Exploring the security relearn

[TJBaker57]

So yesterday I took a junkyard P10 PCM from a 2002 built in 06/01, the same year truck as my 4. 2, a 2002 built in 10/01 and installed it and did the security relearn. First time doing this for me. I had already interrogated this junkyard PCM on the kitchen table, connecting C1-20 and C1-21 to a 12 volt jump pack and hooked up a serial data line to an elm327. Used a couple of OBD apps like OBD Fusion and a serial terminal to extract VIN number and all trouble code data there was to be had. Of course there were a lot of immature codes due I presume to being so minimally connected and lacking all manner of sensor inputs it expects to see. Also pulled the calibration IDs along with the calibration ID verification numbers. Primarily I wanted a baseline.

The relearn took 3 cycles and I wasn't closely attending the operation so there was a little extra time between cycles in the routine and it wound up taking 38 minutes from commencement to engine startup. So here's the twist. I recorded the class 2 data stream of the entire security relearn procedure for exploration.


I am now examining that data. The first thing I see that may be useful simply confirms what the standard security relearn directions state, that is that the PCM and BCM and I would imagine the IPC as well must have communications established across the class 2 serial data bus. This seems obvious but I can see this happening to someone who doesn't know how to verify communications. The result would be a security light that does not shut off after 10 minutes. Why?? I can see in the class 2 data that after the 10 minute time period it is the PCM that sends a serial data message to 'Vehicle Security', the BCM acknowledges this message and then the BCM turns off the security light. So if that PCM message doesn't get to the BCM I would expect to see the security light to simply remain on.

So a reasonable precursor to doing a security relearn could be;

(A) Verify PCM to IPC communications by observing the IPC for a transmission range position indication and the presence of a fuel tank level indication as these are both PCM to IPC serial data functions.

(B) Verify BCM to IPC serial data communications by observing a high beam indicator light and a Parking Brake indicator light. These are also serial data communications that go from BCM to IPC.

I would expect it safe to believe that if both PCM and BCM have proven communications with the IPC then it follows that the PCM and BCM have communications established.

 

[TJBaker57]

Continuing the relearn experiments yesterday I had a go at BCMs. I took the BCM from that same junkyard 2002 TrailBlazer that I got the PCM from and compared the RPO codes. When I grabbed PCM, BCM, & TCCM from junkyard trucks I took pictures of the RPO code stickers. My 2002 and the junkyard 2002 were surprisingly similar. Mine has a sunroof the donor did not. Different radios also, I have the 6 disc Bose, donor had a cassette I think. A few other things here and there. Not related to BCM but it has the same rear axle ratio as well, good news there in case I want a spare PCM.

So having reviewed the RPO codes and some limited scouring of the internet yielding mixed results as to the applicability of the 30 minute relearn procedure with regard to BCM, I moved forward. I swapped my BCM out with the junkyard BCM. I had previously opened, examined, measured and recorded all pin to ground resistances of this BCM and entered said data into my spreadsheet for future reference.

For the sake of clarity I was now swapping BCM only, the original PCM was in the truck and verified fully operational.

The 30 minute relearn procedure worked as well as can be expected. I noted this time the security light would flash instead of remain solid as had happened during the PCM relearn.

It proceeded like this.... Key to RUN, IPC bulb check then the normal dash lights, NO security light. Key to START would yield a flashing security light. Return key to RUN and left there for no less than 10 minutes (verified by timepiece NO guesswork here). The security light flashed for ten minutes and then went off. Turned key to OFF for no less than 30 seconds. Turned key back to RUN, bulb check, normal dash lights, NO security light. Key to START and again a flashing security light. Return to RUN again and left there for another timed ten minute minimum. Security light goes off, return key to OFF, wait at least 30 seconds, repeat.

It took the full 3 cycles then the truck started. I noted the following: door locks and windows worked, headlights, parking brake indicator all worked. Radio displayed "LOCKED". Sunroof did not work. I sort of expected the sunroof to not work as the junkyard BCM lacked that RPO. The radio I forgot about, not surprised it locked. I just realized I should have tested the keyfob operations. I would imagine they should work but cannot verify that.

Under certain circumstances I could see this being an option for some owners short on funds if they can live with reduced functionality assuming they can find a close match to their RPO codes. An item of concern might be the Supplemental Restraints system. I know this module (Sup Rest) requests a partial VIN. I don't know why. I don't know if functionality is affected in the case of a mismatch??

An odd thing happened during the relearn. On the 3rd cycle, during the 10 minute wait, out of the blue the HVAC turned on. I have automatic controls and so did the junkyard BCM. I turned it off. A few minutes later it turned back on. This time I just turned the fan to minimum to reduce electrical load even though I had a 10 amp charger connected. I just now looked at the class 2 data and see no BCM activity during the time(s) the HVAC turned on. A mystery.

Another note: again after the ten minute wait it is the PCM that is first on the bus and sends a status report to 'Vehicle Security'. A difference here though is that unlike the PCM swap where the BCM immediately turned off the security light, this time the BCM acknowledges the report and waits 15 seconds before turning the security light first to SOLID, then a half second later to off. These differences are invisible to the user, it can only be seen in the class 2 data stream which of course I recorded.

I forgot to request trouble codes. I would have liked to see what was maybe in there. Anyway, not sure of what to expect I swapped back my original BCM. I think I somewhat expected it to just work as before. Nope. Had to go through the whole security relearn again. This time through though I had a SOLID security light!! Presumably this original BCM should still have the same expected Passlock sensor value. Maybe that's the difference?? The junkyard BCM had to learn the Passlock sensor value of this truck and that is the reason for the flashing security light vs a solid light??

After the relearn with the original BCM back in the truck all systems are back. Radio works, sunroof works all seems well.

So what did my original BCM have to learn when swapped back in? I have no idea!! Maybe I will find something in the recorded class 2 message data that will tell me. The raw data is just shy of 26000 messages. After filtering 'heartbeat' messages there are just short of 9900 messages.

 

[budwich]

your work here in is laudable.... it continues to amaze. I am glad you always get back a "working truck"... Related to this, would be the "unforgiving thread" on the "no start / unknown driver" which some how tumbles down the same type of thing with "language difficulties" with "multitudes" of PCM and BCM, plus maybe ignition switch / key sensor sensor.... but can't get out the other "end". Maybe he needs you for a "real road trip"...

 

[TJBaker57]

Maybe he needs you for a "real road trip"...

I once drove from Black Rock/High Rock in northwest Nevada all the way to Mammoth Lakes California just to move the spark plug wires 180 degrees around a volkswagen distributor!! Had never met the owner, she was known to my girlfriend though. It was an old aircooled microbus. From the thread online I was certain what the no start issue was but was also certain I would get nowhere trying to convince the owner of the issue. I was sightseeing anyway and had never been to Mammoth Lakes! Someone had installed the distributor drive incorrectly. It was easiest to just move the wires around.

 

[TJBaker57]

A somewhat related post is this.....

The Passlock sensor mechanism. I've been experimenting with the 2 junkyard sensors I recently pried out. In a wiring diagram I noted there were actually 2 levels or switches in these sensors. One for the proper operation of the key rotation and a second for detecting tamper. They work by connecting a resistance across the yellow wire which carries a nominal 5 volt signal from the BCM, and ground, dropping the 5 volts to a lower level to be recognized by the BCM.

I used to think the 5 volts came from the sensor electronics but bench testing has revealed that not to be so. If you trip the tamper sensor it puts a lower resistance across the yellow and ground and drops the voltage to a value recognized by the BCM as an invalid value activating the security system. So if you go at these sensors with a magnet you very quickly trip the tamper sensor. Only once was I succesful in getting just the right level of magnetic field to fool a sensor on the workbench. The resistances I measured across yellow to ground was 867 ohms normal operation and 280 ohms in tamper. Before triggering of the sensor the measured resistance of yellow to ground was infinite.

I also just tested the operation of the Passlock sensor in my vehicle and made a short video of the test. In doing this test I discovered a thing or two. The 12 volts that powers the sensor electronics on the red/white wire, and also the nominal 5 volt value from the BCM to the yellow wire of the sensor appear to be powered whenever the BCM is not in sleep mode. Just opening a door or pressing a keyfob button awakens the BCM and these voltages are applied to the sensor. It took between 10 to 11 minutes for my BCM to drop these voltages after key off and removed and doors closed etc. leaving the vehicle idle while I watched the meters.

Once triggered by key rotation to START/CRANK the resistors remain connected across the yellow & ground until the key is turned back away from RUN. Even the Accessory position removes the resistance from the circuit.



In the video I have the meter connected to ground and the yellow wire from the sensor which terminates at BCM terminal B10 of connector C1. The starter relay is removed for the test.

 

[TJBaker57]

Only once was I succesful in getting just the right level of magnetic field to fool a sensor on the workbench.

In the last couple of months I've gotten better at triggering the Passlock sensor(s). Also traced out their circuitry and identified parts and so forth. This allowed me to fool the passlock circuitry in my benchtop setup. I only need to apply the proper resistance across the yellow and orange/black wires as I turn the ignition switch to CRANK and even the Tech 2 doesn't detect any irregularity.

When properly operated by the ignition lock assembly the small magnet that rotates with the cylinder comes close to the security hall sensor which completes a circuit through both the tamper resistor and the security resistor in series. (I once thought they were separate circuits but now traced them and they are in series) This resistance is connected across the yellow wire which carries a 5 volt signal from the BCM and the orange/black wire which is a lo reference from the BCM. This resistance path to ground pulls low the nominal 5 volt signal low to a value expected by the BCM for that truck. If the magnetic field is too strong it also triggers the tamper hall sensor which is located farther from the magnet, beneath the security hall sensor on the small circuit board. When that sensor triggers it connects a midpoint in the afforementioned series resistance circuit to the lo reference creating a far lower resistance which drops the BCM 5 volt signal very low. This alerts the BCM to tampering with the system.


The hall sensors fit into a protrusion in their housing which is radiused to fit snugly close to the rotating magnet.


This is where a sensor has been pried from the lock housing. The depression for the hall sensors can be seen here. Also one or more colored marking can be seen. Each sensor I removed had a series of colored markings which I believe identifies the resistance values of the unit.








Here is a silent video where I trigger the Passlock sensor(s) with a couple magnets. I pause the video while switching the harness between the 3 sensors I have. I think it was the final sensor where I failed the attempt and triggered the tamper sensor with the first pass and then reset and got it the second time. Values of around 291 or 292 ohms are where the tamper sonsor has triggered. The higher values are the ones expected by the BCM.

New video by Thomas J Baker

photos.app.goo.gl

 

[mrrsm]

FWIW... On more than one occasion, we have read of people, "Turning the Key SLOWLY" as doing the trick to get their Engines to Start in the belief that the problem component was their Ignition Switch ...instead of possibly invoving what you have discovered and revealed here.

So Tom... Perhaps there is a "Rotational Moment" involving the Turning of the Key-Cylinder that plays an active part in sweeping the Tiny Magnetic Gauss Field through that little Hall Effect Sensor (in a particular direction) that is part of the Validation Process.

Perhaps this action also sort of gives the PCM the confidence to believe that the Owner/Driver has the Right Key ...and has progressed along with a Very Smooth, Clockwise turning movement while Starting the Vehicle... Nothing TOO Furtive ...as might be done by a Car Thief.

Also, If you are using your Tech 2 in tandem for checking-searching for additional ways to investigate any hidden aspects of Theft Deterrence... this Tech 2 PATHS PDF is a REAL Time Saver for Dialing In on the requisite Key Pad Input Sequences to try out various things as well: