Signal Analysis in Keyless Systems: ASK/FSK Testing, Rigol DSA800 Spectral Analyzer & PKE Systems

  • #1 16439845
    NDN Warszawa
    Level 12

    In this article we describe methods of testing the ASK / FSK signals used in the keyless entry systems of modern cars.
    Rigol Technologies has extended the radio frequency (RF) test capability of the DSA800 series spectrum analyzers with additional test features for passive keyless entry systems. Rigol's solution is convenient to use and much cheaper than other test systems on the market.

    Passive Keyless Entry (PKE) systems are electronic systems used primarily to open cars or buildings without a mechanical key. Such locking systems work with a passive element (the key) that is activated by a device (e.g. the car) periodically sending a signal into its surroundings. One of the most widespread examples is the proximity car opening system. The vehicle constantly sends a low frequency (LF) signal of around 130 kHz into the surrounding area. If the correct key is near the vehicle (about 1-1.5 m), it recognises the LF signal and sends back its identification (ID) as an RF signal in the UHF (1) band with ASK or FSK modulation. The system then unlocks and the car door can be opened by hand. In some solutions it is also possible to start the engine with a button when the key is inside the cabin, or to open the trunk. The UHF frequency used in PKE systems depends on the region. In Europe the 433 MHz carrier of the ISM (2) band is mainly used; such applications in Europe also use the 868 MHz carrier, which is not an ISM frequency. In the USA and Japan the 315 MHz frequency is mainly used.

    Two types of proximity lock operation procedure are possible (3):

    1) The vehicle sends the LF signal with a short wake-up signal
    - During the defined period, the vehicle sends a short LF excitation (wake-up) signal into its surroundings.
    - If the proximity key is close to the car, it sends back a confirmation signal (UHF).
    - The key and the car start a data exchange with an identification data (ID) check.
    - The car sends its ID to the key. If the identification data is correct, the key sends its code. If the code is correct, the vehicle unlocks the door so that it can be opened.
    2) The vehicle sends the LF signal with its ID
    - During the defined period, the vehicle sends the LF signal with its identification data into its surroundings.
    - If the proximity key is close to the car and the received ID is correct, the key sends its identification code back. If this code is correct, the car can be opened.
    Footnotes:
    1 UHF (Ultra High Frequency) = band of decimetre electromagnetic waves in the range 300 MHz to 1000 MHz.

    2 ISM (Industrial, Scientific and Medical) = radio band initially intended for industrial, scientific and medical use, and now also for private use. ISM defines two types of band: type A and type B. Type B bands can be used without a licence. The most common ISM range is the 2.4 GHz to 2.5 GHz band, used by wireless data transmission systems in computer networks.

    3 Source: Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars, Aurélien Francillon, Boris Danev, Srdjan Capkun, Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland, §2.2


    FSK modulation - frequency shift keying

    FSK (Frequency Shift Keying) is a type of digital modulation in which the carrier wave is modulated with a digital signal and the changes of the carrier frequency are discrete. The basic form is 2FSK, which is used e.g. in proximity systems such as car opening systems or tyre pressure monitoring systems. In the simplest form of 2FSK the two digital states "0" and "1" (2FSK with 1 bit / symbol) are transmitted at two different frequencies.
    These two frequencies are placed symmetrically around the carrier, both with the same spacing from the carrier frequency. The difference between FSK and analog FM is that in FSK the transmitted frequency switches between two values in step with the binary data, whereas in FM the carrier frequency follows the analog modulating signal.

    The spacing of each of the two keyed frequencies from the carrier frequency is called the FSK deviation:
    * FSK deviation = Δf
    * fcarrier (carrier frequency) ± Δf
    Example:
    Figure 1 shows a 2FSK signal with Δf = 40 kHz and fcarrier = 866 MHz.
    Fig. 1 2FSK signal with 40 kHz deviation and 866 MHz carrier frequency, measured with the DSA832E instrument

    The distance between the two characteristic frequencies is 80 kHz:

    fmax = fcarrier + Δf = 866 MHz + 40 kHz
    fmin = fcarrier - Δf = 866 MHz - 40 kHz
    fmax - fmin = 80 kHz
    In general, the spacing of the characteristic frequencies is 2 x the FSK deviation:
    f2 - f1 = 2 x Δf

    Fig. 2 2FSK modulation constellation diagram; the carrier frequency is in the centre of the screen.

    The test results illustrated in Figures 3 and 4 show different types of relevant measurements:

    Fig. 3 Good / Bad mask for curve analysis

    The signal must not exceed the user-defined limit lines of the Good / Bad mask (Fig. 3). The test can be performed with the DSA832, DSA832E or DSA875 (4).
    The absolute values of both frequencies can be measured (Fig. 4, markers 2R and 3D).
    The frequency interval between the two keyed frequencies can be checked with the marker function (Fig. 4, marker 1D).
    The power difference between the two frequencies can also be measured (Fig. 4, markers 2R and 2D).

    Fig. 4 Measured characteristic parameters of the 2FSK signal (see Marker Table)

    Another available measurement is the occupied bandwidth (OCP) analysis. The OCP function measures the frequency range that contains 99% of the signal's spectral power; the carrier frequency lies in the middle of this range (see Figure 5). OCP can be measured with the DSA800 with the DSA800-AMK option (5).

    The OCP value of a 2FSK signal is estimated from the relationship:
    OCPBW = baud rate + 2 x Δf (6)
    For example, with a baud rate of 10k symbols/s and a frequency deviation of 40 kHz:
    OCPBW = 10k symbols/s + 2 x 40 kHz = 90 kHz


    Footnotes:
    4 Measurement speed of the DSA832, DSA832E and DSA875 (10 ms sweep time, 30-40 ms processing time): a measurement rate of about 50 ms per measurement is available in normal operation.

    5 The following measurements are available with the DSA800-AMK option: Time Power (power as a function of time at a given carrier frequency), Adjacent Channel Power (power in the adjacent channels), Channel Power (power and power density in a channel), Occupied Bandwidth (occupied bandwidth measurement), Emission Bandwidth, S / N (signal-to-noise ratio), Harmonic Distortion, TOI (3rd order intermodulation distortion).

    6 Because of the roll-off factor of 0.35, the measured OCP is smaller than the calculated value.


    Fig. 5 Measurement of the bandwidth occupation (OCP) of the 2FSK signal


    Filtering

    The purpose of filtering is to give the digital pulses a smooth, rounded shape, which gives better spectral measurement results and reduces the bandwidth. Different filter types can be selected in Rigol's ULTRA IQ STATION software. For FSK modulation a Gaussian filter is available to limit the bandwidth before transmission; filtering the FSK signal with this filter turns it into GFSK modulation. In the software it is possible to set the bandwidth-time product (BT = B * T), the pulse length (number of samples per pulse during one bit) and the oversampling (an increase of the sampling rate for better compliance with the sampling theorem, so that a simpler reconstruction filter can be used). The Gaussian characteristic is shown in Figure 6. The filter length is the product of the pulse length and the oversampling value.

    The bandwidth-time product BT is calculated from:
    - the -3 dB bandwidth B of the Gaussian characteristic,
    - the duration of one bit, TBit.
    Fig. 6 Gaussian characteristic (7)
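    As an added worked example (not code from the article or from Rigol's ULTRA IQ STATION software), the Python below builds the Gaussian premodulation filter from the three settings named above: BT, the pulse length and the oversampling value, with the filter length equal to pulse length x oversampling. It then convolves an NRZ bit stream with the filter to obtain the smoothed GFSK frequency trajectory that replaces the hard frequency jumps of plain 2FSK. The impulse response h(t) proportional to exp(-2 pi^2 B^2 t^2 / ln 2) is the standard Gaussian filter definition; the 10 kbit/s bit rate, the 40 kHz deviation and an oversampling of 20 are assumptions taken for illustration, and all function names are mine.

```python
import math

BIT_RATE = 10_000          # bit/s, as in the article's 2FSK example (assumed for ASK/GFSK)
OVERSAMPLING = 20          # samples per bit (assumed)
DEVIATION_HZ = 40_000      # FSK deviation from the article's example


def gaussian_taps(bt, pulse_length_bits, oversampling, bit_rate=BIT_RATE):
    """Impulse response of the Gaussian premodulation filter, normalised to unit gain.

    bt is the bandwidth-time product B x T_bit, so the -3 dB bandwidth is
    B = bt x bit_rate. The filter length is pulse_length_bits x oversampling,
    as the article states.
    """
    fs = oversampling * bit_rate
    b = bt * bit_rate
    length = pulse_length_bits * oversampling
    centre = (length - 1) / 2
    taps = []
    for n in range(length):
        t = (n - centre) / fs
        # Gaussian filter: h(t) ~ exp(-2 pi^2 B^2 t^2 / ln 2)
        taps.append(math.exp(-2 * math.pi ** 2 * b ** 2 * t ** 2 / math.log(2)))
    total = sum(taps)
    return [x / total for x in taps]


def nrz(bits, oversampling=OVERSAMPLING, deviation_hz=DEVIATION_HZ):
    """Rectangular frequency trajectory of plain 2FSK: +dev for '1', -dev for '0'."""
    out = []
    for bit in bits:
        out.extend([deviation_hz if bit else -deviation_hz] * oversampling)
    return out


def gfsk_frequency(bits, bt, pulse_length_bits,
                   oversampling=OVERSAMPLING, deviation_hz=DEVIATION_HZ):
    """GFSK frequency trajectory: NRZ pulses convolved with the Gaussian taps.

    'Same'-length convolution, so y[n] lines up with the NRZ sample x[n].
    Because the taps are positive and sum to 1, |y| never exceeds the deviation.
    """
    x = nrz(bits, oversampling, deviation_hz)
    h = gaussian_taps(bt, pulse_length_bits, oversampling)
    half = len(h) // 2
    y = []
    for n in range(len(x)):
        acc = 0.0
        for k, hk in enumerate(h):
            i = n + half - k
            if 0 <= i < len(x):
                acc += hk * x[i]
        y.append(acc)
    return y


if __name__ == "__main__":
    # Constructed bit pattern: a run of ones followed by a run of zeros.
    traj = gfsk_frequency([1] * 8 + [0] * 8, bt=0.5, pulse_length_bits=4)
    print("peak frequency offset:", max(traj), "Hz")
    print("frequency at the 1->0 transition:", traj[159], "Hz")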

    The 2FSK signal can be generated in the ULTRA IQ STATION software and loaded into an RF signal generator with the IQ option (DSG3030-IQ or DSG3060-IQ) (8).


    Fig. 7 Generation of 2FSK signal in ULTRA IQ STATION software


    Footnotes:
    7 Drawing source: Wikipedia.org
    8 DSG3030-IQ: 9 kHz to 3 GHz; DSG3060-IQ: 9 kHz to 6 GHz. The IQ modulator is an option and also includes external I and Q analog inputs and outputs.


    The clock frequency in the generator sets the output frequency of the array synthesis clock. The clock frequency is calculated from the oversampling value and the bit rate (in our example of 2FSK modulation, one transmitted symbol contains one bit).
    Clock frequency = oversampling value * bit rate
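    Worked example, added here and not part of the article or of Rigol's software: the following Python generates a 2FSK baseband burst with the article's parameters (Δf = 40 kHz, 10 ksym/s, 1 bit per symbol) at a clock frequency of oversampling x bit rate (an oversampling of 20 is an assumption, giving 200 kHz), then recovers the bits and the quantities the marker table and the S1220 software report (the two frequencies, their spacing 2 x Δf, the deviation and the carrier frequency offset) with a phase-difference discriminator, and computes the OCP estimate of 90 kHz from the relationship given above. All function names are mine; the transmitter's 5 kHz carrier offset in the demonstration is constructed.

```python
import cmath
import math

# Values from the article's worked example: 40 kHz deviation, 10 ksym/s.
DEVIATION_HZ = 40_000
BAUD = 10_000
OVERSAMPLING = 20                       # samples per bit (assumed)
FS = OVERSAMPLING * BAUD                # clock frequency = oversampling x bit rate = 200 kHz


def fsk_modulate(bits, deviation_hz=DEVIATION_HZ, baud=BAUD, fs=FS, offset_hz=0.0):
    """Return complex baseband samples of a 2FSK burst (1 bit per symbol).

    A "1" is sent at +deviation_hz and a "0" at -deviation_hz relative to the
    carrier, so the two keyed tones are 2 x deviation apart. offset_hz models
    a transmitter whose carrier sits slightly off the nominal frequency.
    """
    sps = fs // baud                    # samples per symbol (oversampling)
    if sps * baud != fs:
        raise ValueError("fs must be an integer multiple of baud")
    samples = []
    phase = 0.0                         # continuous phase across symbol edges
    for bit in bits:
        f = offset_hz + (deviation_hz if bit else -deviation_hz)
        step = 2 * math.pi * f / fs     # phase advance per sample
        for _ in range(sps):
            phase = (phase + step) % (2 * math.pi)
            samples.append(cmath.exp(1j * phase))
    return samples


def instantaneous_frequency(samples, fs):
    """Phase-difference discriminator: frequency of each sample relative to the carrier."""
    freqs = []
    for prev, cur in zip(samples, samples[1:]):
        dphi = cmath.phase(cur * prev.conjugate())       # phase step in (-pi, pi]
        freqs.append(dphi * fs / (2 * math.pi))
    return [freqs[0]] + freqs if freqs else []            # pad so len(freqs) == len(samples)


def fsk_demodulate(samples, baud=BAUD, fs=FS):
    """Recover the bits and the 2FSK parameters the article measures with markers."""
    sps = fs // baud
    freqs = instantaneous_frequency(samples, fs)
    symbol_freqs = []
    for k in range(len(samples) // sps):
        seg = freqs[k * sps:(k + 1) * sps]
        symbol_freqs.append(sum(seg) / len(seg))          # average over one symbol
    f_high, f_low = max(symbol_freqs), min(symbol_freqs)
    threshold = (f_high + f_low) / 2                      # midpoint tolerates a carrier offset
    bits = [1 if f > threshold else 0 for f in symbol_freqs]
    measured = {
        "f_high_hz": f_high,
        "f_low_hz": f_low,
        "spacing_hz": f_high - f_low,                     # f2 - f1 = 2 x deviation
        "deviation_hz": (f_high - f_low) / 2,
        "carrier_offset_hz": (f_high + f_low) / 2,
    }
    return bits, measured


def ocp_bandwidth(baud=BAUD, deviation_hz=DEVIATION_HZ):
    """Occupied bandwidth estimate from the article: baud rate + 2 x deviation."""
    return baud + 2 * deviation_hz


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]                    # constructed test pattern
    iq = fsk_modulate(payload, offset_hz=5_000)           # carrier 5 kHz off nominal
    bits, meas = fsk_demodulate(iq)
    print("bits:", bits)
    print("measured:", meas)
    print("OCP estimate:", ocp_bandwidth(), "Hz")
```

    The decision threshold is placed halfway between the two observed tone frequencies rather than at 0 Hz, which is why the decoder still works when the transmitter's carrier is offset; the offset itself falls out as the mean of the two tones, exactly what the S1220 reports as carrier frequency offset.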

    S1220 software for 2FSK demodulation

    Rigol offers (as an option) an ASK / FSK software demodulation solution in the form of the S1220 software package. It works with the DSA832, DSA832E and DSA875 (9) analyzers. ASK demodulation is described at the end of this article.
    - The software displays the symbol waveforms of the modulated signal.
    - Eye diagrams can be analysed, which is especially important when assessing the jitter of the tested signal.
    - A signal pattern can be set as a reference waveform; each time the pattern is transmitted it is marked in yellow.
    - Carrier power, frequency deviation and carrier frequency offset can be measured.
    - Manchester encoding is supported.
    - Configuration data can be saved and loaded.

    The 2FSK signal settings are shown in Figure 8.
    Fig. 8 S1220 software for ASK / FSK demodulation

    Footnotes:
    9 The analyzer must be in the DMA (FFT) mode; control of the analyzer from the S1220 software is only possible in the DMA mode.




    Fig. 9 Configuration for FSK modulation in the S1220 package



    Measuring FSK signals with the DSA815, DSA705 and DSA710 instruments

    The S1220 software is intended only for the DSA832(E) / DSA875 analyzers. The measurement speed of the DSA815, DSA705 and DSA710 is lower than that of the DSA832(E) / DSA875 and too slow for 2FSK signals. Rigol solved this by introducing a new option for continuous signal recording, SSC-DSA (10). With the SSC-DSA option it is also possible to analyse 2FSK signals measured with the DSA815, DSA705 and DSA710. The option switches the analyzer into the FFT mode with a faster signal capture rate and enables parallel measurement of up to three 2FSK signals up to 1.5 MHz (see Fig. 10) directly on the instrument, without any additional software.

    The option has three main features:

    - Real-time spectrum display (RT Trace).
    - Max Hold function.
    - Analysis of the recorded 2FSK signal, which includes:
      - the maximum value memory function in parallel with the continuous measurement,
      - a Pass / Fail test against user-set limit lines,
      - activation of two marker lines,
      - measurement of the two frequencies of the 2FSK signal, the amplitude of both, the frequency deviation and the carrier frequency offset.
    Footnotes:
    10 This option is only available for the DSA705, DSA710 and DSA815 instruments.

    Fig. 10 Measurement of the 2FSK signal with the DSA815 instrument with the SSC option
    Fig. 11 Measuring three 2FSK signals simultaneously with the Max Hold function


    ASK modulation - amplitude shift keying

    ASK (Amplitude Shift Keying) is also a type of digital modulation, used e.g. in keyless locking systems or beacons. In the simplest form the two digital signal states "0" and "1" are multiplied with the carrier (see Figures 12 to 14). Keyless systems using ASK modulation employ On / Off Keying (OOK).


    Two-state keying (OOK):
    - In state "1" the carrier wave is transmitted; in state "0" the carrier is switched off.
    - The ASK modulation is 100% (see Fig. 14).
    Fig. 12 Pulse sequence "1" and "0" (digital signal)
    Fig. 13 ASK carrier (sine wave)
    Fig. 14 ASK modulation (digital signal x carrier)
    The ASK signal may also be transmitted with a carrier that is never switched off. In this case state "0" is transmitted with a lower amplitude than state "1". The ASK modulation can then be e.g. 10% (e.g. in near field communication [NFC] systems with a data rate of 424 kbps).
    The ASK modulation index is calculated from the following formula (A and B are the amplitudes of states "1" and "0"):
    - m = (A - B) / (A + B) x 100
    - If m is 8 to 14%, the ASK modulation is referred to as ~10%.
    - The modulation depth is B / A
    Fig. 15 10% ASK modulation

    ASK modulation band is defined by the relationship:
    B = 2 x baud rate
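    As an added example (not code from the article or from Rigol's S1220 software), the Python below generates an ASK baseband envelope with amplitude A for "1" and B for "0" (B = 0 gives OOK), recovers the bits by per-symbol envelope detection (the view the zero-span mode gives) and computes the measured modulation index m = (A - B) / (A + B) x 100 and depth B / A for both 100% OOK and a ~10% ASK setting. A plain DFT then shows the spectrum of a 0101... pattern: lines at harmonics of the pattern, the sin x / x null at the baud rate (so the null-to-null width is 2 x baud rate), and nothing at frequencies that are not harmonics. The 10 ksym/s baud rate and the oversampling of 20 are assumptions, as the article gives no ASK data rate; all function names are mine.

```python
import cmath
import math

BAUD = 10_000            # symbols/s (assumed; the article gives no ASK baud rate)
OVERSAMPLING = 20        # samples per bit (assumed)
FS = OVERSAMPLING * BAUD # 200 kHz sample clock


def ask_modulation_index(a, b):
    """m = (A - B) / (A + B) x 100, with A = amplitude of '1', B = amplitude of '0'."""
    return (a - b) / (a + b) * 100


def ask_modulation_depth(a, b):
    """Modulation depth B / A."""
    return b / a


def ask_bandwidth(baud):
    """Null-to-null bandwidth of the ASK spectrum: B = 2 x baud rate."""
    return 2 * baud


def ask_modulate(bits, a=1.0, b=0.0, oversampling=OVERSAMPLING):
    """Baseband envelope of an ASK burst: amplitude a for '1', b for '0' (b = 0 gives OOK)."""
    samples = []
    for bit in bits:
        samples.extend([a if bit else b] * oversampling)
    return samples


def ask_demodulate(samples, oversampling=OVERSAMPLING):
    """Envelope detection per symbol, plus the measured A, B, m and depth."""
    levels = []
    for k in range(len(samples) // oversampling):
        seg = samples[k * oversampling:(k + 1) * oversampling]
        levels.append(sum(abs(s) for s in seg) / len(seg))   # mean envelope of one symbol
    a_meas, b_meas = max(levels), min(levels)
    threshold = (a_meas + b_meas) / 2                         # midway between the two levels
    bits = [1 if lvl > threshold else 0 for lvl in levels]
    measured = {
        "A": a_meas,
        "B": b_meas,
        "m_percent": ask_modulation_index(a_meas, b_meas),
        "depth": ask_modulation_depth(a_meas, b_meas),
    }
    return bits, measured


def spectrum_magnitude(samples):
    """Plain DFT magnitude |X[k]| for k = 0 .. N/2; bin spacing is fs / N."""
    n = len(samples)
    mags = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))
        mags.append(abs(acc))
    return mags


if __name__ == "__main__":
    pattern = [1, 0] * 8                                      # constructed 0101... pulse train
    ook = ask_modulate(pattern, a=1.0, b=0.0)                # 100% modulation (OOK)
    print("OOK:", ask_demodulate(ook)[1])
    print("~10% ASK:", ask_demodulate(ask_modulate(pattern, a=1.0, b=0.8))[1])
    mags = spectrum_magnitude(ook)                            # N = 320 -> 625 Hz per bin
    print("line at baud/2 (5 kHz):", round(mags[8], 2))
    print("null at baud (10 kHz):", round(mags[16], 6))
    print("ASK bandwidth:", ask_bandwidth(BAUD), "Hz")
```

    With N = 320 samples the DFT bins are 625 Hz apart, so bin 8 is 5 kHz (the fundamental of the 2-bit pattern), bin 16 is 10 kHz (the first sin x / x null, because each pulse lasts exactly one bit) and bin 4 is 2.5 kHz, which is not a harmonic of the pattern and therefore carries no line.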

    ASK signals can also be generated by a DSG3000-IQ series RF signal generator (eg DSG3060) with ULTRA IQ STATION software (see figure 16).
    Fig. 16 ULTRA IQ STATION settings for ASK signal generation



    The spectrum is shown in Figure 17. The width of the ASK spectrum equals 2 x the transmission rate. The spectrum consists of several distinct spectral lines, which is expected for this form of transmission, since an OOK pulse train is not a single tone:
    - A single burst in the time domain corresponds to the Si function (sin x / x) in the frequency domain.
    - A pulse train in the time domain (a constant 0101... sequence) corresponds to the Si function multiplied by a Dirac pulse train (a train of very narrow pulses) in the frequency domain.
    - Multiplication with the carrier shifts this function to the carrier frequency.

    The digital signal is visible in the zero span mode of the analyzer (see Figure 18). In this mode the pulse train can be analysed in the time domain.
    Fig. 17 Spectrum of the ASK signal
    Fig. 18 View of the ASK signal in the zero span mode

    The ASK signal can also be analysed with Rigol's S1220 ASK / FSK demodulation software. The settings and screens for the analysis are the same as for the analysis of 2FSK signals.
    S1220 Rigol Software

    https://www.ndn.com.pl/


    *Sponsored article
  • #2 16443125
    TechEkspert
    Editor
    Interesting thing, it could do with debugging this kind of thing: "RFID" - contactless cards # 23 edu elektroda.pl ;)
    I wonder why the vehicle activates the key with the LF field and the key responds in the UHF band, what are the advantages (maybe the LF has a short range and allows "proximity" to be natively realized) does it not complicate the design?

    The described method of operation resembles challenge-response authorization, I wonder what the "strength" is - the key length of the cryptographic algorithm used in the key.
  • #4 16455376
    TechEkspert
    Editor
    It is very possible; an interesting thing is that the LF coils are positioned in three axes.

    I once came across a Qi charger with three coils: Wireless car charger. Does convenience compensate for losses?
    but there they were placed in one plane and increased the field of operation of the WCT charger (the charger detected the coil closest to the receiver coil).
  • #5 16464249
    przemyslawuk
    Level 12  
    There are various solutions, but in simplified terms, the key is most often triggered via the LF. Usually 125 kHz. At low frequency it is easier to transfer energy (as in chip cards that do not have their own power supply). The energy transfer efficiency is higher. The answer is UHF because the small battery in the key would not be able to modulate the field at a distance of a few meters. For example, about 2 A of current is pumped into a 125 kHz antenna in a car to trigger and energize the key. The battery in the key wouldn't take it for long.
    Why 3 antennas? - For a greater probability that the key will receive enough energy to trip. Even with a slight deflection of the receiving and transmitting antennas, the energy transfer efficiency drops significantly.
    After activation, the key has a defined time period within which it must send a response. The latest solutions try to avoid the problem of "extending" the key, currently the most frequently used method by thieves, through the use of broadband modulation.
  • #6 16467312
    TechEkspert
    Editor
    These two things:
    -continuous pinging by the car to detect the key
    -and an attack in the form of "key extension", i.e. building a transparent channel between the car and a remote user
    they scared me away a bit from this solution ...

    In fact, a simple button on the key would be enough to "extend" the communication, but the question is whether such a solution would be functionally different from an ordinary remote control with a button.

    This solution with LF coils in three axes / planes is very clever, to which it can be compared in HF communication, maybe to MIMO or rather SIMO because it is in one direction.
  • #7 16467767
    RometFan;p
    Level 26  
    MIMO or SIMO only has in common that it can also have 3 antennas. This technique used in cars is that depending on how we hold the key, we polarize the antenna differently. As if we moved the antenna on the roof of a single-family house by 90 degrees (the signal will decrease because the polarization of the transmitter and antenna is not correct). Having antennas in 3 different axes, any polarity will always match "quite".
    MIMO is a technique used in new generation radio techniques (LTE, WiMax, WiFi) and planned in 5G networks, and allows for appropriate summation of signals from multiple antennas in signals with multipath, i.e. OFDM modulation.
  • #8 16471516
    szymon122
    Level 38  
    TechEkspert wrote:
    -continuous pinging by the car to detect the key

    Continuous, i.e. how often the car asks if the key is nearby?
  • #9 16478065
    TechEkspert
    Editor
    I do not know how much "ping" is sent, but from a practical point of view, probably every 1s would be sufficient, but anyway such a ping is sent 24/7 when the car is parked in the parking lot.
  • #10 16479911
    electro
    Level 18  
    TechEkspert wrote:
    I do not know how much "ping" is sent, but from a practical point of view, probably every 1s would be sufficient, but anyway such a ping is sent 24/7 when the car is parked in the parking lot.


    Rather, it makes no sense to send a signal without interruption, sending a signal is initiated either by a button in the handle or by simply pulling the handle. More frequent pinging is done when the ignition is on, but due to the proximity of the key, the powers are lower.
  • #11 16482707
    przemyslawuk
    Level 12  
    It is not true that the ping is sent all the time. In fact, I am not aware of a case where such a ping would be sent all the time.
    Pinging does occur, but it happens more in certain situations, for a specific purpose, rather than just like that.
    Again, this is different, but generally no ping is sent when the car is shut down. This would discharge the battery, not to mention the battery in the key.
    Ping is sent under certain circumstances. For example, if the engine is running and the driver's door is opened, there will be periodic pings to make sure the key is in.
    Many systems will warn you that the key is outside the car.
    Another case. In the so-called active systems after turning off the engine, closing the door, it will ping until the key is out of range (several meters) and then the door is locked.
    But then there's no ping anymore. The key is detected when the handle is pulled.
    Most of the car's computers go to sleep after a few days and then even after pulling the handle, you can see a clear slowing down of the lock's reaction time to pulling the handle.
  • #12 16490494
    tatanka
    Level 21  
    The walking speed is about 1.3 m / s, so the car would have to ping every 1s.
    3-5 antennas would quickly discharge the battery.
    We have 100 cars in the parking lot that ping the keys every 1s?

    Nonsense.

    The system works when you touch the handle or put your hand behind the handle.
  • #13 16507127
    tarkan1
    Level 17  
    Mitsubishi outlander 2007 - you have to pull the door handle and it only works from the driver's door or the trunk, it unlocks and can only be opened. Sometimes it doesn't catch on the driver's side, better than the trunk.
  • #14 16575748
    TechEkspert
    Editor
    @NDN Warsaw it would be nice if you ever did modern tools, let's call it "retro analysis", for example, of signals generated by an analog modem (I know, it may be difficult to get it, but the dial-up number 0202122 still works :) ).

    Once I got materials from Fr. dial-up you can see you were getting the most out of the analog line in those days, and you can see the technological advancement there is.
    Such retro themes are popular and show how fast telecommunications is changing, e.g. the topic of Fr. switchboards and cable networks .
  • #15 16575961
    Freddie Chopin
    MCUs specialist
    @TechEkspert, are you aware that this artificial boosting of this topic (and other sponsored ones) is really visible, right?
  • #16 16576112
    TechEkspert
    Editor
    @freddie Chopin what are your feelings and opinion,
    on the other hand, I am interested in specific topics, and if you can achieve something thanks to the interaction on the forum, then make good use of the opportunity.
    But this "offtop" is enough ...

    On the other hand, as for modems operating on analog lines, despite the age of these technologies, signal analysis would not necessarily be trivial:
    http://www.kt.agh.edu.pl/~danda/V.html

    Here someone has even archived the signals for each connection speed standard:

    Now I think it would be equally interesting to analyze the signals produced by modern ADSL / VDSL modems.
