Vida CEM swapping

oscilloscope · Post by **oscilloscope** » 16 Jun 2023, 14:38

vtl wrote: ↑16 Jun 2023, 14:32
oscilloscope wrote: ↑16 Jun 2023, 14:29 did you use any of the multi-com.pl break out boards & connectors or just the general wiring harness which i am assuming comes with the device?
The ones with the board.

in the mean time i'll download the software and get a feel of the software and how it functions.

oscilloscope · Post by **oscilloscope** » 17 Jun 2023, 07:51

vtl wrote: ↑16 Jun 2023, 14:32
oscilloscope wrote: ↑16 Jun 2023, 14:29 did you use any of the multi-com.pl break out boards & connectors or just the general wiring harness which i am assuming comes with the device?
The ones with the board.

Did you analyse the CAN lines only. or did you go straight too the cem microcontroller via jtag or direct pin connection. And analyse the data coming in and out ?

Post by **vtl** » 17 Jun 2023, 08:12

oscilloscope wrote: ↑17 Jun 2023, 07:51 Did you analyse the CAN lines only. or did you go straight too the cem microcontroller via jtag or direct pin connection. And analyse the data coming in and out ?

I first didn't know what pin is it. I read in Renesas datasheet about flash pin protection, so the first attempt was to crack the chip over serial line by soldering wires to PCB and forcing the chip into boot mode. I looked at the response latency with logic analyzer to confirm the theory that it differs for good/bad bytes. That attempt fail, because in Volvo Renesas is unprotected. Then T5Luke contacted me, he knew lot more on that topic, and in about month or two of brain storming and hard working we got it rolling over CAN.

DSLogic can see these latencies at a very high speed, because it captures the signals in FPGA. I'd say, it can peek at any signal in that car era electronics without problem. Cheap Saleae knock off has a lot of jitter and is not very fast to begin with.

oscilloscope · Post by **oscilloscope** » 17 Jun 2023, 09:16

vtl wrote: ↑17 Jun 2023, 08:12
oscilloscope wrote: ↑17 Jun 2023, 07:51 Did you analyse the CAN lines only. or did you go straight too the cem microcontroller via jtag or direct pin connection. And analyse the data coming in and out ?
I first didn't know what pin is it. I read in Renesas datasheet about flash pin protection, so the first attempt was to crack the chip over serial line by soldering wires to PCB and forcing the chip into boot mode. I looked at the response latency with logic analyzer to confirm the theory that it differs for good/bad bytes. That attempt fail, because in Volvo Renesas is unprotected. Then T5Luke contacted me, he knew lot more on that topic, and in about month or two of brain storming and hard working we got it rolling over CAN.

DSLogic can see these latencies at a very high speed, because it captures the signals in FPGA. I'd say, it can peek at any signal in that car era electronics without problem. Cheap Saleae knock off has a lot of jitter and is not very fast to begin with.

That's good to info to know, I have a theory that if I where to probe the CAN lines and then perform a test synchronisation on a test ecu and cem and see what happens. I'll assume that i could analyse the CAN data packets to see what section is adjusted. , currently a theory in practice it may give me a load of data which will unintelligible.

alevol · Post by **alevol** » 17 Jun 2023, 11:32

Are you going to share the results of your work?

oscilloscope · Post by **oscilloscope** » 17 Jun 2023, 15:15

alevol wrote: ↑17 Jun 2023, 11:32 Are you going to share the results of your work?

Of course

oscilloscope · Post by **oscilloscope** » 17 Jun 2023, 15:33

alevol wrote: ↑17 Jun 2023, 11:32 Are you going to share the results of your work?

I'm not too familiar with the dslogic analyser , I have most of the data sheets for pretty much all of the mcu versions , so 1k79X , 1M14E, 1k78k , OL01Y, the list continues , i have some help from a developer who is much more clued up on oreans obfuscating. Then me , and knows much better around reverse engineering tools such as m32 and ghidra , I have other the name escapes me currently.

I am curious to know what the code card developer did on the synchro software for the sid807evo with the p2 cem. , as from what I can tell the process changed after that application, SMOk provides synchro via can bus , to newer versions of the ecu and cem combinations. Which is interesting. I did read somewhere that the security changed on the later ones that smok can do , but that is of course not confirmed.

it does make me wonder whatever did happen to the original developer of the software , i had been informed by codecard the developer does not work there anymore.

oscilloscope · Post by **oscilloscope** » 18 Jun 2023, 13:26

if some of you are not aware this is an example of what the sync software does , sorry for the quality but here we go!

left hex dump is the damaged dump file , the left is the repaired dump file , i have highlighted the ABS ID showing where it is badly I might add , the information is then placed inside the ECU eeprom , as that is what's losses the info. , too keep track of the ecu versions and cem versions ,i label them the cem version , in this example this is from a sid803a and a cem which a 1L15Y MASK. ok its not the sid807evo but it could give an idea to folks.

: compared files.jpg (312.81 KiB) Viewed 366 times

oscilloscope · Post by **oscilloscope** » 20 Jun 2023, 07:26

Analyser has arrived.

I have some test cem & ecu which I can plug into and see what i can do

oscilloscope · Post by **oscilloscope** » 20 Jun 2023, 16:13

I'm going to concentrate my efforts on the sid807evo with the p3 white cem this ecu kit I already have , it's from a v40 , there in them from 2011 onwards, this one has push button start. I have purchased a body loom and will buying an engine loom. To make life simple , I'll be removing wiring so I can use the bare minimum to do the process , this is mainly the test mule for now

Vida CEM swapping

Re: Vida CEM swapping