Part Numbers for Popular P1 Software Updates

23K views 195 replies 20 participants last post by  motoeltech 
#1 · (Edited)
After spending a good part of my 3-day subscription in VIDA researching and executing software updates for my V50, I’ve compiled the below list of part numbers for the different popular software upgrades on the P1 platform. Based on my Google-based research, these may also work on some P2 and P3 models, as well.

30679693: Fog Light Application
- Install Fog Lights and/or Keep On w/High Beams
- Cost: $53.17

30667237: Master Key Application
- Add/Delete Keys
- Cost: $34.18

30679690: Low-Beam 2 Application
- Turn off Daytime Running Lights (DRL) with switch in position 0
- Cost: $34.18

30772600: Frequency Band EU Appl
- Changes Radio from US to Euro Frequency Usage, checks all frequencies, rather than just those ending in odd numbers
- Cost: $182.30

Good luck!
 
#55 · (Edited)
The "4 kb file" is on 2015, so it's hard to say if it was the same case on 2014D, however the script required to configure the ECU could very easily be under 4kb. It's likely just the secret configuration command and the address to send it to.

Yea I see those scripts too, under that scriptContent table, but it doesn't seem like they all correspond to the "software packages", a lot of them are read ops, which doesn't correspond with software download (swdl) to me. Not sure what happens if you try to execute one of those, or how to even "uncompress" the XML that those blobs are allegedly encoded in.

I will say, architecturally, VIDA 2015 is lightyears ahead of 2014. I've never used it, but I've got to imagine it's a huuuuge improvement over the janky javascript, IE, embedded .Net crapola they were doing before.
 
#56 ·
Too bad my Dice stopped working. It worked for a couple of years, but these last days I'm trying to connect to the laptop and it only gives an error that it is not recognized. Tried reinstalling Dice drivers and adding a line to the environment variables. The first time I added a variable it started to work again, but when I wanted to connect to the car again, same problem: not recognized.

So I cannot help anymore with any Dice or something.
 
#73 ·
My new CANBus shield (and arduino specifically for this) are arriving today. Hopefully I can get it up and running today and try to log some stuff.

Currently have a 3-day VIDA subscription. Any way for me to access the local database stuff on the software I've downloaded? Or anything else I should do?

 
#79 ·
I finally got the proxy working. Messing around with some stuff now and hoping to get a good idea on how the PIN number, etc works for software. Should have some results soon.


 
#80 ·
Nice work, keep us posted.

I have slowly become more inclined to also get a 3-day license and perform the total can upgrade. I think I just need to check that module under the glove box for any signs of water/coolant. Also the price tag seems quite high to do it at around $400 someone else posted. I guess it depends on how many updates there are. On the other hand, I have a tendency to get bit by doing updates when everything already seems to be working fine...
 
#81 ·
Just remember that when updating the firmware it is imperative that you connect a 20A charger to the vehicle to maintain a steady voltage during the reflash process. You cannot afford to have any voltage drops or fluctuations during reflashing!

 
#82 ·
What charger/maintainer are you guys using for keeping the battery charged?

I currently use this: https://www.canadiantire.ca/en/pdp/...lligent-battery-charger-12-8-2a-0111518p.html

It goes up to 12A, and seems to keep my battery charged while I was just reading codes etc through VIDA. I don't know how stable it really is, or if it would last more than the 15 minutes I have used it previously.

I do have a current clamp meter, I will log the current consumption next time I have the dice unit connected to read codes. The variable here is if things are reflashed/restarted they could perhaps pull a lot of current at startup causing a voltage drop (like if power steering pump kicks on briefly or something).
 
#83 ·
Using a different charger but it also only went up to 12 amps and was fine. Just make sure you turn off all the high draw stuff (like radio, headlights, etc.) and then you should be good. I drove the car around for a bit and then put it on the charger when I got back so it held it around 13.3 volts during my entire update process.

 
#86 ·
All I can say is read VIDA. VIDA says to connect an external charger capable of supplying something like 20A continuous current at a stable voltage so that the risk of voltage fluctuations is zero and the risk of damage to devices during reflashing is zero.

If you deviate from the recommended approach, then you increase the risk.

Doesn’t mean it will not work.
Just means it gets riskier, and you have to accept that.


 
#87 · (Edited)
So an update: I logged quite a bit of stuff on VIDA 2015 when I was working on the car but unfortunately didn't have the chance to log my software downloads. All other data worked to log, but when I would try to log during a software update VIDA would crash; I even had to request a refund on one to get it working again. However, I was digging back through the 2014D database and found a table called "dbo.CryptKey". This is inside of the "DiagSwdlSession" schema. Inside the table, which is made up of three columns, is an ID column, a version column, and a "KeyData" column. There is only one entry (row) in this table for me. For our research and for the sake of curiosity, here is my "KeyData" (crypt key, without quotes): "0x10743C76F36588300B9AED84F944FB2C". I am not sure if this is the key we need for the CEM or not; I will do some more digging. If this ends up being sensitive info I will remove it, but I do not think it is unless you have access to my specific car. If anyone can make anything of this or wants more info, let me know! For now, I will keep digging! Thanks guys!

Edit: also to note, the column type for "KeyData" is a varbinary, length 50, not null. Hope this helps!
 
#89 ·
Correct. I'm gonna do some more digging and find out when exactly that key is used. It very well could be left over from the original user who cracked 2014D.

 
#91 ·
Bumping this somewhat old thread. I want to perform upgrades on my 2 P2 2007 Volvos. Mainly I want to disable TPMS on my XC70.

I just started messing with VDASH and haven't hooked it up to the car yet, but is the P2 CEM pin hard to get as well? Haven't found much info on this.

I'm very interested in buying a crap volvo 2005-2007 and stripping all of the electronics from it for setting up a bench to work on the "car" after I scrap the body.

I have already reverse engineered most of the DIM messages for powering up and controlling the DIM outside of the car and I think I could make some progress on sniffing vida and messing with the CEM if it's not my DD.

Here is the code for powering up the DIM outside the car btw - https://github.com/andrewgabler/VolvoDIM

 
#96 ·
They have different chipsets but the process should be relatively similar depending on how he decoded the CEM. If he used a BDM reader only the module would differ.
 
#101 ·
I’m going to try and whip up a simple YouTube video here soon so that this is more accessible than some background discussions by the people over at VDASH.

For P2 Volvos all that is needed is a software download from a legitimate VIDA installation and then VDASH will grab your pin from the local DB that VIDA stores it in.

I have yet to go sniffing around VIDA's databases for the pin but I’m sure you could find it in there fairly easily if you wanted it for custom development, which I am interested in doing soon.


 
#102 ·
Nice to hear VDASH is expanding past P3 platform, I had engaged them a while ago about cracking P1s and P2s and they said the demand wasn't there so they were keeping it to the BDM route.
 
#103 · (Edited)
Just found this thread, interesting I must say.

I have personally had some experience with the installation of new "software" for my Volvos myself. The reason why I put software within quotation marks is because you are not really installing any software as everything is already "installed" in your car. Instead you only change 1 bit inside the CEM's flash memory to activate the function, the so-called Car-Configuration. I have successfully changed the configuration in my old 2004 V70 and my P1 Volvo S40 using the BDM method of soldering into the MCU of the CEM. It is a bit of a nasty process as you may risk damaging the CEM if you are not careful, resulting in a dead car. Therefore I am really interested in getting to know how to do this over the canbus network/OBD2. I am pretty sure the only thing that happens when you install a new software is that only a handful of packages are sent over the canbus to the CEM, first authorizing using the secret PIN-code, then telling what bit to be changed and then closing the operation. The pin is stored somewhere in the CEM itself and this is what Vdash extracts when you decode your pin for the P1/P2 Volvos.

Is there anyone that has logged the HIGH-speed canbus traffic between DICE and CEM when installing a software, preferably also having a dump of their CEM's flash memory? Using this information we should probably figure out how to change the car configuration ourselves (over the CANBUS). I am pretty sure this is what the Vdash team has done and then integrated into their software. Smart business idea I must say... :whistle:

This picture shows the Car Configuration block in P1 CEM's flash. It is very similar for P1 and P3 Volvos as well. As you see, you only have to change one bit. :cool:

 
#104 ·
3r1k, nice to see someone else still interested in these models.

I have not logged anything myself, I do have the tools and have been reluctant to do the whole "CAN Upgrade" for fear of damaging something and having to go to the dealer.

I do plan to eventually do this, I agree that some of these features are likely just toggling bits in the memory, although I would expect much more is done during the full can upgrade as it seems to update other modules in the car (I could be wrong, haven't done it).

I did link to a post (can't remember if it was in this thread) about a vulnerability in some of these CEMs that allowed brute forcing the PIN, I think this is why some companies are able to get this secret PIN that is required for writing to the CEM.

I would be up for logging some communication during an update or perhaps while installing a tune, but I haven't seen a feature I want to add yet. The DRL delete is the only thing I have seen so far that I might be interested in.
 
#108 ·
Yes you are totally correct that some updates will actually install software into the modules. I would say this is only done when you do the total can upgrade or have the car in for service. In this case the software is downloaded and upgraded in the different CAN modules around the car including the CEM (if there are any updates available). Dunno if Volvo still releases updates for these old cars? But the software in the modules themselves is the same for all cars (with some exceptions like the ECU) and the module/function is then only enabled if the correct bit is set in the car configuration. This is checked every time you power up the car.

For example, I retrofitted the alarm system to my car with all its components, then I changed the car configuration and it then worked without anything else as the alarm software is already in the CEM from the factory.

I haven't investigated the brute forcing method as my main focus right now is to figure out the pin location and canbus messages necessary to change the config. I would guess the Vdash software just brute forces all possible pincodes by sending a carconfig change request over the canbus network. As it takes like 24h minimum it cannot be the most elegant solution.

The DRL delete is super simple to do with what I explained in my previous post, just change the 0x02 to 0x01 on that memory location.
 
#106 · (Edited)
Remember, a few years ago here in the USA, automakers tried to take a right to repair case to federal court, first stating that you may buy your car, but you don't own your car, and therefore, are not allowed to work on it. When that looked like it was going to lose, they launched a second one that said you may own your car, but you don't own the software on it, calling it proprietary and therefore under the ownership and direction of the auto manufacturers - that also lost. Pepperidge Farm remembers.

It always did irritate me like a mother f!@#$%$#@@!!D!~@#$ that I would pay $39-$149 for a 12 kb download in VIDA to update my components. That is not Kilobytes, that's Kilo BITS. Even the total CAN upgrade was only like 1.2 kB. It is insane to me to this day imo. It also irritates me that all of VIDA, ALL THE INSTRUCTIONS, ARE IN AN SQL DATABASE ON YOUR COMPUTER, yet because they want VIDA to be some super secret money maker that only Volvo mechanics can get, they obfuscate everything, making it that much more difficult to work on your car.
 
#110 ·
Haha expensive bytes... I can probably understand why Volvo have chosen this approach but for me it still does not make sense that you have to buy a configuration when you have bought hardware for hundreds of dollars.

I also think it is worth looking at what the Vdash software is doing. Much of their knowledge is gained from sniffing the communication between VIDA and the car. Some of the softwares (configurations) they are selling cost more than what VIDA/Volvo charges lol? I wonder what Volvo's lawyers think about this....
 