
Security / Immobiliser - Particularly Td5


simonr


My plan for X-Eng this year is to launch a selection of security products, mostly but not exclusively for Defenders. A couple of these have already been mentioned on different threads.

I have an 03 Plate Td5 110 which has an Immobiliser built in to the ECU. I had assumed that it would be fairly secure - but I'm assured that bypassing it is easy and takes seconds for someone in the know! Unfortunately, nobody will tell me how.

The reason I want to know is to produce something to make it harder! If it's that easy, it serves no purpose other than to lull you into a false sense of security.

The trouble with that is the only people who don't know are the people who need it to protect their vehicle. The people in the know are on the whole the same people who want to steal it - so keeping it secret seems counterproductive!

A good example is the way you can shut up many alarms by shorting the contacts on one of the indicator bulbs. The bulb is flashed by the alarm. Shorting the contacts blows the alarm fuse. The solution is to fit a lower current fuse in line with each of the indicator bulbs so it blows in preference to the alarm fuse!

As they say in computer security circles (quote from the Applied Cryptography book, I think), "There is no security in obscurity".

If one of you happens to know, even if you don't want to post it in public, would you PM me and I'll sign an oath in blood that I will not breathe it to another living soul?

Si

Link to comment
Share on other sites

you need to do something that kills the signal to either the crank sensor or injectors.

i shouldn't say it but if i wanted i could start any normal td5 with my ecu's in seconds as the immo is completely wiped from mine.

so in my eyes you need to break the signal to either but do it in the engine loom somewhere.

the only problem is it takes two minutes to flirt a loom in really rough and its running again.

you would also need to keep the disruption to resistance in the loom down as well.

Link to comment
Share on other sites

The implication from the conversation I had was that on a Td5, with the 10AS Alarm unit active and working and the vehicle immobilised, there is something you can do, without swapping the ECU which will disable the immobiliser. I imagine it's along the lines of shorting / cutting something.

My thoughts on a better immobiliser is one which does pretty much what you say above - but just gives the ECU misleading readings from the various sensors so you get a mass of engine warnings and the engine goes in to limp mode. This doesn't necessarily stop the vehicle being taken, but it will make the thief think this might be an expensive vehicle to fix / pass on - and a slow vehicle that keeps stopping is more likely to attract attention.

The reason I need to know how the immobiliser is knobbled is to make sure the secondary immobiliser is not knobbled by the same knobble!

Si

Link to comment
Share on other sites

........

The reason I need to know how the immobiliser is knobbled is to make sure the secondary immobiliser is not knobbled by the same knobble!

Si

I saw a quote on a FB group saying it was easy to bypass, but there were a few simple things that could be done to make it harder. I'm fairly certain it was Porny from IRBDevelopments who said that. He might be a good person to chat to, although as you are both in the same business then maybe it will be a dead end for commercial reasons.

Link to comment
Share on other sites

I'm sure the immobiliser isn't that advanced on a defender. mine is immo free completely now (all bypassed) they don't have key recognition like say on a disco. what i'm getting at is when our 130 was stolen they just smashed the ignition barrel and started it ala hollywood style.

The immo basically just disables the starter motor from what i'm aware?

Link to comment
Share on other sites

the problem these days though si is people just love to crack stuff.

you stand the chance of spending hours developing a good idea only for someone to buy it, find out how it works, crack it then it gets leaked out and it's game over.

the best bet is to add your own devices or security features that only you, the owner knows about.

that's what i have done.....and it's nothing above there's still other things to cheat.

it's still the age old problem, if they're going to take it, it's going no matter what, all you can do is slow them down with mechanical devices where they have to make a noise to crack it.

or, electric fence the bugger....they will only touch it once.

Link to comment
Share on other sites

The immo basically just disables the starter motor from what i'm aware?

I think it's more than that because when it's immobilised, the starter runs but the engine does not start!

I've spoken to several people in the trade who have said it's impossible without reprogramming - but one person outside who said it's easy and you don't need to reprogram or replace the ecu. I know one person who has had their Td5 stolen even though fitted with an enabled Immobiliser. They had moved the ECU and OBD socket - so there was nothing to plug a programmer or a different ecu in to - but it was still driven away!

Si

Link to comment
Share on other sites

Si, Simon White did a load of job related research into how defenders were being stolen including things around the AS10 rear window etc, it would probably be worth your while dropping him a message. If you don't have it I can PM you his number.

Jason.

Link to comment
Share on other sites

I have one Barry. You're welcome to have a play with it if you like.

Si, I've read something about stolen Td5s usually ending up with the front nearside indicator removed or hanging loose. Whether this was to do with shorting the indicator bulb as you say or simply to get access to and cut the alarm sounder wires I don't know.

Link to comment
Share on other sites

I have one Barry. You're welcome to have a play with it if you like.

......

Cheers James, I'll take you up on that :) If I find anything out I'll let you know so you can sort it before you use it in your build. Do you know if they are sealed?

...... but one person outside who said it's easy and you don't need to reprogram or replace the ecu. I know one person who has had their Td5 stolen even though fitted with an enabled Immobiliser. They had moved the ECU and OBD socket - so there was nothing to plug a programmer or a different ecu in to - but it was still driven away!

Si

Did they get it back Si? If so did the immobiliser still work afterwards?

Link to comment
Share on other sites

Is this a good idea,

Telling people how to stop my alarm??????

Thanks, better get some fuses in the system ASAP, great, thanks

Yes I am sure those in the game know, but let's not help them too much

Andy

I'm not planning on doing a thread like I did for the TD5 Speedo stuff, so the only extra people who get told anything if I find anything out will be SimonR, and Retroanaconda. I believe these two people to be very trustworthy and if it helps SimonR develop something to help secure Defenders then I'm all for that.

Link to comment
Share on other sites

Mine is the non-central-locking variety (270) so I was going to replace it with a central locking version (280), though I believe the only difference is the lack of a relay to drive the CDL motors (which are done direct from the 10AS unit). Think the alarm/immobiliser functions are the same though.

It opens up easy enough, as per this link (re. CDL): http://la7dja.org/defender/cdl/

Link to comment
Share on other sites

Is this a good idea,

Telling people how to stop my alarm??????

Thanks, better get some fuses in the system ASAP, great, thanks

Yes I am sure those in the game know, but let's not help them too much

Andy

I wouldn't be worried about a couple of posts mentioning a possible method. The information is going to be out there somewhere anyway. Every car will have a weak link built into it for legitimate reasons so it can be got into by people like the AA when you lock your keys in it!

I for example know how to get into a certain mid-sized family car, and it involves a similar method to the above. :ph34r:

Link to comment
Share on other sites

I wouldn't be worried about a couple of posts mentioning a possible method. The information is going to be out there somewhere anyway. Every car will have a weak link built into it for legitimate reasons so it can be got into by people like the AA when you lock your keys in it!

I for example know how to get into a certain mid-sized family car, and it involves a similar method to the above. :ph34r:

I don't think there is any legitimate excuse for there to be an intentional weakness in car security in case you lock your keys/fob in the car. Even when these 'backdoors' are left with the best intentions they will be discovered and used for nefarious purposes.

Wouldn't most people rather pay for a new car window than have their pride and joy nicked?

Link to comment
Share on other sites

I personally think that the fact that nobody will talk about the weaknesses in public IS the problem, or at least a part of it. Ask yourself, is your vehicle safer now you know about that one? Maybe not immediately, but hopefully in a few days it will be.

Really there should be a thread about security weaknesses. Forewarned is forearmed as they say. It is of course possible that it would aid a would be criminal, but someone would have told them sooner or later anyway, and so long as solutions to the problems exist, the vehicles saved will outweigh this.

Mr Wabbit, they got the truck back thanks to a cheap eBay tracker - like another one belonging to one of my friends. I've now bought one of the same ones - and it works really well! Send it a text and it replies with a link to Google Maps showing its location!

Do any of you know about the communication between the AS10 and the ECU? One person said you can get around the immobiliser by swapping the AS10 for a knobbed one. I was under the impression that the key fob code was only stored in the ECU. When the AS10 detects a key fob, it passes the code to the ECU which if valid allows it to be started.

However, if swapping the AS10 works, it would indicate that the AS10 checks the code then tells the ECU that it's OK to start? If so, how does it do so? Is it just changing the state of a line or something more secure? Either way, interrupting that line with another switch might be enough? If the AS10 cannot tell the ECU - it shouldn't start?

Si

Link to comment
Share on other sites

.....

Mr Wabbit, they got the truck back thanks to a cheap eBay tracker - like another one belonging to one of my friends. I've now bought one of the same ones - and it works really well! Send it a text and it replies with a link to Google Maps showing its location!

.....

As this one got recovered it might answer a lot of your questions. Would you be able to ask the owner what damage was done? Was the original 10AS still fitted? Does it still work? Had it been accessed?

Feel free to PM answers if you get them.

I do agree with the full disclosure ideal btw ..... but I think responsible disclosure is important especially in these circumstances.

Link to comment
Share on other sites

As far as i know the AS10 has to be paired with an ecu, this can probably be done with nanocom or similar. My ecu is programmed not to look for an AS10 signal. in fact i don't have an AS10 on my truck at all. the green plug that goes to the AS10 has some wires bypassed/joined. it is possible to short out one contact/wire in the ecu instead of re-programming it. With my little green connector (substitute for the AS10) and my immo free ecu (inc modified injector codes) i can start and run any TD5 engine.

If the pikey Ba£$ta£d$ want your truck they will get it

Steve

Link to comment
Share on other sites

.....

Do any of you know about the communication between the AS10 and the ECU? One person said you can get around the immobiliser by swapping the AS10 for a knobbed one. I was under the impression that the key fob code was only stored in the ECU. When the AS10 detects a key fob, it passes the code to the ECU which if valid allows it to be started.

However, if swapping the AS10 works, it would indicate that the AS10 checks the code then tells the ECU that it's OK to start? If so, how does it do so? Is it just changing the state of a line or something more secure? Either way, interrupting that line with another switch might be enough? If the AS10 cannot tell the ECU - it shouldn't start?

Si

I was under the impression the AS10 and ECU had to be synced with nanocom before they worked together.

I wonder how fast the comms between the two are? I have a logic analyser which may allow the comms to be monitored depending on the speed of them.

I read somewhere that the ecu requested a code from the AS10 before starting, if the code was correct it would allow it to start. This would concur with the syncing up of the ecu and 10AS units with nanocom.

Link to comment
Share on other sites
