It’s always been interesting to me to see which of my writeups particularly resonate with the readers (as measured by metrics such as online page views and the number of both posted public comments and private emails I receive in response), and to theorize why this might be the case. Unsurprisingly, for example, teardowns consistently garner lots of attention. But what’s been interesting to me is how little that interest from you seems to correlate to the price tag of the widget being dissected, or even to any existing awareness of it and its manufacturer. As I told other staffers at EDN the other day while we were discussing the topic:
To be honest, there’s not much “science” to the topics I choose for teardowns…I just go by what I personally would be curious to poke around the insides of, under the assumption that at least some readers are like me. Sometimes the most inexpensive, oddball, etc. teardown subjects end up getting the most reader response. I’m also happy that I seem to consistently be able to craft an interesting (at least to me) analysis out of even the most seemingly simple teardown subject.
Of course, it doesn’t hurt when the overall theme of a piece is of personal resonance to the audience…
Regarding the recent key fob series, my theory is that there’s a general sense in the community that automakers rip off vehicle owners, especially for things like vehicle feature upgrades and other initial-sale options, ongoing maintenance (both parts and labor), and “aftermarket” updates. I suspect that my writeups tapped into that angst, translating into reader interest.
That series, for those of you who haven’t already seen it, to date comprises two blog posts:
Followed by a teardown:
One comment on that second blog post, from reader “chargehanger”, was especially intriguing:
The BOM [editor note: bill of materials cost] for this key fob is around 19 Euro [editor note: approximately $19.82 USD as I write these words].
Given that I’d paid my local Volvo dealer $570, inclusive of “labor”, for a replacement key fob, I wasn’t going to leave that comment unexplored. So, in the subsequent teardown, I referenced the earlier comment from “chargehanger”, following up with what I hoped would be a too-tempting-to-ignore invitation:
I would love any additional insight you can supply, “chargehanger” (or anyone else knowledgeable on the topic, for that matter) as to how you came up with that BOM figure.
Happily, as we say back in my birth state of Indiana, he “took the bait”. Christoph Riehl (aka “chargehanger”, complete with the appropriately named website www.chargehanger.com where he sells overhead cable holders for EVs) emailed me at the beginning of June:
I just read your article on EDN.
I was the one giving you a hint on the BOM cost for the key fob.
I was involved in the development of this key, a long time ago, and I can give you some insights (within the limits of not breaking trade secrets, of course)
I, of course, took him up on his offer that very same day:
Good to “meet” you! Hope you enjoyed my teardown piece.
I’d love to publish any insights you might be able and willing to provide on the product’s development, feature set, bill of materials and/or anything else you think would be of interest to the audience.
What follows is his response sent to me a few days later, only lightly edited by me for clarity:
I was working at Siemens VDO (which then became Continental), mainly having RF subsystem responsibilities, and I worked on this key fob system.
I haven’t been in the industry for 10 years, so all this is a bit dated.
All my statements here are publicly available knowledge, so no trade secrets have been broken, and you can publish this.
There are basically 3 types of traditional key fobs, but this Volvo key is an interesting special case:
- Immobilizer-only fobs, with a mechanical key blade and immobilizer transponder pill (no longer built, for at least 15 years)
- RKE [editor note: remote keyless entry] fobs, with one LF [editor note: low frequency] coil and functions 1, 2, and 3 only [editor note: keep reading for function descriptions]. The typical fob production cost here is about 9 Euro, not including the key blade.
- Passive entry/passive start key fobs. The typical fob production cost here is 13 Euro without a key blade, also without metal in the housing.
Entry and start are complex systems, with many interlinked microcontrollers and sometimes with additional intentional complexity meant to deter hacking.
Key fobs may seem conceptually simple, but they are actually very hard to engineer due to their low power consumption optimization and crypto integration, as well as the harsh environments in which they need to operate.
A key fob has more functions than you might think:
- Mechanical key
Today often only seen as a backup, to open the door when the key or car battery is dead. Can only start the car if the old-style ignition lock, fitted with an immobilizer, authenticates the transponder.
- RKE (car opening/closing by pressing the button on the fob)
The key typically sends out a 434 or 315 MHz signal to the car, without any feedback. The signal includes a “rolling code”, which is basically a counter incremented at each use, signed cryptographically so it cannot be replayed (each code is valid for only one use). Typical range: 20m
- Immobilizer start (transponder)
The key fob can be used to start the car with a RFID-style passive transponder at 120 kHz. It uses a proprietary protocol based on a crypto challenge/response that authenticates the fob to the engine controller. The engine controller is typically installed at an intentionally hard-to-access location so it cannot be easily “swapped” in order to steal the car. The immobilizer reader can power the fob controller through one of the LF coils. The key fob can therefore function even when no battery is present, and even if the key fob is rotted away by corrosion (to wit, the LF circuit is selectively varnished so that it can survive nearly anything). When the key battery is dead, you can open the door with the mechanical key and start the car by putting the key into/onto the immobilizer reader. Typical range: 10cm.
- Passive access
When the driver pulls on the car handle, as well as on a cyclic basis, the car sends out a 120 kHz wakeup signal with a crypto challenge. If in LF range (typically 2m) the key fob wakes up, calculates crypto, locates itself with LF field strength measurements, and answers to the car by transmitting on the RF link. The localization step is important not only to check if the fob is near enough, but also to determine if it is currently inside or outside the car (If inside, no locking is allowed, but starting is allowed. Outside is the reverse). Localization usually requires 3-6 LF antennas, distributed strategically in the car interior and handles. Localization uses a 3D antenna on the key fob. The LF link is unidirectional only; the extended 2m range does not allow the fob to transmit, even if often the same antennas are used for bidirectional immobilization. Listening all the time makes the key fob battery last much less long than with basic RKE-only keys.
- Passive start
When pressing the start button, the same basic steps as with function 4 happen, this time to allow the engine to start only if the key is inside the car. Operating range is reduced to “inside the car only”.
Modern systems use Bluetooth in conjunction with a phone, or UWB. Emerging UWB can be made immune to relay attacks because it can make a secure time-of-flight measurement. In contrast, all other existing technologies are by principle vulnerable to relay attacks. The vulnerability of legacy systems was widely known in the industry, but no alternative existed prior to UWB becoming available inexpensively. Therefore, prior to UWB, OEMs and suppliers just “ignored” the problem, relying on the perceived technical complexity of relay attacks to minimize its likelihood of occurrence.
Your 6-button Volvo key fob seems to have a few ripped-off components at the base of the RF antenna, close to the CC1020 transceiver. If you replaced them, the fob might work again.
It’s a “special case” key fob because it has a bidirectional 100m range RF link (using 900 MHz in US). It can also display the car status on LEDs if you press the “i” key. “Guaranteed” 100m is quite difficult to achieve given the key fob’s small form factor constraints; this is the reason for the two big batteries, along with the complex bidirectional RF transceiver based on the CC1020.
The 5-button version of the design is a much simpler RKE key without feedback and with only 20m range.
The big component mentioned in your teardown is a reception antenna, but not for 902 MHz, as you assumed. It is for 3D reception at 120 kHz.
The main chip in the design is the common PCF7953 [editor note: this is the IC I’d referred to as the “F7953C05” in my earlier teardown, and is based on a Philips Semiconductor-now-NXP Semiconductors low-power, 8-bit microcontroller architecture], which integrates everything except the RF circuitry. Newer chips can also include the RF transmitter.
Regarding your comment “a membrane which presumably is present to give the smart key some semblance of moisture and broader environmental resistance”, yes! Fobs in general are engineered to withstand a lot of abuse, tested to (for example) come out still working after a few washing-machine 90°C wash cycles. The watertightness can fail after some years, when materials degrade, but the silicone membrane in your case does not really age. Unfortunately, snow blowers were not considered in the design specifications 😉
Rough and quick generous BOM cost estimation for the PCB, in high volume, and prior to recent COVID-induced chip shortages:
- CC1020: 2,7 Euro [editor note: approximately $2.82 USD]
- PCF7953: 2,5 Euro [~$2.61 USD]
- Total for other small components: 4 Euro [~$4.17 USD]
- Board: 2 Euro [~$2.09 USD]
- Labor: 2 Euro [~$2.09 USD]
- Overhead: 3 Euro [~$3.13 USD]
Real costs are probably lower.
Christophe concluded with some additional-information links for further reader research:
I’d like to thank Christophe Riehl for his generosity both in taking the time to write me in such length and detail, for his willingness to share his insights with other readers, and for the extremely interesting information he’s provided. I suspect he’ll also see this writeup, so I encourage you to leave him (and me) your questions and other thoughts in the comments!
—Brian Dipert is Editor-in-Chief of the Edge AI and Vision Alliance, and a Senior Analyst at BDTI and Editor-in-Chief of InsideDSP, the company’s online newsletter.