Implementation of IMMO function

I. Overview

        Car keys are generally powered by button batteries, and the battery will definitely run out of power. IMMO is to realize the normal start of the vehicle when the key is out of power.

Second, the implementation process

        The realization process of the IMMO function is to communicate SPI through the main control board (KEA128) and the low frequency board (PJF7992), in order to drive the external antenna to communicate with the 3D antenna on the key (NCF29A1) at a frequency of 125KHz, obtain the key ID, and complete the HT3 encryption authentication, you canDrive related peripherals to realize the start of the vehicle; the whole process can be divided into the following steps.

(1) Drive antenna

        Based on the DataSheet of PJF7992 (as shown in Figure 2.1.1), there must be a corresponding wake-up waveform before SPI communication with the low-frequency board, that is, the CS pin is pulled down by about 350us and then pulled up. After the delay is 10ms, the main control board can communicate with the low-frequency board SPI.

Figure 2.1.1 Wake-up waveform

        Description: Twup = 10ms; Trem, min = 150 us;

        After the SPI communication is realized, the two registers DRVCON and DCON1 can be configured through the SPI communication to realize the antenna drive. The specific waveform is shown in Figure 2.1.2 below.

Figure 2.1.2 Waveform of the driving antenna

(2) Get IDE

        The acquisition of keychain can be achieved by sending “11100“ through the drive antenna. Before that, configure the registers PHMEAS, SMPLC, and TXCON to control the antenna phase, sampling time, and drive the TX1/TX2 channels, and then use the WR_RD_BUF command to write ”11100“.

        It is recommended to find and send at +90°, -90°, and 180° in the normal phase, respectively, to prevent the key from not responding. The specific waveform is shown in Figure 2.2.1 below.

Figure 2.2.1 Acquisition of key IDEs

(3) Send 64-bit challenge+16-bit MAC for encryption and authentication

        The HT3 encryption authentication process of NCF29A1: The low-frequency board first drives the antenna to send a 64-bit random number (for convenience of testing, I sent a 64-bit ‘0’), the main control board calculates a 16-bit MAC based on the 96-bit key, the 64-bit random number, and the ID of the key, and then drives the antenna to send this. For a 16-bit MAC, if the 48-bit response sent by the key is obtained and the calculated data is correct, it proves that the handshake is successful. The specific waveform is shown in Figure 2.3.1 and Figure 2.3.2 below.

Figure 2.3.1 64-bit random number

Figure 2.3.2 Obtained EQ+Response

        By observing the waveforms of the external antenna (yellow) of the low-frequency board and the key (green), it can be seen that when the antenna transmits data, the waveform of the key will also fluctuate. This is the external antenna of the low-frequency board and then charge the key with mutual inductance. Based on the distance limit, the IMMO function isIt is achieved under the condition that the key is 3cm~5cm away from the external antenna of the low-frequency board.

        In addition, after IMMO's HT3 encryption authentication is passed, the ULP-EEPROM of the key can also be read and written through relevant commands, which can change the relevant configuration of the key.

3. Reference materials

[1] ds489211 - Product Data Sheet - HT3-Family_Transponder - MRK III (1.1).pdf

[2] f7992A_2015.pdf