View detail for Key Fob Design Based on Atmel ATA5795

APPLICATION NOTE
Key Fob Design Based on Atmel ATA5795
ATA5795
Features
● Integrated key fob solution integrating MCU and a passive transponder
functionality using Fc = 125kHz for immobilizer applications via a contactless LF
interface and an RF transmitter functionality with programmable Fc = 300MHz to
433MHz for RKE applications
● Transponder includes immobilizer SW stack supporting the immobilizer
authentication protocol programmed at the factory
● Open source immobilizer SW stack Is based on flexible communication protocol.
The protocol Is configurable using transponder configuration memory
● Immobilizer command set supports various classes of commands such as start
authentication, read UID, read/write user memory, learn secret key1/2, and read
transponder error status
● Integrated high speed AES-128 hardware crypto module
● Atmel ATA5795 includes segmented program and user data nonvolatile memories
with protection locks
● Ultra low power consumption enables passive transponder functionality at low
coupling factors (k < 0.8% typ.)
● Integrated RF transmitter module with selectable Fc using fractional PLL in ISM
bands (315/430MHz)
● Configurable radiated power output pout at up to +12.5dBm
● Integrated flash-based Atmel ATmega 8-bit MCU includes ultra low-power design
with many dedicated data communication and mixed-signal peripherals. Includes
on-chip internal oscillators at 4MHz and 125kHz with RTC
9224B-RKE-05/15
1.
Introduction
This application note introduces Atmel® ATA5795 as a building block to design a key fob with an integrated transponder and
RKE functionality for the automotive industry.
It discusses the implementation of the key fob transponder, its physical interface, the hardware and software resources of
the system and possible application scenarios. The open source Immobilizer Software Stack application code which is
preprogrammed in the device program memory is also introduced and its features and configuration briefly discussed. The
RKE functionality, features, and configuration relying on Atmel ATA5795 and application software are reviewed.
Atmel ATA5795 was designed to function as a transponder-based key fob using its contactless LF communication interface.
It supports half-duplex LF data links with the base station. The base station generates the LF field. The data to the
transponder is sent using On-Off keying. The data from the transponder is sent using ASK modulation by damping the
carrier. The LF magnetic field is used as a data carrier and as a source of power to the transponder.
The RKE function consists of transmitting an RF data message to the vehicle for authentication. RKE message data is send
via the RF link consisting of a transmitter unit ID and a cipher message. The link is active only for a few milliseconds to keep
power dissipation low. The cipher is calculated using an AES-128 hardware-based crypto module.
Figure 1-1. Key Fob In-System Integration
Vehicle
RKE Function
Vehicle ECU
Access
Control
Module
Key
SPI, SSI
RF
Receiver
Push
button
switches
RF Data
Link
Immobilizer Function
Key Fob IC
(ATA5795)
VBAT
LF Energy
Body
Control
Module
(BCM)
1.1
LF Base
Station
LIN,
SPI
CVDD
LF Data
Link
Immobilizer Fob Application
The in-vehicle immobilizer system is primarily used for preventing engine starts by an unauthorized user. The system uses
an LF field to communicate with the passive transponder. The communication is based on series of unidirectional data
transfers between the base station (vehicle) and the transponder (key fob).
The immobilizer system includes:
1. Body Control Module (BCM): It is connected directly to the engine control module and is used as an authentication unit to enable engine start. It issues challenges and evaluates responses from the key to enable or disable
access.
2
2.
Base Station (BS): This module acts as a gateway between the key fob and the BCM. It communicates with the
key via its physical interface.
3.
Transponder (TP): The transponder unit receives data from the base station including commands and payload
data and responds accordingly. Its internally stored secret key (128 bits) is used to encrypt challenges before it
replies with a response prior to authentication.
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
Figure 1-2. Immobilizer System Diagram
LF-communication
protocol for
authentication
TP
Key with
Transponder
Data
communication
BS
downlink
Basestation
uplink
LF-communication (upand downlink), LFcommand interpreter,
AES encryption
Transparent communication
with BCM,
LF-communication with TP
(write and read of transponder
data)
BCM
Main controller in
dashboard
Data communication
(command set, data
handling), authentication,
AES encryption
The transponder can receive modulated data from the base station (downlink) and transmit data back to the base station
(uplink).
The authentication protocol is based on challenge response topology and it can be implemented either as a unidirectional
protocol where only a key is authenticated by the vehicle or as a bidirectional protocol where a key and a vehicle are both
authenticated. Varying data frame sizes may be used to send and receive payload data. Plain text challenge data received
by the fob is encrypted by the AES-128 hardware-based crypto module, after which the cipher response is sent to the base
station.
The energy to receive and transmit the protocol data is supplied by the magnetic field which is directly coupled from the base
station coil to the transponder coil during the data exchange. The transponder can also be powered by an internal battery.
This feature is used for fob configuration and during key fob debug and development.
1.2
RKE Fob Application
RKE functionality is achieved by transmitting authentication data from the key fob to the vehicle via a unidirectional RF data
link. Normally this function is used for remote communication with the vehicle via the RF link by physically interfacing with the
key fob (e.g., pushing the button).
Important key fob RKE features include:
● Integrated RKE Data Transmitter (RF Uplink): ASK/FSK 300-450MHz, 40kBaud transmitter with high power output
(+12dBm)
1.3
●
Generation of Soft Configurable Secure Protocols: Authentication is based on a rolling code protocol. The
message text is ciphered using a built-in AES-128 cryptographic engine.
●
Low Power Consumption: A large selection of sleep modes. Multi-source system clock.
Fob Application Circuit
The Atmel® ATA5795 was designed for low cost applications and requires a minimal number of external components. The
simplified schematic diagram shown below depicts a typical application components design for 433MHz. The reference
design is shown in Appendix A.
The diagram includes the LF link coil L1 and the capacitor CL1 as the transponder antenna for immobilizer applications
(fosc = 125kHz). Matching L1, CL values produce large Q which improves data integrity and immobilizer range.
The RF link loop antenna is shown to be driven by the PA (pin 28) with its return path on pin 27 which is also the ground.
Capacitors C7, C8 and C10 and inductor L3 were selected to match the antenna impedance for best power output. Their
values were also based on actual trace impedance of the reference PCB. C4 and L2 on the other hand are used as a supply
block against PA noise which could couple into the power supply and disturb the PLL circuit. Both should be placed close to
pin 28. Additionally L2 provides for the antenna bias.
RF loop antenna traces during layout should not exceed 1.5mm to keep antenna Q from reaching excessive values. For
13MHz Xtal, load capacitors C5 and C6 must be selected for XTO to run on the load resonance frequency of the crystal.
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
3
The In-System Programming (ISP) connection is shown as pin 24 (MISO), 25 (MOSI), 26 (SCK). The serial ISP connector
pins as provided on the 6-pin ISP header are:
Pin 1: MISO
Pin 6: VBAT
Pin 2: SCK
Pin 5: MOSI
Pin 3: NReset
Pin 4: GND
The supply Vbat is typically delivered from a single Li cell battery.
Figure 1-3. Application Circuit
Key
Battery
Vehicle
ECU-1
VBAT
C3
Q2 = 32.768kHz
TP Coil
CBUF
L1
CL1
16 15 14 13 12 11 10 9
C4
17
8
18
7
19
L2
Base Station:
ATA5272
6
Atmel
ATA5795
20
21
*ISP-pin
LF link
5
NRESET
4
22
3
23
2
24
1
C2
ECU-2
25 26 27 28 29 30 31 32
Q1 =
13.5MHz
*ISP-interface
AVR MCU
C7
C6
C5
RF link
C10
C8
RFLoop antenna
L3
Table 1-1.
4
Components Selected for RF Fc = 433.92MHz
Symbol
Value
Description
L1
2.35mH
CL1
680pF
TP coil LC tank capacitor
C2
68nF
VBref decoupling capacitor
C5, C6
15pF
13MHz Xtal
C7
3.9pF
Loop antennal impedance match capacitor
TP coil inductor
C8
3.4pF
Loop antennal impedance match capacitor
C10
1.26pF
Loop antennal impedance match capacitor
L2
27nH
PA supply voltage decoupling
C4
1nF
PA supply voltage decoupling
L3
12nH
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
Antenna coupling inductor
RF- Receiver
ATA574x
ATA572x
ATA5780
2.
Application Software
Application software is partitioned into two dedicated software modules, with each placed in its dedicated program memory
address space:
● Immobilizer SW Stack Module: This firmware fully supports LF channel communication with the base station. Its
features include:
●
●
Controls LF link communication with the base station via an LF field. It includes device drivers and application
modules that control the protocol handler.
●
Provides for system, user, and application command support. Specific configuration commands can set
transponder configuration including transponder crypto keys, set the modulation type used for up and down
links, and set the baud rate and many other parameters. Other application level commands control
unidirectional and bidirectional execution.
●
A configuration file which controls transponder functionality. By programming configuration file parameters a
user can select desired functional and performance features for the software (e.g., select authentication type,
enable detection header, set modulation type for up and down channel and the baud rate).
●
Factory preprogrammed image resident in the boot sector (address 0xC00 - 0xFFF). The section is individually
protected with its own lock fuses.
RKE SW Module: This firmware controls the user interface and RF transmitter. Its features include:
●
Assembly and transmission of authentication messages to a vehicle based on unidirectional rolling code
protocol
●
Resident in application memory section (address: 0x000 - 0xBFF)
●
Controls a flexible user interface using pin-change interrupts
●
Incorporates configurable physical and application parameters:
●
Physical layer parameters:
- Selectable RF carrier frequency (300MHz to 450MHz)
- Selectable modulation type (ASK versus FSK)
●
- Selectable radiated RF output power
Application layer parameters:
- Preamble signaling
- Definition of communication protocol and authentication type
- Payload data size (UID, CMD, CNTR, data padding)
2.1
Key Fob Firmware Overview
The key fob can either operate as an RKE transmitter or a secure transponder. The program memory is thus partitioned into
two separate program sections: (1) the immobilizer section which controls the immobilizer functionality and (2) the
application section which supports RKE and extra features.
With preprogrammed immobilizer SW stack the device always vectors to the boot section of the program memory which
contains the dedicated firmware used to communicate with the immobilizer system on device reset. Upon reset the
immobilizer SW stack must check if the LF field is available. When detected the software control remains in the immobilizer
module and if not it is vectored to the application section.
The device is said to be in the RKE operating mode when the LF field has not been detected at device reset and the program
control has been passed to the application code section. In this mode the key fob can send RF telegrams to the vehicle using
its RF transmitter while powered by the internal battery voltage, VBAT.
The device is said to be in the immobilizer operating mode when the LF field has been detected and the device triggers
internal reset which vectors its program control to the boot sector of the program memory, where the immobilizer specific
firmware is executed. In normal operation, upon completion of the immobilizer protocol while the LF field is disabled the
device triggers its internal reset and, with no LF field detected, it vectors from the reset vector to the application section to
enter RKE mode.
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
5
Figure 2-1. Program Memory Partitioning
Address
15
0
0
0x0BFF
3071
0x0C00
3072
0x0FFF
4095
2.1.1
Immobilizer
Space
(1024 Words)
Application Space
(3072 Words)
0x0000
Passive Operation in Immobilizer Mode
The device enters the transponder mode regardless of its current operating state (RKE, power-down) when the LF field is
detected (i.e., the transponder mode supersedes any other device state).
Once the transponder mode is active the device power is set to VCC (the passive voltage stored on the charge storage
capacitor CVDD which has been harvested from the field). Then the device can receive and transmit data in passive mode
via the LF link.
When the LF field is removed and a battery is present, the transponder executes a system reset, checks if LF field is present
and, if it is not detected, re-enters RKE mode. Then the device is reinitialized for RKE operating mode and a new outgoing
RF message is assembled in its data memory.
When no battery or a low battery voltage level is detected on the VBAT pin, the transponder can still use emergency mode to
enter the immobilizer passive mode and respond to the base station commands with the LF field present.
The diagram below depicts a power-up process and a mode changing sequence based on the presence of the LF field while
being powered by the external battery. With no LF field present the device enters RKE mode when the battery voltage is
provided at the VBAT pin. The device will exit RKE mode and automatically enter immobilizer mode when the LF field is
detected. The device stays in immobilizer mode as long as the LF field is provided. When the field is removed the device
returns to RKE mode.
Similarly, in emergency operating mode the device enters the transponder mode from power-down when the LF field is
detected and leaves the transponder mode when the field is removed.
6
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
Figure 2-2. Program Flow Control
VBAT = 1 and VFLD = 0
(Start-up)
Enter RKE Mode
Application SW
Module
VFLD?
Yes
No
VBAT = 0 and VFLD = 1
Start-up
in Emergency Mode
Enter Immobilizer Mode
Yes
Power
Down
No
Immobilizer SW
Module
VBAT?
No
VFLD?
Yes
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
7
3.
Transponder Operation
Transponder operation is based on establishing an LF data link between the transponder and the base station and receiving,
executing, and replying to a series of communication commands sent by the base station using the LF field.
3.1
Immobilizer Software Stack Overview
Atmel® ATA5795 is delivered with a preprogrammed Immobilizer Software Stack image; see [2] for the full functional
specification. This open source firmware supports full key fob transponder behavior.
Software features:
● Supports Atmel ATA5795 device physical LF interface, power management, and other hardware resources
●
●
●
●
Defined LF data links
Defined command set
Defined and reconfigurable protocols
Programmable configuration settings
The stack physical drivers control the device hardware. Its application layer controls the command interface and execution.
A command interpreter and protocol handler engine provide a transaction and system extraction layer when communicating
with the base station.
Various communication protocols, data length, modulation types, baud rates, and transponder behavior can be set by
changing the configuration file placed in the device EEPROM.
3.1.1
Software Stack Command Set
The base station - transponder communication is based on the command-response topology in which a base station
(communication master) issues individual requests (commands) to a transponder, the communication slave, and the
transponder generates corresponding replies (responses).
The command set is structured in a way that every command issued generates a transponder reply. The transponder
interprets and executes commands based on its preprogrammed configuration file in its non-volatile memory (EEPROM).
Commands include (1) utility requests, such as reading the device ID and reading from/writing to user memory, (2)
authentication requests which start an authentication protocol execution, (3) diagnostics which query the transponder status
and (4) key learn (sharing the secret key) commands that trigger key learn routines.
Some commands (i.e., authentication requests) may involve multiple data exchanges between the base station and the
transponder. However, most commands are structured so that the transponder receives individual commands which may be
followed by a data payload and a response. For example, to start an authentication sequence, the base station can first
issue a Read_UID command and then after receiving the correct UID can follow up with a Start_Authentication command.
8
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
3.1.2
Command Execution
Once the LF link is established the commands are received on the downlink and the response data is sent on the uplink.
Upon receiving data the transponder first validates received data (CRC-4 for commands, CRC-8 for payload data), decodes
command data, executes a command by first generating response data, tests packet data integrity (CRC-8), encodes and
transmits data via the uplink. When the transponder cannot validate and interpret the received data it signals the error to the
base station (i.e., sends four periods of 1kHz).
The transponder must always reply to any base station command request. When the base station does not receive any reply
within its reply time window, it resends its request until the number of maximum retries is reached.
Figure 3-1. Immobilizer Command Execution
Start
(VDD = VBAT or VDD = 0)
Fld Present?
No
Yes
Execute Reset Vector
Initialize peripherals
Enter Sleep
2
GAP?
No
Yes
Receive Command
2
Data Valid?
Flag Error
No
Yes
Execute Command
Transmit Response
2
The LF data link is aborted by the base station when the LF field is disabled.
The LF data link is terminated by the base station when:
● The protocol session is completed (the LF field is disabled)
●
The base station received an error signal from the transponder and further diagnostics continue returning the error
signal (timeout has been reached, the LF field is disabled)
●
The base station receives a command from BCM to disable the LF field
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
9
3.1.3
Transponder Configuration File
Initially the transponder is configured by programming its EEPROM configuration memory. The transponder secret keys
must be directly programmed during configuration using dedicated configuration memory commands.
Transponder device settings are stored in EEPROM page 1 and page 2 user data memory. Page 2 contains read-only
configuration parameters (data cannot be overwritten) and page 1 contains data protected with software and hardware locks
[2] which can be reconfigured using configuration commands.
Parameters flashed to the configuration memory in EEPROM page 2 include:
● User and transponder data settings
●
●
●
●
●
3.1.4
●
Default secret key (SK0-SK119)
●
Challenge, response length
●
Unique ID/serial #
Configuration register
●
Crypto Mode (CM): bilateral, unilateral
●
Data Check Disable (DCD)
●
Uplink Modulation (MOD) - Bi-phase/Manchester
●
Downlink Coding (DLP{1:0])
●
Key Select (KS)
●
Secure Key Transfer (SKT)
●
Fob power-up
BPLM, QPLM decoder threshold
Transponder damping level
Charge pump selection
WDT timeout (Watchdog timer register)
Authentication Sequences
The execution of authentication sequences is initiated upon reception of the Start_Authentication command. Once the
command is received, the CM bit in the configuration register determines the UA or BA authentication type and
Challenge_Length and Response_Length registers set challenge and response bit lengths respectively.
An example of a Unilateral Authentication (UA) sequence is shown in Figure 3-2 on page 11.
10
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
Figure 3-2. Unilateral Authentication Protocol
Authentication UA1
Key
Car
LF Field ON
Detection Header
Key
memory
Key
memory
8 + 0 bit
Key
memory
ID
8 + 32 + 8 bit
Read UID
Read UID
Cmd
ID
Random number
8 + 100 + 8 bit
Challenge
Challenge
AES-128 (enc.)
AES-128 (enc.)
8 + 56 + 8 bit
Response
=
Response
N
Y
Start Authentication
Cmd
VALID
STOP
OK, it is the
right key
Downlink = 124 bits = 31.7ms/47.6ms
Uplink = 120 bits = 30.7ms
Total = 78.3ms just LF bits worst case
3.1.5
Immobilizer Command Summary
The base station and the transponder communicate with each other via the LF downlinks and uplinks. The commands sent
by the base station cover a large functional domain and include commands to read device ID, start authentication sequence,
start key learn procedures, read status, and execute utility commands (Table 3-1).
Table 3-1.
Immobilizer Commands Overview
Command Class
Description
Notes
Reads unique transponder ID from EEPROM
Base station usually inquires for the
transponder ID at the beginning of the
authentication sequence.
Reads transponder status byte
In case the base station detects an error
condition (e.g. missing or incorrect data)
Start Authentication
Starts transponder authentication sequence based
on configuration stored in transponder EEPROM
Transponder reads its configuration memory
to execute this command (authentication
type, bit no., key, etc.)
Learn Secret Key1/2
Starts transponder Secret Key1 or Key2 learning
sequence
Transponder reads its configuration memory
to execute this command (learn sequence
type, key, etc.)
Sets transponder to enhanced mode
Enhanced mode is used to configure
transponder EEPROM while powered by an
external battery
Read UID
Read Error Status
Initiate Enhanced
Mode
Repeat Last Response Request to transponder to resend the last response
Used in retry strategy scenarios
Read User Memory
Reads a section of user memory placed in
transponder EEPROM
EEPROM address and data size is sent with
the command
Write User Memory
Writes a section of user memory into transponder
EEPROM
EEPROM address and data size is sent with
the command
Write Memory Access Writes transponder user memory access protection
Protection
for AP1, AP2, and AP3 sections.
Protects user memory against accidental
data overwrite
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
11
3.2
LF Link Overview
●
●
3.2.1
Downlink (base station to transponder unidirectional communication)
●
ASK modulation (VFLD can vary depending on modulation depth from VFLD undamped level down to ground)
●
BPLM, QPLM data encoding
●
BPLM data rate up to 5.2kBaud (BPLMD0 -> Tbit = 12  Tc + 12  Tc = 192µs,
●
QPLM data rate up to 8.9kBaud (QPLMD00 -> 2Tbit = 12  Tc + 16  Tc = 224µs)
Uplink (transponder to base station unidirectional communication)
●
ASK modulation (Vdamped, Vundamped)
●
Manchester, bi-phase encoding
●
Variable modulation depth available
●
Data rate up to 5.2kBaud (Tbit = 2  12Tc = 192µs)
LF Link Data Communication Protocol
The example below depicts a sample of a unilateral authentication data communication sequence with the base station:
1. At startup the transponder coil is energized for approx. 2ms and the transponder signal validated for another 2ms.
2.
Once validation is successful Cvdd is charged for approx. 2ms. At this time the transponder mode is acknowledged
and the transponder replies by sending its detection header.
3.
The base station transmits its 4-bit command followed by a 4-bit CRC value.
4.
The transponder receives the command and replies with a preamble followed by its 32-bit device ID.
5.
The base station sends a challenge followed by its CRC-8 value.
6.
The transponder encrypts the challenge using its internal AES-128 secret key.
7.
The transponder responds by sending the cipher data to the base station.
Figure 3-3. Immobilizer Protocol Example
BS
Field on, receiver active
Start up
LF field
connection
Transponder
detection
header
C buffer
change
Transponder detected, send
Gap in damped phase,
transmit command
During Stop condition switch to receive
and wait for ID
8-bit preamble + 32-bit of key + 8-bit CRC
4-bit command + 4-bit CRC
Mag. field
Power up and switch
to transponder mode
BS
With first gap stop modulating
and receive command
Transmit challenge
Switch to
receive
Read ID from EEPROM and send to BS
Receive response
8-bit preamble + 56-bit response + 8-bit CRC
100/120-bit challenge + 8-bit CRC
TP
12
Receive the challenge plain text
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
Encrypt
(AES)
Return encrypted response
3.3
Configuring and Operating the Transponder
The device is configured by the reset vector (i.e., POR is triggered) on power-up. The device may be powered in two
different ways:
1. VBAT: A battery is inserted between the VBAT and GND terminals. When powered initially by a battery with no
VFLD voltage detected, the device is configured in RKE mode: (1) the device checks if VFLD is detected, (2) if
VFLD=0, an RKE message data is assembled in data memory, (3) the device enters sleep mode to be awakened
by a pin-change interrupt to transmit the RKE data on the RF channel.
2.
VFLD: The device is placed in the LF field and VFLD voltage is detected at its coil inputs. VCC is ramped from 0 to
its nominal operating potential. When powered in this mode the device is configured as a transponder to execute
LF link commands (i.e., to receive LF data in transponder mode to support execution of LF downlink commands).
Figure 3-4. Device Initialization
Device Power-up
(VBAT or VFLD)
No
VFLD?
Yes
Enter RKE Mode
Enter TP Mode
Init LF-link
Init LF-link
Assemble RKE Msg.
Wait for TPGAP
Enter Sleep
Wait for Key Push
Execute LF-link command/protocol
Transmit RKE Message
3.3.1
Devices Utilizing Immobilizer Stack
By setting Interrupt Vector Select bit (IVSEL) to one and RESET fuse set to vector to immobilizer code section on reset, both
the interrupt vector table and the reset start program counter address are moved to the boot space memory. This facilitates
execution of the field voltage check and transponder initialization from the boot sector memory on power-up. Once VFLD
check is executed the program control remains either in the immobilizer code section if VFLD is detected or is passed to the
RKE application code (see Figure 3-4 above).
3.3.2
Transponder Initialization
The transponder LF communication is enabled only in transponder mode.
Normally when the LF field is detected and the LF signal is qualified to be the valid LF field source, the setup power-up
condition must be satisfied to qualify a valid transponder signal (i.e. Tsetup = ~3ms, Ttp = 1ms, Tcharge = 1ms).
Only after this validation, a reset is generated and the VDD source can be switched from VBAT to VFLD to support the
passive mode of operation.
Once the transponder mode is acknowledged the LF link is established.
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
13
3.3.3
Power Modes
The transponder can be operated either as a passive or an active device. The Transponder Power Supply Disable bit
(TPPSD) in the TPCR register controls the source of device power supply during initialization at power-up.
The device is set to passive mode when TPPSD=0 (default) in the TPCR register during initialization. Once this bit is read by
the internal transponder logic at the initialization phase the device will remain in passive mode until the device leaves the
transponder mode (e.g., the field voltage is removed or device reset is triggered).
During the reset vector routine, the transponder mode must be acknowledged while in passive operation. The transponder
mode must be acknowledged while in active operation (VDD=VBAT) by using Transponder Mode Interrupt TPINT.
See Table 3-2 for more details.
Table 3-2.
Active versus Passive Mode
Characteristic
VDD switching
Active Mode (TPPSD=1)
(1)
Reset upon entering transponder mode
Transponder Active (TPA bit in TPFR)
TP IRQ
DebugWIRE
IO ports
Notes: 1.
Passive Mode (TPPSD=0)
enabled
No
Yes
TPA=1
TPA=1
Enabled
Acknowledge TP Mode
TPINT interrupt
Disabled
(3)
Enabled
Reset Vector (at init)
Enabled(4)
Enabled
Disabled
Device can switch its power source when entering transponder operating mode based on TPPSD bit setting
2.
Must assert TPSSD to disable VDD switching
3.
No reset is generated when entering transponder operating mode during active operation
4.
External power supply must be provided to VBAT pin in passive mode
Note:
3.4
disabled
(2)
With the power switching disabled Atmel® ATA5795 does not generate a reset when entering transponder
mode. The transponder continues to be supplied by battery voltage and continues its normal program
execution.
Immobilizer Performance
The immobilizer system coupling factor has a determining effect on the immobilizer performance as a whole. The coupling
factor is influenced by many parameters which consist of a base station transceiver IC with coil, the transponder unit with
coil, and their operating physical environment (e.g. ignition lock casing material, transponder setting and its material,
distance between coils, coil size, coil material, Q factors, etc.).
3.4.1
Magnetic Coupling
By definition the coupling factor k is a magnetic field coil-to-coil coupling parameter depending, among many other factors,
on many physical and electrical parameters such as the reader and transponder coils dimensions, inductance, coils
orientation with respect to each other and the distance between them. Larger cross-section iron core transponder coils
improve magnetic coupling and extend operating range. Their large Q factors when correctly tuned to the base station carrier
frequency can greatly extend key fob operating range. The base station load current and the supply voltage amplitude can
also increase the magnetic field generated by the base station coil.
In RFID systems the coupling factor can be determined by measuring the voltage of the reader and transponder coil. A basic
coupling factor can be measured by measuring transponder coil voltage Vtp with its oscillating tank capacitor and
transponder removed (see Formula 1 below).
Formula 1
V Tag
L Reader
k  -----------------  ---------------V Reader
L Tag
14
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
●
●
●
●
●
k: coupling factor
VTag: transponder voltage
VReader: reader voltage
LReader: reader inductance
LTag: transponder inductance
Transponder parasitic loading effects on the coupling can be included in the coupling calculation according to the circuit
shown in Figure 3-5. Formula 2 can also be used to incorporate transponder loading effects of the transponder coil. The
loading normally includes a resistive current load and a parasitic capacitance.
Formula 2
V Tag
L Reader
k  A k  -----------------  ---------------V Reader
L Tag
A parasitic loading constant Ak is dependent on the parasitic load values of a transponder. Its value for a typical coil and the
transponder input is determined as Ak = 0.92 for a capacitive load of approx. 10-12pF.
Figure 3-5. Coupling Factor Measurement Circuit
Reader Antenna Coil
Transponder Antenna Coil
k
Coil1
+
RRD
LRD
RPAR
VTP
LTP
CPAR
-
Coil2
CRD
Input
Demod
The chart below shows a transponder-to-reader coupling variance for a set of measurements. Four base station/transponder
coil combinations were used. Base station coils consist of (1) 40mm Rehfeld with L = 646µH coil and (2) 80mm Tranex with
L = 738µH coils. The two transponder coils include (1) Kaschke/L = 2.45mH and (2) TR1103/L = 5.1mH coils; both use
ferrite cores. With the best coupling measured directly at the base station coil center (d = 0cm), for every coil combination
the coupling factor k drops rapidly to approximately k = 1% at a distance of ~4cm. The coupling drops more gradually as the
distance from the base station coil increases.
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
15
Figure 3-6. Measured Coupling Factors for Immobilizer System
9
Coupling Factor (%)
8
7
6
Lr = Rehfeld, Lt = 2.45mH
5
Lr =Rehfeld, Lt = 5.1mH
Lr = 738μH, Lt = 2.45mH
4
Lr = 738μH, Lt = 5.1mH
3
2
1
0
0
0.02
0.04
0.06
0.08
0.1
Distance d (m)
3.4.2
Minimum Coupling Factor
A minimum coupling factor kmin specified for an immobilizer can be used as a system performance parameter. As it is
primarily based on immobilizer system electrical and physical characteristics, it is also an indicator of the transponder
performance. To measure a minimum coupling factor a series of communication rounds were executed for a fixed set of
system parameters which include coil types, reader coil current, and a transponder environment. The transponder coil was
placed at various distances from the reader coil while executing the immobilizer communication sequence. The minimum
coupling was calculated at the most distant point from the reader with the functional communication link. The transponder
and the reader coil voltages were measured at the farthest distance from the reader coil with the transponder and the tank
capacitor disconnected (see Figure 3-5 on page 15). The coupling factor for open and loaded transponder oscillator tank can
be calculated using Formula 1 and Formula 2 respectively. Sample measurements of the minimum coupling factor for some
coil combinations are listed in Table 3-3.
Table 3-3.
Minimum Coupling Factors for Atmel ATA5795(1)
RD Coil
TP Coil
V_RD [V]
V_TP [V]
Operating
Range [cm]
Kmin (open)(2)
[%]
Kmin (loaded)(3)
[%]
Wagner
(L = 745µH)
Premo TR1102
(2.38mH)
120.3
2.06
2.9
0.96
0.88
Wagner
Kaschke
113.7
1.68
3.6
0.83
0.76
(L = 745µH)
(2.34mH)
Notes: 1. The transponder consists of the Atmel ATA5795 device programmed with Open Source License AES-128
Immobilizer Protocol Stack firmware executing BA authentication protocol
3.4.3
2.
Minimum coupling does not include load parasitics
3.
Minimum coupling includes load parasitics
Data Link Quality
One of the factors which increases energy and data coupling performance for a contactless passive transponder is to
increase antenna quality factors Q as indicated in the formula below.
Formula 3
XL
Im  Z 
Q coil = ------- = ----------------R
Re  Z 
Transponder antenna Q can be increased by using larger ferrite core-based coils. By tuning the transponder oscillating
circuit to within 1-2% of base station Fc, much greater VTag voltages can also be induced.
16
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
The reader coil Q factor is not only dependent on coil inductance but also on its coil's loss resistance and iron losses of the
coil when it is mounted on a lock cylinder. Inserting a series resistor into the antenna coil circuit makes the coil circuit more
resilient and reduces negative effects of the lock cylinder material. Reader coils with high Q values improve energy
transmission but their transient response may have a negative effect on the data signal quality. It is generally recommended
that Q factors of no more than 15 be used in the reader coil designs. Medium Q values provide a good tradeoff between
acceptable energy coupling and good data integrity between the reader and the transponder units.
3.4.4
Modulation Depth
To extend transponder operating range for uplink communication, Atmel® ATA5795 modulation depth level can be increased
by setting transponder modulation depth bits from their default setting TPMD=00 to TPMS=01.
3.5
Transponder Communication Examples
The chart below depicts a captured challenge response protocol signaling in passive mode. The transponder coil voltage
V4P is shown in green and VCC charge storage capacitor is shown as a yellow trace. Upon transponder startup, the VCC
charges rapidly and the challenge 128-bit BPLM modulated data is sent after 10ms. The transponder receives the data,
encrypts it and responds with a 128-bit response (50% modulation depth).
Figure 3-7. Immobilizer Challenge Response Scope Trace
Figure 3-8. Transponder Startup Timing and BPLM Data Encoding Using Downlink
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
17
4.
Remote Keyless Entry Operation
Main RKE functionality:
● Secure authentication cipher based protocol
●
●
4.1
Physical user interface includes push button controls
Flexible RF link frequency in 315MHz to 430MHz ISM band
RKE Fob Control
The top-level RKE module software architecture block diagram below depicts main functional steps while the device is in the
RKE mode.
RKE mode setup and operation overview sequence of events:
1. The battery is inserted and the reset is triggered (POR)
2.
The fob is initialized
3.
The RKE message is assembled and stored in data memory
4.
Sleep mode is activated (device enters power-save mode)
5.
Push button event triggers an MCU wake-up event
6.
Wake-up event is decoded
7.
Event decoded command is selected
8.
RF transmitter is enabled and configured
9.
The RKE message is transmitted
10. Upon message transmission the unit assembles a new message and enters power-save sleep mode
Figure 4-1. RKE Mode Flow Diagram
Insert Battery
RESET
Fob Init
Assemble RKE Msg.
Enter Sleep
LF Field
LF Field
LF Field
Push Button
(Pin Change IRQ)
Decode UI Command
Configure RF Transmitter
Transmit Msg.
18
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
LF Field
LF Field
LF Field
Execute IMMO Code
4.2
Physical User Interface
The programmable UI used in RKE mode which is based on any physical external triggers may include push buttons or
touch sensors or other stimulus to communicate external events to the key fob MCU.
There are a total of 16 GPIO pins capable of generating pin-change interrupts to the MCU.
Note:
4.3
Device GPIO pins are only enabled in RKE operating mode. All GPIO pins are disabled in passive transponder
operating mode.
RF Link Implementation
The RF uplink is established at the selected carrier frequency (Fc) using either ASK or FSK modulation. The message data
which includes a vehicle command and an authentication data is assembled by the RKE application software module and is
sent via the RF uplink as a unidirectional data transfer.
4.3.1
RF Communication Protocol
The protocol is based on a unidirectional RF link which is transmitted from the key fob to the vehicle. It incorporates a secure
rolling code algorithm where each message is unique in a sense that it includes an incrementing (rolling) counter value.
Each message consists of the following:
● Unique ID
●
●
●
●
4.3.2
Command code
Counter value code
Message Authentication Code (MAC)
Data integrity CRC-8 code
RKE Message Generation
When generating RKE message data the following must be considered:
● Protocol security:
●
●
Message uniqueness
●
Integrated MAC based on AES-128 cipher algorithm
Power consumption
Each key fob must be uniquely identified using its unique ID number. The (32-bit) UID value is transmitted in the message to
identify a key fob/vehicle match.
The key fob must also be able to send system commands to the vehicle. A command set based on 8-bit values in the
command field is sufficient for most applications.
The issue of protocol security deals with a system's immunity to scan or dictionary attacks. Scan attacks target the
transmission of a high volume of data and simply scan the contents for values in the payload until the right code is accepted.
A dictionary attack is based on storing part of the code and predicting the rest of the message (looking it up in the dictionary
of codes) based on stored dictionary results of previously captured combinations from the real authentication sequences.
A rolling counter algorithm shows a high degree of immunity to existing protocol attacks. This algorithm is based on using an
incrementing binary value which is encapsulated in the MAC frame. Each time a new outgoing message is transmitted a new
MAC frame is calculated based on the new counter value.
When selecting the size for the sequential counter the window of acceptance values selected by the receiver must be
considered. Normally this window must be a small fraction of the full counter range so when the transmitter and receiver
counters are slightly off but still within the window the fob can still be authenticated. In most cases a 4-byte counter value
provides ample resolution. To ease synchronization in case of a discrepancy (e.g., transmitter counter value is incremented
without receiver's acknowledgement), the receiver can set its window value to not exceed the maximum of a 100 steps
according to [5].
The MAC which is encapsulated in every message is an encrypted string of UID, CMD, and CNTRL values. When encrypting
with an AES-128 hardware-based module, the cipher data can be truncated to provide adequate bit security for a MAC.
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
19
Shown below is an example of an 18-byte RKE outgoing message payload. It consists of a user ID (UID, 32b), a command
(CMD, 8b), a rolling counter (CNTR, 32b), a MAC value (56b) based on the AES-128 encryption algorithm and a checksum
(CRC-8, 8b). To compute a MAC value a text message data is assembled as input text {UID, CMD, CNTR, <FillData>} to the
cipher module and then its cipher is generated. The input text can be padded either with, for example, zeros or UID values to
fill the input text to a 128-bit block size.
Table 4-1.
4.3.3
RKE Message Payload
Byte No.
Data Type
Description
1-4
UID(32b)
32-bit unique device ID
8-bit command
5
CMD(8b)
6-9
CNTR(32b)
32-bit counter value
10-17
MAC(56b)
Option A: EncAES-128((UID, CMD, CNTR, 056), 56)
Option B: EncAES-128((UID, CMD, CNTR, UID, UID24), 56)
18
CRC-8
Payload data checksum
RF Link Signaling
An RF link message is characterized by having high degree of security properties while transmitting its payload data with as
little power as possible. A typical RF link signaling consists of two signaling phases: a preamble and a payload phase.
The preamble is primarily used to synchronize a receiver with an upcoming data stream. The preamble can be made of
Manchester modulated string of 1s such as {01010101 ... 01010101} with an integrated synchronization bit change and/or a
header frame, e.g., {0101, 0110}.
The payload phase directly follows the preamble phase and it may consist of a header data frame (also used for
synchronization) and a payload data frame which includes the RKE message data (see Figure 4-2).
Figure 4-2. RKE Message Format
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
Size = 18 Bytes
CRC-8 (8b)
MAC (56b)
CNTRL (32b)
0x55
0x55
0x55
0x55
0X56
0x55
0x55
0x55
0x55
Tpreamble
20
CMD (8b)
Message Payload
(per byte)
UID (32b)
Preamble
(per byte)
4.3.3.1 Data Preamble
It precedes the transmission of the actual data phase and it consists of a series of alternating 1s and 0s. The data is used as
a token for a receiver wake-up to detect an incoming data string. The length of the preamble phase largely depends on the
receiver type and the wake-up method used. Atmel receivers (e.g., ATA5745/46, see [6]) use a polling cycle, TPolling where
the receiver front end is set up to poll for incoming RF signals (i.e., it is continuously switched on and off to reduce average
power consumption). When the receiver is in active mode it collects a few sample points (e.g., a Manchester modulated '1'
which corresponds to a '01' data sequence). Once the preamble signal is recognized, the receiver remains in active mode to
synchronize with header data and subsequently receive the message payload.
When a polling mode is used, this signaling affects the power consumption of the transmitter and receiver. The length of the
preamble is largely based on the maximum value of the receiver polling current. The polling cycle is based on the data
preamble time directly. The preamble time must be set in a way that the RF receiver standby time (TStandby) is significantly
larger than receiver active operating time (Tact) during signal polling such that,
TStandby >> Tact
To minimize the polling current, the receiver must spend most of its polling cycle time in standby mode.
A typical Tact = ~1ms and consists of a PLL startup interval, signal processing startup and a bit check interval. The standby
time, TStandby, on the other hand can be set based on the polling period which is determined by the average power of the
receiver in the polling mode. Generally the preamble interval is selected such that
TPreamble > Tpoll + Tbit-check
where
Tpoll = TStandby + Tact
and
Tbit-check is set to the time it takes to transmit one data bit (1/BR)
For a 315MHz RF receiver, the Atmel ATA5746 application with bit rate (BR) = 9.6kbits/s, Tpoll = 8ms and Tact = ~1ms, the
preamble interval TPreamble must be greater than 8.2ms to guarantee that the preamble is correctly detected by the receiver.
Note:
ASK modulation can be used to reduce power consumption during the preamble phase. Then once the preamble data is sent the payload data can be FSK modulated.
4.3.3.2 Payload Data
Payload data follows the preamble and the header data (if transmitted). It contains the actual RKE payload message.
Modulated 18-byte data consists of UID, CMD, CNTR, MAC and CRC frames all transmitted in sequence.
A sample RKE message with preamble:
● Preamble time = 8.2ms
●
●
●
●
●
●
●
●
Note:
Data length = 18 bytes
Baud rate = 9.6kB/s
MAC length = 56 bits
Modulation = ASK (preamble), FSK (payload data)
Data encoding = Manchester
Payload data transmission time = 18 8 (1/BR) = 15ms
Total RKE message transmission time = 8.2ms + 15ms = ~23.2ms
Power consumption (at 9.5dBm) < 12mA
Transmission time and power consumption can be reduced by increasing the baud rate.
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
21
4.3.4
Configuring the RF Transmitter
The RF transmitter is serially configurable at power-up using an SSI interface. The hardwired connections between the GP
port pins and the RF transmitter IF are shown in Table 4-2.
The serial data is shifted into the configuration register using the PC3/TM1 output port. The serial clock is driven out on
PC4/TM2. During configuration and data transmission the RF transmitter is enabled via a PC1 enable signal.
Configuring the RF transmitter:
1. Set PC2, PC3 and PC4 as outputs
2.
Assemble 32-bit RF receiver configuration settings (see next section)
3.
Use Timer2/Timer Modulator to transmit serial clock and a serial data generator on PC3 and PC4
a.
Configure TMR2 in compare mode and set BR=9600 (load T2COR register)
b.
Enable SCLK on PC4, S0 on PC3
c.
Set TMCPOL (clocks SO data on SCLK f.e.)
d.
Configure Timing Modulator
e.
Enable Timing Modulator (set the TMSSIE bit twice in the TMCR register to remove insertion of sync delay
which can add up to four SCLK periods before startup) and then Timer2
4.
Load the TMDR 8-bit buffer four times with configuration bytes to transmit a 32-bit configuration word (use SSI
Buffer Empty IRQ)
5.
The SDIN data is clocked in on the falling edge of the SCK clock into the configuration register.
Figure 4-3. Transmitting Serial Data into the Transmitter Configuration Register
Table 4-2.
22
Transmitter Port IO
Transmitter Port
Data Port
CLK (OUT)
PC2/ECIN1 (IN)
CLK output from the RF transmitter can be used as a system clock
input on PC2.
SDIN (IN)
PC3/TM1 (OUT)
Transmitter serial data input port (SDIN) is connected to TM1
output.
SCK (IN).
PC4/TM2(OUT)
Transmitter Serial Clock Input (SCK) port is connected to TM2
output.
EN (IN)
PC1 (OUT)
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
Description
Transmitter Enable (EN) input is connected directly to PC1 output.
4.3.4.1 Configuration Register Settings
The RF transmitter must be configured at power-up by shifting a 32-bit configuration word into its configuration register MSB
first. All soft configurable parameters are set this way. If a parameter needs changing during operation, a new configuration
word must be retransmitted with the new parameter changed. Selectable RF transmitter parameters:
FREQ[14:0] and 434_N315 bits set the RF carrier frequency. Fine frequency tuning step size can be achieved (step size =
793Hz) with an external 13MHz XTL. A new device RF frequency can also be selected by rewriting the FREQ[14:0] value to
change to a new carrier frequency after PLL lock time (~98.46µs).
Example:
For conRF_Freq = 433.92MHz, conRF_crystal = 13MHz, conRF_FSEP = 64
FREQ = (conRF_Freq / conRF_crystal – 32.5)  16384 – conRF_FSEP/2 – 0.5
FREQ = 14360
FSEP[7:0] sets the FSK frequency deviation. The frequency deviation can range from ±396Hz to ±101KHz in ±396Hz steps
for Fxto = 13MHz.
Example:
For FSEP = 64 and Fxto = 13MHz
Fdev = (FSEP/32768) Fxto = ±25.39kHz
ASK_NFSK bit selects ASK vs. FSK modulation. In FSK mode the digital input on SIN_TXDIN is frequency modulated
where a digital high level ('1') corresponds to the upper FSK frequency (FRF-High) and a low ('0') to the lower FSK frequency
(FRF-Low). In ASK mode a low corresponds to no RF signal and a high corresponds to the output signal present at FASK-Carrier.
PWR[3:0] bits set the RF output power. It is user programmable from its min. power setting –0.5dBm (PWR = 3) to its max.
of +12.5dBm (PWR = 15). Depending on the RF link quality the output power may be traded off for reduced power
consumption.
CLK_ON, DIV_CNTRL bits enable the divided system clock on CLK output pin. With CLK_ON = 1 and DIV_CNTRL = 0, the
system clock on CLK output pin is divided by 4 (CLK = SYSCLK/4) when DIV_CNTRL = 1, the system clock is divided by 8
(CLK = SYSCLK/8). When the CLK output pin is not used as a clock source, the CLK_ON bit can be disabled to reduce
power consumption.
The CLK_ONLY bit enables CLK_ONLY mode. With this bit set the device is powered down (this includes the PLL and PA)
with the clock oscillator divider driving the CLK output pin, which can be used by external circuitry when the device is
enabled. This feature is a power-saving feature when the clock needs to be generated without enabling the PLL and PA
circuits.
Note:
Before passing any data to the transmitter for RF transmission, the device must be serially programmed via its
32-bit configuration register after setting Transmitter Enable (EN).Before passing any data to the transmitter for
RF transmission, the device must be serially programmed via its 32-bit configuration register after setting EN
pin.
Table 4-3.
Example Configuration Register Settings
BYTE3[31:24}
- CLK_ONLY = 0 (disable clock only mode)
- S434-N315 = 1 (select Fc = 433.92MHz band)
- FREQ[14:9]
BYTE2[23:16]
- FREQ[8:1]
BYTE1[15:8]
- FREQ[0]
- FREQ[14:0] (set FREQ = 14360 for Fc = 433.92MHz)
- FSEP[7:1]
BYTE0[7:0]
- FSEP[0]
- FSEP[7:1] (set FSEP = 64 for ±25.39kHz)
- DIV_CNTRL = 0 (doesn't care if CLK_ON = 0)
- PWR[3:0] = 12 (sets PWR = 12 for Pout = +9.5dBm)
- ASK-NFSK = 0 (selects FSK modulation)
- CLK_ON = 0 (disable CLK output to save power)
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
23
4.3.5
Transmitting RF Data
When the configuration is complete SDIN_TXDIN port is used as a modulation input to send payload data to the RF
transmitter. The data transmission can start after the external oscillator (TXTO) and the PLL (TPLL) startup times have
expired. The payload is modulated and transmitted at the rate the modulation data is driven onto the TXDIN port. Up to
40kbaud of payload data can be transmitted in ASK or FSK mode.
SCK input is a “don't care” and does not have any function after the device is configured via its configuration register.
After the payload data is transmitted the RF transmitter is disabled by driving a low on the enable (EN = 0) and the data input
ports (SDIN_TXDIN = 0).
Shown below is the RF transmitted power spectrum for the FSK modulated output signal at Fc = 433.92MHz with
Fdev = ±25.39kHz at Pout = +9.5dBm.
Figure 4-4. RF Power Output
24
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
5.
References
1.
Embedded Atmel® AVR® Microcontroller including RF Transmitter and Immobilizer LF Functionality for Remote
Keyless Entry, ATA5795 Datasheet. Atmel 2010
2.
Open Source License AES-128 Immobilizer Protocol Stack, Atmel 2010
3.
Electronic Immobilizers for the Automotive Industry, Atmel Application Note, 06/2003
4.
FIPS Publication 180-2, Secure Hash Standard (SHS), U.S. DoC/NIST, August 2002 http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
5.
FIPS Publication 198, The Keyed-Hash Message Authentication Code (HMAC), U.S. DoC/NIST, March 6, 2002
http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
6.
Application Note AVR411: Secure Rolling Code Algorithm for Wireless Link, Atmel 2006
7.
Atmel Datasheet, UHF ASK/FSK Receiver, ATA5743/44/45. Ref.: 4839B-RKE-08/05
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
25
6.
APPENDIX A: Key Fob Application PCB Schematic
Figure 6-1. Key Fob Application PCB Schematic
L1b
Q1a
C5
15pF
C6
2.35mH
L1
A4P
1
VBAT
VBAT GND
15p
VBAT
C2
2.35mH
Q1
13.0MHz
RL1
68nF
10
4
3
2
VBAT
PD0
PD0
1
TME
5
XTO1
9
VBAT
6
VSRF
2
7
GNDRF
-
8
PC0
C3
100nF
A4P
1
BA20328M
VBAT
C4
A4N
+
NRES
PC0
CL1
680pF
NRESET
VBAT
32
PB6
31
PB6
PB7
30
PB7
PB0
11
C1
100nF
PD1
PD1
12
U1
ATA5795
PD2
PD2
13
VCC
PB0
29
ANT1
28
14
XTAL1
27
PB1
26
PB1
XTAL2
PB2
25
PB2
PB3
PD3
PD4
PD5
PD6
PD7
PB4
16
L3
C8
C7
ANT2
PB5
Q2
L2
GND
15
Q2a
1nF
XTO2
C9
C10
C11
32.768kHz
17 18 19 20 21 22 23 24
PB7
PC0
PB7 PB0
PC0 PB6
PB0
PB6
PB5
PD7
PB4
PD5
PD6
PD3
PD4
4
1
2
1kΩ
4
LED
PB6
S3
1
R1
PD0
S2
3
3
LD1
PB3
PB7
2
PD3
PD5
PD7
PB5
PD2
S1
3
4
1
2
PB5
PD3
PD5
PD7
PB5
PD2
PD4
PD6
PB4
PD0
PD1
PD4
PD6
PB4
PD0
PD1
VBAT
PB3
PD5
NRES
PD4
PD6
5 3 3 3 5 5 3 5
ISP
X1
A1 A3 A3 A1 A3 A1 A3 A1
PB2
NRES
PB3
26
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
PD7
PD6
PD3
XISP1
PB1
PD0
7.
Appendix B: Key Fob Application PCB BOM
Table 7-1.
Component List Application Receiver Board Atmel ATA5795 (433MHz + 315MHz)
Components
315MHz
433.92MHz
U1
X
X
RL1
Value
Material/Series
Manufacturer
ATA5795
Atmel
n.m.
R1
X
X
560R
SMD 0603
Standard
C1
X
X
100nF
SMD 0603/X7R/10%
e.g., Murata
C2
X
X
68nF
SMD 0603/X7R/10%
e.g., Murata
C3
X
X
100nF
SMD 0603/X7R/10%
e.g., Murata
C4
X
X
1nF
SMD 0603/X7R/10%
e.g., Murata
C5, C6
X
X
15pF
SMD 0603/COG/2%
e.g., Murata
X
3.9pF
SMD 0603/COG/5%
e.g., Murata
18pF
SMD 0603/COG/5%
e.g., Murata
27pF
SMD 0603/COG/5%
e.g., Murata
82pF
SMD 0603/COG/5%
e.g., Murata
39pF
SMD 0603/COG/5%
e.g., Murata
82pF
SMD 0603/COG/5%
e.g., Murata
X
3pF
SMD 0603/COG/5%
e.g., Murata
5pF
SMD 0603/COG/5%
e.g., Murata
X
2.2pF
SMD 0603/COG/5%
e.g., Murata
8.2pF
SMD 0603/COG/5%
e.g., Murata
SMD 0603/COG/2%
e.g., Murata
DR-T 3.8/1.55/15
Kaschke
B82450A2364A
EPCOS
C7
C8
C9
C10
C11
X
X
X
X
X
X
X
CL1
X
X
680pF
L1
X
X
2.35mH
X
27nH
SMD 0603/2%
47nH
SMD 0603/2%
12nH
SMD 0603/2%
27nH
SMD 0603/2%
L2
L3
Q1
X
X
X
X
e.g., Coilcraft/Würth
13,000kHz
KSS: CX5032SA Or. No.:
KSS (Kyocera Kinseki)
KB101-05236-221
13,000MHz
KDS: DSX531S Or. No.:
1BR13000CF0A
n.m.
32,768kHz
X
Q2
e.g., Coilcraft/Würth
KDS (Daishinku
Corporation)
LD1
X
X
LED, green, 2mA, 1.7V
SMD 0603/654-4304
e.g., RS
GND
X
X
Probe point black
Or. No.: 262-2179
e.g., RS
VCC
X
X
Probe Point red
Or. No.: 262-2185
e.g., RS
A4P
X
X
Probe Point green
Or. No.: 262-2191
e.g., RS
PD0-7 + PB4-5
n.m.
Header 2x5pole
Or. No.: 1002-171-010
e.g., CAB
PB0 + PB6-7 +
PC0
n.m.
Header 2x2pole
Or. No.: 1002-171-004
e.g., CAB
ATA5795-EK1
V1.2, 1.2mm, FR4, blue
PCB
X
X
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
27
8.
APPENDIX C: LF Downlink Initialization Example
/********************************************************
Function:
Config_LF_RX_VBAT(void)
Descr:
Sets up the LF downlink to receive BPLM data using SW decoder in Passive Mode
Sets up AFE and TMR3.
********************************************************/
void Config_LF_RX_BPLM_SW(void)
{
PRR1 = 0x00;
// Disable PRR for SPI and AFE
PowerSaveMode;
// Enter Power-Save Mode
// Config TMR3 in Input Capture.
ClearBit(PRR0,PRT3);
// Enable T3_Clk
T3CR = (1<<T3RES);
// TMR3 Reset
T3MRA =
((1<<T3ICS1)|\
(1<<T3CNC) | \
(1<<T3CE0)| \
(1<<T3CS1));
// In_capture=GAP, enable IC
glitch filter,
// capture r.e., T3_clock=SRC(CLK125kHz)
T3MRB =0;
// No prescaler
T3IFR=0x07;
// reset all timer interrupt flags
T3CR = (0 | (1<<T3CPRM));
// reset timer, enable capture reset
T3IMR = (0 | (1<<T3CPIM));
// Enable TMR3 IC IRQ
// Set up global variables
ucLF_FirstEdge=0;
// reset first bit flag
ucLF_ByteNr =0;
// reset Byte pointer
ucLF_BitNr =0;
// reset Bit pointer
ucNewLfTime=0;
ucLF_Flags=1;
// Set LF Field present flag
SetBit(T3CR, T3E);
// enable Timer3
}
/********************************************************
Function:
Config_LF_RX_BPLM(void)
Descr:
Set up the LF downlink to receive BPLM data using HW decoder in Passive Mode
Sets up AFE, TMR3, TM, EE
********************************************************/
void Config_LF_RX_BPLM_HW(void)
{
// Config AFE
PRR1 = 0x00;
// enable SPI and AFE clocks
TPCR |= (1<<TPMD0);
// select TP Modulation Damping Level
(TPMD=01)
SetBit(TPIMR,TPIM);
// enable TPINT IRQ mask
28
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
// Config TMR3
PRR0 &= ~(1<<PRT3);
T3CR= (1<<T3RES);
T3CR=
T3MRA=
((1<<T3CPTM)
(1<<T3CPRM)
(1<<T3CRM));
((1<<T3ICS1)
(1<<T3CE0)
(1<<T3CS0));
T3MRB=0x00;
// TMR3 Reset
|\
|\
// CLKT3 output, reset on IC and OC
| \
|\
// IC=TPGAP, {T3CNC=0 --> No glitch filter
// IC=r.e., T3_Clk=CLKFC
// No prescaler
// Tb0=12*Fclk, Tb1=20*Fclk, Tgap=12*Fclk
// T3COR=0x0F;
// OCR=d15
// Tb0=16*Fclk,
// Tb1=32*Fclk -> T3 Compare Match Interrupt vectors when Binary_1 is detected
// Tgap=16*Fclk
T3COR=0x16;
// OCR=d22
T3IFR=0x07;
// Reset all timer interrupt flags
T3IMR=(1<<T3CPIM);
// Enable TMR3 IC IRQ
// Config Timer Modulator
ClearBit(PRR0,PRTM);
TMMR=((1<<TMMS0)|(1<<MSCS0));
TMIFR=0x1F;
TMCR=((1<<TMSSIE)|(1<<TMCPOL));
// Enable Timer Modulator IF Clock
// BPLM: Enable DM3S output, CLK_T3
// Enable TM, clock polarity (1st clk is
active)
TMCR=((1<<TMSSIE)|(1<<TMCPOL));
// Config. EEPROM
EEPR |= 1;
EEARH =0x3;
EEARL =0xC0;
// Enable Timer3
SetBit(T3CR, T3E);
SetBit(T3CR, T3E);
ucIndex=0;
ucLF_RX_Data[ucIndex]
ucLF_BitNr=0;
ucLF_ByteNr=0;
}
// Enable access to block AP0 (Secret Key
Block)
// Set EEaddr=0x03C0
// Enable Timer3 (2x)
// Clear RX Data array index for
// Synonymous with TPGAP counter
// Reset the byte pointer
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
29
9.
APPENDIX D: Immobilizer Protocol Example
/********************************************************
This C source code (example only) lists a challenge response immobilizer protocol when
executed in passive mode using ATA5795 (based on IAR CC). For the sake of simplicity no
command frame or response frame is included as described in the stack immobilizer SW. It
shows basic device configuration, RX, cipher and TX routines as they may be implemented to
support execution of a real authentication protocol.
a. Initialize device and peripherals (use SW or HW BPLM decoder in passive mode)
b. Execute Challenge - Response protocol
- Receive challenge data (RX data)
- Encrypt challenge data using AES HW module
- Transmit cipher data (TX data)
c. Exit transponder mode. Wait for TPA bit to clear when VFLD is switched off.
*********************************************************/
void Immo_VFLD_Mode(void)
{
if (RX_Decoder==0x00)
// Check if SW decoder selected
{
Config_LF_RX_BPLM_SW();
// Configure device to receive BPLM data in
SW
}
else if (RX_Decoder==0x01)
// Check if HW decoder selected
{
Config_LF_RX_BPLM_HW();
// Configure device to receive BPLM data in
HW
}
__enable_interrupt();
// Execute immobilizer protocol: receive, encrypt and transmit data
LF_ChalResp128b128b();
/* Execute example Challenge-Response
protocol using
128b/AES/128b (1) Receive 128b, (2) Encrypt
AES,
(3) Transmit 128b */
// Wait until last TMDR buffer data is transmitted
PRR0 = (0 << PRT1);
// Enable TMR1
SRC_ms_Wait(20);
// Insert a delay (TMR1). Allows last byte
transmission.
// Reset AFE
ClearBit(TPCR, TPMA);
// Wait until LF field is switched off (generates a hard reset)
do
{
__no_operation();
} while ((TPFR & (1<<TPA)) !=0);
} //End Immo_VFLD_Mode
30
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
/********************************************************
Function:
LF_ChalResp128b128b
Descr:
Execute Challenge-Response using 128b-128b
a. Receive 128b
b. Encrypt using AES HW module
c. Transmit 128b
********************************************************/
void LF_ChalResp128b128b(void)
{
unsigned char TxBuf;
static unsigned char temp, EEByte=0x34, EEAddr=0x000;
SMCR=((1<<SM1)|(1<<SM0)|(1<<SE));
// Set for Power Save Sleep Mode
// Detect decoder type, execute corresponding RX routine
if (RX_Decoder==0x00)
// Detect if SW decoder selected
{
// Receive RX data using SW decoder
RX_Data_LFLINK_BPLM_SW(&ucLF_RX_Data[0]);
}
else if (RX_Decoder==0x01)
// Detect if HW decoder selected
{
SysClkDiv1();
// Set SysClk=4MHz
RX_Data_LFLINK_BPLM_HW(); // Receive and decode BPLM data in HW
SysClkDiv8();
// Set SysClk=500kHz
}
}
ClearBit(T3CR, T3E);
// Disable T3
//Encrypt RX data
SMCR=((1<<SM1)|(1<<SM0)|(1<<SE));;
AES_Init();
Assemble_ChalResp(ucLF_RX_Data);
// Set for Power-Save Sleep Mode
// Init AES block
// Compute cipher and save in the array
//Ramp up VFLD to undamped level(reduces VFLD slew for K<1%)
TPCR |= (1<<TPMOD);
// Insert a Wait-State delay (use TMR1). Orig. Tdelay=3msec
SRC_ms_Wait(3);
// SRC_ms_Wait(N) where N=integer,
Tdel=N*1.024msec
Config_LF_TX();
// Config T2/TM to drive LF TX data
// TX Preamble data (0x00, 1byte). Inserts start-up time before header data.
TxBuf = ManData((0x00 & 0xF0)>>4);
// Encode MS nibble (use 4 lsbs)
WriteSSITxBuf(TxBuf);
// Load byte into TMDR reg.
TxBuf = ManData((0x00 & 0x0F));
// Encode LS nibble (use 4 lsbs)
WriteSSITxBuf(TxBuf);
// Load byte into TMDR reg.
// TX Header data (0x02, 1 Byte). Sync data with a bit change (Manchester)
TxBuf = ManData((TX_HEADER & 0xF0)>>4);
// Encode MS nibble (use 4 lsbs)
WriteSSITxBuf(TxBuf);
TxBuf = ManData((TX_HEADER & 0x0F));
// Encode LS nibble (use 4 lsbs)
WriteSSITxBuf(TxBuf);
// Read AES cipher data and transmit it using SSI
TX_Cipher_Data();
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
31
/* Replace by T3 timeout interrupt */
// Wait until all data is transmitted
PRR0 = (0 << PRT1);
SRC_ms_Wait(50);
// Enable TMR1
// Use TMR1 to generate a delay
// Exit TP Mode (TPMA=0-> RESET)
ClearBit(TPCR, TPMA);
// Wait until the LF field is switched off
do
{
__no_operation();
} while ((TPFR & (1<<TPA)) !=0);
}
/*************************************
Descr.
TX data via LF-Link
Exit when 16 bytes transmitted
Release:
06/16/2010, Plepek
**************************************/
void TX_Cipher_Data(void)
{
static unsigned char temp, TxBuf;
PRR0 &= ~(1<<PRCU);
// Disable AES power reduction
// TX 16 Bytes - Send Cipher Data
for(unsigned char i=0; i<16; i++)
{
temp = AESDR;
TxBuf = ManData((temp & 0xF0)>>4);// Encode MS nibble
WriteSSITxBuf(TxBuf);
TxBuf = ManData((temp & 0x0F));// Encode LS nibble
WriteSSITxBuf(TxBuf);
}
AESCR = 0x00;
PRR0 |= (1<<PRCU);
}
32
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
// Disable AES Crypto module
// Enable AES power reduction
/********************************************************
Function:
Config_LF_TX(void)
Descr:
Set up TX data LF-Link for Passive Mode
Sets up AFE and TMR2, TM
Date:
06/07/2010, plepek
********************************************************/
void Config_LF_TX(void)
{
// Enable TMR2 clock
ClearBit(PRR0, PRT2);
// Config TMR2
T2CR = (1<<T2RES);
T2MR = (1<<T2CS0);
T2COR = 0x0F;
T2CR = (1<<T2CTM | 1<<T2CRM);
//
//
//
//
//
Reset T2
Set T2_Clk = 125kHz_clk
Set SCLK=125kHz/16/2
SSI_CLK=T2_CLK, Reset TMR2 on match,
T2CMP=1 enable T2 toggle
// Enable TM clock
ClearBit(PRR0, PRTM);
// Enable TM clock
//Config. Timer Modulator
TMMR
= (1<<MOS0);
TMIFR = 0xFF;
//TMIMR = (1<<TMTXIM);
TMIMR = (1<<TMTXIM);
//
//
//
//
TMCR
= (1<<TMCPOL);
//Config AFE modulating input
SetBit(TPCR, TPMS0);
TMCR
TMCR
T2CR
Set MOUT=SO (MOS[1:0]=01)
clear all flags
enable TX complete IRQ
Enable TM TX Buffer Empty IRQ
// Start TM and TMR2
|= (1<<TMSSIE);
|= (1<<TMSSIE);
|= (1<<T2E);
// Set up vars
glTXBuffEmptyFlag=1;
PowerSaveMode;
// Set TPMOD=SO; Set TPMS[1:0]=01
// Enable TMSSIE bit twice for asynch startup
// Init TXDR as empty
}
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
33
10.
APPENDIX E: Configuring RF Transmitter Variables
/********************************************************
Function:
ConfigRFTransmitter(void)
Descr:
Configure RF transmitter, Fc=433MHz, FSK
Date:
06/07/2010, plepek
********************************************************/
void ConfigRFTransmitter(void)
{
SetBit(DDRC, Tx_CS);
// TRx_CS = output
SetBit(DDRC, Tx_SDI);
// TX_SDI = output
SetBit(DDRC, Tx_SCK);
// Tx_SCK = output
ucConfigReg[0]
ucConfigReg[1]
ucConfigReg[2]
ucConfigReg[3]
=
=
=
=
0;
0;
0;
0;
/**************************************
Compute FREQ value for Fxtal=13MHz:
For Fc=433MHz:
**************************************/
// Configure FREQ
uiFreqData = 14360;
temp = ((uiFreqData << 7) & 0x80);
ucConfigReg[1] |= temp;
ucConfigReg[2] = ((uiFreqData >> 1) & 0xFF);
ucConfigReg[3] = (((uiFreqData >> 1) & 0xFF00)
Register3[5:0]
BYTE0 - Least Significant Byte
BYTE1
BYTE2
BYTE3 - Most Significant Byte
FREQ(14:0)=d14360 (15b011_1000_0001_1000)
FSEP[0:7]=64 (8b0100_0000)
Reg1[7]=0
Reg2[7:0]=0_0001_100
Reg3[5:0]=011_100
// Set for Fc=433.92MHz
// Load FREQ[0] into Register1[7]
// Load FREQ[8:1] into Register2[7:0]
>> 8); // Load FREQ[14:9] into
// Config 434_N314
ucConfigReg[3] |= (1 << 6);
// Config Fc=433 MHz set 434_N314=0
// Config FSEP
temp = 64;
ucConfigReg[1] |= ((temp >> 1) & 0xFF);
ucConfigReg[0] |= ((temp << 7) & 0x80);
// Config FSEP param
// Write FSEP[7:1] into Register1
// Write FSEP[0] into Register0
// Configure PWR,
ucConfigReg[0] |=
Pout=9.5dBm
ucConfigReg[0] |=
(CLK=SYSCLK/8)
ucConfigReg[0] |=
=0 for FSK)
ucConfigReg[0] |=
output)
}
34
//
//
//
//
DIV_CNTRL, ASK_NFSK, CLK_ON
(12<<2);
// Reg0[5:2]=PWR[3:0]. Select PWR=12 for
(1<<6);
// Reg0[6]= DIV_CNTRL, Set DIV_CNTRL bit
(0<<1);
// Reg0[1]= ASK_NFSK, Enable FSK (ASK_NFSK
0x01;
// Reg0[0]=CLK_ON, Set CLK_ON=1 (enable CLK
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
11.
Revision History
Please note that the following page numbers referred to in this section refer to the specific revision mentioned, not to this
document.
Revision No.
History
9224B-RKE-05/15
Put document in the latest template
ATA5795 [APPLICATION NOTE]
9224B–RKE–05/15
35
XXXXXX
Atmel Corporation
1600 Technology Drive, San Jose, CA 95110 USA
T: (+1)(408) 441.0311
F: (+1)(408) 436.4200
|
www.atmel.com
© 2015 Atmel Corporation. / Rev.: 9224B–RKE–05/15
Atmel®, Atmel logo and combinations thereof, Enabling Unlimited Possibilities®, AVR®, and others are registered trademarks or trademarks of Atmel Corporation in U.S.
and other countries. Other terms and product names may be trademarks of others.
DISCLAIMER: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right
is granted by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN THE ATMEL TERMS AND CONDITIONS OF SALES LOCATED ON THE
ATMEL WEBSITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT
SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES
FOR LOSS AND PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and products descriptions at any time without notice. Atmel does not make any commitment to update the information
contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel products are not intended,
authorized, or warranted for use as components in applications intended to support or sustain life.
SAFETY-CRITICAL, MILITARY, AND AUTOMOTIVE APPLICATIONS DISCLAIMER: Atmel products are not designed for and will not be used in connection with any applications where
the failure of such products would reasonably be expected to result in significant personal injury or death (“Safety-Critical Applications”) without an Atmel officer's specific written
consent. Safety-Critical Applications include, without limitation, life support devices and systems, equipment or systems for the operation of nuclear facilities and weapons systems.
Atmel products are not designed nor intended for use in military or aerospace applications or environments unless specifically designated by Atmel as military-grade. Atmel products are
not designed nor intended for use in automotive applications unless specifically designated by Atmel as automotive-grade.