Today’s vehicles and the systems that make them work are becoming more and more complex; immobilizer and anti-theft systems are yet another example of this. Advances in key encryption and the advent of systems like smart entry and smart key technologies have changed how we go about diagnosing, repairing and programming these vehicles. Furthermore, the proprietary nature of OEM technologies and the restricting of access to repair information, tooling and security PINs are making servicing these vehicles increasingly more difficult. In this article we are going to investigate some of the history of these systems, as well as how they operate and how to diagnose them when a problem occurs. Moreover, we will investigate some of the radical changes in how we obtain security information and what we will be required to do moving forward to obtain it.
First, a little bit of history: St. George Evans and Edward Birkenbuel are credited with inventing the first anti-theft/immobilizer system in 1919. It consisted of three switches, manually set by the driver, through which the ignition switch feed current flowed. If the setting was correct, the magneto/coil was powered up; if it was incorrect, the vehicle was not allowed to start and the horn sounded. The setting could be changed by the driver.
European vehicles were mandated to have immobilizer technology as standard equipment by the end of 1998. Australia and Canada followed suit by 2001 and 2007, respectively. Generally speaking, immobilizer systems incorporate the security technology either in the ignition switch/lock or in the key, in the form of either a low-tech resistor or a high-tech encrypted RFID chip.
The first U.S.-manufactured vehicle to incorporate this technology was the 1985 Corvette, using GM’s Vehicle Anti-Theft System (VATS). VATS was perhaps one of the antitheft systems many technicians were first exposed to. VATS may have started in the ’85 Vette, but it was used in many other GM platforms well into the early 2000s. The system is also referred to as Passkey.
Passkey and Passlock
The technology was all incorporated in the “key,” hence Passkey. The key had a pellet-style resistor integral to the key shank. There are 15 different key blanks with resistance from 402 to 11.2k ohms. The ignition switch had contacts that “read” the resistance by generating a resistive voltage drop of a 5-volt reference across the key’s resistor. The unique voltage drop was learned by the VATS module the first time the key was cycled when leaving the factory and was “cradle to grave,” meaning it never changed. The system uses two tamper modes, short tamper and long tamper, which disable engine start or crank, and a “fail enable” mode to keep the car starting if a failure occurs after the vehicle has “passed theft.” An example of Fail Enable would be a vehicle that starts and runs, and then the wires from the ignition switch to the base of the tilt steering column break. The vehicle security Malfunction Indicator Lamp (MIL) will remain on solid, yet the vehicle will continue to start until the battery is disconnected or goes dead. The wiring, the contacts in the ignition tumbler and the pellet in the key were all subject to wear and were common failures with these systems. The tools needed to effectively diagnose these systems are already in every tech’s toolbox: usually a DVOM and a wiring schematic.
Technology advances and security issues prompted the design of the second generation of GM antitheft system, which incorporates the security apparatus in the ignition lock cylinder/ignition switch. This system is known as Passlock. An easy way to differentiate between Passkey and Passlock is to remember where the security technology is incorporated. Passkey is in the key, whereas Passlock resides in the ignition lock cylinder.
Passlock used a regular, non-security, mechanically cut key. The ignition switch/lock cylinder housing incorporates a special Passlock sensor. The Passlock sensor is a special Hall Effect switch, which is fixed to the housing. The ignition key tumbler assembly has a fixed magnet. When the key is rotated, the magnet passes through the security Hall Effect switch. The Passlock sensor is a three-wire circuit consisting of a switched B+ feed, a ground and a 5-volt reference/signal wire. When the magnet passes through the powered Hall Effect switch, the 5-volt reference is pulled low through a unique resistor and a voltage known as an “R-code” is generated. The R-code is learned by a process known as Vehicle Theft Deterrent (VTD) learn, which stores the learned R-code in the module in charge, usually the BCM, IPC or TDM. Many techs are probably familiar with the 10-minute VTD, which was performed by turning the key to the start position, letting it spring back and waiting 10 minutes until the security MIL went out. The Passlock system was used in the late 90s, and through a lot of the 2000s the Passlock sensors had many issues and were commonly replaced. Scan data is usually pretty solid on these vehicles. The R-code is displayed as Passlock voltage; it should be the same every time the R-code is generated and should remain at a fairly fixed value, within 0.10 volts.
GM finally went the way of many other OEMs by adopting encrypted key technology, calling it Passkey 3 and Passkey 3+. The security mechanism again resides in the key, in the form of a Radio Frequency Identification (RFID) chip embedded in the head of the key. Many manufacturers have been using this technology in one form or another. Ford has been using this style of system for many years, and there is a lot of published information on how it works. Most encrypted key systems of this type share many general similarities. Let’s examine Ford’s PATS system and its operation.
Ford’s Passive Anti-Theft System (PATS), aka SecuriLock in early Ford publications, was introduced in 1996. It uses a security-style key that has an RFID chip embedded in the key head. Each RFID key generates its own unique ID, and there are over 72 billion different IDs, certainly an improvement over the 15 different resistor keys that GM Passkey I used!
The PATS system components consist of the RFID chipped key, the transceiver, the module in charge of making the theft decision, the PCM and the data communications network. The PATS transceiver broadcasts a 134 kHz signal through its exciter coil. This signal “tickles” the RFID chip embedded in the key, which then broadcasts its unique identifier; the identifier is picked up by the reader coil portion of the transceiver antenna. The keys’ IDs are stored, or learned, by the PATS module in charge, which could be the PCM, ICM, HEC, VIC, SCIL or a standalone PATS module. Always consult a wiring diagram to be sure of the exact nature of the system you are working on. In addition to the keys being stored, there is also a learned “handshake” between the module housing the PATS functions and the PCM.
There are two dedicated communication lines, the TX and the RX line (Figure 1), which basically work on a “challenge and response” style protocol, as well as the vehicle’s data communication BUS, over which the “passed theft/correct key” response is sent to the PCM. The PATS transceiver biases the TX line with 12 volts and the module housing the PATS electronics pulls it low to talk. The module in charge of PATS biases the RX line with 12 volts and the transceiver pulls it low to communicate. This is the “challenge and response” protocol I refer to. Several manufacturers use a similar style of system. While using a scan tool to pull codes and look into the data stream is always the first step in the diagnostic process and helps to gain some direction, I find that scoping the TX and RX lines (Figure 2) and using some inexpensive tools to check the transceiver antenna may be necessary as well.
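The TX/RX scoping check described above can be expressed as a small classifier over a two-channel capture. This is an added example, not code from the article or from Ford; the voltage thresholds, the result names and the sample traces are assumptions constructed for illustration.

```python
# Added example: classify a two-channel scope capture of the PATS TX/RX lines.
# Thresholds are assumptions, not Ford specifications.
BIAS_MIN_V = 9.0   # a healthy idle line sits near its 12 V bias
LOW_V = 2.0        # below this a node is pulling the line low to talk


def pulses(samples):
    """Count high-to-low transitions, one per pulled-low pulse."""
    count, was_low = 0, False
    for volts in samples:
        is_low = volts < LOW_V
        if is_low and not was_low:
            count += 1
        was_low = is_low
    return count


def line_state(samples):
    """Return 'no_bias', 'idle' (biased, never pulled low) or 'active'."""
    if max(samples) < BIAS_MIN_V:
        return "no_bias"
    return "active" if pulses(samples) else "idle"


def diagnose(tx, rx):
    """Map the two line states to where to look next."""
    tx_state, rx_state = line_state(tx), line_state(rx)
    if tx_state == "no_bias":
        return "tx_no_bias"          # transceiver supplies this bias
    if rx_state == "no_bias":
        return "rx_no_bias"          # PATS module supplies this bias
    if tx_state == "idle":
        return "module_silent"       # module never pulled TX low
    if rx_state == "idle":
        return "transceiver_silent"  # no reply pulled RX low
    return "exchange_seen"


# Constructed sample captures (volts), not measurements from a real vehicle.
GOOD_TX = [12.1] * 5 + [0.4, 12.0, 0.3, 12.1] + [12.0] * 6
GOOD_RX = [12.0] * 10 + [0.5, 11.9, 0.4, 12.0, 12.0]
QUIET = [12.0] * 15
DEAD = [0.1] * 15

if __name__ == "__main__":
    for name, tx, rx in [("good", GOOD_TX, GOOD_RX), ("no reply", GOOD_TX, QUIET),
                         ("no TX bias", DEAD, GOOD_RX), ("no challenge", QUIET, QUIET)]:
        print(f"{name}: {diagnose(tx, rx)}")
```

A line that reads near 0 volts for the whole capture is reported as missing bias, which covers both an unpowered biasing side and a line shorted to ground; the wiring diagram decides which to check first.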