Right to Repair and the Consequences of Legislation
Recently I sat in on a meeting with representatives of a scan tool manufacturer. We were discussing the FCA secure gateway and the wave which it is creating among all the OEMs. We all celebrated as the government compelled the OEMs to give us access in the Aftermarket to service information and programming capabilities. Now it seems that we are seeing retaliation for our efforts under the guise of safety and security.
FCA has, as many of us know, the Secure Gateway Module. Its job is to prevent tools other than an FCA approved tool from clearing codes, using bi-directional controls or programming. One can simply go behind the module and do these functions. Not for long. This was only the first step. Every OEM is looking at encrypting their system to prevent unwanted access. Aftermarket tool manufacturers are forced to pay FCA a $50,000 royalty to be in the club. Then there are recurring charges and technician specific log-in requirements. Within a few years automotive networks will be so locked down there will be no tuning, few scan tool choices for 2017 and up vehicles and only certain people will be allowed to work on vehicles.
My question is how long are we going to take it? Global A VIN locks, Component Protection, LSID/VSP? Who owns our cars anyway? How far do the IP rights of the OEM go before infringing on our rights as the end users and aftermarket service providers? Where is the outrage from the "Green Movement" about parts that end up in landfills due to them only being one time use?
Here is an analogy... If the PC computer market worked like the Automotive OEM world, then every time you changed a board or hard drive you would have to buy another Microsoft C of A. IBM would be the only supplier for parts. If you took the Video card out of one machine, you would be prevented from using it in another. Imagine if Dell locked all their parts to a PC's serial number? Your monitor goes dead, you take one out of storage and hook it up. The PC just beeps at you. Why? The monitor is locked to the PC it was first married to. Oh, it gets better. Instead of being able to obtain drivers freely from the OEM website you have to pay $40 each time you download it. Furthermore the driver is only good for that PC and for a limited amount of time. There was a problem with the original driver. There is an update. It will cost $40. This is what we have been putting up with for at least 10 years. On the programming side with the exception of a few OEMs this has been going on since soon after OBDII was released. I understand Intellectual Property and the effort it takes to produce product. The PC market still thrives with drivers given freely and parts being reusable. Why is the Automotive OEM so arrogant, so stingy and so vindictive?
RIP Autel, it was a good ride.
What are your thoughts? Does this bother anyone else?
Good conversation starter Michael. Most who know me well, also know my passion for keeping the aftermarket shops able to compete adequately regarding diagnostics. For many years I have made reference to feeling like "Chicken Little", warning of the impending doom in the near future - with a similar response from "The Indies" - but alas it appears my predictions are coming to fruition.
(My) Cut to the chase: Due to the fragmentation, the rampant empathetic attitudes which prevail and the microscopic number of sensible individuals which comprise the majority of aftermarket repair shops, "The Indies" will have comparatively LITTLE impact on the manufacturers when compared to the angry CONSUMER, the vehicle owners across this country, who will no longer be able to get their cars repaired where they wish. Until the public also pushes the manufacturers, I believe they (O.E.s) will continue on the current path with little resistance.
A comprehensive consumer educational program MUST be instituted immediately in order for the aftermarket to hope for a fair resolution.
Once the consumers know what the independent aftermarket is faced with, and the resulting limitations, I believe action will begin to help swing the pendulum the other way. Until such time, I see no promising future for "The Indies".
I don't know when you have time to sleep Michael but I can say that we all benefit from the fact that you most likely don't.
This is a very important conversation. There are so many layers, variables, agendas etc. Most in the industry don't even know what it all means and what we're up against. I don't even think that some vehicle manufacturers fully understand what needs to happen and how to manage it. It can be so difficult to comprehend how a decision made today will affect our industry next year. This conversation has to start now and continue until we've worked through the details and have it right.
Our industry's professionals need to pay attention and get involved. During R2R, maybe, we would've had a better chance knowing what to ask for and knowing what the repercussions of our request might be if we would've had more involvement. If we would've had more conversations.
We have to be careful to consider all the variables and agendas. We have to be careful that we know what to ask for and we have to have policies that consider the advancement of automotive technology. We can't afford to limit our policies to address current technologies.
I can tell you that this topic is one of high priority for ASA National. Bob Redding, ASA's Washington DC representative, is very busy with this.
I will add a link below to a discussion on Cyber Security and Data Access that Carm Capriotto recorded for ASA during the ASA Meetings this past April. This is not a detailed conversation. It was designed to bring awareness but if you follow ASA, they will release reports on this topic from time to time. Better yet, as Chris Chesney says, be the bacon. Bacon. Get involved and be committed.
Thanks again Michael for bringing it up.
Hi Michael, I and many others feel your pain. You bring up a lot of good points; simply stated, only car makers get away with it. What can we do is the question and answer. I don’t know! And have no answer. Should we have our customers file complaints each time we have to ask for some sort of permission to work on their vehicle, or would it be gas on the fire?
It seems to me we are in serious trouble in the future. The manufacturers have to protect themselves and there is a certain amount of friendly fire that’s unavoidable. Having OE tooling will not be in reach for most shops, mobile programming, etc.
The RIP Autel comment was made tongue in cheek. It seems that the other OEMs are going to follow suit with encryption beyond the gateway module. The SGM is just a stop gap. More secure methods are being developed. This means that reverse engineering will be moot until the codes are cracked. The encryption for Chrysler is being handled by a firm that works with the DOD. It is difficult if not impossible to circumvent. There is little chance Autel will be invited into the club. Therefore as the OEMs implement their own strategies, scan tool companies that don't pay the ransom and are invited into the club, will no longer have coverage.
It's funny you posted this today. I am currently working through getting my WiTech micropod system up and running again and it's going to take significant time with tech support to get it running again.
I have the updated secure micropodII. I have registered it and used it successfully in the past. The problem I have right now is that since I have not used it for a few months, it has to go through the network configuration process again and likely download and install all the latest updates.
It is quite a hassle to use this type of tool on an intermittent basis. If you're not logging in on a regular basis, you are likely to find yourself in a similar situation. The days of a plug and play tool are going away. Generally I like all the new technology but what I'm dealing with today is a real pain in the ass.
I can understand the need to install the latest updates before using the tool if it's been idle for a while, but having to go through the cumbersome network configuration is just wrong.
Chrysler does offer short term subscriptions but, for the tool to be functional for diagnostics, it's $50/3day. If you want to flash or do a "restore vehicle config" it will be another $35 for a techauthority sub. So if you want to flash a module with the Micropod2 on a short term sub, you will be into it for $85.00.
I miss the days where you buy a CD with all the calibrations and you are covered. Subaru still does this. $75 plus shipping and you are good until the next release. Honda gets it. $10 for a day you have full scan tool access. I spend several hours a week updating and reinstalling software. What a pain.
Another green argument for more ammunition...
All of the EPA final rules I have read usually include verbiage about access to repair tooling. The idea is if it becomes too costly or shops with tools are too far away emissions systems do not get fixed. IMO powertrain module access is not enough anymore. So many things can be tied back to emissions and so many non powertrain modules supply information for engine performance.
In 2005 when I started working for Vetronix there was a lot of discussion about a R2R nationwide. Most of the reps in the room were against it. Me being the new guy in the room asked Jay Meyering during break why we were against it and he explained that if it went through the manufacturers would figure out ways to price the access so nobody could or would be able to work on the vehicles. He was adamant that we did not need legislation as most of the manufacturers were allowing OE access as part of J2534 anyway. We would be much better off having a panel like NASTF requesting aftermarket access and determining what we needed etc. I believed him and I am not surprised that his prediction in 2005 is coming to fruition.
I say we don't take it. How do we fight it? Now we have the Government involved. I say we fight to overturn it. Start a new company or task NASTF with negotiating with the manufacturers. R2R is going to be the demise of many aftermarket shops, aftermarket scan tools and lots of performance tuning companies.
Another possible solution is to invent an aftermarket PCM that anybody can access. Sell it as part of the 100K Service as a celebration of no longer being affected by the warranty department.
Wouldn’t it be good if we could have a worldwide boycott on repairing a vehicle manufacturer's models? Let’s say for one month no independent garages would work on Ford vehicles. The dealerships would be so swamped they couldn’t cope, they would lose millions of pounds in lost parts sales and people would stop buying their cars. Maybe then the manufacturers would realise how much they actually need us.
There are more reasons nowadays than in the past for the OEMs to restrict access to the modern vehicle.
I don’t like it. It’s a result of the internet connected “programmable” vehicle.
As long as we in the aftermarket have unrestricted access to OEM resources to the vehicle and tooling we are protected. Is it costly and cumbersome? Yes. Does it give those of us who invest in the added access an edge? Yes. Is that valuable? Yes. Does it make “us” more valuable? Yes.
I don’t want my family riding around in a vehicle that can be hacked because someone hacked into an Autel server in Taiwan and commanded all 2009 Acuras to go WOT at a specific time and date. The only way to prevent this crap is to ensure that all changes to a vehicle's programming originate from that OEM's server.
We need to pony up and play along, just like in the past only different.
I like it Rusty! If we choose to play as "they" present the rules we are "in the game"; if we choose to go the "less traveled by" road... we may be out of the game.
I had a nice visit last week with a very large aftermarket parts company. They have a very comprehensive line of used, reman, and new aftermarket parts. I have made my views about R2R pretty clear over the years and thought I had a pretty good idea about most of the issues. Well I got an education which added a completely new dimension.
There are laws that protect aftermarket parts companies. I am free to make parts which form/fit/function with few exceptions. The problem now is many parts, even simple door window switches contain software. I am still free to make this switch as long as I develop the software independently to interact with the vehicle network. I can't copy the software out of the factory part. It is my responsibility to ensure the parts operate properly. Now how about we have an HVAC controller. Works great, was well tested and I just sold thousands of them. Manufacturer (insert name here) decides that the PCM or some other control unit needs a software update because of (insert reason here). Well now the new software no longer works with my HVAC controller, and a new software update from the manufacturer will not "fit" on my HVAC control. Who is at fault? Naturally the manufacturer will blame the "sub-standard" aftermarket part even though that would be incorrect. We can also look at it this way. Manufacturer makes a nice trailer hitch. Lots of aftermarket companies make nice things you can attach. Manufacturer "decides" that there is a safety issue with the hitch so instead of it being a square it does a recall and changes them all to a round hole. Aftermarket stuff no longer fits. This is an oversimplification but how is this different than the bits and bytes in parts? Just because you can't see them or touch them.
I don't know the answer here so if anyone has comments I would love to hear them.
Robert, that is a very very interesting take on this. The preserving their aftermarket idea suddenly makes some other things clearer. I have wondered for some time why there is this growing trend towards addressing everything on the vehicle. A lot of it, to my simple mind made no sense. Why does a mirror assembly need addressed? Looking at it thru the lens you posted it makes a lot of sense. For the OEMs. We may be seeing the first flakes of an avalanche. With RFID chips and their replacements, QR coding and ever cheapening microprocessors the possibilities are endless. Collision parts come to mind. The safety argument can be made for virtually every part on the car. Headlight assy's. Do they meet NHTSA standards? Sheet metal, will replacement panels "crumple" in the same fashion as OE? Bumpers, glass etc. In this fashion the vehicle becomes a source of continuing revenue for the OE. For a long time. Every replacement repair will require that a fee be paid. GM and others have already started this with their subscription tiers for programming.
Have you been following the John Deere vs right to repair story? They are arguing that while you may own the actual metal in the machine you are leasing their software. They have defeated R2R in several states. Safety being one of their arguments.
It will be interesting to see how this plays out in the HD marketplace. There, buyers do have power that the auto "indy" side can only dream of. And never achieve. 300 buyers account for 80% of annual sales. Thru the American Trucking Association (ATA) they are not shy in communicating to the OEMs.
Thanks for adding to this. From what little I know about the HD market it is a bit different than passenger cars in this respect. Manufacturers who make "platforms" have to expose vehicle interactions with the networks much more since they may sell you a rolling frame and you bolt on a cement mixer, etc, etc. All the parts need to talk so the network is much more exposed. Different market, higher margins for service, urgency, you name it.
The old arguments used for the high priced tools, and education in our industry are fine but do nothing more than drive up the cost of ownership. Not good for efficiency and our country's GDP. People just have to pay more. There are way better ways. I have argued this for years. In fact my biggest beef with the OEs is that they claim that the "codes" and "control information" for service of their vehicles is proprietary. No Way! This should be part of the owner's manual when you buy the car. And you are 100% right, if a manufacturer sold me a car with failed software it needs to be easy and FREE for me to put it on my car. The mechanisms to do this safely, securely, are easy. They just don't embrace the solutions.
You know how far behind we are out here, so this might all be sorted-out by the time the cars come to me, but it sure will be funny if/when the cars with affordable OE subs can all be fixed at the small shops and the Chryslers all have to go to the dealer.
Word gets around pretty fast "don't buy Chryslers you can't get it fixed".
Then again, we never need OE for anything the customers can actually afford NOW, so it might not matter.
I agree with Robert,
If I buy a vehicle, should the software and firmware in each part belong to me? This is a problem with John Deere. Nebraska tried to take them on. Not sure where that went. We have laws in the US that tell us that "tuning" a vehicle out of EPA compliance is illegal. The OEMs are using this as a reason to restrict access. They have been cheating the EPA tests for years. VW/Audi was caught and reprimanded. Some OEMs seem to be untouchable.
Let us say that changing the code is shut down. What about copying the code to a new ECU? This should be legal and accessible. This also should be available without paying an access fee. It is in the IT world. Imagine instead of having to pay the OEM for the update software hooking up with the old module, inhaling the code, then exhaling the code into the replacement. Most of the time we replace modules it is a hardware issue and not a memory / software issue. Updates should be complimentary. When a new driver or update comes out, Microsoft contacts us on our PCs and tells us an update is ready. GM tells us there is an update and for $40 it can be yours. What if Microsoft told GM, Ford, Chrysler that for every update for every PC and Laptop that they own they will now be paying for updates. There would be pushback and outrage. We as consumers and service suppliers just take it. We pay to play. It gets more expensive every year.
We do need to take security seriously. At the same time we can't be like Chicken Little. It is more likely that the big three get hacked or there is an internal hack within their own organization than from an aftermarket scan tool company. Do you think a software engineer in a foreign country cares what happens to car owners in North America? Would someone without honor write bad code for a big reward? When code is originally written there is a formula used to make sure all the machine code adds up. It is called a checksum. If the code value does not match the checksum there is a checksum error. This shows up as an internal memory error. This comes up as a check engine lamp in the case of a PCM. When memory gets weak or changed by a surge the checksum no longer adds up. Each module has a limited amount of memory space. The code knows how much of the space is used. In order to place a time-bomb into code, the whole code has to be de-compiled, re-written, re-compiled with the same checksum. The rest of the network has to see that module as expected. If this is not done perfectly then the system recognizes a problem and reports it. (Robert explained this as with an aftermarket part) Some of the early diesel tuners ran into this when writing their own code for Ford products. They used more memory than the OEM did. When the vehicle was sold, the new owner ended up with a vehicle that would not pass emissions. The service provider removes all the aftermarket equipment or the tuner box is lost. The vehicle gets reprogrammed with the OEM calibration and halfway through the process freezes. Now you have a brick. How many times do you get strange codes when dealing with "tuned" vehicles? It is due to the one doing the tuning not anticipating every scenario.
I really like the idea of consumer awareness. What manufacturers are going to keep the OBD open and who is closing it? Chrysler has already made their decision. I hear that Nissan and VW are not far behind. Ford is changing their system. Maybe the aftermarket parts manufacturers need to lead the campaign. Maybe Bill Gates would take the OEMs on?
Checksum error can be re-calculated. There are programs for that, and have seen it done. An example would be writing out DEF on a Mercedes diesel after it is cancelled they know what the Checksum formula is and just write in a new value. I agree with Rusty that I would not want to have someone hack the Autel server and write some malicious killer code. The problem is I remember from a chemistry class many years ago the instructor said "there is no such thing as bullet proof glass, they just keep making bigger bullets." The hackers always find a way around the new security. The only ones it really limits is us techs who 99.9999% have no hacking skills.
The other point you made is about 1 use modules. In the past we would repair older vehicles with used parts, because often the value of the vehicle was worth less than what a new part would cost. Now call me a bleeding heart, but someone goes out and buys a Chevrolet Aveo in 2011 (I don't know if you have those vehicles in the US) often because that is all they can afford. Now 8 years later their radio goes, and it is a single use module that costs $3000, the vehicle is not even worth that. Just seems like there is something not right here.
There is a calculation based on the software and configuration data on most modern Daimler/Mercedes ECUs. They refer to it as the CVN, Calibration Verification Number. This was also written into some of our OBD laws but it has been painfully slow to be adopted. The intent is when you do an OBD inspection the vehicle CVN is compared to data that is on file for the particular vehicle. If the CVN does not match, you fail. It runs as a background process in the software just like an OBD monitor we are all familiar with. It catches lots of the tampering but if you throw enough resources at.... It has not been widely implemented because as you can imagine you need to get many government and industry entities to work together. Something that has challenged the whole world. Who, how, and where do you maintain the CVN data? What is the process in a failed inspection? Whose fault is it when things mess up due to no fault of the vehicle owner, and who pays to get it right?
What makes you think it is easier for someone to hack the Autel server rather than one operated by the OE? Perhaps check with Lockheed Martin regarding their F-35 data? :)
Yes, checksum can be recalculated. There are even apps for that. The problem is that unless the module is one that is popular, the checksum may not be one that is known. When cloning many PCMs, the apps and equipment I use will often say "unknown checksum". Since nothing is changed, it really does not matter. When making changes, this creates a problem. (tuning for instance) The changes that would be needed for a time bomb would require much more than a simple re-calculation. There would have to be enough room in memory to add the code. There would have to be a time component in the existing code. You would have to know the seed key in order to add or change code in any of the memory locations. Some manufacturers rotate these keys in order to make access more difficult. What would happen if someone hacked the On-Star system and pushed a worldwide update? Skynet?
I sat through a CTI class on Cyber Security. Very interesting and definitely something to be aware of. At some level it seems that the OEMs are making a claim about security that is true in order to move their agenda forward. (Increasing the difficulty and cost to gain access to proprietary systems) Yes, hackers will eventually break every code that is created. The SGW and other methods will eventually be defeated. (with more than a bypass cable) I totally agree with you on that one.
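The posts above separate a module's internal checksum from the CVN comparison done at inspection. The sketch below is an added example, not code from any poster, OEM or tool vendor, showing the defensive point: a checksum stored inside the image only proves the image is self-consistent, while a CVN checked against a record held outside the vehicle flags any calibration that differs from the one on file. The image layout, the 16-bit additive checksum, CRC-32 as the CVN function and all sample data are assumptions made up for illustration.

```python
import zlib

CHECKSUM_LEN = 2  # assumed layout: payload followed by a 16-bit checksum


def additive_checksum(payload: bytes) -> int:
    """16-bit sum of the payload bytes (toy stand-in for an internal checksum)."""
    return sum(payload) & 0xFFFF


def build_image(payload: bytes) -> bytes:
    """Append the internal checksum, as a flashing tool would when writing an image."""
    return payload + additive_checksum(payload).to_bytes(CHECKSUM_LEN, "big")


def self_check(image: bytes) -> bool:
    """Module-side check: recompute the sum and compare with the stored value."""
    payload, stored = image[:-CHECKSUM_LEN], image[-CHECKSUM_LEN:]
    return additive_checksum(payload) == int.from_bytes(stored, "big")


def cvn(image: bytes) -> str:
    """CVN modelled as CRC-32 over the calibration payload (assumption)."""
    return f"{zlib.crc32(image[:-CHECKSUM_LEN]):08X}"


def inspection_result(image: bytes, on_file_cvn: str) -> dict:
    """Inspection-side check: compare the reported CVN with the record on file."""
    reported = cvn(image)
    return {
        "self_check": self_check(image),
        "cvn": reported,
        "cvn_match": reported == on_file_cvn,
    }


# --- constructed sample data, not taken from any real module ---
STOCK_PAYLOAD = bytes(range(64)) + b"IDLE_RPM=0750"
STOCK = build_image(STOCK_PAYLOAD)
ON_FILE_CVN = cvn(STOCK)  # what the inspection authority would hold for this vehicle

# Case 1: memory fault (one flipped bit); the stored checksum no longer adds up.
_flipped = bytearray(STOCK)
_flipped[10] ^= 0x04
CORRUPTED = bytes(_flipped)

# Case 2: a changed calibration written with a freshly computed checksum.
MODIFIED = build_image(STOCK_PAYLOAD.replace(b"0750", b"0900"))

if __name__ == "__main__":
    for name, image in (("stock", STOCK), ("corrupted", CORRUPTED), ("modified", MODIFIED)):
        print(name, inspection_result(image, ON_FILE_CVN))
```

The modified image passes its own self-check and still fails the on-file comparison, which is why the value of a CVN scheme depends on who maintains the reference data and how.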