
Vehicle anti-theft / RFID fob.


Does this sound like a worthwhile project?

This is inspired by the recent (early September) theft of my 1988 Toyota 4Runner.


Proposed: RFID reader embedded into the vehicle's electrical system in such a way that the vehicle will either not start or run if the RFID tag (perhaps present as a key fob) was not detected by the reader.


Typically, a thief would breach a door or window so as to facilitate access to the vehicle. Then the thief would either damage the ignition switch or otherwise find a way to provide power to the vehicle ECU and ignition system (hot wire it), then would engage the starter motor so the engine would run, and would then drive away with the vehicle.


If the proposed system were to be installed in an area which would require significant time to access and even more time to bypass, this would be a comparatively secure system, no?


One drawback I see is that if the vehicle is parked in a location within range of the tag, which would mean the system could read the RFID tag, the vehicle would be operational. However, if the system performed periodic checks, say every 5 seconds, to verify the RFID tag remained present, the thief may get 30 feet away before the vehicle stopped running.


This, coupled with a camera installed in dash, pointed at the driver's seat to capture an image of the perpetrator, available for download via wireless or other means, may be something worthwhile?

Link to post
Share on other sites

Most RFID systems barely have tens of inches range, let alone feet.


For a car, the most important thing is energy draw while the car is off, to not drain the battery.


And for the most part you are looking at the same way a standard immobilizer system works. RFID or similar chipped key, a coil to pick up that chip, tied to the ignition system. Only needs to be activated when someone is trying to start the car (key in ignition), no need to check every couple of seconds. Additionally, most immobilizers only stop the car from turning over if the chip isn't present. After it is started, you can remove the chip/key/fob and it will stay on, for safety reasons. There are ones that will disable the car after a minute or two, but do you really want to find yourself liable for a car crash if you do it wrong?

Link to post
Share on other sites

I'd second cbe in suggesting that once the car is started, it should never be shut off mid-drive. The system only needs to stuff up once to cause a crash, and my experience of RFID is that it often takes a couple of goes to work.


I wonder if you could simulate a flat battery, instead of cutting power to the starter motor completely? Just wondering, don't actually have experience with automotive electronics.

Link to post
Share on other sites

This sounds like a good idea.

In theory it should work, but I do agree that it should not be active when the car is in motion or started.


As for where to kill the power from, I would not suggest the main power line, because you will have to reset your clocks every time after you start the car, due to you cutting the main power till RFID is read.....


I personally would put the power kill on the starter motor main power line.... but you will need something that can take the current when you turn over the car

Link to post
Share on other sites
I personally would put the power kill on the starter motor main power line.... but you will need something that can take the current when you turn over the car

The starter motor should already be relay switched, just need to tap into the feed for the relay coil, along with 2 diodes to prevent back flow into the ecu or your circuit.

Link to post
Share on other sites

Starter motor does have a relay in line, but that wouldn't necessarily keep the vehicle from being started. The thief would only have to bypass the relay, applying power directly to the starter to get the engine cranking over, easily done under the hood.


Powering it wouldn't be a big problem, just have to step down the voltage. It could be powered by any wire which is hot when the key is on.


Interrupting power to ignition system would probably suffice. Even if the thief could get the engine cranking, the device would prevent the coil from sparking thus no engine running. The igniter module draws a few amps so I'd need a relay or other suitable means to switch it on. It could also be set up to sense if the engine is being cranked and trigger an alarm if the key fob isn't detected.

Link to post
Share on other sites

I would interrupt the fuel pump power personally, and I would do it with a new relay installation on the fuel pump power wire somewhere in the area of the trunk.

The relays for ignition, starter and fuel pump are in the engine bay, easily accessible with the hood up on Toyota trucks of that vintage. You want something that a car thief with a bit of knowledge can't bypass quickly.


Given an MSP430 you could do away with the RFID concept in the first place and just use a password type system. Mount three momentary buttons somewhere you can reach, connected to a 430 in an unreachable area, which then closes the relay to enable the fuel pump. Press the buttons in the correct pattern and the 430 is happy. Press them in the wrong pattern, no start.

You can then label them with some obscure car feature to disguise them.

Or, if some of your dash buttons/sliders are not being used you could even use the factory stuff. A few sensors and you could have a car that refuses to start unless the heater controls are set a specific way.

There are a lot of entertaining options, really.

(For giggles, I just whipped up a one-button combination lock program that could be used)


If you really want to be a pain, put a standard bonus relay in the starter wire as well. Then the thief can make the car crank with a bit of work, but it'll never start. Not many are going to continue with that process.

Link to post
Share on other sites
  • 2 weeks later...

Hey: You might be interested in the RF430F5978. It combines the TI TMS37157 PaLFI chip with a CC430 (4/32) in a single package. There is a user's guide on ti.com, but the marketing seems to be so far nonexistent. http://www.ti.com/lit/ug/slau378/slau378.pdf


You can use it together with an RI-ACC-ADR2 kit from TI, for the PaLFI part. For the UHF part, this chip is supported by my project OpenTag (http://www.github.com/jpnorair/opentag). I have been able to use the LF field to power & charge the device, enough so that it can be battery-less.


Anyway, TI already uses parts from their PaLFI line as vehicle immobilizers and keyless entry, so it's a good place to start. Quite a bit of the application-level stuff is already done.


Link to post
Share on other sites

One drawback I see is that if the vehicle is parked in a location within range of the tag, which would mean the system could read the RFID tag, the vehicle would be operational. However, if the system performed periodic checks, say every 5 seconds, to verify the RFID tag remained present, the thief may get 30 feet away before the vehicle stopped running.


LF RFID (like PaLFI) is ideal for this. The fall-off is 1/r^2 (in some designs 1/r^3), so you can keep the range limited to a precise "bubble." It is even better in cars with steel bodies, because the LF field will be conducted by the ferromagnetic steel, and you can very easily tune the range to work only within about 1-2m of the car.


Most vehicle immobilizers and keyless entry systems (there are others, not just PaLFI, and they all use LF RFID) include some sort of event. Otherwise, the energy cost of strobing the LF reader can be a problem. For keyless entry, the event is touching the door handle. For key-based immobilization, the event is putting a key into the ignition. The round shape of the PaLFI demo reader is no mistake: it is the perfect size that fits into an ignition key barrel. So, if the car starts and a key with an LF fob is not detected in or near the ignition key barrel, then the immobilizer activates and shuts down the car. You can implement this by running a wire OR, if you are using the RF430, you can send a message wirelessly to the immobilizer via UHF. The range of DASH7 (OpenTag) is very long, so you could potentially even immobilize the car remotely, 1km away.


Many new cars have this feature. Your 88 Toyota surely did not, since this technology didn't exist in 1988. As far as I know, nobody makes an aftermarket immobilizer kit as good as factory OEM (indeed, you would be using all the same parts), so I think your project would be pretty cool.

Link to post
Share on other sites

Thanks, jpnorair.

I'll look at the links provided.


The way I imagine the system working wouldn't keep anyone out of the vehicle- the truck doesn't even have power door locks much less power windows. It would be just a keyfob hanging off the key ring which the system (mounted under the dashboard, so would be mostly shielded from the outside world) would look for when the key was turned to start the engine. No fob detected (within range), would mean the engine will not start. And should the fob be within range of the detector allowing the engine to start, the engine would die if vehicle moved and the fob was no longer detected. And if the vehicle was running then died because the fob was out of range, it would sound an alarm.

Link to post
Share on other sites
  • 2 weeks later...

Some inside info for you. There are many systems that use something similar, but there are actually laws (and codes of ethics) that dictate how these work (for the most part).


A: You do not want to disable something where, in the event of a failure (of the device), you would cause the vehicle to lose power or shut off.

B: Refer to A.


Most remote start and almost all ad-hoc immobilizer systems use the starter interrupt. In every car (most) there is a wire going from your ignition to your starter relay. This is one of the very few places you could interrupt the starting of a car without affecting its driveability. A lot of remote start applications monitor either an injector or cam/crank signal to verify that the module is working. Some of them do interrupt the fuel supply, but this is only if the ID tag (any number of implements such as PASSLOCK, RFID) is out of range. This is a very risky system, as if you are in a 10,000lb truck (just for example), going down the interstate at 80mph, and you lose fuel, you in turn lose power steering and 90% of brake power. This, as I'm sure you can imagine, is a bad thing.


The safest way is the way it is always done, but putting other implements in place to make it more difficult or impossible to gain access to the circuitry. With enough time, I would have no problem bypassing any security measure that may be put into place if I was thoroughly motivated. (Pop the trans into neutral and push it, tow it, break the ignition cylinder and jump the starter, bump start it, picking the ignition lock, or the ever popular master key.)


Your best bet would be a multi-front approach. Such as:

A: Starter interrupt (from the ignition cylinder, as many remote starts and buy-here-pay-here code boxes work)

B: Starter relay interrupt (located behind the glovebox or somewhere inconspicuous, even mounted remotely, possibly adding another relay to power the relay). Using a uC, you could have several failsafes (lights on, door open for example, or any number of circuits that can be tapped into to monitor a condition of your choice)

C: Tamper proof screws and bolts to secure the column and dash cladding (tamper proof Torx don't count. Single use flathead screws would be your best bet, but your mechanic probably won't have these {I happen to have a master set, so this wouldn't be foolproof, it would just take longer})

D: An alarm system (you could easily make this, so that if your doors are open, and your RFID key isn't within range, the alarm would sound, alerting you to nefarious activities).


The thing that comes to mind at this point is that the new Mazdas use an RFID key that automatically unlocks the doors if you are within a certain range. You don't even put a key in. As long as you have the FOB/CARD on your person, you simply get in the car and turn a knob (switch). When you get out and walk out of range, the car beeps and/or shuts off.


The possibilities for notification are endless. I'm fairly certain you could make the MSP ring your cell, send you an email, make an app do a dance, or whatever your heart and mind can conjure. The main thing you need to watch is, as I said, don't modify the fuel or battery circuitry unless you are using a mechanical device. A fuel kill switch can be (and I have done a few times) wired into the headlight circuitry, or other such circuits (although headlights are one of the few that have the power surplus, and will be applicable without the car already running). A battery kill is going to be difficult to make, even mechanically. There are race switches available that can handle the amps, but finding an 800amp relay may be an issue. Running 0-gauge wire inside the cabin is extremely noticeable, and if a thief blows your hood latch, they will be even more motivated by the thought of a juicy stereo system once they see huge wiring going inside the car. Which at that point a decent thief would just remove your battery, break a window, and pop it into neutral. "Decent" being an ironic sentiment, you know what I mean.



I'd be happy to discuss your options via PM, if you're concerned about your secrets getting out. I have access to wiring diagrams and schematics for any car out there, so I could point you in the direction that would be most effective on whatever vehicle you are looking to secure.



Here's a couple of non-biased links, just to show what I am babbling about.


Tamper Proof one-way machine screws (example). Sorry if outside links are frowned upon. This was just the first site Google popped up with them.



Turns out there are a few 800a/100v relays. I don't do too much online ordering, so I use what is available locally, and these are most certainly not.




Buy here pay here code box. I have installed these, along with GPS enabled models. Paytech is the brand I have previously installed, but for the most part, they are easily bypassed. How they work: pay your month's bill, get a 5 digit code, enter it, and it lets you start your car for another 30 days... Power, ground, interrupt relay (and relay power/gnd). The GPS models require you to run an antenna which is usually a complete PITA.



There are also ways to prevent your transmission from being tampered with, but this usually resorts to putting a metal plate on the undercarriage, covering the engine/trans. Again, this is limited unless you use thick steel and tamper proof bolts. A good thief (lol) will have the facilities to cut the bolts and remove the pan. If this isn't an option, a tow truck can always be employed, so you are never 100% covered. Few people will question someone hooking a car up to a stinger (tow truck) in a crowded mall parking lot. Even if the guy comes out, the person can use some social engineering to dupe the victim, either saying he was parked illegally, owed fines, etc. The only way to stop this if you happen to catch them is to call the cops and tell them what is going on, and perhaps using your own judgement how much your car is really worth (i.e. concealed carry, violent means).



This is all at your own risk, I make no warranty or guarantees hitherto. I am an ASE certified technician, fluent in locksmithing, vehicle circuitry, failsafes, and the like; but I cannot persuade you to do anything you don't deem logical and safe. DO NOT pull a gun on the guy repo'ing your car and say I told you to do it.



Sorry, disclaimers suck, but I have to cover my rear as well.

I'll help any way I can.


Link to post
Share on other sites

Appreciate the feedback.


All of those things have already crossed my mind.


A failsafe could be something similar to two MCU's handshaking. Obviously, the power up sequence would need to be well defined, and faults handled there as well. If one is a master and the other a slave, a fault in the master on power up could render the system inoperative, so the slave would detect this and report a system failure via a dash indicator. Would the system allow the vehicle to be operated in a failure mode? ... to be determined.


Assuming no power-on faults, the "system" starts with the master MCU toggling a pin high. The slave MCU detects this and toggles its pin high. The first detects this and toggles its pin low and in response the other toggles its pin low, ad infinitum. If one MCU doesn't detect the pin state toggle from the other within 2 seconds, it resets the other MCU, waits 5 seconds then toggles its pin 10 times over 10 seconds. If the other MCU is still not responding, an indicator on the dashboard is illuminated, power to the other MCU is interrupted, and it allows the vehicle to be driven until the key is turned off after which it (maybe?) refuses to allow the engine to start until the system is repaired. This could be extended out to 3 or 4 MCU's for added redundancy, if necessary.


However, this still doesn't address how to handle the actual theft of the vehicle.


- Would all the MCU's scan for the FOB? Probably not a bad idea. But what if one malfunctions and doesn't detect the FOB, or the FOB is erroneously reported as present? Obviously, that can't be arbitrated with only two MCU's. So 3 is a minimum for some fault-tolerance there; an odd number is needed to avoid contention if one-half of the MCU's disagree with the others. But now I run into the issue of where to put all the RFID detectors, and really, how many do I need... as in, could one detector be utilized by multiple MCU's?


- What vehicle circuit(s) are affected to prevent theft? In any case, I feel any one circuit would need at least two MCU's on it, in parallel, for fail safe operation.



Mental gymnastics... one possible solution....


5 MCU's: 1 as a "watchdog" over the others and 4 others split into pairs over two "anti-theft" circuits... possibly the starter relay and the fuel pump relay circuits. All of the MCU's would need to be synchronized somehow, so that timeouts can be detected predictably. Any MCU should be able to raise an error condition, which would be reported via an indicator on the dash.


The watchdog could have 5 GPIO pins configured as outputs: one for each secondary MCU to monitor; 4 pins configured as inputs- one for each MCU to respond to the watchdog with; plus the RFID detector pin requirements, and an additional output pin used to signal "fob_is_present" (MSP430G2553 might be enough, no?). Additionally, each 'pair' of MCU's would have a pair of pins to monitor each other within their circuit, a pin to monitor the watchdog's "fob_is_present" pin and a pin to signal an error... could be "ANDed" with other MCU's error pins for a simple error display.


Power up sequence:

I'm not sure the time between the key being inserted and turned to "START" is enough time to detect the fob so maybe the watchdog should wake up if any door opens and then check for the fob.

I've entered the truck from the passenger's side and started the truck many times, so that should be anticipated.

If the fob is present, it could set an internal bit indicating it was present, but it will not toggle the pin until it detects the key is turned to "START". But what to do if the door opens and the fob is present, but then the key doesn't get turned to start the engine? Maybe wake every 5 seconds to detect the fob, and if the fob is detected, go back to sleep, otherwise reset the bit and go to sleep until the door opens again? I think that would cover a situation where, say, the driver got in the car and sat there waiting for someone for a long time.


The slave MCU's, I believe, should wake when the master raises the "fob_is_present" pin. This permits the slave MCU's to do their job and close (or maybe open) circuits so the vehicle will start.

But, I do it all the time- get in the truck, turn the key "ON" so I can listen to the radio... doesn't mean I'm going to start the truck.



So, regardless of the systems I choose to interrupt, how far off target have I drifted?


Link to post
Share on other sites
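
The two-MCU handshake from the post above (2-second timeout, peer reset, 5-second wait, 10 toggles over 10 seconds, then fault), written out as a state machine with a host-side simulation. This is an added example, not code from the thread; the 100 ms tick, the 500 ms peer toggle period, all names, and the choice to ignore the peer's pin during the 5-second wait are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define TICK_MS         100u    /* assumed scheduler tick */
#define PEER_TIMEOUT_MS 2000u   /* post: no toggle "within 2 seconds" */
#define RESET_WAIT_MS   5000u   /* post: "waits 5 seconds" after the reset */
#define RETRY_PERIOD_MS 1000u   /* post: 10 toggles over 10 seconds */
#define RETRY_COUNT     10u
enum hs_state { HS_OK, HS_WAIT, HS_RETRY, HS_FAULT, HS_LOCKED };

struct hs {
    enum hs_state state;
    uint32_t t_mark;        /* last peer edge or last timed action (ms) */
    unsigned retries;       /* own toggles sent while in HS_RETRY */
    bool my_pin, peer_reset, peer_power, indicator, lock_after_fault;
};

/* lock: the post's "(maybe?)" refuse-restart policy, made an explicit choice */
void hs_init(struct hs *h, uint32_t now, bool lock) {
    *h = (struct hs){ .t_mark = now, .peer_power = true, .lock_after_fault = lock };
}

/* The engine is never stopped here; only the next start can be refused. */
bool hs_start_allowed(const struct hs *h) { return h->state != HS_LOCKED; }

/* Call once per tick; peer_edge = peer pin changed since the last call. */
void hs_step(struct hs *h, uint32_t now, bool peer_edge, bool key_on) {
    uint32_t dt = now - h->t_mark;      /* unsigned math survives wraparound */
    h->peer_reset = false;              /* reset line is a one-tick pulse */
    switch (h->state) {
    case HS_OK:
        if (peer_edge) { h->my_pin = !h->my_pin; h->t_mark = now; }
        else if (dt >= PEER_TIMEOUT_MS) {
            h->peer_reset = true; h->state = HS_WAIT; h->t_mark = now;
        }
        break;
    case HS_WAIT:                       /* peer is rebooting: ignore its pin */
        if (dt >= RESET_WAIT_MS) {      /* send the first of the 10 toggles */
            h->my_pin = !h->my_pin; h->retries = 1;
            h->state = HS_RETRY; h->t_mark = now;
        }
        break;
    case HS_RETRY:
        if (peer_edge) { h->state = HS_OK; h->t_mark = now; }
        else if (dt >= RETRY_PERIOD_MS && h->retries < RETRY_COUNT) {
            h->my_pin = !h->my_pin; h->retries++; h->t_mark = now;
        } else if (dt >= RETRY_PERIOD_MS) {     /* all 10 went unanswered */
            h->state = HS_FAULT; h->indicator = true; h->peer_power = false;
        }
        break;
    case HS_FAULT:                      /* drivable until the key is turned off */
        if (!key_on && h->lock_after_fault) h->state = HS_LOCKED;
        break;
    case HS_LOCKED: break;              /* stays locked until repaired */
    }
}

/* Constructed scenario, peer toggles every 500 ms while alive; returns fault time or 0. */
uint32_t run_scenario(struct hs *h, uint32_t dies, uint32_t recovers,
                      uint32_t key_off, uint32_t end) {
    uint32_t fault_at = 0;
    hs_init(h, 0, true);
    for (uint32_t now = TICK_MS; now <= end; now += TICK_MS) {
        bool alive = now < dies || now >= recovers;
        hs_step(h, now, alive && now % 500u == 0, now < key_off);
        if (h->state == HS_FAULT && fault_at == 0) fault_at = now;
    }
    return fault_at;
}

int main(void) { struct hs h; return run_scenario(&h, 3000, UINT32_MAX, 30000, 40000) != 19500u; }
```

With the peer silent from 3 s onward, the fault is raised 17 s after its last toggle (2 + 5 + 10), the vehicle stays drivable, and a restart is refused only after the key is turned off.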

Very interesting thread with good posts. Might be a strange comment, but this almost seems a bit similar to my garage-door-opener project :-) You could make the whole startup of the car keyless (just replace the key with a button :-) ) and it could send a signal to your fob and it'd reply with an encrypted code.

Link to post
Share on other sites

Very interesting thread with good posts. Might be a strange comment, but this almost seems a bit similar to my garage-door-opener project :-) You could make the whole startup of the car keyless (just replace the key with a button :-) ) and it could send a signal to your fob and it'd reply with an encrypted code.


Interesting idea. The system could engage the starter and sample the IGf pulses ("I Got fire"), and when the pulses were occurring fast enough for it to assume the engine is running, say something like 33 pulses per second, disengage the starter. 33 pulses per second would equate to approximately 500 rpms for a 4 cylinder engine: 33 / 4 * 60 = 495. 495 is greater than the cranking speed, but slower than idle so should be a good indicator the engine is running and doesn't require the starter- far better, in my opinion, than just holding the starter for 5 seconds or something like that.


But I'd still need the key in the ignition switch to unlock the steering wheel and gear selector.


The more I think about this, the best place to locate the module would be within the ECU itself. I wonder if there's room?

Link to post
Share on other sites
