What is SFD? - Vasya Diagnost
🔥
We deliver orders to any point in Europe, and around the world!
🔥
+7 (499) 755 82 34
EUR
EN
RU EN
0
Buy

What is SFD?

What is SFD?

What is SFD?

Since 2020, starting with the release of MQB37W models (Golf 8/Audi A3/Škoda Octavia/SEAT León), Volkswagen AG has been implementing a new vehicle security feature called SFD ("Schutz Fahrzeug Diagnose"). To access configuration/coding, the vehicle must be pre-unlocked using a special token. Currently, this token can only be obtained through an official GeKo account, and the user must be registered in advance on the SFD server.

There is no other way except the official one. Vehicle owners and popular diagnostic programs will be limited, except for access to data related to basic diagnostics and partially to technical maintenance.

What goal does the Volkswagen Group pursue by implementing SFD?

  • The current method (activating secure access using a 5-digit code) no longer meets the modern level of technology;
  • Preventing manipulation of factory settings and coding parameters of the vehicle;
  • The interaction of installed control units creates new paths for possible hacker attacks, especially on vehicles that are constantly connected to the network;
  • Installation of software or control units that were never intended to work in a specific vehicle;
  • Coding and configuration can be unsafe due to the actions of unauthorized third parties, for example, an adaptive cruise control radar whose parameters do not match the vehicle or are incorrectly adapted.

Additionally, EU Regulation 858/2018, which came into effect in September 2020, compelled the Volkswagen Group to develop a secure solution and implement it in newer vehicles. Therefore, the Group is not only changing its own security rules but also complying with the EU regulation, which serves to protect the vehicle electronics from unauthorized access.

Why does this post apply to all diagnostic tools?

Currently, only official dealers from unauthorized countries using an online connection that occurs automatically in the background can guarantee the unlocking method. Although the token can only be used once and is valid only for the generated vehicle, using various vehicle data, including the VIN number, the possibility of requesting offline unlocking creates a "loophole" in security and in the original purposes of implementing SFD.

At the time of writing this article (May 2023), it is unknown whether it will be possible in the future for third parties to obtain tokens.

What does this mean for regular car owners?

Many people know the feeling when buying a car that the desired option, such as a rearview camera, navigation system, or even a simple software feature like road sign recognition, is missing from the available configuration in the dealer's showroom or even in a used car. "Retrofitting" will no longer be simple and possibly feasible in the future. Until now, such manipulations were quickly performed using certain well-known diagnostic tools by entering a 5-digit login, marking new equipment in the Gateway module, or changing coding values and then clicking "Execute".

All VAG cars were very easily modified/upgraded, but in some cases, they were less secure as the work was not always done by experienced specialists with the necessary knowledge and auxiliary tools, such as a stand for calibrating adaptive cruise control cameras. With the emergence of new digital assistants for vehicle management, this issue will become even more important.

It is not yet clear how this will affect the retrofitting offerings from the manufacturer and official dealers. By preventing self-diagnosis, certain software functions would have to be offered as an official retrofit license, known as FoD (Feature on Demand), but that is a completely different topic.

Principle of operation of car diagnostic protection

Connection will be performed in two ways: online and offline. Offline connection is a backup method, for example, in case the internet connection of the OEM diagnostic tester at the official dealer's service facility is temporarily unavailable.


1. Online connection

Components involved in the process:

  • The control unit in the car contains the protected diagnostic objects and can allow or deny access to them.
  • The diagnostic tester is used by the user to access the diagnostic objects in the control unit.
  • The SFD server contains a user database with access rights and issues a token for connection.

Process flow:

  • Step 1: Prerequisite: the user is registered on the SFD server and the dealer portal (later on the Group Retail Portal).
  • Step 2: Within the car diagnostics, the user wants to perform services protected by SFD on one or multiple control units with SFD protection.
  • Step 3: The control unit sends a message indicating the presence of SFD protection and requests a connection token.
  • Step 4: The diagnostic tester sends a connection request to the SFD server, specifying the identification data of the control unit and the required access level.
  • Step 5: The SFD server verifies the request, performs authorization, and sends a signed connection token to the tester. The SFD server records the access details (user identification data, control unit identification data, time, etc.).
  • Step 6: The diagnostic tester sends the connection token to the control unit. The control unit verifies the token and grants access to the corresponding diagnostic objects.

2. Manual (offline) connection to SFD

Offline connection procedure:

  • Step 1: Directly requesting a token by the diagnostic tester is not possible.
  • Step 2: A service employee saves a structured connection request from the control unit, which is necessary for token generation.
  • Step 3: The employee accesses the dealer portal (in the future, the Group Retail Portal) from another computer and navigates to the SFD server token request page in the SFD application.
  • Step 4: The employee enters the structured connection request obtained from the control unit, requests a token, and copies it to the diagnostic tester (e.g., on a USB drive).
  • Step 5: The user on the tester performs the function of manually transferring the token to the control unit.
  • Step 6: The control unit verifies the token and grants access to the corresponding diagnostic objects.

The implementation of SFD project consists of two stages:

Stage 1 involves protecting access to protected diagnostic objects in control units and confirming access at the individual user level. The need for protection is determined for specific control units and diagnostic objects. Protection is limited to specific write services (encoding, adaptation, parameterization) and procedures. Diagnostic protection is not established for regular read services (such as reading the control unit event recorder). SFD also does not affect functions such as loading data blocks with data loader units, firmware or software updates, and flash data security.

Stage 2, in addition to Stage 1, involves protecting diagnostic data from various manipulations during transmission through end-to-end encryption of data transmitted between VAG IT servers and control units. To record access to protected diagnostic data, organizations require strong user authentication. This is achieved through two-factor authentication, which can be implemented using:

  • PKI cards
  • SecurID cards
  • Applications that generate one-time passwords (e.g., Google Authenticator, Microsoft Authenticator)

However, in the initial stage, weak authentication using a username and password will be used as a temporary solution on the dealer portal. Simultaneously, work will be carried out to transition to strong authentication through the Group Retail Portal. To work with SFD, the diagnostic tester must have an internet connection.

There are 3 options for unlocking SFD:

  • Option 1: The unlocking time is set to 90 minutes, after which the control unit is locked again.
  • Option 2: SFD is reactivated after driving a distance of 200 km.
  • Option 3: The control unit remains unlocked until SFD is reactivated by the user.

Option 1 is used in vehicles after leaving the assembly line, while options 2 and 3 are only for development and production purposes.

How to recognize SFD?

The Gateway plays a crucial role in identifying vehicles with SFD (Software Fault Detection), similar to the case with component protection and FEC/SWaP. Specifically, the Gateway with part number 5WA 907 530 can be used to unambiguously recognize a vehicle with SFD (MQBevo / MQB2020). Additionally, the part number 1EA 937 012 indicates a vehicle on the MEB platform (currently ID3, ID4, and ID6), which also utilizes SFD:
Address 19: CAN Gateway (J533) File QML:*
Part No SW: 5WA 907 530 M HW: 5WA 907 530 A
Component: GW2020 Low 753 7086
Revision: -------- Serial number: *
Coding: *
GVL: *
Dataset ASAM/ODX: EV_GatewMQB2020 004008
ODX: EV_GatewMQB2020_004_VW38.odx
SFD ("Schutz Fahrzeug Diagnose") - unlocking is required

Which control units does SFD affect?

Known control units with SFD functionality:

  • [01] - Engine
  • [03] - ABS Brakes
  • [09] - Cent. Elect.
  • [15] - Airbags
  • [17] - Instruments
  • [19] - CAN Gateway
  • [23] - Brake Booster
  • [4B] - Multifunc. Module
  • [5F] - Information Electr.
  • [75] - Telematics
  • [8107] - Antenna

Which models are already using SFD?

Currently, only a few models are using SFD:

MQBevo / MQB2020

  • Audi A3 8Y (2020–present);
  • SEAT León KL (2020–present);
  • Škoda Octavia Mk4 (2020–present);
  • Volkswagen Caddy Mk4 (2020–present);
  • Volkswagen Golf 8 (2019–present);
  • Volkswagen Talagon (2021–present);
  • Cupra Formentor (2021–present);
  • Ford Tourneo/Transit Connect Mk3 (2022–present);
  • Volkswagen Lamando (2022–present).

MEB

  • Audi Q4 e-tron (2021–present);
  • Audi Q4 Sportback e-tron (2021–present);
  • Audi Q5 e-tron (2021–present);
  • Cupra Born (2021–present);
  • Škoda Enyaq (2020–present);
  • Volkswagen ID.3 (2019–present);
  • Volkswagen ID.4 (2020–present);
  • Volkswagen ID.5 (2021–present);
  • Volkswagen ID.6 (2021–present);
  • Volkswagen ID.BUZZ (2022–present).

Information about implementing SFD in Russian
Information about implementing SFD in English
Information about implementing SFD in German