BMW 3-Series (E90 E92) Forum > E90post members' efforts help recover stolen 335i
10-24-2009, 02:13 PM | #133 |
Banned
16
Rep 415
Posts |
I have to laugh, I must say, at people's explanations of how it was done. Wrong and wrong again. What lame explanations.
A car key fob contains an RF transmitter with an encoder that works together with an RF receiver and decoder in the car. Advanced keys (BMW Comfort Access) are the same thing, but automatic: you do not have to press the button, since the key also works as a proximity detector, which is sometimes directional (Mercedes). The encoder-decoder part of that system is what provides the security, but it took me 1 hour to read such a device's datasheet online: http://focus.ti.com/lit/ds/symlink/trc1300.pdf and a bit more on pseudo-random number generators to find a way to hack into that system, just for fun.
You have probably read that the code is 20 bits wide or so and that the code is constantly changed to prevent someone from intercepting it through the airwaves and reproducing it to get into your car while you are away doing your business. That protection is called code rolling or hopping and was not used until 10 years ago. It is essentially a pseudo-random generator that will cycle through all possible 20-bit combinations in a repeatable and predictable way. The encoder and decoder start from the same seed so that they follow the same sequence of codes. All it takes to break this is to know how the pseudo-random generator calculates the next code from the current one.
Here we get into the interesting part. Every single keyless encoder-decoder unit from one manufacturer will have the same pseudo-random cycle generator; the only difference is that it is programmed with a different seed. Imagine a sequence of 2^20 numbers always repeated in the same order; the seed is just where you start in that sequence. You only need to know how the generator calculates the next code based on the current one to break that whole security. These generators are all based on linear feedback shift registers (LFSR) because an LFSR guarantees that you will have the longest sequence before it repeats; otherwise, if it is too short, it can be broken by simply memorizing it.
Now here is the interesting part: the thief just needs to get the encoder in ANY key from one car manufacturer model (M3, X5, etc.), make a relatively easy electronic board setup to operate the encoder a number of times and log the output codes, then use the Berlekamp–Massey algorithm, which is available online here: http://en.wikipedia.org/wiki/Berlekamp-Massey_algorithm to find the LFSR architecture that will exactly reproduce the same code generation. All of this in the comfort of his home. Once the Berlekamp–Massey algorithm is done, he has a master key to ALL car models by that manufacturer. What he does next is take out the OEM encoder from ANY keyless fob or advanced key and replace it with his own software version of it, with the LFSR he got. This can be done with a laptop setup maybe. He also needs a receiver and decoder, which he can take out from any car of that model, to be able to read your current code. Once he has all that, it is over. The only difficulty is locating someone with that car model who is leaving the vehicle and using his keyless fob. At which point it is no longer a technical job and, contrary to what is being said, it will take zero time to open your car. He gets your code, his software calculates the next one, no search required, opens your car, game over. The only way to avoid this is to have a short-range keyless entry like Comfort Access, since the range will be too short for someone to intercept your current code. Although in an urban area, not so sure. It took me 1-2 hours to read about all this from scratch on the internet, so you can imagine how easy it would be for an organized ring to do this.
Oh, and the reason for leaving that 335i on a street for several days is to make sure it is "clean": have it sit somewhere to make sure that the car does not have a concealed wired antenna like LoJack powered from a secondary hidden power generator (not the car battery). Then if the car is still there after a few days, they come back and finish the job. They don't take the risk of having that car lead the police to their hub. I got that from a PBS program on Masterminds.
|
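Added example, not part of the original post and not code from any vehicle or fob vendor: a linear-complexity audit of the kind of generator post #133 describes, using the Berlekamp–Massey algorithm it links to. It shows that a stream produced by a bare 20-bit LFSR has linear complexity 20 and is fully determined by 40 observed bits, which is the property a designer would test a candidate code generator for. The register size, taps, seed and HMAC key are constructed for illustration, and the HMAC stream is included only as a contrast whose measured complexity keeps growing with the sample length.

```python
import hashlib
import hmac

def lfsr_bits(taps, seed, n):
    """Constructed toy generator: s[i] = XOR of s[i - t] for t in taps."""
    s = list(seed)
    for i in range(len(s), n):
        s.append(sum(s[i - t] for t in taps) & 1)
    return s

def berlekamp_massey(bits):
    """Shortest LFSR over GF(2) generating bits.
    Returns (L, c) with c[0] = 1 and s[i] = XOR of c[j] & s[i - j], j = 1..L."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                      # discrepancy against the current LFSR
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:               # the register has to grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def continue_stream(observed, count):
    """Extend the observed bits using only the recurrence recovered from them."""
    L, c = berlekamp_massey(observed)
    s = list(observed)
    for _ in range(count):
        s.append(sum(c[j] & s[-j] for j in range(1, L + 1)) & 1)
    return L, s[len(observed):]

def hmac_bits(key, n):
    """Contrast stream: bits of HMAC-SHA256(key, counter). Key is constructed."""
    out, ctr = [], 0
    while len(out) < n:
        block = hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += [(byte >> k) & 1 for byte in block for k in range(8)]
        ctr += 1
    return out[:n]

# Constructed 20-bit seed and taps (s[i] = s[i-3] ^ s[i-20]); not from any real fob.
SEED = [1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1]
STREAM = lfsr_bits([3, 20], SEED, 200)

if __name__ == "__main__":
    L, nxt = continue_stream(STREAM[:40], 160)
    print("LFSR stream: complexity", L, "rest predicted:", nxt == STREAM[40:])
    print("HMAC stream: complexity", berlekamp_massey(hmac_bits(b"constructed-demo-key", 200))[0])
```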
10-24-2009, 03:34 PM | #135 |
Lieutenant General
1277
Rep 17,493
Posts
Drives: like I'M BOUT THAT LIFE
Join Date: Jul 2008
Location: PARADISE aka CANES COUNTRY
|
Nicely done nybsbl04. Funny story though.
__________________
#datbimmerdoe #thatbimmertho
FOLLOW @datbimmerdoe on INSTAGRAM |
|
10-24-2009, 04:00 PM | #137 |
Lieutenant Colonel
140
Rep 1,990
Posts |
My question as well. I would assume they would be dropped when the situation was explained but this will require a court appearance. Then the towing and impound fees.
|
|
10-24-2009, 05:45 PM | #138 | |
Lieutenant Colonel
95
Rep 1,996
Posts |
Quote:
__________________
________________
My ///M is in my garage .... and it is a beast! 2010 E92 M3 Space Grey | Fully Loaded 1996 E36 M3 Dakar Yellow - SOLD 2004 Honda Accord Euro - SOLD |
|
|
10-24-2009, 05:51 PM | #139 | |
Colonel
147
Rep 2,383
Posts |
Quote:
|
|
|
10-24-2009, 05:55 PM | #140 |
Major General
361
Rep 5,873
Posts
Drives: m
Join Date: Nov 2008
Location: usa
|
To make sure that any LoJack or BMW Assist GPS system doesn't find the car. They should have put it in a better spot though, which is why the story doesn't add up.
If they were awesome enough to steal the BMW in the first place, which isn't easy, why leave it in such a bad spot?
__________________
Last edited by deletedelete; 10-25-2009 at 02:50 PM.. |
|
10-24-2009, 06:55 PM | #141 |
Banned
16
Rep 415
Posts |
|
|
10-24-2009, 07:17 PM | #142 | |
Private First Class
6
Rep 100
Posts |
Quote:
__________________
Spent a year deciding between a E90 M3 or AMG C63. "The M3 attracted me with her seductive curves but it was what the C63 said that finally seduced me."
Kleemanized C63 |
|
|
10-24-2009, 09:10 PM | #143 |
Colonel
102
Rep 2,760
Posts |
There are junkyards in New York that have parts for brand new models out a mere 2 months. Not saying anything, but people are sure naive; how do you think that happens? Yeah, it could be from accident cars, but come on. I have bought parts from such places because they have a legit sales business, but is the source always what they say it was? I used to work for a guy in Lodi, NJ many, many moons ago. Remember when the Lexus LS first hit US dealers? He had one of the first arrivals to NJ, because he knew it was a rebadged Toyota Crown or something like that, and he was a car nut with all sorts of nice expensive cars, who thought the new car was very good, never mind that the press took a while to realize this was a jewel, so he pre-ordered one.
Anyway, the car gets into an accident, damages a body panel and breaks a suspension piece he had to wait on. I know because I washed the car for him. Anyway, he gets his estimate, gets the insurance payment, then tells me he'll get a like-new part for it from the junkyard, and I am like OK. Thinking, where the hell would you get these parts for a car that's been out barely a month? (Wreck-prone car or what?) Mind you, this is the only Lexus LS I had seen so far. Well, the guy calls Hunts Point, NY, talks to some guy, tells him what he is looking for, negotiates a price, and then tells me, "OK, they'll see what they can do and call me back tomorrow. Kid, come back in a week and detail the car for me after the repairs." Incredibly, a week later I go to detail his LS and it's in brand new condition, all parts courtesy of the junkyard. Even back then I was no slouch; I quickly figured out what the possibility was that the parts really were not from where they said they were from. I tell him what I am thinking, he smiles and says, "Kid, I see you aren't all that slow on the uptake, but it's none of my business where they came from. I bought them from a legit store." I think, hmmm, got it! I kind of agree with him. It's none of our business where they source cheap parts from, but we all know it really does not always smell right. Ever heard of people selling TVs that "fell off the truck"? Nonetheless, great detective work! Kudos!!
__________________
E92 335 | Space Gray | Saddle Brown Dakota | Dark Burl Trim | ZPP | ZSP | AT | Idrive | 6FL | FBO | Dinan CAI | Quaife LSD | STG3 PROCede.
|
|
10-25-2009, 02:05 AM | #144 |
Colonel
2025
Rep 2,805
Posts
Drives: F33 430 and F39 M35i
Join Date: Feb 2009
Location: Cleveland, OH
|
Shame on the ticket writers if they were cops or city employees. After two days of no movement, someone should've run the plate and attempted to contact the owners. I'm in Ohio and I can run plates from any of the 50 states and Canada from my MDT. Don't know how NY works, but if someone reports a car stolen, the plate is normally entered in NCIC and anyone that runs it can tell it's been reported stolen. Doesn't matter what state, I've gotten stolen cars from Oregon. Weird.
|
|
10-25-2009, 02:25 PM | #145 | |
Major
96
Rep 1,337
Posts |
Quote:
__________________
"If everything seems under control, then you aren't going fast enough"
|
|
|
10-25-2009, 02:34 PM | #146 |
Banned
317
Rep 1,842
Posts |
|
|
10-25-2009, 08:51 PM | #148 |
Lieutenant
12
Rep 431
Posts |
Nice job!
FM
__________________
F34 335i xDrive, M Sport, Alpine White, Black Dakota, Dark Burl, Dynamic Handling, Technology, Driver Assistance, Premium, Active Cruise Control, Heated Seats, Side and Top View Cameras, European Delivery, Debadged
|
|