FCA Secure Gateway Module
Chrysler’s Secure Gateway Module came out this year. You may have heard about it but for those who don’t know it will change some things as far as aftermarket diagnostics is concerned. The following is a comprehensive write up on the SGW. It contains some opinion in addition to information from Chrysler factory training as well as service info pulled from my friend Shane Steele’s 2018 Ram 1500. It is important to note that I am making assumptions that, because of how new these systems are, most of the information I am going to share will apply to all current Chrysler models.
Let’s start by talking about what the Security Gateway Module (SGW) is and what its purpose is. The SGW was implemented in some models in the 2018 model year and all models 2019 going forward. The SGW in short is a module whose function is simply to keep the communication networks secure. The SGW protects the vehicle networks from being exploited by creating a firewall between two portions of the network with the most vulnerability. These are the telematics/radio units and the DLC.
Function:
So how does the SGW work? It separates the vehicle network into private and public sectors. The public sector includes the telematics unit and the DLC. Everything else on the network is considered private. Access to the private sector of the network is limited without authentication. As of now, authentication is limited to Chrysler licensed devices. We will get into this later.
Network structure:
As for the physical structure of the network, the DLC on the 2018 Ram connects directly to the SGW via a Diagnostic CAN C and a Diagnostic CAN IHS bus. The term diagnostic is used to describe the bus from the SGW to the DLC only. The SGW is also connected to the CAN C and CAN IHS busses but in the case of the 2018 Ram, is not directly connected to the LIN bus. It is connected directly to the radio via both a CAN C and IHS bus. Although the SGW wiring diagram may make it look like the SGW functions as a central gateway, it is important to note that it is not used to communicate signals amongst modules on the private side of the network. It serves as a frame gateway and does not provide signal gateway functionality. The SGW does not contain any drivers and does not directly operate or control any vehicle components but rather allows only authenticated messages on to the private networks.
Authentication:
The SGW authentication process takes place in the Chrysler servers. As of now there are two tools that will allow authentication through wiTECH 2.0: the Micropod II and a J2534 device. I got some help from Joey at AE Tools to help explain the advantages/disadvantages of these two options: When using a J2534 device the wiTECH subscription is registered to the software, essentially locking it to the computer. With the Micropod II the wiTECH subscription is locked to the tool allowing it to be used on any computer, tablet, or even cellphone as long as a connection to the internet is available. When working with the Micropod II, the vehicle communicates through the Micropod II directly with the Chrysler servers via WiFi. The browser of said laptop/tablet/cellphone logs into wiTECH to access vehicle communication. The J2534 device will work with the drivers and the downloaded software and port them to the wiTECH cloud instead of using an internet browser. Because of this an internet connection must be available at all times including during test drives. Many dealerships are equipped with WiFi hotspots for this purpose; however, most smartphones now have WiFi hotspot capabilities. Using a Micropod II, the WiFi must be registered on the pod as well as the laptop, whereas when using a J2534 device, which communicates via USB, the WiFi must be registered to the computer only. This can make the pod less desirable for use when test driving. It is important to note that the J2534 wiTECH software only offers coverage from MY 2010 forward. The Micropod II coverage goes back to 2004 on CAN vehicles and covers all models 2009 forward. Chrysler is also using MEGA CAN which is only supported by J2534-3 devices. While a J2534-2 device will work with wiTECH it may have limited functionality on some of the MEGA CAN vehicles.
MEGA CAN is used on everything 2018 up but can also be found in the Renegade and Fiat 500 going back to 2015 as well as the Compass, Alfa Romeo Giulia, and Fiat Spyder in 2017.
Aftermarket Impact:
Unauthorized devices will be allowed read-only or, what Chrysler calls, passive access to the private network. Passive means the ability to read codes and data but does not include the ability to clear DTCs, perform actuator tests, special functions, ECU configuration, flashing, or module resets. At least on the private side of the network.
As a mobile tech I have already had a few calls for code clearing and I foresee that demand growing until the aftermarket comes up with a solution. I spent some time last weekend working with Shane Steele’s 2018 Dodge Ram which is equipped with a SGW. I had the Micropod II along with the Snap-On Verus, Autel 908, and the Gscan, all with the latest updates, hoping to see what they all could do, assuming it would be code and data reading only. What I was hoping to get a better understanding of between the aftermarket tools vs. the OEM tool was what was considered passive vs. active. On the surface it would seem like without authentication, any command requested by the scan tool would simply be ignored; however, I would not have been surprised if an aftermarket scan tool was able to pull the VIN which it would have had to request as well as which data it could request to read. I had many questions and was excited to see what I could learn only to find that none of these aftermarket tools even had any coverage listed for a 2018 Ram or Dodge truck. I tried but could not communicate under previous model years either. I did not think to try the generic side of the tool but from everything I have read my assumption is that the generic OBD modes do not work on these models because of the network structure. I will follow up on this in the future and I think this will make a great discussion topic for another post.
Aftermarket Tooling:
FCA opened up access to aftermarket companies this November. Snap-On and G-scan are working towards a solution but there will likely be some challenges getting a tool to work with the FCA servers and integrating a solution to meet the need for constant WiFi. I myself am curious to see if this will look like a normal scan tool operation or use the aftermarket tool as a pass through with the J2534 interface. I have always said that many of the aftermarket tools are much more user friendly and often offer much better data display and recording features than the OEM tools. I have been overall impressed with the wiTECH software except the data graphing and record functions and would prefer this function on many of the aftermarket interfaces.
If you’re on the AESwave email list then you have probably seen the 12+8 adapter Autel will be releasing. It is not yet available and, in the email, they mention connecting to a 2018 Dodge Ram. Our tool was running version 5.6.00 and did not have the 2018 Ram listed but either way I would anticipate it being available soon. This cable essentially goes in place of the SGW. It will require removal of the unit which as far as I can tell is located either under the driver’s side of the dash or behind the infotainment unit across all models. (The torque spec for the SGW bolts is 44 in-lbs. in case you were wondering.) While removing the infotainment unit may not be ideal, because the SGW does not serve any function beyond securing the network it would seem like this should be a viable solution and would provide full network capability. Furthermore, this solution may be useful in diagnosing faults with the SGW as faults in the SGW may mimic faults in other modules. It is also notable that “no communication with SGW” codes do not exist.
There is already talk in the industry about how the SGW is just another tactic to cut the aftermarket out of service. I think it is important to talk about the security vulnerabilities, how Chrysler has addressed them, and how we may see other manufacturers jump on board with similar systems going forward.
Robby Schrimsher shared a YouTube video with me in another thread that details how two hackers were able to use the radio in a 2014 Cherokee to take control of many vehicle features including the steering and braking. The video goes into detail about how the hackers studied potential weaknesses in the system and were able to manipulate them even going so far as to talk about the potential to target specific VINs and control them remotely using the cell networks, without ever needing to make physical contact with the vehicle. This made big news back in 2015 and in my opinion ultimately played a role in the development and implementation of the SGW.
In addition to telematics units, the SGW also isolates the DLC which is what we, in aftermarket repair, are concerned about. Consider how many cheap Chinese dongles I am sure many of you have removed from your customers’ vehicles in order to connect your scan tool. I would say at least 25% of the vehicles I see daily have a dongle from either an insurance company, a DLC-to-cellphone code reading device, or fleet/mileage tracker. All of these units work wirelessly and many of them transfer data directly through wireless or WiFi networks. It stands to reason that if hackers can hack a factory Chrysler radio/telematics unit, that getting into one of these networks would be less of a challenge. Furthermore, as I learned in the above-mentioned video, the hackers were faced with challenges getting messages from the radio on to the CAN network whereas hacking an aftermarket dongle would give us direct access to the CAN network… at least in a vehicle without an SGW. Hopefully I have painted a picture of why this type of technology is necessary and likely to become standard with other vehicle manufacturers.
I am told that other manufacturers like Ford, Nissan, and Subaru are following suit and that they may even be rolling them out in … models. I don’t necessarily think this will make the aftermarket scan tools obsolete, but I do see many changes on the horizon. Maybe the aftermarket tools are able to integrate with the OEM systems which would likely give them OEM capabilities like flashing which would come just in time for OTA programming. At the same time, I could see this driving the cost of the aftermarket tools sky high. Either way, changes are coming. I would love to hear everyone else’s thoughts and predictions.
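The passive/active split described in this write-up, modelled as an allowlist inside a frame gateway. This is an added example, not part of the original post and not FCA's implementation; the mapping of the post's categories to UDS (ISO 14229) service IDs, the `FrameGateway` class, the CAN ID and the sample frames are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# UDS (ISO 14229) service IDs grouped by the post's passive/active split.
# The grouping is this example's assumption, not FCA documentation.
PASSIVE_SERVICES = {
    0x19: "ReadDTCInformation",
    0x22: "ReadDataByIdentifier",
    0x3E: "TesterPresent",
}
ACTIVE_SERVICES = {
    0x11: "ECUReset",                        # module resets
    0x14: "ClearDiagnosticInformation",      # clearing DTCs
    0x2E: "WriteDataByIdentifier",           # ECU configuration
    0x2F: "InputOutputControlByIdentifier",  # actuator tests
    0x31: "RoutineControl",                  # special functions
    0x34: "RequestDownload",                 # flashing
}


@dataclass
class FrameGateway:
    """Forwards diagnostic-side CAN frames to the private bus, or drops them."""
    authenticated: bool = False              # set once server-side authentication succeeds
    _open_transfers: set = field(default_factory=set)

    def decide(self, can_id: int, data: bytes) -> tuple[bool, str]:
        if not data:
            return False, "empty frame"
        frame_type = data[0] >> 4            # ISO-TP PCI type (ISO 15765-2)
        if frame_type == 0:                  # single frame: [len][SID]...
            sid_index = 1
        elif frame_type == 1:                # first frame: [1L][LL][SID]...
            sid_index = 2
        elif frame_type == 2:                # consecutive frame follows its first frame
            ok = can_id in self._open_transfers
            return ok, "continuation" if ok else "continuation of a dropped request"
        elif frame_type == 3:                # flow control carries no service request
            return True, "flow control"
        else:
            return False, "unknown ISO-TP frame type"
        if len(data) <= sid_index:
            return False, "truncated frame"
        sid = data[sid_index]
        self._open_transfers.discard(can_id)
        if sid in PASSIVE_SERVICES:
            allowed, name = True, PASSIVE_SERVICES[sid]
        else:  # listed active services and anything unlisted need authentication
            allowed = self.authenticated
            name = ACTIVE_SERVICES.get(sid, f"service 0x{sid:02X}")
        if allowed and frame_type == 1:
            self._open_transfers.add(can_id)
        return allowed, name


# Constructed sample traffic from a tool on the diagnostic bus (0x7E0 is sample data).
SAMPLE = [
    (0x7E0, bytes.fromhex("0322F19000000000")),  # read a data identifier
    (0x7E0, bytes.fromhex("0319020800000000")),  # read stored DTCs
    (0x7E0, bytes.fromhex("0414FFFFFF000000")),  # clear DTCs
    (0x7E0, bytes.fromhex("052F123403010000")),  # actuator test
    (0x7E0, bytes.fromhex("10122E1234AABBCC")),  # multi-frame write, first frame
    (0x7E0, bytes.fromhex("21DDEEFF00112233")),  # its consecutive frame
]


def run(authenticated: bool) -> list[bool]:
    """Return the forward/drop decision for each sample frame, in order."""
    gw = FrameGateway(authenticated=authenticated)
    return [gw.decide(can_id, data)[0] for can_id, data in SAMPLE]
```

Generic OBD services are outside this model: their service IDs fall into the default-deny branch here, which says nothing about how the real module treats them.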
Excellent write up Mike, thanks for taking the time to do this. I can see the by-pass cable being popular with these vehicles as it connects to the busses after the SGW and wouldn't require an internet connection. Much better for road testing. Also once you're past the SGW you should be able to reflash modules. Although since the files have to come from the FCA server they may still block access
Thank you. If I had to guess I don't think module flashing will be done bypassing the SGW. Autel's solution of bypassing the SGW allows them to work around gaining security access through the FCA servers which they would need access to anyway in order to do any programming. If in the future aftermarket scan tools end up coming up with a format that allows them to gain authentication from the
Thank you for the info. I was quite surprised to learn they had implemented J-2534 wiTECH functionality. The last I heard they were still violating the "rules" on that, :-) Out here, where the typical customer is 15-20 years behind "new", I always wonder what these cars will look like by the time they are seen by us. I imagine all the SGW will have been thrown away with a permanent tuner bypass
Yea I think they are slowly getting on the J2532 bus so to speak but the catch is still the cost of registering the devices and then getting them to work with each other. I don't have every single OEM tool on the market but from what I do have I think FCA is far ahead of the curve. I know many of the others use Bosch software and hardware so I am wondering if they will eventually transition to
Mike said "I think EEPROM work might be the ticket there and is one thing I would like to learn in the future." Yes! There are a couple guys who have written about that stuff over on iATN. Recently one showed how he wiped/virginized a Global A module so it could be used in another vehicle. Looks easy when HE does it....LOL
Haha yup! They're out there risking bricking modules while guys like me are waiting till they have it figured out to learn it. This slow shift towards an industry wide culture of training and education will hopefully be led by those guys as they charge us all boku bucks to learn from them!
It seems to me, that if a couple of guys screwing around in their home garage can do it, then the AM scan tools can't be far behind. Hook-up Autel, press the "make virgin" button, then use GM SPS to program like new. Or if that's too Sci-Fi to work, then Launch will sell a wand that just zaps the ee-prom (or whatever) into submission. The Doctor Who sonic screwdriver would work. (TV nerd
Let's be realistic... they would never let it be that easy for us...
I just want to add the website with the list of approved j2534 devices for witech. I actually sent them an email this week to try to confirm what I had heard about using the Cardaq M with mega can adapter. Here is the link: kb.fcawitech.com/article/fca-us…
FYI Tanner. The Cardaq Plus 3 is not on the list in the FCA website but it does work and, more importantly, FCA will approve it when you register.
That is interesting that the M is on there before the Plus 3. I wonder if there is a difference between approved devices and devices that can be registered. What I mean by that is that maybe they will allow you to register an Autel J box but not support it because it is not approved. I will have to follow up on that.
Mike, I think that it has to do with the fact that companies like Drew Technologies have to pay vehicle manufacturers to validate their devices. This cost money but I'm guessing that it is time consuming. I'm also wondering how comprehensive the validation is. There's no way that they are verifying that every function works on every car. We know that's not realistic and we see evidence of it in
Is this really a solution though? If hackers can get into anything these days, and they do. Then, in my opinion, this only truly affects the aftermarket and shops without witech the most. Won't they come up with a bypass? I'm no programmer, but I am concerned about manufacturers not letting the average Indy shop do something as simple as bidirectional control. I heard that recently one has to
Mario, Autel has a bypass cable. It just isn’t available yet. Also if you connect to the networks after the SGW you can access them. This isolated the DLC but really wouldn’t stop someone who has access to the vehicle from hacking into the networks. Just makes it difficult to access. Also the tuners already have workarounds for loading their custom programs. At least one sells a bypass cable
It is easy to see some manufacturers would rather have no one else work on the products they produce, or in simpler terms, have a monopoly on where the owners can bring the vehicle for service / repairs. We DO have the ability to explain to our customers the "lock-out" the manufacturers imposed and we DO have the ability to make recommendations of brands which do not impose the restrictions
First let me say that I am so far from being a hacker I can barely log into my own computer at times. From what I have read there were some serious vulnerabilities on Chrysler vehicles that were addressed with the SGW. If I had to guess the SGW makes it impossible or at least reasonably impossible to hack without modifying the vehicle. That's the point that I think really matters to the OEMs. I
youtube.com/watch?v=GmuHsC… They have the key programming figured out. Nice write up, thanks.
That is pretty cool and seems like an easy process. Thanks for sharing.
You wrote: "I did not think to try the generic side of the tool but from everything I have read my assumption is that the generic OBD modes do not work on these models because of the network structure." I can tell you the OBD communication is possible and required but maybe I am misunderstanding what you meant. I just checked some data and I can confirm that very vehicle (2018 RAM) can
I have an 18 ram and I have an Edge product on it so I can view live data. It gives me more than generic data. I can view vgt pos, Egts, egr position, trans temp, tells me when I'm in regen, etc. Not sure if they figured out a way to bypass but it works...
Edge like a tuner? Viewing data through the scan tool is allowed but essentially, bi-directional functions like clearing codes are not. The issue that I had with the aftermarket tools was moreso because they didn't even list the 18 RAM in the vehicle specific menu. That being said a $40 scanner from Autozone should still be able to read data and codes just not clear them.
From the tuner company, yes. Mine has the ability to be "unlocked" and then it can tune the truck. I do not have that function. Not interested in deleting. I only wished to view data as I tow a camper frequently. I'll try and see if my snap on scanner is able to id the truck tomorrow in generic and enhanced. May be too new still. We have a witech at work so I've only used it. Mine is updated to
It shouldn't be able to rewrite any software without a bypass cable but I wouldn't be surprised if they had one. I would be curious if you can auto ID the truck. I was surprised my Snap On didn't.
So I was not able to auto ID the truck. The software only goes to 2017. I was able to ID it as a 17 manually and I was able to view all live data in any module. I was not able to do any bidirectional control though. The Ethos tech( at 18.4) would act like it would work but there was no actual function happening. This was in the ecm, heated seat, hvac. Actuating the blower motor, fan clutch…
That is interesting. Everything I read said that it would be impossible to clear codes in generic mode. Next one I get my hands on I'm looking forward to trying. I guess that means at least ECM codes can be cleared. I looked and the Verus I was using was running 18.2. I guess I thought it was fully updated. Thanks for checking it out!
I finally remembered to attempt to clear engine codes, using the generic side of the scan tool, on an 18 Cherokee today. It successfully cleared them. It makes me wonder how that process works. I assume that the clear codes command must go into the SGW and the SGW makes the decision to send the same command to the ECM.
Maybe I'm late to the party but I'd expect the new FCA vehicles to still follow EPA/CARB regulations that allow display of generic powertrain DTCs, generic data, and allow those codes to be cleared. Permanent DTCs will remain.
The FCA documentation was pretty clear that aftermarket tools would have no bidirectional controls which includes code clearing. I'm not surprised that emissions related codes could be cleared but I wouldn't have been surprised if they couldn't. I'm sure keeping vehicles from being hacked and remotely controlled might be considered an acceptable reason to trump emissions regulations. I'm not
"my assumption is that some of the generic modes do not work on these models" Thanks for catching that. You mean you have hooked up a scan tool and pulled data on the generic side? Did all of the typical generic modes work except clearing codes? Often I will try to access mode 6 on a non SGW equipped vehicle and have issues. I have no idea if that's on the tool side or vehicle side. The MIL as
I see plenty of U codes commanding the MIL on as well as B and C DTCs. The most recent was a B DTC in a Neon for HVAC heater fan speed. I am specifically wanting to verify what I already know, these firewall modules can command the MIL when they fail or are bypassed resulting in a failed emission test in areas that require an OBD test. As far as generic modes, they can’t block those so if
I don't think we are on the same page. If the SGW were to fail in such a way that you could not communicate with it the vehicle would fail an emissions test in the same way it would if you attempted the test with any other no comm vehicle. That does not mean that the PCM will be taken off of the network or that the emissions testing results could not be accessed by tapping into a star
Yeh, definitely not on the same page. That happens too much on the internet. If you ever wander out to Colorado, stop by and we will get it hammered out. Nice topic, good stuff, thanks for taking the time to write this up.
Randy is correct, Services $01-$0A are required, although Service $04 is not quite as well defined in the regulation as I thought. There is no actual requirement to allow clearing of emission-related data until the 2016 regulation, which requires scan-tool clearing starting in MY 2019. Therefore, maybe then some wiggle room on the "blocking" aspect. Previous versions of the reg only have a
Bob, … version does provide clearer guidance on the $04 but I read it as clarifications on how, when and what. If you read CARB staff initial statement of reason for the 2016 version (g) (4.10) was added to clarify both for safety issues and what items were to be reset but not that it was now required. In other words, it was always required, just not called out specifically. The phase
Randy - just so we don't leave any loose ends for these folks, as I mentioned in my email, section (g)(4.10.2) specifically requires emission-related data to be cleared by use of a scan tool (generic or enhanced), also by removal of power to the module. CARB's intent was always to require code clear via scan tool, but never specifically stated it until now. The … phase-in covers this
Ok, but.......:) (4.10.2) For 30 percent of 2019, 60 percent of 2020, and 100 percent of 2021 and subsequent model year vehicles, the emission-related diagnostic information shall be erased as a result of a command by any scan tool (generic or enhanced) and may be erased if the power to the on-board computer is disconnected.... Continuing on.... At a minimum, the emission-related diagnostic
Randy, Sounds like CARB closed the loophole in the system. Clear codes, clear readiness. Great input
I feel the answer will be incorporating J2534 boxes with scan tools. Like Bosch/OTC & Autel does. Then getting those scan tools verified by the manufacturer to work with those vehicles. I wouldn't be surprised if all scan tools went to being a windows based like tough tablet with a J2534 boxed with it. Which if the OEM's were smart they would use Linux since security tends to be better
Guido linked an article recently that seemed to suggest that ISO was looking at a solution that would allow licensed “neutral” (aftermarket) servers to act as a go-between to offer aftermarket access through the OEM server. I won’t be surprised if this becomes the norm.
Thanks for the write up. This makes sense of a body shop situation on a 18 RAM. In early 2018, I sent a tech (when I was at my previous position) to a body shop that stated a no start after attempting code clear with an aftermarket tool. Tech onsite and the battery was dead, hooked up witech 2.0 (we only use OEM tools), cleared whatever codes were there and was done, vehicle started ran etc no