      10-24-2009, 02:13 PM   #133
oneginee

I have to laugh, I must say, at people's explanations of how it was done. Wrong and wrong again. What lame explanations.

A car key fob contains an RF transmitter with an encoder that works together with an RF receiver and decoder in the car. Advanced keys (BMW Comfort Access) are the same thing, but automatic: you do not have to press the button, since it also works as a proximity detector, which is sometimes directional (Mercedes).

The encoder-decoder part of that system is what provides the security, but it took me 1 hour to read such a device's datasheet online:
http://focus.ti.com/lit/ds/symlink/trc1300.pdf

And a bit more on pseudo-random number generators to find a way to hack into that system, just for fun. You have probably read that the code is 20 bits wide or so and that the code is constantly changed to prevent someone from intercepting it through the airwaves and reproducing it to get into your car while you are away doing your business. That protection is called code rolling or hopping and was not used until 10 years ago. It is essentially a pseudo-random generator that will cycle through all possible 20-bit combinations in a repeatable and predictable way. The encoder and decoder start from the same seed so that they follow the same sequence of codes. All it takes to break this is to know how the pseudo-random generator calculates the next code from the current one. Here we get into the interesting part. Every single keyless encoder-decoder unit from one manufacturer will have the same pseudo-random cycle generator; the only difference is that it is programmed with a different seed. Imagine a sequence of 2^20 numbers always repeated in the same order; the seed is just where you start in that sequence. You only need to know how the generator calculates the next code based on the current one to break that whole security. These generators are all based on linear feedback shift registers (LFSRs) because an LFSR guarantees that you will have the longest sequence before it repeats; otherwise, if it is too short, it can be broken by simply memorizing it. Now here is the interesting part: the thief just needs to get the encoder in ANY key from one car manufacturer's model (M3, X5, etc.), make a relatively easy electronic board setting to operate the encoder a number of times and log the output codes, then use the Berlekamp–Massey algorithm, which is available online here:
http://en.wikipedia.org/wiki/Berlekamp-Massey_algorithm
to find the LFSR architecture that will exactly reproduce the same code generation. All of this in the comfort of his home. Once the Berlekamp–Massey algorithm is done, he has a master key to ALL car models by that manufacturer.
What he does next is take out the OEM encoder from ANY keyless fob or advanced key and replace it with his own software version of it, with the LFSR he got. This can be done with a laptop setting, maybe. He also needs a receiver and decoder, which he can take out of any car of that model, to be able to read your current code. Once he has all that, it is over. The only difficulty is locating someone with that car model who is leaving the vehicle and using his keyless fob. At which point it is no longer a technical job, and contrary to what is being said, it will take zero time to open your car. He gets your code, his software calculates the next one, no search required, opens your car, game over. The only way to avoid this is to have a short-range keyless entry like Comfort Access, since the range will be too short for someone to intercept your current code. Although in an urban area, not so sure. It took me 1-2 hours to read about all this from scratch on the internet, so you can imagine how easy it would be for an organized ring to do this.

Oh, and the reason for leaving that 335i on a street for several days is to make sure it is "clean": have it sit somewhere to make sure that the car does not have a concealed wired antenna like LoJack powered from a secondary hidden power generator (not the car battery). Then, if the car is still there after a few days, they come back and finish the job. They don't take the risk of having that car lead the police to their hub. I got that from a PBS program on Masterminds.
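As an added illustration of the algorithm the post links to (example code written for this page, not the poster's): Berlekamp–Massey over GF(2) recovers the feedback taps of a constructed 5-bit LFSR from 2L = 10 observed output bits and then predicts the bits that follow, which is exactly the property that makes a bare LFSR unusable as a security primitive. The register, seed and every value below are constructed for illustration and correspond to no real device.

```python
# Added example (not the poster's code): Berlekamp-Massey over GF(2) run on a
# constructed 5-bit LFSR. Taps and seed below are made up for illustration.
def berlekamp_massey(bits):
    """Return (L, C): length and connection polynomial 1 + c1 x + ... + cL x^L
    of the shortest LFSR that generates `bits`."""
    n = len(bits)
    c = [1] + [0] * n            # current connection polynomial C(x)
    b = [1] + [0] * n            # polynomial B(x) saved when L last grew
    L, m = 0, -1                 # current length, index where L last grew
    for i in range(n):
        d = bits[i]              # discrepancy: does C(x) predict s_i?
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):   # C(x) += x^shift * B(x)
            c[j + shift] ^= b[j]
        if 2 * L <= i:                   # register has to grow
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def lfsr_next(history, conn):
    """Next bit s_i = c1*s_{i-1} ^ ... ^ cL*s_{i-L} for connection poly `conn`."""
    bit = 0
    for j in range(1, len(conn)):
        bit ^= conn[j] & history[-j]
    return bit

def generate(conn, seed, count):
    """Clock the LFSR from `seed` until `count` output bits exist."""
    seq = list(seed)
    while len(seq) < count:
        seq.append(lfsr_next(seq, conn))
    return seq

# Constructed toy register: C(x) = 1 + x^3 + x^5 (primitive, period 31).
TOY_CONN = [1, 0, 0, 1, 0, 1]
TOY_SEED = [1, 0, 0, 1, 1]
def recover_and_predict(observed, ahead=5):
    """Rebuild the register from observed output only, then predict `ahead` bits."""
    L, conn = berlekamp_massey(observed)
    future = generate(conn, observed, len(observed) + ahead)[len(observed):]
    return L, conn, future

if __name__ == "__main__":
    obs = generate(TOY_CONN, TOY_SEED, 10)   # 2L = 10 bits suffice for L = 5
    print(recover_and_predict(obs))          # -> (5, [1, 0, 0, 1, 0, 1], [0, 1, 1, 0, 1])
```

Feeding the same routine the output of a cryptographic PRNG or a block-cipher-based hopping code yields a linear complexity close to the number of bits observed, with no usable prediction, which is the contrast a defender should check for.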