Using Renault 285916556R transponder ring as a reader

[josefe17]

Hi,

First iof all congratulations for your huge work with Hitag. Carhacking is a very very obscure world where learning anything is a huge step.

I'm trying to use a 285916556R antenna coil for reading a Dacia keyfob with chip 2244706. I have been able to see some communications by modifying the firmware hitaguino to use a common din+dout (see https://github.com/josefe17/hitager/tree/common_dout_din) and adding I2C-type level shifters to interface the coil unit (their logic levels are shifted to 12 V) but i don't know if I'm doing well and getting valid things. In fact, I do communicate with the unit and the keyfob as displayed data changes when the key is not near but I don't get nothing similar to yours (plenty of FF, not good i think) and only Arduino and Receiver indicators are green, RFID adapter and transponder are red. I suppose chip is PCF7961M but I don't know how to check it. Would you mind helping me a bit undestanding what I am doing? My goal is being able to repair a key from a junk vehicle with another junk BCM from a different vehicle, and overall learning about this.

Regards and thanks a lot in advance.

Jose F.

[tusker-tools]

Hi Jose, good to hear that this project helped you to learn about communicating with RFID chips. It took a while until I understood what you mean with "use a common din+ dout". In fact it is mentioned in the PCF7991 datasheet that Din and Dout may be connected in order to form a two wire bus. I personally never tried that, but I can try to support you.

Could you start by providing me a Logic Analyzer capture of at least one communication sequence? This would be helpful for me to understand this kind of interfacing.

Regards, tusker-tools

[josefe17]

Sorry for the delay, has been a long month.

I have made some tests and captures and these are:

Mainly, the chip by desing ensures not to send data while a valid reception has started, and the arduino cannot write to the chip while it is sending, as well as not to change to read mode while is writing data.

[tusker-tools]

Is the problem solved with the hints given in #13 ?

[josefe17]

No. I wasn't able to make 285916556R (AKA AW1102 board) work, even after stripping all the level shifters, regulators, replacing the chip, setting it to 3 wire mode and disabling filtering. Always get some errors. However, with the same sketch and Arduino everything works fine with a similar one to 8200216724 (it's like a symmetrical version of that–card is loaded by the other side), so I suspect that the RF matching chain is slightly different and it doesn't work.

[tusker-tools]

This seems strange to me. From my point of view if the reader was able to read keys in car, it should be also possible to get it working with hitager.

In your captures I do not see any READ_TAG command. So I actually can't see the problem. But what I see (and wonder about) is a WRITE_CONFIG_PAGE_3 command which setsFSEL0 bit. This would be required if you are using a 12MHz Oscillator. Was this change intended?

You mentioned that you suspect the RF matching to have issues. Did you try some different configurations of the PCF7991? In the latest Hitager version I added several options here like filter settings (highpass, lowpass). Also you could try different gain settings.

Below you see an example capture of how a READ_TAG sequence should look like:

[josefe17]

The problem is that I don't know exactly what each setting does and the implications of each (I'm not so deep in RF and Hitag yet). I may give it a try. But by now I have something working to understand the protocol and what each setting does. If you have additional documentation or technical information I'd thank you.

The main goal of using the ring one is to make it work with the car embedded device by only changing the plug , so everybody with that cars can use it, but this goes slow.

[josefe17]

I can do additional captures if you tell me which commands to check and the required settings.

[tusker-tools]

You can look up some info about the commands of the PCF7991 in the datasheet.

Regarding the HF settings of the PCF7991, I'm not an expert on this. But as mentioned you can start trying different settings of Gain, Filter H and Filter L, in my understanding these are the most important ones.

The READ_TAG command (and the corresponding signals) can be captured in a normal key reading cycle. Just capture it with your logic analyzer and post it here.