Spoofing TPMS signal - Page 7 - Subaru Outback - Subaru Outback Forums
 45Likes
Reply
 
LinkBack Thread Tools Rating: Thread Rating: 1 votes, 1.00 average.
post #61 of 81 (permalink) Old 06-02-2018, 02:51 PM Thread Starter
Super Moderator
 
Brucey's Avatar
 
Join Date: Nov 2005
Location: WV
Car: '17 3.6 Limited
Posts: 8,906
Feedback Score: 0 reviews
Recorded a 15 minute drive at 70 mph today.

No signals in the 315 mhz range at all. Going to have to hunt it down and see what I'm doing wrong. I can pick up FM stations with this antenna so I know it works.

Brucey is offline  
Sponsored Links
Advertisement
 
post #62 of 81 (permalink) Old 06-02-2018, 03:34 PM
Registered User
 
Dennis_Root's Avatar
 
Join Date: Sep 2017
Location: Cantin, ct USA
Car: 2008 Outback limited 2.5l
Posts: 27
Feedback Score: 0 reviews
What are you using to sniff for the signal? Ideal antenna length is 9.37 inches 23.81cm. You may need an amplifier to pick that signal out of the noise. Sorry my first post is here and not in introductions.

Sent from my SM-N950U using Tapatalk

Brucey likes this.
Dennis_Root is online now  
post #63 of 81 (permalink) Old 06-02-2018, 03:51 PM Thread Starter
Super Moderator
 
Brucey's Avatar
 
Join Date: Nov 2005
Location: WV
Car: '17 3.6 Limited
Posts: 8,906
Feedback Score: 0 reviews
Quote:
Originally Posted by Dennis_Root View Post
What are you using to sniff for the signal? Ideal antenna length is 9.37 inches 23.81cm. You may need an amplifier to pick that signal out of the noise. Sorry my first post is here and not in introductions.

Sent from my SM-N950U using Tapatalk
This SDR https://amzn.to/2LTPpUE

Antenna length is around 5 inches. Do you think even a few feet away from the source it would effect picking it up?
Brucey is offline  
post #64 of 81 (permalink) Old 06-02-2018, 04:02 PM
Registered User
 
Dennis_Root's Avatar
 
Join Date: Sep 2017
Location: Cantin, ct USA
Car: 2008 Outback limited 2.5l
Posts: 27
Feedback Score: 0 reviews
At that length, you are under 1/4 wave length so you will lose a lot of sensitivity. You would need to be within inches of the transmitter and even then would have a hard time picking up the signal. If that has a removable whip, you can swap in a longer piece of wire to get to 1/4 wave with the length of 9.37 inches. Being a mag mount, the car would act as the ground plane.

Sent from my SM-N950U using Tapatalk
Brucey likes this.
Dennis_Root is online now  
post #65 of 81 (permalink) Old 06-02-2018, 04:57 PM
Registered User
 
Dennis_Root's Avatar
 
Join Date: Sep 2017
Location: Cantin, ct USA
Car: 2008 Outback limited 2.5l
Posts: 27
Feedback Score: 0 reviews
It also looks like you are looking for a signal being transmitted at .0199 watts. An amplifier will definitely help. As will filtering to pick out this signal from the noise.

Sent from my SM-N950U using Tapatalk
Brucey likes this.
Dennis_Root is online now  
post #66 of 81 (permalink) Old 06-02-2018, 06:24 PM Thread Starter
Super Moderator
 
Brucey's Avatar
 
Join Date: Nov 2005
Location: WV
Car: '17 3.6 Limited
Posts: 8,906
Feedback Score: 0 reviews
Quote:
Originally Posted by Dennis_Root View Post
It also looks like you are looking for a signal being transmitted at .0199 watts. An amplifier will definitely help. As will filtering to pick out this signal from the noise.

Sent from my SM-N950U using Tapatalk
Got any specific recommendations? Cut a piece of 14 gauge wire to 9.37 inches?
Brucey is offline  
post #67 of 81 (permalink) Old 06-02-2018, 06:44 PM
Registered User
 
Dennis_Root's Avatar
 
Join Date: Sep 2017
Location: Cantin, ct USA
Car: 2008 Outback limited 2.5l
Posts: 27
Feedback Score: 0 reviews
If that whip is swappable then that would work. The other option is making a dipole antenna. But that would require an adapter to mate to the mcx connector for that device. They are easy enough to make. But even with the right antenna, picking that signal out of the noise can still be tricky.

Sent from my SM-N950U using Tapatalk
Dennis_Root is online now  
post #68 of 81 (permalink) Old 06-02-2018, 07:55 PM Thread Starter
Super Moderator
 
Brucey's Avatar
 
Join Date: Nov 2005
Location: WV
Car: '17 3.6 Limited
Posts: 8,906
Feedback Score: 0 reviews
Quote:
Originally Posted by Dennis_Root View Post
If that whip is swappable then that would work. The other option is making a dipole antenna. But that would require an adapter to mate to the mcx connector for that device. They are easy enough to make. But even with the right antenna, picking that signal out of the noise can still be tricky.

Sent from my SM-N950U using Tapatalk
That's why I like the "record it on the balancing machine" aspect as it should be stationary but still transmitting. I tried a ghetto method of putting the car on jack stands this morning and only leaving one wheel on to get the purest signal possible but the car will not allow it.

My local favorite mechanic has a Road Force balancing machine. Lists at 300 rpm balance speed. That might not be enough assuming they don't start to transmit until closer to 500 rpm. I know it can be recorded on the fly because it's been done before (previous Jared Boone video) but if I can't get it to work I'm sure they could be talked into letting me sit around the shop with a laptop for a minute.
Brucey is offline  
post #69 of 81 (permalink) Old 06-02-2018, 08:06 PM
Registered User
 
Dennis_Root's Avatar
 
Join Date: Sep 2017
Location: Cantin, ct USA
Car: 2008 Outback limited 2.5l
Posts: 27
Feedback Score: 0 reviews
The wheel balance machine idea is a good idea to trigger it provided the car does not need to send a wake up signal to the sensor. My understanding is the is not the case on most cars. But it may take a set time of rotation for it to go active. Some chips require 20 minutes to go active. The less electronics running the lower the noise floor will be and the better the signal will stand out. Also the cooler the better as thermal noise will add to the overall interference that you need to overcome. Get the antenna asclose as possible to receive the strongest signal. Make sure that the mag mount antenna is places on a metal surface atlest as wide as the antenna length to optimize the ground plane. If you can detect the signal you should be good as the data packets sent do not appear to be encrypted.

Sent from my SM-N950U using Tapatalk
Brucey likes this.
Dennis_Root is online now  
post #70 of 81 (permalink) Old 06-02-2018, 08:23 PM Thread Starter
Super Moderator
 
Brucey's Avatar
 
Join Date: Nov 2005
Location: WV
Car: '17 3.6 Limited
Posts: 8,906
Feedback Score: 0 reviews
Quote:
Originally Posted by Dennis_Root View Post
The wheel balance machine idea is a good idea to trigger it provided the car does not need to send a wake up signal to the sensor. My understanding is the is not the case on most cars. But it may take a set time of rotation for it to go active. Some chips require 20 minutes to go active. The less electronics running the lower the noise floor will be and the better the signal will stand out. Also the cooler the better as thermal noise will add to the overall interference that you need to overcome. Get the antenna asclose as possible to receive the strongest signal. Make sure that the mag mount antenna is places on a metal surface atlest as wide as the antenna length to optimize the ground plane. If you can detect the signal you should be good as the data packets sent do not appear to be encrypted.

Sent from my SM-N950U using Tapatalk
Yup. In theory it's easy but this is well beyond my typical skill level. Hence me enlisting everyone I can to help me.

The signal is not only un-encrypted but we know it's running at 315 MHZ and ASK/Manchester encoding based on the FCC test report I listed earlier.

It's just a matter of recording it and playing it back and seeing if that is enough to satisfy the vehicles ECU/BCU/TPMS computer.

If it is enough, jobs done.

If it's not I'll have to dig deeper into decoding it.

Brucey is offline  
Reply

Quick Reply
Message:
Options

Register Now



In order to be able to post messages on the Subaru Outback - Subaru Outback Forums forums, you must first register.
Please enter your desired user name, your email address and other required details in the form below.

User Name:
Password
Please enter a password for your user account. Note that passwords are case-sensitive.

Password:


Confirm Password:
Email Address
Please enter a valid email address for yourself.

Email Address:
OR

Log-in










Thread Tools
Show Printable Version Show Printable Version
Email this Page Email this Page
Rate This Thread
Rate This Thread:



Posting Rules  
You may post new threads
You may post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

 
For the best viewing experience please update your browser to Google Chrome