Ford smartlock

Ford smartlock

Postby pman92 » Wed Jun 13, 2018 7:03 am

Hey guys,
We had a customer at work today who got us to fit a smartlock bypass module to their XH ute.
The module itself looked pretty cheap and simple, and apparently worked on all pre-AU smartlock systems.
Once fitted I connected the scope to it out of curiosity, and found it was outputting the same 4 byte/32bit message repeatedly at 1 bit per millisecond (1000 baud).

Does this mean all pre-AU Falcons use this same smartlock code? There's no request and response type thing or programming of codes, it's just looking for that particular input and it will start?

Thanks

Re: Ford smartlock

Postby Tazzi » Wed Jun 13, 2018 11:07 am

Sounds interesting!

I would say it's simulating an "All OK" response to the rest of the car, which is usually sent from the BEM when a valid key is connected.

Based on the tech docs, the unique password (identification code) is between the BEM and key. Once a valid key is detected, the BEM then informs the rest of the car that it is ok to start.

I guess the developers figured that the key was a strong enough security :lol:
If the unique key was sent out to the rest of the car, then it would be a bit more tricky, but sounds like a fairly simple solution!

Re: Ford smartlock

Postby Tazzi » Wed Jun 13, 2018 11:11 am

Ohhh I take that one back!

Just read the tech document and saw this:

Powertrain Control Module (PCM)
Smartshield PCMs each contain a unique electronic identification code. The PCM code must be programmed to the BEM before the vehicle can be started. The PCM challenges the BEM with a randomly generated code. The BEM then verifies that a valid Transponder Ignition key is present. The BEM then responds to the PCM, which allows the vehicle to start and run. Refer to the Diagnostic Repair Procedures in this chapter if the PCM needs to be replaced.


Sooooo... there is an algo to it all... the PCM sends a request to the BEM, which it must respond to correctly, and it doesn't respond without a valid key.

Easy attack would be to monitor the process.. then simulate a challenge to a BEM with a valid key connected to then generate a list of seed/keys. Once the algo is figured out.. should be able to remove the entire BEM and deal with the challenge from the PCM directly.

Re: Ford smartlock

Postby Tazzi » Wed Jun 13, 2018 11:32 am

Looks like... there are two wires???
DOL = PCM to BEM
EEI = BEM to PCM

[Attachment: Capture.PNG]

Re: Ford smartlock

Postby pman92 » Wed Jun 13, 2018 1:59 pm

Hi Tazzi,
It sounds like you're talking about Smartshield (AU/BA/BF etc).
I'm talking about smartlock which is the older system on ED/EF/EL and XG/XH.

Re: Ford smartlock

Postby pman92 » Wed Jun 13, 2018 2:58 pm

For anyone interested, I have attached the scope traces.
There's one showing the signal repeating, one at ignition on to show where the signal starts, and one zoomed in for better detail of timing.

The data line seems to be high when there is no activity, so assuming 1=low voltage/dominant and 0 = high voltage/recessive, the 4 data bytes are:
10101011 - 00101011 - 00110010 - 11001100
and then it goes back to the start and repeats.

I tried to connect the scope to compare a factory smartlock signal on a wrecked EF sedan we have, but we have lost the ignition key so I couldn't check it.

I popped the cover off the ebay smartlock signal generator, and it is just a few discrete components and a PIC12F675 microcontroller on a single sided PCB.
Attachments: smartlock2.pdf, smartlock 4 - power on.pdf, smartlock 1.pdf

Re: Ford smartlock

Postby Tazzi » Thu Jun 14, 2018 10:04 am

Ahhhhhh yes, I am referring to Smartshield, not smartlock. Didn't realise there was another type!

Ok.. so in hex it's sending: AB, 2B, 32, CC

Doesn't really stand out as anything...

Could probably go grab an Arduino, resistor and transistor.. and give a whirl at replicating it?

Pretty simple coding to replicate that one.

Re: Ford smartlock

Postby pman92 » Thu Jun 14, 2018 10:34 am

Tazzi wrote: Could probably go grab an Arduino, resistor and transistor.. and give a whirl at replicating it?

That was my plan.
I've pulled the ECU, distributor and wiring connectors from the wreck. I'll set it up on the bench and see if it has injector pulse and coil pulse with the Arduino connected and the distributor turning from a drill.

Re: Ford smartlock

Postby antus » Thu Jun 14, 2018 5:50 pm

I think there might be something there. Like send a value, flip bit 7 and send it again. Send a value, flip bit 0, flip the lot, send. Repeat. Or.. it could be random..... it's easy to start identifying patterns that don't exist from such a small sample.

But runs of 10 or 01 and 00 and 11, as well as whole byte inversions, and in a set of digits a consistently flipped end bit, do look like something.

It's clearer top to bottom:

10101011
00101011

00110010
11001100
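As an added analysis example (not code from the thread, the module or either poster), here is a Python decoder that turns a scope capture in the form pman92 describes (line idles high, low = dominant 1, 1 ms per bit) into bytes and reports how many bits differ between neighbouring bytes, the kind of relationship antus is looking at. The capture is constructed from the posted bit pattern; the 32-bit frame length, the treatment of a high run of 8 bits or longer as an inter-frame gap, and the padding of trailing recessive bits that a scope merges into the idle gap are all assumptions of this example.

```python
BIT_MS = 1.0          # 1 bit per millisecond (1000 baud), as measured on the scope
FRAME_BITS = 32       # assumption: one 4-byte frame per repeat
IDLE_MIN_BITS = 8     # assumption: a high run this long or longer is an inter-frame gap

# Constructed scope capture (not a real trace): run-lengths (is_high, duration_ms)
# rebuilt from the posted bit pattern, with a little timing jitter added.
# Line idles high; low = dominant '1', high = recessive '0'.
_FRAME_RUN_BITS = [1, 1, 1, 1, 1, 1, 2, 2, 1, 1, 1, 1, 2, 2, 2, 2, 1, 1, 2, 2, 2, 2]

def constructed_capture():
    runs = [(True, 25.0)]                  # idle high before the first frame
    for repeat in range(2):                # the module sends the same frame over and over
        level_high = False                 # every frame opens with a dominant (low) bit
        for i, n in enumerate(_FRAME_RUN_BITS):
            dur = n * BIT_MS + (0.03 if (i + repeat) % 2 else -0.04)
            if i == len(_FRAME_RUN_BITS) - 1:
                dur += 12.0                # trailing recessive bits merge into the idle gap
            runs.append((level_high, dur))
            level_high = not level_high
    return runs

def runs_to_bits(runs):
    """Quantise each run to whole bit periods; '|' marks an idle gap."""
    out = []
    for is_high, dur in runs:
        n = round(dur / BIT_MS)
        if is_high and n >= IDLE_MIN_BITS:
            out.append("|")
        else:
            out.append(("0" if is_high else "1") * n)
    return "".join(out)

def decode_frames(runs):
    """Split on idle gaps and return each frame as a list of byte values."""
    frames = []
    for chunk in runs_to_bits(runs).split("|"):
        if not chunk:
            continue
        # Trailing recessive 0s are indistinguishable from idle, so pad back to frame length.
        chunk = chunk.ljust(FRAME_BITS, "0")[:FRAME_BITS]
        frames.append([int(chunk[i:i + 8], 2) for i in range(0, FRAME_BITS, 8)])
    return frames

def hex_frame(frame):
    return " ".join(f"{b:02X}" for b in frame)

def byte_relations(frame):
    """For each neighbouring pair: XOR mask and how many bits differ (8 = full inversion)."""
    return [(a ^ b, bin(a ^ b).count("1")) for a, b in zip(frame, frame[1:])]
```

Running `decode_frames(constructed_capture())` recovers the same four bytes on every repeat, which is the point of the thread: a fixed constant with no challenge or response, so anything that can replay it passes.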

Re: Ford smartlock

Postby pman92 » Mon Jun 18, 2018 2:58 pm

I've set the PCM up on the bench, ready to try a smartlock signal with an Arduino when I get a chance.

Interesting thing I found: if there's a PIP signal present when you switch the ignition on (e.g. roll starting the car and switching the ignition on as you're rolling) you will have ignition and injector pulse.
If you switch the ignition on with the distributor still, and then start turning the distributor, no injector pulse or spark.

It seems the PCM doesn't even look for a smartlock signal once the engine is turning
