How to decode Lojack?

[ScannerSK]

Thank you Denny! The updates are greatly appreciated.

I noticed Function 0 is missing. Not that this function is used however I thought I would mention it just in case it is a quick fix to add this function.

Shawn

F1_SITE_ID( "1Y-SITE ID" ),
F1_SPEED_UP( "1-SPEED UP" ),
F2_TEST( "2-TEST" ),
F3_DEACTIVATE( "3-DEACTIVATE" ),
F4_ACTIVATE( "4-ACTIVATE" ),
F5_UNKNOWN( "5-UNKNOWN" ),
F6_UNKNOWN( "6-UNKNOWN" ),
F7_UNKNOWN( "7-UNKNOWN" ),
F8_UNKNOWN( "8-UNKNOWN" ),
F9_UNKNOWN( "9-UNKNOWN" ),
FA_UNKNOWN( "A-UNKNOWN" ),
FB_UNKNOWN( "B-UNKNOWN" ),
FC_UNKNOWN( "C-UNKNOWN" ),
FD_UNKNOWN( "D-UNKNOWN" ),
FE_UNKNOWN( "E-UNKNOWN" ),
FF_TRACK_PULSE( "F-TRACK PULSE" ),
		
UNKNOWN( "UNKNOWN" );

 

[DSheirer]

I noticed Function 0 is missing. Not that this function is used however I thought I would mention it just in case it is a quick fix to add this function.

Fixed. New download available (20150427_0516.zip).

Denny

 

[ScannerSK]

Fixed. New download available (20150427_0516.zip).

Denny

That was fast! Thank you Denny!

 

[ScannerSK]

On my way to a sale yesterday, I passed a LoJack that was pinging in a large shopping center parking lot. The signal was already in fast mode so the police were hot on the trail. On the way back home an hour later, the police had the vehicle pulled over along the side of the road and had apparently taken the occupants into custody (likely at gunpoint). This theft had been involved in an armed carjacking so it was good to see a resolution to the situation by the police. The police later drove the vehicle off with the LoJack still pinging.

The mystery system is back up and running again in the Denver area.

I also captured samples of three acknowledgement messages yesterday, two of which may have been originating from the stolen vehicle and a third weaker example that was interfered with by two of the stolen vehicle pulses. I wonder how the towers can receive any acknowledgement messages with stolen vehicle pulses constantly transmitting?

Shawn

 

[ScannerSK]

If you are interested in purchasing LoJack, I just bumped into the following auction which has one donated by LoJack for sale at 1/2 off the normal price (auction ends today): auction.wgbh.org

Shawn

 

[ScannerSK]

LoJack Mystery System

Ok, so the mystery thickens.

While driving through the Colorado Rocky Mountains today, I came across a little town (Pinewood Springs, Colorado) with a population of just over 1,000 that has one of the mystery LoJack systems! What?

I'm puzzled over what these systems are used for? Animal tracking?

Pinewood Springs does not appear to have a Post Office, Hospital or any type of assisted living facility from what I have been able to determine.

In addition, Pinewood Springs is situated somewhat down in a valley surrounded by tall mountains all around. If I travel either direction up or down the road from town the signal gets weaker and completely fades out after about ten miles so I am fairly confidant it is right in town or very close to town. I noticed one house with a lot of antennas and weather related looking gear and a tall antenna at the firehouse for standard VHF communications however nothing else out of the ordinary. I did not notice any mountain top repeaters.

I attached a sample showing the strength of the signal received on 173.075 MHz in this small town. The decode exactly matches the previous samples of this same type of system which I recorded in a Denver suburb (Thornton, CO). There is at least one more of these systems in South Denver however I have not recorded an example for comparison.

Any ideas?

Has anyone heard this signal in a state other than Colorado?

Shawn

 

[nbdyspclk]

Hmmm,sounds like a repeater squelch?

 

[nbdyspclk]

Or carrier burst

 

[ScannerSK]

Or carrier burst

The signal is transmitted every 15 minutes at 1200 baud. Each data burst consists of the same message repeated three times:

00101010110101010101000010001100000000010000100011000000000100001000110000000001
00101010110101010101000010001100000000010000100011000000000100001000110000000001
00101010110101010101000010001100000000010000100011000000000100001000110000000001

It's a mystery why this identical signal is being broadcast from multiple locations in Colorado on the frequency assigned for stolen vehicle recoveries even from a seemingly small unnoticeable town nestled in the mountains? I don't believe it could be from the LoJack repeaters as at one location the signal strength of the mystery signal was strong while the three local LoJack towers were all very weak.

Strange...

 

[nbdyspclk]

That's a predetermined data burst,seems more a synchronizer burst?lo jack relies on cellular data streams to update it's slaves.possible satellite repeater,tower you described most likely is a lease jump tower.

 

[ScannerSK]

LoJack Actually 1190 Baud???


Denny,

I have noticed that if I compress a wave file down to 99% then SDRTrunk is much better at decoding the tower data bursts. This has the effect of changing the length of the recording from 0.779 seconds to 0.772 seconds (for a single tower burst consisting of 11 frames) which also increases the bit rate from 1190 to 1200 bits per second. That last point took me by surprise! I thought LoJack ran at 1200 baud.

Analyzing actual tower bursts, the bit rate is averaging out to around 1190 bits per second (not 1200 bits per second).

Take for example one tower burst I analyzed. It began with an extra 41 bits, contained the standard 11 frames each consisting of 80 bits and ended with an extra 6 bits for a total of 927 bits in the entire tower burst. The length of the sound clip is 0.779 seconds (from the first to final bit). This places the bits per second at 1189.99.

Is it possible to update SDRTrunk to run at 1190 baud?

Shawn

 

[ScannerSK]

LoJack Actually 1190 Baud???

I analyzed another half dozen files and the bit rate is running between 1190 to 1190.5 in every instance.

Adjusting SDRTrunk to decode LoJack at 1190 baud should provide a marked improvement in the program's decoding performance.

Shawn

 

[ScannerSK]

The signal is transmitted every 15 minutes at 1200 baud. Each data burst consists of the same message repeated three times:

00101010110101010101000010001100000000010000100011000000000100001000110000000001
00101010110101010101000010001100000000010000100011000000000100001000110000000001
00101010110101010101000010001100000000010000100011000000000100001000110000000001

It's a mystery why this identical signal is being broadcast from multiple locations in Colorado on the frequency assigned for stolen vehicle recoveries even from a seemingly small unnoticeable town nestled in the mountains? I don't believe it could be from the LoJack repeaters as at one location the signal strength of the mystery signal was strong while the three local LoJack towers were all very weak.

Strange...

This signal is likely part of a "Proximity monitoring and locating system". It states multiple times in the patent that the transponder portion of the system uses the 173.075 MHz frequency. This could explain why one would be active deep in the mountains.

"The transponder typically emits a signal at 173.075 MHz."

"Transponder ... typically emits a signal at 173.075 MHz when activated."

"The control subsystem includes an RF transmitter configured to transmit a transponder activation signal, and an RF antenna network for relaying the transponder activation signal to a receiver of the portable unit to activate the transponder thereof."

"Usually, the police in a vehicle equipped with tracking unit ... are told the last known location of proximity detector ... (e.g., a residential address) and begin their search near that location since tracking unit ... can receive a transponder signal up to two miles away."

"Transponder ... emits a signal which can be tracked from at least five miles away."

I believe some of these systems are marketed as ProximityPlus™.

 

[ScannerSK]

Mystery System on 173.075 MHz

While in Denver today, I noticed the mystery system transmitting what appears to be actual data for the first time.

I captured three examples before they ceased.

Attached to this post are the three sound recordings and below is their respective decodes from SDRTrunk:

Example 1:
18:40:58 00101010110101010101000101100101110000010001011001011100000100010110010111000001
18:40:58 00101010110101010101000101100101110000010001011001011100000100010110010111000001
18:40:58 00101010110101010101000101100101110000010001011001011100000100010110010111000001
18:40:59 00101010110101010101000100011100001000010001000111000010000100010001110000100001
18:40:59 00101010110101010101000100011100001000010001000111000010000100010001110000100001
18:40:59 00101010110101010101000101011101001000010001010111010010000100010101110100100001
18:40:59 00101010110101010101000101011101001000010001010111010010000100010101110100100001
18:40:59 00101010110101010101000101011101001000010001010111010010000100010101110100100001
18:40:59 00101010110101010101000100111100101000010001001111001010000100010011110010100001
18:40:59 00101010110101010101000100111100101000010001001111001010000100010011110010100001
18:40:59 00101010110101010101000100111100101000010001001111001010000100010011110010100001
18:40:59 00101010110101010101000101111101101000010001111110110100001000101111101101000010
18:40:59 00101010110101010101000101111101101000010001011111011010000100010111110110100001
18:40:59 00101010110101010101000101111101101000010001011111011010000100010111110110100001
18:40:59 00101010110101010101000100001100011000010001000011000110000100010000110001100001
18:40:59 00101010110101010101000100001100011000010001000011000110000100010000110001100001
18:40:59 00101010110101010101000100001100011000010001000011000110000100010000110001100001

Example 2:
18:41:12 00101010110101010101000001110101110000010000011101011100000100000111101110000010
18:41:12 00101010110101010101000001110101110000010000011101011100000100000111010111000001
18:41:12 00101010110101010101000001110101110000010000011101011100000100000111010111000001
18:41:12 00101010110101010101000000001100001000010000000011000010000100000000110000100001
18:41:12 00101010110101010101000000001100001000010000000011000010000100000000110000100001
18:41:12 00101010110101010101000000001100001000010000000011000010000100000000110000100001
18:41:12 00101010110101010101000001001101001000010000010011010010000100000100110100100001
18:41:12 00101010110101010101000001001101001000010000010011010010000100000100110100100001
18:41:12 00101010110101010101000010011010010000100000100110100100001000001001101001000010
18:41:12 00101010110101010101000000101100101000010000001011001010000100000010110010100001
18:41:12 00101010110101010101000000101100101000010000001011001010000100000010110010100001
18:41:12 00101010110101010101000000101100101000010000001011001010000100000010110010100001
18:41:12 00101010110101010101000001101101101000010000011011011010000100000110110110100001
18:41:12 00101010110101010101000001101101101000010000011011011010000100000110110110100001
18:41:13 00101010110101010101000001101101101000010000011011011010000100000110110110100001
18:41:13 00101010110101010101000000011100011000010000000111000100001000000011100011000010
18:41:13 00101010110101010101000000011100011000010000000111000110000100000001110001100001
18:41:13 00101010110101010101000000011100011000010000000111000110000100000001110001100001

Example 3:
18:41:26 00101010110101010101000001000101000000010000010001010000000100000100010100000001
18:41:26 00101010110101010101000001000101000000010000010001010000000100000100010100000001
18:41:26 00101010110101010101000001000101000000010000010001010000000100000100010100000001
18:41:26 00101010110101010101000000100100100000010000001001001000000100000010010010000001
18:41:26 00101010110101010101000000100100100000010000001001001000000100000010010010000001
18:41:26 00101010110101010101000000100100100000010000001001001000000100000010100100000010
18:41:26 00101010110101010101000001100101100000010000011001011000000100000110010110000001
18:41:27 00101010110101010101000001100101100000010000011001011000000100000110010110000001
18:41:27 00101010110101010101000001100101100000010000011001011000000100000110010110000001
18:41:27 00101010110101010101000000010100010000010000000101000100000100000001010001000001
18:41:27 00101010110101010101000000010100010000010000000101000100000100000001010001000001
18:41:27 00101010110101010101000000010100010000010000000101000100000100000001010001000001
18:41:27 00101010110101010101000001010101010000010000010101010100000100000101010101000001
18:41:27 00101010110101010101000010101010100000100000101010101000001000001010101010000010
18:41:27 00101010110101010101000001010101010000010000010101010100000100000101010101000001
18:41:27 00101010110101010101000000110100110000010000001101001100000100000011010011000001
18:41:27 00101010110101010101000000110100110000010000001101001100000100000011010011000001
18:41:27 00101010110101010101000000110100110000010000001101001100000100000011010011000001

These recordings were made near Children's Hospital and University of Colorado Hospital in Aurora (Denver suburb). The transmissions were relatively clear at that location however I still have not located precisely where these transmissions originate from. The Rocky Mountain Arsenal is between the two locations I have received this system with the greatest signal strength which makes it a possible candidate. We need a few fox hunters in Denver to pinpoint the origin of this mystery system to assist with understanding its purpose.

The fact that this system is not licensed with the FCC may indicate it is being used by a federal agency. However, the little town of Pinewood Springs, CO also has one of these systems and there are no federal installations there that I am aware of.

If anyone can make heads or tails of the above data feel free to share. I have a passing interest in these mystery systems only as they occupy the LoJack frequency. My primary interest is in simply knowing what these systems are used for -- likely some type of proximity location system.

Shawn

 

[ScannerSK]

Mystery System on 173.075 MHz

It almost appears as if the first 23 bits are always 00101010110101010101000. Currently, SDRTrunk is looking for a match in only the first 16 bits (0010101011010101).

I would not change anything in the SDRTrunk filter yet as it's too early to tell if the first 23 bits always match in every instance. However, if this can be confirmed with additional samples, then SDRTrunk could be updated sometime in the future to filter for a match on the first 23 bits thereby eliminating most of the false "transponder test" lines that currently appear.

Shawn

 

[Dispatrick]

LoJack Antenna setup

as we all know the LoJack antenna set up is 4 same length antennas arranged in a square pattern, I'm curious as to how this works in directional finding, and would a similar set up for a scanner user be useful in finding signal directions of any type? ie, open carriers, beacons, or even for some of you guys LoJack signals.

 

[DSheirer]

as we all know the LoJack antenna set up is 4 same length antennas arranged in a square pattern, I'm curious as to how this works in directional finding, and would a similar set up for a scanner user be useful in finding signal directions of any type? ie, open carriers, beacons, or even for some of you guys LoJack signals.

You could setup a DF array with multiple antennas each connected to an SDR and the SDRs all driven by a common timing source. The physical setup of the antenna array causes the incoming signal to hit each antenna at a different time/phase instant and calculating that difference allows you to determine the angle of arrival and the inverse direction to the emitter.

You could also use an electrically switched antenna array with a single SDR ...
Doppler DF units - Montreal II RDF - Antenna page

 

[ScannerSK]

I have considered the purchase of a Ramsey Doppler Direction Finder kit for years to locate interference and mystery signals.
Ramsey Doppler Direction Finder Kit : Amateur Radio Gear

"Easy to hook up to any FM receiver. Transmitter (the object of your DF'ing) need not be FM, it can be AM/FM or CW. Requires only a connection to your receiver's speaker jack and radio's antenna. The whips can be cut and optimized for any frequency from 130-1000 MHz."

Shawn

 

[ScannerSK]

For those interested in how doppler direction finding works and details on the above kit here is a copy of the manual:

http://www.allspectrum.com/ramsey/DDF1/DDF1.pdf

Shawn

 

[ScannerSK]

LoJack Mystery System

I used a Ramsey direction finder to pinpoint the area of the mystery LoJack system (operating on 173.075 MHz in the Denver area) to Buckley Air Force Base. Most bearings while circling the base pointed directly into the Air Force Base so my conclusion is the origin of the signal is from within Buckley Air Force Base.

As to the purpose of this mystery system operating on 173.075 MHz, I guess this will have to remain a mystery.

Shawn