Keyfob Boosting - Thefts

Disclaimer: Links on this page pointing to Amazon, eBay and other sites may include affiliate code. If you click them and make a purchase, we may earn a small commission.

Sungod661

Full Access Member
Joined
Aug 20, 2016
Posts
273
Reaction score
93
This can be done , my question to you is shouldn’t a 80k truck already have this and do you feel like splicing wires in an attempt
To fix fords blunder?
 

Ski4Ever

Full Access Member
Joined
Jan 23, 2019
Posts
508
Reaction score
167
Location
Denver, CO
This can be done , my question to you is shouldn’t a 80k truck already have this and do you feel like splicing wires in an attempt
To fix fords blunder?
Is Ford going to fix their blunder? If not, yes, I’d rather do it than not have it done, but I don’t know where to begin at this point. Like I said, having the fuse number and wire colors would help! Did you post that info in the thread somewhere? I only read the past 4 pages or so...
 

GordoJay

FRF Addict
Joined
Feb 8, 2020
Posts
7,647
Reaction score
16,671
Location
Colorado
This can be done , my question to you is shouldn’t a 80k truck already have this and do you feel like splicing wires in an attempt
To fix fords blunder?

If Ford did it, thieves would know where to look for the fuse. Wouldn't solve the problem.
 

Ski4Ever

Full Access Member
Joined
Jan 23, 2019
Posts
508
Reaction score
167
Location
Denver, CO
If Ford did it, thieves would know where to look for the fuse. Wouldn't solve the problem.
Unless they fixed it in a different way (through programming that didn’t allow a blank key to work, etc). It doesn’t necessarily have to be a fuse relocation on their part.
 

FordTechOne

FRF Supporting Member
Supporting Member
Joined
Jul 29, 2019
Posts
6,672
Reaction score
13,068
Location
Detroit
I'm not doubting your truck was stolen, but there is certainly more to this story than what meets the eye. Everything that you described the thief doing will not allow a thief to drive off with the vehicle. It goes against the way that the vehicle is designed.

In the article posted earlier in the thread, the author even indicates that the immobilizer isn't disabled even if the thief can get the vehicle to unlock:

"Through a radio frequency capture-and-manipulation technique he described to The Parallax, Dale “Woody” Wooden, the founder and president of Weathered Security, says a hacker could unlock a Ford vehicle, interfere with its onboard computer systems, and even start its engine. A successful hack on its own isn’t likely to result in stolen vehicles, however: Wooden’s exploit does not deactivate a car’s immobilizer."

PATS and RKE are two separate systems. Here is how RKE functions:

RKE

The RKE feature is controlled by the BCM. When a button is pressed, the Transmitter Identification Code (TIC) and RKE command is received by the RTM. The RTM interprets the information and sends a message to the BCM over a LIN circuit, and when the network is awake over the CAN. If the BCM detects a valid programmed key, it carries out the command by controlling the door locks, releasing the tailgate latch or activating the horn or turn signals as required.

The RKE system can be used to:

  • unlock the driver door.
  • unlock all doors (and the tailgate).
  • lock all doors (and the tailgate).
  • release the tailgate latch (tailgate release button must be pressed twice within 3 seconds) (if equipped).
  • arm/disarm the perimeter alarm.
  • activate/deactivate the panic alarm.
  • remotely start the vehicle.
  • configure the staged lock programming (2-stage unlock or global unlock).
The RKE transmitters for an IKT have a normal operating range of 20m (66 ft) in an open air, no obstruction environment.

The RKE transmitters for a passive key have a normal operating range of 50m (165 ft) in an open air, no obstruction environment.

The RKE transmitters and the BCM also utilize a rolling code to prevent the code from being captured by a code grabber. The system advances the counter in the RKE transmitter and the BCM every time a RKE transmitter button is pressed.

The hacker in the article describes capturing the code transmitted by the RKE and re-sending it. The counter in the BCM and RKE advance each time a button is pressed. Therefore, the BCM is designed to ignore a signal that has a duplicate code. This is why the hacker needs BOTH programmed key fobs to be activated (button pressed) to copy the signal. Most people do not carry both programmed keys and then alternate between using one and then the other at the same time.

This is how the Passive Anti-Theft System (PATS) immobilizer works:

PATS

The PATS function is controlled by the BCM and the PCM.

When the START/STOP button is pressed, a signal is sent to the BCM. When the BCM detects the START/STOP button is pressed, it begins the key initialization sequence by activating the PATS center antenna, the PATS rear antenna and both exterior door handle keyless entry antennas. Each antenna transmits a low frequency signal with an approximate range of 1 m (3 ft). The passive key activates if it is within range of the antennas. The BCM is able to determine the passive key location (inside or outside the vehicle) based on the input from the antennas.

When the passive key activates, it sends the PATS identification code to the RTM via a high frequency signal. The RTM interprets the high frequency signal from the passive key and sends the information to the BCM over the LIN-based circuit.

If a valid programmed passive key is detected inside the vehicle, the BCM transitions the ignition out of off.

When the ignition transitions out of off and the modules initialize, the PCM sends a challenge request to the BCM. The BCM replies and if the correct identification is received, the PATS disables and allows the vehicle to start. If the PATS prevents the vehicle from starting, a DTC sets in one of the modules.

The PATS and the RKE system share operation of several components including the passive keys, the BCM and the RTM.

If there is a concern with any of these components, the PATS and the RKE system are both affected.

In the event of a no start, place a programmed passive key in the backup location to allow the vehicle to start. The PATS center antenna activates the passive key when the START/STOP button is pressed in the event the batteries are depleted within the passive key.

NOTE: If available as a selection on the scan tool, the passive start feature is a programmable parameter and can be enabled/disabled. If the feature is disabled, the features to passively enter and start the vehicle are inoperative. To start the vehicle, the passive key must be placed in the backup starting location.

The BCM controls the ignition modes and, in conjunction with the PCM, control the PATS.

The important part to note here is that the BCM needs to recognize the programmed key and the key ID is stored in BOTH the BCM and PCM. You cannot simply pull a fuse, place a blank key in the vehicle, and have it start. There are no parameters within the software that allow for such a procedure to work. Even if you could manage to gain access to the BCM and hack it, the PCM is still going to reject the information from the BCM when the challenge request is carried out. The only way to program the PCM with the new identification code is to perform a Parameter Reset, which requires IDS and coded security access - meaning valid FMC login credentials. Also, none of these procedures can be performed if the vehicle's alarm is activated. If a scan tool is connected to the DLC and the BCM detects CAN traffic, it will activate the alarm and lock itself out from programming attempts.

Customers lose their IA keys on a regular basis and need to go to the dealer to have new keys programmed. If it was as easy as pulling a fuse and placing a blank key in the backup slot, that is what technicians would be doing. Instead, if the alarm cannot be deactivated using the leyless entry keypad/Ford Pass, the BCM needs to be replaced. That is not something a thief is going to carry out in a parking lot.

Here are my questions for Sungod661:

1. Is it possible you left a spare key fob somewhere in the truck? I had a friend who did this with his fusion, he left the car unlocked and had a spark IA fob in the glove box. The thieves opened the car, pressed the start/stop button, and took off.

2. What is the extent of your aftermarket modifications? Anything electronic or tied into the network?

3. Have you had your vehicle in for service lately? A shady technician could easily program a spare key using IDS. Also, if you keep both keys together, anyone can add a spare key by following a very simple procedure that only takes a few minutes.
 
Last edited:

Sungod661

Full Access Member
Joined
Aug 20, 2016
Posts
273
Reaction score
93
1. No spare key was left
2.only after market parts connected electronically is the tail gate release, fog lights and winch
3. It was brought to ford 3 months before the theft for an oil change
 

Droid

kglesq's Brother
Joined
Sep 25, 2010
Posts
1,486
Reaction score
757
One required step in this process is to put a fake key in the under-cupholder passive key reader, correct?

Would adding a "kill switch" for that reader thus be effective in preventing it? If that reader were normally denied power, would the truck be at all upset (e.g. CEL, cluster popups, or other annoyances)?

If that's possible, "simple" solution might be to wire its power through a switch mounted inside a console vault. Don't think there would be any way to work around that without removing/ripping out the console.

I'm only looking for a solution that prevents their "standard script" from working. If someone wants my truck bad enough to engineer a solution to the workaround, that's a problem for the insurance co.
 

Sungod661

Full Access Member
Joined
Aug 20, 2016
Posts
273
Reaction score
93
I am not sure if that would work , the downside is not being able
To program a third (spare)key yourself.

for me the kill switch was the most logical and simplest fix
 
Top