CODE XREF: sub_FFFF9596+C8j
ROM:FFFF9666                 mov.w   #PJDR_W, r2
ROM:FFFF9668                 mov.w   @r2, r0
ROM:FFFF966A                 xor     #h'40, r0
ROM:FFFF966C                 mov.w   r0, @r2
ROM:FFFF966E                 mov.w   #FLASH_FECS_B, r2
ROM:FFFF9670                 mov.b   @r2, r0
ROM:FFFF9672                 and     #h'FE, r0
ROM:FFFF9674                 mov.b   r0, @r2
ROM:FFFF9676                 mov.w   #FLASH_FPCS_B, r2
ROM:FFFF9678                 mov.b   @r2, r0
ROM:FFFF967A                 or      #1, r0
ROM:FFFF967C                 mov.b   r0, @r2
ROM:FFFF967E                 mov     #0, r1
ROM:FFFF9680                 mov.w   #FLASH_FTDAR_B, r2
ROM:FFFF9682                 mov.b   r1, @r2
ROM:FFFF9684                 mov.w   #h'A5, r0
ROM:FFFF9686                 mov.w   #FLASH_FKEY_B, r1
ROM:FFFF9688                 mov.b   r0, @r1
ROM:FFFF968A                 bra     loc_FFFF96A4
ROM:FFFF968C                 nop

Post by **vtl** » 26 Dec 2022, 08:48

This thread might be the best gem thread about hacking your old Volvo in the whole Internet

Keep sharing your knowledge!

Thank you everyone and happy holidays!

McGherkin · Post by **McGherkin** » 26 Dec 2022, 10:27

Hi all. New to this and I'm sure this is a pretty noob question to ask but I'm just wanting to make sure.

I'm looking to crack the CEM pin for the two Volvos I have - A T5 C30 and D5 V50. I know Modunlock do a complete off the shelf solution using custom PCB crackers but on their website they also mention that you can make your own.....

As it happens I do like a tinker, and having just picked up a new soldering iron, I fancy a crack.

I've seen people running code on other Arduinos and RasPis in the thread as I'm looking back through the pages, so I'm hoping that this is because the Teensy method is now a bit boring and people want to experiement using other boards, rather than people giving up with using a Teensy!

Looking at the schematic on Github (https://github.com/vtl/volvo-cem-cracker), I presume I need a Teensy 4.0, two 10k resistors, a couple of SN65HVD230Rs, an OBD plug to wire it to and presumably a 5v step down converter to power the lot through the OBD 12v?

I've found these: https://thepihut.com/products/can-board ... GBedd1EBIk

Looking at them, they have 10k resistors on the board, would that be pulling RS to ground? They also have 120ohm resistors across CANH/CANL which are equivalent to R3 and R4 on the schematic, it says those are not required for in car cracking (presumably through the OBD port) but will it harm anything to have them there? Otherwise I could probably just desolder them.

That would simplify things a bit if I just need a teensy, two of those boards, a power supply (decently smoothed little switching supply okay I hope?) and a plug. And then I presume I just connect the teensy and execute the code through it using Arduino IDE and voila?

Thanks everybody!

Post by **vtl** » 26 Dec 2022, 10:42

McGherkin wrote: ↑26 Dec 2022, 10:27 Hi all. New to this and I'm sure this is a pretty noob question to ask but I'm just wanting to make sure.

I'm looking to crack the CEM pin for the two Volvos I have - A T5 C30 and D5 V50. I know Modunlock do a complete off the shelf solution using custom PCB crackers but on their website they also mention that you can make your own.....

As it happens I do like a tinker, and having just picked up a new soldering iron, I fancy a crack.

I've seen people running code on other Arduinos and RasPis in the thread as I'm looking back through the pages, so I'm hoping that this is because the Teensy method is now a bit boring and people want to experiement using other boards, rather than people giving up with using a Teensy!

Looking at the schematic on Github (https://github.com/vtl/volvo-cem-cracker), I presume I need a Teensy 4.0, two 10k resistors, a couple of SN65HVD230Rs, an OBD plug to wire it to and presumably a 5v step down converter to power the lot through the OBD 12v?

I've found these: https://thepihut.com/products/can-board ... GBedd1EBIk

Looking at them, they have 10k resistors on the board, would that be pulling RS to ground? They also have 120ohm resistors across CANH/CANL which are equivalent to R3 and R4 on the schematic, it says those are not required for in car cracking (presumably through the OBD port) but will it harm anything to have them there? Otherwise I could probably just desolder them.

That would simplify things a bit if I just need a teensy, two of those boards, a power supply (decently smoothed little switching supply okay I hope?) and a plug. And then I presume I just connect the teensy and execute the code through it using Arduino IDE and voila?

Thanks everybody!

Modunlock uses a modified cracker algo that was developed here. It is highly suspected that VDash also uses our algo, since they didn't have support for P2 cracking for years, but got such support very quickly after we published the source code

Which is a very bad GPLv3 license if anyone wants to steal the code.

Teensy is not necessary, any MCU with built-in CAN controllers and around 150-250 MHz of core frequency should do it. ESP32 was the first candidate, but it has a strange instructions timing, which makes the cracking unreliable. So it got replaced with Teensy, which is based on ARM microarchitecture.

In CAN network topology both ends of the bus must be terminated with 120 Ohm resistors, to prevent signal reflection. OBD port is not the end of the bus, so resistors are not needed. You may be able to crack some cars (like slow P1), but generally these resistors should be removed.

For bench cracking the resistors are needed, since the cracker is now the end of the bus and must be terminated.

McGherkin · Post by **McGherkin** » 26 Dec 2022, 11:02

I mainly wanted to just use a Teensy as I want to make things as simple as possible on the programming side of things. I suck at programming so I'd prefer to just build the circuit, execute the code and get my PIN.

So you reckon that the plan to use those boards is sound as long as I desolder the 120 ohm resistors?

Post by **vtl** » 26 Dec 2022, 13:01

McGherkin wrote: ↑26 Dec 2022, 11:02 So you reckon that the plan to use those boards is sound as long as I desolder the 120 ohm resistors?

Those 2 pins may be for disconnecting the resistor. It is commonly done so in other CAN-shields.

McGherkin · Post by **McGherkin** » 26 Dec 2022, 13:44

By attaching a jumper between them? Seems counterintuitive in my head as surely that ensures the CAN H and CAN L would be directly connected?

I've got the software side of things looking good so I think I'll pull the trigger and start playing!

oscilloscope · Post by **oscilloscope** » 26 Dec 2022, 13:47

McGherkin wrote: ↑26 Dec 2022, 11:02 I mainly wanted to just use a Teensy as I want to make things as simple as possible on the programming side of things. I suck at programming so I'd prefer to just build the circuit, execute the code and get my PIN.

So you reckon that the plan to use those boards is sound as long as I desolder the 120 ohm resistors?

what i did with mine was purchased a pair of CAN boards and obd connector from amazon & then managed to get a teensy from coolcomponents , and then used some old twisted pair network cable , i uploaded the sketch and it worked sort of. i did a little fiddling with the wiring and it works great. i haven't made the updated version which is avalible , with the alternative CAN transceiver.

: 20221226_210735.jpg (415.51 KiB) Viewed 528 times

this could be an option for you? , its very rough but it does work

Vida CEM swapping

Re: Vida CEM swapping