Ford smartlock

pman92
Posts: 464
Joined: Thu May 03, 2012 10:50 pm
cars: HZ One Tonner
VE Ute
Location: Castlemaine, Vic

Ford smartlock

Post by pman92 »

Hey guys,
We had a customer at work today who got us to fit a smartlock bypass module to their XH ute.
The module itself looked pretty cheap and simple, and apparently worked on all pre-AU smartlock systems.
Once fitted I connected the scope to it out of curiosity, and found it was outputting the same 4 byte/32bit message repeatedly at 1 bit per millisecond (1000 baud).

Does this mean all pre-AU Falcons use this same smartlock code? There's no request-and-response type thing or programming of codes, it's just looking for that particular input and it will start?

Thanks
VR-VY Holden BCM Simulator: View Post
MrModule.com.au
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Ford smartlock

Post by Tazzi »

Sounds interesting!

I would say it's simulating an "All OK" response to the rest of the car, which is usually sent from the BEM when a valid key is connected.

Based on the tech docs, the unique password (identification code) is between the BEM and key. Once a valid key is detected, the BEM then informs the rest of the car that it is ok to start.

I guess the developers figured that the key was a strong enough security :lol:
If the unique key was sent out to the rest of the car, then it would be a bit more tricky, but sounds like a fairly simple solution!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Ford smartlock

Post by Tazzi »

Ohhh I take that one back!

Just read the tech document and saw this:
Powertrain Control Module (PCM)
Smartshield PCMs each contain a unique electronic identification code. The PCM code must be programmed to the BEM before the vehicle can be started. The PCM challenges the BEM with a randomly generated code. The BEM then verifies that a valid Transponder Ignition key is present. The BEM then responds to the PCM, which allows the vehicle to start and run. Refer to the Diagnostic Repair Procedures in this chapter if the PCM needs to be replaced.
Sooooo... there is an algo to it all... the PCM sends a request to the BEM which it must respond to correctly; it doesn't respond without a valid key.

Easy attack would be to monitor the process.. then simulate a challenge to a BEM with a valid key connected to then generate a list of seed/keys. Once the algo is figured out.. should be able to remove the entire BEM and deal with the challenge from the PCM directly.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Ford smartlock

Post by Tazzi »

Looks like... there are two wires???
DOL = PCM to BEM
EEI = BEM to PCM
Capture.PNG
pman92
Posts: 464
Joined: Thu May 03, 2012 10:50 pm
cars: HZ One Tonner
VE Ute
Location: Castlemaine, Vic

Re: Ford smartlock

Post by pman92 »

Hi Tazzi,
It sounds like you're talking about Smartshield (AU/BA/BF etc).
I'm talking about smartlock, which is the older system on ED/EF/EL and XG/XH.
pman92
Posts: 464
Joined: Thu May 03, 2012 10:50 pm
cars: HZ One Tonner
VE Ute
Location: Castlemaine, Vic

Re: Ford smartlock

Post by pman92 »

For anyone interested, I have attached the scope traces.
There's one showing the signal repeating, one at ignition on to show where the signal starts, and one zoomed in for better detail of timing.

The data line seems to be high when there is no activity, so assuming 1=low voltage/dominant and 0 = high voltage/recessive, the 4 data bytes are:
10101011 - 00101011 - 00110010 - 11001100
and then it goes back to the start and repeats.

I tried to connect the scope to compare a factory smartlock signal on a wrecked EF sedan we have, but we have lost the ignition key so I couldn't check it.

I popped the cover off the ebay smartlock signal generator, and it is just a few discrete components and a PIC12F675 microcontroller on a single sided PCB.
Attachments: smartlock2.pdf, smartlock 4 - power on.pdf, smartlock 1.pdf
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Ford smartlock

Post by Tazzi »

Ahhhhhh yes, I am referring to Smartshield, not smartlock. Didn't realise there was another type!

Ok.. so in hex it's sending: AB, 2B, 32, CC

Doesn't really stand out as anything...

Could probably go grab an arduino, resistor and transistor.. and give a whirl at replicating it?

Pretty simple coding to replicate that one.
pman92
Posts: 464
Joined: Thu May 03, 2012 10:50 pm
cars: HZ One Tonner
VE Ute
Location: Castlemaine, Vic

Re: Ford smartlock

Post by pman92 »

Tazzi wrote: Could probably go grab an arduino, resistor and transistor.. and give a whirl at replicating it?
That was my plan.
I've pulled the ECU, distributor and wiring connectors from the wreck. I'll set it up on the bench and see if it has injector pulse and coil pulse with the Arduino connected and the distributor turning from a drill.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Ford smartlock

Post by antus »

I think there might be something there. Like send a value, flip bit 7 and send it again. Send a value, flip bit 0, flip the lot, send. Repeat. Or.. it could be random..... it's easy to start identifying patterns that don't exist from such a small sample.

But runs of 10 or 01 and 00 and 11, as well as whole byte inversions, and in a set of digits a consistently flipped end bit does look like something.

It's clearer top to bottom:

10101011
00101011

00110010
11001100
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
pman92
Posts: 464
Joined: Thu May 03, 2012 10:50 pm
cars: HZ One Tonner
VE Ute
Location: Castlemaine, Vic

Re: Ford smartlock

Post by pman92 »

I've set the PCM up on the bench ready to try a smartlock signal with an Arduino when I get a chance.

Interesting thing I found: if there's a PIP signal present when you switch the ignition on (e.g. roll-starting the car and switching the ignition on as you're rolling) you will have ignition and injector pulse.
If you switch the ignition on with the distributor still, and then start turning the distributor, no injector pulse or spark.

It seems the PCM doesn't even look for a smartlock signal once the engine is turning.