How to tackle issues caused by immobilizer and Anti-Theft systems

Aug. 1, 2017

Today’s modern vehicles and the systems that make them work are becoming more and more complex; immobilizer and anti-theft systems are yet another example of this. Advances in key encryption and the advent of systems like smart entry and smart key technologies have changed how we go about diagnosing, repairing and programming these vehicles. Furthermore, the proprietary nature of OEM technologies and the restricting of access to repair information, tooling and security PINs are making servicing these vehicles increasingly difficult. In this article we are going to investigate some of the history of these systems as well as their operation and diagnosis when a problem occurs. Moreover, we will investigate some of the radical changes in how we obtain security information and what we will be required to do moving forward.

Some background
First a little bit of history: St. George Evans and Edward Birkenbuel are credited with inventing the first anti-theft/immobilizer system in 1919. It consisted of three switches, manually set by the driver, through which the ignition switch feed current flowed. If the setting was correct, the magneto/coil was powered up; if it was incorrect, the vehicle would not start and the horn sounded. The setting could be changed by the driver.

European vehicles were mandated to have immobilizer technology as standard equipment by the end of 1998. Australia and Canada followed suit by 2001 and 2007, respectively. Generally speaking, immobilizer systems incorporate the security technology either in the ignition switch/lock or in the key, in the form of either a low-tech resistor or a high-tech encrypted RFID chip.

The first U.S.-manufactured vehicle to incorporate this technology was the 1985 Corvette using GM’s Vehicle Anti-Theft System (VATS). VATS was perhaps one of the antitheft systems many technicians were first exposed to. VATS may have started in the ‘85 Vette, but it was used in many other GM platforms well into the early 2000s. The system is also referred to as Passkey. 

Passkey and Passlock

The technology was all incorporated in the “key,” hence Passkey. The key had a pellet-style resistor integral to the key shank. There are 15 different key blanks with resistance from 402 to 11.2k ohms. The ignition switch had contacts that “read” the resistance by measuring the voltage drop of a 5-volt reference across the key’s resistor. The unique voltage drop was learned by the VATS module the first time the key was cycled leaving the factory and was “cradle to grave,” meaning it never changed. The system uses two tamper modes, short tamper and long tamper, which disable the engine start or crank, and a “fail enable” mode to keep the car starting if a failure occurs after the vehicle “passed theft.” An example of Fail Enable would be a vehicle that starts and runs and then the wires from the ignition switch to the base of the tilt steering column break. The vehicle security Malfunction Indicator Lamp (MIL) will remain on solid, yet the vehicle will continue to start until the battery is disconnected or goes dead. The wiring, the contacts in the ignition tumbler and the pellet in the key were all subject to wear and were common failures with these systems. Tools needed to effectively diagnose these systems are already in every tech’s toolbox — usually a DVOM and a wiring schematic.

Figure 1

Technology advances and security issues prompted the design of the second generation of GM antitheft system, which incorporates the security apparatus in the ignition lock cylinder/ignition switch. This system is known as Passlock. An easy way to differentiate between Passkey and Passlock is to remember where the security technology is incorporated. Passkey is in the key, whereas Passlock resides in the ignition lock cylinder.

Passlock used a regular non-security mechanically cut key. The ignition switch/lock cylinder housing incorporates a special Passlock sensor. The Passlock sensor is a special Hall Effect switch, which is fixed to the housing. The ignition key tumbler assembly has a fixed magnet. When the key is rotated, the magnet is passed through the security Hall Effect sensor. The Passlock sensor is a three-wire circuit consisting of a switched B+ feed, a ground and a 5-volt reference/signal wire. When the magnet passes through the powered Hall Effect sensor, the 5-volt reference is pulled low through a unique resistor and a voltage known as an “R-code” is generated. The R-code is learned by a process known as Vehicle Theft Deterrent or VTD learn, which stores the learned R-code in the module in charge; usually the BCM, IPC or TDM. Many techs are probably familiar with the 10-minute VTD learn, which was performed by turning the key to the start position, letting it spring back and waiting 10 minutes until the security MIL went out. The Passlock system was used in the late 90s and through a lot of the 2000s; the Passlock sensors had many issues and were commonly replaced. Scan data is usually pretty solid on these vehicles. The R-code is displayed as Passlock voltage; it should be the same every time the R-code is generated and should remain at a fairly fixed value, within 0.10 volts.

GM finally went the way of many other OEMs and adopted encrypted key technology, calling it Passkey 3 and Passkey 3+. The security mechanism again resides in the key, in the form of a Radio Frequency Identification (RFID) chip embedded in the head of the key. Many manufacturers have been using this technology in one form or another. Ford has been using this style of system for many years and there is a lot of published information on how it works. Most encrypted-key systems of this type share many general similarities. Let’s examine Ford’s PATS system and its operation.

Ford PATS

Ford Passive Anti-Theft System (PATS), aka SecuriLock in early Ford publications, was introduced in 1996. It uses a security-style key that has an RFID chip embedded in the key head. Each RFID key generates its own unique ID and there are over 72 billion different IDs, certainly an improvement on the 15 different resistor keys that GM Passkey I used!

The PATS system components consist of the RFID chipped key, the transceiver, the module in charge of making the theft decision, the PCM and the data communications network. The PATS transceiver broadcasts a 134 kHz signal through its exciter coil that “tickles” the embedded RFID chip in the key. The chip then broadcasts its unique identifier, which is picked up by the reader coil portion of the transceiver antenna. The keys’ IDs are stored or learned by the PATS module in charge, which could be the PCM, ICM, HEC, VIC, SCIL or a standalone PATS module. Always consult a wiring diagram to be sure of the exact nature of the system you are working on. In addition to the keys being stored, there is also a learned “handshake” between the module housing the PATS functions and the PCM.

There are two dedicated communication lines — the TX and the RX line (Figure 1) — which basically work on a “challenge and response” style protocol, as well as the vehicle’s data communication bus, over which the “passed theft/correct key” response is sent to the PCM. The PATS transceiver biases the TX line with 12 volts and the module housing the PATS electronics pulls it low to talk. The module in charge of PATS biases the RX line with 12 volts and the transceiver pulls it low to communicate. This is the “challenge and response” protocol I refer to. Several manufacturers use a similar style of system. While using a scan tool to pull codes and look into the data stream is always the first step in the diagnostic process and helps to gain some direction, I find that scoping the TX and RX lines (Figure 2) and using some inexpensive tools to check the transceiver antenna may be necessary as well.

Figure 2
Figure 3

For example, let’s say the PCM houses the PATS functionality. When the ignition is cycled from off to on, both TX and RX are at 12 volts. The PCM momentarily pulls the TX signal to ground and then the transceiver follows suit by pulling the RX signal momentarily to ground (Figure 3). As the next part of the challenge/response equation, the PCM rapidly toggles the TX signal to ground and then releases. If the key has responded, the transceiver follows suit, rapidly toggling the RX signal to ground and then releasing (Figure 4). If the key is the correct type and is programmed to the vehicle, both the TX and RX signals will latch high again around 12 volts and the theft decision will be made to crank and start the vehicle (Figure 5).

Figure 4
Figure 5

Obviously there are several components to the equation that have to be correct to have a successful start. If, for example, the key is bad or has no transponder chip in it, then after the PCM rapidly cycles the TX to ground (the challenge), the transceiver will not respond in kind by toggling the RX signal rapidly (the response), because the key never responded after the exciter coil sent the 134 kHz signal. The challenge portion will try again, again looking for a response that never comes. It usually has a distinct look about it as the challenge portion is repeated seven times before it gives up (Figure 6).

Another failure could be that the mechanical cut of the key is correct and the key has a chip in it, but the key is not programmed. This too has a unique signature when scoping the TX and RX lines to see the challenge/response action. The PCM pulls the TX down, and the transceiver momentarily pulls the RX line down. The PCM now releases the TX line and rapidly toggles it, and the transceiver starts to pull the RX line down by rapidly toggling it. The PCM recognizes that the key has the right transponder chipset but is not programmed yet, and quits after a single attempt for that key cycle. This signature looks similar to that of a good key, without the dipped portion that appears when the starter cranks after the theft decision has been made. In addition, code P1260 will set in the PCM and B1600 will set in the module in charge of making the theft decision.

Figure 6

When it doesn’t work right

So let’s look at some broken cars. The first vehicle is a 2001 Windstar, a theft recovery at a used car lot, that is a no start. The column was damaged in the theft attempt and the steering column was replaced with a salvage yard part. The shop requested key programming, thinking that was the issue. The theft lamp is flashing rapidly and codes are pulled with a scan tool. The PCM has a P1260, and a B1600 has set in the module in charge of theft. The factory scan tool was installed, the 10-minute security lockout completed and security access was granted. The keys were erased and programming was attempted to no avail. The steering column clamshell covers are removed and the TX and RX circuits are scoped. The distinct pattern and some logical diagnostics tell the tale.

Note how the challenge/response pattern repeats itself seven times and then quits. As stated earlier, this pattern comes from an incorrect key type or a key with no transponder. After consulting the Ford PATS job aid document available from the www.motorcraftservice.com site, it is determined that the keys are the square-headed H72PT style keys with a 4C transponder used in the 1998-2000 Windstar. This vehicle takes the domed H84PT style key with a 4D63 transponder. The salvage yard was consulted and the used part indeed came out of a 2000 Windstar and not a 2001.

Let’s examine another vehicle. The vehicle in question is a 2001 Ford Ranger that is a no start; the Theft MIL is flashing rapidly. The shop suspects a key issue and changes out the lock cylinder and two keys. Programming was requested and the keys fail to program. Codes are pulled and a P1260 is present in the PCM, indicating there is a PATS issue causing the vehicle not to start, along with B1681, PATS Transceiver signal not received. This is clearly not a key code. The TX and RX are scoped and the waveforms examined. The PCM is doing its job pulling the TX signal down and rapidly toggling it; however, the transceiver portion does not seem to respond (Figure 7). The RX line clearly powers up, yet doesn’t seem to be pulled low and toggled low. A transceiver checker is used and the antenna is broadcasting. Power and ground are present at the module. A continuity check between the PATS transceiver and the connector at the base of the column indicates there is excessive resistance in the RX circuit. Further investigation reveals an aftermarket remote start was installed and spliced in series with the RX circuit. The owner had purchased the vehicle used and was unaware of its presence. Disconnecting the remote start unit and repairing the wiring back to its original state allowed the key programming to go through without a hitch.

Figure 7
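The TX/RX signatures described in the Ford PATS section and in the Ranger case above can be told apart mechanically from a sampled scope capture. The Python below is an added example, not part of the original article or any Ford tooling; the voltage thresholds, pulse timings and the four sample captures are constructed assumptions, since the article gives no timing values.

```python
# Thresholds and timings are assumptions for illustration, not Ford specifications.
LOW_V = 6.0        # assumed: below this a 12 V biased line counts as pulled to ground
CRANK_V = 11.0     # assumed: a high line sagging below this means the starter is cranking
BURST_GAP_MS = 4   # assumed: low pulses this close together form one rapid-toggle burst

def bursts(samples):
    """samples: [(t_ms, volts)]. Return the pulse count of each burst of low pulses."""
    counts, last_start, was_low = [], None, False
    for t, v in samples:
        low = v < LOW_V
        if low and not was_low:                      # falling edge starts a pulse
            if last_start is not None and t - last_start <= BURST_GAP_MS:
                counts[-1] += 1                      # continues the current burst
            else:
                counts.append(1)                     # momentary pull or new burst
            last_start = t
        was_low = low
    return counts

def classify(tx, rx):
    challenges = sum(1 for n in bursts(tx) if n > 1)   # rapid TX toggling by the PCM
    responses = sum(1 for n in bursts(rx) if n > 1)    # rapid RX toggling by the transceiver
    cranking = any(LOW_V <= v < CRANK_V for _, v in tx[-20:])  # dip after theft decision
    if challenges and not bursts(rx):
        return "RX never pulled low: check transceiver power, ground and RX circuit"
    if challenges >= 7 and responses == 0:
        return "challenge repeated, no response: wrong key type or no transponder"
    if responses and cranking:
        return "good key: theft decision passed, starter cranking"
    if responses:
        return "key responded, no crank: transponder present but key not programmed"
    return "unrecognized pattern"

def wave(lows, length=400, sag_from=None):
    """Constructed trace: 12 V idle, 0 V at each ms in `lows`, 10.5 V sag from sag_from."""
    sag = length if sag_from is None else sag_from
    return [(t, 0.0 if t in lows else 10.5 if t >= sag else 12.0) for t in range(length)]

def toggles(start, n=4):
    """n one-millisecond low pulses, 2 ms apart, beginning at `start` ms."""
    return {start + 2 * i for i in range(n)}

WAKE_TX, WAKE_RX = {10}, {15}                        # momentary handshake pulls
GOOD = (wave(WAKE_TX | toggles(40), sag_from=120), wave(WAKE_RX | toggles(60), sag_from=120))
UNPROGRAMMED = (wave(WAKE_TX | toggles(40)), wave(WAKE_RX | toggles(60)))
NO_CHIP = (wave(WAKE_TX | set().union(*(toggles(40 + 40 * i) for i in range(7)))), wave(WAKE_RX))
RX_OPEN = (wave(WAKE_TX | toggles(40)), wave(set()))
for name, cap in [("good", GOOD), ("unprogrammed", UNPROGRAMMED), ("no chip", NO_CHIP), ("RX open", RX_OPEN)]:
    print(f"{name:13s} -> {classify(*cap)}")
```

With a real capture, export both channels as time/voltage pairs for one key cycle and tune the three constants to the scope's time base before trusting the result.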

Having the right tools makes any job easier. Immobilizer and anti-theft diagnostics are no exception. I am a big fan of the OE scan tool too, but realize not everyone can afford or has access to one. There have been some sweeping changes coming on for a while that are restricting access to security information like PIN codes, repair procedures and tooling. There are locksmith tools that are designed for diagnosing the transceiver’s ability to broadcast and for checking keys; however, some of them require the proper credentials to purchase. Still, there are some simple tools that can be used to verify the transponder halo is actually broadcasting. A quick Google check for “LED key antenna tester” should result in a low-cost method of verifying the antenna is broadcasting the signal to excite the key. Another clever method of checking transceivers, room oscillators and proximity sensors is to use a good old-fashioned AM transistor radio. The 134 kHz transceiver signal is picked up by the radio in the form of “clicking” when placed close to the transceiver.

The proper credentials I mentioned earlier, needed for access to security information, tooling and security PINs, come from becoming a Vehicle Security Professional (VSP) by obtaining an LSID. The LSID VSP application is handled through the National Automotive Service Task Force Vehicle Security Professional Registry. The requirements are to be an automotive service or locksmith professional, pass a criminal background check and carry $1 million in commercial liability insurance in force. An application fee of $75 and $300 for a two-year license are also required. All the information and detailed requirements are outlined on the NASTF website at www.nastf.org.

We have discussed some of the history, the description and operation of some early systems, investigated some similarities RFID systems share and discussed some case studies involving broken cars. Anti-theft and immobilizer systems, like all modern technologies, continue to evolve and become increasingly complex. I believe that if you can develop a sound game plan and have a step-by-step logical approach to diagnosing these systems, they can be tackled. Sometimes this means employing simple tools like an inexpensive LED antenna tester or an AM radio, or maybe it will require leveraging the technology of a labscope. But almost always it can be accomplished by using the greatest diagnostic tool in your arsenal — the one that rests on your shoulders!
