In July 2015, Wired Magazine published an article entitled, “Hackers Remotely Kill a Jeep on the Highway – With Me in It.” The article described how two hackers gained control over a Jeep Cherokee via the internet. The hackers were able to take over a lot of the vehicle’s functions, including the brakes, transmission, steering, wipers and entertainment system, by using a notebook computer.
The attack, which was arranged and planned, was carried out 10 miles from the vehicle. However, because it was performed over the internet, it could have been carried out from anywhere in the world. (A video of this from inside the vehicle is at: https://www.wired.com/video/watch/hackers-wireless-jeep-attack-stranded-me-on-a-highway.)
Naturally, this stunt made the news quickly, but one of the things that wasn’t well-known was that the hackers released onto the internet most of the software that allowed them to hijack the vehicle, timed to coincide with a convention of “black hat” hackers in Las Vegas. The hackers had been working with FCA US (Fiat Chrysler Automobiles) for nine months before the release of the software so FCA could have a software “patch” available to block this type of attack when the Wired story came out.
As you might imagine, FCA wasn’t happy that the hacking software was released publicly, but it made the patch available to all customers who wanted it. The patch also was integrated into new vehicles that were manufactured after that date.
The main vulnerability of the vehicle was the so-called Uconnect module, which FCA introduced in 2013 and was on hundreds of thousands of vehicles all over the world at the time of the test. The Uconnect module has a built-in cellular connection that runs in the background, and it also can serve as a mobile hotspot.
All that the hacking software required to attack an individual vehicle was the IP address of the Uconnect module. The hackers also demonstrated the ability to scan for vehicles that use this system and, thus, are vulnerable to this type of attack.
The response by FCA to this revelation was interesting. Rather than removing or isolating the vulnerable devices, it doubled down by adding an elaborate firewall system to their vehicles. This was called the Security Gateway and allegedly was designed to thwart a remote hacking attack. In reality, FCA added yet another layer of wireless devices and equipment to their vehicles, which greatly increased the number of places where a vehicle could be vulnerable to future attacks.
Advantage FCA
A well-known statement that typically is applied to politics is “you should never let a crisis go to waste.” The idea is that you can gain an advantage for yourself while watchdogs are paying attention to the crisis at hand. FCA used this “crisis” not only to add technology to their vehicles, but also to force owners to have to go back to the dealerships for any service that even was remotely connected to the security system.
It’s no surprise that FCA, like every other auto manufacturer in the world, wants to bring as much service and repair business back to the dealership as possible. But some manufacturers work harder at this than others. For example, you won’t find any so-called factory-trained Ford mechanics at an independent repair shop unless they used to work at a Ford dealership. Ford simply doesn’t offer factory training to mechanics who aren’t Ford employees. Chrysler used to have extensive training programs for “outside mechanics,” but since Fiat acquired Chrysler, that program essentially has been shut down.
The powers that be at Fiat and Chrysler already were doing everything in their power to make sure that as much business as possible got funneled back to their dealerships. From the time that Chrysler was acquired by Fiat in 2014, FCA has taken many actions that directly affected automotive locksmiths in the United States. (Editor’s Note: The Merger between FCA and Peugeot S.A. was finalized near the end of 2020, resulting in the birth of the world’s fourth-largest auto manufacturer. The new corporate entity is known as Stellantis. As of press time, it still was too early to tell what, if any, changes this merger would bring to the U.S. market.)
One of the first things that FCA did was to cut off locksmith access to Chrysler immobilizer codes — known as SKIM (Sentry Key Immobilizer Module) codes or PIN codes. By denying locksmiths access to these codes, FCA hoped to bring most key duplication and origination back to the dealerships. That didn’t work out quite as FCA had planned.
Aftermarket Solutions
Before FCA pulled the plug on the PIN codes, the good folks at AE Tools & Computers had been working on ways to pull the PIN codes directly from the anti-theft module. At a Just Cars event in 2015, Orvis Kline told me that he considered the DMAX tool from AE Tools & Computers to be essential to anyone who wanted to work on Chrysler vehicles.
On his recommendation, I bought one that day, and within a week, I was in total agreement with him. The DMAX allowed me to pull the PIN directly from the vehicle and then add a new key when duplicating a key and in “all keys lost” situations. On most vehicles, I could do all of this through the onboard-diagnostics (OBD) port, but on some of the first-generation modules, pulling the PIN required removing the SKIM and connecting directly to a single chip. The DMAX also allowed me to do a lot of troubleshooting and rewrite information in cases where a module had been replaced.
My DMAX more than paid for itself in the first six months that I owned it, and I still use it regularly. In fact, on the day I wrote this, I had to make keys for a Chrysler PT Cruiser that, for some reason, wouldn’t communicate with my other tools. The DMAX did the job in seconds. I still don’t know what the problem was with that vehicle, but I don’t really care. The fact that the DMAX got the job done quickly and I was able to move on to the next job was just more evidence of what Kline had said. The DMAX no longer is in production, but the folks at AE Tools still support the tool and provide excellent tech support. (https://www.aetools.us)
Before long, software to pull Chrysler PIN codes started to appear on many aftermarket programmers, and now the inability to get PIN codes directly from Chrysler isn’t an issue, except on vehicles that have the first-generation SKIMs and vehicles that have SKREEM modules. FCA has made several changes to the computer architecture to try to prevent locksmiths from pulling the PIN codes, but each time that it makes a change, someone comes up with a way around the changes. It must have been very frustrating to the engineers at FCA.
Opening the Gateway
It probably shouldn’t be a surprise that when FCA introduced the Security Gateway system, it not only attempted to block hacking attempts, but it also worked to block anyone but the dealer from adding or replacing keys. Soon, the Security Gateway system was used on almost all new FCA vehicles.
The Security Gateway isn’t a single device or system, but an entirely new level of technology that was added to the CAN bus system. Ironically, the CAN bus, or CAN (Controller Area Network), system was instituted by a federal mandate to stop manufacturers from cutting independent service providers out of servicing new vehicles.
Generally, there are two ways for locksmiths to connect to the Security Gateway on any of the vehicles equipped with it. Probably the easiest and most common way to do the job is to connect to the CAN-Hi and CAN-Lo circuits by way of the so-called Star Connector.
The Star Connector is a multiport connector that might be located almost anywhere in a vehicle. There also might be multiple Star Connectors located in various places in a vehicle. The Security Gateway Star Connectors always are colored green and typically will have several connectors attached to them. You can plug a cable from your programmer into any of the open connectors. If all connectors already have something plugged into them, you can unplug one to connect your tool. Just be sure to plug back in whatever you unplugged after you finish programming. (So far, I have encountered only two Star Connectors that didn’t have an open position to plug into.)
The basic Star Connector is used for a lot of other connections in the vehicle wiring, but ONLY the connectors that are part of the Security Gateway will be green. In one case, I came across two Star Connectors that were close to each other, but the Security Gateway connector was somewhat more difficult to see. In fact, I got the feeling that the connectors had been deliberately positioned in such a way to make it difficult to find the correct connector.
The other option is to connect your tool directly to the Radio Frequency Hub (RFH), which handles many radio-frequency operations in the vehicle, including those used by proximity-fob systems. The RFH module might be located almost anywhere in the vehicle, but in many cases, it might require a lot of effort to access it. This is why you most often will connect to a Star Connector.
The RFH module generally has three cables going into it. The connector that you’ll have to disconnect is a 16-pin connector located next to a similar but somewhat smaller connector. (The third cable is located on the opposite side of the module.) Before you can disconnect the cable from the RFH, you’ll have to disengage a gray locking clip. This clip locks the connector in place so it can’t come loose because of vibration. After the clip has been disengaged, you’ll have to depress a plastic spring-tab on the connector to remove the cable.
The cable that you must have to connect to the RFH will have male and female plugs. The male plug is plugged into the RFH to replace the cable that you disconnected. The cable from the vehicle that you disconnected from the RFH then is connected to the female plug on your cable. On the opposite end of your cable, there will be male and female OBD-II plugs. The male plug is connected to the OBD-II port in the vehicle, and the female plug is connected to the normal OBD cable from your programmer.
Because of the way the new RFH cables are designed, they aren’t specific to any one machine but generally will work on any programmer that has the proper software installed. Two of these cables are manufactured by Advanced Diagnostics USA and The Diagnostic Box. The Diagnostic Box cable also incorporates a plug for the Star Connector and an extra-long coiled cord between the OBD-II plugs and the RFH plugs.
Diagnostic Roadmap
Knowing the locations of the connectors that you will have to plug your cables into is critical information to program FCA vehicles. I put the information that I have into a chart. (Download as pdf) Bear in mind that on almost every FCA vehicle, you’ll have a choice of attaching to one of the Star Connectors or to the RFH. In the chart, I listed only the locations of the connectors that I’m aware of. I plan to update this chart as new vehicles are introduced and I discover the locations of additional connectors that I haven’t found. I’ll make updated versions of this chart available on my website at www.autolockinfo.com/locksmith.
A few vehicles require some additional explanation.
Dodge Charger and Dodge Challenger
As you might imagine, similar or related vehicles often have the access points in or near the same areas. For instance, the Security Gateway Star Connectors on the Dodge Charger and the Dodge Challenger can be accessed from either the trunk or by removing the glove box. Obviously, if the trunk is full, you might choose to attack the glove box. If the trunk is empty, the connector in the trunk might be the better option.
In the case of attacking the connector below the glove box, you begin by releasing the two stops on the side of the glove box, which will allow you to tilt it down far enough to pull the glove box out of the dash. This will give you access to the white plastic clip that holds the Security Gateway Star Connector in place. By releasing the tabs and sliding the clip, the Star Connector will drop down into a position where you can access it relatively easily from under the dash.
If you choose to go for the connector in the trunk, you’ll have to pull up the carpet on the passenger side at the point where the floor of the trunk meets the rear seatback. Folding the seatback down might provide you with better access to that area. After the carpet has been pulled up, you’ll see a white Star Connector, which is NOT the one that you want. If you look toward the wheel well and under a flap of sound-deadening material, you should see the edge of the green Star Connector. After you unclip the connector from the floor of the trunk, it will pull out far enough for you to access it relatively easily.
Dodge Durango and Dodge Journey
In the Durango or Journey, one of the Security Gateway Star Connectors is located on the passenger side of the transmission tunnel, behind the forward edge of the plastic trim below the center console. You’ll have to pull the top of the plastic trim down and fold down the carpet at the point where the trim meets the carpet. The green Security Gateway Star Connector then will be visible. It’s a tight fit, but you should be able to plug in to one of the ports on the Star Connector. If you can’t reach the connector, you can use a long pair of forceps to plug in or disconnect the Star Connector and pull it up for better access.
Chrysler Pacifica
The 2017 Pacifica was the first vehicle to get selected portions of the Security Gateway system. There often are programming issues on 2017 models, because some or all of the Security Gateway functions might or might not have been activated, depending on when the vehicle was manufactured. After 2017, Pacificas tend to program more easily, but if you must do a 2017 Pacifica, make sure that your machine supports it before you take the job, and be prepared for problems. I have had to send two customers back to the dealer after being unable to program a fob. In both cases, the dealer replaced at least one module. The easiest Security Gateway Star Connector to attack on the Pacifica is located on the passenger side of the vehicle behind a plastic cover that can be removed only when the sliding door is open. After the cover is off, the Star Connector is easy to attack.
Ram Pickups
There generally are two Security Gateway Star Connectors that you can access easily on these vehicles. I normally attack the Star Connector located under the dash on the driver’s side, near the OBD-II port, but sometimes access to it is blocked by wiring harnesses and add-on trailer-towing devices bolted under the dash. If you can’t access the connector under the dash, there is another one behind the passenger-side kick panel just forward of the door.
Good luck, and if you hear of any other locations not noted, let us know. And if Stellantis or any of its divisions makes any changes, we’ll let you know.
Steve Young has been a locksmith since 1973 and has trained and taught locksmiths since 1988. He is a frequent contributor to Locksmith Ledger.