5thGenRams Forums


Car Thieves key fob hack

klail

Well-Known Member
Joined
Feb 5, 2019
Messages
269
Reaction score
187
Location
Meridian, ID
Can I leave my fob at home inside my foil hat and just use the app when I am out and about?
Sure!! BUT good luck putting your truck into drive without the fob. I haven't tried it but I doubt you will be able to do so.
 

Electrical

Ram Guru
Joined
Dec 16, 2018
Messages
755
Reaction score
462
Rolling codes are in the RF transmission; no worries there regarding these type of hacks.... hence my "baloney" comment. Although not mentioned in the OP, but everybody caught except me, that article is talking about capturing the LF signal and mimicking key fob proximity. I'm not sure if any coded security features are present here. Grinch nailed it. LF is only "capturable" at a meter or two.

Rare but possible. You need to leave the key somewhere in the house where the thieves can get close enough to detect the low energy signal, say hanging against an outside wall or right next to the front door. I hang my keys in the center of my house making this impossible.
 

Maple

Active Member
Joined
Nov 6, 2018
Messages
170
Reaction score
128
Sure!! BUT good luck putting your truck into drive without the fob. I haven't tried it but I doubt you will be able to do so.
You can. My sister took my dad's ram to the store, just left it running while she ran inside when she realized that she didn't have the fob. I don't recommend trying it if you don't live in a little tiny town. ;)
 

edrclark

Moderator
Staff member
Site Supporter & Order Tracking
Site Supporter
Joined
Feb 7, 2018
Messages
1,284
Reaction score
885
Location
Portland, Oregon
Nope. Not true. Start your truck and throw the fob out the window. You can drive as long as you want, just don't turn off the truck!

I honestly have never tried that and now I don’t have to (y)
 

FirstTimeRamDriver

Well-Known Member
Joined
Jan 26, 2019
Messages
332
Reaction score
249
First I've heard of any vehicle killing a running engine after being started with the fob. You sure it works this way?

You are right, I stand corrected. I got it confused with another GM vehicle of mine that can be slowed down by OnStar if it was stolen
 

DM-SC

Active Member
Joined
Mar 3, 2019
Messages
127
Reaction score
118
Only as long as the two radios are in range
From what I've read about it, the device mimics the fob until it's turned off or changed to grab another fob's frequency.

I'm no expert. Just going off of what I've read, so...

 

edrclark

Moderator
Staff member
Site Supporter & Order Tracking
Site Supporter
Joined
Feb 7, 2018
Messages
1,284
Reaction score
885
Location
Portland, Oregon
One radio picks up the signal coming from the fob and rebroadcasts it to another radio by the vehicle. If the distance becomes too great between the two radios, the truck will lose the fob. The distance this works depends on the output power of the radios, and whatever obstacles are between the two radios. I would think the first building you went behind would kill the signal. The signal from the fob constantly changes based on feedback from the truck.
 

DM-SC

Active Member
Joined
Mar 3, 2019
Messages
127
Reaction score
118
My understanding of the device is that it mimics the fob, after it determines the fob's frequency. The device sends the commands to the vehicle.

If it is merely repeating the signal from the fob, then the unlock/start commands would have to be initiated by the actual fob.

But, like I said, I'm just parroting what I've read about it.

 

NoRamForUconnect

Active Member
Joined
Nov 7, 2018
Messages
51
Reaction score
24
Location
Guilford, CT
Rare but possible. You need to leave the key somewhere in the house where the thieves can get close enough to detect the low energy signal, say hanging against an outside wall or right next to the front door. I hang my keys in the center of my house making this impossible.
Half the people on this forum's keys don't work when they are in the car, what makes you think they can get signal through your house wall. :)
 

edrclark

Moderator
Staff member
Site Supporter & Order Tracking
Site Supporter
Joined
Feb 7, 2018
Messages
1,284
Reaction score
885
Location
Portland, Oregon
My understanding of the device is that it mimics the fob, after it determines the fob's frequency. The device sends the commands to the vehicle.

If it is merely repeating the signal from the fob, then the unlock/start commands would have to be initiated by the actual fob.

But, like I said, I'm just parroting what I've read about it.

As the information exchanged between the fob and vehicle is encrypted and is frequency agile, just knowing the initial frequency is of limited use.
 

grinch72

Well-Known Member
Joined
Sep 22, 2018
Messages
407
Reaction score
290
Half the people on this forum's keys don't work when they are in the car, what makes you think they can get signal through your house wall. :)
I can sit my fob on my kitchen table and park in my driveway right next to it. The doors will unlock with the fob inside. Truck won't start but the signal is strong enough to unlock the door!
 

NoRamForUconnect

Active Member
Joined
Nov 7, 2018
Messages
51
Reaction score
24
Location
Guilford, CT
I can sit my fob on my kitchen table and park in my driveway right next to it. The doors will unlock with the fob inside. Truck won't start but the signal is strong enough to unlock the door!
That's strange, the fob doesn't transmit multiple signals, so if it unlocks the door shouldn't it start the truck too?
 

grinch72

Well-Known Member
Joined
Sep 22, 2018
Messages
407
Reaction score
290
That's strange, the fob doesn't transmit multiple signals, so if it unlocks the door shouldn't it start the truck too?
It must use some sort of power meter if you will to determine how close it is to the truck. I can place my fob outside of the truck on the roof, etc and my truck won't start BUT it will unlock with the fob feet away! Craziness. I'd be curious if you tried the same, what your results were!
 

Chris

Active Member
Joined
Aug 6, 2018
Messages
189
Reaction score
152
Location
Southern NH
I’m not an expert on radio frequencies nor do I know for certain what Ram uses, but I think you are overthinking the entire concept of the fob; I do not think the fob sends a constant signal at all, or else I think the fob battery would die much more quickly by constantly transmitting a signal at least a half dozen feet and through clothing and often body parts.

Instead, I think it has a LF receiver and an HF transmitter; the truck itself sends a low power LF signal when you grab a handle, then listens for a response; the signal is specifically designed to only travel a short distance, so the fob must be “near” by.

When the fob receives this signal, it sends a HF response, which the truck detects before unlocking. If the fob doesn’t send the response, the truck doesn’t unlock. Same thing with ignition, except the truck uses a different transmitter and strength so the signal is only sent inside the cab.

What these “hacking” devices do is listen for the LF signal the vehicle sends, then amplify and repeat it over a long distance so your fob can detect it and send a response. Since the fob doesn’t transmit without getting a signal first, it can’t just copy your fob by being near it. Since it essentially only clones and repeats a signal, the device can be fairly simple and cheap.

If this is wrong, I would appreciate a technical article directly from a vehicle manufacturer that describes the technology instead. If a technical article isn’t available, then it is just as likely and irrefutable that the device works by calling out to aliens, who then cloak and teleport into your vehicle to unlock it for you as anything else anyone claims.
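
Added example (not part of any post in this thread, and not Ram's actual implementation): a toy Python model of the LF-challenge / RF-response exchange described above. It shows why a recorded response is useless against a fresh challenge, why a live relay still succeeds, and why a shielded fob defeats the relay. HMAC-SHA256, the 2 m LF range, and all class and function names are assumptions made for illustration; the relay is assumed to be close enough to the fob to reach it.

```python
import hashlib
import hmac
import os

LF_RANGE_M = 2.0  # assumed LF reach, from "a meter or two" in the thread


class Fob:
    def __init__(self, key, shielded=False):
        self.key, self.shielded = key, shielded

    def on_lf_challenge(self, challenge):
        """Silent until an LF challenge arrives, then answers over RF."""
        if self.shielded:  # pouch or tin blocks the LF wake-up signal
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Truck:
    def __init__(self, key):
        self.key = key

    def handle_touched(self, deliver_lf):
        """Send a fresh challenge; unlock only on a matching response."""
        challenge = os.urandom(16)
        response = deliver_lf(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return response is not None and hmac.compare_digest(expected, response)


def direct_link(fob, distance_m):
    """Normal case: the fob hears the LF only inside LF_RANGE_M."""
    return lambda ch: fob.on_lf_challenge(ch) if distance_m <= LF_RANGE_M else None


def relayed_link(fob):
    """Relay pair: the challenge reaches the fob regardless of distance."""
    return lambda ch: fob.on_lf_challenge(ch)


def run_scenarios():
    key = os.urandom(32)  # constructed shared secret, not a real key
    truck, fob = Truck(key), Fob(key)
    recorded = fob.on_lf_challenge(os.urandom(16))  # answer to an OLD challenge
    return {
        "fob_in_pocket": truck.handle_touched(direct_link(fob, 0.5)),
        "fob_in_house": truck.handle_touched(direct_link(fob, 10.0)),
        "replayed_old_response": truck.handle_touched(lambda ch: recorded),
        "live_relay": truck.handle_touched(relayed_link(fob)),
        "relay_fob_shielded": truck.handle_touched(relayed_link(Fob(key, True))),
    }
```

In this model the cryptography never fails; the relay works only because the truck treats "a valid response arrived" as proof that the fob is nearby.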
 

Electrical

Ram Guru
Joined
Dec 16, 2018
Messages
755
Reaction score
462
From what I've read about it, the device mimics the fob until it's turned off or changed to grab another fob's frequency. I'm no expert. Just going off of what I've read, so...

My understanding of the device is that it mimics the fob, after it determines the fob's frequency. The device sends the commands to the vehicle. If it is merely repeating the signal from the fob, then the unlock/start commands would have to be initiated by the actual fob. But, like I said, I'm just parroting what I've read about it.

Fob frequencies are fixed: RF transmits at 433MHz, LF at 125kHz. The device is not mimicking a frequency, it's mimicking a "data packet". If the hacking device precisely repeats this packet, the truck will believe the key fob is near and it will do anything as when the fob is actually present. That's the theory anyway.


I can sit my fob on my kitchen table and park in my driveway right next to it. The doors will unlock with the fob inside. Truck won't start but the signal is strong enough to unlock the door!

That's strange, the fob doesn't transmit multiple signals, so if it unlocks the door shouldn't it start the truck too?

Confusing the RF and LF? Pressing a button is RF... with a range of 50 to 100 feet (capable of more but limited to conserve battery life). Fob detection, on the other hand, is LF with a range of only a few feet. Pressing a button to unlock the door is different from the truck detecting a fob nearby, which would then allow the truck to be started.


It must use some sort of power meter if you will to determine how close it is to the truck. I can place my fob outside of the truck on the roof, etc and my truck won't start BUT it will unlock with the fob feet away! Craziness. I'd be curious if you tried the same, what your results were!

Cool observation! Power meter... in the sense of antenna directionality. It makes sense that antenna patterns were not directed towards the top of the truck as this is not a likely place for the fob to be detected.


I’m not an expert on radio frequencies nor do I know for certain what Ram uses, but I think you are overthinking the entire concept of the fob; I do not think the fob sends a constant signal at all, or else I think the fob battery would die much more quickly by constantly transmitting a signal at least a half dozen feet and through clothing and often body parts.

Instead, I think it has a LF receiver and an HF transmitter; the truck itself sends a low power LF signal when you grab a handle, then listens for a response; the signal is specifically designed to only travel a short distance, so the fob must be “near” by.

When the fob receives this signal, it sends a HF response, which the truck detects before unlocking. If the fob doesn’t send the response, the truck doesn’t unlock. Same thing with ignition, except the truck uses a different transmitter and strength so the signal is only sent inside the cab.

What these “hacking” devices do is listen for the LF signal the vehicle sends, then amplify and repeat it over a long distance so your fob can detect it and send a response. Since the fob doesn’t transmit without getting a signal first, it can’t just copy your fob by being near it. Since it essentially only clones and repeats a signal, the device can be fairly simple and cheap.

If this is wrong, I would appreciate a technical article directly from a vehicle manufacturer that describes the technology instead. If a technical article isn’t available, then it is just as likely and irrefutable that the device works by calling out to aliens, who then cloak and teleport into your vehicle to unlock it for you as anything else anyone claims.

I finally broke down and reviewed the Techconnect document @Neurobit posted. Sure enough, this is how the Ram's passive entry system is described. That document appears to say the keyfob is INACTIVE on both LF and RF until some action is taken by the owner, such as pressing a button or touching a passive entry door handle. So, the fob *should* not be sending out constant LF packets for someone to steal.

However, this Techconnect document is not a fully-featured service document and lots of information is simply not present. It says the RF Hub in the truck has two LF connections: 1) an LF antenna output circuit and 2) an LF antenna return circuit. What is this return circuit and where is that signal coming from? Overall I agree we have nothing to worry about, but my statement comes from a limited knowledge of the Ram's system.

One last comment. If the fob were consistently sending LF packets, the battery would surely have a shorter life than if it didn't do this. However, doing so and maintaining a reasonable life are not necessarily exclusive. After all, TPMS sensors consistently send tire pressure data (when the wheel is rolling); this, on the RF, with enough power to transmit through the tire, the wheel well, the fire wall, and whatever else. If coded efficiently, TPMS sensors can be made with reasonably safe transmit intervals of just a few seconds and still have a theoretical 8 to 10 year lifespan. I've personally done power budgets on these things. That Techconnect document estimates key fob battery life at about 3 years, which seems low to me... and makes me wonder what else is it spending its battery juice on?
 

slimchance

Well-Known Member
Joined
Nov 10, 2018
Messages
310
Reaction score
265
Location
lancaster, pa
here is another twist .. yesterday i washed my trk using one of those blue bristle brushes and when i was washing the driver or passenger door i noticed the lock post/button on the inside of the door going up and down ... every time i made a pass on the door the button would react, it was quite funny ... it's kinda like the truck was huxxing the brush .. so, you do not have to touch the door handle unlock area for the truck to unlock and no the door handle was not yet wet
 

Edwards

Ram Guru
Joined
May 2, 2018
Messages
2,171
Reaction score
2,276
Location
TX
here is another twist .. yesterday i washed my trk using one of those blue bristle brushes and when i was washing the driver or passenger door i noticed the lock post/button on the inside of the door going up and down ... every time i made a pass on the door the button would react, it was quite funny ... it's kinda like the truck was huxxing the brush .. so, you do not have to touch the door handle unlock area for the truck to unlock and no the door handle was not yet wet

The unlock "pad" inside the door handle is not only looking for uniquely human contact. It's just a capacitive pad that's open to all kinds of "input." Water is a well known trigger but you could come up with all kinds of things that would substitute for your hand.

Just wondering though - how were you washing the truck without getting the handles wet?
 

VectorZ

Ram Guru
Joined
Jan 26, 2018
Messages
631
Reaction score
602
Location
Alaska
A thief can also simply load your truck directly on to a flatbed trailer and be gone in a minute or so. That's why I have insurance.
 
