IHU validation in 9-5


IHU validation in 9-5

Sandwer
I know it's subverting the car's security stuff but has anyone seen the CAN bus conversation between the 9-5 IHU and the car that validates whether the IHU is permitted to be used in the car? I'm trying to work out who the actors are (TWICE?) and who initiates the check.

I'm wondering if there is a way of bypassing the check - there seems to be an increasing number of head units that are forgetting who they are and need remarrying with tech2.

Rich

Re: IHU validation in 9-5

Seth
Administrator
It wouldn't be hard to sniff the traffic between an IHU and DICE/TWICE.

It seems very odd to me that a head unit would "forget" who it's married to and cause the lockout... it could be that the memory chip that holds the immobilizer code is going bad... but that's just a guess. A test for that would be to replace that chip, marry the head unit again, and see if the head unit forgets again.
NC, USA

Re: IHU validation in 9-5

Karlis
Administrator
In reply to this post by Sandwer
There are two players in this case: DICE and TWICE. DICE checks for physical existence of IHU and other nodes on the bus, TWICE checks for security settings/marriage status of a node.

I've done some sniffing of TWICE to figure out how the negotiations between it and the transponder unit are being done to implement car lock/unlock via BlueSaab. It looks pretty straightforward apart from the part where on every acknowledgment by TWICE (?) there's a checksum (that gets calculated in a certain way I haven't been able to crack yet) that gets put into a CAN frame and tells the transponder "ok, we're good, let's tell DICE to unlock the doors".

Clear as mud, eh? :)
2001 9-5 SE V6; 2006 9-5 Wagon; iOS; BlueSaab version = "latest and greatest" :)

Re: IHU validation in 9-5

Sandwer
Clear as mud, yes.

It'd make sense for the IHU to initiate the check, wouldn't it? It could be off at start time.

Seth, I suspect it's stored on an EEPROM in the IHU, but every time I've torn one down, nothing jumps out. Oh hang on, if I trace the CAN bus +- through, I'll find a likely location. I wonder if it would be possible to write the VIN back to the ROM by sniffing what a TechII does? Bound to be some random checksum nonsense in there like Karlis found... ;)

I'll give it some thought and have a mooch at Tomi's site.

Rich
sbt

Re: IHU validation in 9-5

sbt
Sandwer wrote
It'd make sense for the IHU to initiate the check, wouldn't it? It could be off at start time.
Just on this point, the IHU has power all the time. The marriage checks/messages are sent even when it's "off" as far as the user is concerned.

If your IHUs are forgetting they're married at all, rather than claiming to be married to another car, I'd suspect the IHU EEPROM. The only way to divorce an IHU (or CDC) unit not in the original car is to set the DICE's record of the VIN to the unit's original car's VIN and then divorce it, then reset the VIN correctly in the DICE, then marry the unit.

Cheers,
Sam.
9³ 5D MY02 - Stålgrå, AS3; iOS 16.1; BlueSaab v5.0-p1+Amp v1.1, SAAB-CDC v4.1 with mods