Vida CEM swapping

repair · Post by **repair** » 28 Mar 2021, 06:09

I only experimented with the M30855FW processor from the L and H versions, with a flash size of 320 kb.
About what I have written a report earlier.

T5Luke · Post by **T5Luke** » 28 Mar 2021, 06:16

The 2nd byte should have a characteristic gap to notice if it is detected correctly

21 63 00 00 00 00: 000 000 127 000 2240 000 2108 000 525 000 000 000 000 : 436062
21 64 00 00 00 00: 000 000 125 001 2273 000 2120 000 481 000 000 000 000 : 435913
21 65 00 00 00 00: 000 000 115 000 2336 000 2079 000 470 000 000 000 000 : 435808
21 66 00 00 00 00: 000 000 000 000 2096 000 2202 001 701 000 000 000 000 : 437211 GAP
21 67 00 00 00 00: 000 000 085 001 2259 000 2180 000 475 000 000 000 000 : 436089

Can you post your latencys?

The CEM from 2005 can have:
M30835F Flash starts at F80000 to FFFFFF 512kb total
M30855F Flash starts at FB0000 to FFFFFF 320kb total, all cems with serial starting with 5 or later are this type

repair · Post by **repair** » 28 Mar 2021, 07:25

[ 50 -- -- -- -- -- ]: 000 000 000 011 147 063 1323 071 1239 009 136 001 000 000 000 : 260735
[ 51 -- -- -- -- -- ]: 000 001 001 006 139 074 1232 061 1315 012 152 002 002 000 001 : 261010
[ 52 -- -- -- -- -- ]: 000 000 000 005 151 065 1258 076 1281 018 145 001 000 000 000 : 260895
[ 53 -- -- -- -- -- ]: 000 000 000 006 143 065 1293 059 1266 010 158 000 000 000 000 : 260884
[ 54 -- -- -- -- -- ]: 000 000 000 007 113 072 1266 054 1189 018 278 000 002 000 000 : 261301
[ 55 -- -- -- -- -- ]: 000 000 000 006 143 069 1264 080 1269 008 161 000 000 000 000 : 260913
[ 56 -- -- -- -- -- ]: 000 000 001 006 154 068 1302 070 1227 007 158 000 005 000 002 : 260825
[ 57 -- -- -- -- -- ]: 000 000 000 007 137 070 1295 065 1259 006 161 000 000 000 000 : 260880

I do not see any gap in myself when I find the correct number.

T5Luke · Post by **T5Luke** » 28 Mar 2021, 07:29

You should see the gap in the 2nd byte of detection, you posted the first

T5Luke · Post by **T5Luke** » 28 Mar 2021, 07:37

repair wrote: ↑28 Mar 2021, 07:25 [ 50 -- -- -- -- -- ]: 000 000 000 011 147 063 1323 071 1239 009 136 001 000 000 000 : 260735
[ 51 -- -- -- -- -- ]: 000 001 001 006 139 074 1232 061 1315 012 152 002 002 000 001 : 261010
[ 52 -- -- -- -- -- ]: 000 000 000 005 151 065 1258 076 1281 018 145 001 000 000 000 : 260895
[ 53 -- -- -- -- -- ]: 000 000 000 006 143 065 1293 059 1266 010 158 000 000 000 000 : 260884
[ 54 -- -- -- -- -- ]: 000 000 000 007 113 072 1266 054 1189 018 278 000 002 000 000 : 261301
[ 55 -- -- -- -- -- ]: 000 000 000 006 143 069 1264 080 1269 008 161 000 000 000 000 : 260913
[ 56 -- -- -- -- -- ]: 000 000 001 006 154 068 1302 070 1227 007 158 000 005 000 002 : 260825
[ 57 -- -- -- -- -- ]: 000 000 000 007 137 070 1295 065 1259 006 161 000 000 000 000 : 260880

I do not see any gap in myself when I find the correct number.

Also your signal looks very noisy, you should try to optimize hardware, maybe a better mcp (there seem to be fakes on the market), or a better transceiver, or a better can line detection...

On first byte i have no noise...
15 00 00 00 00 00: 000 000 415 000 2172 000 2204 000 209 000 000 000 000 : 434414
16 00 00 00 00 00: 000 000 380 000 2140 000 2259 000 221 000 000 000 000 : 434642
17 00 00 00 00 00: 000 000 370 000 2201 000 2199 000 230 000 000 000 000 : 434578
18 00 00 00 00 00: 000 000 321 000 2112 000 2357 000 210 000 000 000 000 : 434912
19 00 00 00 00 00: 000 000 347 000 2214 000 2241 000 198 000 000 000 000 : 434580
20 00 00 00 00 00: 000 000 304 000 2360 000 2149 000 187 000 000 000 000 : 434438
21 00 00 00 00 00: 000 000 148 000 2159 000 2214 000 479 000 000 000 000 : 436048 GAP on first byte not so clear
22 00 00 00 00 00: 000 000 399 000 2055 000 2290 000 256 000 000 000 000 : 434806
23 00 00 00 00 00: 000 000 375 000 2079 000 2326 000 220 000 000 000 000 : 434782
24 00 00 00 00 00: 000 000 369 000 2081 001 2337 000 212 000 000 000 000 : 434785
25 00 00 00 00 00: 000 000 368 000 2126 000 2296 000 210 000 000 000 000 : 434696
26 00 00 00 00 00: 000 000 383 000 2086 000 2313 000 218 000 000 000 000 : 434732
27 00 00 00 00 00: 000 000 385 000 2149 000 2228 000 238 000 000 000 000 : 434638
28 00 00 00 00 00: 000 000 380 000 2105 000 2299 000 216 000 000 000 000 : 434702
29 00 00 00 00 00: 000 000 365 000 2129 000 2235 000 271 000 000 000 000 : 434824
30 00 00 00 00 00: 000 000 344 000 2196 000 2250 000 210 000 000 000 000 : 434652

repair · Post by **repair** » 28 Mar 2021, 08:12

[54 00 -- -- -- -- ]: 000 000 000 001 146 071 1267 053 1201 011 247 001 001 000 000 : 261131
[ 54 01 -- -- -- -- ]: 000 000 000 009 085 063 1249 052 1232 023 283 002 000 000 000 : 261491
[ 54 02 -- -- -- -- ]: 000 000 000 003 122 059 1236 066 1231 016 263 001 001 001 001 : 261342
[ 54 03 -- -- -- -- ]: 000 000 000 006 086 077 1275 055 1220 017 262 001 000 000 000 : 261342
[ 54 04 -- -- -- -- ]: 000 000 000 006 136 061 1267 064 1185 015 261 004 000 000 000 : 261202
[ 54 05 -- -- -- -- ]: 000 000 000 004 079 053 1247 072 1224 021 294 002 002 001 001 : 261573
[ 54 06 -- -- -- -- ]: 000 000 000 008 124 058 1268 064 1220 013 241 001 002 000 001 : 261202
[ 54 07 -- -- -- -- ]: 000 000 002 005 072 061 1360 060 1143 018 276 000 001 000 001 : 261304
[ 54 08 -- -- -- -- ]: 000 000 001 011 103 064 1247 066 1210 018 272 002 004 001 001 : 261370
[ 54 09 -- -- -- -- ]: 000 001 000 008 104 065 1296 065 1174 014 268 001 003 000 001 : 261256

I was mistaken - I wanted to upload by the second byte, but it turned out by mistake - by the first.
But even here I do not see any gap.
The transceiver is used by the MAX3051.
The only thing - a break box is connected between the CEM and the cracker - for power switching and connection.
What transceiver do you have?

T5Luke · Post by **T5Luke** » 28 Mar 2021, 09:51

So on bench you need 2 resistors with 120 Ohms between both can lines. Best would be on resistor on the cem side and one resistor on the can bus transceiver side. Useing only 1 resistor could cause this noise in latency. I use teensy with a 3,3v modified mcp2515 board that is connected to tja1050 transceiver (it seems there are a lot of fake chips for 3,3v transceivers and mcps in the net).

Post by **vtl** » 28 Mar 2021, 10:05

Built-in CAN works best with teensy (zero variation)

T5Luke · Post by **T5Luke** » 28 Mar 2021, 10:18

I didn't try internal, till now i'm happy with mcp, we only measure time between sending and receivng. I think the signal quality and how long the messeage stays on the can bus is the important factor. The 3,3V powered can transceivers have it hard to create a differential signal which could reach up to +5V, bad transceivers fail even on sending, i tested some different boards with transceivers and got some bad results even on an basic setup just for sending can frames. At the moment my mcp is powered by 3,3v but the tja1050 behind is powered by 5V. I also noticed signal issues when i use on bench setup with desktop computer. There is some current floating from cem power supply into computer power supply. Cleanest signal is achieved simple by a battery powered cem and a battery powered mobile computer. Everybody has to find out the best setup for the location he lives i guess...

T5Luke · Post by **T5Luke** » 28 Mar 2021, 13:45

Often simple things get much complicated through adding features or trying to make anything else better, i want to show a simple and maybe the worst build to crack code in car, but the most important part is it works

It is a fast hack, some jumper wires and only 1 mcp2515 shield connected to car while key is out. I'm proud to have the worst build

Vida CEM swapping

Re: Vida CEM swapping