Can I still read fault codes through the OBD-II port without authenticating?

Yes. Read-only OBD-II traffic — VIN, stored DTCs, live PIDs, freeze-frame, readiness monitors — passes through the SGW unauthenticated. What's blocked is anything that writes: clearing DTCs, bi-directional actuator tests, ECU programming, key learning, module configuration, adaptations and relearns, service-mode functions like electric parking brake retraction.

What is AutoAuth and do I have to pay for it?

AutoAuth is the third-party service Stellantis uses to gate write access through the SGW. Your certified scan tool requests a session token via AutoAuth's servers, which check it against FCA's registry of approved tools. Cost is roughly $50/year per shop (up to five users, additional seats a few dollars each) or $50/year for an individual owner. The session lasts as long as the tool stays connected and the ignition stays on — it's not a one-time unlock.

Do generic ELM327 dongles or off-brand scanners work?

For read-only OBD-II, yes — anything that speaks ISO 15765 / generic OBD-II will read PIDs and DTCs. For anything that writes, no. AutoAuth only honors requests from tools FCA has whitelisted: Snap-on, Autel, Launch X431, Topdon, Xtool, Thinkcar, and a small set of others have certified models. Unbranded ELM327 dongles cannot authenticate.

Is bypassing the SGW legal?

On a vehicle you own, in most US jurisdictions, yes — the SGW is a manufacturer-installed security boundary, not a regulatory one like emissions-control hardware. Bypassing it may void manufacturer warranty on related modules, can affect insurance terms if disclosed, and reintroduces the original attack surface (relevant if the vehicle has cellular telematics like Uconnect). Right-to-repair legislation in some states is actively reshaping this landscape but as of 2026 the AutoAuth subscription model remains in force at the OEM level.

Why was the SGW introduced?

Largely in response to the 2015 Miller/Valasek remote Jeep Cherokee hack, where researchers compromised a vehicle over its cellular Uconnect connection and pivoted into the CAN bus to control steering, brakes, and transmission. The SGW is FCA's architectural answer: instead of trying to harden every ECU individually, isolate the external attack surface behind a single gatekeeper module.

[ Secure Gateway Module (SGW / SGM) ]

Q: Which vehicles have the Secure Gateway Module?

FCA (now Stellantis) began rolling out the SGW on some 2017-build vehicles sold as 2018 models, and by 2020 nearly the entire FCA US lineup includes one — Chrysler, Dodge, Jeep, Ram, and Alfa Romeo. Coverage is primarily North American; non-US-market vehicles often skip it. The simplest check is to plug a generic scanner in and try to clear a DTC: if it silently fails on a 2018+ FCA vehicle, the SGW is in play.

← back to Car Hacking

Reference notes on the Secure Gateway Module (SGW on Stellantis paperwork, SGM in the aftermarket) found on 2018+ FCA / Stellantis vehicles — what it is, what it gates at the OBD-II port, how the AutoAuth subscription path works, what physical bypass means, and how to decide between paying for a certified tool, paying for AutoAuth, or installing a hardware bypass. Written from the perspective of someone who actually works on these cars rather than someone trying to sell you a $5,000 scan tool.

[ What it is ]

The Secure Gateway Module is a dedicated security ECU that sits between the OBD-II port and the rest of the vehicle's CAN bus network. FCA (now Stellantis) began installing it on some 2017-build vehicles that came to market as 2018 models. By 2020 nearly the entire FCA US lineup ships with one — Chrysler, Dodge, Jeep, Ram, and Alfa Romeo. Coverage is primarily North American; non-US markets often skip it.

Physical location varies by model. Common spots: behind the glove box, under the dashboard near the steering column, or co-located with the Body Control Module. On Jeep platforms it's frequently behind the glove box near the same 13-way CAN connectors discussed in the DIY OBD-II Diagnostic Cable writeup — which is one reason that behind-the-glovebox access point is so useful for research work.

[ Why it exists ]

Largely a response to the 2015 Miller/Valasek Jeep Cherokee remote hack. Researchers compromised a vehicle over the cellular Uconnect connection and pivoted from the infotainment processor into the CAN bus, where they were able to control steering, brakes, and transmission behavior on a moving vehicle. The story made it onto the cover of Wired, prompted a 1.4M-vehicle recall, and forced the industry to take in-vehicle network segmentation seriously for the first time.

The SGW is FCA's architectural answer: rather than try to harden every individual ECU against a hostile attacker who has already reached the CAN bus, isolate the external attack surface (OBD-II port plus Uconnect telematics) behind one gatekeeper module that enforces policy on what crosses the boundary.

Conceptually it's the same idea as a network firewall. A chokepoint with one job: inspect requests, drop or forward based on policy, log if you care.

[ What's gated at the OBD-II port ]

Without authentication, a generic OBD-II scanner can still do everything that's read-only:

  Allowed without authentication
  ------------------------------
  - Read VIN
  - Read stored DTCs (fault codes)
  - Read pending and permanent DTCs
  - View live data / OBD-II PIDs (RPM, coolant temp, O2 sensors,
    short and long fuel trim, MAF, MAP, throttle position, etc.)
  - Read freeze-frame data captured at the time of a fault
  - Read readiness monitors
  - Read mode 06 on-board monitoring results

  Blocked without authentication
  ------------------------------
  - Clear / reset DTCs
  - Bi-directional control (actuator tests, forced regen,
    ABS bleeding routines, etc.)
  - ECU programming or coding of any module
  - Key fob programming
  - Module replacement / configuration
  - Adaptations and relearns (TPS, throttle body, transmission,
    steering angle sensor calibration, etc.)
  - Service-mode functions (electric parking brake retraction,
    suspension calibration, etc.)

The practical effect: a $30 ELM327 dongle and a free OBD-II app on your phone still gets you everything you'd need to chase down a check-engine light. But you can't clear the code afterward without authenticating.

[ How it works at the data layer ]

The OBD-II port no longer wires directly into the internal CAN-C and CAN-IHS buses. Traffic from the port terminates at the SGW first; the SGW decides what (if anything) gets forwarded to the buses behind it:

  [ scan tool ]
        |
        v
  [ OBD-II port ]
        |
        v
  [ SGW  ] -- check request type -----+
        |                              |
        |   if read-only PID           |  if write / actuator /
        |   or basic OBD-II            |  programming request
        v                              v
  [ CAN-C / CAN-IHS ]            [ check session auth ]
   (target ECU sees it)                 |
                                        v
                                  authenticated  --> forward
                                  not auth'd     --> drop or NRC

The SGW also acts as a MITM for the Uconnect head unit. The radio talks to the SGW, not to the powertrain bus directly — so a compromised infotainment processor can't reach the brake controller without going through SGW policy. That's the architectural lesson from the Cherokee hack made concrete.

Practically, when a request is dropped, you usually see either a silent failure (no response at all) or a UDS Negative Response Code, typically 7F <service> 33 (securityAccessDenied) or 7F <service> 7E (subFunctionNotSupportedInActiveSession). A scan tool will surface this as "command failed" or "vehicle communication error" depending on how charitable its UI is.

[ AutoAuth — the authentication path ]

Stellantis partnered with a third-party service called AutoAuth (autoauth.com) to gate write access. A certified scan tool, an active AutoAuth subscription, and a live internet connection are all required at the time of use — not a one-time unlock.

The authentication flow looks like this:

  1.  Tech plugs the certified scan tool into the OBD-II port.
  2.  Tool reads a challenge value from the SGW.
  3.  Tool relays the challenge to AutoAuth's servers over the
      shop's internet connection, along with the tech's account
      credentials.
  4.  AutoAuth verifies the credentials and confirms with FCA's
      registry that the tool serial is approved.
  5.  AutoAuth returns a response value to the scan tool.
  6.  Tool presents the response to the SGW; SGW unlocks the
      write-capable session for that ignition cycle.

  Session is valid until ignition off OR tool unplugged.

Cost as of 2026 is roughly $50/year per shop for up to five employees, with additional users at a few dollars each. Individual vehicle owners pay $50/year too. The tool itself must be FCA-certified — current supported brands include Snap-on, Autel, Launch X431, Topdon, Xtool, Thinkcar, and a few others. Generic ELM327 dongles and unbranded scanners cannot authenticate and never will, by design.

For full OEM-level work (key programming, full coding, ECU flashing, module replacement procedures), Stellantis's own wiTECH 2 is still the reference implementation and has direct SGW access without AutoAuth — but it requires a dealer-level subscription that's several orders of magnitude more expensive than the AutoAuth track.

[ Hardware bypass options ]

Because the SGW raises the bar for independent repair and modding, an aftermarket cottage industry has built physical bypass solutions. Three categories:

  12+8 conversion connector
  -------------------------
  A passive adapter cable that mates with the OBD-II port on
  one side and a 12+8 connector on the other. Re-routes the
  diagnostic pins to expose the internal CAN buses directly,
  bypassing the SGW's filtering. Most "SGW bypass cable" or
  "AutoAuth bypass cable" products listed on Amazon and eBay
  fall into this category. Plug in, work, unplug — non-permanent.

  Bypass harness
  --------------
  A more invasive solution: physically unplug the SGW from the
  vehicle and plug a passthrough harness into the gateway's
  vehicle-side connectors, restoring the pre-2018 direct-wired
  topology. Some harnesses retain the SGW in-line for state
  signaling but reroute its CAN connections.

  Permanent removal
  -----------------
  Some shops remove the SGW entirely on customer vehicles.
  This is the most reversible-looking option from a wiring
  standpoint but introduces compatibility risks with any
  module that expects the SGW present for state queries.

Caveats worth knowing before pulling the trigger:

  - Manufacturer warranty on related modules may be affected.
  - Some 2024+ vehicles have moved toward distributed gateway
    function across multiple modules; a single-point bypass
    doesn't fully work on those.
  - You're reintroducing the attack surface the SGW exists to
    mitigate. For a daily driver with active cellular telematics
    that's a real (if small) concern — the original Cherokee
    attack vector is now public and well-documented.
  - Some insurance policies have clauses around aftermarket
    modifications. Read yours before, not after.
  - If the vehicle gets stolen or involved in an incident, a
    bypass is exactly the sort of thing a forensics report will
    flag.

[ Practical guidance ]

How to decide which path makes sense for your use case:

  Just reading codes occasionally
  -------------------------------
  Any OBD-II scanner works. No SGW issue. A $20 ELM327 and a
  free phone app is sufficient. Don't overthink it.

  Occasional clear / bi-directional work on your own vehicle
  ----------------------------------------------------------
  Cheapest path is a low-end certified tool (Topdon TopScan,
  base Launch model) plus the $50/year AutoAuth subscription.
  Internet required at the time of use, so a phone hotspot
  works if you're in a driveway.

  Frequent professional / shop use
  --------------------------------
  Full-tier scan tool (Autel MaxiSYS, Launch X431 Pro, Snap-on
  Modis Edge / Zeus, etc.) plus AutoAuth shop subscription.
  This is standard shop equipment for any indie that touches
  FCA vehicles regularly post-2018.

  Heavy modification work / no reliable internet at the bay
  ---------------------------------------------------------
  Physical bypass harness makes more sense — no per-session
  auth, no recurring subscription, no internet dependency.
  Trade-off is everything in the caveats list above.

  OEM-level work (key programming, full coding, flashing)
  -------------------------------------------------------
  wiTECH 2 with a dealer-level subscription. AutoAuth doesn't
  cover the full surface. This is the path most independent
  locksmiths and tuners end up on if they specialize in FCA.

For research work specifically — sniffing, learning the bus layout, reverse-engineering message IDs — the SGW is largely irrelevant because direct CAN access via the behind-the-glovebox 13-way connectors (see DIY OBD-II cable writeup) bypasses it entirely. The SGW only gates traffic that arrives via the OBD-II port or the Uconnect head unit; internal taps don't cross that boundary.