This is Part-1 of a 3-Part Series. Check out Part-2 here and Part-3 here.
IOActive recently sponsored the DEF CON 2024 Car Hacking Village (CHV) by designing one of the exclusive badges sold at the event. This took the form of a key fob badge that mirrors the functionality of everyday car key fobs, which support keyless entry and keyless start, also known as Passive Entry Passive Start (PEPS).
This post kicks off a three-part series explaining the creation of this unique device. In this first post we’ll explore the hardware. Part 2 will look at the technologies involved and the corresponding code. Finally, in the third part, we’ll dive into using signal processing tools and a software-defined radio tool to interact with the key fob.
IOActive created a design that allows anyone interested to learn what it does and how it does it, and to modify it to do all sorts of interesting things. For our design, we settled on a few key features that would allow the overall design to progress smoothly.
Key Features of the Badge:
- UHF Transmitter: Enables communication with the vehicle for keyless entry.
- Touch Buttons: Provides user interaction similar to standard key fobs.
- LF Receiver: Supports the keyless start functionality.
The fun part is that CHV and IOActive open-sourced this project to inspire both seasoned hackers and those new to the field.
Overcoming Constraints
As with any project, we faced certain constraints, particularly regarding time and budget. Despite these challenges, we’re proud of the innovative and educational badge we’ve created. We hope it sparked curiosity and creativity among all participants at the Defcon Car Hacking Village 2024.
Constraints and considerations included the following categories:
Budget and Time Constraints:
- Cost Efficiency: A badge costing $50 per unit to manufacture would have made the project financially impractical for DEFCON attendees.
- Time Management: Extensive design work had to be balanced with our primary responsibility of supporting our clients.
Single Prototype Design:
- Limited Prototyping: We were allowed only one prototype PCB design before moving to production.
- Time Constraints: Unlike commercial OEMs, we had limited time to transition from concept to production.
Design Requirements:
- UHF Transmitter: Designed to be simple with minimal components, ensuring a low bill of materials (BOM) count.
- LF Receiver: Features a PCB printed coil for reception and integrates touch buttons for user interaction.
- Microcontroller: Must support CAN bus communications and provide sufficient analog resources.
- CAN Bus Support: The key fob acts as an ECU, communicating via the CAN bus.
These constraints and considerations guided our design process, ensuring we created an innovative and educational key fob badge for the CHV. Despite the challenges, we were excited to see how this badge would inspire and educate participants.
Technical Bits
Now that you understand the project and what we wanted to achieve, let’s get into the technical details as to how it actually works. Sorry in advance, as this is going to get very techy very quickly.
When it came to selecting the microcontroller for our key fob badge, we had to ensure it met several critical requirements as mentioned earlier:
- CAN Bus Support: Essential for the key fob to act as an ECU and communicate effectively.
- Analog Support: Needed for both ADC and OP-AMP functionalities. The OP-AMP amplifies the small signal from the LF coil, while the ADC converts this amplified signal into a digital format for software processing.
- UHF Transmitter Communication: The UHF transmitter, a Microchip Technology MICRF113, requires a single wire serial input to control the RF output. Using SPI with the CLK and MISO disabled in the microcontroller provides an ideal method for sending messages to the MICRF113.
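To show what "SPI with CLK and MISO disabled" buys you, here is an added example (not the badge firmware, which Part 2 covers) that expands a payload into the byte stream the SPI shifter would clock out on MOSI to drive the MICRF113 DATA pin. It assumes Manchester coding with four SPI clocks per half-bit, so the SPI baud rate alone fixes the over-the-air bit rate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not the badge firmware. Assumption: each payload bit is sent
 * Manchester-coded as two half-bit "chips" of four SPI clocks each, so one
 * payload bit occupies exactly one SPI byte shifted out MSB-first on MOSI.
 * Eight SPI clocks per payload bit: the SPI baud rate sets the bit rate, and
 * a line stuck high (0xFF) or low (0x00) never forms a valid symbol. */
#define SYM_ONE  0x0F  /* low for 4 clocks, then high for 4 clocks: assumed '1' */
#define SYM_ZERO 0xF0  /* high for 4 clocks, then low for 4 clocks: assumed '0' */

/* Expand payload into the SPI byte stream. Returns bytes written, 0 if out is too small. */
size_t fob_encode_spi(const uint8_t *payload, size_t len, uint8_t *out, size_t out_cap)
{
    if (out_cap < len * 8) return 0;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--)                /* MSB first, like the SPI shifter */
            out[n++] = ((payload[i] >> b) & 1) ? SYM_ONE : SYM_ZERO;
    return n;
}

/* Reverse the expansion (e.g. a host-side check of what was queued for the
 * transmitter). Rejects any byte that is not one of the two symbols. */
bool fob_decode_spi(const uint8_t *spi, size_t n, uint8_t *payload, size_t *len)
{
    if (n == 0 || n % 8 != 0) return false;
    *len = n / 8;
    for (size_t i = 0; i < *len; i++) {
        uint8_t v = 0;
        for (int b = 0; b < 8; b++) {
            uint8_t s = spi[i * 8 + b];
            if (s == SYM_ONE)       v = (uint8_t)((v << 1) | 1);
            else if (s == SYM_ZERO) v = (uint8_t)(v << 1);
            else return false;      /* 0x00, 0xFF, ...: not a Manchester symbol */
        }
        payload[i] = v;
    }
    return true;
}

/* Number of SPI clocks the DATA line is high. Manchester keeps this at exactly
 * half of the clocks, so the OOK transmitter's average duty cycle is constant. */
size_t fob_high_clocks(const uint8_t *spi, size_t n)
{
    size_t high = 0;
    for (size_t i = 0; i < n; i++)
        for (uint8_t s = spi[i]; s; s &= (uint8_t)(s - 1)) high++;
    return high;
}
```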
Given my personal experience with Microchip parts, ranging from the latest ARM cores to legacy signal processors, and the fact that I had the necessary development studios, programmers, and tools already installed, I decided to run with what Microchip had to offer. The next step was to use Microchip’s parametric search tool. By inputting our requirements and sorting by cost, I was able to identify a suitable part.
The Chosen Microcontroller
The microcontroller we selected is the Microchip dsPIC33CK32MP502. This automotive-grade part not only supports CAN bus communication but also includes the necessary analog components to handle the LF receiver and touch buttons.
This choice ensures that our key fob badge is both functional and cost-effective, meeting all of its design requirements while staying within budget and time constraints.
Once I had the basic parts selected, it was time to start drawing the schematic:
Let’s start off by going through the critical sections of the schematic. If you’re following along, look for the names, pin numbers, etc., and it should all make sense.
LF_ANT Net and Buttons
The LF_ANT net connects to the LF coil (LF_COIL) and is crucial for receiving signals. BUTTON_1 and BUTTON_2 nets on the left side connect to pins 2, 3, and 4, respectively. On the right side, MB_RX and MB_TX, along with DATA, connect to the main badge via the CAN bus. The DATA net serves as an output connection to the MICRF113 UHF transmitter. Additional components include a 2×3 pin header and a programming connector.
Amplification and Gain Control
Note the 47K resistor connecting pin 28 and pin 1 of the microcontroller. This resistor controls the gain or amplification of the LF signal. The gain ratio depends on R3 and R5, with doubling R3 doubling the amplifier gain. Choosing a low gain is essential due to the background electromagnetic energy at DEF CON and CHV events. High gain could lead to a low signal-to-noise ratio, affecting signal detection by the receive software.
LF Antenna Implementation
The LF antenna design is intriguing and adds to the key fob’s functionality:
- LF_COIL Net: The LF_COIL net is a track from C1 to C2, with C2 being a 0-ohm resistor chosen after tuning the coil. The actual LF coil is a spiral track on the PCB. Ideally, a dedicated component for the spiral track would be preferable, but time constraints led to this design.
- C1 and High-Pass Filter: C1 forms a high-pass filter, so the junction of R1 and R2 centers the signal around half of VDD (1.65V in this case). The analog pins on the microcontroller can only handle voltages within the 0V to 3.3V range.
- Protection with D1: Component D1 is a rail-to-rail Schottky diode that protects the microcontroller (connected via the LF_ANT net) from strong LF coil signals. When the key fob is close to an LF transmitter in a car, D1 clips the part of the signal that falls outside safe limits. The green LF_ANT signal oscillates between 0V and 3V, while the blue LF_COIL signal oscillates between +12V and -12V.
- Signal Strength Variation: As the key fob moves away from the car, the LF signal weakens and D1 no longer clips it. The LF_ANT signal now oscillates between 0.8V and 2.4V, while the blue LF_COIL signal oscillates between +0.8V and -0.8V.
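To make the headroom argument behind the low-gain choice concrete, here is an added model (not part of the original post or the badge firmware) of the path just described, from coil through C1, the R1/R2 bias, D1 and the op-amp to the ADC. It assumes a 12-bit ADC, a rail-to-rail op-amp whose R3/R5 gain is passed in as a plain multiplier, and a triangle wave standing in for the LF sinusoid.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added model of the LF front end, not the badge firmware. Values from the
 * schematic walkthrough: VDD 3.3 V, R1/R2 bias at VDD/2, D1 clipping LF_ANT to
 * about 0..3 V. Assumed for the model: a 12-bit ADC and a rail-to-rail op-amp
 * whose gain (set by R3/R5) is passed in as a plain multiplier. */
#define VDD      3.3
#define VBIAS    (VDD / 2.0)   /* 1.65 V */
#define CLAMP_LO 0.0           /* D1 clipping limits seen on LF_ANT */
#define CLAMP_HI 3.0
#define ADC_MAX  4095          /* 12-bit ADC assumed */

static double clampv(double v, double lo, double hi) { return v < lo ? lo : (v > hi ? hi : v); }

/* LF_ANT: coil voltage AC-coupled through C1, centred on VBIAS, clipped by D1. */
double lf_ant_voltage(double coil_v) { return clampv(VBIAS + coil_v, CLAMP_LO, CLAMP_HI); }

/* Op-amp output around VBIAS; a rail-to-rail stage cannot go outside 0 V .. VDD. */
double amp_out(double lf_ant_v, double gain) { return clampv(VBIAS + gain * (lf_ant_v - VBIAS), 0.0, VDD); }

/* ADC reading for a pin voltage, rounded to the nearest count. */
uint16_t adc_counts(double v) { return (uint16_t)(clampv(v, 0.0, VDD) / VDD * ADC_MAX + 0.5); }

/* One LF cycle of the given coil amplitude (triangle wave, so no libm needed).
 * Fills n ADC samples; returns true if the amplifier output touched a rail,
 * i.e. the chosen gain left no headroom for this field strength. */
bool simulate_cycle(double coil_amp, double gain, uint16_t *samples, int n)
{
    bool saturated = false;
    for (int i = 0; i < n; i++) {
        double phase = (double)i / n;
        double tri = phase < 0.5 ? 4.0 * phase - 1.0 : 3.0 - 4.0 * phase;  /* -1..+1 */
        double out = amp_out(lf_ant_voltage(coil_amp * tri), gain);
        if (out <= 0.0 || out >= VDD) saturated = true;
        samples[i] = adc_counts(out);
    }
    return saturated;
}

/* Receive-side check the software can run: peak-to-peak swing in ADC counts. */
uint16_t peak_to_peak(const uint16_t *s, int n)
{
    uint16_t lo = s[0], hi = s[0];
    for (int i = 1; i < n; i++) { if (s[i] < lo) lo = s[i]; if (s[i] > hi) hi = s[i]; }
    return (uint16_t)(hi - lo);
}

/* A field counts as present when the swing clears a threshold set above the
 * ambient noise floor measured at the venue. */
bool lf_present(const uint16_t *s, int n, uint16_t threshold) { return peak_to_peak(s, n) >= threshold; }
```

With the far-field numbers from the post (coil at +/-0.8V) a gain of 3 already drives the op-amp into its rail, while unity gain keeps the whole swing inside the ADC range; near the car D1 does the clipping regardless of gain.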
Conclusion
In summary, our key fob badge design balanced functionality, protection, cost-effectiveness, and practicality within tight time and budget constraints. With the dsPIC33CK32MP502, we achieved CAN bus support, analog capabilities, and a simple interface to the UHF transmitter, keeping the total number of components to a minimum and speeding up overall development time.
Part 2 of this series will delve into the firmware, including where to find all the resources and how to modify it. The final part of this three-part series will discuss interacting with the key fob using LF, working with LF tools like GNU Radio, capturing UHF transmissions from the fob, and demodulating and interpreting those signals.