No*Rats

There are
many, many vehicle tracking devices available today. They range
from simple devices that record data onto an SD card for later
download to fully-integrated solutions which combine tracking
and theft recovery features with convenience features such as
unlocking doors and remote start. While these devices work well,
and meet the needs of most users, in my opinion they still
suffer from a serious flaw: they are closed systems,
impossible for end users like me to customize or extend. Also,
the connectivity service is typically quite limited. One popular
tracking device limits continuous tracking to only 10 minutes.
These services also limit the data retention time (e.g. track
logs are only kept for 6 months before being deleted). Some
tracking services don't even give you access to the tracking
data at all, sharing it only with the police after your car is
reported stolen. If I wanted to get a location fix simply to
remember where I parked, I'd be SOL. Ironically, some of these
vehicle security systems are ridiculously insecure, like the unnamed
security system that was "owned front to back" by two
security researchers last year simply by sending SMS text
messages. There have been other incidents as well.

Wanting a
"silent" alarm and tracking system, and not content to live
within these limitations, I designed my own vehicle tracker
which I call No*Rats. No*Rats consists of a GPS receiver, a
GSM/GPRS transceiver, and a Class 2 bus interface, all
interfaced to an embedded microcontroller. The Class 2 bus is
one of the native communication media in the C6 Corvette; it is
used for all functions where high bandwidth or a strict
real-time response is not required, such as unlocking a door,
rolling down a window, or turning on the headlights. By
connecting to the Class 2 bus, No*Rats can not only monitor and
report all important aspects of the vehicle's status, but can
also issue commands to the other modules in the car, such as
unlocking a door in response to a command received over the
cellular network. And the security of the command interfaces is
not an afterthought, nor is it merely "security by obscurity" -
it employs strong encryption and mutual authentication between
the No*Rats client and the Command and Control server.

No*Rats has all the
standard features one would expect from a vehicle tracking
device, plus much, much more. No*Rats can send
notifications via SMS or email of important events such as:

No*Rats can also
respond to the owner's commands sent via a remote computer or
smart phone:

While the vehicle is
parked, No*Rats periodically checks the position of the vehicle
using its GPS receiver. If the position changes (e.g. due to the
car being pushed or towed), the owner is immediately notified.
No*Rats also connects to the central server at regular intervals
and reports its status; if the No*Rats unit fails to report in
as scheduled (e.g. as the result of having been disabled), the
server generates an immediate notification. This checking is
done at a low duty cycle to maximize battery life.
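
The two checks described above, sketched as an added example (not the No*Rats firmware or server code): a parked-position drift test that waits for consecutive out-of-range fixes before alerting, and the server's missed check-in test. The 50 m threshold, two-fix confirmation, grace period and all coordinates are constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def parked_moved(anchor, fixes, threshold_m=50.0, confirm=2):
    """True once `confirm` consecutive fixes lie beyond threshold_m of the anchor.
    Requiring consecutive fixes keeps one noisy GPS reading from raising an alert."""
    streak = 0
    for fix in fixes:
        streak = streak + 1 if haversine_m(anchor, fix) > threshold_m else 0
        if streak >= confirm:
            return True
    return False

def missed_checkin(last_report_s, now_s, interval_s, grace_s=120):
    """Server side: True when the unit is overdue by more than the grace period,
    which is the case when it has been disabled or lost connectivity."""
    return now_s - last_report_s > interval_s + grace_s

# Constructed sample data: position recorded at ignition-off, then periodic fixes.
ANCHOR = (32.71570, -117.16110)
JITTER_FIXES = [(32.71572, -117.16108),   # a few metres of normal GPS wander
                (32.71650, -117.16110),   # single ~89 m outlier
                (32.71569, -117.16112)]   # back at the anchor
TOWED_FIXES = [(32.71572, -117.16108),
               (32.71670, -117.16110),    # ~111 m away
               (32.71790, -117.16110)]    # ~245 m away, second fix in a row

if __name__ == "__main__":
    print("jitter only:", parked_moved(ANCHOR, JITTER_FIXES))
    print("towed:      ", parked_moved(ANCHOR, TOWED_FIXES))
    print("overdue:    ", missed_checkin(0, 3800, 3600))
```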

The C6 Corvette key
fobs are numbered 1-4 and each is distinguishable by the car,
which uses the fob number to recall each driver's individual
memory settings for seat position, radio stations, HVAC
settings, mirror positions, etc. No*Rats can also behave
differently depending on which fob is used to access the
vehicle. For example, if the owner regularly uses key fob #1,
but gives key fob #2 to the technician when taking his car in
for service, certain tracking events (e.g. starting the car) can
be suppressed if the car was accessed using fob #1 but enabled
for fob #2. This avoids "nuisance" notifications being sent to
the owner while he is driving his own car.

Did you forget where
you parked? No*Rats can send its current location right to your
smart phone, allowing your favorite navigation app to guide you
right back to your car.

Did you lock your RKE fob in the car? Even though Corvette's
engineers tried very hard to prevent this, some creative
Corvette owners have managed to do it anyway (usually by tossing
a briefcase or jacket into the hatch area where the fob antenna
coverage is weak). Send the command to unlock your doors from
your cell phone. Or, if you locked your phone in the car also,
send the command from any Internet-connected PC, or dial the
No*Rats module's phone number from any telephone and punch in
your access code on the DTMF keypad.

Also, unlike
traditional aftermarket alarm systems, which have dozens of
wires and require professional installers to cut and splice
wiring harnesses and install a bunch of relays, the No*Rats
connects to the car using just 3 wires - no need for wholesale
hacking and slashing of my car's wiring.

Although a
vehicle tracker is a pretty simple concept, the devil, as they
say, is in the details. The following are some of the factors
that were taken into account by the design.

Modern
cars have dozens of embedded microcontroller modules installed
in them. These modules never turn fully off; instead, their
microcontrollers enter a low-power "sleep" state until triggered
by some wake-up event. For example, the RCDLR (Remote Keyless
Entry) module in the C6 must always be "listening" for an RF
transmission from a remote entry key fob, ready to wake up,
disarm the security system, and unlock the doors when the owner
presses a button on the key fob. Because these devices are never
fully turned off, they continue to draw a small amount of
current when the vehicle is not running; eventually the vehicle
battery will be drained to the point where the car will no
longer start. Thus, each module must be designed to draw as
little quiescent current as possible. In the case of the C6
Corvette, GM specifications state that the car should still be
able to start even after sitting for approximately 30 days; this
is done by allowing a total budget for quiescent current draw of
around 35 mA for all of the electronics in the car. Of
course, when auxiliary devices are installed they add to this
ignition-off current drain and shorten the amount of time that
the car can be parked without excessive battery drain. An
example of what can happen when this budget is exceeded is what
C6 owners call Dead Battery Syndrome, or DBS. Some early production
Corvettes suffered from a firmware bug in one of the car's
embedded modules; under certain conditions, one or more of the
modules would not shut down properly, resulting in excessive
ignition-off current drain and a dead battery overnight. Many C6
Corvettes took flatbed rides to the dealership until the problem
was diagnosed and corrected with a firmware update. Other C6
owners have installed aftermarket
devices only to discover a dead battery the next day.

With all
this in mind, No*Rats is powered primarily from its own
dedicated battery, which is recharged by the vehicle's
electrical system whenever the engine is running; when the
ignition is off, the additional current draw from the vehicle's
battery is in the micro-amp range (i.e. almost zero). Having an
independent power source also means that No*Rats will continue
to operate in the event that a car thief cuts the cables to the
primary battery in an attempt to defeat the alarm system.

No*Rats
requires a reliable wireless data connection in order to report
status and receive commands. One option would be a
point-to-point RF data link on one of the license-free bands, a
feature offered by some high-end vehicle alarm systems. This
approach has the advantages of quick notification times and no
recurring fees. Although suitable RF data modules are readily
available, and are easy to incorporate into new designs, they
are limited to line-of-sight operation and their maximum range
is a few miles at best; what good is a vehicle tracking system
that stops working a couple of miles away from home? WiFi has
similar disadvantages. Cellular data service is one way to
obtain the sort of broad geographic coverage that is needed for
useful tracking. Another possibility would be a satellite
service such as Iridium; however, I'm not aware of any embedded
radio modules that could be incorporated into a vehicle tracking
design by a hobbyist, nor is the service pricing likely to be
particularly inexpensive.

There are
two primary digital cellular technologies used in the United
States: CDMA and GSM. GSM offers two distinct advantages:
interchangeable SIM cards and almost ubiquitous GPRS
coverage, both in the US and around the world. Where I live,
if my Corvette is stolen, there is a good chance it will be
headed straight to Mexico, where CDMA data coverage is simply
nonexistent in the vast majority of the country. Not only is
GPRS coverage better, I can also buy a prepaid SIM card, pop it
into the GM862-GPS
module, and No*Rats is instantly online. All of this
makes GSM/GPRS the natural choice for No*Rats' connectivity.

Conventional
tracking devices and alarm systems are generic, designed to work
in as many different cars as possible to maximize sales. The
downside to being generic is that installers must hack and slash
the vehicle's wiring to allow the unit to perform functions such
as locking or unlocking doors or flashing the parking lights.
Not only is this kind of installation a major hassle, but it can
lead to electrical problems down the road. I wanted a device
that would integrate with the car without splicing a bunch of
wires or adding relays. All No*Rats needs is 3 wires: +12V, GND,
and a connection to the Class 2 bus. Connection is easily
accomplished using squeeze-taps. The Class 2 bus connection
allows No*Rats to not only monitor the status of the vehicle,
but to issue commands such as unlocking doors, honking the horn,
or flashing the parking lights.

Since the
Internet and the public telephone network form an integral part
of the data path between No*Rats and the server, data security
was a top concern right from the start. It just wouldn't do to
have a "hacker" be able to follow my every move, or send
commands to unlock my car. The protocol between No*Rats and the
server employs mutual authentication and strong encryption to
set up a secure channel for all messages between the No*Rats
client and the C&C server. A one-time-use session key is
randomly generated for each communication session to limit
exposure of the message traffic to cryptographic attacks. Keys
are stored within secure hardware in the microcontroller, making
them impossible to extract without a) physical access to the
No*Rats hardware, and b) destroying the microcontroller in the
process.
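
One way such a handshake can work, as an added example rather than the actual No*Rats protocol (which this page does not specify): it assumes a pre-shared 32-byte key and an HMAC-SHA256 challenge-response, with a fresh session key derived from both sides' nonces. All function names, labels and the device ID are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
SAMPLE_KEY = bytes(range(32))   # constructed demo key; a real one is random and secret
DEVICE_ID = b"unit-0001"        # hypothetical device identifier

def tag(key, label, nonce_c, nonce_s, device_id=b""):
    # Fixed-length label and nonces come first so field boundaries are unambiguous.
    return hmac.new(key, label + nonce_c + nonce_s + device_id, hashlib.sha256).digest()

def server_respond(key, device_id, nonce_c):
    """Server proves it holds the key by MACing the client's fresh nonce."""
    nonce_s = secrets.token_bytes(NONCE_LEN)
    return nonce_s, tag(key, b"srv", nonce_c, nonce_s, device_id)

def client_finish(key, device_id, nonce_c, nonce_s, tag_s):
    """Client verifies the server first, then returns (its proof, session key)."""
    if not hmac.compare_digest(tag_s, tag(key, b"srv", nonce_c, nonce_s, device_id)):
        return None
    return tag(key, b"cli", nonce_c, nonce_s, device_id), tag(key, b"key", nonce_c, nonce_s)

def server_finish(key, device_id, nonce_c, nonce_s, tag_c):
    """Server verifies the client's proof and derives the same session key."""
    if not hmac.compare_digest(tag_c, tag(key, b"cli", nonce_c, nonce_s, device_id)):
        return None
    return tag(key, b"key", nonce_c, nonce_s)

def handshake(client_key, server_key, device_id=DEVICE_ID):
    """One session. Returns (client_session_key, server_session_key) or None."""
    nonce_c = secrets.token_bytes(NONCE_LEN)
    nonce_s, tag_s = server_respond(server_key, device_id, nonce_c)
    done = client_finish(client_key, device_id, nonce_c, nonce_s, tag_s)
    if done is None:
        return None            # server could not prove knowledge of the key
    tag_c, k_client = done
    k_server = server_finish(server_key, device_id, nonce_c, nonce_s, tag_c)
    return None if k_server is None else (k_client, k_server)

if __name__ == "__main__":
    # The derived key would then key an authenticated cipher for the session (not shown).
    print("keys agree:", len(set(handshake(SAMPLE_KEY, SAMPLE_KEY))) == 1)
    print("wrong server key:", handshake(SAMPLE_KEY, bytes(32)))
```

The distinct "srv" and "cli" labels keep a captured server proof from being reflected back as a client proof, and the fresh nonces make a recorded exchange useless in a later session.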

I selected a Telit
GM862-GPS for the No*Rats because it combines
a GPS receiver and GPRS connectivity into a single compact
module. The module also has a real-time clock capable of waking
up not only the Telit module but the attached microcontroller at
a programmable future time. This feature is essential so that
the No*Rats can spend most of its time asleep yet still wake up
at regular intervals for status reporting.

Using a HUD One prototype board as a starting point, I cobbled together a daughterboard upon which to mount the GM862-GPS. After purchasing the module as well as a breakout board from Sparkfun, I used a piece of perfboard with some header connectors soldered onto it to act as an adapter between the HUD One board and the Sparkfun breakout board; the resulting "sandwich" is hideous to look at but quite functional.

The No*Rats has been on the back burner for a while now, due primarily to the lack of affordable M2M (machine-to-machine) cellular service plans. Although cellular providers like AT&T offer reasonably-priced data plans for phones, their terms of service specifically prohibit M2M devices (no doubt to avoid competing against their M2M resellers). To get cellular service for M2M devices, one must contract with an MVNO, i.e. a third-party reseller of cellular service. Several MVNOs offer M2M service; however, their fees are geared towards large companies with many devices (e.g. trucking companies wanting to track their truck fleets), and their pricing structures are prohibitively expensive for the hobbyist. As an example, one provider charges a $50/month basic access fee, plus another $5 - $90/month for each device (depending on how much data it uses during the month). This is fine if you are a large corporation with a fleet of 50 or 100 vehicles you want to track, but $55+/month is a little steep for someone with a single vehicle to monitor. This pricing model is why most companies that sell vehicle tracking devices to the public typically set up an M2M cellular service plan on behalf of all their customers, rather than sending their customers directly to an M2M cellular service provider. The tracking device vendors manage their service costs by severely restricting the bandwidth available to each subscriber. This is the basis for the restrictions imposed by commercial tracking device vendors.

Another obstacle is the FCC. While the GM862 module is itself FCC
certified, when the module is incorporated into another device
such as a tracker, the combined device must also pass FCC Part 15
emissions testing, a process which can take weeks and cost upwards
of $50,000. The chances of being caught may be slim, but the fines
can also be pretty big. :)