Kill Switch

Well, said I would post more info on my kill switch, and while I will not give specific details as to locations of items. Below is the wiring diagram for what I set up. Other ideas are to use any switch existing in the vehicle and tap off the hot when pressed side to feed to the #86 posts on the relays. However, you would also need a diode installed between the relays and switch so it won’t back-feed the switch after the relays are set on. Also, could intercept the fuel pump ground wire instead of the shifter solenoid, but then truck won’t start without activating relays first (no remote start), which is why I chose to intercept the shifter lock solenoid wire instead.

Question,

How does applying a killswitch to the shifter lock solenoid differ from enabling the police shift lockout in Forscan? Is it simply a hardware analogue to the digital solution?
 
Question,

How does applying a killswitch to the shifter lock solenoid differ from enabling the police shift lockout in Forscan? Is it simply a hardware analogue to the digital solution?
I believe Forscan shift lock just requires the key to be present. But if your key has been cloned (how they stole my neighbors 2019 F150 platy), then the Forscan shift lock mode would do nothing for you.

With a physical switch, key or no key, somebody has to know what switch to flip to allow the car to be driven.
 
Question,

How does applying a killswitch to the shifter lock solenoid differ from enabling the police shift lockout in Forscan? Is it simply a hardware analogue to the digital solution?
Well, one of the major issues with the push button start vehicles is the ability for a knowledgeable thief to scan the rfid signal for your key fob so the vehicle thinks the key is there. Others replace the BCM, PCM and possibly others (not too knowledgeable about the specifics of this theft method) with ones they have that they have a key fob for, then they can drive away. While this will not stop a good thief, it will slow them down and throw another issue their way, possibly making them think twice and leave.
 
My '22 came from the factory with 'police mode' enabled. No Forscan required.

Tested by starting truck and taking the fob inside the house. Could not move the column shifter at all.
 
I believe Forscan shift lock just requires the key to be present. But if your key has been cloned (how they stole my neighbors 2019 F150 platy), then the Forscan shift lock mode would do nothing for you.

With a physical switch, key or no key, somebody has to know what switch to flip to allow the car to be driven.
Well, one of the major issues with the push button start vehicles is the ability for a knowledgeable thief to scan the rfid signal for your key fob so the vehicle thinks the key is there. Others replace the BCM, PCM and possibly others (not too knowledgeable about the specifics of this theft method) with ones they have that they have a key fob for, then they can drive away. While this will not stop a good thief, it will slow them down and throw another issue their way, possibly making them think twice and leave.

So, yes, it is a hardware solution analogous to the Ford software implementation. I think the shifter solenoid is the best possible target for such a kill switch installation, well done. Did you choose this because of the Police mode feature, or ?

I know the SDR attack was reported to Ford in 2019 and I know they quickly implemented a feature called a 'sleeping fob' in the UK on Focus, Fiesta, Puma and Kuga models but American's don't take security seriously - in any quadrant - so I've had less success determining what, if any, steps Ford has taken to mitigate the vulnerability here.
 
Last edited:
So, yes, it is a hardware solution analogous to the Ford software implementation. I think the shifter solenoid is the best possible target for such a kill switch installation, well done. Did you choose this because of the Police mode feature, or ?

I know the SDR attack was reported to Ford in 2019 and I know they quickly implemented a feature called a 'sleeping fob' in the UK on Focus, Fiesta, Puma and Kuga models but American's don't take security seriously - in any quadrant - so I've have less success determining what, if any, steps Ford has taken to mitigate the vulnerability here.
Is it the best, no. Will it prevent a seasoned thief, no. Will it prevent joy rider kids (who still the 2019 plat), yes. Will it slow somebody down, yes.
 
Is it the best, no. Will it prevent a seasoned thief, no. Will it prevent joy rider kids (who still the 2019 plat), yes. Will it slow somebody down, yes.
I really was trying to pay you a compliment.

I prefer to step out of the absolutes and deal with probabilities, I also view proper security as an exercise in layering distinct remediations to collective effect. But speaking in isolation, what, in your estimation would be a better target for such an installation?
 
Last edited:
So, yes, it is a hardware solution analogous to the Ford software implementation. I think the shifter solenoid is the best possible target for such a kill switch installation, well done. Did you choose this because of the Police mode feature, or ?

I know the SDR attack was reported to Ford in 2019 and I know they quickly implemented a feature called a 'sleeping fob' in the UK on Focus, Fiesta, Puma and Kuga models but American's don't take security seriously - in any quadrant - so I've had less success determining what, if any, steps Ford has taken to mitigate the vulnerability here.
While I have always been aware of the shifter lock solenoid, I didn’t really think of utilizing it this way until I got this truck (first vehicle I have owned with remote start) and wanted an extra layer of production while still allowing remote start capability. Thought about using the brake switch, but thought utilizing the solenoid directly was a safer option should one of the relays stop functioning.
yes, I don’t know why Ford doesn’t do more, such as a fob sleep mode to stop it from broadcasting unless you push a button on it….
 
While I have always been aware of the shifter lock solenoid, I didn’t really think of utilizing it this way until I got this truck (first vehicle I have owned with remote start) and wanted an extra layer of production while still allowing remote start capability. Thought about using the brake switch, but thought utilizing the solenoid directly was a safer option should one of the relays stop functioning.
yes, I don’t know why Ford doesn’t do more, such as a fob sleep mode to stop it from broadcasting unless you push a button on it….
I suppose you could always utilize a well hidden PLC with many vehicle functions tied into it and a USB with some specific programming so only your USB would allow proper functionality of said functions, but don’t know what other functions you could intercept while still allowing the remote start function. Would be nice to have the software to dig into the Ford module programming and be able to make something like that work and only allowing idle and no transmission shifting functions (tie into transmission shift solenoid signals also)…
 
I really was trying to pay you a compliment.

I prefer to step out of the absolutes and deal with probabilities, I also view proper security as an exercise in layering distinct remediations to collective effect. But speaking in isolation, what, in your estimation would be a better target for such an installation?
I think it fantastic. My statement was more an observation on these diy kill switches in general. They are not the be all end all, but they are a great piece of added security. I've got similar plans and am still debating if I over complicate it with stacked relays and multiple switches or just the single switch.

But yes, your design is right on and where I plan to start.
 
Well, I was unaware of the Police options until very recently and I hadn't considered that function at all. I think it's a really clever take on a classic anti-theft approach.

At it's core, this is the nature of the keyfob vulnerability.


It seems to me that the most effective counter to the fob specific class of flaws is behavioral rather than technological.

For example:
Use a Faraday box to store your fobs at the entrance to your home
DO NOT use the buttons on the fob to interact with the truck
DO use the proximity RFID button on the handle to unlock, and the numbered combo to lock.
DO understand the hallmarks of a repeater attack.
 
Last edited:
Yes, the fuel pump circuit is the way to go.
A semi-invisible toggle switch mounted under the dash that powers the fuel pump on or off directly from the battery is king. I do not have any concern of theft where I live now, but in the past I did. The thief may get it started from the fuel in the line, but within a few hundred feet or within 30 seconds, the engine will die and the thief will flee instead of sticking around trying to figure it all out. I only had one car that I did this with and it was 2nd nature for me to hit the pump switch, start it with the key and drive. A true battery kill switch needs to be well thought out before installed because of all of the modern electronic systems that draw current to keep active or things in memory when the vehicle is off. Direct wired fuel pump switches are the way to go.
 
Well, I was unaware of the Police options until very recently and I hadn't considered that function at all. I think it's a really clever take on a classic anti-theft approach.

At it's core, this is the nature of the keyfob vulnerability.


It seems to me that the most effective counter to the fob specific class of flaws is behavioral rather than technological.

For example:
Use a Faraday box to store your fobs at the entrance to your home
DO NOT use the buttons on the fob to interact with the truck
DO use the proximity RFID button on the handle to unlock, and the numbered combo to lock.
DO understand the hallmarks of a repeater attack.
How about using the Ford app to lock doors? It's always been my nightly routine to clicker lock all the cars when I check the front door. But if that creates an opening for a repeater attack, I can adjust accordingly.
 
A semi-invisible toggle switch mounted under the dash that powers the fuel pump on or off directly from the battery is king. I do not have any concern of theft where I live now, but in the past I did. The thief may get it started from the fuel in the line, but within a few hundred feet or within 30 seconds, the engine will die and the thief will flee instead of sticking around trying to figure it all out. I only had one car that I did this with and it was 2nd nature for me to hit the pump switch, start it with the key and drive. A true battery kill switch needs to be well thought out before installed because of all of the modern electronic systems that draw current to keep active or things in memory when the vehicle is off. Direct wired fuel pump switches are the way to go.
As discussed a bunch before this, that circuit and the starter circuit leave remote start non functional. The shift interlock will allow the truck to start and idle but not go out of park. So even moving from reverse to drive is independent of the kill switch. This creates far fewer risks to entangled operations
 
How about using the Ford app to lock doors? It's always been my nightly routine to clicker lock all the cars when I check the front door. But if that creates an opening for a repeater attack, I can adjust accordingly.

It depends on what threats you're protecting from, but in regard to the specific issues we're looking at in this thread, the app is very likely more secure.

Some users have pulled the fuse for the Ford Connect Modem, I've personally disabled mine in Forscan, so for people like that, pressing the two buttons on the door pillar remain the single best option for locking the vehicle.
 
Last edited:
Yes, the fuel pump circuit is the way to go.

I like this idea, and would think a fuel cut off switch is the way to go too.
I had this on an old convertible Jimmy when I was in college, and forgot I switched it. The switch was in the glove box. Tried to go out for a cruise at lunch with a group of friends and the motor just cranked and cranked. Even tried to pop start it to no avail. Couldn't steal my own truck. Silly me, remembered later in class...DOH!

Do these trucks have an inertia cut off switch? Had this switch pop on a Ranger when I was traveling cross country back in the 1990, and no one could figure it out until I towed it from Southern Ca. to Vegas, then a garage there told me about it. Simple button under the glove box
 
Last edited:
Has anyone figured out how to use a upfitter switch as a kill switch or battery disconnect?
You could tie the output of one of the upfitter switches into this system and use it to isolate any function you choose, rather than the shift lock solenoid. Also made an improvement to my previous schematic to include an output to the horn, or a secondary horn mounted somewhere hard to get to.please see below
 

Attachments

  • RELAY WIRING.pdf
    211.5 KB · Views: 164
As discussed a bunch before this, that circuit and the starter circuit leave remote start non functional. The shift interlock will allow the truck to start and idle but not go out of park. So even moving from reverse to drive is independent of the kill switch. This creates far fewer risks to entangled operations
I lived 40+ years without remote start, so it makes ZERO difference to me to have it or not. A fuel pump switch will allow starting the truck (until it runs out of gas). My current remote start feature needs the key put into the ignition to actually put the truck into reverse or drive.
 
Back
Top