How does the Toyota keyless ignition system work and how can I make my own?

Status
Not open for further replies.

NFrank89

New Member
For those of you who are not aware, many Toyotas (among other companies) now use a keyless ignition system. You simply keep your key fob in your pocket at all times. When you approach the vehicle and your hand passes between the handle and the door, it instantly unlocks the vehicle. Then you sit inside, hold the brake and press the start button. No turning of any keys; it senses the fob is on you and you're good to go.

Now, I have a very clear understanding of automotive electrical systems; I install alarms, stereos, remote starts, and diagnose electrical problems for a living. What I'm more interested in is how it works on the circuit level, and how I can create my own or something similar. The control module, that is. Any info?
 
A brief overview of this (very complex) type of system...

The remote key/fob, unlike traditional remotes, is actually a transceiver.
The vehicle is equipped with a number of interior and exterior antennae:
Interior - areas including the dash, centre console and load compartment just behind the rear seats.
Exterior - areas including both front door and the boot (trunk) handles.

The door handles and boot (trunk) handle also have capacitive sensors to detect the presence of a hand.

A traditional transponder chip and reader coil are still used, along with a mechanical key blade & lock, in case of a flat battery (vehicle or transceiver).

The system works on a challenge/response basis, using different frequencies, something like this:
The driver approaches the vehicle and touches a door/boot handle. The PKE control unit picks up the 'Open' request from the capacitive sensor and sends out a challenge, via the appropriate antenna, to the transceiver. IIRC, this is performed at 125kHz, but other manufacturers may use a different frequency. The transceiver responds with its unique serial code, which is picked up by the appropriate antenna and compared in the PKE control unit. Provided the code matches with that which is stored in the PKE control unit, the vehicle is unlocked.

Once unlocked and the driver has entered the vehicle, the interior antennae are used for the ignition on/start process. This is usually performed at 315 or 433MHz, depending upon global locality, IIRC. Again, the transceiver is challenged and expected to respond. Should the transceiver be found to be out of range of the interior antennae, the on/start process is usually blocked and a warning light may be illuminated. If the transceiver battery is low or flat, the vehicle will likely require unlocking mechanically and the transceiver be placed either in a specific location (such as when a model range is only available with PKE) or somewhere around the steering column/dash (such as when a model range is available with traditional open/start, or PKE as an option) in order for the reader coil to activate, challenge, then pick up the response from the transponder chip.

HTH.
 
I was under the impression that there was encryption built into the fob transceiver so that a thief lurking nearby could not "sniff" the fob's response and enable them to copy it, and hence steal the car.
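
Added example, not part of the thread and not Toyota's actual protocol: a minimal Python model of the challenge/response exchange described above, comparing a fob that answers with a fixed serial code against one that returns a keyed MAC over the vehicle's random challenge. HMAC-SHA256, the key, the serial value and every class and function name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERIAL = b"FOB-0001"            # constructed sample identifier
KEY = secrets.token_bytes(16)   # constructed secret shared when the fob is paired


class StaticFob:
    """Answers every challenge with the same serial code."""
    def respond(self, challenge: bytes) -> bytes:
        return SERIAL


class MacFob:
    """Answers with HMAC(key, challenge), so each reply is bound to one nonce."""
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(KEY, challenge, hashlib.sha256).digest()


class ControlUnit:
    """Hypothetical stand-in for the PKE control unit's verification step."""
    def __init__(self, mode: str):
        self.mode = mode
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)   # fresh random nonce per request
        return self._pending

    def verify(self, response: bytes) -> bool:
        challenge, self._pending = self._pending, None   # a challenge is single use
        if challenge is None:
            return False
        if self.mode == "static":
            expected = SERIAL
        else:
            expected = hmac.new(KEY, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)   # constant-time compare


def stale_response_accepted(mode: str):
    """Return (first_ok, stale_ok): a genuine exchange, then the same
    response bytes presented again against a new challenge."""
    unit = ControlUnit(mode)
    fob = StaticFob() if mode == "static" else MacFob()
    recorded = fob.respond(unit.new_challenge())
    first_ok = unit.verify(recorded)
    unit.new_challenge()
    return first_ok, unit.verify(recorded)
```

With the fixed serial the stale response still verifies; with the keyed MAC it is rejected because the expected value changes with every challenge.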
 
There might be a revolving code, but as far as I know the systems tend to work on security through obfuscation, not to mention the distance the transmitter/receiver can be picked up is so low that anyone trying to actively sniff out the frequencies would be difficult to miss; the size of the antenna required to pick it up at a distance would be relatively large. I have never heard of anyone hacking these types of systems before except an early version (oddly enough on a very expensive car).

Getting detailed technical info isn't easy.

Might be fun to hack, but it's a WHOLE lot easier to smash a window if you want to get into someone's car.
 
From what I assume they use an RFID tag which has no battery in the tag and is powered by the transmitter, similar to the key swipe cards some security buildings use and also the micro chips implanted in animals, anti-theft devices in department stores, shipment freight handling/tracking etc.

Animal tags are normally half duplex and swipe cards etc. are full duplex.
The low end frequencies used are 125kHz upwards into the MHz range.

The antenna coil size would be the hard part to be able to get a consistent reading from any location.
Most RFID detectors only have a short distance read but some can read from meters away, but require a much larger coil like in department stores with the large antenna fields you walk through.

Pete.
 