If the security was so bad that removing part pairing would crash this, then it wasn’t secure to begin with. Same argument as apple pairing the fingerprint sensor, the emsensor is only doing the reading, not the authentication.
They’re right though. The security in newer cars and anti-theft features require that a couple of different modules talk to and validate each other. That’s how it’s designed to work to prevent theft or hacking. When your ECU talks to your keyless entry module or what have you they perform a handshake. That ECU and keyless entry module talk to the vehicle’s starting system to validate that yes the correct key at the correct range is being used to send the signal to start the vehicle.
You don’t have to have paired parts for secure authentication. You just need parts that have been set up and authenticated beforehand. That is not the same as part pairing.
Literally nothing stops you from doing that with paired parts. Nothing. Keyless cars get hacked, stolen, dismantled, and rebuilt all the time, just like any other car.
Encryption and authentication are equally secure with or without physical part pairing.
That’s not true. The paired parts are attached to the VIN. Literally programmed with the VIN of the car and a lot of them are single use for specifically this reason. You don’t know and you’re very insistent.
"Module Swapping And Ordering Using A Different VIN:
Swapping a used module from a vehicle for diagnostic purposes or to complete repairs is likely to cause vehicle symptoms or programming errors and is not recommended. Ordering a replacement module using a VIN from a different vehicle is also not recommended. Most modules on these affected vehicles are VIN/vehicle specific, and hardware variations between modules do exist. Swapping a module from a vehicle or ordering a module using a different vehicle/ VIN can cause ineffective repairs and additional vehicle downtime. Make sure all appropriate WSM procedures are followed when diagnosing the condition before any module replacements and only order modules using the correct VIN. " -GSB 24-7011
“Starting a vehicle session requires the user to select the Read VIN From Vehicle button in FDRS. Once the Read VIN From Vehicle button is selected, FDRS will read the VIN via the CAN from the PCM using OBD-II protocol from PCM Mode 09 data. The PCM will report the VIN to FDRS, which displays it in the VIN entry box. The user will then select Go, at which time FDRS will retrieve a vehicle model from the servers for that VIN, including which modules are equipped, the powertrain type, and the vehicle program information. This process occurs while FDRS displays a progress bar stating, Downloading Vehicle Information. Once obtained, FDRS will perform a network test on the vehicle and read the part numbers and DTC in all equipped modules.” -GSB 24-7011
I would be willing to believe that the manufacturer absolutely can do what you’re saying but only the actual manufacturer, not a tech at a dealership or independent shop.
If you were to do this with say a 2020 F150 (went to a junkyard, bought a BCM, plugged it into your truck) the other modules would not be able to validate it.
" Perimeter Alarm:
The BCM controls the operation of the perimeter alarm. It monitors inputs from the RKE system, the passive entry system, the power door lock system, the PATS and the ignition status to determine when to arm the perimeter alarm.
The BCM monitors all of the door ajar switches, the luggage compartment lid ajar input, the hood ajar switch, the intrusion sensor, the CAN and the ignition status to determine when to activate the perimeter alarm. When the BCM detects an input indicating an unauthorized entry into the vehicle, the BCM activates the perimeter alarm by sounding the horn and flashing all the turn signals and interior courtesy lamps at regular intervals.
The BCM monitors the RKE system, the passive entry system, and the PATS to determine when to disarm the perimeter alarm.
A switch inhibit feature temporarily disables the door lock control switches and the interior luggage compartment lid release switch 20 seconds after the vehicle is electronically locked. For detailed information of the switch inhibit feature,
Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
Additionally, there is a door lock LED indicator located on each door window sill. The indicators provide lock/unlock indication for each door. They illuminate when the door is locked and are off when the door is unlocked. For detailed information of the door lock LED indicators,
Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
Visual and audible feedback is also provided when locking or unlocking the vehicle. For detailed information of the vehicle locking and unlocking feedback,
Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
Arming The Perimeter Alarm
The perimeter alarm is ready to arm any time the ignition is off. The perimeter alarm pre-arms when any of the following occur:
Pressing the lock button on a RKE transmitter
Pressing the door lock control switch to the lock position with a front door open, and then closing the door
Locking the vehicle with the passive entry feature
Once the system is pre-armed, there is a 20-second countdown before the perimeter alarm is armed. Each entry point to the vehicle (hood, door and luggage compartment lid) is armed separately and must be closed before that entry point begins the 20-second countdown to become armed. If all entry points are closed, the turn signals flash upon locking indicating that all entry points are entering the 20-second countdown.
Perimeter Alarm Activation
The perimeter alarm has a 12-second delay when the driver front door is opened without using a valid programmed RKE transmitter or a passive key to unlock the vehicle. During the delay, a chime sounds. If the perimeter alarm is not disarmed within the 12-second delay, the alarm activates.
The perimeter alarm activates when:
the driver front door is opened without first receiving an unlock command from the passive entry feature or a valid programmed RKE transmitter, and the 12-second delay has expired.
any other door, the luggage compartment lid or the hood is opened without first receiving an electronic unlock command from the passive entry feature or a valid programmed RKE transmitter.
the ignition transitions to RUN without a valid PATS key read received.
the BCM detects an attempt by a diagnostic scan tool to establish communication on the CAN .
The perimeter alarm only activates 10 times per arming cycle. After that, the alarm does not activate. To enable the perimeter alarm again, disarm the perimeter alarm and then arm it again.
Disarming The Perimeter Alarm
The perimeter alarm disarms when:
pressing the unlock button on a door lock control switch within the 20-second pre-arm.
the smart unlock feature activates within the initial 20-second pre-arm.
pressing the unlock button on a valid programmed RKE transmitter.
pressing the luggage compartment lid release button on a programmed RKE transmitter (this only disarms the luggage compartment lid entry point with the rest of the vehicle remaining armed).
using a valid programmed key to change the ignition to RUN.
unlocking a front door or opening the luggage compartment lid using the passive entry feature.
CAN Protection Strategy
When the perimeter alarm is armed, the BCM monitors the CAN . If a scan tool is connected to the DLC , and an attempt is made to establish a session with the BCM , it activates the perimeter alarm.
Every time the BCM detects an unauthorized access (alarm activates), all BCM programming, PID monitoring and self-test sessions are blocked for 10 minutes. At the end of the 10 minute time period, the horn chirps to indicate the 1 minute of opportunity to communicate with the BCM and program keys if none are available.
Refer to: Anti-Theft Key Programming - Scan Tool (419-01B Passive Anti-Theft System (PATS), General Procedures) .
Component Description
Door Latch
The door ajar switch, the lock/unlock solenoid and the lock/unlock status input switch are part of the door latch and not serviceable separately.
The door ajar switch is monitored by the BCM and the primary function is for the courtesy lamps system.
Refer to: Interior Lighting - System Operation and Component Description (417-02 Interior Lighting, Description and Operation) .
The lock/unlock solenoid is controlled by the BCM for locking and unlocking the door.
Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
The lock/unlock status input switch is used to illuminate the door lock status indicator.
Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
Hood Ajar Switch
The hood ajar switch is a single pole switch (integrated into the hood latch) that is normally closed when the hood is closed. When the hood is opened, the hood ajar switch opens to indicate an open hood.
The BCM sends a signal to the hood ajar switch, and based on the input, the BCM determines if the hood is open or closed.
Intrusion And Inclination Sensor
The intrusion sensor is powered and monitored by the BCM at all times. When the perimeter alarm is armed, it monitors the passenger compartment for movement by emitting acoustic ultrasonic pulses. If movement is detected, it sends a signal to the BCM .
The inclination sensor is powered and monitored by the BCM at all times. When the perimeter alarm is armed, the inclination sensor monitors the vehicle for tilt or inclination from events such as significant cargo removal or addition, jacking up a wheel assembly, loading onto a tow truck, or suspension modifications causing significant front/rear ride height differences. If sufficient tilt is detected, the inclination sensor sends a signal to the BCM .
When the intrusion/inclination sensor is replaced, the LIN New Module Initialization procedure must be carried out using a diagnostic scan tool.
BCM
The BCM controls the operation of the perimeter alarm. Based on input, the BCM arms, disarms, activates or deactivates the perimeter alarm.
The BCM requires PMI when replaced. Additionally, at least 2 keys must be programmed and the parameter reset procedure carried out." - All data
On older cars you probably could go to a junkyard to get the PCM, BCM and so on. But that doesn’t work on newer cars specifically not ones with PAT systems. You’ll immobilize the car or put it in limp mode. If any one of those modules doesn’t recognise the saved in the other modules. And you’d need a lot of parts to get around that.
I guarantee you that the paired parts can and will be swapped out or stolen. It does nothing to protect consumers. Give me an example of a manufacturer who uses paired parts and I’ll find examples of thefts, hacks, and replacements.
Again, if you’re so deep in the car that this matters, this is not the part that’s going to stop you, unless the car is so poorly built that the keyless entry module is readily available without taking apart the entire car. This is a non-problem.
It isn’t just one module. That’s what I’m trying to tell you. There’s a handshake. So replacing the Electronics control module or the Powertrain control module those modules have to be configured to the Vin. In my mother’s escape the PCM is in the wheel well behind a liner held in by plastic clips. None of those parts can be replaced without being configured to the VIN.
As for poorly designed cars, yeah. They’ve been making them for years and security has been evolving. Doesn’t mean we should set ourselves back in that arena because Joe wants to swap out his PCM with one from the junk yard.
CAN network injection can be achieved through the headlight well on some cars.
I know that it isn’t just one module. What is the handshake achieving exactly? Because it’s not additional security from an attacker trying to replace the keyless entry module with a hacked one, and if it is doing that then this is a terrible security design and the actual solution is not to get to keep using this ‘security’ threat model.
According to the diagram I’m looking at? The front door handle receives the entry signal from the key that’s in proximity to the vehicle (I think it’s something like within three feet). That signal is sent to a BCM (ECU), that then talks to other PAssive entry antennas on the vehicle to unlock the door. Simultaneously it talks to the PCM and IPC through the Gateway module, sending a Passive Entry enable signal. Those modules talk to the ignition switch allowing the vehicle to be started. Looks like this happens on what’s called the High Speed CAN network. So the question is, if I can access this network via something like the PCM and the PCM isn’t properly configured to prevent this, can I override the network without having the key with sufficient tech? That’s problematic for a lot of reasons. So no. I don’t think you should be able to go to a junkyard or pick and pull and buy a module that could compromise your network and I don’t understand why anyone would want that. You absolutely can buy a module from the manufacturer and get a shop (not even a dealership, just an independent shop with the right tools) to configure a module.
If the security was so bad that removing part pairing would crash this, then it wasn’t secure to begin with. Same argument as apple pairing the fingerprint sensor, the emsensor is only doing the reading, not the authentication.
They’re right though. The security in newer cars and anti-theft features require that a couple of different modules talk to and validate each other. That’s how it’s designed to work to prevent theft or hacking. When your ECU talks to your keyless entry module or what have you they perform a handshake. That ECU and keyless entry module talk to the vehicle’s starting system to validate that yes the correct key at the correct range is being used to send the signal to start the vehicle.
You don’t have to have paired parts for secure authentication. You just need parts that have been set up and authenticated beforehand. That is not the same as part pairing.
What’s to stop me from going to a junk yard, paying for a key and the modules in question, attaching them to a different car and stealing that car?
Literally nothing stops you from doing that with paired parts. Nothing. Keyless cars get hacked, stolen, dismantled, and rebuilt all the time, just like any other car.
Encryption and authentication are equally secure with or without physical part pairing.
That’s not true. The paired parts are attached to the VIN. Literally programmed with the VIN of the car and a lot of them are single use for specifically this reason. You don’t know and you’re very insistent.
You can get whatever paired modules with a paired key from a wrecked car and plug them into a different car and start it.
You can’t. That’s the point. Once those parts are configured to a vin they only work with that vin.
"Module Swapping And Ordering Using A Different VIN:
Swapping a used module from a vehicle for diagnostic purposes or to complete repairs is likely to cause vehicle symptoms or programming errors and is not recommended. Ordering a replacement module using a VIN from a different vehicle is also not recommended. Most modules on these affected vehicles are VIN/vehicle specific, and hardware variations between modules do exist. Swapping a module from a vehicle or ordering a module using a different vehicle/ VIN can cause ineffective repairs and additional vehicle downtime. Make sure all appropriate WSM procedures are followed when diagnosing the condition before any module replacements and only order modules using the correct VIN. " -GSB 24-7011
“Starting a vehicle session requires the user to select the Read VIN From Vehicle button in FDRS. Once the Read VIN From Vehicle button is selected, FDRS will read the VIN via the CAN from the PCM using OBD-II protocol from PCM Mode 09 data. The PCM will report the VIN to FDRS, which displays it in the VIN entry box. The user will then select Go, at which time FDRS will retrieve a vehicle model from the servers for that VIN, including which modules are equipped, the powertrain type, and the vehicle program information. This process occurs while FDRS displays a progress bar stating, Downloading Vehicle Information. Once obtained, FDRS will perform a network test on the vehicle and read the part numbers and DTC in all equipped modules.” -GSB 24-7011
https://www.macheforum.com/site/attachments/gsb-24-7011_fdrs_programming_job_aid-pdf.117742/
I would be willing to believe that the manufacturer absolutely can do what you’re saying but only the actual manufacturer, not a tech at a dealership or independent shop.
If you were to do this with say a 2020 F150 (went to a junkyard, bought a BCM, plugged it into your truck) the other modules would not be able to validate it.
" Perimeter Alarm:
The BCM controls the operation of the perimeter alarm. It monitors inputs from the RKE system, the passive entry system, the power door lock system, the PATS and the ignition status to determine when to arm the perimeter alarm.
The BCM monitors all of the door ajar switches, the luggage compartment lid ajar input, the hood ajar switch, the intrusion sensor, the CAN and the ignition status to determine when to activate the perimeter alarm. When the BCM detects an input indicating an unauthorized entry into the vehicle, the BCM activates the perimeter alarm by sounding the horn and flashing all the turn signals and interior courtesy lamps at regular intervals.
The BCM monitors the RKE system, the passive entry system, and the PATS to determine when to disarm the perimeter alarm.
A switch inhibit feature temporarily disables the door lock control switches and the interior luggage compartment lid release switch 20 seconds after the vehicle is electronically locked. For detailed information of the switch inhibit feature, Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
Additionally, there is a door lock LED indicator located on each door window sill. The indicators provide lock/unlock indication for each door. They illuminate when the door is locked and are off when the door is unlocked. For detailed information of the door lock LED indicators, Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
Visual and audible feedback is also provided when locking or unlocking the vehicle. For detailed information of the vehicle locking and unlocking feedback, Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
Arming The Perimeter Alarm
The perimeter alarm is ready to arm any time the ignition is off. The perimeter alarm pre-arms when any of the following occur:
Once the system is pre-armed, there is a 20-second countdown before the perimeter alarm is armed. Each entry point to the vehicle (hood, door and luggage compartment lid) is armed separately and must be closed before that entry point begins the 20-second countdown to become armed. If all entry points are closed, the turn signals flash upon locking indicating that all entry points are entering the 20-second countdown.
Perimeter Alarm Activation
The perimeter alarm has a 12-second delay when the driver front door is opened without using a valid programmed RKE transmitter or a passive key to unlock the vehicle. During the delay, a chime sounds. If the perimeter alarm is not disarmed within the 12-second delay, the alarm activates.
The perimeter alarm activates when:
The perimeter alarm only activates 10 times per arming cycle. After that, the alarm does not activate. To enable the perimeter alarm again, disarm the perimeter alarm and then arm it again.
Disarming The Perimeter Alarm
The perimeter alarm disarms when:
CAN Protection Strategy
When the perimeter alarm is armed, the BCM monitors the CAN . If a scan tool is connected to the DLC , and an attempt is made to establish a session with the BCM , it activates the perimeter alarm.
Every time the BCM detects an unauthorized access (alarm activates), all BCM programming, PID monitoring and self-test sessions are blocked for 10 minutes. At the end of the 10 minute time period, the horn chirps to indicate the 1 minute of opportunity to communicate with the BCM and program keys if none are available.
Refer to: Anti-Theft Key Programming - Scan Tool (419-01B Passive Anti-Theft System (PATS), General Procedures) .
Component Description
Door Latch
The door ajar switch, the lock/unlock solenoid and the lock/unlock status input switch are part of the door latch and not serviceable separately.
The door ajar switch is monitored by the BCM and the primary function is for the courtesy lamps system. Refer to: Interior Lighting - System Operation and Component Description (417-02 Interior Lighting, Description and Operation) .
The lock/unlock solenoid is controlled by the BCM for locking and unlocking the door. Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
The lock/unlock status input switch is used to illuminate the door lock status indicator. Refer to: Handles, Locks, Latches and Entry Systems - Overview (501-14 Handles, Locks, Latches and Entry Systems, Description and Operation) .
Hood Ajar Switch
The hood ajar switch is a single pole switch (integrated into the hood latch) that is normally closed when the hood is closed. When the hood is opened, the hood ajar switch opens to indicate an open hood.
The BCM sends a signal to the hood ajar switch, and based on the input, the BCM determines if the hood is open or closed.
Intrusion And Inclination Sensor
The intrusion sensor is powered and monitored by the BCM at all times. When the perimeter alarm is armed, it monitors the passenger compartment for movement by emitting acoustic ultrasonic pulses. If movement is detected, it sends a signal to the BCM .
The inclination sensor is powered and monitored by the BCM at all times. When the perimeter alarm is armed, the inclination sensor monitors the vehicle for tilt or inclination from events such as significant cargo removal or addition, jacking up a wheel assembly, loading onto a tow truck, or suspension modifications causing significant front/rear ride height differences. If sufficient tilt is detected, the inclination sensor sends a signal to the BCM .
When the intrusion/inclination sensor is replaced, the LIN New Module Initialization procedure must be carried out using a diagnostic scan tool.
BCM
The BCM controls the operation of the perimeter alarm. Based on input, the BCM arms, disarms, activates or deactivates the perimeter alarm.
The BCM requires PMI when replaced. Additionally, at least 2 keys must be programmed and the parameter reset procedure carried out." - All data
On older cars you probably could go to a junkyard to get the PCM, BCM and so on. But that doesn’t work on newer cars specifically not ones with PAT systems. You’ll immobilize the car or put it in limp mode. If any one of those modules doesn’t recognise the saved in the other modules. And you’d need a lot of parts to get around that.
I guarantee you that the paired parts can and will be swapped out or stolen. It does nothing to protect consumers. Give me an example of a manufacturer who uses paired parts and I’ll find examples of thefts, hacks, and replacements.
Wrong wrong wrong wrong. Go to literally any dealer and ask a tech.
I’ll be waiting for when you find an example, mate.
Again, if you’re so deep in the car that this matters, this is not the part that’s going to stop you, unless the car is so poorly built that the keyless entry module is readily available without taking apart the entire car. This is a non-problem.
It isn’t just one module. That’s what I’m trying to tell you. There’s a handshake. So replacing the Electronics control module or the Powertrain control module those modules have to be configured to the Vin. In my mother’s escape the PCM is in the wheel well behind a liner held in by plastic clips. None of those parts can be replaced without being configured to the VIN.
As for poorly designed cars, yeah. They’ve been making them for years and security has been evolving. Doesn’t mean we should set ourselves back in that arena because Joe wants to swap out his PCM with one from the junk yard.
CAN network injection can be achieved through the headlight well on some cars.
https://www.autoblog.com/2023/04/18/vehicle-headlight-can-bus-injection-theft-method-update/
I know that it isn’t just one module. What is the handshake achieving exactly? Because it’s not additional security from an attacker trying to replace the keyless entry module with a hacked one, and if it is doing that then this is a terrible security design and the actual solution is not to get to keep using this ‘security’ threat model.
According to the diagram I’m looking at? The front door handle receives the entry signal from the key that’s in proximity to the vehicle (I think it’s something like within three feet). That signal is sent to a BCM (ECU), that then talks to other PAssive entry antennas on the vehicle to unlock the door. Simultaneously it talks to the PCM and IPC through the Gateway module, sending a Passive Entry enable signal. Those modules talk to the ignition switch allowing the vehicle to be started. Looks like this happens on what’s called the High Speed CAN network. So the question is, if I can access this network via something like the PCM and the PCM isn’t properly configured to prevent this, can I override the network without having the key with sufficient tech? That’s problematic for a lot of reasons. So no. I don’t think you should be able to go to a junkyard or pick and pull and buy a module that could compromise your network and I don’t understand why anyone would want that. You absolutely can buy a module from the manufacturer and get a shop (not even a dealership, just an independent shop with the right tools) to configure a module.