Gateway Pass Thru: Access to protected control units

The increasing networking of modern commercial vehicles has a consequence that directly affects independent workshops. This is because more and more control units are protected by a so-called security gateway (SGW). This gateway prevents uncontrolled access to safety-relevant systems such as engine control, brake control or immobiliser. For the workshop, this means that there is no write access, no calibration and no software updates without authenticated authorisation. The legal framework for access to manufacturer-specific repair and maintenance information is set by the RMI Regulation (EU 2018/858). In addition, Gateway Pass Thru solutions must fulfil the electromagnetic compatibility requirements of ECE R10 (EMC of vehicles) in order to avoid repercussions on the vehicle bus. Information on OE access via manufacturer-specific portals can also be found in the article OEM system access - both paths coexist.

Gateway Pass Thru technology offers a complementary approach here. It enables session-based authenticated access to the control units behind the security gateway - via the existing multi-brand diagnostics system and an internet connection to the OEM backend. The topic is particularly relevant for E-truck service, where almost every control unit is behind safety gateways. This article therefore explains the technology, the support provided by the manufacturers, the role of SERMI and the practical implementation in the workshop - equally relevant for independent multi-brand workshops and for OE workshops that are expanding their range of brands. Accredited testing organisations also document the effects in their current industry reports.

Gateway Pass Thru is a session-based procedure. It opens access to ECUs behind the internal vehicle gateway via a multi-brand VCI and an authenticated connection to the respective OEM backend. It addresses the security layer that has been securing protected ECUs at many manufacturers since around 2017.

The basic principle is relatively simple: the security gateway in the vehicle protects access to security-relevant control units. In order to authorise access in accordance with the RMI framework, the workshop first authenticates itself to the OEM server - the method provided by the manufacturer. Pass Thru technology uses the existing multi-brand VCI (Vehicle Communication Interface) as a „pass-through“ - hence the name. The VCI connects to the vehicle (via OBD) on the one hand and to the OEM backend via the Internet on the other. The OEM server then recognises the authenticated workshop and sends an activation token to the security gateway, which then enables access for the duration of the session. If you would like to delve deeper, you can also find more information in the article on Modern truck diagnostics Further information.

Pass Thru support is widespread among major commercial vehicle manufacturers. However, the range of functions and technical implementation vary depending on the manufacturer. Some manufacturers link access to the standardised SAE J2534 interface, while others use manufacturer-specific protocols in conjunction with their own portal and defined VCI hardware. Which technical interface a specific vehicle requires is therefore clarified on a case-by-case basis via the respective manufacturer portal.

Session-based pass thru and manufacturer-specific OE access are different tools with different application scenarios. Which method is suitable in each individual case depends on the volume, brand mix and order depth. Consequently, both methods typically coexist in the multi-brand workshop.

SERMI certification (Security-Related Repair and Maintenance Information) has been mandatory throughout Europe since 2023 for access to security-relevant control units - immobilisers, anti-theft devices, key programming. Without SERMI certification, you will therefore not be granted access to these systems via Pass Thru - regardless of whether you are registered and willing to pay.

• Application: You apply for certification from a nationally accredited Conformity Assessment Body (CAB). The evidence required - trade registration, extract from the commercial register, proof of identity of the applicant, proof of good repute - depends on the respective national implementation; the recognised CABs can also be accessed via the central SERMI platform.
• Identity check: Personal identification of the applicant by the accredited body. This is usually done on site or via Video-Ident.
• background check: Verification of good repute and additional documents in accordance with national regulations. The applicant must not have any relevant criminal convictions.
• Certificate issue: If the result is positive, a digital certificate is then issued, which is integrated into the OEM portals and Pass Thru systems. Period of validity: three years.

To be able to use Gateway Pass Thru in your workshop, you must fulfil the following requirements:

• Multi-brand diagnostic system: A current system with Pass Thru support. In the Alltrucks system, the Alltrucks multi-brand diagnostics / Alltrucks KTS Truck V3 (Bosch + Knorr-Bremse integration) - see also the article on Bosch ESI[tronic].
• Compatible VCI: The Vehicle Communication Interface must support the Pass Thru function in terms of hardware and software.
• Manufacturer portal registration: For each relevant manufacturer, registration with a user account and stored means of payment is also required (one-off, registration itself is usually free of charge).
• PIN authorisations for trailer systems: Manufacturer-side PIN authorisations are used for certain trailer functions - specifically Bosch PIN 2 (Trailer) and Knorr-Bremse PIN TEBS 4, The Alltrucks structure can be accessed by Alltrucks partners. In addition, for the trailer configuration of Knorr-Bremse systems, the OCT (Online Communication Tool) relevant.
• SERMI certification: SERMI certification is mandatory for access to safety-relevant systems.
• Stable internet connection: At least 50 Mbit/s, ideally wired. The connection should also be uninterrupted for software updates.
• Trained staff: Employees must be familiar with the Pass Thru function and the respective manufacturer protocols. This is because operating errors can damage control units.

Session-based pass thru and manufacturer-specific OE accesses address different application scenarios. The session-based method is particularly useful if access to protected control units of a specific brand is required only occasionally. Dedicated OE access, on the other hand, is more suitable for high order volumes with low functional requirements for a single brand. In practice, many multi-brand workshops therefore combine both methods; the selection is based on the brand mix of the business. If you would like to delve deeper into order economics, you will also find more information in the article on Contribution margin per order Further information.

You can also read more about direct OE access via manufacturer portals in the article OEM system access. The choice between session-based billing and continuous access depends on the specific vehicle range and order profile.

In addition, it is worth taking a look at which diagnoses a current Multi-brand diagnostic system is already covered without Pass Thru. In practice, a large proportion of workshop tasks can be processed without Pass Thru; for the tasks behind the Security Gateway, the session-based model therefore supplements the diagnostic setup.