I'm considering buying the SKIM module ( part#56045275AC ) along with some Strattec keys ( part#692325), installing them myself and then having the system programmed by dealer. But I'm not confident that this is a secure system. There is mention of people with SKIM having their trucks stolen and mention of devices that can defeat the SKIM. With a DRBIII programmer or equivalent anything seems possible and these are becoming easier to purchase online. I understand the limitations with regards to the transponder keys which I'm comfortable with because these I understand. What I'm NOT comfortable with is the communication that happens between SKIM module and the ECM via the PCI bus. The service manual states:

So just what is this "valid key" message sent over the PCI bus ? It would seem from the wiring diagrams that the SKIM module communicates over the same PCI bus as everything else including the OBDII connector so I'm hoping this "valid key" message isn't cleartext J1850 VPW that can be read with OBDII scan tool ? Anybody out there know ?

Sven

 

It's a rolling code and constantly changes. You will need the SKIM code to get module into program mode.
This explains operation of SKIM in your vehicle read on.

The SKIM transmits and receives RF signals through a tuned antenna enclosed within a molded plastic ring that is integral to the SKIM housing. When the SKIM is properly installed on the steering column, the antenna ring is oriented around the ignition lock cylinder housing. This antenna ring must be located within eight millimeters (0.31 inches) of the Sentry Key in order to ensure proper RF communication between the SKIM and the Sentry Key transponder.

For added system security, each SKIM is programmed with a unique “Secret Key” code and a security code. The SKIM keeps the “Secret Key” code in memory. The SKIM also sends the “Secret Key” code to each of the programmed Sentry Key transponders. The security code is used by the assembly plant to access the SKIS for initialization, or by the dealer technician to access the system for service. The SKIM also stores in its memory the Vehicle Identification Number (VIN), which it learns through a PCI bus message from the PCM (NGC) or ECM (Cummins) during initialization.

The SKIM and the PCM/ECM both use software that includes a rolling code algorithm strategy, which helps to reduce the possibility of unauthorized SKIS disarming. The rolling code algorithm ensures security by preventing an override of the SKIS through the unauthorized substitution of the SKIM or the PCM/ECM. However, the use of this strategy also means that replacement of either the SKIM or the PCM/ECM units will require a system initialization procedure to restore system operation.

When the ignition switch is turned to the ON or START positions, the SKIM transmits an RF signal to excite the Sentry Key transponder. The SKIM then listens for a return RF signal from the transponder of the Sentry Key that is inserted in the ignition lock cylinder. If the SKIM receives an RF signal with valid “Secret Key” and transponder identification codes, the SKIM sends a “valid key” message to the PCM/ECM over the PCI bus. If the SKIM receives an invalid RF signal or no response, it sends “invalid key” messages to the PCM/ECM. The PCM/ECM will enable or disable engine operation based upon the status of the SKIM messages.

The SKIM also sends messages to the Instrument Cluster which controls the VTSS indicator LED. The SKIM sends messages to the Instrument Cluster to turn the LED on for about three seconds when the ignition switch is turned to the ON position as a bulb test. After completion of the bulb test, the SKIM sends bus messages to keep the LED off for a duration of about one second. Then the SKIM sends messages to turn the LED on or off based upon the results of the SKIS self-tests. If the VTSS indicator LED comes on and stays on after the bulb test, it indicates that the SKIM has detected a system malfunction and/or that the SKIS has become inoperative.

If the SKIM detects an invalid key when the ignition switch is turned to the ON position, it sends messages to flash the VTSS indicator LED. The SKIM can also send messages to flash the LED as an indication to the customer that the SKIS has been placed in it's “Customer Learn” programming mode. See Sentry Key Immobilizer System Transponder Programming in this section for more information on the “Customer Learn” programming mode.

For diagnosis or initialization of the SKIM and the PCM/ECM, a DRBIII® scan tool and the proper Powertrain Diagnostic Procedures manual are required. The SKIM cannot be repaired and, if faulty or damaged, the unit must be replaced.

 

Thanks for responding BigIron70. "Rolling code" is referring to random number that is part of two-way challange response that is part of the authentication between key and SKIM module ? I'm interested in the communication between SKIM module and ECM over the PCI bus and whether it is secure.

Sven

 

Fully read your post again, sorry. Ok, so there is a rolling code algorithm between the SKIM module and ECM. I think this is good security as it would prevent somebody from being able to inject some canned valid key message onto PCI bus which is so readily accessible on our trucks. Only remaining "practical" vulnerability that I see is to prevent "easy" access to the OBDII port via some kind of OBDII lock. This would prevent somebody from easily connecting a DRBIII or equivalent programmer to reprogram SKIM, etc. I also need to get some SKIM or immobilizer stickers for windows as I'm hoping that seeing these is going to deter somebody from trying. Anybody with SKIM have factory stickers on the door windows, can't find such a part in parts manual ?

Sven

 

No vehicle is completely thief proof.