Ford smartlock
- Posts: 466
- Joined: Thu May 03, 2012 10:50 pm
- cars: HZ One Tonner, VE Ute
- Location: Castlemaine, Vic
Ford smartlock
Hey guys,
We had a customer at work today who got us to fit a Smartlock bypass module to their XH ute.
The module itself looked pretty cheap and simple, and apparently worked on all pre-AU Smartlock systems.
Once fitted I connected the scope to it out of curiosity, and found it was outputting the same 4-byte/32-bit message repeatedly at 1 bit per millisecond (1000 baud).
Does this mean all pre-AU Falcons use this same Smartlock code? There's no request-and-response type thing or programming of codes, it's just looking for that particular input and it will start?
Thanks
Re: Ford smartlock
Sounds interesting!
I would say it's simulating an "All OK" response to the rest of the car, which is usually sent from the BEM when a valid key is connected.
Based on the tech docs, the unique password (identification code) is between the BEM and the key. Once a valid key is detected, the BEM then informs the rest of the car that it is OK to start.
I guess the developers figured that the key was a strong enough security
If the unique key was sent out to the rest of the car, then it would be a bit more tricky, but sounds like a fairly simple solution!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: Ford smartlock
Ohhh I take that one back!
Just read the tech document and saw this:
Powertrain Control Module (PCM)
Smartshield PCMs each contain a unique electronic
identification code. The PCM code must be programmed to
the BEM before the vehicle can be started. The PCM
challenges the BEM with a randomly generated code. The
BEM then verifies that a valid Transponder Ignition key is
present. The BEM then responds to the PCM, which allows
the vehicle to start and run. Refer to the Diagnostic Repair
Procedures in this chapter if the PCM needs to be replaced.
Sooooo... there is an algo to it all... the PCM sends a request to the BEM, which it must respond to correctly; it doesn't respond without a valid key.
Easy attack would be to monitor the process... then simulate a challenge to a BEM with a valid key connected, to then generate a list of seed/keys. Once the algo is figured out... should be able to remove the entire BEM and deal with the challenge from the PCM directly.
Re: Ford smartlock
Looks like... there are two wires???
DOL = PCM to BEM
EEI = BEM to PCM
Re: Ford smartlock
Hi Tazzi,
It sounds like you're talking about Smartshield (AU/BA/BF etc).
I'm talking about Smartlock, which is the older system on ED/EF/EL and XG/XH.
Re: Ford smartlock
For anyone interested I have attached the scope traces.
There's one showing the signal repeating, one at ignition on to show where the signal starts, and one zoomed in for better detail of timing.
The data line seems to be high when there is no activity, so assuming 1 = low voltage/dominant and 0 = high voltage/recessive, the 4 data bytes are:
10101011 - 00101011 - 00110010 - 11001100
and then it goes back to the start and repeats.
I tried to connect the scope to compare a factory Smartlock signal on a wreck EF sedan we have, but we have lost the ignition key so I couldn't check it.
I popped the cover off the eBay Smartlock signal generator, and it is just a few discrete components and a PIC12F675 microcontroller on a single-sided PCB.
- Attachments
- smartlock2.pdf (449.07 KiB) Downloaded 460 times
- smartlock 4 - power on.pdf (445.79 KiB) Downloaded 450 times
- smartlock 1.pdf (455.7 KiB) Downloaded 434 times
Re: Ford smartlock
Ahhhhhh yes, I am referring to Smartshield, not Smartlock. Didn't realise there was another type!
Ok.. so in hex it's sending: AB, 2B, 32, CC
Doesn't really stand out as anything...
Could probably go grab an Arduino, resistor and transistor.. and give a whirl at replicating it?
Pretty simple coding to replicate that one.
Re: Ford smartlock
Tazzi wrote: Could probably go grab an Arduino, resistor and transistor.. and give a whirl at replicating it?
That was my plan.
I've pulled the ECU, distributor and wiring connectors from the wreck. I'll set it up on the bench and see if it has injector pulse and coil pulse with the Arduino connected and the distributor turning from a drill.
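As an added worked example (my own code, not the firmware on the eBay module's PIC12F675 and nothing from Ford), here is the frame from the scope post encoded the way a bit-banging micro such as the Arduino Tazzi suggested would drive it, and decoded the way it was read off the trace. The assumptions are labelled in the code: a capture at 10 samples per bit, an 8-bit idle-high gap before each repeat, the leftmost bit of each byte first on the wire, and 1 = line low as the post assumed. It also shows one caveat worth keeping in mind when the bench PCM is compared against a factory signal: the same 32 bits read LSB-first (UART style) come out as D5 D4 4C 33 rather than AB 2B 32 CC.

```c
/* Added example (not the eBay module's firmware or any Ford code): encode and decode
 * the repeating 4-byte frame measured in this thread, with the framing assumptions
 * the posts made called out explicitly. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BIT_US      1000u                 /* 1 bit/ms = 1000 baud, measured on the scope */
#define SAMPLE_US   100u                  /* ASSUMED scope sample period: 10 samples per bit */
#define SPB         (BIT_US / SAMPLE_US)  /* samples per bit */
#define FRAME_BYTES 4
#define FRAME_BITS  (FRAME_BYTES * 8)
#define IDLE_BITS   8                     /* ASSUMED idle-high gap before the frame repeats */
#define MAX_SAMPLES ((IDLE_BITS + FRAME_BITS) * SPB)

/* Bytes as read off the trace with the post's polarity: bit 1 = line low (dominant),
 * bit 0 = line high (recessive), leftmost bit of each byte first on the wire. */
static const uint8_t k_frame[FRAME_BYTES] = {0xAB, 0x2B, 0x32, 0xCC};

/* Line level (1 = high voltage, 0 = low) for a data bit under that polarity. */
static uint8_t level_for_bit(unsigned bit) { return bit ? 0u : 1u; }

/* Encoder: one line level per SAMPLE_US, idle-high gap then the frame MSB first.
 * This is what a bit-banging PIC/Arduino would drive through an open-collector
 * transistor (assumed wiring). Returns the number of samples written. */
size_t encode_frame(const uint8_t *bytes, size_t nbytes, size_t idle_bits,
                    uint8_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < idle_bits * SPB && n < cap; i++) out[n++] = 1; /* idle = high */
    for (size_t b = 0; b < nbytes; b++)
        for (int bit = 7; bit >= 0; bit--) {
            uint8_t lvl = level_for_bit((bytes[b] >> bit) & 1u);
            for (size_t s = 0; s < SPB && n < cap; s++) out[n++] = lvl;
        }
    return n;
}

/* Decoder: wait for the first falling edge out of idle, then sample each bit at its
 * centre. Frame detection relies on the first bit being dominant (low), which holds
 * for 0xAB. lsb_first selects how the bits on the wire are packed into bytes: the
 * thread read them MSB first, a UART-style reading would pack LSB first.
 * Returns 0 on success, -1 if the line never leaves idle or the capture is short. */
int decode_frame(const uint8_t *samples, size_t n, int lsb_first,
                 uint8_t *out, size_t nbytes)
{
    size_t start = 0;
    while (start < n && samples[start] == 1) start++;          /* skip idle high */
    if (start == n || start + nbytes * 8 * SPB > n) return -1;
    for (size_t b = 0; b < nbytes; b++) {
        uint8_t v = 0;
        for (unsigned k = 0; k < 8; k++) {
            size_t centre = start + (b * 8 + k) * SPB + SPB / 2;
            unsigned bit = samples[centre] == 0 ? 1u : 0u;    /* low = 1 under this polarity */
            v = lsb_first ? (uint8_t)(v | (bit << k)) : (uint8_t)((v << 1) | bit);
        }
        out[b] = v;
    }
    return 0;
}

/* Round trip of the thread's frame, packed big-endian for easy comparison.
 * MSB-first gives 0xAB2B32CC, LSB-first gives 0xD5D44C33. Returns 0 on decode failure. */
uint32_t frame_roundtrip_u32(int lsb_first)
{
    uint8_t wave[MAX_SAMPLES], got[FRAME_BYTES];
    size_t n = encode_frame(k_frame, FRAME_BYTES, IDLE_BITS, wave, sizeof wave);
    if (decode_frame(wave, n, lsb_first, got, FRAME_BYTES) != 0) return 0;
    return ((uint32_t)got[0] << 24) | ((uint32_t)got[1] << 16) |
           ((uint32_t)got[2] << 8) | got[3];
}

/* Failure path: a line that never leaves idle carries no frame (returns -1). */
int decode_idle_line(void)
{
    uint8_t idle[MAX_SAMPLES], got[FRAME_BYTES];
    for (size_t i = 0; i < sizeof idle; i++) idle[i] = 1;
    return decode_frame(idle, sizeof idle, 0, got, FRAME_BYTES);
}

int main(void)
{
    uint8_t wave[MAX_SAMPLES];
    size_t n = encode_frame(k_frame, FRAME_BYTES, IDLE_BITS, wave, sizeof wave);
    printf("%zu samples (%zu ms):\n", n, n * SAMPLE_US / 1000u);
    for (size_t i = 0; i < n; i += SPB) putchar(wave[i] ? '-' : '_');  /* one char per bit */
    printf("\nMSB-first: %08X\nLSB-first: %08X\n",
           frame_roundtrip_u32(0), frame_roundtrip_u32(1));
    return 0;
}
```

The encoder is the part that would move onto the Arduino (replace the sample array with a digitalWrite and a 1 ms delay per bit); the decoder is the part to run over an exported scope capture once a keyed car is available, so the factory frame and the module's frame can be compared under the same polarity and bit-order assumptions.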
- antus
- Site Admin
- Posts: 8253
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam, TX Gemini SR20 18psi, Datsun 1200 Ute, Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Re: Ford smartlock
I think there might be something there. Like send a value, flip bit 7 and send it again. Send a value, flip bit 0, flip the lot, send. Repeat. Or.. it could be random..... it's easy to start identifying patterns that don't exist from such a small sample.
But runs of 10 or 01 and 00 and 11, as well as whole byte inversions, and in a set of digits a consistently flipped end bit does look like something.
It's clearer top to bottom:
10101011
00101011
00110010
11001100
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Re: Ford smartlock
I've set the PCM up on the bench ready to try a Smartlock signal with an Arduino when I get a chance.
Interesting thing I found: if there's a PIP signal present when you switch the ignition on (e.g. roll starting the car and switching ignition on as you're rolling) you will have ignition and injector pulse.
If you switch the ignition on with the distributor still, and then start turning the distributor, no injector pulse or spark.
It seems the PCM doesn't even look for a Smartlock signal once the engine is turning.