
Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. Introduced for model year 2003 in North America, it proved very popular and very good for Volvo's sales numbers. P2 platform.
oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Re: Vida CEM swapping

Post by oscilloscope »

vtl wrote: 29 Nov 2023, 07:00
oscilloscope wrote: 29 Nov 2023, 06:48 Interesting... The reason I'm trying too is to write a program to perform the synchronisation for the SID807EVO and P2 CEM unit. Codecard pulled the application from sale, and the application is near impossible to crack unless you know how to reverse Oreans, now called Themida. I have tried and tried. I had tried capturing the data with a logic analyzer, but that didn't capture anything of use, as I would need a 144-pin analyzer which would probably cost a billion pounds (sarcasm).
You approach it wrong. https://xkcd.com/538/
You're right! I'll get the wrench and head over to Volvo R&D :D

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

vtl wrote: 29 Nov 2023, 07:00
oscilloscope wrote: 29 Nov 2023, 06:48 Interesting... The reason I'm trying too is to write a program to perform the synchronisation for the SID807EVO and P2 CEM unit. Codecard pulled the application from sale, and the application is near impossible to crack unless you know how to reverse Oreans, now called Themida. I have tried and tried. I had tried capturing the data with a logic analyzer, but that didn't capture anything of use, as I would need a 144-pin analyzer which would probably cost a billion pounds (sarcasm).
You approach it wrong. https://xkcd.com/538/
What approach shall I take ? 🤔

dikidera
Posts: 1305
Joined: 15 August 2022
Year and Model: S60 2005
Location: Galaxy far far away
Has thanked: 67 times
Been thanked: 175 times

Post by dikidera »

I mean, there are dozens of automatic Themida unpackers on GitHub, though it's a long shot whether they work for you. Back in the day Oreans were one of the few who made an obfuscation virtual machine for their packer/protector. Themida back then was what Denuvo is for us today, with the exception of StarForce and SecuROM.

I sunk months into reverse engineering a particular SecuROM game, to the point of writing my own control flow graph generator with which I could then find all the small code checks which prevented software breakpoints. Then there was the SecuROM VM. Fun times.

Point is you need a lot of time + experience to attempt to RE such a thing.

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

dikidera wrote: 30 Nov 2023, 13:46 I mean, there are dozens of automatic Themida unpackers on GitHub, though it's a long shot whether they work for you. Back in the day Oreans were one of the few who made an obfuscation virtual machine for their packer/protector. Themida back then was what Denuvo is for us today, with the exception of StarForce and SecuROM.

I sunk months into reverse engineering a particular SecuROM game, to the point of writing my own control flow graph generator with which I could then find all the small code checks which prevented software breakpoints. Then there was the SecuROM VM. Fun times.

Point is you need a lot of time + experience to attempt to RE such a thing.
This is true. My reverse engineering skills are limited at best, and one thing I don't have is a lot of time. But I'll look into the Oreans unpackers on GitHub and see what they do and how they work; maybe they will edge the idea closer, or I'll just go down a bottomless rabbit hole.

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

dikidera wrote: 30 Nov 2023, 13:46 I mean, there are dozens of automatic Themida unpackers on GitHub, though it's a long shot whether they work for you. Back in the day Oreans were one of the few who made an obfuscation virtual machine for their packer/protector. Themida back then was what Denuvo is for us today, with the exception of StarForce and SecuROM.

I sunk months into reverse engineering a particular SecuROM game, to the point of writing my own control flow graph generator with which I could then find all the small code checks which prevented software breakpoints. Then there was the SecuROM VM. Fun times.

Point is you need a lot of time + experience to attempt to RE such a thing.
It was an option trying to reverse engineer the application, but that might be a bit too time consuming. Now, looking down the CAN sniffing route might be an option which could work. It's a question of what software would be easy to use and need minimal knowledge to control it. I did discover a cheap tool from Russia called CANHACKER; it "seems" very capable and would also appear to do quite a lot, including being able to adjust the data directly from the EEPROM (amongst other things), which is very intriguing and could make the synchronisation quest easier. I have a number of test ECUs and CEMs from a C30, and an S40 I think it is, all around 2010-2012 with the SID807 and P1 CEM.

vtl
Posts: 4727
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

oscilloscope wrote: 03 Dec 2023, 08:21 It was an option trying to reverse engineer the application, but that might be a bit too time consuming. Now, looking down the CAN sniffing route might be an option which could work. It's a question of what software would be easy to use and need minimal knowledge to control it. I did discover a cheap tool from Russia called CANHACKER; it "seems" very capable and would also appear to do quite a lot, including being able to adjust the data directly from the EEPROM (amongst other things), which is very intriguing and could make the synchronisation quest easier. I have a number of test ECUs and CEMs from a C30, and an S40 I think it is, all around 2010-2012 with the SID807 and P1 CEM.
Pin cracker was done using a cheap counterfeit fork of Saleae Logic. I now have a real DSLogic Plus, which also has nicer software than the new version of the Saleae software (in my opinion). Both can do CAN and LIN and many other protocols. I used one to develop a driver for the 93C86 EEPROM.

Once a bulk of the protocol exchange is sniffed/understood, experimenting is way more convenient using a programmable board, which you can write software for in C or Python.

I think we had this discussion in the past? :)

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

vtl wrote: 03 Dec 2023, 08:31
oscilloscope wrote: 03 Dec 2023, 08:21 It was an option trying to reverse engineer the application, but that might be a bit too time consuming. Now, looking down the CAN sniffing route might be an option which could work. It's a question of what software would be easy to use and need minimal knowledge to control it. I did discover a cheap tool from Russia called CANHACKER; it "seems" very capable and would also appear to do quite a lot, including being able to adjust the data directly from the EEPROM (amongst other things), which is very intriguing and could make the synchronisation quest easier. I have a number of test ECUs and CEMs from a C30, and an S40 I think it is, all around 2010-2012 with the SID807 and P1 CEM.
Pin cracker was done using a cheap counterfeit fork of Saleae Logic. I now have a real DSLogic Plus, which also has nicer software than the new version of the Saleae software (in my opinion). Both can do CAN and LIN and many other protocols. I used one to develop a driver for the 93C86 EEPROM.

Once a bulk of the protocol exchange is sniffed/understood, experimenting is way more convenient using a programmable board, which you can write software for in C or Python.

I think we had this discussion in the past? :)
We had, but the issue I was having was that when I connected up the analyzer, the information I gained made little to no sense, with no frame of reference to guide me. I had a lot of information when I placed the key into the ignition and simulated the starting. The information was vast and I couldn't differentiate what was the sync check from what was immo data or the start request. The analyser is a great bit of kit; I found I could use it to passively read a memory chip in a VIC-20 without it interfering with the operation, which I found other tools can't do very well. The idea in my head was to have a tool which has a well planned out application and gives me good, discernible data which makes sense. For a laugh I connected up my CANdo tool; that thing is not good. That just gives a CAN stream with strange PID data IDs.
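
The "no frame of reference" problem above is usually attacked by differential capture: record the bus once with nothing happening, record it again while doing the one thing of interest (key in, crank), and let a script report which arbitration IDs are new, which bytes of the periodic frames changed, and which new frames arrive back-to-back in the shape of a request/response. The script below is an added example written for this page, not code from the thread or from any Volvo tool; it assumes the captures were saved (or re-encoded) in the candump -l log format that can-utils and python-can produce, and every ID and payload in it is constructed for illustration and is not real CEM or ECM traffic.

```python
"""Differential analysis of two CAN captures in candump -l log format.

Added example for this thread. The capture lines below are CONSTRUCTED for
illustration; the arbitration IDs and payloads are made up and are not
Volvo CEM/ECM traffic.
"""
import re
from collections import defaultdict

# candump -l writes lines like: (1701590400.123456) can0 1A0#0011223344556677
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)"
)

# Constructed baseline: bus idle, key out.
BASELINE_LOG = """\
(1.000000) can0 1A0#0000000000000000
(1.010000) can0 1A0#0000000000000000
(1.020000) can0 1A0#0000000000000000
(1.005000) can0 2C8#1122334455667788
(1.015000) can0 2C8#1122334455667788
(1.008000) can0 3F0#01
"""

# Constructed event capture: same bus, key inserted and start simulated.
EVENT_LOG = """\
(2.000000) can0 1A0#0000000000000000
(2.010000) can0 1A0#0000000001000000
(2.020000) can0 1A0#0000000001000000
(2.005000) can0 2C8#1122334455667788
(2.015000) can0 2C8#1122334455667788
(2.008000) can0 3F0#01
(2.030000) can0 610#A1B2C3D4
(2.032000) can0 611#5E6F7081
"""


def parse_candump(text):
    """Return [(timestamp, arbitration_id, payload)] for every parseable line, time-ordered."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return sorted(frames)


def summarize(frames):
    """Per arbitration ID: number of frames seen and the set of distinct payloads."""
    summary = defaultdict(lambda: {"count": 0, "payloads": set()})
    for _, can_id, data in frames:
        summary[can_id]["count"] += 1
        summary[can_id]["payloads"].add(data)
    return summary


def varying_bytes(payloads):
    """Byte offsets whose value is not constant across a set of payloads."""
    payloads = list(payloads)
    width = max((len(p) for p in payloads), default=0)
    return {i for i in range(width) if len({p[i] for p in payloads if i < len(p)}) > 1}


def diff_captures(baseline_text, event_text, pair_window=0.010):
    """Compare an event capture against a baseline.

    Returns the IDs that appear only during the event, the byte offsets that
    changed in IDs present in both captures, and (heuristic) pairs of new-ID
    frames sent within pair_window seconds of each other, which is the shape a
    request/response exchange such as an immobiliser handshake would have.
    """
    base = summarize(parse_candump(baseline_text))
    event_frames = parse_candump(event_text)
    event = summarize(event_frames)

    new_ids = sorted(set(event) - set(base))
    changed = {}
    for can_id in set(event) & set(base):
        if event[can_id]["payloads"] - base[can_id]["payloads"]:
            changed[can_id] = varying_bytes(event[can_id]["payloads"] | base[can_id]["payloads"])

    new_only = [f for f in event_frames if f[1] in new_ids]
    pairs = [
        (a[1], b[1])
        for a, b in zip(new_only, new_only[1:])
        if a[1] != b[1] and b[0] - a[0] <= pair_window
    ]
    return {"new_ids": new_ids, "changed": changed, "pairs": pairs}


if __name__ == "__main__":
    report = diff_captures(BASELINE_LOG, EVENT_LOG)
    print("IDs only seen during the event:", [hex(i) for i in report["new_ids"]])
    for can_id, offsets in sorted(report["changed"].items()):
        print(f"ID {can_id:#x}: payload bytes changed at offsets {sorted(offsets)}")
    print("request/response candidates:", [(hex(a), hex(b)) for a, b in report["pairs"]])
```

The periodic frames that carry a changed byte are the status signals (key position, start request), while IDs that exist only during the event and arrive in tight pairs are where a challenge/response would live; repeating the event capture several times and keeping only the IDs that show up every time removes the unrelated noise. The pairing heuristic is deliberately simple and should be treated as a pointer for where to look in the logic-analyzer decode, not as proof of a handshake.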

vtl
Posts: 4727
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

oscilloscope wrote: 03 Dec 2023, 08:57 We had, but the issue I was having was that when I connected up the analyzer, the information I gained made little to no sense, with no frame of reference to guide me. I had a lot of information when I placed the key into the ignition and simulated the starting. The information was vast and I couldn't differentiate what was the sync check from what was immo data or the start request.
How could CANhacker help here?

oscilloscope
Posts: 285
Joined: 20 May 2022
Year and Model: 2005
Location: uk
Has thanked: 27 times
Been thanked: 11 times

Post by oscilloscope »

vtl wrote: 03 Dec 2023, 09:20
oscilloscope wrote: 03 Dec 2023, 08:57 We had, but the issue I was having was that when I connected up the analyzer, the information I gained made little to no sense, with no frame of reference to guide me. I had a lot of information when I placed the key into the ignition and simulated the starting. The information was vast and I couldn't differentiate what was the sync check from what was immo data or the start request.
How could CANhacker help here?
Well, if I am reading the information on the CANhacker site correctly, you can read the CAN information, and then it has a tracer function which can trace the CAN function call in real time and trace it to the memory location, which potentially may be what I require.

dikidera
Posts: 1305
Joined: 15 August 2022
Year and Model: S60 2005
Location: Galaxy far far away
Has thanked: 67 times
Been thanked: 175 times

Post by dikidera »

After dumping my TCM from a facelift P2 I saw that the CAN signal configuration and the underlying interfaces have changed vastly, and the IDs there are not stored as plaintext as they once were with the pre-facelift cars. I am annoyed by this as it means I have to reverse it again to see the final CAN ID.

In the meantime I saw that GSM<->TCM module communication is maybe done via the CEM, e.g. the CEM is translating GSM module messages via the CEM's LIN bus interface? I can't determine if it has a LIN controller inside.
Why is this important? It means it may be possible to emulate paddle shifting without having Geartronic equipped. The only foreseeable problem is that I can spoof a CEM message with paddle shift information, but the CEM then may retransmit the original contents, thereby disabling QuickShift and causing unpredictable behaviour of the box. Exciting!
