Somehow a thief in my area has been unlocking cars by simulating Fobs. Made me wonder if this would also start a car with a keyless ignition.

 

While it is theoretically possible, practically, no. The C6 FOB system is far more complex than the older "keyless entry" systems. The thief must have access to your FOB to duplicate it. With many millions of possible combinations that change every time the FOB is used, it is easier to just roll the car onto a flatbed.

Here are 2 possible ways it can be done and both require at least limited access to your working FOB.

http://www.technologyreview.com/news...ntenna/page/1/

http://www.wired.com/2014/08/wireless-car-hack/

 

Local Police came to HOA meeting this week and talked about that. Nothing has been seen here yet. Said the devices are homemade and can fit in a pack of cigs or similar size pkg, nothing more than a circuit board and small battery. So far they seem to be only interested in opening cars to steal contents.

 

So far that is all they have done here. Apparently they are just driving down the streets at night and targeting any cars that the device is able to unlock. I'm going to try setting my car that sits outside the garage to beep the horn when it is unlocked.

 

Hi.

When you touch the door pad on you locked C6, the RCDLR sends an ENQ to your FOB. This in essence is asking the FOB to send it's magic number, and if correct, the RCDLR will unlock the door. The same deal happens when you push the Start Button - only this time the starter is engaged.

So imagine you pull into a lot, lock your C6, and head over to say Walmart. Someone was watching you leave your beauty, and decides it should be his. He discreetly walks beside you and sends your FOB the same ENQ that is standard on all C6's, and probalbly all GM cars. (Your C6 is way out of range at this time.)

Now your FOB sends the magic numbers - these can easily be captured. He will send multiple ENQs, capturing your successive magic numbers (which as you know, change according to an alogorythm).

Then it's a piece of cake. He walks over to your C6, touches the door pad, and the RCDLR sends an ENQ. The device that is in his pocket will send out the correct magic number, and bye bye C6.

It's real easy - what GM has to do is change the ENQ's according to an alorythym, just as they do when unlock codes are sent by your FOB.

Maybe they smartened up for the C7??

M.....

 

oh crap!

 

Gee, someone thought of that many years ago. The ENQ signal that is sent changes randomly. Oops. That's why, so far, the only proven way to simulate a FOB in a PKES system is to get real close to both the car and a valid FOB and relay the signals between them over a distance larger than the car's design would permit. You can't predict what the car is going to ask or what the response should be from previous transmissions. You can cut the possibilities down a bit as indicated in the article link I posted but you are still left with 100 times as many combinations to try as you need with an older car using a mechanical key.

 

You can set the horn to honk when it locks and you can set it to turn on the lights when it unlocks but it will never honk the horn when it unlocks.

 

I stand corrected. I always thought the ENQ's were standard across vehicles.

I thought they were using the Texas Instrument MARCSTAR 1315 I E/D chip, and I never saw that in its specs.

Thanks for the update.


M....

 

The vette is always in the garage. I was thinking of my other car that sits in the driveway in front of the garage. I never keep anything in it but still don't want someone going through it.


And to make things even worse a gun was stolen out of one of the cars robbed the other night. So now the thief may be armed

 

I'm not sure what chip they use. GM has a habit of doing proprietary chips. But they could very well be using that chip since it does use an algorithm to change the encoding and decoding signals with every transmission. The MARCSTAR I E/D system uses a synchronized encoding where the valid code for a command changes with every transmission and the transmitter and receiver must both agree that the current signal is from a learned device and incremented from the last signal received from the that device.
http://www.ti.com/lit/ds/slws011d/slws011d.pdf
In English, not only does the car know the valid FOBs but the FOBs know the car and they change language every time they speak to each other. In your scenerio, you tried to open a locked door causing the car to ask if a FOB was nearby. You recorded that request and played it back to a valid FOB. The valid FOB WOULD recognize that signal and respond. You recorded that and went back to the car. But when you tried to open the door a second time the car had changed language. The car is now asking in Polish and expects an answer in Polish. You play your recorded response which is English. The car says HUH? and asks again in Chinese. You don't get in. So now the valid FOB comes back and you try to open the door. The car asks "Who's there?" in Swahili. The FOB says "Swahili? That's one confused car but Swahili is one of the 1.07 trillion languages I know and isn't more than 256 languages past the last language we used using our agreed to algorithm of language changes so I'll answer." The FOB responds with a correct number in Swahili and the car opens.