IPD sale XeMODeX - Experts in Volvo Electronics
Did you know? 🤔
Logged in users can get email notification of topic replies Log in or register (free).
Amazon Link Buy anything with this and it helps MVS!

Vida CEM swapping

Help, Advice, Owners' Discussion and DIY Tutorials on Volvo XC90s. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America).
User avatar
RickHaleParker
Posts: 4408
Joined: Mon May 25, 2015 2:30 pm
Year and Model: See Signature below.
Location: Kansas
Has thanked: 3 times
Been thanked: 562 times
United States of America
RickHaleParker

Re: Vida CEM swapping

Post by RickHaleParker » Wed Jun 24, 2020 8:20 pm

vtl wrote:
Wed Jun 24, 2020 7:57 pm
Yeah, seen that. I don't really understand what this software does.
It gets the pin number needed to make changes in the CEM. Like software reloads, cloning ... ect.

Yagger can get the PIN through the OBDII port but like all the other services the CEM PIN is not shared with the customer. It is used by him to provide his services. VDASH does the same and it makes sense. If they gave out the CEM PIN. Idiots would messing with things and then try to blame the service provider in order to get their mess fixed for free. Fixing someone else's mess is not cheap.

If i recall correctly Yagger's method for the P2 requires hardware other than DiCE. Or like VDASH you can snail mail the CEM and he will put the CEM pin on file in your account information.
These users thanked the author RickHaleParker for the post:
yagger
--------
Platform: P80 1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
Platform: X40 (Nedcar) 2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
Platform P2 2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Platform P2 2004 S60R, B2524T4, AW50/51 AWD, B8444S TF80 AWD, Bosch Motronic 7.0, BorgWarner K24 turbocharger. V8 conversion in progress.

User avatar
vtl
Posts: 1903
Joined: Thu Aug 16, 2012 1:35 pm
Year and Model: 2005 XC70
Location: Boston
Has thanked: 3 times
Been thanked: 68 times
United States of America
vtl

Re: Vida CEM swapping

Post by vtl » Wed Jun 24, 2020 9:27 pm

RickHaleParker wrote:
Wed Jun 24, 2020 8:20 pm
It gets the pin number needed to make changes in the CEM. Like software reloads, cloning ... ect.
It says:
"Read Processor Renesas M32C Flash file.
Browse file and get CEM PIN security CODE.

Enjoy GUSS"

As I said before, you can't do the first line without knowing PIN up front. At least, as per Renesas.

I "browsed" a random file (PNG picture) and it printed me a 00 00 00 00 00 00 code, that was at the offset where the PIN is stored in flash. I'd say, this is not a very useful "tool" ;)
05 XC70 265k, 16 XC60 45k, 19 Tundra 5k

User avatar
RickHaleParker
Posts: 4408
Joined: Mon May 25, 2015 2:30 pm
Year and Model: See Signature below.
Location: Kansas
Has thanked: 3 times
Been thanked: 562 times
United States of America
RickHaleParker

Re: Vida CEM swapping

Post by RickHaleParker » Wed Jun 24, 2020 11:05 pm

vtl wrote:
Wed Jun 24, 2020 9:27 pm
As I said before, you can't do the first line without knowing PIN up front. At least, as per Renesas.
You need to hard wire the programmer to the PC board. Read this. Your not after a chip pin. You are after a board pin or software key.

Note the third line in the comment section of the programmer software.
--------
Platform: P80 1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
Platform: X40 (Nedcar) 2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
Platform P2 2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Platform P2 2004 S60R, B2524T4, AW50/51 AWD, B8444S TF80 AWD, Bosch Motronic 7.0, BorgWarner K24 turbocharger. V8 conversion in progress.

User avatar
vtl
Posts: 1903
Joined: Thu Aug 16, 2012 1:35 pm
Year and Model: 2005 XC70
Location: Boston
Has thanked: 3 times
Been thanked: 68 times
United States of America
vtl

Re: Vida CEM swapping

Post by vtl » Wed Jun 24, 2020 11:18 pm

In the video they read unsecured/unlocked flash. To read the locked flash you need to know ID.

That programmer costs arm and a leg. My setup is $0 investment (everything was taken from parts bin) :)

Image
05 XC70 265k, 16 XC60 45k, 19 Tundra 5k

User avatar
yagger
Posts: 306
Joined: Thu Mar 24, 2016 4:29 pm
Year and Model: S60 2005 2,5T
Location: DreamLand
Has thanked: 5 times
Been thanked: 24 times
Belarus
yagger

Re: Vida CEM swapping

Post by yagger » Thu Jun 25, 2020 11:18 am

RickHaleParker wrote:
Wed Jun 24, 2020 7:37 pm
Have you considered making a better program/service to directly compete with Vdash?
We have service similar like Vdash, but we have other philosophy. We work with people directly. WE WORK WITH CUSTOMER. )))
In case with Vdash, CUSTOMER WORK WITH SERVICE for own risk about result.
We work from 2010. But unfortunately, I think we are not good bisnessman's, we never advertise our service for world market like Vdash, but now, we start show our tech posibilites and they are very cool. Also, we try to work with shops only, because very often situations when regular customer do not has tech experience and we spend a loooot time for explain them what need to do. We lake to work with tech educated guys, they can check any things we ask them without additional spended time. Our service include diagnostic and recomendations except service itself. Sorry about my English, if need some additional explanation, better to text me PM... My be need to creat new topic about our service? ))
Volvo electronics and programming.Yagger&Doublebug - our experience invaluable.
Aftermarket Online Data Transferring Service for Volvo Pass: total

User avatar
RickHaleParker
Posts: 4408
Joined: Mon May 25, 2015 2:30 pm
Year and Model: See Signature below.
Location: Kansas
Has thanked: 3 times
Been thanked: 562 times
United States of America
RickHaleParker

Re: Vida CEM swapping

Post by RickHaleParker » Thu Jun 25, 2020 1:18 pm

vtl wrote:
Wed Jun 24, 2020 9:27 pm
As I said before, you can't do the first line without knowing PIN up front. At least, as per Renesas.
Have you seen this document on programing R8C/M16C/M32C/R32C?

"To unlock the chip, we need to know the flash locking code that was last programmed into it. Most development tools use either all zeros or all ones (0xff) for the default key, so if you don't know the right key you can try those. Each chip reserves seven bytes near the end (high addresses) of the flash,which vary by family:"
--------
Platform: P80 1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
Platform: X40 (Nedcar) 2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
Platform P2 2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Platform P2 2004 S60R, B2524T4, AW50/51 AWD, B8444S TF80 AWD, Bosch Motronic 7.0, BorgWarner K24 turbocharger. V8 conversion in progress.

User avatar
vtl
Posts: 1903
Joined: Thu Aug 16, 2012 1:35 pm
Year and Model: 2005 XC70
Location: Boston
Has thanked: 3 times
Been thanked: 68 times
United States of America
vtl

Re: Vida CEM swapping

Post by vtl » Thu Jun 25, 2020 1:24 pm

Yes, and if the key is not all 0s or 1s the chip is locked and you can't make any progress until you know the key.
05 XC70 265k, 16 XC60 45k, 19 Tundra 5k

User avatar
RickHaleParker
Posts: 4408
Joined: Mon May 25, 2015 2:30 pm
Year and Model: See Signature below.
Location: Kansas
Has thanked: 3 times
Been thanked: 562 times
United States of America
RickHaleParker

Re: Vida CEM swapping

Post by RickHaleParker » Thu Jun 25, 2020 2:36 pm

MwAAAgPki-A-960.jpg
MwAAAgPki-A-960.jpg (353.03 KiB) Viewed 58 times
--------
Platform: P80 1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
Platform: X40 (Nedcar) 2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
Platform P2 2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Platform P2 2004 S60R, B2524T4, AW50/51 AWD, B8444S TF80 AWD, Bosch Motronic 7.0, BorgWarner K24 turbocharger. V8 conversion in progress.

User avatar
RickHaleParker
Posts: 4408
Joined: Mon May 25, 2015 2:30 pm
Year and Model: See Signature below.
Location: Kansas
Has thanked: 3 times
Been thanked: 562 times
United States of America
RickHaleParker

Re: Vida CEM swapping

Post by RickHaleParker » Thu Jun 25, 2020 4:17 pm

vtl wrote:
Thu Jun 25, 2020 1:24 pm
Yes, and if the key is not all 0s or 1s the chip is locked and you can't make any progress until you know the key.
Brute force: 16^14 +1 = 17,057,594,037,927,937 possibilities. How long would it take a cracker to try one, check the status then move on to the next one?
--------
Platform: P80 1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
Platform: X40 (Nedcar) 2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
Platform P2 2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.
Platform P2 2004 S60R, B2524T4, AW50/51 AWD, B8444S TF80 AWD, Bosch Motronic 7.0, BorgWarner K24 turbocharger. V8 conversion in progress.

User avatar
vtl
Posts: 1903
Joined: Thu Aug 16, 2012 1:35 pm
Year and Model: 2005 XC70
Location: Boston
Has thanked: 3 times
Been thanked: 68 times
United States of America
vtl

Re: Vida CEM swapping

Post by vtl » Thu Jun 25, 2020 9:57 pm

RickHaleParker wrote:
Thu Jun 25, 2020 4:17 pm
vtl wrote:
Thu Jun 25, 2020 1:24 pm
Yes, and if the key is not all 0s or 1s the chip is locked and you can't make any progress until you know the key.
Brute force: 16^14 +1 = 17,057,594,037,927,937 possibilities. How long would it take a cracker to try one, check the status then move on to the next one?
Few seconds. I've mentioned a possibility of a side-channel timing attack on BUSY line in my first comment to the thread.

Scroll down the slides, M16 portion is in the middle: http://q3k.org/slides-recon-2018.pdf
05 XC70 265k, 16 XC60 45k, 19 Tundra 5k

Post Reply
  • Similar Topics
    Replies
    Views
    Last post