How to decode Lojack?

[ScannerSK]

do i need to save my log in anyway on sdrtrunk or is it automatic

Once you right click and disable the channel in SDRTrunk it completes writing the log files. The program starts a new log file next time the channel is again enabled.

Shawn

 

[reconrider8]

OK where does it save these logs out I went under config and disabled it and I closed it but idk where it saved the logs to

 

[ScannerSK]

OK where does it save these logs out I went under config and disabled it and I closed it but idk where it saved the logs to

Hello,

On my computers they are saved under the following path: C:\Users\LoginUserName\SDRTrunk\ (LoginUserName is your login name). I have noticed in some newer versions of Windows that Microsoft makes the folder which contains your specific username hidden so you may not see it in the list under C:\Users.

If you go into my documents and then hold down the Alt button while pressing the up arrow it should take you to the right area. The folder is named SDRTrunk.

Shawn

 

[ScannerSK]

Hello,

This morning I noticed a total of three Function 3 (speed-up) commands with the same address spaced only minutes apart from each other:

20141217	91309	PASSED	FUNCTION: 3-SPEED-UP 	ADDRESS [8766E56]	VRC [F0] LRC [86] CRC [B747]
20141217	91413	PASSED	FUNCTION: 3-SPEED-UP 	ADDRESS [8766E56]	VRC [F0] LRC [86] CRC [B747]
20141217	91517	PASSED	FUNCTION: 3-SPEED-UP 	ADDRESS [8766E56]	VRC [F0] LRC [86] CRC [B747]

I also noticed four activations around this same time frame which turned into deactivations. The first activation, last activation and the first deactivation of each address is shown below.

20141217	63941	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [1AC78B3]	VRC [0C] LRC [78] CRC [6759]
20141217	64245	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [1AC78B3]	VRC [0C] LRC [78] CRC [6759]
20141217	123029	PASSED	FUNCTION: C-DEACTIVATE 	ADDRESS [1AC78B3]	VRC [4E] LRC [87] CRC [ECCD]

20141216	170801	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [1B71821]	VRC [82] LRC [9F] CRC [D2EA]
20141217	81229	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [1B71821]	VRC [82] LRC [97] CRC [D2EA]
20141217	90653	PASSED	FUNCTION: C-DEACTIVATE 	ADDRESS [1B71821]	VRC [C0] LRC [68] CRC [597E]

20141217	94933	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [4F95C4E]	VRC [82] LRC [D7] CRC [849E]
20141217	95237	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [4F95C4E]	VRC [82] LRC [D5] CRC [849E]
20141217	113357	PASSED	FUNCTION: C-DEACTIVATE 	ADDRESS [4F95C4E]	VRC [C0] LRC [2A] CRC [0F0A]

20141215	214312	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [67257C2]	VRC [5C] LRC [EE] CRC [E6C9]
20141217	72732	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [67257C2]	VRC [5C] LRC [EE] CRC [E6C9]
20141217	91620	PASSED	FUNCTION: C-DEACTIVATE 	ADDRESS [67257C2]	VRC [1E] LRC [11] CRC [6D5D]

The first address [1AC78B3] was successfully activated at 6:42 AM. The first speed-up request was at 9:13 AM and the deactivate at 12:30 PM so this would make sense. It could potentially have taken three hours to find the unit following the speed-up request (especially if the speed-up request expired after one-hour and another one was not requested). Maybe the police lost the initial tracking signal and just happened upon the vehicle at a later time.

The second address [1B71821] was successfully activated at 8:12 AM. The speed-up request was at 9:13 AM and the deactivate at 9:06 AM. Although a speed-up request will reactivate a transponder (from what I recall reading) it is highly unlikely that a deactivate request would proceed a speed-up request.

The third address [4F95C4E] was successfully activated at 9:52 AM. The first speed-up request was at 9:13 AM. The fact that the speed-up request came prior to the activation requests appears to rule this one out.

The forth address [67257C2] was successfully activated at 7:27 AM. The first speed-up request was at 9:13 AM and the deactivate at 9:16 AM. This one is also a possibility and may be the most likely candidate. Within minutes of the speed-up request a deactivation was requested most likely upon successful recovery of the vehicle.

It's still early to say for certain however it's fun to speculate.

Shawn

 

[reconrider8]

does someone want to review my logs? i opened up the log file and its all jumbled up but if someone wants to look through it

 

[ScannerSK]

I started noticing a new Station ID [28-F0] today. It is being broadcast from both my local towers. This new Station ID appears sporadically in one of the middle slots among the existing FA-40 and FA-81 tower messages. The reason I mention this is that it does not follow the format of having a C, D, E or F as the third character.

I am still noticing new Function 8 site IDs on this end which appear to change on a daily basis.

On 12/15 there were 9 of the following lines between 7:30 PM - 8:30 PM:
20141215 193824 PASSED FUNCTION: 8-SITE ID SITE [28-F0] ADDRESS [70328F0] VRC [00] LRC [AC] CRC [6696]

On 12/16 there were 25 of the following lines between 6:00 PM - 8:30 PM:
20141216 181049 PASSED FUNCTION: 8-SITE ID SITE [52-A1] ADDRESS [58652A1] VRC [78] LRC [42] CRC [C577]

On 12/16 there were 25 of the following lines between 8:57 AM - 10:29 AM:
20141216 85713 PASSED FUNCTION: 8-SITE ID SITE [8C-30] ADDRESS [8E18C30] VRC [14] LRC [05] CRC [13C3]

On 12/16 into 12/17 there were 11 of the following lines one at 8:22 AM, 9 between 2:24 PM - 6:32 PM and 1 on 12/17 at 12:05 PM.
20141216 82257 PASSED FUNCTION: 8-SITE ID SITE [BA-81] ADDRESS [EBDBA81] VRC [13] LRC [AF] CRC [12B5]

On 12/17 there were 13 of the following lines between 9-11 AM:
20141217 95341 PASSED FUNCTION: 8-SITE ID SITE [0C-80] ADDRESS [6290C80] VRC [6C] LRC [63] CRC [EAAA]

On 12/17 there were 11 of the following lines between 6:49 AM and 6:59 AM:
20141217 64909 PASSED FUNCTION: 8-SITE ID SITE [80-20] ADDRESS [0748020] VRC [D8] LRC [A1] CRC [8471]

These new site IDs began to appear on 12/15 when one of the local towers was down and experiencing problems. I'm not sure these are of any particular importance. Maybe the LoJack towers have some type of node connection type capabilities to receive data from other towers across the country?

Shawn

 

[ScannerSK]

does someone want to review my logs? i opened up the log file and its all jumbled up but if someone wants to look through it

I'll review your logs. I sent you my e-mail by private message. Or, if the size is not too large you can attach to this forum.

Shawn

 

[reconrider8]

i sent it through email anyway

 

[ScannerSK]

i sent it through email anyway

Hello,

Just as a reference, your data shows that it spans the following time frames:
12/15 1553 - 1831
12/16 1832 - 12/17 0600

It appears you are receiving information from a single tower:

FUNCTION: 8-SITE ID SITE [F8-C0] 	ADDRESS [80FF8C0]	VRC [14] LRC [05] CRC [19A3]

You had two activations which turned into deactivations:

First activation, last activation and first deactivation shown
20141215	160113	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [1C303F8]	VRC [8E] LRC [71] CRC [622A]
20141216	184527	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [1C303F8]	VRC [8E] LRC [71] CRC [622A]
20141216	192351	PASSED	FUNCTION: C-DEACTIVATE 	ADDRESS [1C303F8]	VRC [CC] LRC [AE] CRC [E9BE]

Only activation received and first deactivation shown:
20141216	211551	PASSED	FUNCTION: 2-ACTIVATION 	ADDRESS [BA3AC80]	VRC [0E] LRC [53] CRC [C93E]
20141216	213359	PASSED	FUNCTION: C-DEACTIVATE 	ADDRESS [BA3AC80]	VRC [48] LRC [AC] CRC [42AA]

The interesting part of your data is 15 "Set Rate" lines. I have sorted these by time and address:

20141215	160009	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [4A5ADB0]	VRC [5C] LRC [48] CRC [E97D]
20141215	161609	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [4A5ADB0]	VRC [5C] LRC [48] CRC [E97D]
20141215	163105	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [4A5ADB0]	VRC [5C] LRC [48] CRC [E97D]
20141215	170617	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [4A5ADB0]	VRC [5C] LRC [48] CRC [E97D]
20141216	183655	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [4A5ADB0]	VRC [5C] LRC [48] CRC [E97D]
20141216	185503	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [4A5ADB0]	VRC [5C] LRC [48] CRC [E97D]

20141215	180041	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [708F970]	VRC [EE] LRC [67] CRC [BF3E]
20141216	185151	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [708F970]	VRC [EE] LRC [67] CRC [BF3E]

20141215	155657	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [DC24670]	VRC [FA] LRC [CB] CRC [0557]
20141215	161153	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [DC24670]	VRC [FA] LRC [CB] CRC [0557]
20141215	162649	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [DC24670]	VRC [FA] LRC [CB] CRC [0557]
20141215	165641	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [DC24670]	VRC [FA] LRC [CB] CRC [0557]
20141215	171137	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [DC24670]	VRC [FA] LRC [CB] CRC [0557]
20141215	172633	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [DC24670]	VRC [FA] LRC [CB] CRC [0557]
20141216	184839	PASSED	FUNCTION: 6-SET RATE 	ADDRESS [DC24670]	VRC [FA] LRC [CB] CRC [0557]

It is only a guess at this point that Function 6 represents a set rate command. The large majority of your examples appear to be spaced around 15-16 minutes apart from each other which I'm making a note of. All three of these examples ended close to the same point in time. I'm uncertain whether any of these were related to your activation/deactivate examples.

Edited - I should add most of these appear to have been falling into specific message slots however it is hard to tell for certain as it appears the first part of your data bursts may be getting cut off. This is likely due to a weak signal as all throughout the data there are instances of minutes being skipped. The Function 6 [DC24670] address appeared each time as the first line in your data bursts (possibly the second slot). The other two addresses were falling into later message slots.

Shawn

 

[reconrider8]

ill be able to grab more when ever i get my audio 1.8 cable back lol

 

[ScannerSK]

The towers likely also pick up the 1-watt tracking pulses transmitted by the stolen vehicle, in addition to the acknowledgement message, to keep tabs on where the vehicle is located.

I ran across documentation for the LoJack Network Repeater Unit abbreviated NRU which provides details into the workings of the LoJack repeater operation.

-There are both 13 and 8 second spaced LoJack networks.

-"An NRU can repeat downlink transmission bursts it receives from either a Remote Transmitter Unit (RTU), another NRU, or from the network."

-"It relays back any reply code transmission it receives from an activated Vehicle Locator Unit (VLU) as an uplink message to a tower connected to the central system."

-"An NRU can also repeat uplink transmissions from any nearby VLU or repeaters. If connected via IP/broadband, the NRU can forward to a central system any reply code or uplink messages it hears."

-"The NRU fully supports VLU7 timing and indexing requirements for downlink transmissions for basic messages such as Activation, Deactivation, Speed up, and extended downlink messages such as AltDeactivate."

Shawn

 

[reconrider8]

keep seeing EE00000 that keeps getting a deactivate request its been going on all night but ive not seen an activaction request yet

 

[JSTARS03]

Help

I followed the below directions.
I have SDR# running with Virtual Audio Cable
into SDR Trunk and the Command window does show PASS
with a long Binary string after each burst on 173.075
but I do not see a log like everyone is pasting here.
Nothing in the program directory. I have decoded Messages checked.
and nothing in the Events or Messages tab of SDR Trunk
I am missing something here

Thanks
JSTARS03

Hi reconrider8,

On my end, I am simply running the audio output from a scanner into the audio input on my computer.

Settings:
Right click "Systems", add "New System",
Right click "New System", add "New Site",
Right click "New Site", add "New Channel"

Under "New Channel":
Source: Mixer/Sound Card
Decoder: NBFM / AFC checked / 3000 Hz
Aux: LJ1200 173.075 checked
Event Log: I only check the "Decoded Messages" (personal choice)
Record: nothing checked (personal choice)

Shawn

 

[ScannerSK]

keep seeing EE00000 that keeps getting a deactivate request its been going on all night but ive not seen an activaction request yet

Hello,

You can ignore the following two addresses:

ADDRESS [EE00000]
ADDRESS [D5C0000]

I believe these are calibration packets (Guaranteed Packets) which enable the LoJack receivers to know where the first message begins. The above addresses only appear in the first message of a data burst. If you don't see one of the above addresses at the beginning of a data burst then the beginning of the data burst may have been cut off or not decoded properly. I miss the first message from only one of my local towers about 1/4 of the time even with the squelch wide open (not sure why).

Shawn

 

[ScannerSK]

I followed the below directions.
I have SDR# running with Virtual Audio Cable
into SDR Trunk and the Command window does show PASS
with a long Binary string after each burst on 173.075
but I do not see a log like everyone is pasting here.
Nothing in the program directory. I have decoded Messages checked.
and nothing in the Events or Messages tab of SDR Trunk
I am missing something here

Thanks
JSTARS03

Hello,

Once you have the settings entered, right click on "New Channel" and select "Enable". After this, left click on the box beneath "File" and "Screen Capture" until it turns yellow and I believe you should be good to go.

On most computers the files are saved under your username folder in a sub folder titled SDRTrunk. Refer to post #143 above.

Shawn

 

[JSTARS03]

Thanks

Thank you, that started the Message and Event Tabs to populate.
I will let it run and post results, let you see some data from a different location to help.

JSTARS03

 

[ScannerSK]

I wrote a simple filter program that reads in the binary data file from SDRTrunk and outputs the timestamp and decoded data. It only outputs the address and function data if the crc matches.

Hi Eric,

Do you have a program or spreadsheet you would be willing to share that displays the CRC value when the Function code and Address are entered? Just curious... I ran across a couple examples online however have not been able to get them to work properly (example: Simply Modbus - Data Communication Test Software - Modbus ASCII vs RTU).

Shawn
73s

 

[ScannerSK]

Possibly one of these ready made CRC calculators will work if I can determine what is required in the various fields.

I'm looking into why the test message fails the CRC (possibly this is intentional to prevent rebroadcast by other towers) and why the stolen vehicle tracking pulses on the YouTube example require correction on the Function Code part of the data most of the time.

CRC Calculator 1
CRC Calculator 2
CRC Calculator 3

Shawn

 

[DSheirer]

Shawn, you can calculate the CRC by hand by dividing the CRC polynomial into the message. Binary division uses the exclusive-or operation:

0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0

Align the polynomial under the first 1-bit in the message (skipping the VRC and LRC which aren't protected) and divide only the bit positions where they align with the polynomial, and copy down the remaining bits, rinse and repeat until you can no longer align the polynomial under the message bits. If the remainder in the last 16 crc bits is zero, then it passed the CRC.

To calculate the CRC from a new message, use all zeros in the last 16 CRC bit positions and perform the exact same binary division. The remainder is what gets placed in the CRC field of the message prior to transmitting it.

Example:

01100110 11110011 11001110111000000000000000000000 1101111100000010 Original message
                  10110111101100011 Polynomial
01100110 11110011 01111001010100011000000000000000 1101111100000010
                   10110111101100011 Polynomial
01100110 11110011 00100010100010010100000000000000 1101111100000010
                    10110111101100011 Polynomial
01100110 11110011 00001111011001010010000000000000 1101111100000010
                      10110111101100011 Polynomial
01100110 11110011 00000100000111100011100000000000 1101111100000010
                       10110111101100011 Polynomial
01100110 11110011 00000001101000111011010000000000 1101111100000010
                         10110111101100011 Polynomial
01100110 11110011 00000000110011001101011100000000 1101111100000010
                          10110111101100011 Polynomial
01100110 11110011 00000000011110110110011010000000 1101111100000010
                           10110111101100011 Polynomial
01100110 11110011 00000000001000001011111001000000 1101111100000010
                            10110111101100011 Polynomial
01100110 11110011 00000000000011010101001000100000 1101111100000010
                              10110111101100011 Polynomial
01100110 11110011 00000000000001100010100100111000 1101111100000010
                               10110111101100011 Polynomial
01100110 11110011 00000000000000111001010010110100 1101111100000010
                                10110111101100011 Polynomial
01100110 11110011 00000000000000010100101001110010 1101111100000010
                                 10110111101100011 Polynomial
01100110 11110011 00000000000000000010010100010001 1101111100000010
                                    10110111101100 011 Polynomial
01100110 11110011 00000000000000000000100011111101 1011111100000010
                                      101101111011 00011 Polynomial
01100110 11110011 00000000000000000000001110000110 1010011100000010
                                        1011011110 1100011 Polynomial
01100110 11110011 00000000000000000000000101011000 0110000100000010
                                         101101111 01100011 Polynomial
01100110 11110011 00000000000000000000000000110111 0000001000000010
                                            101101 11101100011 Polynomial
01100110 11110011 00000000000000000000000000011010 1110111001100010
                                             10110 111101100011 Polynomial
01100110 11110011 00000000000000000000000000001100 0001100001010010
                                              1011 0111101100011 Polynomial
01100110 11110011 00000000000000000000000000000111 0110001101001010
                                               101 10111101100011 Polynomial
01100110 11110011 00000000000000000000000000000010 1101111011000110
                                                10 110111101100011 Polynomial
01100110 11110011 00000000000000000000000000000000 0000000000000000

Denny

 

[ScannerSK]

Shawn, you can calculate the CRC by hand by dividing the CRC polynomial into the message....
Denny

Thank you Denny! Now I understand.

At first glance, I thought I could place this easily into a spreadsheet and then realized the polynomial always begins beneath a 1 bit in the preceding line which makes creating a spreadsheet a challenge. I appreciate you taking the time to explain how to process this by hand.

Shawn
73s