I'm not doubting your truck was stolen, but there is certainly more to this story than what meets the eye. Everything that you described the thief doing will not allow a thief to drive off with the vehicle. It goes against the way that the vehicle is designed.
In the article posted earlier in the thread, the author even indicates that the immobilizer isn't disabled even if the thief can get the vehicle to unlock:
"Through a radio frequency capture-and-manipulation technique he described to The Parallax, Dale “Woody” Wooden, the founder and president of Weathered Security, says a hacker could unlock a Ford vehicle, interfere with its onboard computer systems, and even start its engine. A successful hack on its own isn’t likely to result in stolen vehicles, however: Wooden’s exploit does not deactivate a car’s immobilizer."
PATS and RKE are two separate systems. Here is how RKE functions:
RKE
The RKE feature is controlled by the BCM. When a button is pressed, the Transmitter Identification Code (TIC) and RKE command is received by the RTM. The RTM interprets the information and sends a message to the BCM over a LIN circuit, and when the network is awake over the CAN. If the BCM detects a valid programmed key, it carries out the command by controlling the door locks, releasing the tailgate latch or activating the horn or turn signals as required.
The RKE system can be used to:
- unlock the driver door.
- unlock all doors (and the tailgate).
- lock all doors (and the tailgate).
- release the tailgate latch (tailgate release button must be pressed twice within 3 seconds) (if equipped).
- arm/disarm the perimeter alarm.
- activate/deactivate the panic alarm.
- remotely start the vehicle.
- configure the staged lock programming (2-stage unlock or global unlock).
The RKE transmitters for an IKT have a normal operating range of 20m (66 ft) in an open air, no obstruction environment.
The RKE transmitters for a passive key have a normal operating range of 50m (165 ft) in an open air, no obstruction environment.
The RKE transmitters and the BCM also utilize a rolling code to prevent the code from being captured by a code grabber. The system advances the counter in the RKE transmitter and the BCM every time a RKE transmitter button is pressed.
The hacker in the article describes capturing the code transmitted by the RKE and re-sending it. The counter in the BCM and RKE advance each time a button is pressed. Therefore, the BCM is designed to ignore a signal that has a duplicate code. This is why the hacker needs BOTH programmed key fobs to be activated (button pressed) to copy the signal. Most people do not carry both programmed keys and then alternate between using one and then the other at the same time.
This is how the Passive Anti-Theft System (PATS) immobilizer works:
PATS
The PATS function is controlled by the BCM and the PCM.
When the START/STOP button is pressed, a signal is sent to the BCM. When the BCM detects the START/STOP button is pressed, it begins the key initialization sequence by activating the PATS center antenna, the PATS rear antenna and both exterior door handle keyless entry antennas. Each antenna transmits a low frequency signal with an approximate range of 1 m (3 ft). The passive key activates if it is within range of the antennas. The BCM is able to determine the passive key location (inside or outside the vehicle) based on the input from the antennas.
When the passive key activates, it sends the PATS identification code to the RTM via a high frequency signal. The RTM interprets the high frequency signal from the passive key and sends the information to the BCM over the LIN-based circuit.
If a valid programmed passive key is detected inside the vehicle, the BCM transitions the ignition out of off.
When the ignition transitions out of off and the modules initialize, the PCM sends a challenge request to the BCM. The BCM replies and if the correct identification is received, the PATS disables and allows the vehicle to start. If the PATS prevents the vehicle from starting, a DTC sets in one of the modules.
The PATS and the RKE system share operation of several components including the passive keys, the BCM and the RTM.
If there is a concern with any of these components, the PATS and the RKE system are both affected.
In the event of a no start, place a programmed passive key in the backup location to allow the vehicle to start. The PATS center antenna activates the passive key when the START/STOP button is pressed in the event the batteries are depleted within the passive key.
NOTE: If available as a selection on the scan tool, the passive start feature is a programmable parameter and can be enabled/disabled. If the feature is disabled, the features to passively enter and start the vehicle are inoperative. To start the vehicle, the passive key must be placed in the backup starting location.
The BCM controls the ignition modes and, in conjunction with the PCM, control the PATS.
The important part to note here is that the BCM needs to recognize the programmed key and the key ID is stored in BOTH the BCM and PCM. You cannot simply pull a fuse, place a blank key in the vehicle, and have it start. There are no parameters within the software that allow for such a procedure to work. Even if you could manage to gain access to the BCM and hack it, the PCM is still going to reject the information from the BCM when the challenge request is carried out. The only way to program the PCM with the new identification code is to perform a Parameter Reset, which requires IDS and coded security access - meaning valid FMC login credentials. Also, none of these procedures can be performed if the vehicle's alarm is activated. If a scan tool is connected to the DLC and the BCM detects CAN traffic, it will activate the alarm and lock itself out from programming attempts.
Customers lose their IA keys on a regular basis and need to go to the dealer to have new keys programmed. If it was as easy as pulling a fuse and placing a blank key in the backup slot, that is what technicians would be doing. Instead, if the alarm cannot be deactivated using the leyless entry keypad/Ford Pass, the BCM needs to be replaced. That is not something a thief is going to carry out in a parking lot.
Here are my questions for Sungod661:
1. Is it possible you left a spare key fob somewhere in the truck? I had a friend who did this with his fusion, he left the car unlocked and had a spark IA fob in the glove box. The thieves opened the car, pressed the start/stop button, and took off.
2. What is the extent of your aftermarket modifications? Anything electronic or tied into the network?
3. Have you had your vehicle in for service lately? A shady technician could easily program a spare key using IDS. Also, if you keep both keys together, anyone can add a spare key by following a very simple procedure that only takes a few minutes.
