RRSPORT.CO.UK • View topic - Stolen L322's


		^ Advertise here ^ RRSPORT.CO.UK
		Forum Gallery Shop Sponsors

Home · FAQ · New Posts · My Posts · PMs · Search · Members · Members Map · Calendar · Profile · Donate · Register · Log In

Home > General > Stolen L322's - Key Protection

Page 2 of 2

TheWojtek

Member Since: 08 May 2015
Location: Poznań, Poland
Posts: 737

2010 Range Rover Sport TDV8 HSE Buckingham Blue

d-9 wrote:
The signal is a rolling code of random numbers, simply capturing the signal does nothing because you cannot guess the next code from the current one. If this is broken then Thatcham should have pulled the certificate for the system.

You put way too much trust in Thatcham. They do not follow the development of hardware and software fast enough to revoke certifications or change the test procedures.
The numbers are not random, but pseudorandom. It's a massive difference, and it comes down to a significant certainty of the next sequence that will be expected by the car from the remote. By analyzing the challenge-response handshake between the particular car and the remote, a thief (or rather the software he runs on a laptop, in most cases it happens remotely as to limit the hardware carried during a break-in) is able to reconstruct the algorithm used to generate the "random" numbers.
The car is able to receive thousands of challenge signals a second and sort them out to find one that can be responded to. This is because it has to unlock the door in a busy environment of a car park with tens of signals being transmitted simultaneously to unlock and lock various vehicles.
I don't know the details exactly, but the remote transmits an unique key identifier (static, does not change), a random sequence (the actual challenge sent to the car that knows exactly which random number to expect) and some additional information (like long/short keypress, the actual button pressed etc, static, because they do not change). This fits nicely into a 24-bit number with over 16M combinations. Perhaps it's a 32-bit transmission? Maybe it's obfuscated with additional encryption? I'm not sure, since this calls for some processing power within the remote itself, so it would be power-hungry. But maybe there is some. Most of the consumer-level encryption can be broken within hours anyway, with a 32-bit transmission we're talking about something as complicated as a four-letter Windows password, my ancient 8-core Mac decrypts such password in less than a minute, brute-force.
Never mind, since once you know the actual method of the pseudorandom code, you limit your options to mere hundreds of thousands of attempts. You just burst the bytes on the 432 MHz frequency at a rate of 1000 challenges per second and within single minutes the car is unlocked.

It's like wifi security - when wifi was invented, a WEP password was considered too complicated to hijack and decode. Within 5 years the technology has progressed to a level that allows breaking a WEP password instantly. Same with car security, it has to be a foolproof and extremely durable, well-established technology, which makes it outdated at the very time it's being first implemented.

Also see: https://www.breakerlink.com/blog/security/...rity-stop/ Regards etc.,

Wojtek

---
WAS: 2006 RRS Supercharged
IS: 2010 RRS TDV8 HSE

Fri Jun 09 2017 11:27am

Andy d

Member Since: 07 Oct 2014
Location: Sheffield
Posts: 43

i had to have a cat 5 tracker for insurance i opted for the smart track

Fri Jun 09 2017 5:50pm

Gerd1986

Member Since: 07 Oct 2015
Location: London
Posts: 303

2012 Range Rover Sport SDV6 Autobiography Santorini Black

Just to update on this.

Had a Ghost fitted to the car and been using it for a few weeks now:

Pro's

It's very easy to put the code in, a few taps and the car starts up.

Valet mode for when the car goes into the garage...30mph limit and 15min driving time. If they go over either of these they wont be able to start the car again once they turn it off.

Other than that it's invisible so you don't notice it at all.

Con's

Button limitation, although it states you can use any hardware buttons for the code this isn't the case, only a few buttons can be used. I'm not going to say in public which ones these are but it's different for every car and make.

Forgetting to put the code in....Nightmare. The dash lights up like a Christmas tree and after you put the code in straight away things don't work properly including...stuck in terrain mode until you turn the car off and back on again...forward alert not working...cruise control not working...ACC not working...lean when cornering warning...engine management light stays on. Luckily I have an IID tool in the car so I can quickly clear these off and everything goes back to normal.

Valet mode - If they do something to the car that resets the valet mode you will need to go to the garage to turn it on again.

Although there are a lot of issues when not entering the code correctly it really does give a peace of mind that even if someone gets in to the car they aren't going to get away with it.

Happy to answer any question if anyone has any.

Tue Jun 27 2017 1:48pm

Tim in Scotland

Member Since: 30 May 2005
Location: Driving along in my automobile
Posts: 17476

2013 Range Rover Sport SDV6 HSE Stornoway Grey

They will just lift it with a hydraulic lifter instead............ if they want it that badly 2020 Pangea Green 1st Edition D240 New Defender 110 is here and loving it
2018 Melting Silver Mini Countryman PHEV - soon to be replaced
2015MY Corris Grey SDv6 HSE Dynamic, the best car I have ever owned, totally reliable only a cou0le of rattles in 3 years, now no longer in my care
Also in my garage is a 1996 TDi300 Defender 90 County HT made into a fake CSW

Tue Jun 27 2017 1:57pm

Page 2 of 2

All times are GMT + 1 Hour

Jump to

< Previous Topic | Next Topic >

Posting Rules

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum