Vida CEM swapping

5ft24 · Post by **5ft24** » 11 Apr 2021, 22:55

Works great!
Key in, position 0
Fired it up, CEM part number is correct,
1119.16 seconds to get the PIN, tested 8 different times. drove around in between a couple of the tests just so things could have a chance to change if they were going to. Same 6 digit pin each time!
If anyone has a code sample for the teensy 4.0 that I can use to send the pin and request access to something that needs the pin to test, let me know.
Thanks!

Post by **RickHaleParker** » 12 Apr 2021, 00:49

T5Luke wrote: ↑11 Apr 2021, 17:20 Yes P3 code is much shorter, so it is possible to bruteforce by slow dice within 24h, but it is not static as in P2. You send the cem a request and the cem responds with a random value, you calculate this random value by a special formula and put somewhere in this formular your pin inside and send the result back, if your pin was right the cem responds positive. So cracking in p3 askes for value and each time it increases pin by 1 from 0 to ... till it gets a positive response...

That sound like an Encryption key not a PIN number. You got to solve the riddle before you may pass.

Post by **RickHaleParker** » 12 Apr 2021, 02:18

vtl wrote: ↑01 Feb 2021, 10:21 Worse, in some jurisdictions, like USA, it is not legal to develop an algorithm that will crack it, since its hash computation algorithm falls under DMCA umbrella.

What am I missing? Motorized land vehicles are exempt.

"As a result of the 2015 section 1201(a)(1) rulemaking process, the Librarian of Congress granted the following six exemptions:

2. Computer programs that control the functioning of motorized land vehicles. This exemption does not cover computer programs primarily designed for control of telematics or entertainment systems for vehicles. "

Codified at 37 CFR §201.40(b)(9)

Details: Where circumvention is a necessary step to allow diagnosis, repair, or lawful modification of a vehicle function and where circumvention does not constitute a violation of applicable law (including regulations promulgated by the U.S. DOT or EPA), and is not accomplished for the purpose of gaining unauthorized access to other copyrighted works.
This exemption does not cover computer programs accessed through a separate subscription service.

T5Luke · Post by **T5Luke** » 12 Apr 2021, 03:57

5ft24 wrote: ↑11 Apr 2021, 22:55 Works great!
Key in, position 0
Fired it up, CEM part number is correct,
1119.16 seconds to get the PIN, tested 8 different times. drove around in between a couple of the tests just so things could have a chance to change if they were going to. Same 6 digit pin each time!
If anyone has a code sample for the teensy 4.0 that I can use to send the pin and request access to something that needs the pin to test, let me know.
Thanks!

Perfect, you have luck

We found out something new again, with MY2005, you have a early V8 which seems to have the P2 protocol then.
I had some MY2006 which defenitly had the P3 protocol and my MY2007 also has the P3 protocol on engine side.

When you look at the screenshots on page 45, you see V8 and 6 cylinder is listed as P28 with diffferent protocol.

Can you try to make a memory dump?

Post by **vtl** » 12 Apr 2021, 08:19

RickHaleParker wrote: ↑12 Apr 2021, 02:18
vtl wrote: ↑01 Feb 2021, 10:21 Worse, in some jurisdictions, like USA, it is not legal to develop an algorithm that will crack it, since its hash computation algorithm falls under DMCA umbrella.
What am I missing? Motorized land vehicles are exempt.

"As a result of the 2015 section 1201(a)(1) rulemaking process, the Librarian of Congress granted the following six exemptions:

2. Computer programs that control the functioning of motorized land vehicles. This exemption does not cover computer programs primarily designed for control of telematics or entertainment systems for vehicles. "

Codified at 37 CFR §201.40(b)(9)

Details: Where circumvention is a necessary step to allow diagnosis, repair, or lawful modification of a vehicle function and where circumvention does not constitute a violation of applicable law (including regulations promulgated by the U.S. DOT or EPA), and is not accomplished for the purpose of gaining unauthorized access to other copyrighted works.
This exemption does not cover computer programs accessed through a separate subscription service.

CEM is not a telematics system nor entertainment. Also the details part makes it very vague: when you get the CEM pin via crypto hack, it is an access to other copyrighted works, like code in CEMs firmware? You need a lawyer degree to be sure (and a stash of money just in case you fail in the court).

On P1/P2 it is easy: you just keep sending unlock messages, measuring the time and observing latency irregularities in replies. No crypto functions and defeating specially crafted software countermeasures whatsoever.

Also I stated that many times, but here it goes again: P3 was a turning point for me. No more Volvos. I mean, yes to Volvo, no to Ford/Geely/new Swedish attitude, call it however you want.

Istvan52 · Post by **Istvan52** » 12 Apr 2021, 10:09

Not the best forum, but is active so I am sure I will get a reply: I have a 2005 V70 non-turbo. Engine cooling fan not working. I tested the fan with a PWM signal and seems ok. I can never get the cooling fan engaged on the car. The ODB tester shows that the CEM does get the temperature right. Even at 118 C the fan does not engage. I did clean the CEM contacts, checked the wiring from CEM to fan. The system message does correctly display the engine overheated message. I This a 2005 model, there was a recall on the 2004 fan control module. I actually do have a spare fan from a 2003 ( has different connector though). I tested that one too with the PWM signal and they both seem to behave identically...Is there a way to force the ECM to activate the fan? any thoughts? does anybody have a picture of the internal PCB of the CEM ( I did work on a lot of embedded designs), I would like to see if it is worth opening?

5ft24 · Post by **5ft24** » 12 Apr 2021, 11:43

CEM's get water in the connectors when there is a leak in the front of the vehicle. May want to pull it and clean all the contacts and see if there may be damage to the board

Post by **vtl** » 12 Apr 2021, 12:56

Istvan52 wrote: ↑12 Apr 2021, 10:09 Not the best forum, but is active so I am sure I will get a reply: I have a 2005 V70 non-turbo. Engine cooling fan not working. I tested the fan with a PWM signal and seems ok. I can never get the cooling fan engaged on the car. The ODB tester shows that the CEM does get the temperature right. Even at 118 C the fan does not engage. I did clean the CEM contacts, checked the wiring from CEM to fan. The system message does correctly display the engine overheated message. I This a 2005 model, there was a recall on the 2004 fan control module. I actually do have a spare fan from a 2003 ( has different connector though). I tested that one too with the PWM signal and they both seem to behave identically...Is there a way to force the ECM to activate the fan? any thoughts? does anybody have a picture of the internal PCB of the CEM ( I did work on a lot of embedded designs), I would like to see if it is worth opening?

You can activate it in VIDA+DiCE. Also trace the wiring to ECM (I think the fan must be going to ECM, not CEM).

Post by **vtl** » 12 Apr 2021, 13:12

T5Luke wrote: ↑12 Apr 2021, 03:57 Perfect, you have luck
We found out something new again, with MY2005, you have a early V8 which seems to have the P2 protocol then.
I had some MY2006 which defenitly had the P3 protocol and my MY2007 also has the P3 protocol on engine side.

Does it apply only to V8? Or any other XC90 past 2005 can't be cracked, since it's a half blood P3?

T5Luke · Post by **T5Luke** » 12 Apr 2021, 13:49

I know this V8s from 2006 and newer respond to P3 protocol on HS bus. Can bus logging shows only short IDs instead of extended CAN IDs in P2. When you look to the screenshots on page 45, the V8 and the 3.2 V6 are listed together as seperate P28. But 3.2 V6 here is not to find. From my testing i know the latest P2 based XC90 2015 D5, 2.5T engines run on P2 protocol. But it is hard to get an complete overview.

Vida CEM swapping

Re: Vida CEM swapping