How to decode Lojack?

Status
Not open for further replies.

ecps92

Member
Joined
Jul 8, 2002
Messages
14,435
Location
Taxachusetts
I've seen decodes (actual tracking) with multiple other letters including Q

Most Training Devices begin with three zeros
One was 0004Q (say it fast)

I noticed LoJack units featured on YouTube display reply codes containing letters other than A-F (such as G, K, L, M, N, Q and V) however the decoding program as it currently stands only displays addresses containing numbers and the letters A-F.

I wonder if the decoding of the bits is correct? How do LoJack receivers decode letters such as G, K, L, M, N, Q and V? If a 4-bit format is being used then there are only 16 possible patterns which is enough to cover the numbers 0-9 and the letters A-F only.

An online article states, "Several hundred million unique codes are available for use as activation and reply codes."
https://www.ncjrs.gov/pdffiles1/Digitization/126175NCJRS.pdf

Any ideas?
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
Just an interesting side note regarding LoJack being non-transferable between vehicles according to their website:

"Your LoJack® Stolen Vehicle Recovery System is not transferable from one vehicle to another as the serial number on your LoJack® Unit is registered to the Vehicle Identification Number (VIN) of your vehicle." LoJack FAQs

I was considering purchasing a used LoJack unit listed on E-bay, however I realized after speaking with a LoJack representative that the unit is permanently tied to the original vehicle VIN number it was installed into, both in the LoJack system and in the National Crime Information Center (NCIC) computer database. So, what this means is that if the original vehicle is ever stolen the LoJack unit will be activated in the new vehicle it is installed in. Oops, explain that one to the police.

However, I do recall reading years ago a story in which someone transferred a LoJack unit to a different vehicle they owned which was subsequently stolen. The person explained to the police the vehicle had a LoJack unit transferred from another vehicle. The police were able to contact LoJack and have them manually activate the LoJack unit even though it was installed in a different vehicle than the original vehicle.

So, my recommendation would be not to purchase a LoJack unit taken from another vehicle unless the original vehicle was taken to a junk yard and then maybe I would consider it.

Shawn
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
Another LoJack patent that details how the reply code appears on the display is the following:
Patent US4908629

An audio example of a stolen vehicle signal is located on YouTube:
http://www.youtube.com/watch?v=2JwXwxeWc0Y

The above audio sample decodes to the following 80-bits:

01010101000011110111001001001000111010101000000000100110001000010110101001001111

It appears the "reply code" that was displayed on the screen was 000MC, a code used by LoJack for testing/training purposes.

I reached out to the person who posted the YouTube video in an attempt to verify the 000MC is what appeared on the screen at the time the recording was made however have not received a reply.

Patent 6229988 shows a LoJack message as a preamble "01010101" and a flag "00001111" followed by a 64-bit message (8-bit VRC, 8-bit LRC, 4-bit FCN Code, 28-bit address and 16-bit CRC).

Patent 4908629 shows a LoJack message as a preamble (most likely 01010101) and a flag (most likely 00001111) followed by a transponder code, rate command and redundancy checks.

Why the difference in the formatting of the message between the two patents? Could 4908629 be an older design that is no longer in use?

With the above patent and stolen vehicle audio example I wonder if it is possible to figure out how the reply code works?
 

DSheirer

Member
Premium Subscriber
Joined
Feb 15, 2010
Messages
583
Location
Fulton, NY
It appears the "reply code" that was displayed on the screen was 000MC, a code used by LoJack for testing/training purposes.

With the above patent and stolen vehicle audio example I wonder if it is possible to figure out how the reply code works?

I'm guessing that the vehicle transponders will reply using a different sync pattern than what the tower is using (00001111) so that other vehicle transponders won't receive a false trigger and attempt to decode the message(s) from the activated (neighbor) vehicle transponder.

Key to figuring this out is to get a recording of an activated vehicle transponder, so that we can figure out what that pattern is. A good starting guess might be inverting the tower sync pattern (11110000).

The tower should be broadcasting on a repeating schedule (every xx seconds) so that any activated vehicle transponders know when to expect an opening so that they can transmit.

Have you been hearing any activated vehicle responses recently??
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
Have you been hearing any activated vehicle responses recently??

I have not heard any activated vehicle responses lately. There is an example of one on YouTube which appears to indicate a reply code of 000MC Raw audio from the discriminator tap on a Lojack recovery system.

This activated vehicle response on YouTube decodes as follows:
01010101000011110111001001001000111010101000000000100110001000010110101001001111

I'm not sure how the 000MC was deciphered by the receiving unit from this string of bits?

Shawn
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
Another LoJack patent that details how the reply code appears on the display is the following: Patent US4908629...

Patent 6229988 shows a LoJack message as a preamble "01010101" and a flag "00001111" followed by a 64-bit message (8-bit VRC, 8-bit LRC, 4-bit FCN Code, 28-bit address and 16-bit CRC).

Patent 4908629 shows a LoJack message as a preamble (most likely 01010101) and a flag (most likely 00001111) followed by a transponder code, rate command and redundancy checks.

There is one additional patent that shows yet a third format layout for the 64-bit message:
Patent US8618957

This patent shows each 64-bit message begins with an 8-bit VRC, followed by a longer coded message and finally by auxiliary fields AF1, AF2, AF3 and AF4.

Shawn
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
After further reading it appears patent https://www.google.com/patents/US4908629?dq=4908629 (also https://www.google.com/patents/US4818998?dq=US4818998A) provides the details necessary to obtain the reply code transmitted by a stolen vehicle.

At first glance I thought these patents were outdated and did not apply as figure 7 shows only 3 characters as being displayed for a reply code when current LoJack units display 5 character reply codes. However in the text it clearly states the system uses a "5-character alphanumeric display".

Shift Registers (a type of IC chip) are used in this patent to store bits which are then used to light up various segments to form characters on a display. In this way, bits (1's and 0's) represent on and off switches for the various segments on the display which are used to form the numbers and letters of the reply code.

The patent states that a "pair" of 8-bit shift registers are used. A pair typically means two however I fail to understand how 16 segments alone could light up the segments required to form 5 characters. Possibly up to five shift registers are in use (a total of 40 bits) to control the display segments used to form 5 characters.

Now, the challenge is to determine which bits contained in the 64-bit stolen vehicle message (following the preamble "01010101" and flag "00001111") control various segments on the display to form numbers and letters. Also, as the bits are shifted into the register they may be in reverse order as to how they light up various segments on the display.

Oh, by the way, I have determined that the stolen vehicle recording example (Raw audio from the discriminator tap on a Lojack recovery system) most likely does not correspond to a reply code of 000MC. The reason is that I discovered the original picture of this test reply code (000MC) on another web page so it was likely borrowed by the YouTube user to go along with their audio example of a stolen vehicle transmission. Currently, there is no known stolen vehicle audio file that I am aware of in which the reply code is also known.

Shawn
 

EricCottrell

Member
Premium Subscriber
Joined
Nov 8, 2002
Messages
2,413
Location
Boston, Ma
After further reading it appears patent https://www.google.com/patents/US4908629?dq=4908629 (also https://www.google.com/patents/US4818998?dq=US4818998A) provides the details necessary to obtain the reply code transmitted by a stolen vehicle.

At first glance I thought these patents were outdated and did not apply as figure 7 shows only 3 characters as being displayed for a reply code when current LoJack units display 5 character reply codes. However in the text it clearly states the system uses a "5-character alphanumeric display".

Shift Registers (a type of IC chip) are used in this patent to store bits which are then used to light up various segments to form characters on a display. In this way, bits (1's and 0's) represent on and off switches for the various segments on the display which are used to form the numbers and letters of the reply code.

The patent states that a "pair" of 8-bit shift registers are used. A pair typically means two however I fail to understand how 16 segments alone could light up the segments required to form 5 characters. Possibly up to five shift registers are in use (a total of 40 bits) to control the display segments used to form 5 characters.

Now, the challenge is to determine which bits contained in the 64-bit stolen vehicle message (following the preamble "01010101" and flag "00001111") control various segments on the display to form numbers and letters. Also, as the bits are shifted into the register they may be in reverse order as to how they light up various segments on the display.


Shawn
Hello,

The figure with the shift registers is showing how the microprocessor interfaces with the displays. This is a common method where the microprocessor determines what LEDs or segments should be lit and then generates the proper data bits to do it. So there is no one-to-one correspondence between the over-the-air data and display data.

There are 32 characters (a power of 2) used in the reply code. It would take 25 bits to represent all possible reply IDs or 33,554,432 unique addresses. If the IDs are 28 bits then it is possible that three of the bits are used to specify equipment addresses other than vehicles.

It would make sense for test addresses to be at the beginning of the block. 000MC could represent address 0000000000000001010001011, which is interesting because the M and C characters are one's complements of each other, if the character mapping follows this logical map.

Code:
00000 0
00001 1
00010 2
00011 3
00100 4
00101 5
00110 6
00111 7
01000 8
01001 9
01010 A
01011 C
01100 D
01101 E
01110 F
01111 G
10000 H
10001 J
10010 K
10011 L
10100 M
10101 N
10110 P
10111 Q
11000 R
11001 S
11010 T
11011 U
11100 V
11101 W
11110 X
11111 Y
73 Eric
 

EricCottrell

Member
Premium Subscriber
Joined
Nov 8, 2002
Messages
2,413
Location
Boston, Ma
I have not heard any activated vehicle responses lately. There is an example of one on YouTube which appears to indicate a reply code of 000MC Raw audio from the discriminator tap on a Lojack recovery system.

This activated vehicle response on YouTube decodes as follows:
01010101000011110111001001001000111010101000000000100110001000010110101001001111

I'm not sure how the 000MC was deciphered by the receiving unit from this string of bits?

Shawn
Hello,

I need to set up something to decode my local Lojack frequency.

Your decode does not match my mapping suggestion.

One additional question regarding the ID mapping is where the 3 additional bits are put. I assume they are either at the beginning or the end of the address. If I decode your example then there are at least two possible addresses.

Code:
01010101 00001111 01110010 01001000 1110 101 01000 00000 01001 10001 00001 0110101001001111
Preamble Flag     VRC      LRC      FCN   ?    8     0     9     J    1    CRC

01010101 00001111 01110010 01001000 1110 10101 00000 00001 00110 00100 001 0110101001001111
Preamble Flag     VRC      LRC      FCN    N     0     1     6     4    ?  CRC

73 Eric
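
The two candidate readings in the post above can be reproduced mechanically. The following is an added example, not code from any poster in this thread: it splits an 80-bit burst using the field widths quoted from patent 6229988 and decodes the 28-bit address with the proposed 5-bit character map, once with the three spare bits leading and once trailing. The function names are hypothetical, and the bits are read left to right exactly as written in the posts.

```python
# Added illustration. Field widths are the ones quoted in this thread from
# patent 6229988; the character map is the one proposed in the thread.
FIELDS = [("preamble", 8), ("flag", 8), ("vrc", 8), ("lrc", 8),
          ("fcn", 4), ("address", 28), ("crc", 16)]
PREAMBLE, FLAG = "01010101", "00001111"
# Index = 5-bit value. B, I, O and Z are absent, as in the posted map.
ALPHABET = "0123456789ACDEFGHJKLMNPQRSTUVWXY"

# The 80-bit decode posted in this thread (spaces are ignored by the parser).
SAMPLE = ("01010101 00001111 01110010 01001000 1110 "
          "101 01000 00000 01001 10001 00001 0110101001001111")


def parse_frame(bits):
    """Split an 80-bit burst into named fields; reject malformed input."""
    bits = "".join(bits.split())
    if len(bits) != 80 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 80 characters of 0/1")
    frame, pos = {}, 0
    for name, width in FIELDS:
        frame[name] = bits[pos:pos + width]
        pos += width
    if frame["preamble"] != PREAMBLE or frame["flag"] != FLAG:
        raise ValueError("preamble/flag mismatch, probably a bad decode")
    return frame


def decode_address(address, spare="leading"):
    """Return (five characters, three spare bits) for one alignment guess."""
    if len(address) != 28:
        raise ValueError("address field must be 28 bits")
    if spare == "leading":
        extra, body = address[:3], address[3:]
    elif spare == "trailing":
        body, extra = address[:25], address[25:]
    else:
        raise ValueError("spare must be 'leading' or 'trailing'")
    code = "".join(ALPHABET[int(body[i:i + 5], 2)] for i in range(0, 25, 5))
    return code, extra


def encode_code(code):
    """Inverse mapping: five display characters to 25 address bits."""
    if len(code) != 5:
        raise ValueError("reply codes are five characters")
    return "".join(format(ALPHABET.index(ch), "05b") for ch in code)


def candidates(bits):
    """Both alignments for one burst, keyed by where the spare bits sit."""
    address = parse_frame(bits)["address"]
    return {s: decode_address(address, s) for s in ("leading", "trailing")}


if __name__ == "__main__":
    for where, (code, extra) in candidates(SAMPLE).items():
        print(f"spare bits {where}: code={code} spare={extra}")
    print("000MC ->", encode_code("000MC"))
```
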
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
Your decode does not match my mapping suggestion.

Hi Eric,

I discovered earlier today that the 000MC displayed on the YouTube video is most likely not the correct reply code to match with the recorded audio. So as of right now, I am unaware of any audio example of a stolen vehicle or LoJack test signal in which the reply code is positively known. This makes it more challenging to verify the proper decode of the LoJack signal.

You have some amazing insights! The character map you posted explains why the B, I, O and Z are excluded from reply codes.

From the various patents I have pondered whether the data burst follows the same bit structure/format for both the tower and the stolen vehicle transmissions or if each has a slightly different bit structure/format? Assuming all data bursts follow the same "Preamble, Flag, VRC, LRC, FCN, address, CRC" format then you may have just figured out LoJack! Or, at least how to decode the reply code which would be fantastic!

If the IDs are 28 bits then it is possible that three of the bits are used to specify equipment addresses other than vehicles.

I'm not sure if the following sentence from the patent helps with regards to the above three bits or not?

"The preferred alphanumeric display at CD [code display] is effected from data clocked from the microprocessor 8 (GO, FIG. 7) into a pair of 8-bit shift registers SR, the first bits controlling which of the LED dot-matrix display unit of CD are used to display a given character (left), and the following comprise the code for a given character, so as to produce an alphanumeric display containing the unique code or serial number of the vehicle transponder which is sending the reply signals R to the tracking vehicle." Patent 4908629

An online article states on page 19, "Several hundred million unique codes are available for use as activation and reply codes". If all 28 bits of the address field are used to create addresses this would be 268,435,456 possible unique addresses. However, if 25 bits are used it would reduce the possible unique addresses to 33,554,432. Whatever the three bits are utilized for (maybe equipment/display version) it appears from the above statement that they are taken into account as part of the unique address.

It would sure be very interesting to verify whether one of your two examples is the correct reply code!

73's Shawn
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
I ran across one additional patent which is worthy of mention in this thread for future reference. Patent US8630605

Also, I noticed the following statement that may be of interest:
"The Reply Code alphabet is constructed from 19 segment characters. The Signal Strength display is one continuous row of 25 segments."
FCC OET Document

Shawn
 

uman18

Member
Joined
May 24, 2009
Messages
90
Location
PORT HUENEME,CA
I bought a pallet of "miscellaneous items" at an auction one time and it had a LoJack unit. I tried to sell it on ebay and a few days later a CHP officer with the auto-task force and a rep from lojack were at my front door....they claimed I had "stolen property". The rep said they "lease" the equipment to the departments. I told him then why doesn't it say property of lojack....he said they were working on that. I should have fought to keep it but it was like whatever, I didn't take a loss.
 

ecps92

Member
Joined
Jul 8, 2002
Messages
14,435
Location
Taxachusetts
Lo/Jack has always been a 5 character response code in the display

After further reading it appears patent https://www.google.com/patents/US4908629?dq=4908629 (also https://www.google.com/patents/US4818998?dq=US4818998A) provides the details necessary to obtain the reply code transmitted by a stolen vehicle.

At first glance I thought these patents were outdated and did not apply as figure 7 shows only 3 characters as being displayed for a reply code when current LoJack units display 5 character reply codes. However in the text it clearly states the system uses a "5-character alphanumeric display".

Shift Registers (a type of IC chip) are used in this patent to store bits which are then used to light up various segments to form characters on a display. In this way, bits (1's and 0's) represent on and off switches for the various segments on the display which are used to form the numbers and letters of the reply code.

The patent states that a "pair" of 8-bit shift registers are used. A pair typically means two however I fail to understand how 16 segments alone could light up the segments required to form 5 characters. Possibly up to five shift registers are in use (a total of 40 bits) to control the display segments used to form 5 characters.

Now, the challenge is to determine which bits contained in the 64-bit stolen vehicle message (following the preamble "01010101" and flag "00001111") control various segments on the display to form numbers and letters. Also, as the bits are shifted into the register they may be in reverse order as to how they light up various segments on the display.

Oh, by the way, I have determined that the stolen vehicle recording example (Raw audio from the discriminator tap on a Lojack recovery system) most likely does not correspond to a reply code of 000MC. The reason is that I discovered the original picture of this test reply code (000MC) on another web page so it was likely borrowed by the YouTube user to go along with their audio example of a stolen vehicle transmission. Currently, there is no known stolen vehicle audio file that I am aware of in which the reply code is also known.

Shawn
 

EricCottrell

Member
Premium Subscriber
Joined
Nov 8, 2002
Messages
2,413
Location
Boston, Ma
Hello,

Hopefully there are no typos in this.

Lojack CRC Observations

Only Address and function code are protected.

16 bit CRC is sent LSB first like the function and address codes.

I suspect the VRC and LRC are sent LSB first as well. These codes are used as a quick way for units to determine if a message might be for the unit, so do not carry additional information.

Exponent x^15+x^11+x^10+x^8+x^7+x^6+x^5+x^3+x^2+1 or 0x8DED
CRC Initialization Value is 0.

Code:
CRC Table
Address F CRC
8000000 0 C6F6
4000000 0 637B
2000000 0 F74B
1000000 0 BD53
0800000 0 985F
0400000 0 8AD9
0200000 0 839A
0100000 0 41CD
0080000 0 E610
0040000 0 7308
0020000 0 3984
0010000 0 1CC2
0008000 0 0E61
0004000 0 C1C6
0002000 0 60E3
0001000 0 F687
0000800 0 BDB5
0000400 0 982C
0000200 0 4C16
0000100 0 260B
0000080 0 D5F3
0000040 0 AC0F
0000020 0 90F1
0000010 0 8E8E
0000008 0 4747
0000004 0 E555
0000002 0 B45C
0000001 0 5A2E
0000000 8 2D17
0000000 4 D07D
0000000 2 AE68
0000000 1 5764

73 Eric
 

EricCottrell

Member
Premium Subscriber
Joined
Nov 8, 2002
Messages
2,413
Location
Boston, Ma
I discover something new every day in regards to LoJack. It appears each LoJack unit has an address that is seven characters in length which presumably corresponds to the seven character addresses we are seeing transmitted by the LoJack towers. An example of the seven character unit ID is shown on the following LoJack website: https://my.lojack.com/controls/registration-card.html. However, LoJack receivers only display five characters on their screen. These five characters are known as the "reply code". I wonder if the "reply code" is specific to each LoJack unit (possibly part of the unit ID) or whether LoJack can program what "reply code" will be transmitted from any given unit? There is a lot to learn when it comes to LoJack. Another question is whether the format of the signal transmitted by a stolen unit is the same format as the signal transmitted by the towers?

Shawn
Hello,

The A in the middle makes me think this is the address of the unit in Hex format. 28 bits is seven hex digits.

73 Eric
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
Hello,

The A in the middle makes me think this is the address of the unit in Hex format. 28 bits is seven hex digits.

73 Eric

After a little digging, it appears each LoJack unit has both an activation code and a separate distinct reply code programmed into it at the factory. My current understanding is that both of these codes consist of five characters. The seven characters contained in the registration number/LoJack unit label itself are most likely unrelated to the LoJack activation and reply codes broadcast by the towers/stolen vehicle units. This is my understanding presently.

It's unfortunate we do not have a LoJack recording with a known five character reply code.

73 Shawn
 

EricCottrell

Member
Premium Subscriber
Joined
Nov 8, 2002
Messages
2,413
Location
Boston, Ma
Hello,

I tested out the CRC and found an error in the CRC value for Function value 2. It should be AEC8 hex.

Code:
CRC Table (Values in Hexadecimal)
Address F CRC
8000000 0 C6F6
4000000 0 637B
2000000 0 F74B
1000000 0 BD53
0800000 0 985F
0400000 0 8AD9
0200000 0 839A
0100000 0 41CD
0080000 0 E610
0040000 0 7308
0020000 0 3984
0010000 0 1CC2
0008000 0 0E61
0004000 0 C1C6
0002000 0 60E3
0001000 0 F687
0000800 0 BDB5
0000400 0 982C
0000200 0 4C16
0000100 0 260B
0000080 0 D5F3
0000040 0 AC0F
0000020 0 90F1
0000010 0 8E8E
0000008 0 4747
0000004 0 E555
0000002 0 B45C
0000001 0 5A2E
0000000 8 2D17
0000000 4 D07D
0000000 2 AEC8
0000000 1 5764

73 Eric
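
The correction in the post above can be checked from the table alone. The following is an added example, not code from the poster: each row should equal the row for the next lower bit shifted left once and reduced by 0x8DED, and with an initialization value of 0 (and assuming no final XOR) the CRC of any address and function is the XOR of the rows for its set bits. Treating address and function as one 32-bit value with the function in the low four bits is an assumption that matches the table's row order; the function names are hypothetical.

```python
# Added example: checks the CRC table posted in this thread against itself.
POLY = 0x8DED  # polynomial value quoted in the post (x^16 term implied)

# Corrected table from the thread, top row (address 8000000) to bottom row
# (function 1). Assumption: address and function form one 32-bit value with
# the function code in the low four bits, which matches the row order.
CORRECTED = """
C6F6 637B F74B BD53 985F 8AD9 839A 41CD E610 7308 3984 1CC2 0E61 C1C6 60E3 F687
BDB5 982C 4C16 260B D5F3 AC0F 90F1 8E8E 4747 E555 B45C 5A2E 2D17 D07D AEC8 5764
""".split()
# First posting of the table: identical except the function-2 row read AE68.
FIRST_POSTED = CORRECTED[:30] + ["AE68"] + CORRECTED[31:]


def by_bit(rows):
    """Index the rows by message bit number (bit 0 = function value 1)."""
    if len(rows) != 32:
        raise ValueError("expected 32 rows: 28 address bits + 4 function bits")
    return [int(row, 16) for row in reversed(rows)]


def step(crc):
    """Move one bit position up: shift left, reduce by POLY on overflow."""
    crc <<= 1
    return (crc ^ POLY) & 0xFFFF if crc & 0x10000 else crc


def inconsistent_rows(rows):
    """Return (bit, posted, expected) for rows that break the shift rule.

    The chain is seeded from the bit-0 row, so that row is taken on trust.
    """
    posted = by_bit(rows)
    expected, bad = posted[0], []
    for bit in range(1, 32):
        expected = step(expected)
        if posted[bit] != expected:
            bad.append((bit, posted[bit], expected))
    return bad


def crc_of(address, fcn, rows=CORRECTED):
    """CRC of a 28-bit address and 4-bit function by XOR of per-bit rows."""
    if not (0 <= address < 1 << 28 and 0 <= fcn < 16):
        raise ValueError("address must fit 28 bits and function 4 bits")
    table, message, crc = by_bit(rows), (address << 4) | fcn, 0
    for bit in range(32):
        if (message >> bit) & 1:
            crc ^= table[bit]
    return crc


if __name__ == "__main__":
    for bit, got, want in inconsistent_rows(FIRST_POSTED):
        print(f"bit {bit}: posted {got:04X}, shift rule gives {want:04X}")
    print("corrected table clean:", inconsistent_rows(CORRECTED) == [])
    print(f"address 0000003, function 0 -> {crc_of(0x0000003, 0):04X}")
```

The check only shows that the table is self-consistent with the stated polynomial; it does not establish the over-the-air bit order, which the thread leaves open.
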
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
A member (freqhopping) attached an unusual example of LoJack signals to an older thread:
http://forums.radioreference.com/general-scanning-discussion/50450-what-im-hearing-lojack-freq.html
http://forums.radioreference.com/at...648075-what-im-hearing-lojack-freq-lojack.zip

The data burst immediately preceding each set of steady tones decodes out to the following:
01010101 (Preamble)
00001111 (Flag)
01000000 (VRC)
01000000 (LRC)
0100 (Function)
0000010000001100100000000000 (Address)
1100000000000000 (CRC)

The address portion would appear to decode out to one of the following addresses:
000
00100 = 4
00001 = 1
10010 = K
00000 = 0
00000 = 0

00000 = 0
10000 = H
00110 = 6
01000 = 8
00000 = 0
000

This is the first example I have heard of LoJack with tones. I wonder if this was some type of testing or if the older LoJack units transmitted these tones when stolen? The audio file appears to have been recorded in January 2004.

Shawn
 

ScannerSK

Member
Joined
Mar 6, 2005
Messages
1,349
Location
Weld County, Colorado
Breakout of the 80-bit LoJack signal per patents:

8-bit Preamble (01010101)
8-bit Flag (00001111)
8-bit VRC (Vertical Redundancy Check) (Bit matching operation to determine whether unit should wake-up or go back to sleep)
8-bit LRC (Computer control)
4-bit FCN (Function code: controls activate/deactivate/speed-up)
28-bit Address
16-bit CRC (Check on the address port)

There is an excellent power point presentation on how VRC (vertical redundancy check), LRC (longitudinal redundancy check) and CRC (cyclic redundancy check) schemes often function at the following site:
www.ece.osu.edu/~klein/ece766/766-10n.ppt

I noticed the last bit of the 8-bit VRC and the last bit of the 4-bit FCN code are almost always 0. The rare instance of a 1 may indicate an improper decode at least in the case of the VRC.

Shawn
 