Chrysler Secure Gateway Module
I thought I would post this here to start a conversation about FCA’s Secure Gateway Module or SGW as they call it. It seems the more I research this system the more questions I have. So I decided to post some of these questions here on Diagnostic Network. I have answers for some of the questions but not all. And I think putting these questions here will lead to more questions being brought up. But that’s what this forum is for, to ask questions and share information. So if you have an answer for these questions or if you have other questions, please post them so we can all learn about this system. Before reading this I suggest you read a post here on Diagnostic Network by Mike Reynolds from Mobile Automotive Service Solutions. Mike has a lot of really good information on the subject. Thanks for posting Mike.
OK question number one.
Q. Can the SGW be by-passed. A. Yes. There are by- pass harnesses available and all you really need to do is tap into/access the network data lines after the SGW. Keep in mind this is just the first step in the process of securing networks on these vehicles. Speculation is that the next step will be adding a secure component to the body of each message. This could happen within a few years. When this happens simply by-passing the gateway won’t be much help.
Q. Can an aftermarket scan tool be used on vehicles with an SGW. A. Yes. Aftermarket scan tools have limited access. According to FCA information an aftermarket scan tool can retrieve limited data PIDs and DTCs but cannot erase DTCs. You will not have access to bi-directional controls. I have not connected to a vehicle yet to verify any of this, I want to get as many questions as I can before I hook up to a vehicle with an aftermarket scan tool and find out what can and cannot be done. I suspect that the limited data available will be generic or Global OBDII data pids. I don’t know if we will be able to retrieve VIN numbers but suspect we should.
Q. Can you reprogram modules on SGW vehicles using J2534? A. Since you can use a J2534 device with a wiTECH subscription you should be able to reprogram with J2534. Note that although a J2534-2 device will work with wiTECH 2018 and up FCA vehicles as well as some models back to 2015 use MEGA CAN and require J2534-3 devices. You may have limited functionality on these vehicles with J2534-2 devices.
Q. Do any aftermarket scan tool manufacturers plan to get their tools authenticated?A. Unknown. Hopefully someone from Snap-on or Bosch etc will answer this question. At time of writing only authenticated tools can access the vehicle networks, and only with an active wiTECH subscription. Information I found online indicates that aftermarket tools can be authenticated by FCA. But I cannot verify this information. Plus there is the fee involved in authenticating the tool. Will there be enough demand while these vehicles are under warranty to warrant the cost?
Q. Which tools are authenticated and will work on these vehicles?A. At time of writing only the FCA factory scan tool, the WiTech is authenticated. And an active subscription is needed to exchange security keys between the vehicle and the FCA server. Once a connection has been established if it is interrupted or lost you need to start over again with the establishment of the security keys. This means to road test the vehicle you will need a mobile device with internet access to establish and maintain the connection for the scan tool to communicate with the vehicle.
Q. Can I turn off the MIL with an aftermarket device?A. Unknown. FCA information says you cannot erase DTCs but that may be a wording issue. By that I mean you may be able to erase DTCs and turn off the MIL but because we only have access to emissions related DTCs when they are erased they remain in $10 permanent DTCs. This may be what is meant by “DTCs cannot be erased”.
Q. If the SGW is bypassed will it set a DTC?A. Unknown. It is possible that the SGW could detect unauthorized activity on the network and store a DTC that could then only be read by an authorized device.
Q. Are other manufacturers going to follow FCA and start using gateway modules to isolate the DLC from the networks?
A. Yes. Ford and General Motors are and according to information here on DN so are Subaru and Nissan. Expect to see this on other manufacturers as well.
That’s it to start. If you have answers or more questions or disagree with something here let me know. Let’s all learn together.
Hello again Allan, good topic. RE: question 4 I believe I have read elsewhere in this forum that Snap - on and G - scan have been granted permission to develop an aftermarket version, utilizing the Fiat Chrysler Automobiles FCA resources. This could be a worrying trend that FCA or others "grant" access to certain aftermarket tool developers, and not others. I understand that this is not as
Here is the post from a few weeks ago that has some information. diag.net/msg/m1fsoznwl3…
Hi Allan. For some reason it seems that this topic is not one of huge interest, that is until it suddenly arrives in service bays with a vengeance. I posted about GM's venture into Isolated Networks here: diag.net/msg/m5on82rckc… with a view to how technicians approaching GM LAN bus diagnostics without doing some research will need to do some research. This is due to the restructuring of the
Thank you Martin for the response and all the information regarding GMs approach to this system. I am also surprised by the lack of interest in these systems. This is the direction manufacturers are taking and it changes the way we will diagnose network issues. We all need to get on board with these changes. Hopefully the more we discuss it the more people will get involved. Not only are we
From the dealership side of the fence I know that at training they inform us that no aftermarket tools will be able to work as intended. For example bi-directional controls, clearing DTCs, etc. They also inform us that any aftermarket insurance pod could disrupt functions of the radio and CAN bus. I'm assuming this is due to the SGW recognizing a foreign connection and blocking off access to any
Thanks for that information Shane. I know that aftermarket insurance and other dongles attached to the DLC cause issues on other manufacturers vehicles even without the secure gateway. There are TSBs advising techs to check for anything tapped into the network communication lines. Any module/device on a network can cause communication issues, but isolating that device during diagnosis can be
I may be out of my depth here, but I feel it's actually a waste of time on the part of the OEM, at least in terms of an actual "security" measure. It's introducing a new failure point with little actual benefit besides allowing FCA or whomever else to make it after for aftermarket/independent repair to access the vehicle. If someone wants to get around it they will. Anyone who has gone through
I agree Chris, if it can be developed it can be hacked. It’s just a matter of time and how bad someone wants it. Introducing coding into the actual messages will take diagnosis to another level. And the hackers they are trying to keep out will already have a way around whatever new security measures they have in place anyway. It’s an endless circle of develop new tech, hack the new tech…
Allan, I agree 100%. The other concern is how does one prove that the problem lies within corrupted software if said corrupted software does not allow one to access the network in order to confirm/deny suspected corrupted software. Or the myriad of other potential faults that can be introduced with a single line of bad code or misinterpretation by a module due to EMI, voltage fluctuations…
Hi Chris sorry for the late reply. Try this link to a post by Mike Reynolds here on Diagnostic Network. If the link doesn't work just look for FCA Secure Gateway Module-Discussion-Network Communications-Security. Mike has some great information in that post. Also a short term subscription to techauthority.com
Good morning Shane, Are you able to capture a sample of that signal via scope?
Me and Mike Reynolds did capture one. I will get it and upload it for you
So pretty much for the people that are not invested in the factory tools it all comes down to IF/WHEN? When will some of aftermarket tools start to become certified? And from a article I just read it claims that the aftermarket tool would have to be able to connect to the internet and then connect to Chrysler's website to be able to gain access. But lets take Snap on as an example if they were
Thanks for the response Chris, yes the way it works is when the scan tool is connected to the vehicle it has to be online and connected to the FCA server. The server and the vehicle exchange security keys. When authenticated the scan tool is able to communicate with vehicle via the gateway. The connection must be active for communication. If the connection to the server is lost the Secure
Attached are files showing the signal that is sent to the scope when a WiTech pod is hooked up vs when an aftermarket tool is set up. There are 3 different shots of the witech signal, they are just zoomed in for analysis. The shot with no signal is what happens when an aftermarket tool is hooked up. As you can see the SGW recognizes non OEM tools and doesn't even send a signal.
Thanks for the scope captures Shane. You stated that the SGW recognizes non OEM tools and doesn't even send a signal. Since the scan tool has to be connected to the FCA server to communicate with the vehicle I believe the signal would be sent from the scan tool to the vehicle to initiate communication and the SGW would respond to that signal/request. Since the aftermarket scan tool is not
What you said makes more sense. It was backprobed into the DLC and that explains why there was no signal because the scan tool must have been sending it. With the aftermarket tool it doesn't know to send a signal. Also I haven't found any issues yet with aftermarket pod hooked into the DLC.
Thanks Shane the aftermarket dongles, GPS trackers and who knows what else that gets plugged into the DLC causes enough issues that some vehicle manufacturers have issued TSBs telling techs to look for anything attached to the DLC or even tapped into the data lines when diagnosing concerns related to data bus communication. These things can cause parasitic drains that may not show up because the
Maybe the OE's will put a secure DLC cover on the connector that requires a pin code to open?
So the sample you have captured is the message from the Security Gateway Module to the WiTech and the aftermarket scan tool? Otherwise we would be seeing the diagnostic request from the aftermarket scan tool?
Jaxon I believe what Shane captured was the security key exchange between the FCA (Fiat Chrysler America) server and the Secure Gateway Module which FCA refers to as the SGW. The scan tool needs to be connected to the server to communicate with the vehicle. The server and the vehicle exchange security keys and if validated the scan tool is able to communicate with the networks beyond the
Hello Allan, thank you. I understand the concept of what you have described. The third response to this thread by Shane contains 4 pictures. The third from the left picture shows what appears to be a snap on scope of what is likely to be an ISO15765 Bus, showing nil activity. Specifically; I understand that the aftermarket un-named tool in this analysis does not have effective communication
The image with no activity is what happens immediately after the aftermarket scan tool is hooked in. There is no verification signal at all where as the other 3 images are immediately after the witech tool is plugged in and a verification signal is sent. On the Chrysler vehicles with an SGW there is diagnostic can c wires between the SGW and DLC. So all the modules convey their message to the
It's hard to say what the activity on those screenshots actually was. I originally had an idea of getting a micro- amp clamp and trying to use it inline between the tool and the SGW to see if I could determine signal direction but I didn't have one handy. I attempted to use a low amp clamp with a wire spliced in the CAN circuit and wrapped around the amp clamp jaw as many times as it would let
Ahh, now you're talking, Mike. Do you have any equipment that can translate it into Hex-decimal data? Jax