This post details reverse engineering the PATS security system in the Australian-delivered, Duratec-engined Ford Focus. It follows on from this post.
After recording a few CAN sessions with and without a valid key, it was time to try to understand the encryption method being used by the Focus. I took a punt and started by assuming they were using the Microchip-owned KeeLoq system. That cipher might be used by the wireless unlock system, but as it turns out, not by the PATS system.
The cipher for the KeeLoq system has been published, as well as some tools to make breaking it a little easier. I started with a brute-force approach. The code I wrote in C#.NET was going to take years to work through all possible codes.
Disheartened by the lack of success, I considered just creating a response map: a table of the response for each possible challenge code. But since the challenge is 32-bit, we are looking at 2GB to store the data as an offset table. Not an ideal situation, and gathering all the data would take a long, long time too.
I started to look at the recorded challenge and response codes and thought there might be a pattern. However, I only had responses to random challenges, making things a little tough. Then it struck me that I could remove the EFI ECU and send sequential challenges to the dash to record the responses.
With the sequential challenge/response data (for a few hundred codes) I started to see some patterns. Then I dug a little further; looking at the data in binary helped a lot.
To cut to the chase, I was able to condense the data set required down from 32GB to just 1024 bytes!
As it turns out, each byte of the challenge code maps through a separate code table. So for each byte within the 4-byte challenge code there are just 256 possible answers. Basically each byte is treated independently, which greatly reduces the complexity. This was a huge surprise!
There are a few little tricks (bit and nibble swapping and the like) which make the simple code a little harder to see at first.
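The byte-wise reduction described above, as an added example that is not part of the original post or of Ford's code: a toy responder built from four constructed random tables (placeholders, not the real PATS tables) behind an assumed nibble-swap layer, the "send sequential challenges and record the answers" learning step, and a contrast responder whose output bytes mix neighbouring input bytes. Running it shows why a byte-independent design collapses to 1024 bytes of table after 256 chosen challenges, and why even a little diffusion across the challenge stops the same trick from working.

```python
import random

# Constructed stand-in for the dash module: four independent 256-entry
# substitution tables (random permutations, NOT Ford's real PATS tables).
_rng = random.Random(1234)
_TABLES = []
for _ in range(4):
    perm = list(range(256))
    _rng.shuffle(perm)
    _TABLES.append(perm)


def _nibble_swap(b: int) -> int:
    """Swap the high and low nibbles of a byte (assumed 'trick' layer for the toy)."""
    return ((b & 0x0F) << 4) | (b >> 4)


def toy_respond(challenge: bytes) -> bytes:
    """Byte-independent responder: answer byte i depends only on challenge byte i."""
    assert len(challenge) == 4
    return bytes(_TABLES[i][_nibble_swap(b)] for i, b in enumerate(challenge))


def mixed_respond(challenge: bytes) -> bytes:
    """Contrast case: each answer byte also depends on the next challenge byte,
    so no per-byte lookup table can describe it."""
    assert len(challenge) == 4
    return bytes(_TABLES[i][b ^ challenge[(i + 1) % 4]] for i, b in enumerate(challenge))


def learn_tables(respond):
    """Send 256 chosen challenges (all four bytes equal to v) and record what
    each answer position returns. For a byte-independent responder this
    captures the whole mapping; the nibble swap is absorbed into the table."""
    learned = [[0] * 256 for _ in range(4)]
    for v in range(256):
        answer = respond(bytes([v] * 4))
        for i in range(4):
            learned[i][v] = answer[i]
    return learned


def predict(learned, challenge: bytes) -> bytes:
    """Answer an arbitrary challenge from the learned tables alone."""
    return bytes(learned[i][b] for i, b in enumerate(challenge))


def table_size_bytes(learned) -> int:
    """Storage needed for the learned model: 4 tables x 256 entries."""
    return sum(len(t) for t in learned)


def count_mismatches(learned, respond, n=1000, seed=7) -> int:
    """Check the learned model against random challenges it never saw."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(n):
        c = bytes(rng.randrange(256) for _ in range(4))
        if predict(learned, c) != respond(c):
            bad += 1
    return bad


if __name__ == "__main__":
    model = learn_tables(toy_respond)
    print("table bytes:", table_size_bytes(model))
    print("byte-wise responder, mismatches on 1000 random challenges:",
          count_mismatches(model, toy_respond))
    model2 = learn_tables(mixed_respond)
    print("mixing responder, mismatches on 1000 random challenges:",
          count_mismatches(model2, mixed_respond))
```

The design lesson is the last number: against the mixing responder the chosen challenges with all bytes equal only ever exercise one table entry per position, so the learned model predicts almost nothing. A challenge/response scheme should make every answer bit depend on every challenge bit (and on a secret), which is exactly the property the byte-wise scheme lacks.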
In the next post I will illustrate some examples and the rules for this code simplification.
I am still convinced that there are patterns in the simplified code and that it could be reduced further; I just haven't had the time yet.