Post-mortem investigation: Volvo key fob

Article By : Brian Dipert

High replacement vehicle smart key prices seem outrageously profitable to the supplier, but without taking one apart, how can you be sure? Let’s tackle that mystery.

Hopefully, many of you have already read the two-part travail of my tough Tile tracker and what it helped me locate: a Volvo key fob inadvertently “eaten” by my Honda snowblower earlier that same day. If not, I encourage you to click through the links and get caught up before coming back here; if nothing else, you’ll likely end up with a chuckle (at my expense, of course).

I’m writing these words at the beginning of April, spring has sprung (sorta…this is Colorado, after all), and the snow berm in front of my house (to which the snowblower had deposited the key fob in the first place, after first dismembering it) is almost fully melted. However, so far I’ve only been able to find a few pieces of the key fob scattered amidst the plants, trees and bushes:

  • Most of the outer case, including the front panel button assembly
  • One of the two CR2430 batteries, and
  • The PCB inside the case, which you’ll see shortly

As that last comment foreshadows—if the title of this piece wasn’t already enough of a tip off—I intend to actualize the “When life gives you lemons, make lemonade” aphorism by doing a teardown and analysis on the remnants. In the process, I also aspire to gain some conceptual insight into how these things work.

A good place to start on the second aspiration is by figuring out what to call this thing in the first place. The aforementioned “key fob” is a common term, although Wikipedia prefers “smart key.” It’s a key (pun intended) piece of the (more Wikipedia lingo) “remote keyless system”:

A smart entry system is an electronic lock that controls access to a building or vehicle without using a traditional mechanical key. The term keyless entry system originally meant a lock controlled by a keypad located at or near the driver’s door, which required entering a predetermined (or self-programmed) numeric code. Such systems now have a hidden touch-activated keypad and are still available on certain Ford and Lincoln models. The term remote keyless system (RKS), also called keyless entry or remote central locking, refers to a lock that uses an electronic remote control as a key which is activated by a handheld device or automatically by proximity. Widely used in automobiles, an RKS performs the functions of a standard car key without physical contact. When within a few yards of the car, pressing a button on the remote can lock or unlock the doors, and may perform other functions. A remote keyless system can include both a remote keyless entry system (RKE), which unlocks the doors, and a remote keyless ignition system (RKI), which starts the engine.

The vehicle associated with my smart key is a 2008 model year Volvo XC70 AWD. From what I can gather from online research coupled with candid dealer discussions, prior model year Volvos used an initially “dumb” key fob that the owner could uniquely mate to the particular vehicle him/herself via a “custom” operating mode (analogous to how you link a garage door remote control to the receiver in the motor assembly). And newer Volvos ironically return to this same user-friendly approach, apparently. But beginning with my model year, and for several years, Volvo smart keys came pre-programmed with a custom code (printed out on an all-important piece of paper) that only the dealer could (expensively) mate to the car. Lucky me.

Once initial mating is successful, operation is conceptually simple, albeit with implementation nuances between manufacturers and models. My smart key is relatively elementary in comparison to newer implementations of the concept: integrated buttons allow me to unlock and disarm (one press for driver, a second for all) and lock (all) doors (these buttons apparently also can control the windows…I admittedly didn’t know that until I re-read the user manual earlier today while researching this piece), illuminate exterior lights as you approach, and distinctly unlock and disarm only the tailgate. There’s also a “panic” button that honks the horn and flashes the vehicle lights if you press it, and an “information” button that works in conjunction with green (upper left), yellow (upper right) and dual red (lower left) LEDs surrounding the button matrix and tells you if the vehicle is unlocked, locked, or alarm-activated (as well as, in the latter case, if the vehicle senses that someone’s inside).

Once you’ve entered the car, baseline starting of the vehicle involves inserting the key in a dashboard slot where a motor feeds it into a locked operating position, then pressing the “Start Stop Engine” button next to it.

Unfortunately, the key is prone to getting stuck in this position:

 

Fortunately, in my particular case (once again, until researching today I didn’t realize how “special” I was) my car apparently came with an option (the aforementioned RKI in the Wikipedia entry) that allows me to also start the car with the smart key still in my pocket (or elsewhere), as long as I’m sitting in the driver seat and the wireless connectivity between the smart key and car isn’t being RF-blocked. Cool.

That said, referencing my earlier “elementary in comparison to newer implementations of the concept” comment, I’m still not that cool. Consider, for example, my wife’s Land Rover Discovery; she can lock or unlock whatever door she’s in proximity to solely via a capacitive switch activation on the door handle, without removing her smart key from her purse at all far from pressing buttons on it (again, as long as the wireless connectivity between the smart key and car isn’t being RF-blocked). That said, as the dealer I recently conversed with confirmed, there’s a notable downside to this approach: the smart key is out of necessity constantly broadcasting, which has a deleterious effect on battery life. On several occasions already in the few years we’ve owned it, she’s needed to place the key against the steering column in a particular location in order to be able to start the car (which involves inductively-coupled supplemental wireless power transfer), immediately followed by a smart key battery replacement by yours truly once we safely get home (for obvious reasons, I keep spares on hand at all times). Newer Volvos instead put this “special spot” in the center console:

 

Conceptual treatment concluded, let’s get to the analysis of today’s subject. The two halves of the case were already separated (not to mention torn asunder from the backup metal key, which remained attached to the Tile Mate and my others) when I found them. I’d temporarily pressed them back together for the earlier photos. Here’s a somewhat more accurate semblance of reality as I came across it (now imagine them buried deep in a pile of snow):

Flip them over and the PCB comes into initial view:

Since the case was busted, the PCB lifted right out:

In-between the button matrix and the PCB is a “membrane” which presumably is present to give the smart key some semblance of moisture and broader environmental resistance:

But the PCB’s what we care about most, right?

Detaching a couple of retention tabs allows the multi-button assembly to lift right off, bringing the circuitry on the front side of the PCB into full view:

Immediately visible are the six switches, three of them in proximity to the earlier mentioned information LEDs. And at one end of the PC is an IC marked CC1020, which appears to be a “single-chip FSK/OOK CMOS wireless transceiver for narrowband apps in 402-470 and 804-940 MHz range.” Here’s a link to the product page for Texas Instruments’ variant of the chip, although the vendor marking on this particular IC is unknown to me.

In contrast, although the source of the other IC (in the middle of the switch matrix) is indisputable, its function is somewhat mysterious. Labeled F7953C05 and with a Philips Semiconductor stamp on it, Google research suggests that it’s more recently supplied by NXP Semiconductor (which makes sense, since NXP was created in 2006 from Philips’ spin-off of its semiconductor division)…but I can’t even find a product page for it, far from a datasheet.

To learn more, I’m going to temporarily divert your attention to a closeup view of one of the other case fragments:

There’s just enough plastic still intact to enable me to discern the FCC ID, KR55WK49266, which as-usual led me to an abundance of additional information. Among other things, check out this block diagram from the VDO (the German brand of Continental Automotive, previously part of Siemens) user manual, a more discernable version of which I snagged from another source:

My assumption is that everything within the blue rectangle is handled within the F7953C05, with the CC1020 tackling the RF Stage function. And in retrospect, the dearth of public information on the F7953C05 in comparison to other ICs I research in these teardowns isn’t that surprising (although Google did reveal to me that BMW uses the same IC in some of its smart keys). After all, no manufacturer wants someone other than the owner to be able to unlock and enter the vehicle, far from start it and drive it away—a grim scenario that Honda ironically experienced just a few days before I sat down to write. One thing I still don’t know for sure (but assume), for example, is if the Volvo system employs “rolling code.” Wikipedia again:

Most keyless systems use a technique called rolling code to avoid replay attacks, in which the open command is intercepted to be used by a thief at a later time. In the rolling code, a pseudorandom number generator is used to generate a different unlock sequence to be sent each time the car is unlocked.

One other thing to note on this side of the circuit board is the “PCB loop antenna” for transmission, which routes above the top four buttons. And speaking of PCBs, we haven’t yet taken a close look at the other side; let’s fix that omission:

The bit of shiny metal in one quadrant, which to me looks something like a German Iron Cross, is the negative terminal for the lower CR2430 in the two-battery “sandwich” (oddly, by the way, the aforementioned Siemens-now-Continental user guide says that the smart key takes only one battery). But that’s likely not what first caught your eye. What’s the deal with the sizeable mysterious soldered-down grey square thing containing the following topside marketing?

232D
H743

At first I assumed that this was the source of the transmitter’s encrypted-data processing. Turns out, though, that per FCC internal photos it’s just the reception antenna (again, note the PCB-embedded antenna surrounding it at the edge of the circuit board). A reception antenna? Why? Well, according to the FCC documentation, this smart key operates at two different frequencies, 902.16 MHz and 903.575 MHz (although curiously, Wikipedia indicates that “most RKEs operate at a frequency of 315 MHz for North America-made cars and at 433.92 MHz for European, Japanese and Asian cars”…the latter explaining the alternative frequencies handled by the CC1020). And quoting from the user manual (with spelling correction by yours truly):

The RF remote control system consists of a remote key which is a RF transmitter / receiver and a RF transmitter / receiver unit at the vehicle. The Remote Key is used to transmit information for locking or unlocking the vehicle (as also Trunk Lid/Approach Light/Panic /comfort open/Comfort Close/Check vehicle status/Passive lock/passive unlock/passive start operations) by a bidirectional RF transmission line for normal remote operation by pressing a button.

If the telegram which was received from the vehicle unit is not corrupted the vehicle unit will send an acknowledgement message to the Remote key. If the acknowledgement message is not received by the Remote key, the remote key will repeat the transmission at the second channel.

In closing, I thought I’d also share some images of the intact successor smart key from the dealer, to show you what it looks like when not run through a snowblower first. To that point, since it set me back nearly $600, I trust you’ll forgive me for not attempting a full disassembly!

Popping off the back panel to replace the batteries is a bit nerve-wracking but not too bad:

And speaking of $600, in my previous write-up I intentionally-not-subtly proposed that the profit margin on this smart key was likely outrageous. Reader “chargehanger” was first to respond post-publication with the following insight (bracketed text is mine):

The BOM [bill of materials] for this key fob is around 19 Euro [$21 USD as I write this].

I would love any additional insight you can supply, “chargehanger” (or anyone else knowledgeable on the topic, for that matter) as to how you came up with that BOM figure. More generally, as always let me know your thoughts in the comments!

This article was originally published on EDN.

Brian Dipert is Editor-in-Chief of the Edge AI and Vision Alliance, and a Senior Analyst at BDTI and Editor-in-Chief of InsideDSP, the company’s online newsletter.

 

Leave a comment