Car keys are generally powered by button batteries, and the battery will inevitably run out of power. The purpose of IMMO is to allow the vehicle to start normally when the key battery is dead.
2. Implementation process
The IMMO function is implemented through SPI communication between the main control board (KEA128) and the low-frequency board (PJF7992), which drives the external antenna to communicate with the 3D antenna on the key (NCF29A1) at a frequency of 125 kHz and obtain the key IDE. After the HT3 encryption and authentication is completed, the relevant peripherals can be driven to start the vehicle. The whole process can be divided into the following steps.
(1) Driving the antenna
According to the PJF7992 datasheet (as shown in Figure 2.1.1), a wake-up waveform must precede SPI communication with the low-frequency board: the CS pin is pulled low for about 350 us and then pulled high. After a delay of 10 ms, the main control board can perform SPI communication with the low-frequency board.
Figure 2.1.1 Wake-up waveform
Explanation: Twup = 10ms; Trem,min = 150us;
Once SPI communication is established, the two registers DRVCON and DCON1 can be configured over SPI to drive the antenna. The specific waveform is shown in Figure 2.1.2 below.
Figure 2.1.2 Waveforms driving the antenna
(2) Get the IDE
The key IDE can be obtained by driving the antenna and sending "11100". Before this, configure the registers PHMEAS, SMPLC, and TXCON to control the antenna phase, sampling time and drive TX1/TX2 channels, and then write "11100" through the WR_RD_BUF command.
It is recommended to search and send at the normal phase, +90°, -90° and 180°, so that the key does not fail to respond. The specific waveform is shown in Figure 2.2.1 below.
(3) Send 64-bit Challenge + 16-bit MAC for encrypted authentication
The HT3 encryption authentication process of the NCF29A1 is as follows: the low-frequency board first drives the antenna to send a 64-bit random number (for the convenience of testing, I sent 64 bits of '0'); the main control board calculates the 16-bit MAC from the 96-bit key, the 64-bit random number and the key IDE, and then drives the antenna to send the 16-bit MAC. If the 48-bit Response sent by the key is received and the calculated data is correct, the handshake is successful. The specific waveforms are shown in Figure 2.3.1 and Figure 2.3.2.
By observing the waveforms of the external antenna (yellow) and the key (green) on the low-frequency board, it can be seen that when the antenna sends data, the waveform of the key also fluctuates to a certain extent. The IMMO function works when the key is 3cm~5cm away from the external antenna of the low-frequency board.
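The message flow of step (3), as an added example that is not code from the original article or from the chip documentation. `toy_prf` is a stand-in keyed mixer, not the HT3 cipher (which the page does not give). The 32-bit IDE width, the key staying silent on a bad MAC, and the refusal of an all-zero or repeated challenge outside bench testing are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define RESP_MASK 0xFFFFFFFFFFFFULL   /* the key's Response is 48 bits */

/* Constructed sample keys (96 bits each); KEY_B differs in the last byte. */
static const uint8_t KEY_A[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
static const uint8_t KEY_B[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13};

/* Stand-in keyed mixer (FNV-1a). NOT the HT3 cipher; it only lets the flow run. */
static uint64_t toy_prf(const uint8_t key[12], uint64_t chal, uint32_t ide, uint8_t tag)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    uint8_t in[25];
    int n = 0;
    for (int i = 0; i < 12; i++) in[n++] = key[i];                      /* 96-bit key */
    for (int i = 0; i < 8; i++)  in[n++] = (uint8_t)(chal >> (8 * i));  /* challenge  */
    for (int i = 0; i < 4; i++)  in[n++] = (uint8_t)(ide >> (8 * i));   /* key IDE    */
    in[n++] = tag;                                   /* 1 = MAC, 2 = Response */
    for (int i = 0; i < n; i++) { h ^= in[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Simulated key: answers only when the base station's 16-bit MAC verifies. */
int key_respond(const uint8_t key[12], uint32_t ide, uint64_t chal,
                uint16_t mac, uint64_t *resp)
{
    if ((uint16_t)toy_prf(key, chal, ide, 1) != mac) return 0;  /* stays silent */
    *resp = toy_prf(key, chal, ide, 2) & RESP_MASK;
    return 1;
}

/* Base station: 1 = handshake OK, 0 = no or wrong Response, -1 = challenge refused.
 * fob_key stands for the transponder at the far end of the 125 kHz link. */
int immo_authenticate(const uint8_t bs_key[12], const uint8_t fob_key[12],
                      uint32_t ide, uint64_t chal, uint64_t prev_chal)
{
    uint64_t resp;
    if (chal == 0 || chal == prev_chal) return -1;  /* bench value or stuck RNG */
    uint16_t mac = (uint16_t)toy_prf(bs_key, chal, ide, 1);
    if (!key_respond(fob_key, ide, chal, mac, &resp)) return 0;
    return ((resp ^ toy_prf(bs_key, chal, ide, 2)) & RESP_MASK) == 0;
}

int main(void)
{
    printf("match=%d mismatch=%d zero=%d\n",
           immo_authenticate(KEY_A, KEY_A, 0x1234ABCDu, 0x0123456789ABCDEFULL, 1),
           immo_authenticate(KEY_A, KEY_B, 0x1234ABCDu, 0x0123456789ABCDEFULL, 1),
           immo_authenticate(KEY_A, KEY_A, 0x1234ABCDu, 0, 1));
    return 0;
}
```

The 16-bit MAC authenticates the base station to the key and the 48-bit Response authenticates the key to the base station, so both sides prove knowledge of the 96-bit key within one challenge.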
In addition, after the HT3 encryption authentication of IMMO is passed, the ULP-EEPROM of the key can also be read and written through relevant commands, so as to change the related configuration of the key.