Old 11th May 2022, 12:22   #31
Senior - BHPian
 
 
Join Date: Oct 2008
Location: Bangalore
Posts: 1,633
Thanked: 2,448 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by beast_within View Post
Yesterday I replicated the scenario in my 1st Gen Harrier XZ. When I shut the boot door, the car started honking, the hazard lights came on and all 4 doors got unlocked by themselves. Tried twice to lock the smart key inside the boot, with the same results.

Having said that, I can lock the smart key inside the boot by following these steps

1. All doors are already in the unlocked position.
2. Keep one smart key inside the boot.
3. Shut the boot.
4. Lock the car using the remote button on the spare smart key.
5. Car gets locked with the smart key inside the boot.
Wow, that is really strange. Does your car have a request sensor on the boot door? Or, is it some feature reduction done by Tata? If yes, severely disappointed.

Can any other Harrier owners (2022 model) please try this?

--Anoop
theexperthand is offline  
Old 11th May 2022, 12:22   #32
BHPian
 
 
Join Date: Nov 2021
Location: NCR
Posts: 51
Thanked: 164 Times
Re: Open Sesame

Curious to see how this thread progresses!

The 'replay attack' like the one mentioned below became obsolete when modern transmitter-receivers started using a 40-bit code generated from a pseudo-random number generator, so that the same code can't be used twice and can't be predicted due to the large sample set and entropy.
Quote:
Originally Posted by Govind View Post
Just out of curiosity:
It should be possible to lock/unlock by playing that video as well? So if we record the beep/signal on the phone while someone locks/unlocks the car, the person can later replay the recorded content and do lock/unlock?
However, waiting to see from the experts here how the transmitter can transmit the code using the mic in a mobile phone and the receiver can sync the same at their end over the phone's speaker?
D_Security_Guy is offline   (3) Thanks
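To make the rolling-code point above concrete, here is an added example that is not from the thread or from any manufacturer's firmware: a toy 40-bit rolling-code fob and receiver in Python. A keyed HMAC of a press counter stands in for the fob's pseudo-random generator and the receiver resyncs across a 16-press window; both are assumptions. A code recorded from one press is rejected on replay because the receiver has already spent that counter value.

```python
import hmac
import hashlib

WINDOW = 16   # assumption: how many unheard presses the receiver will resync across


def rolling_code(secret: bytes, counter: int) -> int:
    # Constructed stand-in for the fob's pseudo-random generator: keyed
    # HMAC-SHA256 of the press counter, truncated to 40 bits (5 bytes).
    digest = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:5], "big")


class Fob:
    """Transmitter: advances its counter on every press, never reuses a code."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> int:
        self.counter += 1
        return rolling_code(self.secret, self.counter)


class Receiver:
    """Car side: accepts only codes strictly ahead of the last one consumed."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def accept(self, code: int) -> bool:
        for n in range(self.counter + 1, self.counter + 1 + WINDOW):
            expected = rolling_code(self.secret, n).to_bytes(5, "big")
            if hmac.compare_digest(expected, code.to_bytes(5, "big")):
                self.counter = n    # this counter value is now spent
                return True
        return False                # replayed, already spent, or too far ahead


def demo() -> tuple:
    """Returns (live, replayed, next, out_of_window) acceptance results."""
    secret = b"constructed-shared-secret"   # constructed: shared by fob and BCM
    fob, car = Fob(secret), Receiver(secret)
    first = fob.press()
    live = car.accept(first)                 # genuine press: accepted
    replayed = car.accept(first)             # a recording of it: rejected
    nxt = car.accept(fob.press())            # the next press still works
    for _ in range(WINDOW + 1):              # presses the car never heard
        stale = fob.press()
    out_of_window = car.accept(stale)        # past the resync window: rejected
    return live, replayed, nxt, out_of_window
```

The out-of-window case is why a fob pressed many times away from the car has to be resynchronised, and why a replayed recording of a single press buys nothing once that press has been heard.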
Old 11th May 2022, 12:27   #33
BHPian
 
 
Join Date: Feb 2008
Location: Raipur
Posts: 193
Thanked: 322 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by theexperthand View Post
Wow, that is really strange. Does your car have a request sensor on the boot door? Or, is it some feature reduction done by Tata? If yes, severely disappointed.

Can any other Harrier owners (2022 model) please try this?

--Anoop
Yes, there is a request sensor button below the oval "T" logo.
beast_within is offline   (1) Thanks
Old 11th May 2022, 12:50   #34
BHPian
 
Join Date: Dec 2021
Location: Hyderabad
Posts: 40
Thanked: 79 Times
Re: Open Sesame

Quote:
Originally Posted by irdevanand View Post
Heard about this hack several times, but this is the first time hearing it from a verified source, and happy that it works. By any chance can you capture this again in a video and post it on YouTube? It will be helpful for many.

Regards
Dev
Wow!! Is this for real? I have seen so many videos on YouTube and even tried the same on our cars; it never worked.

I tried again just before posting this message and it didn't work.

Will this work only if we leave the keys inside the car?
VALLURIS is offline   (1) Thanks
Old 11th May 2022, 12:57   #35
BHPian
 
Join Date: Oct 2021
Location: Bengaluru
Posts: 589
Thanked: 1,253 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

It could be some coincidence that the car got unlocked. It could be the key that was left inside the boot (?) that did this.

The keyfob sends the code modulated over a given radio frequency. The receiver not only has to tune to this frequency but also decode the code transmitted. This is in the radio frequency range (100s of MHz) and cannot be transmitted over a speaker/mic.

For OP, please demonstrate this and have Tata check it over, since it looks like some flaw and mix of events. The mobile phone has nothing to do with this.
PreludeSH is offline   (5) Thanks
Old 11th May 2022, 13:57   #36
Senior - BHPian
 
 
Join Date: Oct 2008
Location: Stockholm
Posts: 1,318
Thanked: 2,475 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by D_Security_Guy View Post
Curious to see how this thread progresses!
The 'replay attack' like the one mentioned below became obsolete when modern transmitter-receivers started using a 40-bit code generated from a pseudo-random number generator, so that the same code can't be used twice and can't be predicted due to the large sample set and entropy.
Quote:
Originally Posted by Samurai View Post
Maybe the Nyquist principle has ceased to exist...
I'm also curious about how this worked; it is improbable to work over mobile phones with my limited knowledge in this field. Is the remote lock an aftermarket system?

On a related note, here is a video on hacking the remote locking system of the car. It is more sophisticated, using SDR, software-defined radio.

ecenandu is offline   (4) Thanks
Old 11th May 2022, 15:07   #37
Senior - BHPian
 
 
Join Date: Oct 2008
Location: Bangalore
Posts: 1,633
Thanked: 2,448 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by beast_within View Post
Yes there is a request sensor button below the oval "T" logo.
Are you sure it hosts a request sensor? I thought it is only a press button to unlock the hatch door.

If a request button is present, it is more mysterious that the hatch door got locked with a key inside.

I will try to replicate this one more time and will update the findings.

--Anoop
theexperthand is offline  
Old 11th May 2022, 15:36   #38
BHPian
 
Join Date: Dec 2020
Location: Hyderabad
Posts: 50
Thanked: 183 Times
Re: Open Sesame

Quote:
Originally Posted by irdevanand View Post
Slightly off topic ...
My Honda City won't lock itself if the key is inside. One day we packed the spare key inside one of the suitcases and when we tried to lock the boot it kept unlocking. Finally I had to take the key out and then lock.

Both Tata and Mahindra have achieved design parity and better safety compared to other leading makers. Now is the time to focus on these minute topics for a wholesome experience.

Regards
Dev
But Mahindra already provides this feature. My XUV 5OO doesn't get locked via button on door handle, if the key is inside the car. And instead of just unlocking, the car keeps beeping and won't get locked, when you try to lock.

Off-topic, but surprised to see some other posts by BHPians starting to bash Tata & Mahindra for something so unrelated, without even bothering to check facts.
brownkaiser is offline   (1) Thanks
Old 11th May 2022, 16:27   #39
BHPian
 
 
Join Date: Feb 2008
Location: Raipur
Posts: 193
Thanked: 322 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by theexperthand View Post
Are you sure it hosts a request sensor? I thought it is only a press button to unlock the hatch door.

If a request button is present, it is more mysterious that the hatch door got locked with a key inside.

I will try to replicate this one more time and will update the findings.

--Anoop
By its "appearance" it looks similar to the request sensor button. Not sure what is really inside it. If it is not a request sensor button, how would the boot unlock when we press this button (below the T logo) with the smart key in our pocket?
beast_within is offline   (2) Thanks
Old 11th May 2022, 17:28   #40
BHPian
 
Join Date: Nov 2021
Location: Navi Mumbai
Posts: 62
Thanked: 272 Times
Re: Chronicles of Strider, the Black Beast | Our Tata Harrier XZ+ Dark Edition

Quote:
Originally Posted by Strider24 View Post
My 11 year old Corolla Altis does this too. My wife frequently tries to lock the car with the keys inside and this feature always helps.

On the other hand, this trick is amazing. I never knew this can be done. Thanks for sharing.

Oh that's good to know. I'd have assumed this is more standard across manufacturers since it's a nifty thing to have. However, my point was limited to leaving keys inside the boot and associated warning from the car and boot lid coming back up along with it. If I leave the keys inside the car the car won't lock at all and as soon as I walk away it'll start the warning beeps. So there's no accidental locking. There's the option to remotely lock or unlock it from the Honda Connect app though.
BrakeDancer is offline   (1) Thanks
Old 11th May 2022, 18:35   #41
BANNED
 
Join Date: Mar 2011
Location: hump city
Posts: 1,293
Thanked: 5,866 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by Samurai View Post
Maybe the Nyquist principle has ceased to exist...

Unless the keyfobs have started working below 4 kHz, I can't fathom how this can work. The ADC on the mobile phone will only sample 8000 times/sec. So it can't capture frequencies higher than half that rate (4 kHz).

If they sample at higher frequencies, say 16 kHz, twice the amount of data has to be sent across. To capture a 10 MHz signal, the phone has to send across 2500 times more data compared to regular speech. Just saying...
Samurai, maybe this is what is happening, by pure luck

Quote:
Originally Posted by venkyhere View Post
What must be happening is "aliasing" through subsampling+supersampling of the signal. The phone mic and speakers operate over a < 20 kHz range, and remote keyfob communication must be somewhere within 100 MHz and 1000 MHz. But some 'aliasing' can happen, if lucky (google "signal aliasing").

In layman's terms, it's like how at certain speeds, if observed from a parallel vehicle, a car's wheels appear to be slowly moving in reverse, OR if we pay attention to the barricade guard rail alongside a highway, its poles move backwards at certain speeds, then are stationary at higher speeds, and even move forwards at even higher speeds.

Only a blind guess, since the radio frequency of communication between a car's keyfob and the audio frequency band of human hearing are certainly disjoint from each other.
Whatever encoding/decoding of the digital data is involved, and whatever bits-to-symbol/symbol-to-bits conversion needs to be done, are all done by the original authorized agents only (the keyfob and the car's BCM), so there is no 'security breach' here.

In the off chance that the same data pattern is blasted repeatedly by the keyfob, there is a pure-luck possibility that the carrier frequency of the keyfob and the sampling frequency of the BCM receiver are a pure harmonic multiple of the clock frequency of the audio ADC and DAC on the phones. Which could result in the BCM accidentally supersampling a low-bandwidth signal and identifying it as valid symbols from the expected signal bandwidth range.

Just a wild guess. How else can such a thing happen, unless the vehicle keyfobs are operating in the 4 kHz range (in which case, we should hear them)?

Last edited by venkyhere : 11th May 2022 at 18:39.
venkyhere is offline   (3) Thanks
Old 11th May 2022, 19:12   #42
BHPian
 
 
Join Date: May 2021
Location: KL-03/KA-05
Posts: 277
Thanked: 873 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by irdevanand View Post
My Honda City won't lock itself if the key is inside. One day we packed the spare key inside one of the suitcases and when we tried to lock the boot it kept unlocking. Finally I had to take the key out and then lock.
I had the same experience with my Kia Sonet as well. The car won't lock itself automatically, or when I push the lock manually (when the door is open), or when I press the request sensor button, if the key is inside. However, it does lock if I press the lock button on the other key fob, even if the spare key is inside.
robincsamuel is offline   (1) Thanks
Old 11th May 2022, 19:38   #43
Team-BHP Support
 
 
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,833
Thanked: 45,663 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by venkyhere View Post
In the off chance that the same data pattern is blasted repeatedly by the keyfob, there is a pure-luck possibility that the carrier frequency of the keyfob and the sampling frequency of the BCM receiver are a pure harmonic multiple of the clock frequency of the audio ADC and DAC on the phones. Which could result in the BCM accidentally supersampling a low-bandwidth signal and identifying it as valid symbols from the expected signal bandwidth range.
What is the statistical probability of that happening?
Samurai is offline   (3) Thanks
Old 11th May 2022, 19:52   #44
Newbie
 
Join Date: Apr 2022
Location: Noida
Posts: 19
Thanked: 31 Times
Re: Open Sesame

Quote:
Originally Posted by anshu1101 View Post
Ditto in my Hyundai Tucson. If I try to lock the car using the button on the request sensor, and have left the key inside the car, the car would emit a long chime and the doors will not get locked.
Same on Kia Carens.

I learnt this the hard way when one random day, the car was not getting locked. It happened near the dealer showroom, and hence went to check with him. They were confused as heck, and took me to the service center.

Replicated the issue at the SC, and they agreed to take the car and have a look. I took off my bag and went to the viewing area.

Engineers took the car in, tried to lock it, and it worked! Tried it a couple of times, worked again. They called me, I tried, and it worked. So I kept my bag inside, thought to give it a final try, and boom, it didn't lock.

They tried all diagnostics via OBD port, all passed.

Finally someone had the wit to ask for the spare key, and it hit me: the spare key was inside the bag! Huh. Cue embarrassment and apologies from me, and a lesson never to be forgotten.

Last edited by suhaas307 : 11th May 2022 at 19:59. Reason: spacing for improved readability
fatman2022 is offline   (9) Thanks
Old 11th May 2022, 23:03   #45
BHPian
 
Join Date: Apr 2022
Location: Bangalore
Posts: 71
Thanked: 170 Times
Re: I unlocked my Harrier remotely, using a distant keyfob and two mobile phones through radio signa

Quote:
Originally Posted by venkyhere View Post
Samurai, maybe this is what is happening, by pure luck

Whatever encoding/decoding of the digital data is involved, and whatever bits-to-symbol/symbol-to-bits conversion needs to be done, are all done by the original authorized agents only (the keyfob and the car's BCM), so there is no 'security breach' here.

In the off chance that the same data pattern is blasted repeatedly by the keyfob, there is a pure-luck possibility that the carrier frequency of the keyfob and the sampling frequency of the BCM receiver are a pure harmonic multiple of the clock frequency of the audio ADC and DAC on the phones. Which could result in the BCM accidentally supersampling a low-bandwidth signal and identifying it as valid symbols from the expected signal bandwidth range.

Just a wild guess. How else can such a thing happen, unless the vehicle keyfobs are operating in the 4 kHz range (in which case, we should hear them)?

I think we're all missing one basic point here: mobile phones' mics and speakers operate in the 20 Hz to 20 kHz range for sound waves, which are mechanical waves.

The signal emitted by the key fob on the other hand, is an electromagnetic wave. So any comparison of frequencies is moot, if we're talking about different kinds of waves altogether!

So let's let Harry Nyquist rest peacefully in the beyond for now!

Now I don't for a minute mean to undermine @theexperthand or @venkyhere's experience of seeing this work, but I think there could be an entirely different phenomenon at work here, if this method does indeed work.

As for me, when I first heard about unlocking car doors with a key fob over mobile over ten years ago, I immediately tried it with an elaborate setup with a friend's help, with very limited (read zero) success.
vijaysrk is offline   (3) Thanks
Copyright ©2000 - 2024, Team-BHP.com