Submitted By Andy Morton

General Motors employs the PK3+ transponder-based anti-theft system on 2007 and newer light trucks/SUVs. The system uses a Philips encrypted transponder chip embedded in the head of the key. The vehicle's key communicates with the vehicle control module via a ring antenna/transceiver module (theft module) secured to the ignition lock assembly housing around the lock core. The starter switch is installed into the lower assembly housing beneath the lock core. The two components are mated by an actuator cam assembly. The starter switch is equipped with an actuator cam on top of the switch (white gear). When the ignition lock is rotated, the actuator cam rotates the starter switch cam.
The vehicle is not equipped with a steering column locking device (locking pin). General Motors removed the column locking pin from the steering column assembly housing of automatic transmission equipped trucks beginning in the year 2001. The column lock was rumored to be reintroduced on the 2012 light trucks/SUVs. The vehicle is equipped with a gear selector lever locking cable, which is attached to the assembly housing and routed to the shift gate. The shift lock cable retracts from the shift gate upon rotation of the ignition lock core, thus allowing the vehicle's transmission linkage to be shifted.
During the course of vehicle examinations, a pattern has developed in the methods used to compromise the transponder-based anti-theft systems of General Motors light trucks/SUVs. The major components of the theft deterrent system are the transponder-equipped key, the RFID ring antenna/transceiver module (theft module), and the powertrain control module. These components are programmed to one another and need to be replaced as a set or reprogrammed individually. It has been noted that the swapping of preprogrammed components to a targeted vehicle would be the preferred method of compromise.
A theft starts with entry into a locked vehicle. These vehicles are equipped with a left front door-mounted door handle/lock assembly. The door handle is made of plastic, with a metal alloy door lock. In some cases the door lock is forced inward out of the mounting position and then rotated with a flat blade type tool to the unlock position. Others had the door lock core forcibly rotated to the unlock position with a flat blade type tool. The rotation of the door lock/core will unlock the door and disarm the content alarm. The next step has been to access the vehicle powertrain control module. This module is mounted in the engine compartment to the left front frame rail. The powertrain control module's wiring harness connectors are disconnected and a preprogrammed control module is installed in its place.
The next step involves the removal of the steering column shrouds. This will allow access to the steering column mounted ignition lock/starter switch components and the gear selector lever/shift gate assembly. The ignition lock need not be compromised. The RFID ring antenna/transceiver module wiring harness is disconnected and a preprogrammed module is connected to the wiring. The RFID ring antenna/transceiver module is not required to be installed on the steering column assembly housing. The module can be suspended by the wiring harness and the preprogrammed key (electronically matched to the powertrain control and transceiver modules) inserted into the ring antenna portion of the module. The starter switch is then forcibly removed from the steering column's assembly housing. Once the starter switch has been accessed, the actuator cam (white gear) on top of the starter switch can be manually rotated to energize the vehicle's electrical system and to start the vehicle.
After the vehicle's engine has been started, the transmission must be shifted. This can be done two ways. The gear selector lever can be forcibly moved from the "park" position, damaging the shift lock cable detent, allowing the transmission shift linkage to operate. The second method is to access the transmission shift cable, which is attached to the transmission's shift linkage, and remove the "locked" shift cable by hand. This will allow manually shifting the transmission mounted linkage.
The General Motors vehicles are equipped with an ONSTAR vehicle protection/notification system. The ONSTAR system uses a GPS-based tracking system in case of vehicle theft. The ONSTAR antenna is mounted to the roof panel and the control module is located behind the audio component and the HVAC controls. The examined vehicles had either the audio component and/or the HVAC controls removed to gain access to the ONSTAR module. The ONSTAR module had been removed. The ONSTAR power wire or antenna cable could also be severed. These actions would also eliminate notification to an ONSTAR operator, preventing vehicle tracking and engine shutdown.

By admin