Ask Hackaday: Can You Steal A Car With A Mini Tesla Coil?

Last week we caught wind of a piece from the Today Show that shows very technically minded thieves stealing cars with a small device. Cops don’t know how they’re doing it, and of course the Today Show (and the Hackaday comments) were full of speculation. The top three theories for how these thieves are unlocking car doors are jamming a keyless entry’s ‘lock signal’, a radio transmitter to send an ‘unlock’ code, or a small EMP device touched to the passenger side door to make it unlock.

That last theory – using a small EMP device to unlock a car’s door – got the attention of someone who builds mini EMP devices and has used them to get credits on slot machines. He emailed us under a condition of anonymity, but he says it’s highly unlikely a mini EMP device would be able to activate the solenoid on a car door.

This anonymous electromagnetic wizard would like to open up a challenge to Hackaday readers, though: demonstrate a miniature EMP device able to unlock an unmodified car door, and you’ll earn the respect of high voltage tinkerers the world over. If you’re successful you could always sell your device to a few criminal interests, but let’s keep things above board here.

85 thoughts on “Ask Hackaday: Can You Steal A Car With A Mini Tesla Coil?”

    1. You can easily light a neon lamp using an electrical field, otherwise neon lamps would not work. I did that in the mid 70s putting a 6-watt neon tube pulled from a portable lamp near my CB rtx antenna.
      But lighting a lamp and opening a lock are completely different things.

  1. The mini EMP is not capable of making the solenoid function all alone, BUT it doesn’t have to. The reason it works is the security system detects a voltage drop on the circuit. The voltage drop is what triggers the alarm system to send the power to the lock actuator, and that is what opens the lock. That’s why the alarm does not go off: it thinks that the key has been put in the lock and turned. A voltage drop to the circuit is the trigger to lock if unlocked or unlock if locked. Simple, and if you don’t believe me go ahead and look at the lock actuator circuits on the Honda or Acura; a tech even made note of this in a comment.

    1. The energy flowing through the coil induces a voltage somewhere in the coin acceptor’s circuitry. Probably several places. Probably higher voltage than the circuits are designed for. With extreme good luck, voltages leak all over the place, and some of the current ends up activating a transistor somewhere that would normally be triggered by a coin input.

      Basically just throwing enough electrons at it, and crossing your fingers. It’s not a high-tech solution, or targeted at all. Unless someone knows better.

  2. I’ll repeat here my theory (comment 230 on the original story) that they are not breaking in.
    I believe that when the owner takes the keys into the house they are still near enough to the car to make the alarm think the person trying the door handle is the keyholder and thus it opens for them.

    The reason why they don’t drive off with the car is because it will go out of range of the keyfob and stop; this is why they only go for the contents of the glovebox.

    The title is misleading, the criminals in the original piece never drove off with a stolen vehicle and I don’t remember anyone saying you could steal a car with their theory only that it may open the door.

    1. you don’t need the “keyless-key” to keep the car running. just to start it.
      once it’s started, you can bring the key out of range and the car will keep running.
      i know this because of a friend with a car like this. he once drove with his wife, the key was in his wife’s pocket. he dropped her off somewhere and went to look for a parking space. the problem was, once he parked the car, he noticed the missing key, which was still in his wife’s pocket, far away. he couldn’t lock the car and couldn’t start it again.

      1. Depends on the car, mine will complain if the key is not IN the car, i.e. standing beside the car with the key won’t let it start, the key has to be inside the vehicle to start, and will start to complain if you take the key out of range…

        1. Smash left turn light open the door now you looped the alarm and now you are in the car turn on the duplex extender rf repeater a-b brigh and you will Start the car all locks have weak spots sorry to say

      2. I tried to start a 1998 Chrysler Sebring convertible with a “dumb” key in the ignition and one of the security keys held up against the column next to the ignition lock. Didn’t work. The security key has to be in the lock to start the car.

        I’d need to check again to be sure, on my 1997 Taurus, the remote won’t pop the trunk or unlock the doors if the key is in the ignition lock, with the engine running or off.

        If a current could be induced in the coil of a simple solenoid actuated lock, that could cause it to retract. Not likely to happen with motor driven lock actuators.

        As for jiggering the alarms, don’t have a clue. Car alarms are designed to go off when the lock is opened with the alarm armed, and the lock wasn’t opened using a key or the remote fob. In other words, the lock mechanism physically moved by using the mechanical button/knob or by using a locksmith type tool to slide into the door.

        An interesting thing did happen with my 97 Taurus and a 2004 Dodge Dakota. They were both at a shop and someone started arc welding. The instant the spark was struck, both car alarms went off. The randomness of the RF emission from the welding arc somehow triggered the car alarms.

        Perhaps someone has discovered a specific RF signal spread that can scramble some car alarms into NOT going off. Combine it with a method of popping solenoid type lock actuators and you’ve a B&E device that leaves behind no evidence.

      3. Some friends of mine did this with a Renault (Megane I think), they managed to get the driver (a friend too) out of his running car, and drove the car a few blocks away. It didn’t stop even at a red light, but didn’t start after ignition was turned off…

    2. No standard car system will turn the car off if the keyless fob is removed while on. That’s a huge liability and lawsuits waiting to happen. Imagine the system or the fob dies while you are on the highway.

    3. Actually you’re not right about the don’t drive off, don’t know if you have read it or you actually tried it out. I can tell you that most cars 🚗 keyless they drive to the engine is off of empty for gas. That out of reach from the key only counts when you intet and push start then the key is out of control sorry to say. We can hope they step up and do something about the problem

  3. I don’t think this device alone could output enough power to activate a solenoid. First of all the point of entry would have to be isolated from ground. Meaning some sort of barrier between the door handle and the actual door, or the lock and the door.

    Doors / body of the car, are usually grounded, and would cause any output to travel right to ground.

    The solenoid, or whatever is used in cars would need to have a driver board, which has constant power running to it. If the driver board had a mosfet to act as a switch, and someone was able to find a spot of entry that wasn’t surrounded by ground… MAYBE, and that’s a HUGE MAYBE this would work. HIGHLY UNLIKELY.

    These type of devices have shown to send output that will travel through copper wires, traveling to circuit boards, and affecting the boards in a number of different ways, HOWEVER I SERIOUSLY DOUBT THIS CAN BE USED to activate a solenoid or its “driver” board whatever that may be. (I’ve never looked inside of a car door, so I have no clue what’s going on in there)

    It is an interesting challenge though….

  4. this is why the mini tesla unlocks the door (weak pulse to ground) here is the article:
    04-21-2008, 11:42 PM #2
    baller status
    Honda-Tech Member
    Garage is empty, add now

    Join Date: Nov 2007
    Location: Western Hemisphere
    Posts: 491
    iTrader Rating: (0)
    Re: Unlock switch on Passenger Side door (Black/Red Wire) doesn’t work (Tr0LL)
    You don’t tap into them individually. The black/white and black/red control both sides. Just a weak pulse to ground on either wire is enough to trigger it.

    I have no idea what you broke or how. But you should start there?
    My motor doesn’t exist.
    It’s 10PM. Do you know where your Honda is?

    1. Those snippets hardly make sense out of context/formatting, but I think it’s agreeing with what I’ve known. You’re not trying to activate a solenoid directly, just fudging a switch-press for a low-current signal. Certain cars have this disabled once locked of course.

      1. Sorry here is the site where I got the information from, and you’re right I should be a bit more descriptive in my writing. From what I know Honda and Acura open with the low current signal and because the doors are not solid as Ford or Cadillac (meaning it has less of a Faraday cage effect) the pulse travels thru the composite materials of the handle area and the rest is history

    1. No way. The coil of the solenoid would block the electromagnet. And even if it were powerful enough it would probably stick to the door before it ever got to the coil.

  5. Sorry here is the site where I got the information from, and you’re right I should be a bit more descriptive in my writing. From what I know Honda and Acura open with the low current signal and because the doors are not solid as Ford or Cadillac (meaning it has less of a Faraday cage effect) the pulse travels thru the composite materials of the handle area and the rest is history

  6. Has anybody actually built his circuit? – it doesn’t make sense – following the youtube video circuit description, the transistor connects directly across the battery [shorting it via the 10K resistor biasing the transistor on], the base coil at right angles to the collector coil [minimum pickup?]

        1. The power source appears to be 5x 9V batteries in series. 9V batteries have a relatively high internal impedance, so it helps to imagine a small resistor in series with the power source. Then it’s no longer impossible, just inefficient in terms of battery depletion and transistor heating – neither of which is really an issue for something operated intermittently. All that matters is that it successfully oscillates, and transfers sufficient power to the load.

          1. “I would place an inductor in series with the collector and the positive, this could prevent battery depletion.”

            Wow, it’s almost like this is the purpose of the smaller coil!

  7. Interesting, there are a lot of legal issues here.
    Just reading this thread could come under “conspiracy to…” etc.
    Back to hacking, I have a Mira here with CLS which is going to be scrapped anyway, if anyone wants to “experiment” on it to see if older cars can be unlocked like this please PM me.

    Re. EMP/Tesla Coil/etc, you don’t even need much current as it is obviously the pulse geometry (rise time, etc) that makes the difference.
    Think jeweller’s screwdriver versus sledgehammer, both work but the former does less collateral damage.

    I also noticed the thread re. tyre pressure meters not being protected on high end cars, if true then this is a MAJOR security fail of Biblical proportions.

  8. The main problem with these devices is poor EMI control. I have had this problem with some homemade circuits where they pick up unexpected signals and trigger when they are not supposed to. If the main device is a microcontroller, a simple 100ms debounce is usually enough to foil most things like this.

      1. When the machine is keeping tabs on how much it owes you and it thinks you put in $100, when you hit the payout button even without playing I don’t think it matters which mechanism you tricked by then, it’s going to pay you what it thinks it owes you.

  9. In the old days of coin-op arcade games, some people used piezo gas barbeque-lighters against the coin door to generate high voltage spikes that would make noise on the coin inputs to the board and gain credits. Later boards added caps and software to filter out the spikes.
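The software filtering mentioned in the two comments above (a 100 ms debounce, and boards that later filtered spikes in software), as an added example that is not part of the original comments or any vendor's firmware. It assumes a hypothetical switch input polled from a 1 ms timer tick, and the spike burst is a constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SAMPLE_PERIOD_MS 1u    /* assumption: input is polled once per 1 ms tick */
#define DEBOUNCE_MS      100u  /* the 100 ms figure from the comment */
#define MAX_SPIKES       32u

typedef struct {
    bool     stable;   /* last accepted level (true = switch asserted) */
    uint16_t held_ms;  /* how long the raw input has continuously disagreed */
} debounce_t;

/* Feed one raw sample. Returns true only on the tick where a new level is
 * accepted. Any sample that agrees with the accepted level resets the timer,
 * so short spikes can never add up to an accepted change. */
static bool debounce_sample(debounce_t *d, bool raw)
{
    if (raw == d->stable) {
        d->held_ms = 0;
        return false;
    }
    d->held_ms += SAMPLE_PERIOD_MS;
    if (d->held_ms < DEBOUNCE_MS)
        return false;
    d->stable = raw;
    d->held_ms = 0;
    return true;
}

/* One stretch of the input trace: a level held for ms milliseconds. */
typedef struct { bool level; uint16_t ms; } segment_t;

/* Unfiltered input handling: every raw rising edge counts as a request. */
static unsigned count_raw_edges(const segment_t *t, size_t n)
{
    unsigned count = 0;
    bool prev = false;
    for (size_t i = 0; i < n; i++) {
        if (t[i].ms == 0)
            continue;
        if (t[i].level && !prev)
            count++;
        prev = t[i].level;
    }
    return count;
}

/* Filtered input handling: only accepted idle-to-asserted changes count. */
static unsigned count_debounced(const segment_t *t, size_t n)
{
    debounce_t d = { false, 0 };
    unsigned count = 0;
    for (size_t i = 0; i < n; i++)
        for (uint16_t ms = 0; ms < t[i].ms; ms += SAMPLE_PERIOD_MS)
            if (debounce_sample(&d, t[i].level) && d.stable)
                count++;
    return count;
}

/* Constructed trace: `spikes` pulses asserted for on_ms with off_ms idle
 * after each one, run through either the raw or the debounced counter. */
static unsigned run_burst(unsigned spikes, uint16_t on_ms, uint16_t off_ms,
                          bool debounced)
{
    segment_t t[2 * MAX_SPIKES];
    size_t n = 0;
    for (unsigned i = 0; i < spikes && i < MAX_SPIKES; i++) {
        t[n++] = (segment_t){ true, on_ms };
        t[n++] = (segment_t){ false, off_ms };
    }
    return debounced ? count_debounced(t, n) : count_raw_edges(t, n);
}

int main(void)
{
    /* 20 spikes of 5 ms: 100 ms asserted in total, but never continuously. */
    printf("noise burst, raw edges:  %u\n", run_burst(20, 5, 3, false));
    printf("noise burst, debounced:  %u\n", run_burst(20, 5, 3, true));
    /* One deliberate 250 ms press, then two separate 150 ms presses. */
    printf("one press, debounced:    %u\n", run_burst(1, 250, 200, true));
    printf("two presses, debounced:  %u\n", run_burst(2, 150, 150, true));
    return 0;
}
```

The filter only rejects transients shorter than the window; an input held asserted for the full 100 ms is accepted whatever caused it.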

  10. can’t this be used to jam electric meters for free or cheaper electric by making the meter spin backwards, stop or the smart meters malfunction in the same way that the car locks do or something?

    1. Is it possible to stop (or full damage, but invisible) the new electric meter (version with digital LCD display) on our house, by direct short shock to its connecting terminals from the top of Tesla transformer / Tesla coil? Wanted is the error, which looks like caused by pulse of high voltage from the grid.

  11. 1) Unlock door
    2) ???
    3) Steal car

    So I just want to know why this post is titled with “steal a car”. Sensationalism?

    Also, all circuits described so far are HERF, not EMP.

    1. Let’s not let facts get in the way. The mythical “EMP” has long been touted by many as a way of getting into cars, getting free credits, opening electronic locks. Lots of people claim to have made them and they work, yet there is no evidence.

      I’ve filed it away with the number of people who have actually used thermite to open safes and have turned a scanner into a transmitting radio.

      1. Apparently I am then the only living proof and inventor. I have made quite a few EMP generators. At first it was a beginner’s mistake when I was going to make a taser, but the recipe was not entirely correct, so it cost me a mobile phone, but when I saw what I had made, it quickly paid for itself again, legally!!!

  12. Some thoughts.

    1) The thieves could have been scammed and have been sold a “snake oil” gadget to unlock cars and are just discovering cars that aren’t locked.

    2) Could be a variant of the locking signal being jammed – I have seen a whole carpark where cars went unlocked due to some device transmitting on the fobs’ frequency.

    3) Could it be a very strong magnet that can mechanically affect the locking mechanism of certain cars – I suspect the skin of some car doors don’t have much steel in them these days.

  13. If the circuit is enclosed in a faraday jail the EMP can’t do anything. Isn’t the car itself a faraday jail? Just asking, i suppose that the circuit near the windows is exposed it might work.

  14. If the EMP were activating just the actuator/solenoid wouldn’t the car alarm still go off when opening the door? I think the hack targets the key lock itself to fool the lock that a key has been inserted and used for opening, that way the alarm will be deactivated. The lock mechanism must have some kind of limit switch when turning the key that sends an “unlock” command to the car computer that in turn activates the door solenoids.

    The reason they target the passenger side door may just be because it’s easier to access the glove compartment from that side and you’ll probably have more room if you’re going to get inside and do a more thorough search.

  15. @ xmitman you mean you bought a product or paid for subscription and did not send the product or give you premium access to the site?

    i hope you paid by credit card so you can do a chargeback

    1. I bought the 8 bit jammer he shows beating the IGT slot machine, it was supposed to include schematics, gerber files, code for the micro-controller and a completely assembled unit. I paid $850 by Western Union, he wouldn’t accept any other type of payment. He never shipped anything and made up excuse after excuse, then stopped responding to emails. After a couple of months of updates to his Pheed site, he stopped updating it completely. Some of his schematics work to light fluorescent tubes but none of it works on modern slot machines. It’ll work on a few plastic slot machines from China that you might find in South America but nothing you’d find in a North American casino. Nonetheless, he never shipped anything because it doesn’t work even after I gave him a prepaid FEDEX label. He has ripped off many people and several of them started new groups to continue the research. He tries to hide, but I was able to investigate and get a lot of information on him including his personal details to give to the authorities which I’ll do when I’m ready. I’ll let him sweat, not knowing what to expect, then I’ll hand over the evidence to the police or go directly to the DA with a ready-to-go case file.

      1. Are you going to tell the police you tried to buy a jammer for illegal things, but you got cheated, so now you would like their help? Maybe it’s because I live in Denmark, but I can hardly believe the police are that naive anywhere in the world. No matter what, though, I hope you get your money. And the seller ought to get a serious thrashing instead of a small fine.

  16. here is another version that looks more like i think what it should be

    just remove d1 and c2 and make the high side coil longer i think is how it should work.

    i suspect either the person in the youtube video hastily threw together the schematic or we have another leonardo davinci he did not want to take the blame for theft of property if the device is used for that purpose.

    remember: this is for educational use only and using it to break into cars is illegal and considered breaking and entering and theft but is a great way to test your own car for security flaws.

  17. The car thieves “round ‘ere” use two electronic methods: One is to just scan through all possible codes, which can be done in minutes, because most car remote keyfobs are just dumb ppm-modulated radios sending the same fixed 16-bit number 3 times on every “open”-key press and thus very easy to hack. Not even the simplest cryptography need apply for carlocks. The thief just runs the entire sequence in a parking lot and *something* will open.

    The other popular way is to duplicate the keys completely, together with the electronic ID, when someone uses a valet serviced car park, garage or car cleaning service. Only nice cars are at risk here.

    1. I don’t think most car remotes are dumb. Ford, Audi, BMW, VW, Mercedes all use rolling codes. There really aren’t that many left that are fixed code.

      Regardless, the ones that are generally transmit at less than 2kbaud. At most you can transmit 125 16bit codes per second like this, and most systems I’ve bruteforced have been limited to closer to 10.

      2^16 / 125 is almost 9 minutes of covering the entire keyspace. A long time to wait.

  18. @cybergibbons no but i assume because every lock has a master means to open.

    most likely they are causing the electronics to malfunction and act up.

    i wouldn’t be surprised if you hold the device to the car and keep it on the lock actuator will go clicking rapidly/randomly like as if you flick the lock button back and forth rapidly repeatedly.

    or like in the old days you could push and hold the lock button for a few seconds then release and push and hold it again and the actuator would chatter on and off as that is the circuit breaker bulb cycling on and off.

    also it may be possible that you could foul up the other electronics in the car

    1. It’s nonsense. Most of the responses are conjecture without even a basic understanding of how cars work – how door locks work, how the ECU works, how the immobilizer works.

      In Europe thieves have cracked the security of OEM key fobs / push to start systems. These are on newer high-end vehicles. All of them rely on the same, very weak security encryption. I say “Europe” because it hasn’t caught on stateside yet. There is nothing magical or spooky about it. No reason to invoke Tesla.

      Aftermarket alarm key fobs are based on much stronger security. They can be circumvented but it’s harder… there are devices that sync up to the key fob – but they can only do this when the key fob is in use. DEI’s (Viper, Python, Clifford etc) solution is that when disarmed, the alarm LED blinks a number of times indicating how many key fobs are programmed. It’s on the owner to notice that a third one is programmed, then erase all and reprogram his own key fobs.

  19. @Shaun yes you are right that’s the signal between the fob and the radio receiver circuit in the security system.

    the signal between the controller circuit and the h bridge (motor reversal driver) and relay driver transistors is not and can not be protected with encryption.

    if you ever played with a radio controlled car in the 70’s and 80’s especially the single function cars during a thunderstorm or near a running jacobs ladder or tesla coil you notice the car acting up.

    that is the emf created by lightning or other sources.

    now if you saw the one video where the tesla coil caused the numbers on the one device to randomize.

    that’s because the emf is acting on the display driver chip.

    if you have seen the movie “short circuit 2” the scene where johnny 5 comes up from the man hole and lifts the getaway car the note the radio display, horn and lights was all acting up at the same time.

    the robot was doing something similar.

    also note in the video where he destroyed a multimeter doing that to the meter i think that is what happens with the road patriot which is an emp/emf device that is designed to disable the car.

    it is possible that the tesla coil is destroying the car’s security computer.

    an easy way to test that safely is if you become a victim of this attack then try your fob to see if it still works.

    if it still works then it did not cause any damage

  20. i build jammers emp .not for slots.just for me…see what i can do…whats happening..etc. EMP devices can’t open car door!!! no right side…no left side !!! i have many types of jammer…many types of transistors…none open a car door. for slots… for few types of slots

  21. I’ve had the remote receiving device from an American Jeep to look at. There is a remote receiver and its microcontroller attached inside the passenger door (inside a plastic housing – the only shielding is the door itself, the radio signal needs to reach the receiver in normal operation). Once it receives the ‘unlock’ signal it sends a data stream to the vehicle ecu that disables the alarm and also unlocks the door. All you need to do is crash that microcontroller so that it incorrectly sends the command to unlock and disable the alarm. A close enough and powerful enough pulsed RF field would most likely do it – I’ve experienced equipment malfunctions myself with only a couple of watts of RF power, but have never had the opportunity to legally try it on a car or someone else’s equipment.

    1. Still, big difference between crashing an MCU, and getting it to send out whatever required sequence to open the door. Presuming there’s some intelligence in the system and it’s not just a voltage pulse. It’s presumably on a serial bus, so a simple call-response, or even just the right sequence of bytes, would be easy for mfrs to implement, and make cracking more than a completely simple job.

      If it is just a sequence of bytes, maybe a pickup coil near as it’s legitimately opened, connected to a laptop. Would be great if you owned one yourself, and the sequence was the same for all cars of that model.

      Since criminals are known to sniff codes and suchlike, I’d expect mfrs to put in at least as much security as is convenient. There’s lots of security stuff you can do just in simple software on low-end MCUs. They manage it in keychains running off a watch battery.

      If a pulse of energy was going to open a door, it’d have to be right at the low-tech end, the transistor that drives the solenoid that pulls the lock open. Anything above that would be a one in a million fluke, to be able to glitch like that.

      That, or a really shittily designed lock system. And I think they’ve all gone now.

      1. On MCU crashing: All semiconductor junctions are diodes, so an RF field becomes rectified by them, pulsing it exacerbates any effects caused. Using a higher frequency emission means smaller circuit traces can more easily act as antennas – in a car the long wiring loom can act as an antenna for lower frequencies. The outcome of stray voltages running around an MCU is unknown, but it can jump the internal program counter about (one particular EMP device I made caused erratic operation of a child’s toy at over 5m distance – no magnetrons used here either and the toy had no electromagnetic shielding). If the program counter happens to land in the piece of code that unlocks the doors then it will, serial transmission or not. The reason I haven’t tried it is that it could prove costly if the controller decides to overwrite its internal memory (which holds the keyfob data), and I don’t fancy paying for a new locking module, it can also cause an effect called latch-up which could permanently destroy or damage the MCU.

        In the UK in the past (around mid 80’s) if you had an illegal CB booster you could get free fuel by keying up the transmitter at the fuel pumps – it used to reset the amount delivered to zero… (no one called it EMP then though). Coded car radios could be unlocked by crashing the internal MCU, by dabbing a damp finger across its quartz crystal and hoping for the best – sometimes the memory would be corrupted, this is the effect you’d probably get from large RF exposure.

        Most petty criminals are unlikely to have anything as ‘high-tech’ as code grabbers / decoders. It was fun for me though at the time alarms used the fixed code type (early 90’s), I used to leave the (8-bit at the time) computer running overnight hooked to a boosted key fob and get a dawn chorus of alarms as people that thought they’d unarmed their vehicle had unknowingly armed it and attempted to enter… now it’s all rolling code you can’t do this particular stunt.

        Build yourself a power RF oscillator and have an experiment with your own electronic devices to see the outcome, CD players and DVD players are particularly sensitive. You must take responsibility for any permanent damage caused, however; it is a possibility.

        From what I’ve seen of the so called ‘slot machine jammers’, it’s a circuit very similar, if not the same as the ‘slayer exciter’ used for mini Tesla coils and probably operates somewhere between 2 and 20 MHz (definitely not worth the $800+ dollars I’ve seen them advertised for – apart from the fact they are said to no longer work and not to mention that deliberately causing mis-operation of something you don’t own, without permission, is most likely illegal anyway).

        1. Sure, but there’s a lot of junctions in a chip! Getting the right one to flip the program counter to a useful address is itself really unlikely, without worrying about all the other induced voltages running round the place ruining things. You MIGHT, but I’d watch out for getting struck by lightning on the way home.

          I heard people used to use the electric sparker from cigarette lighters, back in the day, for fruit machines. Just zap the chassis. Not sure how often it worked. I’d bet they don’t work now. The more complex stuff you have in a machine, the less likely to glitch it just-right to get what you want. They probably didn’t work that well even then! Maybe on a machine that’s mostly mechanical, with just a few electronic bits, glitching single transistors to trigger things. By now the ship’s well sailed, but I doubt it’s something you’ll get your money back on.

          The car radio thing’s interesting, but presumably those radios defaulted to a fail-safe state, ie unlocked and ready to go. Should some voltage glitch occur, not rare in cars, you’d get less irate customers complaining about a glitch that unlocks their radio, than one that locks it. Of course a damp finger isn’t a voltage glitch, but it’s still an error, that upsets the watchdog or the brownout detector or whatever. Fail-safe covers many unforeseen problems. For a car door, better to fail locked.

          1. I once worked for a fruit machine manufacturer and one of the tests for a new machine while it was being certified for EMI compliance was to touch a calibrated charged probe to various metal parts. I witnessed the particular machine being tested crash due to this (it would either lock up or reset). The reason is that as the high voltage surge passes through the ground wiring it induces transients into other circuit parts which can cause an upset – some information here:

            I’m lucky in that I can build my own devices and have previously built an effective (but not exactly portable – it used sections of co-ax cable) em generator for very little outlay (less than £10 UK). The few parts needed for one of the so called ‘EMP jammers’ also cost next to nothing – it’s nothing more than an RF power oscillator.

            I can build a ‘slot machine jammer’, but doubt anyone would let me test it against their vehicle, but if I get lucky I’ll be sure to post the results here.

        2. BTW which 8-bit computer? Just out of curiosity…! Did you design the interface yourself? I know the Atari 8-bit home computers could have a data-direction register altered at a memory address, to turn the joystick ports into 8 easy outputs.

          You could also wire 4 Nicads, for 4.8V, up to the joystick port’s 5-volt output. It’d run the computer from there, like a battery backup! With a small wagon for the TV I’d have had a “laptop” comparable to most 80s “portable” computers.

          1. The 8 bit computer was indeed an Atari, an 800XL – (If I remember right, memory locations 54018 and 54016 were used for controlling the port — so nerdy, lol). It used the ground and a single output from the joystick port to turn the UHF (it was 418MHz then) OOK keyfob on or off. The transmitter ran on one of those small 12v batteries but as the output only had to bias the keyfob transistor on/off the 0v/5v from the port was fine. A small piece of 6502 code was used to toggle the output quickly enough (and at a regular pace), turning the transmitter on or off in place of the transmitter’s original chip. I had to work out the patterns for high or low or open (most of the keyfob chips had 3 state code setting inputs) by receiving some transmissions, recording them on tape and then viewing the waveform with a sound sampler on that same computer – the things a bored 12 year old gets up to eh… and no internet to help either. Those were the days.

  22. you all were so wrong …..smh. it really was legit. Parasitic Capacitance driven by a modified slayer exciter using an original 2sc2078 transistor from Cobra 27 CB radio. The right amount of turns and rotation and length of the windings needs to be precise. A reversed polarity red/green is also needed. Be careful though, it comes with a 10 year prison sentence if you’re caught with one.
