Vida CEM swapping

Post by **vtl** » 27 Jan 2024, 10:22

yagger wrote: ↑26 Jan 2024, 20:38 I am not sure this tool can help to restore firmware completely. I downloaded FW from similar working DiCE and updated DiCE with issue by programmer.

It has the same M32C. Does it have flash protection PIN set?

Post by **vtl** » 27 Jan 2024, 10:25

fmobile wrote: ↑19 Jan 2024, 05:24 Hi there!

I just would like to express respect to Vitaly and other guys for their efforts and the final elegant solution. I have cracked the PIN of CEM-L 31314468 successfully.

During cracking I noticed that some convenient features could be helpful, so I added:
1) 'Abort' button to exit from cracking process with ECUs exiting from programming mode, if brute-force is aborted by button the last checked value will be shown, so next time you can use this last value as initial value to continue brute-forcing.
2) Allows you to run brute-forcing starting any value, it can be useful if you are brute-forcing 4 bytes, which could take up to 18 hours, so you can break it in parts.
3) i2c LCD support, I see that Mark has committed LCD support with HD44780 chip, no cons about it. Just I had an i2c LCD only, and my implementation is done in accordance with the two points above.

All details can be found here https://github.com/feodorr/volvo-cem-cracker
Maybe it can be useful to someone.

Cool work! If you format your code according to existing style and squash your commits into a small batch of meaningful one (one commit does one thing, like implements feature, with good commit message) we can merge it to upstream.

We also need to integrate Christian's "one pass" branch. Any volunteers? Last I remember it failed to crack those tricky P2 CEMs which have a "bad" pin routine placement in flash.

zootsuit7 · Post by **zootsuit7** » 28 Jan 2024, 01:21

My goal is to DIY add a remote fob. My ID48 transponder is good - never had a problem with it. I have a new ILCO fob with 8 and 16 digit numbers.

I have read all 331 pages of this thread.

Cracked my 2005 S40 first attempt, only 5 minutes! I actually ordered boards from PCBway, but I had all the other parts and I just couldn't wait! Thanks VTL, Sirloin, RickHaleParker, cmolson and everyone. This was a fun project. I used Christian's "faster-attempt" branch. I may try "one-pass" out of curiosity someday.

I got a JRL cable, and VDASH recognizes it. Got my cracked pin uploaded to them. Now it says adding remotes, keys, transponders, everything all needs an IMMO CODE TOO. Is this true? Now they want me to buy a VDD bluetooth gadget to get this IMMO code, to get this remote added. Right here is where the buck stops.

I feel like I am back to square one. I'm not paying for VIDA, I am going to disconnect the siren from the module and replace the nimh battery in it with a capacitor (to keep the warning off of the dash) and we will use the metal key like we've done for 100 years or so.

alevol · Post by **alevol** » 28 Jan 2024, 02:30

I never had luck with 2005-2006 S40/V50. What version of the software did you use?

zootsuit7 · Post by **zootsuit7** » 28 Jan 2024, 08:20

alevol wrote: ↑28 Jan 2024, 02:30 I never had luck with 2005-2006 S40/V50. What version of the software did you use?

"faster-attempt" located here - https://github.com/cmolson/volvo-cem-cr ... anches/all

alevol · Post by **alevol** » 28 Jan 2024, 08:21

Thanks

Maximus1980 · Post by **Maximus1980** » 28 Jan 2024, 13:59

Hello Volvofrank did you manage to get the cem pincode?.

vitalik2134 · Post by **vitalik2134** » 30 Jan 2024, 10:02

vtl wrote: ↑27 Jan 2024, 10:22
yagger wrote: ↑26 Jan 2024, 20:38 I am not sure this tool can help to restore firmware completely. I downloaded FW from similar working DiCE and updated DiCE with issue by programmer.
It has the same M32C. Does it have flash protection PIN set?

Yes, it has the same M32C installed, only 512 kb instead of 320 kb. I also have a DICE 000000 problem. I read it orange5

dikidera · Post by **dikidera** » 01 Feb 2024, 05:52

So we can see here that the CAN stuff is organized as follows in some of our modules

There are three common interfaces for BUS communication
HCAN0,HCAN1,LINBUS

I guess we will start wth the first interface

ROM:00011690 CAN_Interface_HCAN0_off_11690:.data.l off_7EA20 <--- unknown as of yet what this is
ROM:00011694 .data.l unk_FFFFDD00 <--very important structure in RAM. If this is not set, the code will never process/send any messages I think
ROM:00011698 .data.l CAN_Controller_HCAN0_off_7EBB0
ROM:0001169C .data.l sub_655D4
ROM:000116A0 .data.l sub_65670
ROM:000116A4 .data.l sub_6577C
ROM:000116A8 .data.l sub_659B6
ROM:000116AC .data.l sub_65960
ROM:000116B0 .data.l sub_65988
ROM:000116B4 .data.l sub_65BE4
ROM:000116B8 .data.l sub_65CF4
ROM:000116BC .data.l sub_65E4C
ROM:000116C0 .data.l CAN_HCAN_enable_normal_mode_MCR_sub_6602A
ROM:000116C4 .data.l clear_irr0_hcan_controller_sub_6605A
ROM:000116C8 .data.l sub_660B2
ROM:000116CC .data.l CAN_MailBox_GSR_TEC_Check_sub_660CC
ROM:000116D0 .data.l nullsub_6
ROM:000116D4 .data.l sub_6593A
ROM:000116D8 .data.l unk_FFFFDD24
ROM:000116DC .data.l h'1000000

The FFFFDD00 structure is important. At FFFFDD10 there is a flag that if it's not set in any way, processing of the interface/controller will not happen.
At FFFFDD14 is a pointer to another structure that changes to a different one depending in which part of the code you are., often preceding adding data that would be sent via CAN.

Everything would've been simple without said structure, it would have been just CAN Interface definition + CAN Signal configuration.

Skavac · Post by **Skavac** » 02 Feb 2024, 22:02

Anyone knows if CEM-L can be read with Orange5? I can see it supports M30855F, but I can't find a wiring diagram to connect the CEM to the orange 5. Reason I am asking because failed write with IOTerminal. Now CEM is dead

Vida CEM swapping

Re: Vida CEM swapping