Designing Next-Generation Key Fobs

Similar documents
Turn-Key Passive Entry/ Passive Start Solution

Design and Security Considerations for Passive Immobilizer Systems

RFID Penetration Tests when the truth is stranger than fiction

How to Simplify the Design of an RF Remote Control Using a Highly-Integrated Transmitter SoC

Atmel Innovative Silicon RFID IDIC Solutions

Design And Implementation Of Bank Locker Security System Based On Fingerprint Sensing Circuit And RFID Reader

Secure My-d TM and Mifare TM RFID reader system by using a security access module Erich Englbrecht (info@eonline.de) V0.1draft

Gemalto Mifare 1K Datasheet

2.0 Command and Data Handling Subsystem

Using RFID Techniques for a Universal Identification Device

RF & WIRELESS. 1) ams overview. 2) RFID UHF Gen 2 Readers. 3) 2.4GHz TxRx + LF Rx = Active Tag. 4) NFC Reader and Tags BNI RSO. 23 Apr 2013.

Atmel Norway XMEGA Introduction

STM32L. Ultra-low-power Cortex -M3 devices

Location-Aware and Safer Cards: Enhancing RFID Security and Privacy

REMOTE KEYLESS ENTRY SYSTEM RECEIVER DESIGN

Tire pressure monitoring

Technical Article. NFiC: a new, economical way to make a device NFC-compliant. Prashant Dekate

INTRODUCTION: ABSTRACT:

Bluetooth SMART Advertise-Only Beacon Reference Design

Security & Chip Card ICs SLE 44R35S / Mifare

PMAfob Home Automation Demo

International Journal of Engineering Research & Management Technology

Security in Near Field Communication (NFC)

FLYPORT Wi-Fi G

How To Attack A Key Card With A Keycard With A Car Key (For A Car)

Keywords: GPS, GSM, AVR Microcontroller, SMS.

The Heartbeat behind Portable Medical Devices: Ultra-Low-Power Mixed-Signal Microcontrollers

a leap ahead in analog

nblue TM BR-LE4.0-D2A (CC2564)

Product Information S N O. Portable VIP protection CCTV & Alarm System 2

Final Design Report 19 April Project Name: utouch

Intelligent Fleet Management System Using Active RFID

Using ISO Compliant RFID Tags in an Inventory Control System

2.0 System Description

Remote Controls Radio Frequency or Infrared Content. Whitepaper by Martin Gotschlich, Infineon Technologies AG, 2010

Zigbee-Based Wireless Distance Measuring Sensor System

ENERGY HARVESTED ELECTRONIC SHELF LABEL

RDF1. RF Receiver Decoder. Features. Applications. Description. Ordering Information. Part Number Description Packages available

[WIR-1186] 865MHz-869MHz Wireless Module(version 3.0) (3.3V)

ZigBee Technology Overview

Guangzhou HC Information Technology Co., Ltd. Product Data Sheet

Chip Card & Security ICs Mifare NRG SLE 66R35

Quick Start Guide. MRB-KW01 Development Platform Radio Utility Application Demo MODULAR REFERENCE BOARD

Hello, and welcome to this presentation of the STM32L4 reset and clock controller.

USER MANUAL V5.0 ST100

MF1 IC S General description. Functional specification. 1.1 Contactless Energy and Data Transfer. 1.2 Anticollision. Energy

SECURITY OF PASSIVE ACCESS VEHICLE ANSAF IBRAHEM ALRABADY DISSERTATION. Submitted to the Graduate School. of Wayne State University, Detroit, Michigan

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Process Control and Automation using Modbus Protocol

Surveillance System Using Wireless Sensor Networks

ATB50v1 GPRS / GPS Based Fleet Management Terminal. Datasheet

Part Number Description Packages available

OBID RFID by FEIG ELECTRONIC. OBID classic / OBID classic-pro. RFID Reader Technology for Security Applications

LoRa FAQs. 1 of 4 Semtech. Semtech Corporation LoRa FAQ

Welcome to the Introduction to Controller Area Network web seminar My name is William Stuart, and I am a Applications Engineer for the Automotive

Logitech Advanced 2.4 GHz Technology

Maximizing Range and Battery Life in Low-Cost Wireless Networks

GPS Hardware. GSM / GPS In-Vehicle / Personal Tracker

3. Identification of water pumps through RFID technology. 4. Wireless control of remote water pump using RF technology.

Implementing a Digital Answering Machine with a High-Speed 8-Bit Microcontroller

User s Manual of Board Microcontroller ET-MEGA2560-ADK ET-MEGA2560-ADK

AN588 ENERGY HARVESTING REFERENCE DESIGN USER S GUIDE. 1. Kit Contents. 2. Introduction. Figure 1. Energy Harvesting Sensor Node

Talon Communications Presentation

HyperAccess Access Control System

How To Understand The Power Of An Freddi Tag (Rfid) System

Gilsson AlwaysFind Web Base Fleet Management AVL & Personal GPS Trackers

Guangzhou HC Information Technology Co., Ltd. Product Data Sheet

Guangzhou HC Information Technology Co., Ltd. Product Data Sheet

Smartphone Quick-Jack Solution FASTER TO PRODUCT FASTER TO MARKET

DESIGN OF SMS ENABLED CAR SECURITY SYSTEM

Web Site: Forums: forums.parallax.com Sales: Technical:

Radio sensor powered by a mini solar cell the EnOcean STM 110 now functions with even less light

Tri-Band RF Transceivers for Dynamic Spectrum Access. By Nishant Kumar and Yu-Dong Yao

RFID BASED VEHICLE TRACKING SYSTEM

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Waterproof portable tracker and

Using Xbee in Serial Communication

HAC-LM Series Low Power Data Radio Module

Self-Check-In Hotels Using RFID. Technology

Figure 1.Block diagram of inventory management system using Proximity sensors.

Embedded Systems on ARM Cortex-M3 (4weeks/45hrs)

What is Easy-Radio? Devices Covered. Frequency Hopping Transceiver. Where x00 denotes frequency of operation. E.g. 400 = 433MHz

Display Message on Notice Board using GSM

Logitech Advanced 2.4 GHz Technology With Unifying Technology

The Energy Harvesting Tipping Point for Wireless Sensor Applications

The Programming Interface

RN-131-PICTAIL & RN-171-PICTAIL Evaluation Boards

How To Use Nuc123 (Nuc123) For A Week

BARCODE TICKET SOLUTION RF CARD SOLUTION MAGNETIC TICKET SOLUTION

Microtronics technologies Mobile:

How To Use A Sound Card With A Subsonic Sound Card

Radiocrafts Embedded Wireless Solutions

MIFARE CONTACTLESS CARD TECHNOLOLGY AN HID WHITE PAPER

TELECOM HF VHF UHF over IP

Rayson. Bluetooth Module

Wireless Home Security System

MSITel provides real time telemetry up to 4.8 kbps (2xIridium modem) for balloons/experiments

M68EVB908QL4 Development Board for Motorola MC68HC908QL4

128KB RAM. 2.4 GHz TX/RX. Radio. 2.4 GHz ADC. Crypto accelerator. Sensor Interface

Transcription:

Designing Next-Generation Key Fobs Paul Lepek Key Fobs Today Today s key fobs can be generally subdivided into two different functional categories. The first includes Remote Keyless Entry (RKE) devices which require some sort of human intervention or a physical interface of the user to the key fob (e.g., key push) in order for the fob to produce the desired function effect such as unlocking a door or opening a sunroof. The second group of devices provides similar functionality but also features an added level of comfort by performing the same function without physical intervention by the user. Instead of the push button or touch sensor interface, a Passive Entry (PE) identifies the user (and the key fob) as a legitimate entity and automatically triggers authentication or issues a request (e.g., passive door unlock, trunk release, etc.). Both systems are based on a preprogrammed key fob device ID and authentication protocols which include an encryption stage for authorizing the issue of key fob commands to the vehicle. In this way the key can be identified by the vehicle and vice versa before any action is executed. All RKE-based systems require key fobs to support RF links which fall into Industrial, Scientific and Medical (ISM) frequency bands (i.e., 0-135kHz, 13.56MHz, 315/433MHz, 869MHz, and 915MHz). However, for a PE system the LF downlink is used by the key fob to compute a Received Signal Strength Indicator (RSSI) value and thus the fob s physical coordinates in relation to the vehicle while the RF link is used to execute the authentication protocol with the vehicle. RKE and PE system fobs are designed to be powered by a small coin battery intended to last for the life of the vehicle. Atmel has Introduced Next-Generation Transceiver and Receiver Devices with Configurable Options Moreover, all key fobs support engine immobilizer system authentication. To prevent theft every automobile uses an immobilizer system which authenticates engine starts. In this case the key fob acts as a passive authentication tag similar to the RFID tag but with a larger feature set. Most automotive key fobs use Near Field Communication (NFC) transponders which communicate with the engine controller. The transponder is integrated into the key and is a passive device. It does not need a battery for operation, but instead uses a magnetic field generated by the LF vehicle coil. It also transmits the device ID and executes a special immobilizer 15 2010 / www.atmel.com

Table 1. Key Fob Features Today Physical Interface 3 (Button, Touch, etc.) Class Immobilizer 1 Recharge 2 Batttery/ Remote Remote Entry Accessories Start Passive (Entry/Go) Accessories Personalization Settings Time/ Data Logging in Fob 4 Basic x - - - - - x x RKE (std.) x x/ x - - - x RKE (ext.) x x/x x - x - x x PE (std.) x x/x x x x x/x x PE (ext.) x x/x x x x x/x x x 1 Immobilizer support includes secure fob and vehicle authentication via the LF field using an integrated LF transponder. 2 The fob includes a built-in battery with the option of recharging the battery via the LF field. 3 Remote Start and Remote Entry are controlled via RF uni- or bi-directional link. Control of accessories can either be done using RF or IrDA links. 4 Data can be logged such as time stamp data, last device ID, last vehicle service date, and much more either via LF or RF links. protocol for its authentication but all communication takes place via an LF field generated by the vehicle. Expanding Fob Applications Originally key fobs were designed for only one purpose: to unlock the door and start the engine with the metal key. Later, RKE devices were used to remotely (HF field) unlock the door. The integrated contactless passive transponder (LF field) then unlocked the steering column and enabled the engine start. Only more recently fobs began to penetrate convenience, general utilities, secure communications, and secure access ID applications (even extending to payment systems and e-ticketing). These functions were not developed before due to a lack of hardware and software resources, primarily because of the fob s physical size and power consumption. Recently, however, it has become possible to overcome these shortcomings by incorporating much larger user and program memories, and the use of faster, more compact, and ultra-low power processors without increasing the cost of production. Additionally, the integration of flexible, reconfigurable, and secure authentication peripherals can be made feasible. These types of peripherals include crypto units, secure key management features, and integration of smart cards useful for payment, user ID, and cipherbased authentication systems. An automotive key fob can therefore be used not only to interact with the vehicle but also to gain entry to a park garage, ski lift or to purchase train tickets. This can deliver considerable benefits when goods are purchased using one of the major credit card networks. The secure user memory can also be used to store personal and secure information as personal data ID and provide transit information for e-ticketing. System-in-fob Hardware Resources Ultra-low-power 8-bit microcontroller Large Flash program and EEPROM data memory (memory segmentation with locks) RF communication interfaces - Infrared (IrDA) IF - Immobilizer IF at 125kHz - Passive entry IF at 125kHz (RX only) - Smart card IF at 13.5MHz - RKE IF at 315, 413, 868, 915MHz (frequency hopping) Power management (optional battery charge) Hardware cryptological unit (AES-128) Integrated proximity coupling smart card (ISO 14443) Cyclic Redundancy Check (CRC) block Serial interfaces (SPI, SSI) ISP/debug (dw) Analog comparator Flexible GP timers and WDT Oscillators: RTC, INTRC (125kHz, 4MHz) Automotive Compilation Vol. 7 16

The heart of a modern key is an ultra-low power microcontroller with sufficient program and data memories. Typical program memory can range from 8KB to 16KB and beyond with its data memory ranging from 1KB to 2KB depending on application requirements. Because of secure application support, the key fob s program and data memories must have provisions for memory segmentation and locks in both memory blocks. For example, the application firmware resident in program memory can be divided into separate memory sectors (e.g., application and immobilizer sections). Also data memory may have its own partitioning which can allow for soft and hard memory locks when it comes to releasing user-sensitive device-stored data (e.g., authorization password or secure key). While the microcontroller core executes application firmware, the secure user and key data is stored in the on-chip nonvolatile memories (EEPROM). The core uses various wireless communication peripheral interfaces to communicate with the infrared transceiver (IrDA), the LF transponder (125kHz), the 3D LF receiver (125kHz), the smart card (13.5MHz) and the RKE transceiver (315, 413, 868, 915MHz). Flexible serial interfaces can be shared such as SPI or Serial Synchronous Interface (SSI) to enable data exchange with every communication peripheral. A hardware data integrity check module, based on a Cyclic Redundancy Check (CRC) checksum algorithm, supports validation of received data. A unique feature of the immobilizer transponder interface is that it is closely bound to the power management unit which is used to provide power supply voltage, V DD, while exchanging LF data with the immobilizer in passive mode. In this mode all other communication with the key fob is disabled to support batteryless operation. Some key fobs may also support the battery charge feature which is integrated into the power management module for recharging the battery with the engine running. While in secure smart card mode the device can also operate in passive mode and exchange as well as encrypt and decrypt proprietary data using its own crypto module with the reader at F C = 13.5MHz. It can use its own device memory or the fob s internal nonvolatile memory. Integrated crypto modules can support many different cipher algorithms the most popular being the 256-bit block cipher known as the Advanced Encryption Standard (AES) based on the Rijndael algorithm which can be used with a 128-bit, 196-bit or 256-bit secret key. The fob must also contain analog peripherals such as internal oscillators where F = 125 khz and 4 MHz to generate its internal clock signals used for the transponder front end and the microcontroller core, respectively, with low frequency deviation across VDD and temperature. The supplied analog comparator can facilitate detection of VDD drops and prevent data corruption during nonvolatile data memory writes in passive mode. Power Management Contactless Interface/ Transponder 3D LF- Receiver Volt. Monitor IR - Driver Timer Block Crypto Unit CRC Figure 1. Fob Floor Plan SPI EEPROM/ 2KB SRAM 512B Atmel AVR - Core Data Mem. Secure EEPROM. IO-Ports FRC -Oscillator ECIN Clock Management & Monitoring SRC - Oscillator Watchdog Timer Wireless Data Communication Interfaces An entry/immobilizer system consists of at least two communication partners where one side is on the vehicle and the other on the key fob. Depending on the link type, there are several possible communication interfaces available, including: 1. IrDA link for convenience and comfort applications 2. PE/PEG link to enter and start engine, including LF downlinks and UHF uplinks RTC PM ROM 2kB PM - Flash 14kB POR / BOD & RESET debug - WIRE Serial IF Contactless Interface/ SmartCard Smart Card RF TX/TRX Module 3. Immobilizer link to start engine and emergency vehicle entry, including LF down- and uplinks 4. Chip card as user ID, authorization, authentication at pay stations, including HF down- and uplinks 5. RKE as entry authentication, including UHF down- and uplinks 17 2010 / www.atmel.com

Table 2. Modern Key Fob Communication Links Overview Application Standard Link Type F C Modulation Anticollision Data Encoding BR [Baud] Range Average Current PE/PEG Custom 3D LF downlink 0-130kHz ASK x PIE 3.9k 3-5m 2-20μA UHF uplink 315, 433, 868, 915MHz ASK/FSK - Manchester, Biphase Up to 80k 30-120m 8-20mA Immobilizer/ Emergency Entry ISO14223 /Custom LF downlink 0 - ASK - PIE 3.1-8.9k 2-10cm 40-260μA 130kHz LF uplink ASK Manchester 4.4k Chip Card ISO14443 ISO15693 ISO18000 HF downlink 13.56MHz ASK/PSK x PIE, Miller, NRZ HF uplink ASK/BPSK Manchester, NRZ Up to 20k 5-20cm 20-120μa RKE Custom UHF downlink UHF uplink 315, 433, 868, 915MHz ASK/FSK/ PSK x Manchester, Biphase Up to 80k 30-120m 8-20mA The summary of the communication channels and a brief overview is shown in table 2. Secure and Reconfigurable Firmware Application firmware which supports the complete functionality and feature set is the fundamental building block of the key fob. It may consist of many different modules and must encompass all functional and likely operating scenarios, including battery failure which comprises emergency or passive operation mode. To improve reliability it is a common practice to keep both application and immobilizer programs separate and in two distinct program spaces. While the immobilizer firmware supports distinct engine starts, the application software controls all other fob functionalities including RKE, convenience or user-id applications. The immobilizer/emergency functionality is required to take priority over any other function, which is the equivalent of an override which suspends any function currently in progress when the LF field is detected at the transponder LF coil. Figure 2 depicts a flow diagram and interaction between application and immobilizer firmware. VBAT=1 & VFLD=0 (Start-up) RKE APPLICATION SW MODULE No VFLD? Enter RKE Mode VBAT=0 & VFLD=1 (Start-up) Enter IMMO. Mode IMMOBILIZER APPLICATIONSW MODULE No VFLD? Figure 2. Immobilizer and Application Firmware Interaction Flow Chart All data communication is fully supported in the fob s firmware. Various communication protocols including unilateral, bilateral for immobilizer, PE/PEG and RKE systems can be fully configured by the application software. Based on Yes Yes Automotive Compilation Vol. 7 18

protocol topology, the application software controls dedicated peripherals by enabling them, and reading data during RX phases, and writing data during TX phases of the protocol as soft triggers (e.g., immobilizer and PE applications) or hard triggers (e.g., RKE or IrDA applications using a push button interface). A major advantage of a next-generation key fob is its in-field programmability, which can be very helpful in the event of a firmware or user data upgrade or programming. The fob can be initially configured using its dedicated general-purpose software via the LF field while the final test is performed at the factory. The user data can be added later by the Tier1 or OEM without modifying the original configuration. Even while in the field the fobs can be reprogrammed with new Abstraction Level Software Model API, Configuration Data I/O Application Layer Protocol/Session Layer Physical Drivers Figure 3. Software Partitioning as a Bottom-up Approach Transport/Link Layer Resources application and user data via one of the communication interfaces at a later date. Of course, in this case only a single functionality can be enabled while using memory locks to provide security. This is especially useful when used as a pay token in e-commerce or e-ticketing environments. Coupling Factors for Immobilizer System Coupling factor [%] 9.00% 8.00% 7.00% 6.00% 5.00% 4.00% 3.00% 2.00% 1.00% 0.00% Figure 4. Immobilizer Coupling 0 0.02 0.04 0.06 0.08 Distance d [m] Lr=Rehfeld, Lt=2.45mH Lr=Rehfeld, Lt=5.1mH Lr=738uH, Lt=2.45mH Lr=738uH, Lt=5.1mH Figure 5 shows one complete challenge-response authentication protocol which could be used in a passive automotive immobilizer application. The LF field voltage (green) is enabled for 160ms. The field is damped (2.2V) during RX state and then switched to the undamped level (6V) during TX state. The charge storage capacitor voltage (yellow) which provides V DD to the transponder is immediately charged to 2.2V during the RX data stage. The transponder encrypts (AES-128) received plain text data (128-bit challenge) and transmits the response. In many immobilizer systems the system authentication time is a major concern. To minimize authentication time, the number of bits transmitted can be reduced without compromising system security. It is common for authentication time T AUT < 130ms at BR = ~3.9kBaud. Transponder LF Field Coupling Transponder-to-base-station coupling still remains the most challenging aspect for key fobs. The proper transponder coupling can be achieved when sufficient energy is transferred from the base station to the transponder for the transponder to communicate with the base station. During design, the L-C tank must be carefully selected for optimum energy and communication performance. Figure 4 shows a typical transponder coupling at 125kHz vs. operating distance from the base station coil 5. Figure 5. Immobilizer Protocol Execution Scope Shot/Power Analysis 5 Assumes the fob coil is placed in the center of the base station coil where the coupling is best 19 2010 / www.atmel.com

Figure 6 shows field voltage and VCC traces as the key fob is energized by the field and begins to receive a BPLM data stream. Field gaps are visible which separate field On interval which is decoded by the fob using a dedicated hardware peripheral. The fob s microcontroller is in sleep mode 95% of the time to save power consumption. Table 3. RF Transceiver Parameters Sensitivity Antenna Average Gain P OUT Current Receiver -109dBm -6dB - ~6-8mA Transmitter - -18dB 10dBm ~9-10mA Table 3 shows some typical RF transceiver parameters. A snapshot of the transmitter spectrum taken at 433MHz during transmission of an RKE message to the vehicle is shown in Figure 7. The transmitter carrier frequency, the span, power output, and device setting are configured using the serial interface by shifting configuration data (in this case the 32-bit configuration word) into the RF transmitter via the MCU when the user presses the open-door button. Figure 6. Transponder at Power-up RF Communication Links Both RKE and PE/PEG systems utilize HF communications links. In comparison to LF links, HF links are superior in their operating range (up to several hundred meters) and baud rate (up to 80kBaud can be achieved). RF transceivers currently available on the market use N-fractional PLL frequency tuning techniques where the carrier frequency can be selected in firmware by the MCU. Some devices allow large tuning frequency variations, permitting more design flexibility. The transceiver s operating range remains a key performance parameter. To extend operating range, it is common for the transmitter power to be as high as 12.5dBm and the receiver sensitivity to be less than -100dBm. Antenna design is also a determining factor providing additional performance gain. Although whip antennas add additional performance gain, small loop antennas printed on the PCB are usually chosen for use in automotive key fobs. Power consumption is another critical factor on the receiver as well as on the transmitter side. Power consumption can be reduced by selecting higher data baud rates. Choosing ASK modulation tends to lower operating current since the power amplifier is momentarily disabled during modulation. Figure 7. RF TX Spectrum at 433MHz References: 1. ISO 14223 Advanced Transponders Standard 2. ISO 10536 Close Coupling Smart Cards Standard 3. ISO 14443 Proximity Coupling Smart Cards Standard 4. ISO 15693 Vicinity Coupling Smart Cards Standard 5. ISO 18000 Item Management Standard Automotive Compilation Vol. 7 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information