Robert Bosch Pty Ltd VIMA01 User Manual
PROTOCOL SPECIFICATION
F005VP0801
ROBERT BOSCH
(AUSTRALIA) PTY. LTD.
A.B.N. 48 004 315 628
SMARTRA III IMMOBILISER
Page 10 of 49
Issue Number:
1.0
Dev No.
3881
Valid from:
14/2/06
Print Date:
28 March, 2007
© THIS DRAWING IS THE EXCLUSIVE PROPERTY OF ROBERT BOSCH (AUSTRALIA) PTY. LTD. WITHOUT THEIR CONSENT IT MAY NOT BE REPRODUCED OR GIVEN TO THIRD PARTIES.
DEV04205.9/I-1
3.2.5 System security
If a thief replaces the Smartra with a virgin Smartra the car will not start as the virgin Smartra does not
match the EMS.
If a thief replaces three components with a matching set (Transponder, Smartra and EMS) then by
breaking lock barrel the car can start. The car will start however the period of time to replace the
Smartra takes time ie. longer than 5 minutes to pass the Thatcham attack test. Refer to section 3.4 –
References.
match the EMS.
If a thief replaces three components with a matching set (Transponder, Smartra and EMS) then by
breaking lock barrel the car can start. The car will start however the period of time to replace the
Smartra takes time ie. longer than 5 minutes to pass the Thatcham attack test. Refer to section 3.4 –
References.
A thief could steal a car in a short time if they have access to a Diagnostic Tester and a ECU with his
corresponding Diagnostic PIN Number (DPN) then the thief can steal the car by:
corresponding Diagnostic PIN Number (DPN) then the thief can steal the car by:
a. replacing the EMS with a matching EMS and transponder set.
b. use Diagnostic Tester to neutralise the Smartra3, using the secure HMC Diagnostic PIN Number
b. use Diagnostic Tester to neutralise the Smartra3, using the secure HMC Diagnostic PIN Number
(DPN) of EMS.
c. use Diagnostic Tester to program the new Diagnostic PIN Number (DPN) that matches the thiefs
EMS Diagnostic PIN Number (DPN).
The security of the system depends on the security of the DPN.
3.2.6 Secret Encryption Key (SEK) Learning
• The EMS and Smartra will generate the Secret Encryption Key (SEK).
• Secret Encryption Key (SEK) is generated from the first 6 bytes of the 9 byte Diagnostic PIN Number
(DPN).
• The DPN is taught to the Smartra and EMS at the OEM end of line tester or in the field.
• The encryption algorithm requires each of the 6 SEK bytes to be an uneven number between 3 and
253.
o
Therefore both the EMS and Smartra will use the same function that will check value of PIN
and adjust each byte of the Secret Encryption Key (SEK) accordingly:
• If DPN byte is <3 or >253 then SEK byte = 0x55.
• Else If DPN byte is even then SEK byte = DPN byte – 1.
• Else
• Else If DPN byte is even then SEK byte = DPN byte – 1.
• Else
SEK byte = DPN byte.
3.2.6.1 Diagram: Secret Key learning flow
Automobile Assy
SMARTRA
EMS
Diagnostic Tester
OEM end of line tester
shall generate a
Diagnostic Security Pin
Number and pass the
number to the EMS.
T r ansp o nd er
Diagnostic PIN 9
byte number
stored in eeprom
on EMS
0 x XXXXXXXXXXXXXXXX
Diagnostic PIN (9
bytes) number
stored in eeprom
on Smartra
0 x XXXXXXXXXXX
Secret Encrytpion
Key (SEK) (6 bytes) -
generated from
Diagnostic PIN
Number (DPN)
Number (DPN)
Secret Encrytpion
Key (SEK) (6
bytes) - generated
from Diagnostic
PIN Number (DPN)
0 x XXXXXXXXXXXXXXXX
0 x XXXXXXXXXXX
0 x XXXXXXXXXXXXXXXX