This is only a preview of the July 2002 issue of Silicon Chip.
The nearest thing you can get to “unbreakable” . . .
A Rolling Code 4-channel UHF Remote Control
This is one very clever remote control. With rolling code, it’s close-to-impossible to electronically “crack”. With four channels, all either latching or momentary operation, it’s extremely versatile. With a sensitive prebuilt receiver, it’s long range. With up-to-16 keyring-size transmitters, it’s go-anywhere. And the kit even includes the keyring!
By Ross Tester
Whether you want to control a garage door or gate, a car and/or home alarm, or perhaps remotely turn lights or anything else on or off, this high-security system is just what you’re looking for!
Inset top right are the pre-built, aligned and tested receiver (top) and transmitter (bottom) modules, shown here same-size.
18 Silicon Chip
www.siliconchip.com.au
We’ve presented a number of remote (radio) control devices in the past. None has been more secure than this one. To guess the code combination, you’re going to need something like 23 billion years. But don’t bother: the next time it’s used, the code will have changed anyway.
That’s the advantage of a rolling code (or “code hopping”) system. We explain what this means, and does, later in this article.
Suffice to say at this stage that it makes one v-e-r-y secure system. For all intents and purposes, it is impossible to electronically “crack”. Go on, give it a go – we’ll see you in a few million years or so!

SPECIFICATIONS
UHF (433MHz) licence-free (LIPD band) operation
Long range – prototype tested to 100m+
Pre-built and aligned transmitter & receiver modules
Rolling-code (“code hopping”) operation (7.3 x 10^19 codes)
Receiver “learns” transmitter coding
Receiver can handle up to 16 remotes
Transmitter can handle any number of receivers
4 channels available, each either momentary (push on, release off) or latching (push on, push off) via jumpers
Code acknowledge LED and channel status LEDs
Each channel relay contacts rated at 28VDC/12A (single pole, changeover)
12V DC operation (6mA quiescent; 150mA all relays actuated)

The transmitter
It’s probably not necessary to say it but there are two parts to this project, a transmitter and a receiver.
First of all, there is the tiny 4-channel “key-ring” transmitter which, fortunately, comes 99% pre-assembled. We say fortunately because it’s just about all SMD (surface mount devices) which, while not impossible for the hobbyist to work with, requires some rather special handling. You are spared that!
All you have to do with the transmitter PC board is solder on the two battery connectors and place it in the case (with battery).
The battery contacts are slightly different: the one with a spring is for the negative battery connection – it goes on the righthand side of the PC board with the only straight side of the PC board at the bottom.
You may find, as we did, that some of the holes for the battery connectors are filled with solder. This is easily melted during installation.
Once this is done, it’s just a matter of assembling the board in its keyring case. Incidentally, the keyring case and battery are all supplied in the kit.
The transmitter itself is in the licence-free 433MHz LIPD band (it’s actually on 433.9MHz). As with most devices of this type these days, it is based on a SAW resonator (that stands for surface acoustic wave, so now you know!). This keeps the circuit very simple but enables excellent performance.
Without wanting to get into the nitty-gritty of SAW resonator operation, in essence it controls the RF side of things while a dedicated chip controls the complex digital coding.
The receiver (which we’ll get to shortly) can handle up to 16 transmitters so if you have a really big family or maybe have a secure company carpark you want to give a certain number of people access to, you can do so simply by purchasing more transmitters.
The transmitter has four pushbuttons, one for each of the four channels.
Of course you don’t have to use all four channels – just one will control most garage door openers, for example – but it’s nice to know there are four channels available.
And before we move off the transmitter, up to three channels can be pressed simultaneously and the receiver will react to all three (it won’t handle four at once, though).
Finally, as well as multiple transmitters, you can use more than one receiver if you wish.
Each receiver “learns” its transmitter(s) so you can have a multiple system controlling, for example, the garage door, the car doors, the car alarm, the home security system – in fact, anything your little heart desires.

The receiver/decoder
Now we move on to the heart of the system, at least the bits you have to put together to make it work.
In fact, there are two parts to the receiver as well. There is a 433MHz receiver module which comes assembled, aligned and ready to go. This solders into an appropriate set of holes on the main PC board once you’ve finished assembling that board.
The main PC board contains the electronics which process the output from the receiver.
The receiver checks the incoming code and if valid, sends a signal to one of four outputs (depending on which button was pressed on the transmitter).
From here, depending on how the four jumpers are set on the board, the signal goes either direct to an NPN transistor relay driver (for momentary operation – the relay is energised while the button remains pressed) or to a D-type flipflop and then to the transistor relay driver (for alternate operation – press once and the relay latches, press again and the relay releases).
The flipflops change state (toggle) each time a positive going pulse appears at the clock input. This is achieved by the connection from the Q-bar output to the D input via an RC network.
The circuit has a power-up reset. When power is first applied, the Q outputs of the flipflops are reset low by the 0.1µF capacitor and 1MΩ resistor on the reset (S) inputs.
Reset is caused by sending the reset inputs of all flipflops high. Once the capacitor is charged, the voltage at the reset inputs of the flipflops falls to virtually zero, allowing normal operation.
It is perfectly acceptable to have a mixture of momentary and latched modes amongst the four channels. It’s up to you.
But if you only require momentary action (for example, as needed by some door openers/closers) the flip-flops, along with their associated RC network components and the four header pin jumper sets, could be left out of circuit. (You’d then need four links on the PC board to directly connect the receiver outputs to their respective transistors.)
Fig.1 (4-CHANNEL UHF “ROLLING CODE” REMOTE CONTROL RECEIVER): the circuit of the “control” section of the receiver unit. We haven’t attempted to show the 433MHz receiver itself, nor the transmitter, as these are both pre-assembled modules, saving you a lot of difficult work!
Along with spike suppression diodes across each relay coil, part of each relay driver circuit also includes an acknowledge LED to give a visible output of what’s happening.
There is also a “valid signal acknowledge” LED attached to the 433MHz module, which lights when valid code is being received.
Each of the four identical relays has contacts rated at 28VDC & 12A, so can be used to control significant loads. The wide track widths on the PC board also allow high currents.
The relay contacts could, of course, also be used to switch higher-rated relays or you could replace the acknowledge LED with an opto-coupler.
The relays themselves are single pole but have normally open (NO) and normally closed (NC) contacts. These states refer to the unenergised state of the relay (ie, the NC contacts go open when power is applied to the relay coil and vice-versa).
The only other components on the board are a simple 5V regulated supply, consisting of a 7805 3-terminal regulator and a couple of capacitors. This supply powers the 433MHz module and the 4013 flipflops. The relay coils are powered direct from the 12V supply.

ASSEMBLING THE REMOTE CONTROL:
The photo above shows seven of the eight parts you should find when you take the bits out for the remote control (the battery is missing!).
Above centre shows the two battery connectors soldered in place on the top of the PC board, above right shows the same thing from the other side. Don’t mix up the connector with spring and the connector without.
Finally, the photo at right shows the PC board in place, with battery, in one half of the keyring case. The blue pushbuttons are all on one plate – they fit in as shown but can easily fall out. As you push the two halves of the case together, make sure the pushbutton plate stays in place. The keyring itself also fits into the notch in the case as you push the two halves together.

Construction
Start by soldering in the two battery terminals to the transmitter PC board, in the positions shown in the photographs.
Place the completed board in the keyring case, making sure the pushbuttons stay in position.
Push the two halves together with the battery in place (and the right way around – see pictures), with the keyring clip sandwiched between the two halves.
One screw holds the two halves of the transmitter case together.
Press each of the four buttons and ensure that the LED lights each time. If it does, you can be reasonably sure that the transmitter is working properly. Put it to one side while we move on to the receiver.

Receiver board
As usual, check the receiver PC board for any defects before assembly. Then solder in the resistors, capacitors, diodes, IC sockets (if used) and the four header pin sets (which select momentary or latching function).
If you use IC sockets, make sure they go in the right way around – the notch is closest to the edge of the PC board.
The “learn” pushbutton switch solders in place between the IC sockets. These have two pairs of pins which are not identically spaced – the switch should be an easy fit in the PC board if you get it the right way around. If in doubt, check the “closed” state with your multimeter.
Now solder in the semiconductors – the regulator, diodes, transistors and the LEDs as shown on the component overlay. Watch the LED and transistor polarities – each is opposite to its neighbour!
The last things to be soldered in place before the 433MHz receiver module are the four relays and the six output terminal blocks. The relays will only go in one way but the terminal blocks could be mounted back-to-front, making it almost impossible to get wires into them! (The “open” side of the terminals go towards the edge of the board, in case you were wondering!)
At this point, check your assembly for any solder bridges, dry joints or missed joints.
You might also now solder in the three wires – two connect 12V power while the third is the antenna. Make the power leads the necessary length to reach your supply.
When the antenna wire is soldered in, measure exactly 170mm from the PC board and cut the wire to this length. This makes it resonant at 433MHz.
You should not have any bare wire(s) emerging from the end of the antenna – this could short onto something nasty and do you/it/something else some damage! If necessary, wrap a little insulation tape around the end of the antenna wire – just in case!
Plug the two ICs into their sockets, again watching the polarity. The notches should line up with the notches in the sockets (assuming you got the sockets right!)
OK, we’re almost there. Place the receiver module in its appropriate holes along the edge of the PC board. It will only go one way (incidentally, take care not to move the coil or touch the trimmer capacitor).
Solder each of the module pins into position (there are 13 of them – don’t forget the two by themselves) and your receiver is finished.
Fig.2 (above): the component overlay of the receiver module with the full-size photograph at right. Just to confuse you, we’ve shown the board turned 180° compared to the diagram above!

Power supply
The receiver unit is designed for 12V battery operation and power requirements are pretty modest. At rest, (ie, no relays operating), it draws only 6mA and even with all relays actuated, the current is just a smidgeon under 150mA.
Therefore, most alarm-type batteries (eg, SLAs) will be more than adequate.
We had it operating for a couple of weeks on a 7Ah 12V gel cell, periodically pressing the remote control just for the hell of it, without recharging the battery. In fact, at the end of this time the battery voltage changed only a few tens of millivolts – probably not much more than you would expect during shelf life.
Therefore, just about any 12V battery would be acceptable, even a couple of 6V lantern batteries in series or even 10 C or D-size Nicads.
Of course, you could also use just about any garden-variety 12V or 13.8V DC (nominal) plug-pack supply.
The relays won’t worry about a few extra volts and the circuit has the on-board 5V regulator to ensure the electronics get the right voltage. Any DC plugpack over about 200mA capacity should be fine.

Learning and testing
Looking at the board with the outputs/relays on the left side, move all header pins to the right side (latching).
Apply power and you should see absolutely nothing happen. So far, so good.
Now press the “learn” button once, then within 15 seconds press button one on the keyring transmitter for a second or so. Button one is the one all by itself on one side of the transmitter.
The receiver then learns the encryption from the keyring transmitter – and remembers it.
Now all four buttons on your transmitter should alternately close and open the appropriate relay and light/switch off its associated LED.
Change the four jumpers over to the opposite way and all four buttons should now pull in a relay and light a LED while ever they are pressed – and release it/dim it when let go.
And that’s just about it. Now all you have to do is select the jumpers the way you want them and connect the external devices you wish to control.
Note that each relay has a normally open and normally closed connection as well as common, so you have a lot of flexibility at your disposal.

Want even more security?
We mentioned before the one major drawback with any remotely controlled security application, whether that be for a car, a building or anything else: what happens if someone pinches your remote control?
It is possible to protect yourself against the casual button pusher on a stolen control – at least to some degree.
Having four channels at your disposal, in this remote control system, gives you the possibility of increasing security rather significantly, simply by using a combination of keys on your remote.
It is “normal” to use one button to achieve a certain function. But what if you used two buttons? It’s possible because when you press the second button, even while holding down the first, the second button’s code is sent.
So if you made one button a “momentary” and linked another button’s relay contacts through the first button’s relay contacts, you have the situation where pressing single buttons (as most people would do) wouldn’t achieve a thing.
Only you know which two buttons (or even three buttons) have to be pressed to achieve a certain function. Fig.3 shows what we mean – the exact combination of buttons is entirely up to you!
Fig.3a (left): conventional device control with one relay. Adding a second relay in series (Fig.3b, right) increases security against the casual button pusher. Both buttons must be pressed at the same time for the device to actuate.

Parts List – 4-Channel Code-Hopping Remote Control
1 TX-4312RSA 4-channel keyring rolling code transmitter assembly
1 RX3302D A1.5 433MHz rolling code receiver module
1 PC board, coded K180, 86 x 78mm
4 miniature relays, SPDT, PCB mounting, 12V coils (Millionspot H5000xx)
1 ultramini pushbutton switch, PC mounting, N-O contacts
6 interlocking 2-way terminal blocks, PC mounting
2 14-pin DIL IC sockets (optional)
4 3-way header pin sets, PC mounting
Red & black insulated hookup wire for power connection
1 200mm length insulated hookup wire for antenna (see text)
Semiconductors
2 4013 dual “D” flipflops (IC1, IC2)
4 NPN general purpose transistors (C8050 or similar) (Q1-Q4)
1 7805 3-terminal regulator (REG1)
4 1A power diodes, 1N4004 or similar (D1-D4)
4 red LEDS, 5mm (LED1-LED4)
1 green LED, 5mm (LED 5)
Capacitors
2 100µF, 16VW PC mounting electrolytics
7 0.1µF polyester or ceramic (monolithic 5mm)
Resistors
4 10MΩ
1 1MΩ
4 4.7kΩ
4 2.2kΩ
1 1kΩ

What is “Code Hopping” or “Rolling Code”
These two names usually refer to the same thing – in a nutshell, a security system for a security system.
It’s a way of preventing unauthorised access to a digital code which might be transmitted via a short-range radio link to do something: open a garage door, lock or unlock a car and perhaps turn its own security system on and off – and much more.
But before we look at these terms, let’s go back in time to the days before code hopping and rolling code.
Short-range radio-operated control devices have been around for a couple of decades or so (at least, in any volume). The earliest ones that I remember simply used a burst of RF, at a particular frequency, with an appropriate receiver.
It’s not hard to see the shortcomings of such devices. Simply sweeping the likely band(s) with an RF generator attached to an antenna would more often than not achieve the desired result (desired for the intruder, that is).
It didn’t take long for crooks to latch on to this one (do you like that metaphor?). So manufacturers decided to make it a bit harder for them by modulating the RF at a frequency (or indeed multiple frequencies in some cases) “known” to the receiver.
Some used the standard DTMF tones generated by phone keypads because they were very cheap and made in the millions.
“Oh, gee,” said the crooks. “Now we’ll have to use an RF oscillator with a modulator. Or maybe even a DTMF keypad!”
Duh! (Still, it probably seemed like a good idea at the time. . .)
Ever one step ahead, the manufacturers went with this (then) new-fangled digital stuff and made each transmitter send a particular code which was matched to the receiver. This was usually done by way of DIP switches in both transmitter and receiver.
With eight DIP switches (probably the most common because 8-way DIP switches were common!), you would have 2^8 or 256 codes available. So you and your next-door neighbour could have the same type of garage door opener on the same frequency and the odds would be pretty good that their door would stay down when you pressed your button.
The problem with this, though, is that the transmitter spurted out exactly the same code every time (unless, of course, both sets of DIP switches were changed). Enter the crooks again.
With a suitable receiver, called a “code grabber”, if they got within a few tens of metres of you they could scan for the RF signal and record your code without you knowing anything about it (for example, as you left your car in a carpark and pressed the button on your remote to lock the doors and turn on the alarm).
Once you’d gone, they simply “played it back” using the same code grabber. Presto, one missing car. Or one house burgled, etc etc.
Even without a code grabber, a smart intruder with the right equipment using digital techniques and trying eight combinations per second, could crack the code in no more than 32 seconds – and probably much quicker.
It’s hard to believe the gall of some organisations openly flogging such devices, euphemistically disguising them (justifying them?) with names such as vehicle lockout recovery systems or disabled vehicle recovery systems. Then again, lock picks are sold for professional locksmiths, aren’t they?
Now we move on a little. Microchip, the same people who brought you those ubiquitous PICs, invented a system called KeeLoq – better known to you and me as a rolling code.
What this does is simply present a different code every time the transmitter button is pressed. Of course, that’s the easy part. The really clever part is that the receiver “learns” the algorithm which controls the code so it knows what code to expect. Once learnt, the receiver is effectively “locked” to that transmitter.
Actually, it’s even cleverer than that, because the transmitted code is, for all intents and purposes, random (as far as any external device is concerned). But the receiver can still work out what the code is going to be in advance. If it gets the right code, it actuates. If not – you’re out in the cold, baby!
It is possible for the same code to be transmitted twice in a person’s lifetime – but the chances are remote (at four transmissions per day, every day, it’s reckoned to be about 44 years!)
Heart of this system is a Microchip proprietary IC, the HC301. It combines a 32-bit hopping code generated by a nonlinear encryption algorithm with a 28-bit serial number and six information bits to create a 66-bit code word. The code word length eliminates the threat of code scanning and the code-hopping mechanism makes each transmission unique, rendering code capture and resend techniques useless.
Even if it didn’t code-hop, 66 bits allows 7.3 x 10^19 combinations, which according to Microchip would only take 230,000,000,000 years to scan!
The chip itself is also protected against intrusion. Several important data are stored in an EEPROM array which is not accessible via any external connection. These include the crypt key, a unique and secret 64-bit number used to encrypt and decrypt data, the serial number and the configuration data.
The EEPROM data is programmable but read-protected. It can be verified only after an automatic erase and programming operation, protecting against attempts to gain access to keys or to manipulate synchronisation values.
If the code is changed every time a button is pressed on the transmitter, what happens if, say, a child starts playing with the remote control and continually presses buttons away from the receiver? OK, here’s where it gets really clever (and you thought it was clever enough already, didn’t you?).
If the button is pressed say 10 times while out of range of the receiver, no problem. But if it is pressed more than 16 times, synchronisation between the two is lost. However, it only takes two presses of a button in range to restore sync. No, we don’t know how either. That’s Microchip’s secret!
And speaking of button presses, there are a couple of other clever things they’ve done. At most, a complete code will take 100ms to send (it could be as low as 25ms). But if you manage to hit the button and release it before 100ms (difficult, but possible), it will keep sending that complete code. If you hold down the button, it will keep sending that same code. And if you press another button while the first is held down, it will abort the first and send the second.
As you can see, KeeLoq is a very robust system. Sure, it’s not absolutely foolproof – nothing is (eg, there’s not much protection if they simply steal your transmitter!). But for most users, it gives almost total peace-of-mind. That’s why the system has been adopted by so many vehicle entry/exit and alarm system manufacturers, access controllers and so on.
And that’s the system that’s used in the remote control unit presented here.
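
The receiver-side behaviour described in the “What is Code Hopping or Rolling Code” sidebar (a 66-bit code word, tolerance for up to 16 missed presses, two presses in range to restore sync, a repeated code ignored), as an added example that is not from the article or from Microchip. HMAC-SHA256 stands in for the proprietary cipher, and the field order, the 16-bit counter, the resync look-ahead and the learn() hand-over are assumptions.

```python
import hashlib
import hmac

HOP_BITS, SERIAL_BITS, INFO_BITS = 32, 28, 6  # field widths from the sidebar: 66 bits
MISSED_OK = 16            # out-of-range presses tolerated, per the sidebar
RESYNC_LOOKAHEAD = 1024   # assumption: how far ahead a two-press resync may reach
COUNTER_MOD = 1 << 16     # assumption: 16-bit counter (65,536 / 4 a day is ~44 years)

def hop_code(key, serial, info, counter):
    """Stand-in for the proprietary cipher: 32 bits of HMAC-SHA256 (not KeeLoq)."""
    msg = serial.to_bytes(4, "big") + bytes([info]) + counter.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")

def pack(serial, info, hop):
    """Build the 66-bit code word. Assumed layout: info | serial | hop."""
    return (info << (SERIAL_BITS + HOP_BITS)) | (serial << HOP_BITS) | hop

def unpack(word):
    hop = word & ((1 << HOP_BITS) - 1)
    serial = (word >> HOP_BITS) & ((1 << SERIAL_BITS) - 1)
    info = (word >> (HOP_BITS + SERIAL_BITS)) & ((1 << INFO_BITS) - 1)
    return serial, info, hop

class Transmitter:
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self, button):
        """Advance the counter and return the next code word for button 0-3."""
        self.counter = (self.counter + 1) % COUNTER_MOD
        info = 1 << button  # assumption: one information bit per button
        hop = hop_code(self.key, self.serial, info, self.counter)
        return pack(self.serial, info, hop)

class Receiver:
    def __init__(self):
        self.learned = {}  # serial -> key, last accepted counter, pending resync

    def learn(self, tx):
        # Assumption: learning hands the key and counter over directly.
        self.learned[tx.serial] = {"key": tx.key, "counter": tx.counter, "pending": None}

    def receive(self, word):
        serial, info, hop = unpack(word)
        st = self.learned.get(serial)
        if st is None:
            return "unknown"
        for ahead in range(1, RESYNC_LOOKAHEAD + 1):
            counter = (st["counter"] + ahead) % COUNTER_MOD
            if hop_code(st["key"], serial, info, counter) != hop:
                continue
            in_window = ahead - 1 <= MISSED_OK
            second_of_pair = st["pending"] == (counter - 1) % COUNTER_MOD
            if in_window or second_of_pair:
                st["counter"], st["pending"] = counter, None
                return "accept"
            st["pending"] = counter  # out of sync: wait for the next code in sequence
            return "resync-pending"
        st["pending"] = None
        return "reject"  # replayed, stale or forged code: nothing ahead matches

def press_after_missing(tx, rx, missed):
    """Press `missed` times out of range, then once in range; return the verdict."""
    for _ in range(missed):
        tx.press(1)
    return rx.receive(tx.press(0))

def demo():
    tx, rx = Transmitter(b"constructed demo key", 0x0ABCDE1), Receiver()
    rx.learn(tx)
    first = tx.press(0)
    return [rx.receive(first),                # fresh code
            rx.receive(first),                # the same code sent again
            press_after_missing(tx, rx, 10),  # 10 missed presses
            press_after_missing(tx, rx, 17),  # more than 16 missed: sync lost
            press_after_missing(tx, rx, 0)]   # next press in range restores sync
```

Because the receiver only ever looks forward from the last counter it accepted, a code word it has already seen can never match again, which is what defeats the record-and-play-back approach the sidebar describes for fixed-code remotes.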
A close-up look at the receiver module soldered into the main PC board. Do this last, as explained in the text.

Wheredyageddit?
This project and the PC board are copyright © 2002 Oatley Electronics.
Oatley have made separate kits available for both the transmitter and receiver, due to the fact that you might want more than one of each (as explained in the text).
Rolling Code Transmitter Kit: Complete with pre-assembled transmitter module PC board, battery contacts, battery, clamshell case and keyring clip: (TX4) $25.00.
Rolling Code Receiver Kit: Has the 433MHz receiver module, PC board and all on-board components as described in this article: (K180) $54.00.
Oatley Electronics can be contacted by: Phone (02) 9584 3563; Fax (02) 9584 3561; Mail (PO Box 89, Oatley NSW 2223); Email (sales<at>oatleyelectronics.com); Or via their website: www.oatleyelectronics.com