Could a strong transceiver be constructed that could interrogate and find the key fob

Thread Starter

philbo5093

Joined Jul 16, 2021
3
Related to this discussion on finding a PKE key fob... recently a runner went missing in large park. He left his cellphone in his car but likely carried his key fob with him. Could a strong transceiver be constructed that could interrogate and find his key fob (and the missing runner) if he has become incapacitated, say, 100 yards or so off a trail? Or would the "rolling code" encryption prevent any fob response?


Mods Note:
Please don't hijack other member's threads.
This thread was split from Help! Lost 433Mhz Passive Car Key indoors.
 

MisterBill2

Joined Jan 23, 2018
18,176
Could this be done? Possibly, in theory, under perfect conditions., BUT would it be usable looking for a lost person in a park? For starters, receiving a signal depends on an adequate signal to noise ratio. That, in turn, depends on the transmitter power, and for a key fob that operates on received power, and so the signal is not very strong at best. And the power signal is not very strong, either. So to have a range of a few hundred yards will take a fairly powerful transmitter on the correct frequency. Not very portable. The receiver would also need to be tuned to the correct frequency. Neither of those would be known in advance.
Thus ultimately it would not work well enough yo be worth the effort.
 

Thread Starter

philbo5093

Joined Jul 16, 2021
3
Could this be done? Possibly, in theory, under perfect conditions., BUT would it be usable looking for a lost person in a park? For starters, receiving a signal depends on an adequate signal to noise ratio. That, in turn, depends on the transmitter power, and for a key fob that operates on received power, and so the signal is not very strong at best. And the power signal is not very strong, either. So to have a range of a few hundred yards will take a fairly powerful transmitter on the correct frequency. Not very portable. The receiver would also need to be tuned to the correct frequency. Neither of those would be known in advance.
Thus ultimately it would not work well enough yo be worth the effort.
Thanks @MisterBill2 But if we have access to the runner’s car as well as to his wife’s key fob, that should tell us the frequencies, right? If this device could be funded and shared by, say, a regional Search and Rescue organization, could it be feasibly constructed for a truck mounted operation for maybe $20,000?
 

DickCappels

Joined Aug 21, 2008
10,152
The keyfob will have limited range of its own because it needs to be certified to meet certain emission requirements in most places in the world.

Skiers in some places carry radio transceivers with them that have a range of about 100 meters and run around 460 kHz. When skiing the transceiver is set to act as a beacon. The receivers have directional antennas so that in the case of a skier being buried under and avalanche the directional receivers can roughly locate the skier. Then out come the long poles to probe for the skier.

You could probably work in that direction, perhaps using the 11 meter license-free band where the range can be miles through an unobstructed path using beacon-like signaling. You might consider it in cases where people are worried about being lost.
 

Ya’akov

Joined Jan 27, 2019
9,070
Look for videos on man-in-the-middle attacks on car locking systems. They use repeating transceivers to send the low frequency presence signal to the car and start the handoff.

It could be adapted to locate the fob.

Samy is the premier source for information on this sort of thing:
 

MisterBill2

Joined Jan 23, 2018
18,176
It would make MUCH MORE SENSE for the person to carry a dedicated device. If they are carrying their car keys then they could certainly carry a small beacon transmitter, OR EVEN A SMALL CELL PHONE!!
The stupid choice is to have one of those big smart phones that will not fit in any secure pocket and have that big touch screen subject to breakage.
They should study for an hour and get an amateur radio tech license and carry a small trasceiver that is not that much bigger than the key fob, and has a range of a few miles. And if they have one with a beacon mode then they can be tracked very readily by other hams with much less expensive equipment.
Thinking about tracking a key fob is a waste of time from the very start, because every brand is different every model year, at least for the some brands.
 

MisterBill2

Joined Jan 23, 2018
18,176
The TS specified PKE fobs.
A specialy designed for one type only does not make a lot of sense. Given that there are already GPS tracking modules available for aset tracking applications, it would make more sense to invest in that technology. And, just to point out another thing, going running alone in rugged surroundings does not sound smart to begin with. Even the Army does not send out a single scout.
 

samyk

Joined Aug 20, 2016
2
As @Yaakov mentioned, since it's PKE (passive keyless entry, passive being the important part here), means there's an LF coil (typically 125kHz/134kHz) that looks for a wakeup signal (note there's date encoded via ASK, not just a CW), and the key responds in sub-GHz UHF ISM bands (typically ~300MHz/434MHz), followed by a secondary LF challenge (car) and second UHF response (fob). Interestingly if your fob is out of battery, some will allow you to place the fob up to the car (on a handle or engine start button) to inductively power the fob to both unlock the vehicle and start ignition.

@philbo5093 I believe it's technically possible but the biggest challenge is the amount of power and/or antenna size to create a strong enough LF (125/134kHz) signal and don't think this is reasonably feasible unfortunately. If we're talking about using a coil, then in my experience you generally don't get much more RX distance than a small multiple of the longest diameter of the coil. If you want an antenna for non-inductive transmission, then c/v=λ [speed of light / frequency = wavelength], so ~300 megameters per sec / 125 kHz =~ 2400 meter wavelength. Some fraction of that will transmit but perhaps someone with RF expertise can chime in on the distance and power required to transmit at a long range with a large fractional antenna length?

On the car side, since you have the make/model/year, it would be easy to record the LF wakeup signal and identify the UHF response the fob sends back (I used this as a technique to fingerprint fobs as they transmit a unique ID as well on a per-fob basis). You would want a sensitive UHF receiver with LNA but fortunately the UHF signal transmits much further than the LF signal. The receive would still be challenging since you still wouldn't be that close, but the LF transmission is going to be even more challenging. Unfortunately I don't think this can really be built and working in a reasonable time frame, I'm sorry to say.

@Ian0 You can pull the credit card data but it won't provide a CVV that you can use for online transactions as a rolling code prevents you from making more than a single transaction without continued access to the card -- granted if you're within both TX+RX range of the card, then you could perform a transaction on their behalf, but note the inductive coil is in the cm range so you need to be quite close for the bidirectional comms. There was a vulnerability several years ago that would allow you to perform multiple transactions (I demonstrated this with the MagSpoof device) by taking a chip/contactless-enabled card credentials and synthesizing the signal via EM to a magstripe reader (not an NFC/contactless reader) while altering bits of the discretionary service code (in magstripe data) in order to make the payment processor believe it wasn't a chip/contactless card and downgrade the security to not require the rolling transaction data, but I suspect that's been resolved by now.
 

MisterBill2

Joined Jan 23, 2018
18,176
So the bottom line conclusion is that the range of a key fob is not enough to do anything useful. The range would need to be at least a hundred feet, and given that the key fob range is kept short for security it is not practical.
Transponders are available but they are designed for tracking.
Even the dog training collars that deliver a loud beep have been available for many years, are able to work with a range of a hundred yards or so. Systems are available but they are quite different from an automotive key fob.
 

Ya’akov

Joined Jan 27, 2019
9,070
As @Yaakov mentioned, since it's PKE (passive keyless entry, passive being the important part here), means there's an LF coil (typically 125kHz/134kHz) that looks for a wakeup signal (note there's date encoded via ASK, not just a CW), and the key responds in sub-GHz UHF ISM bands (typically ~300MHz/434MHz), followed by a secondary LF challenge (car) and second UHF response (fob). Interestingly if your fob is out of battery, some will allow you to place the fob up to the car (on a handle or engine start button) to inductively power the fob to both unlock the vehicle and start ignition.

@philbo5093 I believe it's technically possible but the biggest challenge is the amount of power and/or antenna size to create a strong enough LF (125/134kHz) signal and don't think this is reasonably feasible unfortunately. If we're talking about using a coil, then in my experience you generally don't get much more RX distance than a small multiple of the longest diameter of the coil. If you want an antenna for non-inductive transmission, then c/v=λ [speed of light / frequency = wavelength], so ~300 megameters per sec / 125 kHz =~ 2400 meter wavelength. Some fraction of that will transmit but perhaps someone with RF expertise can chime in on the distance and power required to transmit at a long range with a large fractional antenna length?

On the car side, since you have the make/model/year, it would be easy to record the LF wakeup signal and identify the UHF response the fob sends back (I used this as a technique to fingerprint fobs as they transmit a unique ID as well on a per-fob basis). You would want a sensitive UHF receiver with LNA but fortunately the UHF signal transmits much further than the LF signal. The receive would still be challenging since you still wouldn't be that close, but the LF transmission is going to be even more challenging. Unfortunately I don't think this can really be built and working in a reasonable time frame, I'm sorry to say.

@Ian0 You can pull the credit card data but it won't provide a CVV that you can use for online transactions as a rolling code prevents you from making more than a single transaction without continued access to the card -- granted if you're within both TX+RX range of the card, then you could perform a transaction on their behalf, but note the inductive coil is in the cm range so you need to be quite close for the bidirectional comms. There was a vulnerability several years ago that would allow you to perform multiple transactions (I demonstrated this with the MagSpoof device) by taking a chip/contactless-enabled card credentials and synthesizing the signal via EM to a magstripe reader (not an NFC/contactless reader) while altering bits of the discretionary service code (in magstripe data) in order to make the payment processor believe it wasn't a chip/contactless card and downgrade the security to not require the rolling transaction data, but I suspect that's been resolved by now.
Hello, @samyk. Nice to see you here. I have enjoyed your work.
 

Thread Starter

philbo5093

Joined Jul 16, 2021
3
As @Yaakov mentioned, since it's PKE (passive keyless entry, passive being the important part here), means there's an LF coil (typically 125kHz/134kHz) that looks for a wakeup signal (note there's date encoded via ASK, not just a CW), and the key responds in sub-GHz UHF ISM bands (typically ~300MHz/434MHz), followed by a secondary LF challenge (car) and second UHF response (fob). Interestingly if your fob is out of battery, some will allow you to place the fob up to the car (on a handle or engine start button) to inductively power the fob to both unlock the vehicle and start ignition.

@philbo5093 I believe it's technically possible but the biggest challenge is the amount of power and/or antenna size to create a strong enough LF (125/134kHz) signal and don't think this is reasonably feasible unfortunately. If we're talking about using a coil, then in my experience you generally don't get much more RX distance than a small multiple of the longest diameter of the coil. If you want an antenna for non-inductive transmission, then c/v=λ [speed of light / frequency = wavelength], so ~300 megameters per sec / 125 kHz =~ 2400 meter wavelength. Some fraction of that will transmit but perhaps someone with RF expertise can chime in on the distance and power required to transmit at a long range with a large fractional antenna length?

On the car side, since you have the make/model/year, it would be easy to record the LF wakeup signal and identify the UHF response the fob sends back (I used this as a technique to fingerprint fobs as they transmit a unique ID as well on a per-fob basis). You would want a sensitive UHF receiver with LNA but fortunately the UHF signal transmits much further than the LF signal. The receive would still be challenging since you still wouldn't be that close, but the LF transmission is going to be even more challenging. Unfortunately I don't think this can really be built and working in a reasonable time frame, I'm sorry to say.

@samyk Thanks for the detailed reply. It might have been nice to come up with a useful search and rescue tool, but sounds like tracking PFE key fobs isn't the way to do it.
 
Top