Holy pixels Batman

Introduction

I recently bought a Volvo DICE clone off of AliExpress for $75. DICE is the communication tool Volvo dealerships use to configure and program Volvo cars. The clones are pretty good, real DICE is worth hundreds, and all the major tools (VDASH, VIDA, p3tools) work with the clones. Bing bang boom, nothing to see here.

I love AliExpress

Driving the Drivers

So there’s no native driver in Windows for these things. Not a problem (except for me having to find a Windows laptop in 2025. Yeah I said it). I go to the AliExpress listing, find they’ve got a MegaUpload folder with files, and meander my way down to that. You watch the video (that’s all in Chinese) and it tells you that the file Scanmatik_2.21.22_Setup.exe is how the drivers are installed.

I won't fall for that old trap!

You download that file on your dad’s personal Windows laptop and Firefox triggers with a malware warning. You chuckle to yourself, “as if I’d fall for that. I know it’s big DICE trying to keep me down” so you ignore that warning. And then the file gets quarantined by Windows Defender. This laptop hasn’t been connected to the internet since 2022. This is probably actually malware.

“Pfft, I’m a security professional - these tricky AliExpress tricksters can’t trick me!”.

“I’m just going to go to the official Scanmatik site, download the latest version (for security reasons), and call it a day. This is looking like a proper 45min adventure”.

“Get Bricked”, by The Turbo Bricks

Yeah so turns out Scanmatik doesn’t actually like people making clones of their hardware. And turns out I didn’t purchase a DICE clone but a Scanmatik clone… The newer versions of Scanmatik will completely brick any clones they come across. So uh yep. Yeah.

“I Will Save You”, by Jesus Vallejo

The only reason I knew it was bricked was because I came across this repo by jesusvallejo. The absolute legend worked out which version of Scanmatick bricks clones (anything above 2.21.22) and has provided instructions on where to solder wires for SWD and the firmware for the device! Huzzah!

The leaded solder makes me feel things

You have to have BOOT0 pulled high to 3.3V when connecting your flasher (I used an STLINK v2 clone and it worked fine). If st-link --probe isn’t finding anything, you need to make sure the DICE has a solid green light on as you’ve pulled BOOT0 high.

It's the itty bitty little pad in the corner

After that, it’s a little tricky. There is write protection on the chip.

(BOO)

Which means you’ll get something like this when you try to write the unbricked firmware:

❯ st-flash write 22-STM32F105VC.bin 0x08000000
st-flash 1.8.0
2025-10-15T11:41:36 INFO common.c: STM32F1xx_CL: 64 KiB SRAM, 0 KiB flash in at least 2 KiB pages.
Unknown memory region

You need to use openocd to do a cheeky and skip passed that.

openocd -f interface/stlink.cfg -f target/stm32f1x.cfg \
  -c "adapter speed 50; reset_config srst_only srst_push_pull; \
      init; reset halt; \
      stm32f1x unlock 0; \
      shutdown"

which will give you:

Open On-Chip Debugger 0.12.0
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
Info : clock speed 50 kHz
Info : STLINK V2J39S7 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.319838
Info : [stm32f1x.cpu] Cortex-M3 r1p1 processor detected
Info : [stm32f1x.cpu] target has 6 breakpoints, 4 watchpoints
Info : starting gdb server for stm32f1x.cpu on 3333
Info : Listening on port 3333 for gdb connections
[stm32f1x.cpu] halted due to breakpoint, current mode: Thread
xPSR: 0x41000000 pc: 0x2000003a msp: 0x20000e88
[stm32f1x.cpu] halted due to debug-request, current mode: Thread
xPSR: 0x41000000 pc: 0x2000003a msp: 0x20000e88
Info : device id = 0x10016418
Warn : STM32 flash size failed, probe inaccurate - assuming 256k flash
Info : flash size = 256 KiB
shutdown command invoked

and then when you try to write, you’ll see it complete:

❯ st-flash --reset write 22-STM32F105VC.bin 0x08000000

st-flash 1.8.0
2025-10-15T11:47:07 INFO common.c: STM32F1xx_CL: 64 KiB SRAM, 256 KiB flash in at least 2 KiB pages.
file 22-STM32F105VC.bin md5 checksum: 3fd8d65cbbf7fb861859da52e3111c87, stlink checksum: 0x03787a00
2025-10-15T11:47:07 INFO common_flash.c: Attempting to write 262144 (0x40000) bytes to stm32 address: 134217728 (0x8000000)
-> Flash page at 0x803f800 erased (size: 0x800)
2025-10-15T11:47:10 INFO flash_loader.c: Starting Flash write for VL/F0/F3/F1_XL
2025-10-15T11:47:10 INFO flash_loader.c: Successfully loaded flash loader in sram
2025-10-15T11:47:10 INFO flash_loader.c: Clear DFSR
128/128 pages written
2025-10-15T11:47:21 INFO common_flash.c: Starting verification of write complete
2025-10-15T11:47:23 INFO common_flash.c: Flash written and verified! jolly good!

Hooray! After uninstalling the evil version of Scanmatick and installing the good one, I can successfully use VDASH to connect to the car! There was a whole section here of me setting up a VM from volvodiag.com because I thought I needed proper VIDA but that was not the case (I had also installed the naughty Scanmatick on the VM - not that it would have helped at this point).

Cracked

I set it up to crack the CEM, getting ready for the all the beautiful gains my engine was about to make. It only took around 2-3 hrs with a few false starts and then I had the CEM PIN!

But apparently needed the ECM PIN to tune the engine! Well, crap. How do I get that? Can’t bruteforce it and VDASH says they don’t support my car - I would need to pull the ECM out of my car and send it to them. Surely there’s a better way… Stay tuned…