Vida CEM swapping

[MaxDenisov]

I'm a bit late but had much different things to do and didn't come so far with a normal user "useful" software. My idea was and is to release a windows soft this week, which allows to change the parameters of the car, like having fog lights, having this, having that. Beyond each parameter is one setting, like parameter 2, a 1 stands for LHD and and a 2 for RHD car. There are parameters which decide if you have a cruise control or a trip computer. With your pincode you can change your car with this tool how you like. I have heard there are companys outside takeing lots of cash just for changeing 1 parameter, so please be a bit patient with me Maybe someones here can get out a parameter list out of some db or create it on other way for the others here, i just provide a parameter changer and dont want to be involved in this lists, i would like to load this lists as external txt file.

Some parameters have more than one item for setting: like Audio( different systems etc)

[Klopendus]

Im have 2 old cem s60 2003 and xc90 2003 28f400 flash files, the pin located in flash, the string 600h or older cem with flash 28f400 the string is 400h

[Klopendus]

If the pin is changed to FF FF FF FF FF FF can read write cem flash.

[vtl]

All 00 or FF == no write protection is for Renesas M32C. Volvo uses no Renesas pin, it's either 00 or FF, so write is enabled.

However, Volvo implements its own pin code check that is carried out over CAN before you can do anything useful with the flash. This pin code has nothing to do with the Renesas M32C pin code.

[vtl]

Spent couple of evenings working with the older, straight CEM. It seems the timing attack in its current form does not work for these CEMs. Maybe I need to try old code, the one with STD deviation tracing.

The code is in "rework" branch if anyone is interested.

[RickHaleParker]

If anybody has another idea for terminology, speak up. What matters the most is that we have a consensus on what terminology is used.

No takers ?

Another idea CEM-K for K-line.

[T5Luke]

You are not the only one whos spended nights with this, if you connect to the can lines to the car side and not to the obd site you don't need k line init. Did you read your CEMs flash before?
Code is entered without displacement. And from what i have seen in disassembler so far only 1 byte is checked. But in my tests i had most different results by testing the last can byte first. I also have probs with disassembler cause it doesnt decode full, need to find out how, dont like this universal tool.

About setting code to FF, it seems only if CEMs code is FF you can upload your own bootloader, with setting a code, the cem gets locked.

[vtl]

T5Luke, can you share pin check disassembly? It will help understanding why it does not work.

Also I fear Renesas only works because flash access takes very long time. It is not the latency of the cmp+jmp execution, it is something else.

[T5Luke]

Hi, if i had it i would share it. Code is shown in previous posts and on can bus 0xBE command orientation is 1:1 so unchanged.

Debugging tools are rare for this "not so new cpu", the pin compare code doesnt get disassembled automatically at the moment, i get only around 20 functions, need to work around if i remember right there was some keystroke to disassemble at some starting point you can choose...

I read this CEMs by 5 wires at the backside by some nanos, i would suggest to do this first...

In this 20 functions i can only find the command for checking the prog command, and there 1 byte after the next byte is checked in right condition. I wont think a compiler would mess around the order, so i would have thought the same for BE command.

[vtl]

So, first two bytes are FF 86, do I read it right? Interesting...

Actually, it must be a parser for "prog mode on" CAN frame: first bytes FF 86 followed by all zeros. This is not a pin compare routine.

And you say it is a prog mode =) Lol, stupid me.