Full OBD Scan tool and FCA Security Bypass Question

JasonInDLH

Well-Known Member
First Name
Jason
Joined
Jan 4, 2021
Messages
57
Reaction score
22
Location
MN
Vehicle(s)
17 Renegade Ltd, 15 Yukon Denali, 07 Yukon Denali
So on a Renegade forum I’m on there’s been great discussion of how to bypass the FCA OBD security module. Im curious what all you Do It Yourselfers are using to read and clear all the codes (SRS, ABS, etc...) and how you bypassed the security module?

The Renegade people are talking about installing a Z Automotive bypass module that connects to the FCA module. OR, they’ve mentioned simply unplugging the two FCA security module connectors and connecting them to a 12+8 cable and then connecting that to your OBD scanner.

Apparently the FCA security device on the Renegade is behind a panel under the dash somewhere. Can anyone confirm where it’s located on the JL and if either of the aforementioned methods work?

Thanks!





Advertisement

 

CarbonSteel

Well-Known Member
Joined
Jul 21, 2019
Messages
1,188
Reaction score
1,121
Location
Texas
Vehicle(s)
2019 Jeep Rubicon Unlimited
Vehicle Showcase
1
So on a Renegade forum I’m on there’s been great discussion of how to bypass the FCA OBD security module. Im curious what all you Do It Yourselfers are using to read and clear all the codes (SRS, ABS, etc...) and how you bypassed the security module?

The Renegade people are talking about installing a Z Automotive bypass module that connects to the FCA module. OR, they’ve mentioned simply unplugging the two FCA security module connectors and connecting them to a 12+8 cable and then connecting that to your OBD scanner.

Apparently the FCA security device on the Renegade is behind a panel under the dash somewhere. Can anyone confirm where it’s located on the JL and if either of the aforementioned methods work?

Thanks!
 
OP

JasonInDLH

Well-Known Member
First Name
Jason
Joined
Jan 4, 2021
Messages
57
Reaction score
22
Location
MN
Vehicle(s)
17 Renegade Ltd, 15 Yukon Denali, 07 Yukon Denali
  • Thread starter
  • Thread Starter
  • #3
Awesome! Thanks! That Tazer sure would be useful and has been included on the list of things to get!

Now... what scan tool is everyone using to read and clear codes for these Jeep’s? I have an awesome one for my Yukon that does everything from ABS bleed to reading and clearing all the codes, but unfortunately it provides only basic info for the Jeep.
 

jeepoch

Well-Known Member
First Name
Jay
Joined
Nov 13, 2019
Messages
357
Reaction score
811
Location
Longmont, CO
Vehicle(s)
2019 JL Wrangler Sport S 3.6L Auto 2 door, 2.5" lift, 35s
Jason,

There are quite a few 'Programers', 'Scanners', or 'Diagnostic' Tools on the market that are all capable of reading Diagnostic Trouble Codes (DTCs). However, any tool that 'writes' information (like clearing these codes) to any one of the On-Board Control Modules, typically the Engine Control Module or (ECM) will require that the Security Gateway Module (SGW) be bypassed.

Generally the purpose of the SGW is to provide a Controller Area Network (CAN) Bus firewall between the interior control communication links with the outside world. Said in another way, the SGW provides a mechanism that anyone, or anything must first authenticate (can prove that they are who they say they are) in order to be able to have their CAN messages received and acted upon. With the SGW installed, only factory approved messages from authorized tools will be allowed.

With the many third-party (unofficial) tool suppliers, the most simple method to communicate over the internal CAN bus is to simply remove this firewall (and bypass the SGW) altogether. In this way, all messages no longer need to be authenticated. The third-party tool can inject whatever messages they care to transmit. They can then emulate most all of the factory functionality without regard to any extra security measures. This bypass approach is indeed how 'most' after market tools do indeed work.

Sure some tool vendors do 'play-by-the-rules' and pay whatever Security License and Registration fees are required to whichever Auto Manufacturer (in this case FCA) in order to be a legally authorized vendor. This access is not trivial or inexpensive because most manufacturers do not foster any type of access beyond what is federally mandated just in order to troubleshoot OBD2 emission specific issues. Therefore, most CAN Bus product vendors take the way more easy and inexpensive route and pirate their way into the control bus via some type of SGW bypass.

Furthermore, the Security Gateway Module is also intended to zone-off the vehicle's internal control communications from it's infotainment environment. Only the Cellular access 'Guardian' type of systems (like GM's OnStar) is intended to have authorized access. This helps keep the nefarious bad-guy 'hackers' out of your vital 'drive-by-wire' control systems, (throttle, brakes, door locks, etc.) from possible remote intrusion.

Clearly if you 'jail-break' your JL with any type of SGW bypass, you are also creating a potential security hole to unfettered internal digital access from the outside world. Some may argue that this cyber security vector is only detrimental with internet-connected (cellular) radios. Unfortunately the low-level trims, base Sports, are typically the only JL's that come standard with a non-internet connected UConnect 3 radio. Every other trim and many optional package Sports have the World-Wide-Web accessable UConnect 4 cellular variants.

So by using any tool that requires that the SGW be bypassed and remain that way also opens your rig up to potential unwanted tampering. Without the SGW, your rig is unfortunately available to anyone able to determine it's radio's MAC address. Trivial to even the almost skilled hacker.

Certainly the probability of that happening is low, but it's clearly not zero. Murphy's Law states that if it can happen, given enough time it will happen. So only you can roll the roulette wheel of chance for whatever it is you want to accomplish on your rig without the SGW plugged in.

For full disclosure, I do own and use the Z Automotive Tazer JL Mini but only use it's Non-Live functions. My SGW is only bypassed to set the tire size, TPMS thresholds and a few other configurations, including reading and/or clearing DTC codes. Otherwise, my SGW always remains plugged in at all times.

Hope this gives you a better idea for what bypassing the Security Gateway Module may accomplish. Unintended consequences or not.


[Edit] Follow up:
Would it be a good thing to have FCA open up it's choke-hold over it's vehicle's calibration space and thus give us consumers direct access to this type of functionality? Some sort of interface that let's us diagnose and troubleshoot our own vehicles or reconfigure controversial systems like ESS or even allow for custom engine performance and horsepower tuning?

Of course any Joe Blow Motorhead who enjoys tinkering on their vehicle would love it.

Unfortunately that pipe-dream would only work in a non-litiguous society. Any one who used those interfaces and then hurt their vehicle or worse indirectly cause an accident, would blame anyone and everyone but themselves.

So all car companies have to take the tact to protect not only their Service revenue streams but also keep their legal liability to an absolute minimum. So they'll continue to design in firewalls and near tamper proof diagnostic access portals. It is after all in their (not your) best intetest.

This however leaves a market niche now open for third-party vendors to find ways to 'bypass' these monopolistic access restrictions and limitations. If there is a demand, someone will always try and monetize a supply. These 'Programmers', 'Scanners' and 'Diagnostic' Tools are the result.

So who is right or wrong? As consumer's we are of course always going to invest in what it is we truly want. Regardless of the unforseen or subtle consequences.

So pick your tools as best you see fit. Sometimes the risk is worth the reward. Right up to the point that it's not.

Only you can make your own risk assessment analysis.

Jay
 
Last edited:

Rhinebeck01

Well-Known Member
Joined
May 9, 2018
Messages
5,374
Reaction score
6,383
Location
.
Vehicle(s)
.
So on a Renegade forum I’m on there’s been great discussion of how to bypass the FCA OBD security module. Im curious what all you Do It Yourselfers are using to read and clear all the codes (SRS, ABS, etc...) and how you bypassed the security module?

The Renegade people are talking about installing a Z Automotive bypass module that connects to the FCA module. OR, they’ve mentioned simply unplugging the two FCA security module connectors and connecting them to a 12+8 cable and then connecting that to your OBD scanner.

Apparently the FCA security device on the Renegade is behind a panel under the dash somewhere. Can anyone confirm where it’s located on the JL and if either of the aforementioned methods work?

Thanks!
As the "Renegade people" are doing, I have a ZAutomotive bypass module (I no longer run/have a Tazer JL) for bypass, along with an inexpensive OBDll Scan tool,
https://www.amazon.com/dp/B072JF8VZF/ref=cm_sw_r_cp_apa_i_PDw.Fb35RFSEW?_encoding=UTF8&psc=1

By the way, the ZAutomotive bypass module and JSCAN pairing is a go, let's say with the JL and JT. I've used JSCAN on JL's... ZAutomotive's bypass module, can also be daisy chained with a SmartStopStart unit.

For most guys/gals, I'd recommend Tazer JL, as JSCAN is for sure, not as user-friendly, nor does it offer all that Tazer JL does.. Just one example, Tazer JL can deal with ESS and JSCAN cannot so far.
 
Last edited:
OP

JasonInDLH

Well-Known Member
First Name
Jason
Joined
Jan 4, 2021
Messages
57
Reaction score
22
Location
MN
Vehicle(s)
17 Renegade Ltd, 15 Yukon Denali, 07 Yukon Denali
  • Thread starter
  • Thread Starter
  • #6
Thanks for the input guys!

I’m aware of this malicious hacking into these FCA vehicles and would only disconnect the security module when needed in the confines of my garage. And then reconnect it when I’m done working on the Jeep. Great tips!

I’ll have to look into that JScan a bit more as it appears it can do everything I’m looking for (crossing my fingers for ABS bleed as I do plan to completely change the brake system). Thanks for recommending this!
 

golong27

Active Member
Joined
Mar 7, 2019
Messages
25
Reaction score
17
Location
glen allen va
Vehicle(s)
2018 Jeep Wrangler JLU Sport S
The video above makes it look so easy to unplug the connectors to bypass the security gateway. I spent 30 minutes this weekend trying to unplug mine - is there a secret? I pressed the tab to release and could get the connector to unseat but couldn't get a good enough grip on the other side of the connector to pull it.
 
OP

JasonInDLH

Well-Known Member
First Name
Jason
Joined
Jan 4, 2021
Messages
57
Reaction score
22
Location
MN
Vehicle(s)
17 Renegade Ltd, 15 Yukon Denali, 07 Yukon Denali
  • Thread starter
  • Thread Starter
  • #8
I haven’t looked at them to see what they look like, but did you try a needle nose pliers?
 

BlackGenesis

Well-Known Member
First Name
Andrey
Joined
Dec 4, 2019
Messages
277
Reaction score
262
Location
Muskegon Michigan.
Vehicle(s)
18 Sahara unlimited
OP

JasonInDLH

Well-Known Member
First Name
Jason
Joined
Jan 4, 2021
Messages
57
Reaction score
22
Location
MN
Vehicle(s)
17 Renegade Ltd, 15 Yukon Denali, 07 Yukon Denali
  • Thread starter
  • Thread Starter
  • #10
Jason,

There are quite a few 'Programers', 'Scanners', or 'Diagnostic' Tools on the market that are all capable of reading Diagnostic Trouble Codes (DTCs). However, any tool that 'writes' information (like clearing these codes) to any one of the On-Board Control Modules, typically the Engine Control Module or (ECM) will require that the Security Gateway Module (SGW) be bypassed.

Generally the purpose of the SGW is to provide a Controller Area Network (CAN) Bus firewall between the interior control communication links with the outside world. Said in another way, the SGW provides a mechanism that anyone, or anything must first authenticate (can prove that they are who they say they are) in order to be able to have their CAN messages received and acted upon. With the SGW installed, only factory approved messages from authorized tools will be allowed.

With the many third-party (unofficial) tool suppliers, the most simple method to communicate over the internal CAN bus is to simply remove this firewall (and bypass the SGW) altogether. In this way, all messages no longer need to be authenticated. The third-party tool can inject whatever messages they care to transmit. They can then emulate most all of the factory functionality without regard to any extra security measures. This bypass approach is indeed how 'most' after market tools do indeed work.

Sure some tool vendors do 'play-by-the-rules' and pay whatever Security License and Registration fees are required to whichever Auto Manufacturer (in this case FCA) in order to be a legally authorized vendor. This access is not trivial or inexpensive because most manufacturers do not foster any type of access beyond what is federally mandated just in order to troubleshoot OBD2 emission specific issues. Therefore, most CAN Bus product vendors take the way more easy and inexpensive route and pirate their way into the control bus via some type of SGW bypass.

Furthermore, the Security Gateway Module is also intended to zone-off the vehicle's internal control communications from it's infotainment environment. Only the Cellular access 'Guardian' type of systems (like GM's OnStar) is intended to have authorized access. This helps keep the nefarious bad-guy 'hackers' out of your vital 'drive-by-wire' control systems, (throttle, brakes, door locks, etc.) from possible remote intrusion.

Clearly if you 'jail-break' your JL with any type of SGW bypass, you are also creating a potential security hole to unfettered internal digital access from the outside world. Some may argue that this cyber security vector is only detrimental with internet-connected (cellular) radios. Unfortunately the low-level trims, base Sports, are typically the only JL's that come standard with a non-internet connected UConnect 3 radio. Every other trim and many optional package Sports have the World-Wide-Web accessable UConnect 4 cellular variants.

So by using any tool that requires that the SGW be bypassed and remain that way also opens your rig up to potential unwanted tampering. Without the SGW, your rig is unfortunately available to anyone able to determine it's radio's MAC address. Trivial to even the almost skilled hacker.

Certainly the probability of that happening is low, but it's clearly not zero. Murphy's Law states that if it can happen, given enough time it will happen. So only you can roll the roulette wheel of chance for whatever it is you want to accomplish on your rig without the SGW plugged in.

For full disclosure, I do own and use the Z Automotive Tazer JL Mini but only use it's Non-Live functions. My SGW is only bypassed to set the tire size, TPMS thresholds and a few other configurations, including reading and/or clearing DTC codes. Otherwise, my SGW always remains plugged in at all times.

Hope this gives you a better idea for what bypassing the Security Gateway Module may accomplish. Unintended consequences or not.


[Edit] Follow up:
Would it be a good thing to have FCA open up it's choke-hold over it's vehicle's calibration space and thus give us consumers direct access to this type of functionality? Some sort of interface that let's us diagnose and troubleshoot our own vehicles or reconfigure controversial systems like ESS or even allow for custom engine performance and horsepower tuning?

Of course any Joe Blow Motorhead who enjoys tinkering on their vehicle would love it.

Unfortunately that pipe-dream would only work in a non-litiguous society. Any one who used those interfaces and then hurt their vehicle or worse indirectly cause an accident, would blame anyone and everyone but themselves.

So all car companies have to take the tact to protect not only their Service revenue streams but also keep their legal liability to an absolute minimum. So they'll continue to design in firewalls and near tamper proof diagnostic access portals. It is after all in their (not your) best intetest.

This however leaves a market niche now open for third-party vendors to find ways to 'bypass' these monopolistic access restrictions and limitations. If there is a demand, someone will always try and monetize a supply. These 'Programmers', 'Scanners' and 'Diagnostic' Tools are the result.

So who is right or wrong? As consumer's we are of course always going to invest in what it is we truly want. Regardless of the unforseen or subtle consequences.

So pick your tools as best you see fit. Sometimes the risk is worth the reward. Right up to the point that it's not.

Only you can make your own risk assessment analysis.

Jay
I see your point here with your edit. Personally, I don’t change any parameters with programmers (although the TPMS threshold and tire size, etc will be helpful). I’m simply my own mechanic and perform all repairs myself and need to see the valuable information provided by the OBD scanner.
 

golong27

Active Member
Joined
Mar 7, 2019
Messages
25
Reaction score
17
Location
glen allen va
Vehicle(s)
2018 Jeep Wrangler JLU Sport S
I did try needle nose pliers but they don't open wide enough. All the connectors on my jeep are difficult to unseat so I'll figure something out - I end up struggling with the wiring harness for the hardtop every time it take it off.

I am using Jscan.
 

Rhinebeck01

Well-Known Member
Joined
May 9, 2018
Messages
5,374
Reaction score
6,383
Location
.
Vehicle(s)
.
The video above makes it look so easy to unplug the connectors to bypass the security gateway. I spent 30 minutes this weekend trying to unplug mine - is there a secret? I pressed the tab to release and could get the connector to unseat but couldn't get a good enough grip on the other side of the connector to pull it.
@golong27

Disconnect one cable at a time.

Firmly push the connector in and while hold the connector in, push the connector release tab on the backside of the connector and at the exact same time, pull down on the cable itself.. A little wiggle of the cable you are pulling down also will help the connector free up so to speak.

Do remove the plastic directly under the steering column before you go to do the deed. DO have a bright light under there with you.

IF, if you have a teen Daughter or Son or a willing Wife, have them do for you.. For some reason they seem to just get it done with little effort.... perhaps smaller, nimbler hands.. 8-)

Strongly suggest that you buy and install the SWG Extension Cable that ZAutomotive sells.... install that and no more struggling with the connectors... Were I you, I would order the SWG Extension Cable first and then go back and try the disconnect, versus trying today.
https://www.zautomotive.com/product/sgw-extension-cable/
llll.png
 

Advertisement




Extreme Terrain
 



Advertisement
Top