On another hackerspace mailing list a discussion of hotwiring has recently come up. The thread had a lot of interest especially from people who are also interested in lock picking. Makes sense. There was some discussion of older vehicles and several ways to bypass the ignition but also some really interesting conversations on newer systems. Such as chipkeys and immobilizers. Apparently some Chrysler vehicles use thre components that are mutually authenticated using crypto and any change to any component requires a 4 digit PIN that is tied to the vehicles VIN. WIth the PIN you can use a device called a DRB II that connects to the ODBII port and it costs around 7 grand for the tool.
Apparently after 10 failed attempts with a bad key the SKIM will invalidate the Engine Control Unit (ECU) and that unit may need to be replaced at that time. But this invalidation apparently only applies to the DRB-II Chrysler vehicles and the DRB-II models with SKIM (Cherokee, Wrangler, Grand Cherokee) don’t actually invalidate the ECU. Also if you have a physical key apparently you can ‘authorize’ a key as well.
I’m very fascinated by this discussion and would love for some of our more automotive members to pitch into a discussion at the Hive about this (or on the mailing list). I would even like to see the thought process laid out for research. Say I own vehicle X and I want to know ways to hotwire and difficulty of doing so, where would I begin my research? Anybody have an older car and they are willing to demonstrate hotwiring?
i'd be willing to donate my car to science; but i hate working on my
car during the winter so the only condition attached is that it's warm
out when we mess with it :]
As someone who has been in the car audio business for a while, installing remote starts is basically by passing everything to trick the car into starting… I’m in for whatever you want to do.
This kind of shit is relatively common. Since the late 90s-early 00s
electronic keys have become commonplace. Generally, they're not
ridiculously secure but there is no standard for this so it varies
from manufacturer to manufacturer. The earliest implementations
(read: early 90s) used standalone modules where most engine computers
made after 2000 have the functionality built in to the core operating
system. Some of the really new stuff has gone back to the two module
approach with the body control module dealing with
key/ignition/immobilizer functions and communicating over CAN bus with
other modules (typically Engine Control Module and Transmission
Control Module). Typically, the transponder and antenna responsible
for receiving radio signals from the key is always mounted externally.
I've heard rumors that zigbee and RFID are used in some
implementations, but as I said there is no standard.
In many of the early PATS system, the "key" is stored in a serial
EEPROM, 93C46 or similar. In later ECUs, it's moved into the main ECU
program memory.
Things to search for for more information:
Ford: PATS (has about a bazillion different versions, first started
~1994 with the Lincoln Mk VIII)
GM: VATS (has about a bazillion different versions, first started
~1996 with Corvette)
Honda: Immobilizer. (First started ~1998 with integra/TL/CL)
Nissan - anti-theft system. First started ?
Mitsufeces - present in Evo8 and later vehicles.
Subaru - present in 1998+ vehicles for sure.
Nissan, Mitsufeces and Subaru are all licensing their engine control
stuff from Denso. Their implementations are all at least somewhat
similar. It uses 16 bit keys, beyond that can't tell you much.
I think I could probably grab an "old school" (~1995) steering column
with key, etc. from a car that was parted out if you wanted to play
with. No immobilizer on this platform, but all the mechanicals are
fundamentally similar to newer stuff - column lock, tumbler, ignition
switch.
You can hotwire my integra (1995) in about a minute. Disengaging the
steering column lock cannot be done quickly unless you are very
destructive. At least not as far as I can tell.
-Dave