Keyfob Boosting - Thefts

Disclaimer: Links on this page pointing to Amazon, eBay and other sites may include affiliate code. If you click them and make a purchase, we may earn a small commission.

Sungod661

Full Access Member
Joined
Aug 20, 2016
Posts
273
Reaction score
92
So to recap , fuse must be removed and blank or other key tried. Anyone going to try this??


Apparently opening the door with a stolen signal is not part of the equation because it is a separate system
 

OriginalToken

Full Access Member
Joined
Apr 17, 2018
Posts
180
Reaction score
155
RKE is unrelated to PATS. Two separate systems. Even if they get the doors to unlock, a completely separate interrogation method is required to enable engine start.

Is it actually a different method? Or is it just a different way of using the same or another similar method?

I have always had a curiosity for signals, so when I first got my truck a couple years back I briefly looked at the RF traffic, back and forth, between the truck and the fob. I did not exhaustively examine it, but I did sniff the RF to see if I could tell the basics of the system. I freely admit I made some assumptions and may have missed some signals, but I think I have the basics of it.

When I approach the vehicle and touch the inside of the door handle the vehicle appears to send a low power and low frequency (125 kHz) CW pulse and interrogate message, looking for the fob. I assume the interrogation message includes something like "I want to unlock the door" as well as a code to identify that it is indeed my truck. The fob then responds back with a UHF (centered on 903 MHz, but actually two different frequencies 950 kHz apart since the data appears both ASK and FSK) identification and command to open the door. I assume both directions are coded, with changing codes, since some of the data looks unique for each transmission burst. There is also, sometimes (maybe all the time but I have missed it?), a UHF response from the truck to the fob, depending on what you asked the truck to do, for example, to tell the fob that the truck did indeed start if you commanded a remote start.

When I press start in the cab the truck again interrogates on LF, the same 125 kHz. There is a response from the fob on UHF, but I suspect there is also a lower frequency, short range, response from the fob that I did not find. The lower freq fob response probably tells the truck the fob is physically inside the truck, I imagine by comparing the received power across multiple receive locations. Hmmm, might be a fun thing to look for that response while sheltering in place, if the weather ever turns nice.

So I asked myself a hypothetical, how would I defeat all this to steal a vehicle? Thinking that out can give you an insight into how you should safeguard things.

So, to boost the signal I can think of a couple of ways, one trick and digital, one trick and analog. Neither particularly difficult, but the required knowledge is probably not a common skill set.

Two boxes, A and B, one (A) near the truck, one (B) near the fob (say outside the bedroom wall or near the key bowl by the front door).

When someone activates the door handle, box A samples the low frequency signal, it then forwards the same signal, unmolested, on a different frequency, say something UHF near 400 MHz. This could be done digitally, using something like DRFM (Digital Radio Frequency Memory) or maybe just IQ data from an SDR, or it could be done analog, simply a set of filters, mixers, local oscillators and amplifiers. The end result is the same, the 125 kHz signal is now bumped up in power and on 400 MHz, but the data in it is unchanged.

Box B is near the fob. It takes the 400 MHz signal and reverses the actions of box A, it turns the 400 MHz into 125 kHz and radiates it, maybe even with more power than the truck uses, covering a longer range.

The fob then sees the "correct" 125 kHz signal, all the right coding and modulation in place, and sends the 903 MHz "open door" command. I doubt there is even a need to grab that signal, since it can work at a couple hundred feet. But if you need to, grab that signal in box B, convert it to some other frequency and bump up the power. Let box A look for that signal and reconvert it to 903 MHz right next to the truck.

So now you are in, easy enough.

The "start the vehicle" is a variation of the same thing. With box A inside the vehicle look for the interrogate from the truck, shift it to a different frequency, unchanged, and bump up the power so it makes it to box B. Box B then converts it back down, transmits it, and looks for the ID from the key, sends ID to box A, box A transmits it on the right frequency for the truck, and away you go.

Once you have the truck started drive it to wherever you want. Sure, as soon as you drive away (or turn off the box A/B pair, or move B away from the fob) the "no key" warning will come on, but the truck will continue to run just fine until you turn it off.

No cracking codes required, no knowing the cycle, no previous captures required. As far as the fob is concerned it is responding to the truck, on the right frequencies and with the right codes, because it is, just handled one extra time. As far as the truck is concerned it can't tell box A from the fob since box A is just sending an exact copy of what the fob is sending in response to the truck.

The concept is not hard or complex at all. Implementation may take a bit more effort then I have implied, but should be imminently doable. The rig would not be all that expensive to build, something like a pair of HackRF Ones (to handle the RF duties), associated antennas, a 192 kHz sound card, and a Raspberry Pi 4 at each end, and some unique code to drive it all. Maybe a grand for each end, unless you are willing to use Chinese knock-offs, then under a grand for everything.

My above description and (possible) understanding is the results of less than 30 minutes sniffing the vehicle and the fob, a couple of years ago. I freely admit I may have missed something big, if so don't be afraid to correct me, life is a learning experience and I park my ego at the modem before I go online. Regardless, I feel that I will be spending some more time on this with the spectrum gear this weekend.

But yeah, I am having a little problem with that unprogrammed key and fuse thing, I just don't see how that could work, and oh so many ways it can't. But I have a ****** key here, and would be glad to try it out ;)


T!
 
Last edited:

Droid

kglesq's Brother
Joined
Sep 25, 2010
Posts
1,483
Reaction score
753
I just ordered a blank key off ebay. Should be here next week.

And not just doing it for this... I've been wanting a third key regardless to keep locked up in truck *without* a battery. Would hate to lose my key in a "yard sale" crash while mountain biking and then get stuck at the trailhead. With the RF key I'm not comfortable leaving it in the truck like I did with my 2011.
 

Droid

kglesq's Brother
Joined
Sep 25, 2010
Posts
1,483
Reaction score
753
Extra key showed up today. As hoped, it doesn't work. The cell modem fuse is pulled on my truck (since day 1). I left both my original keys inside house (well out of range) and unlocked truck using keypad code. Inserted blank fob into cupholder slot, got "No Key Detected" message as would be expected.

I imagine for this hack to work the key needs to be programmed using the code with that retrieved from an intercepted signal, and pulling fuse resets rolling code such that it can reuse an existing code.

Let me know if there's anything else I should try...otherwise going to program this key to truck in a couple days.
 

smurfslayer

Be vewwy, vewwy quiet. We’re hunting sasquatch77
Joined
Dec 16, 2016
Posts
16,074
Reaction score
23,565
Extra key showed up today. As hoped, it doesn't work. The cell modem fuse is pulled on my truck (since day 1). I left both my original keys inside house (well out of range) and unlocked truck using keypad code. Inserted blank fob into cupholder slot, got "No Key Detected" message as would be expected.

I imagine for this hack to work the key needs to be programmed using the code with that retrieved from an intercepted signal, and pulling fuse resets rolling code such that it can reuse an existing code.

Let me know if there's anything else I should try...otherwise going to program this key to truck in a couple days.

I’d imagine key pad entry may follow a different circuit path. i think the closest to replication would be to have a programmed key close by to open the door to mimic the intercepted signal, pull the fuse and insert the unprogrammed key to retest, but that’s just a guess.
 

FordTechOne

FRF Addict
Joined
Jul 29, 2019
Posts
6,398
Reaction score
12,499
Location
Detroit
Is it actually a different method? Or is it just a different way of using the same or another similar method?

Two different methods of operation. Reference my earlier post in this thread: https://www.fordraptorforum.com/threads/keyfob-boosting-thefts.70381/page-9#post-1465761

RKE

The Remote Keyless Entry (RKE) feature incorporates the BCM and RTM. The RTM receives the Transmitter Identification Code (TIC) from the RKE, interprets the information, and sends a message to the BCM over a private LIN circuit as well as the CAN. If the BCM determines that the key is a valid programmed key, it carries out the requested command.

PATS


When the BCM detects the START/STOP button is pressed, it begins the key initialization sequence by activating the PATS center antenna, the PATS rear antenna and both exterior door handle keyless entry antennas. Each antenna transmits a low frequency signal with an approximate range of 1 m (3 ft). The passive key activates if it is within range of the antennas. When the passive key activates, it sends the PATS identification code to the RTM via a high frequency signal. The RTM interprets the high frequency signal from the passive key and sends the information to the BCM over the LIN.

In the case of PATS, the key needs to be activated by the antennas before it transmits the PATS ID code to the RTM. This prevents the key fob from constantly transmitting the PATS data when it is not near the vehicle.

The "start the vehicle" is a variation of the same thing. With box A inside the vehicle look for the interrogate from the truck, shift it to a different frequency, unchanged, and bump up the power so it makes it to box B. Box B then converts it back down, transmits it, and looks for the ID from the key, sends ID to box A, box A transmits it on the right frequency for the truck, and away you go.

Once you have the truck started drive it to wherever you want. Sure, as soon as you drive away (or turn off the box A/B pair, or move B away from the fob) the "no key" warning will come on, but the truck will continue to run just fine until you turn it off.

No cracking codes required, no knowing the cycle, no previous captures required. As far as the fob is concerned it is responding to the truck, on the right frequencies and with the right codes, because it is, just handled one extra time. As far as the truck is concerned it can't tell box A from the fob since box A is just sending an exact copy of what the fob is sending in response to the truck.

The concept is not hard or complex at all. Implementation may take a bit more effort then I have implied, but should be imminently doable. The rig would not be all that expensive to build, something like a pair of HackRF Ones (to handle the RF duties), associated antennas, a 192 kHz sound card, and a Raspberry Pi 4 at each end, and some unique code to drive it all. Maybe a grand for each end, unless you are willing to use Chinese knock-offs, then under a grand for everything.

My above description and (possible) understanding is the results of less than 30 minutes sniffing the vehicle and the fob, a couple of years ago. I freely admit I may have missed something big, if so don't be afraid to correct me, life is a learning experience and I park my ego at the modem before I go online. Regardless, I feel that I will be spending some more time on this with the spectrum gear this weekend.

But yeah, I am having a little problem with that unprogrammed key and fuse thing, I just don't see how that could work, and oh so many ways it can't. But I have a ****** key here, and would be glad to try it out ;)T!

This guy tried it with equipment as you describe. He was only able to get access to the vehicle if 2 programmed key fobs were used in sequence, which is not a likely real-world scenario.

https://www.rtl-sdr.com/hak5-hacking-ford-key-fobs-with-a-hackrf-and-portapack/[/QUOTE]
 

Droid

kglesq's Brother
Joined
Sep 25, 2010
Posts
1,483
Reaction score
753
I’d imagine key pad entry may follow a different circuit path. i think the closest to replication would be to have a programmed key close by to open the door to mimic the intercepted signal, pull the fuse and insert the unprogrammed key to retest, but that’s just a guess.

Tried unlocking it with programmed fob, then putting blank key in reader, "no key detected" again.
 

OriginalToken

Full Access Member
Joined
Apr 17, 2018
Posts
180
Reaction score
155
Two different methods of operation. Reference my earlier post in this thread: https://www.fordraptorforum.com/threads/keyfob-boosting-thefts.70381/page-9#post-1465761

RKE

The Remote Keyless Entry (RKE) feature incorporates the BCM and RTM. The RTM receives the Transmitter Identification Code (TIC) from the RKE, interprets the information, and sends a message to the BCM over a private LIN circuit as well as the CAN. If the BCM determines that the key is a valid programmed key, it carries out the requested command.

PATS


When the BCM detects the START/STOP button is pressed, it begins the key initialization sequence by activating the PATS center antenna, the PATS rear antenna and both exterior door handle keyless entry antennas. Each antenna transmits a low frequency signal with an approximate range of 1 m (3 ft). The passive key activates if it is within range of the antennas. When the passive key activates, it sends the PATS identification code to the RTM via a high frequency signal. The RTM interprets the high frequency signal from the passive key and sends the information to the BCM over the LIN.

In the case of PATS, the key needs to be activated by the antennas before it transmits the PATS ID code to the RTM. This prevents the key fob from constantly transmitting the PATS data when it is not near the vehicle.

I don't think we are saying different things, but I may be describing things with the wrong names or terminology.

From my observations:

I am not talking about the RKE part of the operation. I.e. when you send an unlock command from in the house. That only happens on 903 MHz and will happen assuming the key fob sends the right ID and code. As far as I known, there is no low frequency component in this action. There may be a high frequency (UHF) response from the truck to the fob, under some conditions. I suspect this is how the fob can give you the green or red lights on remote start, to indicate success or failure.

What I was talking about was what happens when you touch the door handle.

Touching the door handle causes the truck to send a low frequency, 125 kHz, short range interrogate signal to the fob. If the fob is in range, the fob then sends an ID and unlock to the truck on UHF, in my case 903 MHz. This is the same kind of low frequency 125 kHz signal sent when the PATS sends. I mean it may not be the same content, or from the same antennas, but it is on the same frequency and the fob is looking for the same type of signal.

I suspect, but am not sure, just based on my signal strength measurements, that the 125 kHz signal sent when you touch the door handle is from the doors, and the 125 kHz signal sent on START / STOP is from the center console. But I did not pursue this very far, so I am not 100% on that. Regardless, it is a very similar signal used two different ways.

The fob then sends a 903 MHz signal in response, presumably with the right ID and content.

I think we are saying the same thing, but I am probably not using the right names. Like I said, that was what I gathered from sniffing the RF with a receiver.

This guy tried it with equipment as you describe. He was only able to get access to the vehicle if 2 programmed key fobs were used in sequence, which is not a likely real-world scenario.

https://www.rtl-sdr.com/hak5-hacking-ford-key-fobs-with-a-hackrf-and-portapack/

No, he was not doing what I was describing, he was capturing the rolling code, the technique I was talking about does not care or capture the code. (I think) He needed the second key fob because he first used the jamming technique that ends up with the car locking the jammed key fob out, black listing that fob until the unit is reprogrammed, and restarting the rolling code.

What I was talking about was receiving and forwarding the low frequency, 125 kHz, signal, unchanged, on another frequency, then converting it back down to 125 kHz to be applied to the real registered key fob. It would not allow me to keep controlling, sending the right codes, after leaving the area of the registered fob, but it would allow the registered fob to respond to the low frequency, short range, interrogate signal at long ranges. If done correctly the registered key fob would receive the low frequency, 125 kHz, signal that you forwarded, on 125 kHz, and respond. It would have no concept that it was beyond the range of the truck LF signal.

T!
 

Xtinct

Full Access Member
Joined
Jan 14, 2017
Posts
383
Reaction score
249
Location
Nebraska
IMG-20200314-WA0008.jpeg
I won’t explain in detail
How it’s done For fear of some scum bag using my post but I can say it is Most definitely a oversight on Ford’s part. Install a kill switch for the fuel pump (kick plate 40 pin connector , yellow wire ) will take 15 mins and cost 40$ max and you will definitely have a little more piece of mind, and get a tracking device there’s many without any monthly service charges. 80k truck and I thought I was good by being vigilant and having ford pass and alarm. That’s a mistake

After reading this I am glad I did not take the advice on this forum and instead installed a new Viper system. Fuel cut is installed as well to completely power off vehicle at all times. I went so far as to rework FordPass so I can use it to remotely kill the truck.

But are you saying there is an easy way to pull a fuse to turn off FordPass? If so, we may want to give that circuit some alternate power.


Above is the Raptor chip after cutting the board down, removing buttons, removing battery. I will stuff it in the Digital Viper remote FOB. Its dimensions will be smaller overall then the factory FOB and it will have have 1 mile 2-way confirmation range.
 
Top