RKE is unrelated to PATS. Two separate systems. Even if they get the doors to unlock, a completely separate interrogation method is required to enable engine start.
Is it actually a different method? Or is it just a different way of using the same or another similar method?
I have always had a curiosity for signals, so when I first got my truck a couple of years back I briefly looked at the RF traffic, back and forth, between the truck and the fob. I did not exhaustively examine it, but I did sniff the RF to see if I could tell the basics of the system. I freely admit I made some assumptions and may have missed some signals, but I think I have the basics of it.
When I approach the vehicle and touch the inside of the door handle the vehicle appears to send a low power and low frequency (125 kHz) CW pulse and interrogate message, looking for the fob. I assume the interrogation message includes something like "I want to unlock the door" as well as a code to identify that it is indeed my truck. The fob then responds back with a UHF (centered on 903 MHz, but actually two different frequencies 950 kHz apart since the data appears both ASK and FSK) identification and command to open the door. I assume both directions are coded, with changing codes, since some of the data looks unique for each transmission burst. There is also, sometimes (maybe all the time but I have missed it?), a UHF response from the truck to the fob, depending on what you asked the truck to do, for example, to tell the fob that the truck did indeed start if you commanded a remote start.
When I press start in the cab the truck again interrogates on LF, the same 125 kHz. There is a response from the fob on UHF, but I suspect there is also a lower frequency, short range, response from the fob that I did not find. The lower freq fob response probably tells the truck the fob is physically inside the truck, I imagine by comparing the received power across multiple receive locations. Hmmm, might be a fun thing to look for that response while sheltering in place, if the weather ever turns nice.
So I asked myself a hypothetical: how would I defeat all this to steal a vehicle? Thinking that out can give you an insight into how you should safeguard things.
So, to boost the signal I can think of a couple of ways, one trick digital, one trick analog. Neither is particularly difficult, but the required knowledge is probably not a common skill set.
Two boxes, A and B, one (A) near the truck, one (B) near the fob (say outside the bedroom wall or near the key bowl by the front door).
When someone activates the door handle, box A samples the low frequency signal and then forwards the same signal, unmolested, on a different frequency, say something UHF near 400 MHz. This could be done digitally, using something like DRFM (Digital Radio Frequency Memory) or maybe just IQ data from an SDR, or it could be done analog, with simply a set of filters, mixers, local oscillators and amplifiers. The end result is the same: the 125 kHz signal is now bumped up in power and on 400 MHz, but the data in it is unchanged.
Box B is near the fob. It takes the 400 MHz signal and reverses the actions of box A: it turns the 400 MHz back into 125 kHz and radiates it, maybe even with more power than the truck uses, covering a longer range.
The fob then sees the "correct" 125 kHz signal, all the right coding and modulation in place, and sends the 903 MHz "open door" command. I doubt there is even a need to grab that signal, since it can work at a couple hundred feet. But if you need to, grab that signal in box B, convert it to some other frequency and bump up the power. Let box A look for that signal and reconvert it to 903 MHz right next to the truck.
So now you are in, easy enough.
The "start the vehicle" is a variation of the same thing. With box A inside the vehicle, look for the interrogate from the truck, shift it to a different frequency, unchanged, and bump up the power so it makes it to box B. Box B then converts it back down, transmits it, and looks for the ID from the key; it sends the ID to box A, box A transmits it on the right frequency for the truck, and away you go.
Once you have the truck started drive it to wherever you want. Sure, as soon as you drive away (or turn off the box A/B pair, or move B away from the fob) the "no key" warning will come on, but the truck will continue to run just fine until you turn it off.
No cracking codes required, no knowing the cycle, no previous captures required. As far as the fob is concerned it is responding to the truck, on the right frequencies and with the right codes, because it is, just handled one extra time. As far as the truck is concerned it can't tell box A from the fob since box A is just sending an exact copy of what the fob is sending in response to the truck.
The concept is not hard or complex at all. Implementation may take a bit more effort than I have implied, but should be eminently doable. The rig would not be all that expensive to build: something like a pair of HackRF Ones (to handle the RF duties), associated antennas, a 192 kHz sound card, and a Raspberry Pi 4 at each end, and some unique code to drive it all. Maybe a grand for each end, unless you are willing to use Chinese knock-offs, then under a grand for everything.
My above description and (possible) understanding is the result of less than 30 minutes sniffing the vehicle and the fob, a couple of years ago. I freely admit I may have missed something big; if so, don't be afraid to correct me. Life is a learning experience and I park my ego at the modem before I go online. Regardless, I feel that I will be spending some more time on this with the spectrum gear this weekend.
But yeah, I am having a little problem with that unprogrammed key and fuse thing. I just don't see how that could work, and oh so many ways it can't. But I have a ****** key here, and would be glad to try it out.
T!
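Added worked example (editor's illustration, not code from the poster and not the real PATS/RKE message format): a toy model of the two-box relay described above. The truck issues a fresh challenge on every interrogation, the fob answers with a keyed authenticator, and the relay boxes A and B forward bytes they cannot read. The model shows the three points the post makes: a relay succeeds without knowing any code, a replay of an earlier capture fails because the challenge changes, and once the engine is running, losing the fob only raises a warning. The vehicle ID, the command strings, the HMAC-based authenticator and the 8-byte nonce are all constructed assumptions for the demo.

```python
"""Toy relay-attack model of a challenge/response keyless entry and start system.

Constructed example. The LF challenge and UHF reply from the post are modelled
as byte strings; "shifting frequency and amplifying" is modelled as forwarding
those bytes unchanged. The authenticator (HMAC-SHA256, truncated) stands in
for whatever coded scheme the real fob uses; it is an assumption, not the
vehicle's actual protocol.
"""
import hashlib
import hmac
import os

# Constructed demo values (not real identifiers).
VEHICLE_ID = b"TRUCK-01"
SHARED_KEY = os.urandom(16)
UNLOCK = b"UNLOCK"
START = b"START"
NONCE_LEN = 8


def _tag(key, vehicle_id, command, nonce):
    """8-byte authenticator over vehicle ID, command and fresh nonce."""
    return hmac.new(key, vehicle_id + command + nonce, hashlib.sha256).digest()[:8]


class Truck:
    def __init__(self, key, vehicle_id):
        self.key, self.vehicle_id = key, vehicle_id
        self.pending = None
        self.doors_unlocked = self.engine_running = self.key_warning = False

    def interrogate(self, command):
        """LF burst (125 kHz in the post): ID, command, new random nonce each time."""
        nonce = os.urandom(NONCE_LEN)
        self.pending = (command, nonce)
        return self.vehicle_id + command + nonce

    def receive(self, response):
        """UHF reply. Accept only a correct tag for the *outstanding* challenge."""
        if self.pending is None:
            return False
        command, nonce = self.pending
        self.pending = None
        ok = response is not None and hmac.compare_digest(
            _tag(self.key, self.vehicle_id, command, nonce), response)
        if ok and command == UNLOCK:
            self.doors_unlocked = True
        if ok and command == START:
            self.engine_running = True
        if not ok and self.engine_running:
            self.key_warning = True  # "no key" warning, but the engine keeps running
        return ok


class Fob:
    def __init__(self, key, vehicle_id):
        self.key, self.vehicle_id = key, vehicle_id

    def respond(self, challenge):
        if challenge is None or not challenge.startswith(self.vehicle_id):
            return None  # not my truck, stay quiet
        rest = challenge[len(self.vehicle_id):]
        command, nonce = rest[:-NONCE_LEN], rest[-NONCE_LEN:]
        return _tag(self.key, self.vehicle_id, command, nonce)


class RelayBox:
    """One half of the A/B pair: no key, no parsing, just re-emits what it heard."""
    def __init__(self, name):
        self.name, self.heard = name, []

    def forward(self, burst):
        self.heard.append(burst)
        return burst


def _pair():
    return Truck(SHARED_KEY, VEHICLE_ID), Fob(SHARED_KEY, VEHICLE_ID)


def legitimate(command):
    truck, fob = _pair()
    return truck.receive(fob.respond(truck.interrogate(command)))


def relay(command, truck=None, fob=None):
    """Box A at the truck, box B at the fob; every burst crosses both boxes."""
    if truck is None or fob is None:
        truck, fob = _pair()
    box_a, box_b = RelayBox("A"), RelayBox("B")
    challenge = box_b.forward(box_a.forward(truck.interrogate(command)))
    reply = box_a.forward(box_b.forward(fob.respond(challenge)))
    return truck.receive(reply)


def replay(command):
    """Record one genuine reply, then send it against a later challenge."""
    truck, fob = _pair()
    captured = fob.respond(truck.interrogate(command))
    truck.receive(captured)          # genuine exchange the attacker recorded
    truck.interrogate(command)       # later: new nonce, so the old tag is stale
    return truck.receive(captured)


def steal_truck():
    """Unlock and start through the relay, then drive out of range of box B."""
    truck, fob = _pair()
    unlocked = relay(UNLOCK, truck, fob)
    started = relay(START, truck, fob)
    truck.interrogate(START)
    truck.receive(None)              # fob no longer answers: warning only
    return {"unlocked": unlocked, "started": started,
            "engine_running": truck.engine_running, "key_warning": truck.key_warning}
```

Run `steal_truck()` and `replay(UNLOCK)` side by side: the relay never touches the authenticator, so rolling codes and fresh nonces do nothing against it, while the replay is rejected as soon as the challenge changes.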