Investigating a Volvo key fob: a knowledgeable reader shares his insights



It’s always been interesting to me to see which of my writeups particularly resonate with the readers (as measured by metrics such as online page views and the number of both posted public comments and private emails I receive in response), and to theorize why this might be the case. Unsurprisingly, for example, teardowns consistently garner lots of attention. But what’s been interesting to me is how little that interest from you seems to correlate to the price tag of the widget being dissected, or even to any existing awareness of it and its manufacturer. As I told other staffers at EDN the other day while we were discussing the topic:

To be honest, there’s not much “science” to the topics I choose for teardowns…I just go by what I personally would be curious to poke around the insides of, under the theory that at least some readers are like me. Sometimes the most inexpensive, oddball, etc. teardown subjects end up getting the most reader response. I’m also happy that I seem to consistently be able to craft an interesting (at least to me) analysis out of even the most seemingly simple teardown subject.

Of course, it doesn’t hurt when the overall theme of a piece is of personal resonance to the audience…

Regarding the recent key fob series, my theory is that there’s a general sense in the community that automakers rip off car owners, especially for things like car feature upgrades and other initial-sale options, ongoing maintenance (both parts and labor), and “aftermarket” updates. I believe that my writeups tapped into that angst, translating into reader interest.

That series, for those of you who haven’t already seen it, so far includes two blog posts:

Followed by a teardown:

One comment on that second blog post, from reader “chargehanger”, was especially intriguing:

The BOM [editor note: bill of materials cost] for this key fob is around 19 Euro [editor note: approximately $19.82 USD as I write these words].

Given that I’d paid my local Volvo dealer $570, inclusive of “labor”, for a replacement key fob, I wasn’t going to leave that comment unexplored. So, in the subsequent teardown, I referenced the earlier comment from “chargehanger”, following up with what I hoped would be a too-tempting-to-ignore invitation:

I’d love any further insight you could offer, “chargehanger” (or anyone else knowledgeable on the topic, for that matter) as to how you came up with that BOM figure.

Fortunately, as we say back in my birth state of Indiana, he “took the bait”. Christoph Riehl (aka “chargehanger”, complete with the appropriately named website www.chargehanger.com where he sells overhead cable holders for EVs) emailed me at the beginning of June:

Hello Brian,

I just read your article on EDN.

I was the one giving you a hint on the BOM cost for the key fob.

I was involved in the development of this key, a long time ago, and I can give you some insights (within the limits of not breaking trade secrets, of course)

I, of course, took him up on his offer that very same day:

Christophe,

Good to “meet” you! Hope you enjoyed my teardown piece.

I’d love to publish any insights you might be able and willing to offer on the product’s development, feature set, bill of materials and/or anything else you think would be of interest to the audience.

What follows is his response sent to me a few days later, only lightly edited by me for readability:

Hello Brian,

I was working at Siemens VDO (which then became Continental), mainly having RF subsystem responsibilities, and I worked on this key fob system.

I haven’t been in the industry for 10 years, so all this may be a bit dated.

All my statements here are publicly available information, so no trade secrets have been broken, and you can publish this.

There are basically 3 types of traditional key fobs, but this Volvo key is an interesting special case:

  • Immobilizer-only fobs, with a mechanical key blade and immobilizer transponder pill (no longer built, for at least 15 years)
  • RKE [editor note: remote keyless entry] fobs, with one LF [editor note: low frequency] coil and functions 1, 2, and 3 only [editor note: keep reading for function descriptions]. The typical fob manufacturing cost here is about 9 Euro, not including the key blade.
  • Passive entry/passive start key fobs. The typical fob manufacturing cost here is 13 Euro without a key blade, also without metal in the housing.

Entry and start are complex systems, with many interlinked microcontrollers and sometimes with additional intentional complexity intended to deter hacking.

Key fobs may seem conceptually simple, but they’re actually very hard to engineer due to their low power consumption optimization and crypto integration, as well as the harsh environments in which they need to operate.

A key fob has more functions than you might think:

  1. Mechanical key
    Nowadays often only seen as a backup, to open the door when the key or car battery is dead. Can only start the car if the old-style ignition lock, fitted with an immobilizer, authenticates the transponder.
  2. RKE (car opening/closing by pressing the button on the fob)
    The key typically sends out a 434 or 315 MHz signal to the car, without any feedback. The signal includes a “rolling code”, which is basically a counter incremented at each use, signed cryptographically so it cannot be replayed (each code is valid for only one use). Typical range: 20m
  3. Immobilizer start (transponder)
    The key fob can be used to start the car with an RFID-style passive transponder at 120 kHz. It uses a proprietary protocol based on a crypto challenge/response that authenticates the fob to the engine controller. The engine controller is usually installed at an intentionally hard-to-access location so it cannot be easily “swapped” in order to steal the car. The immobilizer reader can power the fob controller via one of the LF coils. The key fob can therefore function even when no battery is present, and even if the key fob is rotted away by corrosion (to wit, the LF circuit is selectively varnished so that it can survive nearly anything). When the key battery is dead, you can open the door with the mechanical key and start the car by putting the key into/onto the immobilizer reader. Typical range: 10cm.
  4. Passive entry
    When the driver pulls on the car handle, as well as on a cyclic basis, the car sends out a 120 kHz wakeup signal with a crypto challenge. If in LF range (typically 2m) the key fob wakes up, calculates crypto, locates itself with LF field strength measurements, and answers to the car by transmitting on the RF link. The localization step is important not only to check if the fob is near enough, but also to determine if it is currently inside or outside the car (If inside, no locking is allowed, but starting is allowed. Outside is the reverse). Localization usually requires 3-6 LF antennas, distributed strategically in the car interior and handles. Localization uses a 3D antenna on the key fob. The LF link is unidirectional only; the extended 2m range does not allow the fob to transmit, even if often the same antennas are used for bidirectional immobilization. Listening all the time makes the key fob battery last much less long than with basic RKE-only keys.
  5. Passive start
    When pressing the start button, the same basic steps as with function 4 happen, this time to allow the engine to start only if the key is inside the car. Operating range is reduced to “inside the car only”.

Modern systems use Bluetooth in conjunction with a phone, or UWB. Emerging UWB can be made resistant to relay attacks because it can make a secure time-of-flight measurement. In contrast, all other current technologies are by principle vulnerable to relay attacks. The vulnerability of legacy systems was widely known in the industry, but no alternative existed prior to UWB becoming available inexpensively. Therefore, prior to UWB, OEMs and suppliers just “ignored” the problem, relying on the perceived technical complexity of relay attacks to minimize its likelihood of occurrence.

Your 6-button Volvo key fob seems to have a few ripped-off parts at the base of the RF antenna, close to the CC1020 transceiver. If you replaced them, the fob might work again.

It’s a “special case” key fob because it has a bidirectional 100m range RF link (using 900 MHz in US). It can also display the car status on LEDs if you press the “i” key. “Guaranteed” 100m is quite difficult to achieve given the key fob’s small form factor constraints; this is the reason for the two big batteries, along with the complex bidirectional RF transceiver based on the CC1020.

The 5-button version of the design is a much simpler RKE key without feedback and with only 20m range.

The big component mentioned in your teardown is a reception antenna, but not for 902 MHz, as you assumed. It’s for 3D reception at 120 kHz.

The main chip in the design is the common PCF7953 [editor note: this is the IC I’d referred to as the “F7953C05” in my earlier teardown, and is based on a Philips Semiconductor-now-NXP Semiconductors low-power, 8-bit microcontroller architecture], which integrates everything except the RF circuitry. Newer chips can also include the RF transmitter.

Regarding your comment “a membrane which presumably is present to give the smart key some semblance of moisture and broader environmental resistance”, yes! Fobs in general are engineered to withstand a lot of abuse, tested to (for example) come out still working after a few washing-machine 90°C wash cycles. The watertightness can fail after some years, when materials degrade, but the silicone membrane in your case does not really age. Unfortunately, snow blowers were not considered in the design specs 😉

Rough and quick generous BOM cost estimation for the PCB, in high volume, and prior to recent COVID-induced chip shortages:

  • CC1020: 2,7 Euro [editor note: approximately $2.82 USD]
  • PCF7953: 2,5 Euro [~$2.61 USD]
  • Total for other small parts: 4 Euro [~$4.17 USD]
  • Board: 2 Euro [~$2.09 USD]
  • Labor: 2 Euro [~$2.09 USD]
  • Overhead: 3 Euro [~$3.13 USD]

Real costs are probably lower.

Christophe concluded with some additional-information links for further reader research:

I’d like to thank Christophe Riehl for his generosity both in taking the time to write me in such length and detail, for his willingness to share his insights with other readers, and for the extremely interesting information he’s provided. I believe he’ll also see this writeup, so I encourage you to leave him (and me) your questions and other thoughts in the comments!
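
The rolling-code check described under function 2 above, sketched from the car receiver's side as an added example (not code from the article, from Christoph Riehl, or from any real fob). HMAC-SHA-256, the frame layout, the 16-step look-ahead window and all names are assumptions chosen for illustration; real fobs use their own ciphers and formats.

```python
import hashlib
import hmac
import struct

WINDOW = 16   # assumed look-ahead so presses made out of range still resync
TAG_LEN = 8   # assumed truncated MAC length in bytes

def fob_frame(key: bytes, fob_id: int, counter: int, button: int) -> bytes:
    """Fob side: frame = 9-byte header || truncated HMAC over that header."""
    header = struct.pack(">IIB", fob_id, counter, button)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Car side: accepts each counter value at most once, inside a window."""

    def __init__(self, key: bytes, fob_id: int):
        self.key, self.fob_id = key, fob_id
        self.last_counter = 0          # highest counter accepted so far

    def verify(self, frame: bytes) -> str:
        if len(frame) != 9 + TAG_LEN:
            return "malformed"
        header, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Check the MAC first, in constant time, before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"
        fob_id, counter, _button = struct.unpack(">IIB", header)
        if fob_id != self.fob_id:
            return "unknown-fob"
        if counter <= self.last_counter:
            return "replay"            # already used, or older than last accepted
        if counter - self.last_counter > WINDOW:
            return "out-of-window"     # too far ahead to resync automatically
        self.last_counter = counter    # consumes this and every skipped value
        return "accepted"

def demo() -> list:
    key = bytes(range(16))                      # constructed demo key
    car = Receiver(key, fob_id=0x1234)
    f1 = fob_frame(key, 0x1234, 1, button=1)
    f5 = fob_frame(key, 0x1234, 5, button=1)    # presses 2-4 never reached the car
    altered = f5[:8] + bytes([2]) + f5[9:]      # button byte changed in transit
    far = fob_frame(key, 0x1234, 500, button=1)
    return [car.verify(f) for f in (f1, f1, f5, f1, altered, far)]
```

The look-ahead window is what lets a link with no feedback recover after button presses the car never heard; the trade-off is that any of the next 16 counter values is acceptable at a given moment.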

Brian Dipert is Editor-in-Chief of the Edge AI and Vision Alliance, and a Senior Analyst at BDTI and Editor-in-Chief of InsideDSP, the company’s online newsletter.
