Development of DIY Electronic Upgrades

Discussion in '3rd Gen. Tacomas (2016-2023)' started by LostTime77, Feb 1, 2020.

  1. Feb 2, 2020 at 1:40 PM
    #81
    shane100700 Bed, Bath & Beyond Crawler
    Wow you’re a sensitive one. @RyanDCLB can stand up for himself and did a great job doing it. Considering the first post was rather random as far as mods go, I took it different and Ryan explained it very well. Thread jacks are not remotely uncommon and this one had great traction which us three are now helping detract from.

    Hope you both have a great day.
    :hattip:

    My pardon OP, nothing else to see here boys. Carry on gentlemen!
     
    RyanDCLB likes this.
  2. Feb 2, 2020 at 1:41 PM
    #82
    LostTime77 [OP] Well-Known Member
    @N2DesignsInc

    First of all, I honestly do not understand what the fixation is with thinking that I am going to sell this commercially. I think I have stated 5 times in this thread that my intention is not to make money off of this and offer it more as a DIY system. It's in the title of the thread! Are the people actually reading through the thread or just selectively locking on to individual words and making assumptions?

    Second of all, I am well aware of the legal situation. Two points:
    1. I absolve all responsibility for this device. Use / build at your own risk
    2. COTS solutions ARE in fact transmitting over various RF mediums (cell phone, wifi, etc.) to accomplish remote starting, not to mention spoofing.
    You should point your post towards the tens or hundreds of COTS remote start system developers out there and not me. I do not think you clearly understand what spoofing means. All signals at stock in the vehicle are the intended signals. Any modification to the stock intended operation of those signals, I can claim IS spoofing. Therefore, all COTS remote start systems are spoofing signals.

    Furthermore, the burden of proof to say that an aftermarket system or vehicle modification caused an issue that should be fixed under warranty is on the manufacturer. It's a law. (Don't remember the name of the law). For example I add a cover and aftermarket bed rack system to my truck. I then bring it in for service under warranty to fix a failed starter. The manufacturer just can't say: "Oh! look, you modified your truck in an unintended way! Your warranty is void!" The manufacturer would have to prove that the stated unauthorized modification in fact made the starter fail (news flash - they won't be able to). Same idea applies if I add some fancy new RF box to my bed that is doing unknown things that the manufacturer has no clue about. Maybe I'm just storing it there or delivering it somewhere.

    I have had the pleasure to work with people before who fail to properly filter the information they present either because they are lazy or do not understand the topic. Instead they present a massive information dump that has an erroneous amount of information in it that may not apply. Instead of it being the job of the presenter to filter that information (which it is), they now flip it and put the burden on whoever sees that information.

    What I would suggest is you come up with a list of valid differentiating points that can be attacked and compare them to systems on the market now. For example, how exactly is a COTS remote start that communicates to an LTE modem inside the vehicle and then literally spoofs a bunch of CAN communications and electronic signals to the ECU to brute force start it NOT an issue? It states clearly on many of the websites that I have read on COTS remote starts: "This module mimics a key fob and starts the vehicle." If anything, that's more dangerous than what I am making considering that this remote start keeps the key fob as a first class authentication device.

    If all the other COTS solutions can maybe "bypass" and not worry about the stuff you said, why then did Toyota put in the door open engine stop? I can tell you why, because Toyota did not intend for those COTS remote start systems to exist and finagle with the vehicle to start it. They knew they couldn't stop people from modifying their vehicles with unauthorized devices.

    As a last example, I just read a recent paper published in 2019 about how easy it is to reverse engineer the CAN bus messages in a modern vehicle. You can do just about anything. An aftermarket module could, for example, spoof the odometer or RPM meters on the instrument cluster. What's not to say a COTS remote start doesn't do that at some point in time? After all, it does have direct access to the CAN bus in the vehicle. Yet, dealers allow the installation of many aftermarket devices without voiding the warranty.

    I have talked about the case of the manufacturer warranty, but what about the insurance company for a stolen vehicle? You can be the judge on these two scenarios that have to be presented to the insurance company.

    COTS Remote Start
    User: My car was stolen!
    Agent: Ok, does your car have a remote start system?
    User: Yes. It's the (insert name here).
    Agent: I just did a brief look at their website. It looks here that this system literally says that it mimics and bypasses your key fob. That sounds like a thief's paradise. I'm sorry, we can't help you.

    This Remote Start
    User: My car was stolen!
    Agent: Ok, does your car have a remote start system?
    User: Yes. It's the (insert name here).
    Agent: I just did a brief look at their website. This remote start directly involves the key fob in authentication at every step. How the hell did they steal the car? Well, OK let's talk about how much we can reimburse you.

    Long story short. How do you think it sounds if I put this aftermarket gadget on my truck that can bypass the key fob entirely for what it needs to do compared to something that acts more like the stock vehicle by 'not' bypassing and involving the fob? The specifics don't matter, because the agent doesn't care. It doesn't matter if the thief will be stopped when they next press the brake because the fob isn't there in the COTS case (looks like they might not be stopped). The COTS case just sounds horrible at first glance. Unfortunately, many of the agents are not technical people and they care about "first glances".
     
    Last edited: Feb 2, 2020
  3. Feb 2, 2020 at 2:37 PM
    #83
    N2DesignsInc N2 Designs, Inc. Vendor
    I agree on many accounts and my apologies if I thought you were wanting to profit off it since it's a hot topic that folks are dying to have this feature and in fact it's what's holding them back at times...the law you're referring to is the Magnuson-Moss act. A federal US law. Doesn't stop ignorant dealers from scapegoating, I don't even think most of them think about this law before putting blame on stuff, and most folks don't want to get into a legal situation just to explain it to them, costs less to resolve out of pocket on both ends. So it does not apply internationally, but then again, not for resale, then who cares as you've implied.

    I do disagree about the definition of "spoofing", even in coding terms. You're still "simulating" something even if modular and not intertwined into an OEM system, to do something that the manufacturer doesn't want. The definition means to "trick". However, all that's out the window if it's not for re-sale obviously. It was just advice, don't take it the wrong way. I support all innovative minds and thinkers in their ambitions. I do wish you luck in this project as it seems like you're one to take on the challenge.
     
    Noch likes this.
  4. Feb 2, 2020 at 2:42 PM
    #84
    LostTime77 [OP] Well-Known Member
    I am not sure how your definition of spoofing is that different from mine. They sound about the same. My point is that the COTS remote starts are also spoofing, so I am not doing anything different.
     
  5. Feb 2, 2020 at 3:38 PM
    #85
    MESO Major Modder Vendor
    I just climb through the window like Bo Duke.
    Truck never shuts off.. got em’ Toyota.
     
  6. Feb 3, 2020 at 7:41 AM
    #86
    BSCowboy Well-Known Member
    I’ve thoroughly enjoyed reading this so far
     
  7. Feb 3, 2020 at 9:14 AM
    #87
    LostTime77 [OP] Well-Known Member
    @BSCowboy

    You've enjoyed the fireworks or the technical aspects?
     
  8. Feb 3, 2020 at 10:44 AM
    #88
    ksJoe Well-Known Member
    @N2DesignsInc

    If this is business info you don't want to reveal, I understand. But I'm curious about the cell module add-on you sell.

    Depending on his approach, OP will likely need a cell module of some kind. Is the manufacturer of your cell module open & collaborative? i.e. do you think they would give out info on how to use their module in another device?
     
  9. Feb 3, 2020 at 1:21 PM
    #89
    N2DesignsInc N2 Designs, Inc. Vendor
    I've tried. Unless you've got their corporate badge and on their payroll, they won't release their proprietary protocol...the device has a few different libraries of protocols (that you pre-select) it can run that are fixed choices you get, and only updated OTA or some special serial cable. I know which lines are Tx and Rx, power and GND, and I'm sure there is a unique serial cable (or one that can be made) assuming we know the serial COM parameters and baud rate and so on. However, I'm assuming OP will be using CAN to communicate directly to the vehicle (via his remote starter), but the device we sell that communicates to the vehicle via CAN (remote starter) runs its own protocol on the back end which the cellular module only communicates to. The cellular module sends out a command, the remote starter does the rest as the cell module plugs into the remote start itself and they communicate with their own protocol as mentioned. The output protocol is CAN and DIO. In other words, the cell module can't be used as a stand alone remote starter. Hopefully that makes some sense...
     
    shane100700 likes this.
  10. Feb 3, 2020 at 1:57 PM
    #90
    LostTime77 [OP] Well-Known Member
    Trying to solve the remote communications right now is not an issue. We could make the module communicate remotely over LTE, Wifi, RF, or even bluetooth. For any of these, we can just pick up a cheap embedded module and work with it to transfer the data. I don't have lots of experience with LTE modems, but I do know they sell embedded ones. There is probably a PI project out there already transferring data over a cell network.

    I won't be touching CAN communications to start the vehicle, like so many remote starts seem to do. I will be replaying the human element electronically. This means tapping into the switch and sensor signals and toggling them in sequence when we get a remote start request.
    1. Remote start request comes in from a radio
    2. Unlock door
    3. Open door
    4. Depress brake pedal
    5. Depress PTS
    There would be a receiver module inside the vehicle that has a radio on it to receive the remote start request (LTE, Wifi, RF, doesn't matter). The module would tap into the various required signals in the list and spoof them using a micro controller (for example). The receiver then additionally will forward the ping requests from the vehicle for the key fob to a receiver module outside the vehicle. That receiver module will be sitting next to a key fob and will forward its response back to the receiver in the vehicle.

    Let's be clear here. Solving the "remote" RF part is a non issue at this point. Whether it's LTE, wifi, bluetooth, doesn't matter. We need to solve the second shutoff problem first before moving forward. The above system is proof of concept.


    The proof of concept system could be as simple as getting two phones and writing a phone app.

    Receiver (in vehicle)
    Phone connects to an SDR and another board (Arduino like). The SDR is used to act as the key fob transceiver relay in the car. The Arduino board is used to spoof the switch / sensor signals through GPIO

    Receiver (remote)
    Phone connects to an SDR next to a key fob.

    The in vehicle and remote receiver blocks use wireless data transfer to relay the vehicle + key fob signals back and forth.


    I think the downfall of COTS remote starts is the fact they try to solve the problem by brute forcing the ECU using the CAN bus. The CAN bus is not ever involved in this solution. The only reason the CAN bus would be involved is, for example, if there is a dedicated micro controller that handles some of the switches and relays those activations back to the ECU through the CAN bus. In this case, we can easily spoof those CAN messages to make the ECU think a button was pressed. However at the end of the day, all switches and sensors can be traced back to two or more GPIO signal wires.
     
  11. Feb 3, 2020 at 3:26 PM
    #91
    ksJoe Well-Known Member
    @N2DesignsInc

    That makes sense. It would be nice if they embraced tinkerers and supplied the pinout for the connector, and maybe even a basic linux driver. But with most companies that's just crazy dreams.

    Clearly their business model is based on selling whole integrated systems and not enabling piecemeal reuse of a few components.
     
    xxTacocaTxx likes this.
  12. Feb 3, 2020 at 3:49 PM
    #92
    RyanDCLB Well-Known Member
    I did a test to check out my idea (2) here.

    • Leave fob #1 in center console,
    • Push the driver side door button,
    • Lock truck using fob #2,
    • Reach in and Push the PTS button once putting the truck into accessory mode,
    • Push and hold the PTS button for 13+ seconds to start the truck,
    • Truck is locked, fob #1 is inside, truck is running, no weight on seats or floorboard,
    • Fob #2 or the Smart Handle will not let me unlock the truck from the outside,
    • Release door button, door ajar alarm notification on the dash,
    • Unlock button on the door will unlock the doors,
    • Push the PTS button to stop the engine.
     
    Last edited: Feb 3, 2020
  13. Feb 3, 2020 at 4:23 PM
    #93
    LostTime77 [OP] Well-Known Member
    @RyanDCLB

    So what did we learn? It looks like you were able to get the 10 - 13 PTS press to work without the door sensors and brake. I had no doubt it would work.

    One idea I had to get by the key fob issue was to actually have some way of electrically jamming a second key fob that was left in the car. With this, you could have an RF signal from the outside un jam the fob when you want to remote start it. The issue is security and reliability.

    Placing a 2nd fob in the truck and electrically jamming it via RF is very easy, such that the vehicle and fob would not be able to communicate. However the issue with this approach, for example, placing an RF jammer module in the truck that is controlled remotely is that it is a default ON device. You would essentially have the jammer ON by default and then turn it OFF via remote command. This is extremely bad for reliability. What if the firmware screws up and never stops jamming? Now you can't get into your car easily. You would have to find a spot around the vehicle in which another fob works... not to mention the jammer is overloading the vehicle antenna.

    A more reliable idea I had was to make an electromechanical faraday cage. Faraday cages cannot inherently be turned on and off. However, the idea is that you would put a second fob inside the cage and close it. The cage would have a motor on the outside with a door. The motor would be controlled via remote command. When you want to remote start, you would send the remote command which would open the door and let the RF out. This is a much more reliable system, because it is not actively jamming the vehicle. Furthermore, if you think a thief could just smash the window and pull the cage out and open it, think again. We could make the cage exactly like an electronic lock box.

    Putting the fob inside the car allows us to get past the immobilizer checks extremely easily and reduces the problem. However, the big thing I see with this is whether or not a person would want to give up a second fob for this type of system. It's kind of like leaving a second key in the ignition for remote starts (which they do).

    Why consider this over the retransmitter system? Way less complicated parts. Little tiny embedded gadgets like this are super easy to make. Additionally, the remote communications becomes an order of magnitude easier and more reliable. For one, we don't exactly know if cell network data latency will actually be an issue (@ksJoe assures me that it won't), but I have my doubts. Yes, latency is pretty small, but I am worried about how long the window timeouts are on the vehicle ECU. Secondly, SMS messages via embedded LTE are waaaay easier than retransmitting data. We don't fully know the specifics of how the transmitters and receivers work on the vehicle (continuous pinging, RF fields, etc.), so it's quite possible a simple retransmission that we are planning won't work.
     
    Last edited: Feb 3, 2020
    RyanDCLB likes this.
  14. Feb 3, 2020 at 4:30 PM
    #94
    N2DesignsInc N2 Designs, Inc. Vendor
    Yep. Not everyone is opensource...definitely a profit-based business model, but I have to respect that. I would be too, I mean who doesn't want to protect their intellectual assets, R&D and product from copy cats?
     
    xxTacocaTxx and shane100700 like this.
  15. Feb 3, 2020 at 4:34 PM
    #95
    N2DesignsInc N2 Designs, Inc. Vendor
    Spot on. I was never a fan of some kits that require a key to be sacrificed and dedicated to the inside of the vehicle. Granted, they were put into terminal boxes which I have access to but I refuse to put together these types of kits for any vehicle that requires this method because it's not a modern approach, AND these keys aren't cheap to replace. But that solves the immobilizer/bypass issue where as other remote starters "learn" your key and don't require it to be left behind. This is what I think you want to emulate.
     
    RyanDCLB likes this.
  16. Feb 3, 2020 at 4:42 PM
    #96
    LostTime77 [OP] Well-Known Member
    @N2DesignsInc

    It would be nice if we could easily learn the key. The issue is that I don't think that's actually what COTS remote starts do. I think that verbiage is just to relate it to the lay person.

    What remote starts are actually doing is they are intercepting the communications between the ECU and immobilizer unit via GPIO signals and the CAN bus. This requires access to those two components and a lot of time to reverse engineer. Essentially the data in between the units can be spoofed. The ECU asks to ping the fob, and the immobilizer can just say "yep" regardless if it's there or not. Of course they electrically switch the decision process in firmware.

    This is what I wanted to do before @ksJoe suggested the retransmitter system, which involves no reverse engineering of the protocol.

    I could be wrong about how the remote starts are operating. Instead of guessing, I would like some concrete technical documentation or exact knowledge of what they are doing before we can agree that the remote start "learns" the key.

    From my understanding, it cannot learn the key. This is because of rolling codes. Every time the fob is used, a number is incremented on the fob and re encoded using encryption. There is no "guessing" the next key that will be used, only jamming and retransmitting a current key as in the rolljam attack.

    Do you happen to know the private key and encryption method used on the Tacoma? Can we recreate any RF data packet that we want?
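
The rolling-code behaviour described in this post, seen from the vehicle receiver's side, as an added example that is not part of the original post and not Toyota's scheme. HMAC-SHA256 stands in for the unknown cipher, and the frame layout, `WINDOW`, `TAG_LEN` and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16   # assumed look-ahead: how many unheard fob presses are tolerated
TAG_LEN = 8   # assumed length of the truncated authentication tag, in bytes


def make_frame(key: bytes, counter: int) -> bytes:
    """Fob side: 32-bit counter followed by a keyed tag over that counter."""
    body = struct.pack(">I", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Vehicle side: accepts each counter value at most once, moving forward only."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def check(self, frame: bytes) -> str:
        if len(frame) != 4 + TAG_LEN:
            return "malformed"
        body, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare; without the shared key the tag cannot be produced.
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"
        (counter,) = struct.unpack(">I", body)
        if counter <= self.last_counter:
            return "replayed"        # already used, or older than one already used
        if counter > self.last_counter + WINDOW:
            return "out-of-window"   # too far ahead: fob needs re-synchronising
        self.last_counter = counter  # accepting this retires every older frame
        return "accepted"


def demo() -> list:
    key = bytes(range(16))                          # constructed sample key
    rx = Receiver(key)
    f1, f2, f5 = (make_frame(key, n) for n in (1, 2, 5))
    forged = struct.pack(">I", 6) + bytes(TAG_LEN)  # right counter, no key
    far = make_frame(key, 500)
    return [
        ("first press", rx.check(f1)),
        ("same frame sent again", rx.check(f1)),
        ("press 5, presses 2-4 never heard", rx.check(f5)),
        ("older unused frame 2 arrives late", rx.check(f2)),
        ("guessed counter without the key", rx.check(forged)),
        ("counter far beyond the window", rx.check(far)),
    ]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:36s} -> {verdict}")
```

A frame the receiver has never heard stays acceptable only until a newer counter is accepted, so every normal fob use shortens the life of any older captured frame.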
     
  17. Feb 3, 2020 at 5:02 PM
    #97
    ksJoe Well-Known Member
    Absolutely. I don't work for free, and I don't expect anyone else to either.

    The point I was going for is - some companies sell parts for prices where they're happy to sell to tinkerers even if they don't sell many whole packages (and some can be profitable in this). With a proprietary system, no one can use pieces, only the whole. That gives them a lot of choice on where to put their profit margin. Their margin has to be somewhere in order for them to be in business, and it's their choice where to put it.

    I wasn't trying to complain about their choices, just making observations.

    BTW, I have a 2020 on order. I'm planning on trying the Toyota remote start app for the free trial year. At the end of that, there's a good chance I'll be ordering a remote start system from you.
     
    N2DesignsInc[QUOTED] likes this.
  18. Feb 3, 2020 at 5:13 PM
    #98
    ksJoe Well-Known Member
    My 06 Lexus uses push button remote start, and I suspect it is the same underlying system as on the Toyotas (though there could be some changes since '06).

    My Lexus came with 1 key when I bought it in 08. I thought I'd be clever and buy a fob on ebay, then just pay the dealer to sync it to the car. I know the syncing process requires special equipment not generally available.

    After dealer techs worked on it a while without success, the tech came out and asked me if the fob had been synced to another vehicle previously. I explained how I bought it. He said something to the effect of, once it is linked to a car, they can't link it to another.

    He said if they fully initialized the ECU, getting authorization codes from Japan (and costing several hundred $), they should be able to sync it up. Instead I bought a new fob from the dealer, and tossed my useless fob in the drawer because I didn't want to rip off some other ignorant buyer.

    Parts of this don't seem consistent to me, but that is the explanation I got.

    This does however, offer some insights into the complexity of linking a fob to the vehicle, and how tightly controlled that is for security reasons. These fobs may look similar to the generic keyless entry fobs, but they are far more secure.

    just some food for thought
     
  19. Feb 3, 2020 at 5:18 PM
    #99
    RushT Amateur Everythingist
    I *think* it’s possible to code a key fob with tech stream.
     
  20. Feb 3, 2020 at 5:52 PM
    #100
    N2DesignsInc N2 Designs, Inc. Vendor
    No problem!
     
