Hijacking Lojack (legally)

[Tman305]

I've been doing some research on how/what makes lojack tick and a concept came to mind. I hope some of you can come in an chime with your thoughts.

Lojack operates on 173.075 Mhz which is a dedicated vehicle recovery frequency. (non exclusive) which means you too can also lincense and operate on this freq for the stated purpose.

Lojack uses gear manufactured by Motorola and an encoding format called "Continuous Phase Frequency Shift Key" (CPFSK) which from what I understand it is a very common format for data modems.

The gear could be manufactured by Joe Blow communications however Lojack uses Motorola AIEG (automotive industrical electronics group) to have their units manufactured.

Now if you were properly licensed, you could conceivably install a CPFSK modem/radio in your car and in case of theft send an activation signal for the modem to enter "beacon" mode while transmitting your vehicle's TAG number which would come up stolen on police computers.

Police cars equiped with receivers listening for CPFSK on 173.075 Mhz would pick up your signal and instead of receiving the lojack CODE the cops would receive your car's tag number, which on search would come back as a hot car.

They could follow the signal jus the same as they would follow the lojack signal.

Now lojack would probably require the modem to transmit a preamble to exclude non lojack units but that is where the courts should probably enter the fray and madate that a public entity should not enter into a monopoly structure with a private co.

Your thoughts ???

 

[N_Jay]

Just a few "thoughts"

CPFSK is the modulation, not the "format" or protocol.

You would need to reverse engineer LoJacks protocol to figure out what to send.

The protocol may include some authentication or other encoding to prevent unauthorized systems from spoofing a receiver. (or it may not)

The format of the "code" passed to the Police may prevent an open form alphanumeric string as would be required for sending any random license plate number.

Motorola no longer owns the business that once was their Automotive Group.
Continental Buys Motorola Auto Electronics

 

[Tman305]

I know of current receivers that can demodulate FSK. I am sure demodulating CPFSK is possible and thereby sampling the data streams sent by control towers as well data from the 2 watt mobile units that may be in the area and transmitting.

I can hear control tower data every 30 or 45 seconds so data IS readily available.

Lojack may or may not have implemented additional security on their signal receivers, FCC OET data could yield some info on this. However IF lojack did not implement this thinking that they would be the ony pony show in town, they would be hard pressed to rectify this loophole with millions of end user VLUs already deployed and another countless number of VTUs installed in police cruisers. Can you say OOoops! .. My hunch is that the VTU is only listening and demodulating CPFSK on 173.075.

The VTU is alpha numeric capable. so no problem there. Lojack has a video on youtube where they showcase the unit and you can see that decoded reply codes implement numbers and letters.
Additionally I have heard a total of 6 ground units from 2 cities, 1 county and an air unit chasing a lock code of W150 belonging to a silver Ford F150.

 

[N_Jay]

As I have always said "LoJack is Low Tech'.

Receiving most forms of FSK is relatively easy (at least until you get to the fringes.

So start framing up the data and see if you can make heads of tails from it.

THEN you are 1/2 way there.

I doubt there is any usable information in the FCC filings.

 

[prcguy]

If you were to go into business with something that compets with a Motorola product and needs one of thier receivers and protocol to work, I would think Motorola would scream software or hardware license infringment and they would sue your patns off.

I like the idea of another source for Lojack style equipment but Motorola has a warehouse full of pants that were lost by others in court over radio software infringement.
prcguy

 

[N_Jay]

1) Motorola sold that division.
2) I think the protocol is LoJack, and Motorola is (was) just the OEM for the box.

 

[KC9NCF]

I have an easier idea!!!

Get an amateur license and then install APRS in your vehicle. Use the internet coupled with direction finding. If the internet goes out, the signal can still be tracked down by several sources to include signal strength from the digipeater input, manual direction finding, and so forth.

N_Jay is the person I would look to because, as you can see, he knows this stuff. Reverse engineering would be good to do, but what do you do to get the other half through that? Do the police even monitor Lo-Jack anymore?

 

[K4APR]

I have an easier idea!!!

Get an amateur license and then install APRS in your vehicle. Use the internet coupled with direction finding. If the internet goes out, the signal can still be tracked down by several sources to include signal strength from the digipeater input, manual direction finding, and so forth.

Took the words right out of my mouth!

 

[jmp883]

If all you want to do is to track vehicles I also agree....go APRS. If you wanted to sell a system to compete with Lo-Jack there are more than just the technical issues that will need to be addressed.

Lo-Jack is a great idea, at least in concept. In reality it's not so good of an idea. I'm an emergency services dispatcher so I've had first-hand experience working with L-J. One of the agencies I used to dispatch for only had 3 or 4 of their patrol cars equipped with the tracking equipment. If any of those patrol cars were on the road when the L-J hit came in, and they weren't already on a call, then we were able to track and attempt to locate the vehicle in question.

Tman305 wrote:

Now if you were properly licensed, you could conceivably install a CPFSK modem/radio in your car and in case of theft send an activation signal for the modem to enter "beacon" mode while transmitting your vehicle's TAG number which would come up stolen on police computers.

Police cars equiped with receivers listening for CPFSK on 173.075 Mhz would pick up your signal and instead of receiving the lojack CODE the cops would receive your car's tag number, which on search would come back as a hot car.

The big issue with what has been said here is that the only way L-J is activated is when the dispatcher enters the car as stolen in the NCIC computer system. Once the NCIC entry is made it then activates the tracking device in the stolen vehicle. We then get a printout of the vehicle confirming it has been entered as stolen and that the L-J tracker has been activated. If/when the stolen vehicle comes in range of a L-J equipped patrol car then it may be found, or it may not.

If you were to be successful, once you surmounted the technical details then you'd need to address how you would get a stolen vehicle entered into the NCIC system. I promise you that no law enforcement agency will accept any computer system that deals with stolen property of any kind that is not administered by NCIC.

The other drawback to L-J, or any other potential competing system, is that not every department is equipped with L-J. The agency I'm currently working for doesn't have it, nor do the most of the towns around me. Kind of makes L-J useless if no department in the area where you use your vehicle the most doesn't have it. There is no guarantee that, once stolen, the thieves will drive your vehicle into a L-J equipped area. I started dispatching in 1992 and we had L-J then. Since L-J has been around for at least that long departments that haven't already bought the L-J tracking equipment probably aren't going to. You'd have to make your system so much more appealing, and affordable, to them to make them want to buy yours. That's assuming you've already gotten all the technical details mastered.

I really don't understand why you'd want to do this when APRS does what you want, except for showing the vehicle as stolen. I also don't understand why people willingly buy L-J when they get new vehicles. Yes L-J has had success stories but since it's not mandatory equipment for all PD's to carry I truly believe that it's money wasted buy the consumer.

Just my thoughts................

 

[Lt51506]

I have an easier idea!!!

Get an amateur license and then install APRS in your vehicle. Use the internet coupled with direction finding. If the internet goes out, the signal can still be tracked down by several sources to include signal strength from the digipeater input, manual direction finding, and so forth.

N_Jay is the person I would look to because, as you can see, he knows this stuff. Reverse engineering would be good to do, but what do you do to get the other half through that? Do the police even monitor Lo-Jack anymore?

Just chiming in to answer the question, "Do the police even monitor Lo-Jack anymore?".

Yes. Some of the Southern California feeds I listen to chase Lo-Jack hit's several times a week. Here in Idaho, maybe every few weeks they'll chase one down.
What I find interesting, is that at least 50% of these hits seem to be for malfunctioning Lo-Jack units, not an active stolen vehicle. I would imagine there are departments that suffer from the "cry wolf" syndrome and just don't bother to chase these hits down anymore (South Dakota comes to mind here).

 

[DaveNF2G]

I'm always amused by the threads about "legally" performing illegal tasks.

 

[KMA367]

Do the police even monitor Lo-Jack anymore?

In Southern California they use it all the time. A few highlights just for last month:

• 10-1-09, Ontario PD flight officers picked up the silent LoJack code of a stolen 2007 Dodge Ram 350. Ground units responded to the area, and a detective unit observed the vehicle parked in a driveway containing a female driver and a male passenger. The occupants were detained and the vehicle released to the owner at the scene.
  
  
• 10-1-09, within seven minutes of its LoJack system activating, a LAPD officer picked up the LoJack signal from the victim's stolen 2000 Honda Civic. He tracked it to the rear yard of a residence located in the 2100 block of E. 118th Street. The officer located a suspect who admitted to having the vehicle in his back yard. As the location was in the Sheriffs area, LASD Deputies were summoned to the scene. Once at the location, they obtained a consent search and located the stolen vehicle in the rear yard along with several other stolen Hondas which had the VINs removed and different VINs attached. The suspect was arrested for 10801 VC (Operating a Chop Shop) and a variety of related charges.
  
  
• 10-4-09, within 10 minutes of initial activation, Glendale PD officers picked up the silent LoJack signal of a stolen 1991 BMW 320 and started tracking the signal. At Mountain and Verdugo, they observed the BMW being driven as it passed their vehicle. Back up officers arrived and in a felony traffic stop the driver was taken into custody. The vehicle was stored for safe keeping and made available for release.
  
  
• 10-5-09, within seven minutes of the LoJack system activating, Gardena PD Officers picked up the LoJack signal from the victim's stolen 1999 GMC Suburban. They tracked it to an auto repair shop located in the 1600 block of W. 144th Street where they observed it parked at the rear of the location. They obtained consent from the owner to search the location, where they found the stolen vehicle to have the steering column broken. Their investigation found the owner of the shop did not have any repair order and claimed someone dropped the vehicle off to have some custom interior work done, but didn't know how to contact the person. He continued to make conflicting statements to the officers. There were six other people working at the business and they were questioned and released. The owner was arrested for 487 (D) PC (Grand Theft Auto). Gardena Detectives are looking at the suspect for operating a chop shop.
  
  
• Also on 10-05-09, a San Diego Police Officer near 14th and Market St. received the silent signal from a stolen 2002 Toyota Corolla just 30 minutes after it had been reported stolen. After advising his beat partners of the stolen vehicle, he started tracking the signal. A few minutes later two other officers also received the signal and tracked the car to a parking lot in the 1000 block of Ninth St. Suspect information was available, and following up on that the suspect was located a few blocks away. The suspect was arrested and the car was returned to the registered owner without sustaining any damage.
  
  
• 10-10-09, officers from the Buena Park PD picked up the LoJack signal of a stolen 1998 Chevrolet within 14 minutes of entry by Orange PD. They tracked it to a hotel on Stanton Ave., where they located it in a parking lot unoccupied. The officers contacted the manager of the hotel and learned of the room the suspects rented. The officers soon made contact with occupants and detained the primary suspect, a 23 year old female along with 4 other subjects. There they learned that the female and one of the occupants, a male parolee conspired to steal the vehicle and sell it to a chop shop. These two suspects were arrested and booked for VC 10851 DWOC, PC 496 receiving stolen property, PC 459 Burglary and possession of Methamphetamine. The vehicle was towed and later released to the happy owner.
  
  
• 10-13-09, eleven minutes after being activated, a Santa Ana PD officer picked up the silent LoJack signal from a 2004 Nissan Maxima, which had just been reported stolen to their department. The officer initiated broadcast of the LoJack hit, his location and signal direction and began tracking the signal, which appeared to be moving. With the assistance of other LoJack equipped units, the vehicle was located in a parking lot in the City of Orange. Two suspects, one male and one female were observed frantically stripping parts from the vehicle. The officers deployed, taking the two suspects into custody without incident. They were arrested for Auto Theft, Possession of Stolen Property and Stripping a Stolen Vehicle.
  
  
• 10-18-09 a CHP unit in the vicinity of the I-5 Freeway and Jamboree Road, in the City of Irvine, picked up the LoJack homing signal from a stolen 2006 Toyota Tundra Truck, which had been reported the day before to Riverside Sheriff's Menifee Station. An area wide broadcast was made of the LoJack hit, as the CHP Officer was enroute to another call and unable to begin tracking the signal. Santa Ana PD Officers monitored this broadcast, responded to the general area and they too acquired the silent signal, which was tracked to a commercial area in the 900 block of 6th Street in their city. The stolen vehicle was located and was occupied by one lone male adult suspect, who was taken into custody without incident by the responding units. The suspect, who was also on probation for narcotics violations, was arrested for Auto Theft, Possession of Stolen Property and Probation Violation. The undamaged truck was towed and stored.
  
  
• 10/20/09, a Ventura PD detective got the LoJack activation on his iPhone while in a training class in San Diego. Since the detective was out of town, he immediately contacted Ventura PD dispatch center and requested they send out a message to all units on patrol. Dispatch also created an entry for their daily watch report that is read during briefings. At the 1200 briefing, officers received the stolen information on the 2007 Nissan Titan, which was reported stolen by Ventura County Sheriff's Department- West County. Within 17 minutes after the vehicle was reported stolen, both Ventura PD and CHP picked up the silent signal form the stolen vehicle. Ventura PD patrol officers then drove to the area of Montalvo in Ventura and spotted the vehicle. A high risk traffic stop was conducted and the suspect was taken into custody for 10851 VC (DWOC) without incident. The suspect is on probation for 10851 VC and was wanted for Burglary and Forgery Charges, and was booked for 10851 VC, 459 PC (burglary)/484 (g) PC, and 182 PC.
  
  
• 10-23-09, a victim was kidnapped and raped over a two day period and the suspect then stole her vehicle. LASD deputies, knowing the victim's vehicle was LoJack equipped, quickly entered it into the Stolen Vehicle System (SVS) which activated the signal. Within ten minutes of the LoJack system activating, LASD Deputies picked up the signal from the victim's stolen 2005 Dodge Magnum and tracked it to the area of 12400 Long Beach Blvd. Within a short time, two male suspects entered the vehicle and drove away. Officers conducted a high risk traffic stop taking both suspects into custody. The driver suspect was identified as the kidnap-rape-robbery suspect by the victim. The suspect is a known gang member and was arrested for 209 PC (Kidnapping) and a variety of other related charges.
  
  
• 10-29-09, a 1998 Lexus GS300 was reported stolen to Downey PD officers who entered the information into the stolen vehicle system and NCIC. Within minutes of entry, officers from various agencies had picked up the silent LoJack signal, including officers from the California Highway Patrol East Los Angeles area. The CHP officers were on the 710 Freeway when they picked up the signal and then observed the stolen Lexus a few cars ahead of them and caught the vehicle at the 710 Freeway and Florence Ave. where they made a high risk traffic stop taking the driver into custody. The vehicle was stored undamaged.
  
  
• 10-27-2009, Riverside Sheriff's Flight Deputies flying STAR-93 picked up the LoJack signal from a stolen 2000 Toyota Tacoma Truck, which had been reported to the Torrance Police Department (in LA County) about one and one half hours earlier. The flight crew initiated a broadcast of the LoJack hit and gave their location and signal direction to the responding ground units. They also began tracking the signal westbound, and with the assistance of STAR-93 it was isolated to a casino parking lot. The stolen vehicle was located and occupied by one male adult suspect, who was taken into custody without incident.
  
  
• During the month of October, 2009, Mexico authorities using LoJack tracking in their jurisdictions recovered nine U.S. stolen vehicles.

Here are a few others

 

[kc2rgw]

My father had a 'bubble' Impala SS with Lojack in it. It was stolen multiple times and recovered due to Lojack. Sort of amusing what a hot target that car is for theft. The gang bangers love 'em evidently.

 

[poltergeisty]

Don't forget OnStar and GPS tracking. APRS? What's that? :lol:

Or you can do what I do. Throw a fox hunting transmitter in the trunk. I can guarantee your vehicle WILL be found. :lol: j/k

 

[DiGiTaLD]

My father had a 'bubble' Impala SS with Lojack in it. It was stolen multiple times and recovered due to Lojack. Sort of amusing what a hot target that car is for theft. The gang bangers love 'em evidently.

Yes they do - especially on 22s and up. Really any GM B-body. Its quite a shame really.

 

[radioman2001]

L-J has been around since about 1980 or 81. That's when the FCC gave up one of its channels for the nationwide use by L-J. I will tell you that in Nassau Cty back in the 90's they went crazy when some one programmed a HT on the freq and kept just keying up with MDC-1200 for a week or so. Also anybody can report their car stolen which would then be sent out on NCIC. So if you could find the format that is sent out, there is no reason why you can't have your own transmitter, send out the stolen code. When the car is run on NCIC it would come back stolen.

 

[DaveNF2G]

The Lojack system and NCIC are two very different things.

There is no radio code that you can use to cause a stolen vehicle hit on NCIC. It is a closed network. Any parts that travel over RF paths are not on VHF.

 

[PJH]

The LJ transmitters are enabled by sending a message via NLETS to LJ to enable them (or a phone call to them).

There is no field in the NCIC stolen vehicle file to enable LJ. You can add comments in the comment field that the vehicle is LJ equipped, but as far as the enable/disable action...its just free text.

The LJ system is a one way system. There is nothing in the field to transmit back to LJ to turn on/off a vehicle, unless the newer generation receivers have something (which last I looked, there wasn't).

Unless you knew the specific formatting, codes and programming...it would be very difficult to properly spoof a reciever. From my training way back when, they implemented several layers of security within their protocol to prevent such an action..and besides, if you were out doing that..I am sure the cops would be at your location looking around. (Besides, if they did get a datapacket ID on the receiver, they would have a message to lojack who would state that the packet is FUBAR'd and most likely not a true unit).

 

[Farscan]

Lojack is still 1980's- I think the initial thread thought a guy could make his own , and then the police could track it, but today's technology is 100x better, a company could configure a system like onstar that is a gps unit and a data type cell phone. All you would do is ping the cellphone and know it's exact location anywhere in the US or canada, so listening to a Vhf frequency is so limited, This system would be completely invisible to a thief, and hard to take the car out of cellphone coverage, probably could be lower cost than the $17(approx)(Onstar) a month, They are doing this with burglar alarms, no use in cutting the phone lines anymore, For those that still have one. lojack probably needs to update themselves also -pretty embarrassing to have almost no coverage in the u.s. You could also ping it and find out where the wife or kids really are.

 

[N_Jay]

You dismiss how easy it is to drive a car out of cell phone coverage and how easy it is to lose GPS signals.

Yes, LoJack is lo-tech, but DFing works well for the application.

It certainly could be updated significantly, but that would add very little to its value (and therefor its price and profitability) while adding significantly to its cost (with ZERO benefit to the existing deployed base).