Tuesday, 3 May 2011

Ford Focus Duratec Box 'O Tricks - PATS Code Fun

This post details reverse engineering the PATS security system in the Australian delivered Duratec engined Ford Focus. It follows on from this post.

After recording a few CAN sessions with and without a valid key, it was time to try to understand the encryption method being used by the Focus.  I took a punt and started by assuming they were using Microchip's KeeLoq system.  That cipher might be used by the wireless unlock system, but as it turns out, not by the PATS system.

The KeeLoq cipher has been published, as have some tools that make breaking it a little easier.  I started with a brute force approach, but the code I wrote in C#.NET was going to take years to work through all possible codes.

Disheartened by the lack of success, I considered just creating a response map: a table of the response for each possible challenge code.  But with a 32-bit challenge that is 2^32 entries, around 16 GB of 4-byte responses stored as an offset table.  Not an ideal situation, and gathering all the data would take a long, long time too.

I started to look at the recorded challenge and response codes, thinking there might be a pattern.  However, I only had responses to random challenges, which made things a little tough.  Then it struck me that I could remove the EFI ECU and send sequential challenges to the dash myself, recording the responses.

With sequential challenge/response data (a few hundred codes) I started to see some patterns.  Looking at the data in binary helped a lot.

To cut to the chase, I was able to condense the data set required from 16 GB down to just 1024 bytes!

As it turns out, each byte of the challenge code indexes a separate code table.  So for each byte within the 4-byte challenge code there are just 256 possible answers; each byte is treated independently, which collapses the problem from 2^32 possible challenges to 4 x 256 table entries.  This was a huge surprise!
There are a few little tricks (nibble swapping and the like) that make the simple code a little harder to see at first.
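The per-byte structure described above, as an added example that is not the author's code.  The real Focus tables are not published on this page, so DEMO_TABLES is a constructed stand-in (a nibble swap followed by a random byte permutation per position, in the spirit of the "little tricks" mentioned).  The example goes one step beyond the sequential sweep in the post: because the bytes are independent, a single sweep of 256 chosen challenges with all four bytes equal fills all four tables at once.  It also shows the quick test that tells a per-byte scheme apart from a real 32-bit cipher using only recorded random pairs.

```python
"""Per-byte lookup model of the Focus PATS challenge/response.

Added example, not the author's code.  DEMO_TABLES is a constructed stand-in
for the four real 256-entry tables, which are not on the page.
"""
import random


def make_demo_tables(seed: int = 1) -> list:
    """Constructed stand-in: nibble swap, then a random permutation, per byte position."""
    rng = random.Random(seed)
    tables = []
    for _ in range(4):
        perm = list(range(256))
        rng.shuffle(perm)
        tables.append(bytes(perm[((b & 0x0F) << 4) | (b >> 4)] for b in range(256)))
    return tables


DEMO_TABLES = make_demo_tables()


def bytewise_respond(challenge: bytes, tables=DEMO_TABLES) -> bytes:
    """What the post found: response byte i depends only on challenge byte i."""
    assert len(challenge) == 4
    return bytes(t[c] for t, c in zip(tables, challenge))


def recover_tables(query) -> list:
    """Rebuild all four tables with 256 chosen challenges.

    Challenge i is sent as (i, i, i, i), so one query fills entry i of every
    table: 256 queries instead of the 2**32 a full response map would need.
    """
    tables = [bytearray(256) for _ in range(4)]
    for i in range(256):
        resp = query(bytes([i] * 4))
        for pos in range(4):
            tables[pos][i] = resp[pos]
    return [bytes(t) for t in tables]


def is_bytewise(pairs) -> bool:
    """Check recorded (challenge, response) pairs for per-byte independence.

    Returns False as soon as one challenge byte value at a position is seen
    with two different response bytes at that position.  A scheme that mixes
    the whole challenge fails this almost immediately; a per-byte one never does.
    """
    seen = [{} for _ in range(4)]
    for ch, rs in pairs:
        for pos in range(4):
            prev = seen[pos].setdefault(ch[pos], rs[pos])
            if prev != rs[pos]:
                return False
    return True


def mixing_respond(challenge: bytes) -> bytes:
    """Constructed contrast: every response byte depends on the whole challenge."""
    x = int.from_bytes(challenge, "big")
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & 0xFFFFFFFF
    x ^= x >> 13
    return x.to_bytes(4, "big")


def sample_pairs(respond, n: int = 300, seed: int = 7) -> list:
    """Random challenges, like the ones recorded from engine starts (constructed)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        ch = bytes(rng.randrange(256) for _ in range(4))
        out.append((ch, respond(ch)))
    return out


if __name__ == "__main__":
    print("tables recovered:", recover_tables(bytewise_respond) == DEMO_TABLES)
    print("per-byte scheme passes test:", is_bytewise(sample_pairs(bytewise_respond)))
    print("mixing scheme passes test:", is_bytewise(sample_pairs(mixing_respond)))
```

With a few hundred random pairs the independence test is decisive: more than 256 samples guarantees repeated byte values at every position, and any real mixing function gives different response bytes for those repeats.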

In the next post I will illustrate some examples and the rules for this code simplification.
I am still convinced there are patterns in the simplified code and it could be reduced further; I just haven't had the time yet.

Monday, 2 May 2011

Ford Focus Duratec Box 'O Tricks - Hardware

Just here to get a picture link for a forum...

Monday, 18 April 2011

Killing ABS Warnings - Sometimes You Just Get Lucky!

At the moment I am doing some work on the electrical system of a Hot Rod build that is mostly made up of a 2005 VZ Commodore, being built by Jim.

The good part about this project is that it uses almost all of the Commodore, so the harness stays intact and everything is guaranteed to work together in harmony.
Apart from a few small issues, the biggest headache is the ABS.  The rod won't have ABS, so the instrument cluster was beeping and showing animated warnings non-stop.

Pesky ABS Warning on the LCD Dash


I had looked at a lot of options to fix this.  The easiest was to use a BCM from a non-ABS VZ ute (yes, they made them), but I think nearly everyone would have optioned AC and ABS; the base option exists only to get the headline price down.

In the end I decided the only way to fix it was to create a ghost system that would pretend to be the ABS.  Now, I could reverse engineer this, but it was going to take ages and I needed access to a working system.  Convincing a friend of a friend's mother that you need to plug in and play with the family car is not as easy as you might think!

This time, however, I got lucky!  Even though the ABS wasn't hooked up on the rod, we still had the original ABS unit.  So I hooked up a CAN bus monitor and compared the bus with and without the ABS module running.  This yielded three message addresses belonging to the ABS.

Without ABS

With ABS ON

So now I knew that the ABS module was sending frames on 140h, 280h and 2F0h at 21 ms, 100 ms and 100 ms respectively.  But I had no idea what the content of these frames represented.  Sure, I can guess (wheel speed, status, brake force), but that still doesn't help.

Suddenly I had a thought.  I felt a little silly about trying it and didn't explain to those watching what I was doing, in case of embarrassment...  But what do you know, it worked.  I just spammed out empty (all-zero) frames on the addresses above at the original rates.

It seems the BCM only checks that something is arriving on the ABS addresses, not what the frames contain.  Once it saw frames there it stopped telling the cluster to beep and flash, so now everyone is happy.
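The ghost ABS as an added example, not the author's code.  The IDs, periods and all-zero payloads are the ones the post gives; the transport is a plain callable so the scheduler runs with no hardware attached (python-can's Bus.send is one thing that could be plugged in, but that is an assumption, not something the post used).  The scheduler reschedules from the previous due time rather than from "now", so a late wake-up catches up instead of slowly drifting below the rate the BCM expects.

```python
"""Ghost ABS: periodic zero-filled frames on the IDs the real module used.

Added example, not the author's code.  IDs and periods are from the post;
the send callable is whatever transport you have.
"""
import time

# (arbitration id, period in ms, 8-byte payload), as observed in the post
GHOST_FRAMES = [
    (0x140, 21, bytes(8)),
    (0x280, 100, bytes(8)),
    (0x2F0, 100, bytes(8)),
]


class KeepaliveScheduler:
    """Tracks the next due time (ms) of each frame and hands back what is due."""

    def __init__(self, frames=GHOST_FRAMES, start_ms: int = 0):
        self.frames = list(frames)
        self.next_due = {fid: start_ms for fid, _, _ in self.frames}

    def due(self, now_ms: int) -> list:
        """Return (id, payload) for every frame due at or before now_ms.

        A frame that is several periods overdue is emitted once per missed
        period, so the long-run rate matches the original even if the caller
        wakes up late.
        """
        out = []
        for fid, period, payload in self.frames:
            while self.next_due[fid] <= now_ms:
                out.append((fid, payload))
                self.next_due[fid] += period
        return out


def simulate(duration_ms: int, frames=GHOST_FRAMES) -> dict:
    """Count frames per id over duration_ms with a 1 ms simulated tick (no hardware)."""
    sched = KeepaliveScheduler(frames)
    counts = {fid: 0 for fid, _, _ in frames}
    for now in range(duration_ms):
        for fid, _ in sched.due(now):
            counts[fid] += 1
    return counts


def run_realtime(send, duration_s: float, frames=GHOST_FRAMES) -> None:
    """Drive send(id, payload) against the monotonic clock for duration_s seconds."""
    t0 = time.monotonic()
    sched = KeepaliveScheduler(frames)
    while True:
        now_ms = int((time.monotonic() - t0) * 1000)
        if now_ms >= duration_s * 1000:
            return
        for fid, payload in sched.due(now_ms):
            send(fid, payload)
        time.sleep(0.001)


if __name__ == "__main__":
    # Print-only transport; replace with a real bus send to use it on a car.
    run_realtime(lambda fid, p: print(f"{fid:03X} {p.hex()}"), 0.25)
    print(simulate(1000))
```

Over one simulated second this emits 48 frames on 140h and 10 each on 280h and 2F0h.  The flip side of the trick is the security point: a BCM that only checks presence will accept anything on those IDs, so whatever is on that bus can impersonate the ABS just as easily.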

Sometimes you just get lucky.

Thursday, 14 April 2011

Ford Focus Duratec Box 'O Tricks - Engineering In Reverse

This post details reverse engineering the PATS security system in the Australian delivered Duratec engined Ford Focus. It follows on from this post.

To reverse engineer this system I began by listening to the CAN bus interaction between the cluster and the ECU.  I use a Peak USB CAN interface, which is great, but you need to write your own PC software to get the best out of it.

The first task is to sort out which data on the bus relates to the function you are interested in.  Typically you will see 20 to 50 addresses reporting at different rates, so it can be daunting to start with.  Removing components from the system one by one helps narrow down the addresses of interest: whatever disappears from the bus belonged to the component you unplugged.

In this case the engine ECU's PATS traffic is reported on address 46h, whilst the instrument panel reports on 40h.
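The "remove a component and see what disappears" step, as an added example that is not the author's code.  It serves both this post and the ABS post above: two captures are diffed to find the IDs that exist only when the component is present, and each ID's period is estimated from its timestamps.  The log format (millisecond timestamp, hex ID, hex data bytes) and the sample captures are constructed here, not taken from the Peak tool; the IDs and periods in the sample echo the ABS post (140h/280h/2F0h at 21/100/100 ms) alongside two made-up background IDs.

```python
"""Diff two CAN captures to find which IDs a component owns, and at what rate.

Added example, not the author's code.  Log format and sample data are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed background traffic (id, period ms) and the ABS IDs from the post.
BASE_IDS = [(0x0A0, 10), (0x120, 20)]
ABS_IDS = [(0x140, 21), (0x280, 100), (0x2F0, 100)]


def constructed_capture(ids_periods, duration_ms: int) -> str:
    """Build a capture in the assumed 'time_ms id data...' text format (constructed data)."""
    lines = []
    for cid, period in ids_periods:
        for t in range(0, duration_ms, period):
            lines.append(f"{t} {cid:03X} 00 00 00 00 00 00 00 00")
    lines.sort(key=lambda line: float(line.split()[0]))
    return "\n".join(lines)


def parse_capture(text: str) -> dict:
    """Return {id: [timestamps_ms]} from 'time_ms id data...' lines; skips blanks and comments."""
    frames = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, cid, _data = line.split(maxsplit=2)  # payload not needed for this step
        frames[int(cid, 16)].append(float(t))
    return dict(frames)


def estimate_period_ms(stamps) -> float:
    """Median inter-frame gap; the median shrugs off the odd dropped or delayed frame."""
    stamps = sorted(stamps)
    if len(stamps) < 2:
        return float("nan")
    return median(b - a for a, b in zip(stamps, stamps[1:]))


def summarize(text: str) -> dict:
    """{id: (frame count, period ms)} for every ID on the bus: the daunting first view."""
    return {cid: (len(ts), estimate_period_ms(ts)) for cid, ts in parse_capture(text).items()}


def ids_added_by_component(with_log: str, without_log: str) -> dict:
    """IDs present with the component and absent without it, with their periods."""
    with_frames = parse_capture(with_log)
    without_frames = parse_capture(without_log)
    return {cid: estimate_period_ms(ts)
            for cid, ts in with_frames.items() if cid not in without_frames}


if __name__ == "__main__":
    with_abs = constructed_capture(BASE_IDS + ABS_IDS, 1000)
    without_abs = constructed_capture(BASE_IDS, 1000)
    for cid, period in sorted(ids_added_by_component(with_abs, without_abs).items()):
        print(f"{cid:03X}: every {period:.0f} ms")
```

On the constructed captures this reports 140h every 21 ms and 280h/2F0h every 100 ms, which is exactly the list needed before the ghost module could be built.  On a real capture the same diff is the starting point for the 46h/40h pair here: pull the ECU, and its IDs are the ones that stop.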

The next step is to identify the interaction pattern.  There is no need to understand the detail of the message content yet, just the order and timing of the 'conversation'.  This part needed recordings from several engine starts to compare the parts that stayed the same with the parts that changed.

The data interaction is detailed below.


The highlighted frames are the important ones.  I don't know the interaction between the key ECU and the cluster, but since I want to replace all of these, I don't care.

Basically the above shows a classic challenge-response scheme, also known as friend-or-foe identification.  This method never puts the secret itself on the bus, only a challenge and the answer to it, so a passive listener learns nothing directly.  Its strength rests entirely on how hard it is to compute the answer without the secret; the PATS Code Fun post above shows how little that turned out to require in the Focus.  A diagram of the interaction is below.


Next I needed to get an understanding of the encryption to try and replicate it.

Ford Focus Duratec Box 'O Tricks - System Layout

This post details the PATS security system in the Australian delivered Duratec engined Ford Focus. It follows on from this post.

The PATS (Passive Anti-Theft System) essentially forms the vehicle's immobiliser.  Without the PATS system working, your Focus just won't start.

The thing that makes the system a little odd in this vehicle is the critical function performed by the instrument cluster.  Not only is the cluster required for PATS operation, it has to be coded to match both the ECU and key!

The diagram below shows the layout of the components in the Focus PATS system.


The instrument cluster communicates with the key ECU, which is located beside the ignition cylinder and includes a loop-type antenna for wireless communication with the circuitry embedded in the key head.  Communication with the cluster is over an independent serial bus.

The cluster interacts with the engine ECU through the high-speed CAN bus, which is shared with most other ECUs.  The messages sent between these components perform many functions apart from the PATS feature.

Saturday, 2 April 2011

Seatbelt Warning Lamp Timer


If you are registering an ICV (Clubman, Cobra etc.) in Australia you will need a seatbelt warning light to meet ADR requirements.  There are a number of ways the lamp is allowed to operate (for example linked to a switch in the seat); the easiest is just to run the lamp for a short time when the ignition is turned on.

The small (60 x 20 mm) circuit runs the lamp for 20 to 30 seconds after power is applied.  When power is turned off and on again the timing period restarts.

The circuit is simple and robust.  Power comes from the ACC or ON ignition lines.  The output can drive a small bulb (2 W max), an LED, or the lamp in an OEM dash (where it needs to be grounded to operate).

The board is double heat-shrunk and supplied with fly leads and wiring instructions; it is easily taped or cable-tied to a harness or frame.
The completed timer board, wrapped in heatshrink

Dash lamp with symbol is also available

The Timers can be purchased for $20 including shipping (Aus only)
If you want the lamp as well the package is shipped for $35.

For sales and enquiries please email me using the form on the right, or using this address  info@migdevelopments.com

Below is a hook-up diagram covering a few different scenarios.  Click on the image for a larger view.

Tim's Tachometer Interface

Tim is building an ICV using a 4-cylinder Toyota Camry engine.  For a dash he bought a multifunction LCD unit intended for motorbikes.  It was a 'Vapor' brand; see the picture below.

Vapor LCD Dash Unit - Intended For A Motorbike
The problem was that the tachometer was not triggering.  The Vapor dash had an input that could supposedly be hooked up in a number of ways.  The primary method was to wrap the input wire around the ignition lead, inductively coupling it.

Since the engine in Tim's car uses coil on plug ignition, there was no lead to wrap the line around.

Even though the dash instructions said the tacho could also be connected to the coil trigger line, this didn't work.  The trigger line is 5 V; we fixed this with a transistor to bring the same signal up to 12 V, but with no success.

The only time the dash would jump to life was when the line was connected to the power supply line of the coil.  When I looked at this line on the oscilloscope I could see a lot of noise related to the coil firing.  Each time the coil charged the voltage would drop, then spike to 16 V when charging stopped (inductive field collapse).  This worked OK at low rpm, but there was too much interference from the other coils at higher rpm, causing erratic behaviour.

Interestingly, some cheap rpm meters that plug into the cigarette lighter socket use the noise on the power line to detect the coil firing rate.

Since the dash seemed to trigger better on higher voltages (which get quite high when inductively coupled to the ignition lead), I built a simple charge pump circuit to raise the supply to around 25 V.  The 5 V coil trigger line switches an NPN transistor which is pulled up to the 25 V rail.  This gives the dash a higher-voltage input signal, causing it to spring to life.

Circuit on proto-board

Circuit neatly mounted in a box

Basic Schematic of circuit

The only modification we made was to hook the circuit up to two coils, doubling the rpm displayed (this adjustment couldn't be made in the dash).  The reason was that the unit was designed for a high-revving motorbike and didn't look so good only revving to less than half the full display range.

Monday, 7 March 2011

USB DRO Project

This project will increase the usability of any mill or lathe at minimal cost.  What's a DRO?  It stands for Digital Read Out: a display connected to the axes of a milling machine or lathe to show the current location of the cutter.  This makes it much easier to make things than reading the dials and counting in your head.  The productivity gains from adding a DRO are huge.


Traditional DRO System
Unfortunately DROs tend to be really expensive; some systems cost more than the home workshop equipment they are connected to.  When I started to look at options I quickly ruled out the traditional 7-segment LED displays for the following reasons:
  • Too difficult to run - A three axis system might have 25 or more modules!
  • Too much current draw - It adds up!
  • Too expensive - Again, the cost adds up
I was also keen to make the system flexible, so that some users might have one axis, others 4 or more.  Designing the PCB and control systems to be modular was a headache.
As an alternative to 7-segment LED modules I explored LCDs.  However, the readability was not so good and the same issues with flexibility etc. weren't resolved.

Finally I decided to produce a PC-based system.  It is pretty easy to get your hands on a low-cost (free) older PC running XP, small LCD screens (14") go for next to nothing, and both can be mounted easily high up next to the machine (or between a mill and lathe for a shared setup).

By using the PC as the display and input system the costs are kept down, the system is flexible and there is plenty of scope for fancy functions to be added later (like pseudo CNC).


The above pictures are of the prototype system currently under development.  The board on the left is the optical transceiver option (for linear/rotary position) and the board on the right is the hall switch option (for spindle RPM).

The optical transceiver and matching linear strips are from US Digital.  The USB bridge is an FTDI FT232RL and currently a Microchip PIC18F1220 is loaded as the micro.  Power is derived from the USB bus, with a P-channel MOSFET ensuring the board does not draw excess current during suspend mode.

The pins exiting the side of the PCB are for development programming and will not be there in the final version.  Also, the wires jumping across the micro are there to correct a mistake in the circuit, which seems inevitable despite checking and rechecking (damn Microchip and their use of the easily forgotten Vdd/Vcc).  The boards are 55 mm x 32 mm and were produced by PCB Core.  The final units will be encapsulated in epoxy for water resistance.

I will keep placing updates here as I go.  If you have any interest in the system please drop me an enquiry using the form on the right.

UV PCB Exposure From Old Scanner

This is a project I finished a long time ago, and even though I no longer use it the idea could be useful for someone else into home-made PCBs.

Over the first few years of mucking around with electronics I tried many methods of making PCBs at home, starting with hand-drawing the tracks with a marker pen, then moving to some of the iron-on methods.  Finally I decided the best (most accurate, repeatable, satisfying) method was the UV-sensitive system from Kinsten.

To make this system work as well as possible the exposure should be done on a flat bed with the artwork sandwiched between the PCB and the light source.  Kinsten sells a nice UV exposure unit (picture below), but it is a bit pricey for the home user.

Kinsten Exposure Unit

As an alternative I salvaged an old flatbed scanner from a local throw-out.  After removing the workings of the scanner I fitted 5 small UV fluorescent tubes and their associated power circuits, taken from a number of 'party' lights designed to run from batteries or a 9 V plug pack.  I seem to remember paying around $5 each for the lights on sale.  To finish off the project I added a switch-mode power supply (240 V -> 9 V) and a timer from an old oven (rotate to set; rings a bell and switches off when finished).


Photos of the recycled flat bed scanner

This unit gave me the most repeatable and accurate home-made boards; I was able to produce small-pitch footprints for SMD and make double-sided boards (without plated-through holes/vias).  There are also chemicals available to 'silver' the exposed copper (at room temperature) to give the look of tin plating (HASL), as can be seen in the example below.

In the end I have decided to get a commercial company to make all of my PCBs now.  Once you are handling small SMD parts and want high density there are too many defects when trying to make your own boards economically.  I recommend the following PCB manufacturers:
  • Futurlec [Thailand: For Through Hole and Larger SMD - Double Sided]
  • PCB Core [China: For High Density, Low Pitch SMD, Multi Layer]

Example PCB made using this system

Of course, it is pretty hard to come by a stand-alone scanner these days; they all seem to be built into multifunction printers!

Race Car ECU - Graduate Project

This is a blast from the past.  Reminds me of how far my electronics knowledge and design skill has come!

My final year engineering (mech) project was to build a prototype engine ECU and data logger (integrated) for the Formula SAE contest.  The project was completed in partnership with Julian Sanders under Prof Bruce Kuhnell.  We also had some guidance from an engineer for a Formula One team.

The system was based around a Freescale MPC555 32-bit processor, which was quite advanced at the time.  The prototype was made with two A3-sized double-sided PCBs, which were hand made.  Most of the parts were through-hole.  The system had an enormous number of inputs and outputs handled by the circuitry on these boards.




User input was from a 'remote' hand controller with an LCD screen and input keys.  Data was logged onto an SD flash card using a uMMC board from Rogue Robotics.

By the end of the project we had the system running and test software written.  However, there wasn't time to hook it up to an engine.  The reports for this project are available for download below; feel free to take a look.  Please don't send any questions or comments: the project was completed a long time ago and I am more than aware of the limitations of my understanding at the time.

Research Paper


Final Report