Fullscreen HTML5Med Res (??MB)HTML4

The nearest thing you can get to “unbreakable” . . . A Rolling Code 4-channel UHF Remote Control This is one very clever remote control. With rolling code, it’s close-to-impossible to electronically “crack”. With four channels, all either latching or momentary operation, it’s extremely versatile. With a sensitive prebuilt receiver, it’s long range. With up-to-16 keyring-size transmitters, it’s go-anywhere. And the kit even includes the keyring! By Ross Tester Whether you want to control a garage door or gate, a car and/or home alarm, or perhaps remotely turn lights or anything else on or off, this high-security system is just what you’re looking for! Inset top right are the pre-built, aligned and tested receiver (top) and transmitter (bottom) modules, shown here same-size. 18  Silicon Chip www.siliconchip.com.au W e’ve presented a number of remote (radio) control devices in the past. None has been more secure than this one. To guess the code combination, you’re going to need something like 23 billion years. But don’t bother: the next time it’s used, the code will have changed anyway. That’s the advantage of a rolling code (or “code hopping”) system. We explain what this means, and does, later in this article. Suffice to say at this stage that it makes one v-e-r-y secure system. For all intents and purposes, it is impossible to electronically “crack”. Go on, give it a go – we’ll see you in a few million years or so! cence-free 433MHz LIPD band (it’s actually on 433.9MHz). As with most devices of this type these days, it is based on a SAW resonator (that stands for surface acoustic wave, so now you know!). This keeps the circuit very simple but enables excellent performance. Without wanting to get into the nitty-gritty of SAW resonator operation, in essence it controls the RF side of things while a dedicated chip controls the complex digital coding. The receiver (which we’ll get to shortly) can handle up to 16 transmitters so if you have a really big family or maybe have a secure company carpark you want to give a certain number of people access to, you can do so simply by purchasing more transmitters. The transmitter has four pushbut-tons, one for each of the four channels. Of course you don’t have to use all four channels – just one will control alarm, the home security system – in fact, anything your little heart desires. The receiver/decoder Now we move on to the heart of the system, at least the bits you have to put together to make it work. In fact, there are two parts to the receiver as well. There is a 433MHz receiver module which comes assembled, aligned and ready to go. This solders into an appropriate set of holes on the main PC board once you’ve finished assembling that board. The main PC board contains the electronics which process the output from the receiver. The receiver checks the incoming code and if valid, sends a signal to one of four outputs depending on which The transmitter button was pressed on the transmitter). It’s probably not necessary to say it From here, depending on how the but there are two parts to this project, four jumpers are set on the board, the a transmitter and a receiver. signal goes either direct to an NPN First of all, there is the tiny transistor relay driver (for momentary 4-channel “key-ring” operation – the relay is energised transmitter which, while the button SPECIFICATIONS fortunat-ely, comes remains pressed)  UHF (433MHz) licence-fr 99% pre-assembled. or to a D-type flipee (LIPD band) opera tion We say fortunateflop and then to  Long range – prototype tested to 100m+ ly because it’s just the transistor relay  Pre-built and aligned tra about all SMD (surdriver (for alternate nsmitter & receiver mo dules  Rolling-code (“code ho face mount devices) operation – press pping”) operation (7. 19 co 3 x 10 which, while not once and the relay de s)  Receiver “learns” trans mitter coding impossible for the latches, press again  Receiver can handle up hobbyist to work and the relay reto 16 remotes with, requires some leases).  Transmitter can handle any number of receiv rather special hanThe flipflops ers  4 ch an ne ls av ail ab le, d l i n g . Yo u a r e change state (toggle) each either momenta ry (push on, release off) or latching (push spared that! on, push off) via jum each time a postive pers  Code acknowledge LED All you have to going pulse appears and channel status LE Ds do with the transat the clock input.  Each channel relay conta cts rated at 28VDC/1 mitter PC board is This is achieved by changeover) 2A (single pole, solder on the two the connection from  12V DC operation (6mA battery connecthe Q-bar output to quiescent; 150mA all relays actuated) tors and place it the D input via an RC in the case (with network. battery). The circuit has a most garage door openers, for example The battery contacts are slightly power-up reset. When – but it’s nice to know there are four different: the one with a spring is for power is first applied, the Q outputs channels available. the negative battery connection – it of the flipflops are reset low by the And before we move off the transgoes on the righthand side of the PC 0.1µF capacitor and 1MΩ resistor on mitter, up to three channels can be board with the only straight side of the reset (S) inputs. pressed simultaneously and the rethe PC board at the bottom. Reset is caused by sending the reset ceiver will react to all three (it won’t You may find, as we did, that some inputs of all flipflops high. Once the handle four at once, though). of the holes for the battery connectors capacitor is charged, the voltage at the Finally, as well as multiple transare filled with solder. This is easily reset inputs of the flipflops falls to virmitters, you can use more than one melted during installation. tually zero, allowing normal operation receiver if you wish. Once this is done, it’s just a matter It is perfectly acceptable to have a Each receiver “learns” its trans-mitof assembling the board in its keyring mixture of momentary and latched ter(s) so you can have a multiple case. Incidentally, the keyring case modes amongst the four channels. It’s system controlling, for example, the and battery are all supplied in the kit. up to you. garage door, the car doors, the car The transmitter itself is in the liBut if you only require momentary www.siliconchip.com.au July 2002  19 LED1 +5V +12V 10M D1-D4: 1N4004 K  IC1, IC2: 4013 0.1F 2.2k D1 6 IC1 PIN14, IC2 PIN14 5 0.1F 3 D S IC1a CLK ANTENNA Q Q R 1 RELAY1 NC COM NO A J1 4.7k 2 C B E 4 Q1 C8050 LED2 +12V 170mm 2.2k 3 9 0.1F 10 6 D CLK J2 4.7k Q E LED3  K 2.2k 0.1F 3 D S IC2a CLK Q Q R NC COM NO A 1 J3 4.7k 2 C B E 4 5 RELAY3 D3 6 5 Q3 C8050 LED4 +12V 10M A 2.2k  LED5 9 0.1F 6 S D R NC COM NO A Q IC2b CLK RELAY4 D4 8 K K  1k LEARN Q2 C8050 +12V 7 PB1 C B 12 10M 6 12 13 10 8 4 Q R NC COM NO A IC1b 9 433MHz RECEIVER MODULE S RELAY2 D2 8 11 TEST POINT K  10M Q 13 J4 4.7k 12 B C E Q4 C8050 10 +12V 1M 7805 REG1 7805 +12V IN 0.1F 100F COM GND SC 2002 Q1-Q4 C8050 +5V OUT 100F LEDS K 0.1F IC1 PIN7, IC2 PIN7 IN OUT GND C B E A D1-4 A K 4-CHANNEL UHF "ROLLING CODE" REMOTE CONTROL RECEIVER Fig.1: the circuit of the “control” section of the receiver unit. We haven’t attempted to show the 433MHz receiver itself, nor the transmitter, as these are both pre-assembled modules, saving you a lot of difficult work! action (for example, as needed by some door openers/closers) the flip-flops, along with their associated RC network components and the four header pin jumper sets, could be left out of circuit. (You’d then need four links on the PC board to directly connect the receiver outputs to their respective transistors.) Along with spike suppression diodes across each relay coil, part of 20  Silicon Chip each relay driver circuit also includes an acknowledge LED to give a visible output of what’s happening. There is also a “valid signal acknowledge” LED attached to the 433MHz module, which lights when valid code is being received. Each of the four identical relays has contacts rated at 28VDC & 12A, so can be used to control significant loads. The wide track widths on the PC board also allow high currents. The relay contacts could, of course, also be used to switch higher-rated relays or you could replace the acknowledge LED with an opto-coupler. The relays themselves are single pole but have normally open (NO) and normally closed (NC) contacts. These states refer to the unenergised state of the relay (ie, the NC contacts go open when power is applied to the relay coil www.siliconchip.com.au ASSEMBLING THE REMOTE CONTROL: The photo above shows seven of the eight parts you should find when you take the bits out for the remote control (the battery is missing!). Above centre shows the two battery connectors soldered in place on the top of the PC board, above right shows the same thing from the other side. Don’t mix up the connector with spring and the connector without. Finally, the photo at right shows the PC board in place, with battery, in one half of the keyring case. The blue pushbuttons are all on one plate – they fit in as shown but can easily fall out. As you push the two halves of the case together, make sure the pushbutton plate stays in place. The keyring itself also fits into the notch in the case as you push the two halves together. and vice-versa). The only other components on the board are a simple 5V regulated supply, consisting of a 7805 3-terminal regulator and a couple of capacitors. This supply powers the 433MHz module and the 4013 flipflops. The relay coils are powered direct from the 12V supply. Construction Start by soldering in the two battery terminals to the transmitter PC board, in the positions shown in the photographs. Place the completed board in the keyring case, making sure the push-buttons stay in position. Push the two halves together with the battery in place (and the right way around – see pictures), with the keyring clip sandwiched between the two halves. One screw holds the two halves of the transmitter case together. Press each of the four buttons and www.siliconchip.com.au ensure that the LED lights each time. If it does, you can be reasonably sure that the transmitter is working properly. Put it to one side while we move on to the receiver. Receiver board As usual, check the receiver PC board for any defects before assembly. Then solder in the resistors, capacitors, diodes, IC sockets (if used) and the four header pin sets (which select momentary or latching function). If you use IC sockets, make sure they go in the right way around – the notch is closest to the edge of the PC board. The “learn” pushbutton switch solders in place between the IC sockets. These have two pairs of pins which are not identically spaced – the switch should be an easy fit in the PC board if you get it the right way around. If in doubt, check the “closed” state with your multimeter. Now solder in the semiconductors – the regulator, diodes, transistors and the LEDs as shown on the component overlay. Watch the LED and transistor polarities – each is opposite to its neighbour! The last things to be soldered in place before the 433MHz receiver module are the four relays and the six output terminal blocks. The relays will only go in one way but the terminal blocks could be mounted back-tofront, making it almost impossible to get wires into them! (The “open” side of the terminals go towards the edge of the board, in case you were wondering!) At this point, check your assembly for any solder bridges, dry joints or missed joints. You might also now solder in the three wires – two connect 12V power while the third is the antenna. Make the power leads the necessary length to reach your supply. When the antenna wire is soldered in, measure exactly 170mm from the PC board and cut the wire to this July 2002  21 GND M J3 D3 ANT GND 1 L 10M J4 M 1M 4.7k 2.2k LED3 4.7k Power supply The receiver unit is designed for 12V battery operation and power requirements are pretty modest. At rest, (ie, no relays operating), it draws only 6mA and even with all relays actuated, the current is just a smidgeon under 150mA. Therefore, most alarm-type batteries (eg, SLAs) will be more than adequate. We had it operating for a couple of weeks on a 7Ah 12V gell cell, periodically pressing the remote control just for the hell of it, without recharging the battery. In fact, at the end of this LED4 RELAY1 RELAY2 NC COM NC C8050 2.2k COM NO D3 length. This makes it resonant at 433MHz. You should not have any bare wire(s) emerging from the end of the antenna – this could short onto something nasty and do you/it/something else some damage! If necessary, wrap a little insulation tape around the end of the antenna wire – just in case! Plug the two ICs into their sockets, again watching the polarity. The notches should line up with the notches in the sockets (assuming you got the sockets right!) OK, we’re almost there. Place the receiver module in its appropriate holes along the edge of the PC board. It will only go one way (incidentally, take care not to move the coil or touch the trimmer capacitor). Solder each of the module pins into position (there are 13 of them – don’t forget the two by themselves) and your receiver is finished. 22  Silicon Chip LED2 D2 PB1 LEARN IC2 4013 TX1 0.1F Q1 0.1F Q2 4.7k 10M ANT 2.2k NC NO RELAY3 D2 NC L LED1 COM NO NC RELAY4 0.1F D1 LA D0 VT TP 10M J2 M L 2.2k C8050 IC1 4013 1 D1 4.7k 0.1F 0.1F Q3 Q4 1k 433MHz RECEIVER MODULE TP 10M 0.1F Learning and testing +12V 0.1F 100F M J1 L LED5 100F + GND +5V DOUT VALID DATA + REG1 7805 COM NO D4 Looking at the board with the outputs/relays on the left side, move all header pins to the right side (latching). Apply power and you should see absolutely nothing happen. So far, so good. Now press the “learn” button once, then within 15 seconds press button one on the keyring transmitter for a second or so. Button one is the one all by itself on one side of the transmitter. The receiver then learns the encryp-tion from the keyring transmitter – and remembers it. Now all four buttons on your transmitter should alternately close and open the appropriate relay and light/ switch off its associated LED. Change the four jumpers over to Fig.2 (above): the component overlay of the receiver module with the full-size photograph at right. Just to confuse you, we’ve shown the board turned 180° compared to the diagram above! time the battery voltage changed only a few tens of millivolts – probably not much more than you would expect during shelf life. Therefore, just about any 12V battery would be acceptable, even a couple of 6V lantern batteries in series or even 10 C or D-size Nicads. Of course, you could also use just about any garden-variety 12V or 13.8V DC (nominal) plug-pack supply. The relays won’t worry about a few extra volts and the circuit has the on-board 5V regulator to ensure the electronics get the right voltage. Any DC plugpack over about 200mA capacity should be fine. the opposite way and all four buttons should now pull in a relay and light a LED while ever they are pressed – and release it/dim it when let go. And that’s just about it. Now all you have to do is select the jumpers the way you want them and connect the external devices you wish to control. Note that each relay has a normally open and normally closed connection as well as common, so you have a lot of flexibility at your disposal. Want even more security? We mentioned before the one major drawback with any remotely controlled security application, whether www.siliconchip.com.au What is “Code Hopping” or “Rolling Code” These two names usually refer to the same thing – in a nutshell, a security system for a security system. It’s a way of preventing unauthorised access to a digital code which might be transmitted via a short-range radio link to do something: open a garage door, lock or unlock a car and perhaps turn its own security system on and off – and much more. But before we look at these terms, though, let’s go back in time to the days before code hopping and rolling code. Short-range radio-operated control devices have been around for a couple of decades or so (at least, in any volume). The earliest ones that I remember simply used a burst of RF, at a particular frequency, with an appropriate receiver. It’s not hard to see the shortcomings of such devices. Simply sweeping the likely band(s) with an RF generator attached to an antenna would more often than not achieve the desired result (desired for the intruder, that is). It didn’t take long for crooks to latch on to this one (do you like that metaphor?). So manufacturers decided to make it a bit harder for them by modulating the RF at a frequency (or indeed multiple frequencies in some cases) “known” to the receiver. Some used the standard DTMF tones generated by phone keypads because they were very cheap and made in the millions. “Oh, gee,” said the crooks. Now we’ll have to use an RF oscillator with a modulator. Or maybe even a DTMF keypad!” Duh! (Still, it probably seemed like a good idea at the time. . .) Ever one step ahead, the manufacturers went with this (then) new-fangled digital stuff and made each transmitter send a particular code which was matched to the receiver. This was usually done by way of DIP switches in both transmitter and receiver. With eight DIP switches (probably the most common because 8-way DIP switches were common!), you would have 28 or 256 codes available. So you and your next-door neighbour could have the same type of garage door opener on the same frequency and the odds would be pretty good that their door would stay down when you pressed your button. The problem with this, though, is that the transmitter spurted out exactly the same code every time (unless, of course, both sets of dip switches were changed). Enter the crooks again. With a suitable receiver, called a “code grabber”, if they got within a few tens of metres of you they could scan for the RF signal and record your code without you knowing anything about it (for example, as you left your car in a carpark and pressed the button on your remote to lock the doors and turn on the alarm). Once you’d gone, they simply “played it back” using the same code grabber. Presto, one missing car. Or one house burgled, etc etc. Even without a code grabber, a smart intruder with the right equipment using digital techniques and trying eight combinations per second, could crack the code in no more than 32 seconds – and probably much quicker. It’s hard to believe the gall of some organisations openly flogging such devices, euphemistically disguising them (justifying them?) with names such as vehicle lockout recovery systems or disabled vehicle recovery systems. Then again, lock picks are sold for professional locksmiths, aren’t they? Now we move on a little. Microchip, the same people who brought you those ubiquitous PICs, invented a system called KeeLoq – better known to you and me as a rolling code. www.siliconchip.com.au What this does is simply present a different code every time the transmitter button is pressed. Of course, that’s the easy part. The really clever part is that the receiver “learns” the algorithm which controls the code so it knows what code to expect. Once learnt, the receiver is effectively “locked” to that transmitter. Actually, it’s even cleverer than that, because the transmitted code is, for all intents and purposes, random (as far as any external device is concerned). But the receiver can still work out what the code is going to be in advance. If it gets the right code, it actuates. If not – you’re out in the cold, baby! The chances of the same code being transmitted twice in a person’s lifetime is possible – but remote (at four transmissions per day, every day, it’s reckoned to be about 44 years!) Heart of this system is a Microchip proprietary IC, the HC301. It combines a 32-bit hopping code generated by a nonlinear encryption algorithm with a 28-bit serial number and six information bits to create a 66-bit code word. The code word length eliminates the threat of code scanning and the code-hopping mechanism makes each transmission unique, rendering code capture and resend techniques useless. Even if it didn’t code-hop, 66 bits allows 7.3 x 1019 combinations, which according to Microchip would only take 230,000,000,000 years to scan! The chip itself is also protected against intrusion. Several important data are stored in an EEPROM array which is not accessible via any external connection. These include the crypt key, a unique and secret 64-bit number used to encrypt and decrypt data, the serial number and the configuration data. The EEPROM data is programmable but read-protected. It can be verified only after an automatic erase and programming operation, protecting against attempts to gain access to keys or to manipulate synchronisation values. If the code is changed every time a button is pressed on the transmitter, what happens if, say a child starts playing with the remote control and continually presses buttons away from the receiver? OK, here’s where it gets really clever (and you thought it was clever enough already, didn’t you?). If the button is pressed say 10 times while out of range of the receiver, no problem. But if it is pressed more than 16 times, synchronisation between the two is lost. However, it only takes two presses of a button in range to restore sync. No, we don’t know how either. That’s Microchip’s secret! And speaking of button presses, there are a couple of other clever things they’ve done. At most, a complete code will take 100ms to send (it could be as low as 25ms). But if you manage to hit the button and release it before 100ms (difficult, but possible), it will keep sending that complete code. If you hold down the button, it will keep sending that same code. And if you press another button while the first is held down, it will abort the first and send the second.­ As you can see, KeeLoq is a very robust system. Sure, it’s not absolutely foolproof – nothing is (eg, there’s not much protection if they simply steal your transmitter!). But for most users, it gives almost total peace-of-mind. That’s why the system has been adopted by so many vehicle entry/exit and alarm system manufacturers, access controllers and so on. And that’s the system that’s used in the remote control unit presented here. July 2002  23 that be for a car, a building or anything else: what happens if someone pinches your remote control? It is possible to protect yourself against the casual button pusher on a stolen control – at least to some degree. Having four channels at your disposal, in this remote control system, gives you the possibility of increasing security rather significantly, simply by using a combination of keys on your remote. It is “normal” to use one button to achieve a certain function. But what if you used two buttons? It’s possible because when you press the second button, even while holding down the RELAY 1 NO C NC RELAY 1 C NO CIRCUIT TO BE SWITCHED CIRCUIT TO BE SWITCHED NC C NO RELAY NC 2 Fig.3a (left): conventional device control with one relay. Adding a second relay in series (fig 3b, right) increases security against the casual button pusher. Both buttons must be pressed at the same time for the device to actuate. first, the second button’s code is sent. So if you made one button a “momentary” and linked another button’s relay contacts through the first button’s relay contacts, you have the situation where pressing single buttons (as most people would do) wouldn’t achieve Parts List – 4-Channel Code-Hopping Remote Control 1 TX-4312RSA 4-channel keyring rolling code transmitter assembly 1 RX3302D A1.5 433MHz rolling code receiver module 1 PC board, coded K180, 86 x 78mm 4 miniature relays, SPDT, PCB mounting, 12V coils (Millionspot H5000xx) 1 ultramini pushbutton switch, PC mounting, N-O contacts 6 interlocking 2-way terminal blocks, PC mounting 2 14-pin DIL IC sockets (optional) 4 3-way header pin sets, PC mounting Red & black insulated hookup wire for power connection 1 200mm length insulated hookup wire for antenna (see text) Semiconductors 2 4013 dual “D” flipflops (IC1, IC2) 4 NPN general purpose transistors (C8050 or similar) (Q1-Q4) 1 7805 3-terminal regulator (REG1) 4 1A power diodes, 1N4004 or similar (D1-D4) 4 red LEDS, 5mm (LED1-LED4) 1 green LED, 5mm (LED 5) Capacitors 2 100µF, 16VW PC mounting electrolytics 7 0.1µF polyester or ceramic (monolithic 5mm) Resistors 4 10MΩ 1 1MΩ 4 4.7kΩ 4 2.2kΩ 1 1kΩ a thing. Only you know which two buttons (or even three buttons) have to be pressed to achieve a certain function. Fig.3 shows what we mean – the exact combination of buttons is entirely SC up to you! A close-up look at the receiver module soldered into the main PC board. Do this last, as explained in the text. 24  Silicon Chip OR Wheredyageddit? This project and the PC board are copyright © 2002 Oatley Electronics. Oatley have made separate kits available for both the transmitter and receiver, due to the fact that you might want more than one of each (as explained in the text). Rolling Code Transmitter Kit: Complete with pre-assembled transmitter module PC board, battery contacts, battery, clamshell case and keyring clip: (TX4) $25.00. Rolling Code Receiver Kit: Has the 433MHz receiver module, PC board and all on-board components as described in this article: (K180) $54.00. Oatley Electronics can be contacted by: Phone (02) 9584 3563; Fax (02) 9584 3561; Mail (PO Box 89. Oatley NSW 2223); Email (sales<at> oatleyelectronics.com); Or via their website: www.oatleyelectronics.com www.siliconchip.com.au