Thursday, 14 April 2011

Ford Focus Duratec Box 'O Tricks - Engineering In Reverse

This post details reverse engineering the PATS security system in the Australian delivered Duratec engined Ford Focus. It follows on from this post.

To reverse engineer this system I began by listening to the CAN bus interaction between the Cluster & ECU.  I use a Peak USB CAN interface, which is great, but you need to write your own PC software to get the best out of it.

The first task is to sort out which data on the bus relates to the function you are interested in.  Typically you will get 20 ~ 50 addresses reporting at different rates on the bus so it can be daunting to start with.  Removing components from the system one by one can help in starting to narrow down the addresses of interest.

In this case the engine ECU PATS is reported on address 46h whilst the instrument panel reports on 40h.

The next step is to identify the interaction pattern.  There is no need to understand the detail of the message content yet, just the order and timing of the 'conversation'.   This part needed recordings from several engine starts to compare the common parts, and the parts that changed.

The data interaction is detailed below.


The highlighted frames are the important ones.  I don't know the interaction between the Key ECU and Cluster, but since I want to replace all of these, I don't care.

Basically the above shows a classic challenge-response scheme, also known as Friend or Foe.  This method doesn't require any codes or keys etc. to be broadcast, reducing the chance of hacking.  A diagram of the interaction is below.
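To illustrate the property described above (the shared secret never appears on the bus, and a response captured on one start is useless on the next), here is an added simulation of the challenge-response exchange. It is not code from the post and the MAC used is an assumption; only the CAN addresses 46h and 40h come from the post, and the real PATS algorithm has not been identified at this point.

```python
import hmac, hashlib, os

# Constructed example: arbitration IDs taken from the post, the keyed MAC
# is an assumption standing in for the as-yet-unknown PATS algorithm.
ECU_ID = 0x46      # engine ECU PATS frames
CLUSTER_ID = 0x40  # instrument cluster frames

class Cluster:
    """Holds the shared secret and answers challenges; never transmits the secret."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def respond(self, challenge: bytes) -> tuple:
        # response = truncated HMAC over the challenge; the secret stays inside
        mac = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return (CLUSTER_ID, mac[:8])

class Ecu:
    """Issues a fresh random challenge and checks the cluster's answer."""
    def __init__(self, secret: bytes, rng=os.urandom):
        self._secret = secret
        self._rng = rng
        self._pending = None
    def challenge(self) -> tuple:
        self._pending = self._rng(8)   # new nonce on every engine start
        return (ECU_ID, self._pending)
    def verify(self, frame) -> bool:
        can_id, payload = frame
        if can_id != CLUSTER_ID or self._pending is None:
            return False
        expected = hmac.new(self._secret, self._pending, hashlib.sha256).digest()[:8]
        self._pending = None           # one answer per challenge
        return hmac.compare_digest(expected, payload)

def engine_start(ecu, cluster, bus_log):
    """One start sequence; every frame put on the bus is appended to bus_log."""
    chal = ecu.challenge(); bus_log.append(chal)
    resp = cluster.respond(chal[1]); bus_log.append(resp)
    return ecu.verify(resp)

def replay_check(secret=b"constructed-shared-secret"):
    """Returns (genuine_ok, replayed_ok, secret_seen_on_bus)."""
    ecu, cluster, log = Ecu(secret), Cluster(secret), []
    genuine = engine_start(ecu, cluster, log)
    old_resp = log[-1]                 # what a bus sniffer would have captured
    ecu.challenge()                    # next start: different nonce
    replayed = ecu.verify(old_resp)    # stale answer no longer matches
    leaked = any(secret in payload for _, payload in log)
    return genuine, replayed, leaked
```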


Next I needed to get an understanding of the encryption to try and replicate it.