EMC Technologies Pty Ltd – 176 Harrick Road, Keilor Park VIC 3042 Australia
www.emctech.com.au
ROBERT BOSCH
(AUSTRALIA) PTY. LTD.
A.B.N. 48 004 315 628
PROTOCOL SPECIFICATION
SMARTRA III IMMOBILISER Page 1 of 49
F005VP0801
          By                 Date       Signature
Drawn     RBAU-EB/EBS2-JL    03/10/06
Checked   RBAU-EB/EBS2-VA    03/10/06
Approved  RBAU-EB/EBS2       03/10/06
1. ALTERATION LIST
Issue No.  Alteration Number, Description           Valid From  By       Checked
1.0        New Specification for ABIC1 Solution     03/10/06    EBS2/JL
“WARNING: ANY CHANGES OR MODIFICATIONS NOT EXPRESSLY APPROVED BY ROBERT BOSCH
(AUSTRALIA) PTY LTD COULD VOID THE USER’S AUTHORITY TO OPERATE THIS EQUIPMENT.
THIS DEVICE COMPLIES WITH PART 15 OF THE FCC RULES. OPERATION
IS SUBJECT TO THE FOLLOWING TWO CONDITIONS: (1) THIS DEVICE MAY
NOT CAUSE HARMFUL INTERFERENCE, AND (2) THIS DEVICE MUST
ACCEPT ANY INTERFERENCE RECEIVED, INCLUDING INTERFERENCE THAT
MAY CAUSE UNDESIRED OPERATION.”
2. TABLE OF CONTENTS
4.2 EMS TO SMARTRA COMMUNICATIONS DESCRIPTION (OSI MODEL)
4.2.1 Diagram: OSI model
4.2.1.1 Requirements from customer
4.2.4 States of the smartra
4.2.5 System security
5. MESSAGE STRUCTURE BETWEEN EMS AND SMARTRA
5.1.1 Data Packet Breakdown
5.8 4EH – NEUTRALISE A [LEARNT] SMARTRA
6.1.3.1 Diagram: Explaining how to read message flow diagrams
6.22.1 Table: Normal Message Flow
6.22.2 Table: Twice IG ON or Authentication
6.22.3 Table: All modes missing transponder
6.22.5 Table: Special cases
7. REPLACING OF SYSTEM COMPONENTS
7.1 REPLACING THE ENGINE MANAGEMENT SYSTEM (EMS) ECU
7.1.1 Equipment required to replace the EMS in immo system
7.1.2 Process Flow Chart: Replacing Engine Management System EMS
7.2 REPLACING THE SMARTRA ECU
7.2.1 Equipment required to replace a Smartra unit in immo system
7.2.2 Process Flow Chart : Replacing Smartra
F005VP0800 HMC SMARTRA 3 Product Spec
F005VP0702 HMC SMARTRA 3 Engineering Test Spec
F005VP0703 HMC SMARTRA 3 Production Test Spec
F005VS0115 HMC SMARTRA 3 Sales Drawing
3. INTRODUCTION
3.1.1 Immobiliser Background
The Smartra3 immobiliser unit, known as the SMARt TRansponder Antenna (SMARTRA) will need to be
updated as a result of new requirements. The SMARTRA3 will be an update of an existing product.
The existing immobiliser system consisted of a passive challenge-response (mutual authentication)
transponder inside the key head and the SMARTRA unit. The SMARTRA communicates to a Control
Unit (CU) via a dedicated communications line.
3.1.1.1 Model : Proposed Smartra3
This design will use a different microcontroller with on board non-volatile memory and combined voltage
regulator and LIN transceiver system basis chip.
This document shall focus on the communications protocol between the Smartra and the Engine
Management System (EMS). The existing protocol has been used with two new messages added and
existing messages modified. The changes are required due to additional customer requirements.
The document shall present:
• Project background, requirements and proposed design.
• Message Structure between the EMS and Smartra.
• Message Flow charts: EMS to Transponder (via Smartra) considering different device states.
3.2 EMS to Smartra Communications Description (OSI model):
The communications between the EMS and the Smartra can be better described using the 7 layer OSI
model. The diagram below shows the different levels of the interface in reference to the OSI model. It
describes the Physical Layer, the Data Link Layer and the Application Layer.
3.2.1 Diagram: OSI model
[Diagram: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link,
Physical), with the following detail shown for the Application, Data Link and Physical layers.]
Application Layer
EMS Action Messages:
06h (ACK) Acknowledge
53h (ASCII 'S') Software version
4Bh (ASCII 'K') Transponder IDE *
41h (ASCII 'A') Transponder Authentication (Additional info for ID Matching)
57h (ASCII 'W') Transponder Write EEPROM page
52h (ASCII 'R') Transponder Read EEPROM page
4Eh (ASCII ‘N’) Neutralise a Taught Smartra **
54h (ASCII ‘T’) Teach Smartra **
15h (ASCII nak) Negative response *
For every message sent to the SMARTRA from the CU there will be a response from the
SMARTRA unit. Only one command can be sent at a time to the SMARTRA unit.
A negative response to any command is possible.
* - modified message
** - new message
Data Link Layer
The protocol between the Control Unit (CU) and the SMARTRA is defined as :-
Address | Length | Action | Data | CS
The protocol between the SMARTRA and the CU is defined as :-
Address | Length | Data | CS
Byte format: 1 start bit-low, 8 data bits, no parity, 2 stop bits-high
(Idle | Start bit, 1 bit | Data, 8 bits | Stop bit, 2 bits | Idle).
Physical Layer
Dedicated single wire between Immobiliser and Control Unit.
Bi-directional
Asynchronous
Communications @ 4800 baud
Logic Low = 0 V, Logic High = 12 V, Idle State High
With the new proposed Design the Smartra shall have 3 states ([Virgin] and [Neutral] states behave the
same).
3.2.4.1 State transition Diagram:
[State transition diagram: Virgin (follows old protocol, Smartra2), Neutral (follows old protocol,
Smartra2) and Learnt (follows new protocol, Smartra3), connected by transitions labelled 1 and 2.]
3.2.4.1.1 States:
[Virgin] – virgin product after EOL testing.
[Neutral] – part has Diagnostic PIN Number (DPN) and Secret Encryption Key (SEK) cleared using
diagnostic tester so it can go into [Learnt] state again.
[Learnt] – part has been taught a Diagnostic PIN Number (DPN) at the OEM end of line tester or
using diagnostic tester in the field. Secret Encryption Key (SEK) is generated from the
Diagnostic PIN Number (DPN). (refer to 3.2.6)
3.2.4.1.2 State Transitions:
1) Smartra is taught the Diagnostic PIN Number (DPN) and generates the Secret Encryption Key (SEK).
2) Diagnostic Tester places Smartra into Neutral Mode when correct DPN has been entered.
* Note : For backwards compatibility a [virgin] or [neutral] Smartra3 will function as a Smartra2 until unit
If a thief replaces the Smartra with a virgin Smartra, the car will not start because the virgin Smartra does
not match the EMS.
If a thief replaces three components with a matching set (Transponder, Smartra and EMS), then by
breaking the lock barrel the car can be started. However, replacing the Smartra takes time, i.e. longer
than 5 minutes, so as to pass the Thatcham attack test. Refer to section 3.4 – References.
A thief who has access to a Diagnostic Tester and an ECU with its corresponding Diagnostic PIN
Number (DPN) could steal a car in a short time by:
a. replacing the EMS with a matching EMS and transponder set.
b. using the Diagnostic Tester to neutralise the Smartra3, using the secure HMC Diagnostic PIN Number
(DPN) of EMS.
c. using the Diagnostic Tester to program the new Diagnostic PIN Number (DPN) that matches the thief's
EMS Diagnostic PIN Number (DPN).
The security of the system depends on the security of the DPN.
3.2.6 Secret Encryption Key (SEK) Learning
• The EMS and Smartra will generate the Secret Encryption Key (SEK).
• Secret Encryption Key (SEK) is generated from the first 6 bytes of the 9 byte Diagnostic PIN Number
(DPN).
• The DPN is taught to the Smartra and EMS at the OEM end of line tester or in the field.
• The encryption algorithm requires each of the 6 SEK bytes to be an uneven number between 3 and
253.
o Therefore both the EMS and Smartra will use the same function that will check value of PIN
and adjust each byte of the Secret Encryption Key (SEK) accordingly:
• If DPN byte is <3 or >253 then SEK byte = 0x55.
• Else If DPN byte is even then SEK byte = DPN byte – 1.
o PIN number database (PIN for diagnostic interface) shall be maintained and protected by the
OEM and this information is not information that a thief can access.
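The byte adjustment described in 3.2.6, written out as an added example (not code from the specification or from any Bosch firmware). It assumes that an odd DPN byte already within 3..253 is used unchanged, which the rules above imply but do not state; the function names and the sample DPN are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DPN_LEN 9 /* Diagnostic PIN Number length (from the spec) */
#define SEK_LEN 6 /* Secret Encryption Key length (from the spec) */

/* Map one DPN byte to an SEK byte that is odd and within 3..253. */
static uint8_t sek_byte_from_dpn(uint8_t d)
{
    if (d < 3 || d > 253)
        return 0x55;             /* out-of-range bytes collapse to 0x55 */
    if ((d & 1u) == 0)
        return (uint8_t)(d - 1); /* even bytes step down to the odd value below */
    return d;                    /* assumption: odd in-range bytes are kept as-is */
}

/* Derive the 6-byte SEK from a 9-byte DPN. Returns 0 on success, -1 on bad input. */
int sek_from_dpn(const uint8_t *dpn, size_t dpn_len, uint8_t sek[SEK_LEN])
{
    size_t i;
    if (dpn == NULL || sek == NULL || dpn_len != DPN_LEN)
        return -1;
    for (i = 0; i < SEK_LEN; i++)   /* DPN bytes 7..9 do not enter the key */
        sek[i] = sek_byte_from_dpn(dpn[i]);
    return 0;
}

/* Check the constraint the encryption algorithm places on every SEK byte. */
int sek_is_valid(const uint8_t sek[SEK_LEN])
{
    size_t i;
    for (i = 0; i < SEK_LEN; i++)
        if (sek[i] < 3 || sek[i] > 253 || (sek[i] & 1u) == 0)
            return 0;
    return 1;
}

/* Run all 256 possible DPN byte values through the adjustment.
 * Returns the number of distinct SEK byte values produced, or -1 if any
 * output breaks the odd / 3..253 constraint. */
int sek_distinct_byte_values(void)
{
    uint8_t seen[256] = {0};
    int d, count = 0;
    for (d = 0; d < 256; d++) {
        uint8_t s = sek_byte_from_dpn((uint8_t)d);
        if (s < 3 || s > 253 || (s & 1u) == 0)
            return -1;
        if (!seen[s]) {
            seen[s] = 1;
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample DPN, not a real PIN. */
    static const uint8_t dpn[DPN_LEN] =
        {0x00, 0x02, 0x03, 0x04, 0xFC, 0xFE, 0x11, 0x22, 0x33};
    uint8_t sek[SEK_LEN];
    size_t i;

    if (sek_from_dpn(dpn, sizeof dpn, sek) != 0)
        return 1;
    for (i = 0; i < SEK_LEN; i++)
        printf("%02X ", sek[i]);
    printf("\nvalid=%d distinct SEK byte values=%d\n",
           sek_is_valid(sek), sek_distinct_byte_values());
    return 0;
}
```

Because both the EMS and the Smartra must run the same adjustment, an exhaustive check like `sek_distinct_byte_values()` is a cheap way to confirm two implementations agree on every input byte.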
3.4 References
HMC Engineering Spec: No ES95400-09 TITLE: IMMOBILIZER SYSTEM FUNCTIONS,
Spec (Encrypted Smartra3 Type), VERSION D3, 29/06/2006
Thatcham NVSA specification: No TQSD 014.07 TITLE: THE BRITISH INSURANCE INDUSTRIES
CRITERIA FOR VEHICLE SECURITY, NEW VEHICLE SECURITY ASSESSMENT – PASSENGER
CARS, ISSUE 4A, JULY 2006
The proposal for the message structure between the Smartra and the EMS is based on the existing
communications protocol with two additional messages and some modified existing messages. The new
messages and modifications are highlighted in yellow.
4.1.1 Data Packet Breakdown
The protocol between the Control Unit (CU) [EMS] and the SMARTRA is defined as :-
Address | Length | Action | Data | CS
The protocol between the SMARTRA and the CU is defined as :-
Address | Length | Data | CS
[Diagram brackets mark the bytes covered by the length and by the checksum.]
where :-
Address = 49h (ASCII 'I') when CU is addressing SMARTRA.
= 69h (ASCII 'i') when SMARTRA is addressing CU
Length = number of bytes following the Length byte (including checksum)
Action = valid SMARTRA actions are :-
06h (ACK) Acknowledge
53h (ASCII 'S') Software version
4Bh (ASCII 'K') Transponder IDE*
41h (ASCII 'A') Transponder Authentication (Additional info for ID Matching)
57h (ASCII 'W') Transponder Write EEPROM page
52h (ASCII 'R') Transponder Read EEPROM page
4Eh (ASCII ‘N’) [Neutralise] a [Learnt] Smartra**
54h (ASCII ‘T’) Teach a Smartra**
15h (ASCII nak) Negative response*
Note: * Modified existing message.
** New messages added.
Data = data to be exchanged between units.
CS = Checksum - one byte addition of all bytes (excluding address).
The ASCII code naming convention was carried over from existing protocol.
For every message sent to the SMARTRA from the CU there will be a response from the SMARTRA
unit. Only one command can be sent at a time to the SMARTRA unit.
A negative response to any command is possible and is defined in Section 4.10.
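A receiver-side check of the frame layout defined above, as an added example (not code from the specification or from any Bosch firmware). The function names, the status codes and the 32-byte buffer bound are assumptions made for illustration; the addresses, action codes, length rule and checksum rule are the ones in the Data Packet Breakdown, and the sample frames in `main` are the software version request and response shown in this document.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_CU      0x49u /* 'I': CU addressing SMARTRA */
#define ADDR_SMARTRA 0x69u /* 'i': SMARTRA addressing CU */
#define MAX_FRAME    32u   /* assumption: receive buffer bound, not in the spec */

enum frame_status {
    FRAME_OK = 0, FRAME_TRUNCATED, FRAME_BAD_ADDRESS,
    FRAME_BAD_LENGTH, FRAME_BAD_CHECKSUM, FRAME_BAD_ACTION
};

/* Actions listed in the Data Packet Breakdown. */
static int action_is_valid(uint8_t a)
{
    switch (a) {
    case 0x06: case 0x53: case 0x4B: case 0x41: case 0x57:
    case 0x52: case 0x4E: case 0x54: case 0x15:
        return 1;
    default:
        return 0;
    }
}

/* One-byte addition over n bytes (wraps modulo 256). */
static uint8_t sum8(const uint8_t *p, size_t n)
{
    uint8_t s = 0;
    while (n--)
        s = (uint8_t)(s + *p++);
    return s;
}

/* Validate the framing shared by both directions before touching the payload. */
enum frame_status frame_check(const uint8_t *buf, size_t n, uint8_t expect_addr)
{
    size_t len;
    if (buf == NULL || n < 2)
        return FRAME_TRUNCATED;
    if (buf[0] != expect_addr)
        return FRAME_BAD_ADDRESS;
    len = buf[1];                        /* bytes after Length, CS included */
    if (len < 1 || len + 2 > MAX_FRAME)
        return FRAME_BAD_LENGTH;
    if (n < len + 2)
        return FRAME_TRUNCATED;          /* Length claims more than was received */
    if (n > len + 2)
        return FRAME_BAD_LENGTH;         /* trailing bytes after CS */
    if (sum8(buf + 1, len) != buf[len + 1])
        return FRAME_BAD_CHECKSUM;       /* CS covers Length..Data, not Address */
    return FRAME_OK;
}

/* Parse a CU -> SMARTRA request; *data points into buf. */
enum frame_status parse_cu_request(const uint8_t *buf, size_t n, uint8_t *action,
                                   const uint8_t **data, size_t *data_len)
{
    enum frame_status st = frame_check(buf, n, ADDR_CU);
    if (st != FRAME_OK)
        return st;
    if (buf[1] < 2)
        return FRAME_BAD_LENGTH;         /* a request needs Action + CS */
    if (!action_is_valid(buf[2]))
        return FRAME_BAD_ACTION;
    *action = buf[2];
    *data = buf + 3;
    *data_len = (size_t)buf[1] - 2u;
    return FRAME_OK;
}

/* Build a CU -> SMARTRA request. Returns the frame size, or 0 if it does not fit. */
size_t build_cu_request(uint8_t action, const uint8_t *data, size_t data_len,
                        uint8_t *out, size_t cap)
{
    size_t total = data_len + 4;         /* Address + Length + Action + CS */
    if (out == NULL || total > cap || total > MAX_FRAME || (data_len && !data))
        return 0;
    out[0] = ADDR_CU;
    out[1] = (uint8_t)(data_len + 2);
    out[2] = action;
    if (data_len)
        memcpy(out + 3, data, data_len);
    out[total - 1] = sum8(out + 1, total - 2);
    return total;
}

int main(void)
{
    static const uint8_t req[] = {0x49, 0x02, 0x53, 0x55};
    static const uint8_t rsp[] = {0x69, 0x06, 0x41, 0x30, 0x31, 0x2E, 0x30, 0x06};
    uint8_t action;
    const uint8_t *data;
    size_t data_len;

    printf("request status=%d\n",
           parse_cu_request(req, sizeof req, &action, &data, &data_len));
    printf("response status=%d\n", frame_check(rsp, sizeof rsp, ADDR_SMARTRA));
    return 0;
}
```

The length is checked against both the buffer bound and the number of bytes actually received before the checksum is computed, so a frame whose Length byte overstates its size is rejected without reading past the buffer.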
If the SMARTRA unit does not respond to this command then it will not be ready to accept other
communications. This command could be used to determine if the SMARTRA is ready to receive data at
the start of a communications session.
SMARTRA will take up to 5ms to start sending return Acknowledge to the CU.
4.3 53h - Software Version.
CU Request :-
49 02 53 55
SMARTRA Response :-
69 06 Software version in ASCII CS
eg. For software version A01.0 :-
69 06 41 30 31 2E 30 06
Note :- SMARTRA will take up to 5ms to start sending return Software Version to the CU.
4.4.1 0x4B – (Existing) Pre Secret Encryption Key – kept for backwards compatibility
CU Request :-
49 02 4B 4D
SMARTRA2 Response:-
69 05 IDE1 IDE2 IDE3 IDE4 Checksum
IDE1..IDE4 :- 32 bit Identifier.
4.4.2 0x4B – New – Secret Encryption Key – with Encryption check.
CU Request :-
49 08 4B
RN1..RN6 :- Random Number bytes (00-FF)
Note :- RN1..6 can be based on the 4 byte random number from the Transponder Authentication
command (refer to “4.5 Transponder Authentication”). This will avoid extra EMS processing to generate
a random number.
69 05 B0 B1 B2 B3 CS
B0 .. B3 :- Transponder bytes read (00-FF)
This request is only valid prior to key programming procedure with the Transponder in password mode.
Note :- SMARTRA will take up to 100ms to start sending the response bytes to the CU.
Message is instigated by Diagnostic Tester and passed to the Smartra through the EMS. The Smartra
will check if the DPN is correct before changing to [neutral] state.
CU Request :- We request to place Smartra into Neutral Mode:
49 0B 4E DPN1 DPN2 DPN3 DPN4 DPN5 DPN6 DPN7 DPN8 DPN9 CS
DPN1..9 - Diagnostic PIN Number byte 1 to 9
SMARTRA Response :-
69 02 Return CS
Return = 0x01 = Correct PIN changed from [Learnt] to [Neutral]
         0x02 = Correct PIN already in Virgin State
         0x03 = Correct PIN already in Neutral State
         0x04 = Diagnostic PIN incorrect
Note :- The EMS will pass this information to the Diagnostic Tester.
4.9 54h – Teach Smartra
Message is instigated by EMS when the Smartra State is [Virgin] or [Neutral] and if the Diagnostic Tester
wants to teach the Diagnostic PIN Number.
Detection Window :- a. During Transponder IDE
b. During Transponder Authentication requests
c. During Transponder Write EEPROM page requests.
d. During Transponder Read EEPROM page requests.
Detection Criteria :- Corrupted data from Transponder (Tp), or more than one Tp in
the field, or no Tp in the field.
03h Request from Control unit is invalid
Detection Window :- End of CU request message
Detection Criteria :- Protocol layer violation -- Invalid request,
--or invalid check sum,
04h Password mode invalid
Detection Window :- During Transponder Write or Read EEPROM Page
Detection Criteria :- Tp not in password mode, or Transponder transport data has
been changed.
05h Smartra in locked state:
Detection Window :- During access to the Diagnostic functions, teaching or
neutralising a Smartra.
Detection Criteria :- When the DPN is entered while the Smartra is locked.
Refer to section 7.1.6.
1PNh Transponder Programming error (PN = page No. failed, PN = 1..7)
Detection Window :- During Transponder Write EEPROM Page request While
Transponder is in authorised state.
Detection Criteria :- Corrupted data from Transponder (Tp), Or more than one Tp in
the field, or no Tp in the field.
5. MESSAGE FLOW BETWEEN EMS, SMARTRA AND TRANSPONDER
5.1 Background
The message flow between the Smartra and the EMS is described in the following section. The Smartra
is event driven ie. the EMS sends a message, the Smartra response will be sent back to the EMS.
Components missing in system:
If no EMS is present then the Smartra does nothing.
If no Smartra is present the EMS will timeout on the ACK request message.
If no transponder is present the Smartra will send a NAK to the EMS (No transponder).
5.1.1 Starting Communications
The communications start with Ignition switch ON or Key Teaching Mode(14h) and ignition switch ON.
5.1.2 Stopping Communications
The communications stop when:
• no response received from Smartra after EMS attempts to send a message to the Smartra
more than 3 times.
• communication error on Smartra when an EMC or checksum error occurs more than 3 times.
• Authentication is complete. Note in case of ignition off by key before authentication EMS
should not store error.
5.1.3 (Re)Teaching Mode
• EMS should not start communication request (06h/4Bh/…) after IGN ON by Next Key,
• and in case of sending Teaching messages(1Ch…1Eh) from Tester(HI-SCAN or GST) EMS
should start communication request (06h/4Bh/…).
5.1.3.1 Diagram: Explaining how to read message flow diagrams
Authentication Flow : After ignition or accessories is detected by the CU (EMS), the following steps will
normally be taken to validate the key. We have not added any new messages to the flow, only
increased some message sizes.
1) CU provides supply voltage to SMARTRA.
2) CU sends command 06h – ACK.
3) SMARTRA3 responds with 06h – ACK.
4) CU sends command 4Bh - Transponder IDE (+ random number(6 bytes) ).
5) SMARTRA3 responds with the transponder's Identifier (32 bits) [+ Return byte + encrypted number (6 bytes) + State (1 byte)].
6) CU sends command 52h – Read EEPROM Page.
7) SMARTRA3 responds with 15h Negative Response. This indicates to EMS that Transponder is in learnt state.
8) The CU generates a random number and calculates the encrypted lock password, then sends command 41h - Transponder Authentication.
9) SMARTRA3 responds with the encrypted key password.
10) The CU compares the encrypted key password from the transponder (via SMARTRA) with its calculated encrypted key password, if they
match then the key has been authenticated.
Table displays the transponder (TP), Smartra (SM) and engine management system(EMS) states and
the messages that are sent when in the state between the EMS and the Smartra. The message flows
are described in more detail below.
5.22.1 Table: Normal Message Flow
Flow 1: TP = L, SM = L, EMS = L. Mode: Normal message flow. Description: All modules learnt. Same as Flow 9.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE request         0x49 S 0x4B RN1..6          IDE Response              0x69 S R IDE1..4 + ERN1..6 + State byte
Read EEPROM         0x49 S 0x52 PAGE            Negative response         0x69 S 0x15 0xXX
Authentication req  0x49 S 0x41 RN1..4 ELP1..4  Authentication Response   0x69 S EKP1..4
TP = transponder, SM = Smartra, EMS = engine management system.
V = virgin, L = Learnt, N = Neutral, S = size, R = return value, D = data, M = Missing, (old) = Smartra2 compatible EMS unit
Note : ** all messages have Check sum at end but this isn’t shown to simplify matrix.
5.22.2 Table: Twice IG ON or Authentication
Flow 2: TP = V, SM = V/N, EMS = V/L/N. Mode: Twice IG ON or Authentication.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE request         0x49 S 0x4B RN1..6          IDE Response              0x69 S R IDE1..4 + ERN1..6 + State byte
Read EEPROM         0x49 S 0x52 PAGE            EEPROM data Response      0x69 S B0..3
Flow 3: TP = L, SM = V/N, EMS = V/L/N. Mode: Twice IG ON or Authentication.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE request         0x49 S 0x4B RN1..6          IDE Response              0x69 S R IDE1..4 + ERN1..6 + State byte
Read EEPROM         0x49 S 0x52 PAGE            EEPROM data Response      0x69 S 0x15 0xXX
Flow 4: TP = V, SM = L, EMS = V/L/N. Mode: Twice IG ON or Authentication.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE request         0x49 S 0x4B RN1..6          IDE response              0x69 S R IDE1..4 + ERN1..6 + State byte
Read EEPROM         0x49 S 0x52 PAGE            EEPROM data Response      0x69 S B0..3
Flow 5: TP = L, SM = L, EMS = V/N. Mode: Twice IG ON or Authentication.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE request         0x49 S 0x4B DATA            IDE response              0x69 S R IDE1..4 + ERN1..6 + State byte
Read EEPROM         0x49 S 0x52 PAGE            Negative response         0x69 S 0x15 0xXX
Flow 6: TP = V, SM = V/N, EMS = V/L/N (Old). Mode: Twice IG ON or Authentication.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE request         0x49 S 0x4B                 IDE Response              0x69 S IDE1..4
Read EEPROM         0x49 S 0x52 PAGE            EEPROM data Response      0x69 S B0..3
Flow 7: TP = L, SM = V/N, EMS = V/L/N (Old). Mode: Twice IG ON or Authentication.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE request         0x49 S 0x4B                 IDE Response              0x69 S IDE1..4
Read EEPROM         0x49 S 0x52 PAGE            Negative response         0x69 S 0x15 0xXX
Flow 8: TP = L, SM = V/N, EMS = L (Old). Mode: Twice IG ON or Authentication.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE request         0x49 S 0x4B                 IDE response              0x69 S IDE1..4
Read EEPROM         0x49 S 0x52 PAGE            Negative response         0x69 S 0x15 0xXX
Authentication Req  0x49 S 0x41 RN1..4 ELP1..4  Authentication response   0x69 S EKP1..4
Flow 9: TP = L, SM = L, EMS = L. Mode: Twice IG ON or Authentication. Description: Same as Flow 1.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE request         0x49 S 0x4B RN1..6          IDE Response              0x69 S R IDE1..4 + ERN1..6 + State byte
Read EEPROM         0x49 S 0x52 PAGE            Negative response         0x69 S 0x15 0xXX
Authentication req  0x49 S 0x41 RN1..4 ELP1..4  Authentication Response   0x69 S EKP1..4
TP = transponder, SM = Smartra, EMS = engine management system.
V = virgin, L = Learnt, N = Neutral, S = size, R = return value, D = data, M = Missing, (old) = Smartra2 compatible EMS unit
Note : ** all messages have Check sum at end but this isn’t shown to simplify matrix.
5.22.3 Table: All modes missing transponder
Flow 10: TP = M, SM = L, EMS = V/N/L (new). Mode: All modes (missing transponder).
EMS data                    Smartra response          Smartra data
0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
0x49 S 0x4B RN1..6          IDE Response (Negative)   0x69 S R IDE1..4 + ERN1..6 + State byte
0x49 S 0x4B RN1..6          IDE Response (Negative)   0x69 S R IDE1..4 + ERN1..6 + State byte
0x49 S 0x4B RN1..6          IDE Response (Negative)   0x69 S R IDE1..4 + ERN1..6 + State byte
TP = transponder, SM = Smartra, EMS = engine management system.
V = virgin, L = Learnt, N = Neutral, S = size, R = return value, D = data, M = Missing, (old) = Smartra2 compatible EMS unit
Note : ** all messages have Check sum at end but this isn’t shown to simplify matrix.
Valid from: 14/2/06   Print Date: 23 March, 2007   DEV04205.9/I-1
5.22.4 Table: Transponder (Re)teaching mode
Flow 11: TP = V, SM = V/N, EMS = V/N/L (new). Mode: Transponder (Re) Teaching.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE Request         0x49 S 0x4B RN1..6          IDE Response              0x69 S R IDE1..4 + ERN1..6 + State byte
Write EEPROM        0x49 S 0x57 WRITE_DATA      EEPROM write Response     0x69 S 0x57
Authentication Req  0x49 S 0x41 RN1..4 ELP1..4  Authentication response   0x69 S EKP1..4
Flow 12: TP = V, SM = L, EMS = V/N/L (new). Mode: Transponder (Re) Teaching.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE Request         0x49 S 0x4B RN1..6          IDE Response              0x69 S R IDE1..4 + ERN1..6 + State byte
Write EEPROM        0x49 S 0x57 WRITE_DATA      EEPROM write Response     0x69 S 0x57
Authentication Req  0x49 S 0x41 RN1..4 ELP1..4  Authentication response   0x69 S EKP1..4
Flow 13: TP = L, SM = V/N, EMS = V/N/L (new). Mode: Transponder (Re) Teaching.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE Request         0x49 S 0x4B RN1..6          IDE Response              0x69 S R IDE1..4 + ERN1..6 + State byte
Write EEPROM        0x49 S 0x57 WRITE_DATA      Negative response         0x69 S 0x15 0xXX
Authentication Req  0x49 S 0x41 RN1..4 ELP1..4  Authentication response   0x69 S EKP1..4
Flow 14: TP = L, SM = L, EMS = V/N/L (new). Mode: Transponder (Re) Teaching.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE Request         0x49 S 0x4B RN1..6          IDE Response              0x69 S R IDE1..4 + ERN1..6 + State byte
Write EEPROM        0x49 S 0x57 WRITE_DATA      Negative response         0x69 S 0x15 0xXX
Authentication Req  0x49 S 0x41 RN1..4 ELP1..4  Authentication response   0x69 S EKP1..4
Flow 15: TP = L, SM = VN, EMS = VNL (old). Mode: Transponder (Re) Teaching.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE Request         0x49 S 0x4B                 IDE Response              0x69 S IDE1..4
Write EEPROM        0x49 S 0x57 WRITE_DATA      Negative response         0x69 S 0x15 0xXX
Authentication Req  0x49 S 0x41 RN1..4 ELP1..4  Authentication response   0x69 S EKP1..4
Flow 16: TP = V, SM = VN, EMS = VNL (old). Mode: Transponder (Re) Teaching.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE Request         0x49 S 0x4B                 IDE Response              0x69 S IDE1..4
Write EEPROM        0x49 S 0x57 WRITE_DATA      EEPROM write Response     0x69 S 0x57
Authentication Req  0x49 S 0x41 RN1..4 ELP1..4  Authentication response   0x69 S EKP1..4
TP = transponder, SM = Smartra, EMS = engine management system.
V = virgin, L = Learnt, N = Neutral, S = size, R = return value, D = data, M = Missing, (old) = Smartra2 compatible EMS unit
Note : ** all messages have Check sum at end but this isn’t shown to simplify matrix.
5.22.5 Table: Special cases
Flow 17: TP = L, SM = L, EMS = L (new). Description: Miss-matched secret key.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE Request 1       0x49 S 0x4B RN1..6          IDE Response 1            0x69 S R IDE1..4 + ERN1..6 + State byte
IDE Request 2       0x49 S 0x4B RN1..6          IDE Response 2            0x69 S R IDE1..4 + ERN1..6 + State byte
IDE Request 3       0x49 S 0x4B RN1..6          IDE Response 3            0x69 S R IDE1..4 + ERN1..6 + State byte
Flow 18: TP = V/L, SM = L, EMS = VLN (Old). Description: Old EMS new learnt smartra.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x49 0x02 0x06 0x08
IDE Request 1       0x49 S 0x4B                 IDE Response (Negative)   0x69 S 0x15 0x03
IDE Request 2       0x49 S 0x4B                 IDE Response (Negative)   0x69 S 0x15 0x03
IDE Request 3       0x49 S 0x4B                 IDE Response (Negative)   0x69 S 0x15 0x03
Flow 19: TP = L, SM = V, EMS = L (Old). Description: Old EMS with a virgin Smartra3.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE Request         0x49 S 0x4B                 IDE Response              0x69 S IDE1..4
(Following messages are the same as Smartra2.)
Flow 20: TP = L, SM = old, EMS = L. Description: Old Smartra with a new learnt EMS.
EMS message         EMS data                    Smartra response          Smartra data
ACK request         0x49 0x02 0x06 0x08         ACK response              0x69 0x02 0x06 0x08
IDE Request 1       0x49 S 0x4B RN1..6          IDE Response 1            0x69 S IDE1..4
IDE Request 2       0x49 S 0x4B RN1..6          IDE Response 2            0x69 S IDE1..4
IDE Request 3       0x49 S 0x4B RN1..6          IDE Response 3            0x69 S IDE1..4
TP = transponder, SM = Smartra, EMS = engine management system.
V = virgin, L = Learnt, N = Neutral, S = size, R = return value, D = data, M = Missing, (old) = Smartra2 compatible EMS unit
Note : ** all messages have Check sum at end but this isn’t shown to simplify matrix.
The possibility exists that we may need to replace a component in the Immobilizer system. The
components that possibly can be replaced are:
1. EMS (when damaged).
2. Smartra (when damaged).
3. Keys [transponders], when existing keys are lost or damaged.
4. Antenna - (interface to the transponder).
6.1 Replacing the Engine Management System (EMS) ECU
The consequences of replacing the Engine Management Systems (EMS) are :
1. The new EMS needs to be taught with the same 9 byte DPN as the previous EMS had.
2. The Keys need to be re-taught.
Replacing the EMS causes non Smartra changes as well. Transponder Keys have to be re-taught to the
EMS. The EMS requests vehicle specific data from tester. The [virgin] EMS stores the vehicle specific
data and the key teaching can be started. The key teaching is done by the Ignition on with key and
additional tester command. The EMS stores the relevant data in the EEPROM and in the transponder.
Then the EMS runs authentication for confirmation of teaching process. The successful programming is
confirmed by message to tester.
6.1.1 Equipment required to replace the EMS in immo system
The proposed protocol hasn’t changed the existing Key (transponder) teach functionality. The replacing
of keys doesn’t involve any different processing from the Smartra. The Smartra shall pass messages
between the EMS and the transponder as it currently does.
6.3.1 Process Flow Chart : Replacing/Adding Keys
[Process flow chart: Adding new Keys (transponder) - Process flow chart showing changes required on
Smartra after replacing an EMS. Steps shown: Adding new keys; Key Teach Procedure needs
Diagnostic tester interface; return.]
6.4 Replacing Antenna
The proposed changes to the Smartra do not affect the antenna. That is, the lock barrel is passive and
has no unique code to identify it. If the antenna is replaced with an equivalent part, the system will work
as normal.
• The Smartra needs the Diagnostic interface to change state of Smartra to [neutral] state from the
[learnt] state in the field.
• The Smartra needs to use the Diagnostic PIN Number (DPN) to generate the Secret Encryption Key
(SEK).
• For security reasons the Diagnostic PIN Number (DPN) is required to access the diagnostic function.
Once the Diagnostic PIN Number (DPN) is taught to the [virgin] or [neutral] Smartra, the Smartra
enters [learnt] state. The OEM secure Diagnostic PIN Number (DPN) is taught to the Smartra:
o at the OEMs end of line tester after the car is assembled.
o in the field when a Smartra is replaced with a [virgin] Smartra.
• The Diagnostic PIN Number (DPN) will be:
o a 9 byte number that will be Thatcham compliant selected by OEM.
o the OEM will be responsible to maintain a database for Diagnostic PIN numbers (DPN’s)
matching with VIN numbers.
o the diagnostic PIN number will be stored on both the EMS and the Smartra.
7.1.2 The Diagnostics tester interface diagram:
[Diagram: Smartra <-> EMS over single wire asynch bi-dir comms, 4800 baud; EMS <-> Diagnostics
(Tester or Hi-Scan) over k-line comms using KWP2000 or CAN.]
7.1.3 Programming Diagnostic PIN Number DPN (on the Smartra)
The Smartra will learn the 9 byte Diagnostic PIN Number (DPN) at the OEMs end of line tester or in the
field when a module is replaced.
The Diagnostic PIN Number (DPN) will inhibit placing the Smartra3 into [Neutral] state from [Learnt] state
for security reasons.
A new Smartra ECU will be delivered with no Diagnostic PIN Number (DPN) programmed into EEPROM.
In this “production mode” status, all diagnostic functions will be available without having to enter or
program a pin code previously.
Once the Diagnostic PIN Number (DPN) is programmed to the ECU at the car assembly plants end of
line tester, all diagnostics functions are possible until the end diagnostic command is transmitted from
the tester to the control unit or the car assembly plants end of line tester is removed from the vehicle.
This is to say, once the Diagnostic PIN Number (DPN) has been programmed, it does not have to be
entered again to access secured diagnostic functions until the current diagnostic session is completed.
• OEM car manufacturer: the unique Diagnostic PIN Number (DPN) shall be programmed by the
function tester on the line. The OEM needs to maintain a database with the VIN and the Diagnostic
PIN Number (DPN).
• Aftermarket dealer: the dealer must program the unique Diagnostic PIN Number (DPN) using the
diagnostic tester. The aftermarket dealer needs to confirm the Diagnostic PIN Number (DPN) from
the OEM database.
7.1.5 Changing Diagnostic PIN Number (DPN) on Smartra
To change the Diagnostic PIN Number (DPN):
1. the Smartra will need to be placed into [neutral] state.
2. then the diagnostic tester will need to teach the new diagnostic PIN number.
At the next diagnostic session, the pin code is required to be entered correctly to enable the ECU state
change. If pin code is entered incorrectly 3 times, the Smartra will enter a time-out loop where it will not
be possible to retry entering the DPN for 60 minutes ie. a NACK will be sent from Smartra stating that
the Smartra is in locked state. After 60 minutes of IGN ON, the counters and error flags will be cleared
and the DPN can be entered.
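The lockout rule above (3 incorrect entries, then 60 minutes of IGN ON before another attempt), as an added example that is not code from the specification or from any Bosch firmware. All names are hypothetical; the constant-time comparison, clearing the counter after a correct entry, and keeping the counters in non-volatile memory are assumptions the specification does not state, and the PIN values in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DPN_LEN          9
#define MAX_BAD_ATTEMPTS 3   /* from the spec */
#define LOCK_MINUTES     60  /* from the spec, counted only while IGN is ON */

enum pin_result {
    PIN_OK,     /* caller proceeds with the state change (Return 0x01) */
    PIN_WRONG,  /* caller reports Return 0x04, Diagnostic PIN incorrect */
    PIN_LOCKED  /* caller sends negative response 05h, Smartra in locked state */
};

/* Assumption: this struct lives in non-volatile memory, so removing power
 * does not clear the attempt counter or shorten the lock. */
struct dpn_guard {
    uint8_t  dpn[DPN_LEN];
    uint8_t  bad_attempts;
    uint16_t lock_minutes_left;
};

void guard_init(struct dpn_guard *g, const uint8_t dpn[DPN_LEN])
{
    memcpy(g->dpn, dpn, DPN_LEN);
    g->bad_attempts = 0;
    g->lock_minutes_left = 0;
}

/* Compare without an early exit, so the run time does not depend on how
 * many leading bytes of the candidate are correct (added hardening). */
static int dpn_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < DPN_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

enum pin_result guard_try_pin(struct dpn_guard *g, const uint8_t candidate[DPN_LEN])
{
    if (g->lock_minutes_left > 0)
        return PIN_LOCKED;               /* refuse before looking at the PIN */
    if (dpn_equal(g->dpn, candidate)) {
        g->bad_attempts = 0;             /* assumption: success clears the count */
        return PIN_OK;
    }
    if (++g->bad_attempts >= MAX_BAD_ATTEMPTS)
        g->lock_minutes_left = LOCK_MINUTES;
    return PIN_WRONG;
}

/* Advance the lock timer; minutes with IGN OFF do not count. */
void guard_tick(struct dpn_guard *g, unsigned minutes, int ign_on)
{
    while (minutes-- > 0 && ign_on && g->lock_minutes_left > 0) {
        if (--g->lock_minutes_left == 0)
            g->bad_attempts = 0;         /* counters and error flags cleared */
    }
}

int main(void)
{
    /* Constructed values, not real PINs. */
    static const uint8_t good[DPN_LEN] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99};
    static const uint8_t bad[DPN_LEN]  = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x00};
    struct dpn_guard g;
    int i;

    guard_init(&g, good);
    for (i = 0; i < 3; i++)
        printf("wrong attempt %d -> %d\n", i + 1, guard_try_pin(&g, bad));
    printf("correct PIN while locked -> %d\n", guard_try_pin(&g, good));
    guard_tick(&g, 60, 1);
    printf("correct PIN after 60 min IGN ON -> %d\n", guard_try_pin(&g, good));
    return 0;
}
```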
7.1.6.1 Message Flow Diagram (Changing State – correct PIN)
[Message flow diagram: EMS [learnt], Smartra [learnt] -> [neutral]]
1) ACK request: EMS sends 0x49 0x02 0x06 0x08. Smartra3 responds with an ACK: 0x49 0x02 0x06 0x08.
EMS receives ACK.
2) IDE request: EMS sends 0x49 S 0x4B + RN1..6. Smartra responds 0x69 S IDE1..4 + ERN1..6 + State byte.
EMS knows the type of Smartra and the state the Smartra is in.
3) Neutralise Smartra (change state of Smartra to [neutral] request with PIN number): EMS sends
0x49 S 0x4E DPN1..9. Smartra responds 0x69 S Return T1..3.
Smartra will check if PIN number is correct, then the unit will enter [neutral] state. In neutral state the
Diagnostic PIN code is changed to neutral PIN code.
After sending IDE request EMS sends neutralise Smartra command (0x4E) with existing