A Volvo key fob: A post-mortem investigation - EDN

2022-06-10 20:22:02 By : Ms. Candy lee

Hopefully, many of you have already read the two-part travail of my tough Tile tracker and what it helped me locate: a Volvo key fob inadvertently “eaten” by my Honda snowblower earlier that same day. If not, I encourage you to click through the links and get caught up before coming back here; if nothing else, you’ll likely end up with a chuckle (at my expense, of course).

I’m writing these words at the beginning of April, spring has sprung (sorta…this is Colorado, after all), and the snow berm in front of my house (to which the snowblower had deposited the key fob in the first place, after first dismembering it) is almost fully melted. However, so far I’ve only been able to find a few pieces of the key fob scattered amidst the plants, trees and bushes:

As that last comment foreshadows—if the title of this piece wasn’t already enough of a tip off—I intend to actualize the “When life gives you lemons, make lemonade” aphorism by doing a teardown and analysis on the remnants. In the process, I also aspire to gain some conceptual insight into how these things work.

A good place to start on the second aspiration is by figuring out what to call this thing in the first place. The aforementioned “key fob” is a common term, although Wikipedia prefers “smart key.” It’s a key (pun intended) piece of the (more Wikipedia lingo) “remote keyless system”:

A smart entry system is an electronic lock that controls access to a building or vehicle without using a traditional mechanical key. The term keyless entry system originally meant a lock controlled by a keypad located at or near the driver’s door, which required entering a predetermined (or self-programmed) numeric code. Such systems now have a hidden touch-activated keypad and are still available on certain Ford and Lincoln models. The term remote keyless system (RKS), also called keyless entry or remote central locking, refers to a lock that uses an electronic remote control as a key which is activated by a handheld device or automatically by proximity. Widely used in automobiles, an RKS performs the functions of a standard car key without physical contact. When within a few yards of the car, pressing a button on the remote can lock or unlock the doors, and may perform other functions. A remote keyless system can include both a remote keyless entry system (RKE), which unlocks the doors, and a remote keyless ignition system (RKI), which starts the engine.

The vehicle associated with my smart key is a 2008 model year Volvo XC70 AWD. From what I can gather from online research coupled with candid dealer discussions, prior model year Volvos used an initially “dumb” key fob that the owner could uniquely mate to the particular vehicle him/herself via a “custom” operating mode (analogous to how you link a garage door remote control to the receiver in the motor assembly). And newer Volvos ironically return to this same user-friendly approach, apparently. But beginning with my model year, and for several years, Volvo smart keys came pre-programmed with a custom code (printed out on an all-important piece of paper) that only the dealer could (expensively) mate to the car. Lucky me.

Once initial mating is successful, operation is conceptually simple, albeit with implementation nuances between manufacturers and models. My smart key is relatively elementary in comparison to newer implementations of the concept: integrated buttons allow me to unlock and disarm (one press for driver, a second for all) and lock (all) doors (these buttons apparently also can control the windows…I admittedly didn’t know that until I re-read the user manual earlier today while researching this piece), illuminate exterior lights as you approach, and distinctly unlock and disarm only the tailgate. There’s also a “panic” button that honks the horn and flashes the vehicle lights if you press it, and an “information” button that works in conjunction with green (upper left), yellow (upper right) and dual red (lower left) LEDs surrounding the button matrix and tells you if the vehicle is unlocked, locked, or alarm-activated (as well as, in the latter case, if the vehicle senses that someone’s inside).

Once you’ve entered the car, baseline starting of the vehicle involves inserting the key in a dashboard slot where a motor feeds it into a locked operating position, then pressing the “Start Stop Engine” button next to it.

Unfortunately, the key is prone to getting stuck in this position:

Fortunately, in my particular case (once again, until researching today I didn’t realize how “special” I was) my car apparently came with an option (the aforementioned RKI in the Wikipedia entry) that allows me to also start the car with the smart key still in my pocket (or elsewhere), as long as I’m sitting in the driver seat and the wireless connectivity between the smart key and car isn’t being RF-blocked. Cool.

That said, referencing my earlier “elementary in comparison to newer implementations of the concept” comment, I’m still not that cool. Consider, for example, my wife’s Land Rover Discovery; she can lock or unlock whatever door she’s in proximity to solely via a capacitive switch activation on the door handle, without removing her smart key from her purse at all, far from pressing buttons on it (again, as long as the wireless connectivity between the smart key and car isn’t being RF-blocked). That said, as the dealer I recently conversed with confirmed, there’s a notable downside to this approach: the smart key is out of necessity constantly broadcasting, which has a deleterious effect on battery life. On several occasions already in the few years we’ve owned it, she’s needed to place the key against the steering column in a particular location in order to be able to start the car (which involves inductively-coupled supplemental wireless power transfer), immediately followed by a smart key battery replacement by yours truly once we safely get home (for obvious reasons, I keep spares on hand at all times). Newer Volvos instead put this “special spot” in the center console:

Conceptual treatment concluded, let’s get to the analysis of today’s subject. The two halves of the case were already separated (not to mention torn asunder from the backup metal key, which remained attached to the Tile Mate and my others) when I found them. I’d temporarily pressed them back together for the earlier photos. Here’s a somewhat more accurate semblance of reality as I came across it (now imagine them buried deep in a pile of snow):

Flip them over and the PCB comes into initial view:

Since the case was busted, the PCB lifted right out:

In-between the button matrix and the PCB is a “membrane” which presumably is present to give the smart key some semblance of moisture and broader environmental resistance:

But the PCB’s what we care about most, right?

Detaching a couple of retention tabs allows the multi-button assembly to lift right off, bringing the circuitry on the front side of the PCB into full view:

Immediately visible are the six switches, three of them in proximity to the earlier mentioned information LEDs. And at one end of the PCB is an IC marked CC1020, which appears to be a “single-chip FSK/OOK CMOS wireless transceiver for narrowband apps in 402-470 and 804-940 MHz range.” Here’s a link to the product page for Texas Instruments’ variant of the chip, although the vendor marking on this particular IC is unknown to me.

In contrast, although the source of the other IC (in the middle of the switch matrix) is indisputable, its function is somewhat mysterious. Labeled F7953C05 and with a Philips Semiconductor stamp on it, Google research suggests that it’s more recently supplied by NXP Semiconductor (which makes sense, since NXP was created in 2006 from Philips’ spin-off of its semiconductor division)…but I can’t even find a product page for it, far from a datasheet.

To learn more, I’m going to temporarily divert your attention to a closeup view of one of the other case fragments:

There’s just enough plastic still intact to enable me to discern the FCC ID, KR55WK49266, which as-usual led me to an abundance of additional information. Among other things, check out this block diagram from the VDO (the German brand of Continental Automotive, previously part of Siemens) user manual, a more discernable version of which I snagged from another source:

My assumption is that everything within the blue rectangle is handled within the F7953C05, with the CC1020 tackling the RF Stage function. And in retrospect, the dearth of public information on the F7953C05 in comparison to other ICs I research in these teardowns isn’t that surprising (although Google did reveal to me that BMW uses the same IC in some of its smart keys). After all, no manufacturer wants someone other than the owner to be able to unlock and enter the vehicle, far from start it and drive it away—a grim scenario that Honda ironically experienced just a few days before I sat down to write. One thing I still don’t know for sure (but assume), for example, is if the Volvo system employs “rolling code.” Wikipedia again:

Most keyless systems use a technique called rolling code to avoid replay attacks, in which the open command is intercepted to be used by a thief at a later time. In the rolling code, a pseudorandom number generator is used to generate a different unlock sequence to be sent each time the car is unlocked.

One other thing to note on this side of the circuit board is the “PCB loop antenna” for transmission, which routes above the top four buttons. And speaking of PCBs, we haven’t yet taken a close look at the other side; let’s fix that omission:

The bit of shiny metal in one quadrant, which to me looks something like a German Iron Cross, is the negative terminal for the lower CR2430 in the two-battery “sandwich” (oddly, by the way, the aforementioned Siemens-now-Continental user guide says that the smart key takes only one battery). But that’s likely not what first caught your eye. What’s the deal with the sizeable mysterious soldered-down grey square thing containing the following topside markings?

At first I assumed that this was the source of the transmitter’s encrypted-data processing. Turns out, though, that per FCC internal photos it’s just the reception antenna (again, note the PCB-embedded antenna surrounding it at the edge of the circuit board). A reception antenna? Why? Well, according to the FCC documentation, this smart key operates at two different frequencies, 902.16 MHz and 903.575 MHz (although curiously, Wikipedia indicates that “most RKEs operate at a frequency of 315 MHz for North America-made cars and at 433.92 MHz for European, Japanese and Asian cars”…the latter explaining the alternative frequencies handled by the CC1020). And quoting from the user manual (with spelling correction by yours truly):

The RF remote control system consists of a remote key which is a RF transmitter / receiver and a RF transmitter / receiver unit at the vehicle. The Remote Key is used to transmit information for locking or unlocking the vehicle (as also Trunk Lid/Approach Light/Panic /comfort open/Comfort Close/Check vehicle status/Passive lock/passive unlock/passive start operations) by a bidirectional RF transmission line for normal remote operation by pressing a button.

If the telegram which was received from the vehicle unit is not corrupted the vehicle unit will send an acknowledgement message to the Remote key. If the acknowledgement message is not received by the Remote key, the remote key will repeat the transmission at the second channel.
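The two mechanisms quoted above, rolling code and the acknowledge-or-repeat-on-the-second-channel exchange, can be sketched together from the receiver's point of view. This is an added example, not code from the article, Volvo or Continental; the HMAC-SHA-256 tag, 32-bit counter, look-ahead window of 16 and every class and function name are assumptions, since the article does not establish what the real fob uses.

```python
import hashlib, hmac, struct

WINDOW = 16   # assumed look-ahead: missed button presses the car tolerates
TAG_LEN = 8   # assumed truncated tag length in bytes

def telegram(key: bytes, counter: int, command: bytes) -> bytes:
    """Frame = 32-bit counter || command || truncated HMAC tag."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Vehicle:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0          # counter = last accepted value
    def receive(self, frame: bytes) -> bool:
        """True means 'send the acknowledgement': authentic and fresh."""
        if len(frame) < 4 + 1 + TAG_LEN:
            return False                         # truncated telegram
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return False                         # corrupted or forged
        (ctr,) = struct.unpack(">I", body[:4])
        if not self.counter < ctr <= self.counter + WINDOW:
            return False                         # replayed, or too far ahead
        self.counter = ctr                       # roll forward; older frames die
        return True

class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self, command: bytes, car: Vehicle, heard=(True, True)):
        """Try channel 1, then channel 2; heard[i] = channel i reaches the car."""
        self.counter += 1                        # every press burns one counter value
        frame = telegram(self.key, self.counter, command)
        for reachable in heard:
            if reachable and car.receive(frame):
                return True, frame               # acknowledged
        return False, frame

def demo():
    key = b"constructed-demo-key"                # constructed sample secret
    car, fob = Vehicle(key), Fob(key)
    first, captured = fob.press(b"UNLOCK", car)
    replayed = car.receive(captured)             # recorded frame sent again
    second, _ = fob.press(b"LOCK", car, heard=(False, True))
    for _ in range(3):                           # presses made out of range
        fob.press(b"LOCK", car, heard=(False, False))
    resynced, _ = fob.press(b"UNLOCK", car)      # counter 6, car at 2: in window
    return first, replayed, second, resynced
```

If the car accepts the first copy but its acknowledgement is lost, the repeat on the second channel carries an already-used counter and is rejected, which is harmless because the command has already run.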

In closing, I thought I’d also share some images of the intact successor smart key from the dealer, to show you what it looks like when not run through a snowblower first. To that point, since it set me back nearly $600, I trust you’ll forgive me for not attempting a full disassembly!

Popping off the back panel to replace the batteries is a bit nerve-wracking but not too bad:

And speaking of $600, in my previous write-up I intentionally-not-subtly proposed that the profit margin on this smart key was likely outrageous. Reader “chargehanger” was first to respond post-publication with the following insight (bracketed text is mine):

The BOM [bill of materials] for this key fob is around 19 Euro [$21 USD as I write this].

I would love any additional insight you can supply, “chargehanger” (or anyone else knowledgeable on the topic, for that matter) as to how you came up with that BOM figure. More generally, as always let me know your thoughts in the comments!

—Brian Dipert is Editor-in-Chief of the Edge AI and Vision Alliance, and a Senior Analyst at BDTI and Editor-in-Chief of InsideDSP, the company’s online newsletter.

Did you try EBAY? My 2001 BMW 540 needed a new key a few years ago. I lost one and the other one wasn’t working for years because my daughter threw it in a pool and left it. I could still use the one from the pool to manually open the door and start the car, but I was still down to one key. The dealer wanted $300 each! There is a small chip inside. The BOM was less than $5! I found a guy on EBAY that would cut a key for you with only a picture of your key, $35 per key. It had everything except the chip to start the car. I bought that at digikey or someplace for $2 each. Hardest part was the code. I bought a programmer for another $35, but I had to get to the key codes. I had to tear my dash apart to get to a module buried under the dash. Next I had to solder a couple wires and use a jumper to get to the software. That allowed me to get the information the software needed to program the new keys. If you are counting, I finished with two keys for $109, way below the $300 for one key!

But your labor cost, is that free? However, you now have the skills to make more replacement keys at ~$54 each.

The low power, short range radio company Chipcon was acquired by Texas Instruments in 2006. That’s the CC logo on the transceiver chip.

All the last few vehicles I’ve owned (Ford Ranger, Nissan Leaf, Chevy Volt) would all accept up to 4 programmed keys. The owner can add a 3rd and 4th key if they can present the 1st and 2nd keys. Buried somewhere in the owner’s manuals, a procedure was listed for adding additional keys. If you have keys 1 & 2, you would save yourself much coin by purchasing and programming a 3rd key before you need it.

If you have only one key, the dealer can use their programming key with your one key to add additional keys (and bill you for needing to use their key). If you have no keys, the dealer would have to borrow another dealer’s programming key to add additional keys (even more coin!).

Get your own third key before you need it.

I have a Toyota Highlander that only came with one fob. It was a repo. I bought a fob on AliExpress for about $50. and programmed it. Amazon has them for about $100. I also have a Camry that I had to fight with the dealer to give me 2 fobs because 1 was lost. When they finally did, they programmed it but did not remove the lost fob registration. Their excuse was they didn’t do that. It took me all of 2 min to delete it. It would have taken them 30 seconds while they were programming the new one. The dealer cost is over $200. I wouldn’t pay that, let alone $600. If you still have the remains of your old one and it still works you can get a replacement cover for $15. here https://www.aliexpress.com/item/2251832728507873.html?spm=a2g0o.productlist.0.0.5d535b03nXFiWw&algo_pvid=bc68e485-ccba-4788-8489-622e434c0d0a&algo_exp_id=bc68e485-ccba-4788-8489-622e434c0d0a-20&pdp_ext_f=%7B%22sku_id%22%3A%2265993921761%22%7D&pdp_npi=2%40dis%21USD%21%2115.0%21%21%21%21%21%402101d8f416542825980477205ec689%2165993921761%21sea They also have the complete fob for about $30. – but then you need to program it. I don’t know about Volvo, but my Techstream app works like a charm. The Toy dealer can also cut a key without a matching one, so I assume they can program a FOB without a matching one. If you have one, you may be able to program one with a simple key on/off pedal pushing code.

I found a shop that specializes in replacement car keys where I got a new fob, programmed and metal key cut for a very good price. They also deleted the lost one.

The square device on the back of the PCB is a LF (RFID) antenna that is used to detect signal coming from the car in order to use the FOB instead of a key.
