CN113678176B - Passive entry/passive start system for carrier phase based ranging using MUSIC-style eigenvalue decomposition for range determination

Info

Publication number: CN113678176B
Authority: CN (China)
Prior art keywords: vehicle, signal, antenna, module, antennas
Legal status: Active
Application number: CN202080024760.XA
Other languages: Chinese (zh)
Other versions: CN113678176A (en)
Inventor: 雷蒙德·迈克尔·斯蒂特
Current Assignee: Denso Corp
Original Assignee: Denso Corp
Priority claimed from: US16/598,191 (US10991182B2); US16/824,444 (US11227453B2)
Application filed by: Denso Corp
Publications: CN113678176A (application); CN113678176B (granted)

Classifications

    • H01Q1/3241 Adaptation for use in or on road or rail vehicles characterised by the application wherein the antenna is used particular used as part of a sensor or in a security system, e.g. for automotive radar, navigation systems particular used in keyless entry systems
    • B60R25/245 Means to switch the anti-theft system on or off using electronic identifiers containing a code not memorised by the user where the antenna reception area plays a role
    • G01S13/765 Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems wherein pulse-type signals are transmitted with exchange of information between interrogator and responder
    • G01S13/84 Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems wherein continuous-type signals are transmitted for distance determination by phase measurement
    • G01S13/931 Radar or analogous systems specially adapted for specific applications for anti-collision purposes of land vehicles
    • G01S3/043 Receivers
    • G01S3/74 Multi-channel systems specially adapted for direction-finding, i.e. having a single antenna system capable of giving simultaneous indications of the directions of different signals
    • G01S5/0284 Relative positioning
    • G01S5/06 Position of source determined by co-ordinating a plurality of position lines defined by path-difference measurements
    • G07C9/00309 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
    • H01Q1/3275 Adaptation for use in or on road or rail vehicles characterised by the location of the antenna on the vehicle mounted on a horizontal surface of the vehicle, e.g. on roof, hood, trunk
    • H01Q13/10 Resonant slot antennas
    • H01Q21/24 Combinations of antenna units polarised in different directions for transmitting or receiving circularly and elliptically polarised waves or waves linearly polarised in any direction
    • H01Q21/28 Combinations of substantially independent non-interacting antenna units or systems
    • H01Q9/0464 Annular ring patch
    • H01Q9/42 Resonant antennas with feed to end of elongated active element, e.g. unipole with folded element, the folded parts being spaced apart a small fraction of the operating wavelength
    • B60R25/246 Means to switch the anti-theft system on or off using electronic identifiers containing a code not memorised by the user characterised by the challenge triggering
    • G07C2209/63 Comprising locating means for detecting the position of the data carrier, i.e. within the vehicle or within a certain distance from the vehicle

Abstract

An access system for a vehicle is provided. The access system includes antennas (38) and an access module (36). The antennas are configured to each receive a signal transmitted from a portable access device (32, 34) to the vehicle (30). The signal is transmitted at a frequency of 2.4 GHz. The access module is configured to: down-convert the received signal to generate an in-phase signal and a quadrature-phase signal; perform carrier phase based ranging, including implementing a MUSIC algorithm to (i) determine a distance between the portable access device and the vehicle, and (ii) determine an angle of arrival of the received signal at the antennas; determine a location of the portable access device relative to the vehicle based on the distance and the angle of arrival; and grant access to the vehicle based on the location.

Description

Passive entry/passive start system for carrier phase based ranging using MUSIC-style eigenvalue decomposition for range determination
Cross-reference to related applications
The present application claims priority from U.S. patent application Ser. No. 16/824,444, filed on 19/3/2020, which is a continuation-in-part application from U.S. application Ser. No. 16/598,191, filed on 10/2019, which claims the benefit of U.S. provisional application Ser. No. 62/744,814, filed on 10/12/2018, U.S. provisional application Ser. No. 62/801,392, filed on 5/2019, and U.S. provisional application Ser. No. 62/826,212, filed on 29/3/2019. The present application also claims priority from U.S. provisional application No. 62/850,055 filed 5, 20, 2019.
Technical Field
The present disclosure relates to passive entry/passive start systems.
Background
The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
Conventional passive entry/passive start (PEPS) systems allow keyless entry: a user who has a key fob that has been paired with an onboard PEPS electronic control unit (or PEPS module) is provided access to various vehicle functions. As an example, a user in possession of a key fob may approach a vehicle having a PEPS module. The key fob communicates with the PEPS module and, if the key fob is authenticated, the PEPS module can unlock the doors of the vehicle. The PEPS module (i) performs an authentication process to determine whether the key fob is authorized to access the vehicle, and (ii) determines the location of the key fob relative to the vehicle. The authentication process may include the exchange of encrypted passwords or signatures. If the password or signature is correct, the key fob is determined to be authorized. The location of the key fob may be determined based on, for example, the strength of the signal received from the key fob. If the key fob is authenticated and located within the authorized area of the vehicle, the vehicle interior can be accessed without using a conventional key.
As another example, a user in possession of the key fob may activate a vehicle function by pressing a button on the key fob. In response to pressing the button, the key fob communicates with the PEPS module and if the key fob is authenticated and within a predetermined distance of the vehicle, the PEPS module performs the described functions associated with the pressed button on the key fob (e.g., starting the vehicle, opening a door, setting an alarm, etc.). The communications performed for these two examples may include the key fob and the PEPS module performing a one-way Low Frequency (LF) wake-up function as well as a one-way or two-way Radio Frequency (RF) authentication function.
A phone-as-a-key (PAK) vehicle access system may operate similarly to the PEPS system, except that the vehicle is accessed using a mobile phone instead of a key fob. For example, the mobile phone may communicate with a PAK module or a Telematics Control Unit (TCU) in the vehicle to begin the access pairing process. The mobile phone and PAK module or TCU perform an access pairing procedure to establish a trust relationship. The pairing process may include pairing, whereby: security information is exchanged directly between the mobile phone and the vehicle; mobile phone addresses, mobile phone identity resolution keys, reserved identifiers, and/or encryption keys are exchanged via a cloud-based network; and/or the mobile phone presents a certificate to the vehicle, wherein the certificate is certified by (i) the mobile phone, (ii) a trusted security signing authority (such as the manufacturer of the vehicle), and/or (iii) a trusted third party. In the case of a certificate, the certificate may include an identifier of a person authorized to access the vehicle, an identifier of a cloud-based network authorized to transmit the certificate, an identifier of a rental agreement of the vehicle, an identifier of the vehicle, the days and time periods of use of the vehicle by the authorized person, and/or other restrictions and/or access/permission information.
For passive entry, some user action is typically required to initiate the process of waking up the key fob or mobile phone (referred to as the portable access device). For example, this may include a user approaching the vehicle with a portable access device and/or touching and/or pulling a door handle. When the PEPS module or PAK module (referred to as the access module) detects this action, the access module performs a localization process to start searching for and waking up the key fob. In a one-way RF system, an LF downlink signal (e.g., a 125 kilohertz (kHz) signal) is sent from the access module to the key fob to wake up the key fob and to send commands and data for authentication purposes to the key fob. The key fob then sends a response signal to the access module via the RF uplink. The response signal may be at an ultra-high frequency (UHF) (e.g., 315 megahertz (MHz) or 433 MHz). In a two-way RF system, an LF downlink signal is sent from the access module to the key fob to wake up the key fob and establish a two-way RF link between the access module and the key fob. The two-way RF link may transmit signals at UHF frequencies (e.g., 315 MHz, 422 MHz, 868 MHz, or 915 MHz). The key fob is then authenticated using the two-way RF link. The key fob includes a microcontroller that remains in sleep mode (or low power listening mode) and continuously checks for a valid LF signal. Once the valid LF signal contains the correct vehicle-specific wake-up identifier, the microcontroller generates a signal to wake up the PEPS controller to communicate with the vehicle's access module.
The vehicle may have, for example, 4-6 LF antennas that generate an LF magnetic field. The controller of the key fob measures the LF signal level during communication with the access module. The controller determines a Received Signal Strength Indicator (RSSI) and provides the RSSI to the access module. The access module then determines the location of the key fob based on the RSSI. The key fob includes three separate antenna coils or one 3D coil that is used to determine x, y, and z axis values indicative of the location of the key fob.
Smart phones, wearable devices, and/or other smart portable network devices may act as key fobs. The smart portable network device may enable various vehicle functions and remote ranging features, such as passive welcome lighting, distance limiting on remote parking applications, and the like.
Disclosure of Invention
An access system for a vehicle is provided. The access system includes antennas and an access module. The antennas are configured to each receive a signal transmitted from a portable access device to the vehicle. The signal is transmitted at a frequency of 2.4 GHz. The access module is configured to: down-convert the received signal to generate an in-phase signal and a quadrature-phase signal; perform carrier phase based ranging, including implementing a MUSIC algorithm to (i) determine a distance between the portable access device and the vehicle, and (ii) determine an angle of arrival of the received signal at the antennas; determine a location of the portable access device relative to the vehicle based on the distance and the angle of arrival; and grant access to the vehicle based on the location.
In other features, the antenna is disposed in the vehicle such that the received signal has a plurality of corresponding bounce paths between the portable access device and the antenna.
In other features, the antenna is disposed in a metallic structure of the vehicle.
In other features, the antenna is positioned such that there is no line of sight between the antenna and the portable access device.
In other features, the access system further comprises sensors, wherein each sensor comprises two or more antennas, and wherein the sensors are disposed in the vehicle such that the received signal has a plurality of corresponding bounce paths between the portable access device and each sensor.
In other features, the access module is configured to: monitor the received signal and generate a received signal strength indication based on the received signal; determine whether the portable access device is inside or outside the vehicle based on the received signal strength indication; and determine a distance between the portable access device and the vehicle when the portable access device is outside the vehicle.
In other features, the at least one antenna is a circularly polarized antenna.
In other features, the antenna includes: a circularly polarized antenna comprising a conductive annular body having an inner bore; a circular isolator connected to the conductive annular body; and a linearly polarized antenna connected to the circular polarized antenna and the circular isolator and extending outwardly from the circular isolator. The linearly polarized antenna includes a sleeve and a conductive element extending through the sleeve. The linearly polarized antenna extends perpendicularly to the radial direction of the circularly polarized antenna.
In other features, the access module is configured to, while implementing the MUSIC algorithm: collect analytic signal samples of the signals received at each antenna to generate a received data matrix; estimate a data covariance matrix based on the received data matrix; use an eigenvalue decomposition process to determine an M×M matrix based on the covariance matrix, where M is an integer greater than or equal to 2; determine a plurality of incident signals; divide the M×M matrix into a plurality of matrices; calculate a MUSIC spectrum based on one of the plurality of matrices; and perform a peak search on the MUSIC spectrum to determine an angle of arrival.
In other features, the receiver includes a phase locked loop and is phase locked with a transmitter of the portable access device. The access module is configured to perform a tone exchange with the transmitter and determine at least one of a distance or an angle of arrival based on the tone exchange.
In other features, the receiver includes a phase locked loop and is phase locked with a transmitter of the portable access device. The access module is configured to: perform a tone exchange with the transmitter and determine round trip time information based on the tone exchange; and determine the distance based on the round trip time of flight information.
In other features, a vehicle is provided and includes: the access system; a vehicle body; and a roof, a center console, a floor, or an at least partially enclosed metal structure. The antennas are implemented in at least one of the roof, the center console, the floor, or the at least partially enclosed metal structure.
In other features, a method is provided and includes: receiving, at each of a plurality of antennas, a signal transmitted from the portable access device to the vehicle, wherein the signal is transmitted at a frequency of 2.4 GHz; down-converting the received signal to generate an in-phase signal and a quadrature-phase signal; performing carrier phase based ranging, including implementing a MUSIC algorithm to (i) determine a distance between the portable access device and the vehicle, and (ii) determine an angle of arrival of a received signal received at the antenna; determining a location of the portable access device relative to the vehicle based on the distance and the angle of arrival; and granting access to the vehicle based on the location.
In other features, the antenna is disposed in the vehicle such that the received signal has a plurality of corresponding bounce paths between the portable access device and the antenna.
In other features, the antenna is positioned such that there is no line of sight between the antenna and the portable access device.
In other features, the antenna pairs are implemented as part of respective sensors. The sensors are arranged in the vehicle such that the received signal has a plurality of corresponding bounce paths between the portable access device and each sensor.
In other features, the method further comprises: monitoring the received signal and generating a received signal strength indication based on the received signal; determining whether the portable access device is inside or outside the vehicle based on the received signal strength indication; and determining a distance between the portable access device and the vehicle when the portable access device is outside the vehicle.
In other features, the at least one antenna is a circularly polarized antenna.
In other features, the method further comprises, while implementing the MUSIC algorithm: collecting analytic signal samples of the signals received at each antenna to generate a received data matrix; estimating a data covariance matrix based on the received data matrix; using an eigenvalue decomposition process to determine an M×M matrix based on the covariance matrix, where M is an integer greater than or equal to 2; determining a plurality of incident signals; dividing the M×M matrix into a plurality of matrices; calculating a MUSIC spectrum based on one of the plurality of matrices; and performing a peak search on the MUSIC spectrum to determine an angle of arrival.
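The MUSIC steps listed for the access module and repeated in the method above (received data matrix, covariance estimate, eigenvalue decomposition, subspace split, spectrum, peak search) can be followed end to end in the smallest case, M = 2. This is an added illustration, not code from the patent: the half-wavelength antenna spacing, the single incident signal, the closed-form 2×2 eigendecomposition and the simulated I/Q snapshots are all assumptions, and it covers only the angle-of-arrival use of MUSIC.

```python
import cmath
import math
import random

C = 299_792_458.0            # speed of light, m/s
FREQ_HZ = 2.4e9              # carrier frequency stated in the patent
WAVELENGTH = C / FREQ_HZ
SPACING = WAVELENGTH / 2     # assumed antenna spacing (not from the patent)


def steering(theta_rad):
    """Response of a 2-element linear array to a plane wave arriving from theta."""
    phase = -2 * math.pi * SPACING * math.sin(theta_rad) / WAVELENGTH
    return (1 + 0j, cmath.exp(1j * phase))


def simulate_snapshots(theta_deg, n=200, noise=0.05, seed=1):
    """Constructed I/Q samples: one unit-amplitude tone plus white noise."""
    rng = random.Random(seed)
    a0, a1 = steering(math.radians(theta_deg))
    snapshots = []
    for _ in range(n):
        s = cmath.exp(1j * rng.uniform(0, 2 * math.pi))   # unknown carrier phase
        n0 = complex(rng.gauss(0, noise), rng.gauss(0, noise))
        n1 = complex(rng.gauss(0, noise), rng.gauss(0, noise))
        snapshots.append((a0 * s + n0, a1 * s + n1))
    return snapshots


def covariance(snapshots):
    """Sample covariance R = mean(x x^H), returned as (r00, r01, r11)."""
    n = len(snapshots)
    r00 = sum(abs(x0) ** 2 for x0, _ in snapshots) / n
    r11 = sum(abs(x1) ** 2 for _, x1 in snapshots) / n
    r01 = sum(x0 * x1.conjugate() for x0, x1 in snapshots) / n
    return r00, r01, r11


def noise_eigenvector(r00, r01, r11):
    """Eigenvector of the smallest eigenvalue of the 2x2 Hermitian R (closed form)."""
    mean = (r00 + r11) / 2
    lam_min = mean - math.sqrt(((r00 - r11) / 2) ** 2 + abs(r01) ** 2)
    v = (r01, lam_min - r00)
    norm = math.sqrt(abs(v[0]) ** 2 + abs(v[1]) ** 2)
    if norm < 1e-12:             # R is diagonal with r00 <= r11
        return (1 + 0j, 0j)
    return (v[0] / norm, v[1] / norm)


def music_spectrum(noise_vec, step_deg=0.1):
    """Pseudo-spectrum P(theta) = 1 / |a(theta)^H v_noise|^2 over -89..+89 degrees."""
    spectrum = []
    steps = int(round(89 / step_deg))
    for i in range(-steps, steps + 1):
        theta = i * step_deg
        a0, a1 = steering(math.radians(theta))
        proj = a0.conjugate() * noise_vec[0] + a1.conjugate() * noise_vec[1]
        spectrum.append((theta, 1.0 / (abs(proj) ** 2 + 1e-12)))
    return spectrum


def estimate_aoa(snapshots):
    """Covariance -> eigendecomposition -> noise subspace -> spectrum -> peak search."""
    v = noise_eigenvector(*covariance(snapshots))
    theta, _ = max(music_spectrum(v), key=lambda point: point[1])
    return theta


if __name__ == "__main__":
    for true_angle in (25.0, -40.0):
        print(true_angle, round(estimate_aoa(simulate_snapshots(true_angle)), 1))
```

With two antennas the noise subspace is a single vector, so only one incident signal can be resolved; resolving several bounce paths needs a larger M and a general Hermitian eigensolver.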
In other features, the method further comprises: performing a tone exchange with a transmitter of the portable access device; and determining at least one of a distance or an angle of arrival based on the tone exchange. The receiver of the portable access device performing the tone exchange comprises a phase locked loop and is phase locked with the transmitter of the portable access device.
In other features, the method further comprises: performing a tone exchange with the transmitter and determining round trip time information based on the tone exchange; and determining the distance based on the round trip time of flight information. The receiver of the portable access device performing the tone exchange comprises a phase locked loop and is phase locked with the transmitter of the portable access device.
An access system for a vehicle is provided. The access system includes a receiver and an access module. The receiver is configured to receive a signal transmitted from a portable access device to the vehicle. The access module is configured to: generate a differential signal based on the received signal; upsample the differential signal to generate a first upsampled signal; obtain or generate an expected signal; upsample the expected signal to generate a second upsampled signal; cross-correlate the first upsampled signal with the second upsampled signal to generate a cross-correlation signal; determine a phase difference between the first upsampled signal and the second upsampled signal based on the cross-correlation signal; determine a round trip time of the signal received by the receiver; and grant access to the vehicle based on the round trip time.
In other features, the access module is configured to: down-convert the signal to generate a down-converted signal; sample the down-converted signal to generate a sampled signal; apply an arctangent to the sampled signal to generate an arctangent signal; and differentiate the arctangent signal to generate the differential signal.
In other features, the access module is configured to: determine at least one of a location or a distance of the portable access device relative to the vehicle based on the round trip time; and grant access to the vehicle based on at least one of the location or the distance.
In other features, the access module includes: a first upsampler configured to upsample the differential signal to generate the first upsampled signal; and a second upsampler configured to upsample the expected signal to generate the second upsampled signal. The upsampling rate of the first upsampler is the same as the sampling rate of the second upsampler.
In other features, the access module includes: a sign module configured to determine a sign of the differential signal; and a bit pattern module configured to generate the expected signal based on the sign of the differential signal.
In other features, the access module is configured to obtain the expected signal, and the expected signal is a predetermined signal obtained by the access module prior to receiving the received signal.
In other features, the access module is configured to perform an iterative process comprising: multiplying the bits of the first up-sampled signal and the second up-sampled signal to generate a resulting product; summing the resulting products to generate a product sum value; and shifting the second up-sampled signal relative to the first up-sampled signal. The iterative process provides a product sum value. The access module is configured to determine a phase difference based on the product sum value.
In other features, the access module is configured to reconstruct a signal transmitted from the portable access device to the vehicle based on zero crossings of a portion of the cross correlation signal associated with a maximum of the product sum values.
In other features, the access module includes: an upsampler configured to upsample the differential signal to generate a first upsampled signal; a sign module configured to determine a sign of the first upsampled signal; and a bit pattern module configured to generate the expected signal based on the sign of the first upsampled signal.
In other features, a portable access device of an access system of a vehicle is provided. The portable access device includes a receiver and a control module. The receiver is configured to receive a signal transmitted from an access module of the vehicle to the portable access device. The control module is configured to: generate a differential signal based on the received signal; upsample the differential signal to generate a first upsampled signal; obtain or generate an expected signal; upsample the expected signal to generate a second upsampled signal; cross-correlate the first upsampled signal with the second upsampled signal to generate a cross-correlation signal; determine a phase difference between the first upsampled signal and the second upsampled signal based on the cross-correlation signal; determine a round trip time of the signal received by the receiver; and either transmit the round trip time to the vehicle to obtain access to the vehicle based on the round trip time, or determine at least one of a location or a distance between the portable access device and the vehicle and transmit the at least one of the location or the distance to the vehicle to obtain access to the vehicle.
In other features, the control module is configured to: down-convert the signal to generate a down-converted signal; sample the down-converted signal to generate a sampled signal; perform an arctangent operation on the sampled signal to generate an arctangent signal; and differentiate the arctangent signal to generate a differential signal.
In other features, the control module is configured to: determine at least one of a location or a distance of the portable access device relative to the vehicle based on the round trip time; and transmit at least one of the location or the distance to the vehicle to obtain access to the vehicle based on the at least one of the location or the distance.
In other features, the control module includes: a first upsampler configured to upsample the differential signal to generate a first upsampled signal; and a second upsampler configured to upsample the expected signal to generate a second upsampled signal, wherein an upsampling rate of the first upsampler is the same as a sampling rate of the second upsampler.
In other features, the control module includes: a sign module configured to determine a sign of the differential signal; and a bit pattern module configured to generate the expected signal based on the sign of the differential signal.
In other features, the control module is configured to obtain an expected signal, the expected signal being a predetermined signal obtained by the control module before the received signal is received.
In other features, the control module is configured to perform an iterative process comprising: multiplying the bits of the first up-sampled signal and the second up-sampled signal to generate a resulting product; summing the resulting products to generate a product sum value; and shifting the second up-sampled signal relative to the first up-sampled signal. The iterative process provides a product sum value. The control module is configured to determine a phase difference based on the product sum value.
In other features, the control module is configured to reconstruct a signal transmitted from the access module of the vehicle to the portable access device based on zero crossings of a portion of the cross correlation signal associated with a maximum of the plurality of product sums.
In other features, the control module includes: an upsampler configured to upsample the differential signal to generate a first upsampled signal; a sign module configured to determine a sign of the first upsampled signal; and a bit pattern module configured to generate the expected signal based on the sign of the first upsampled signal.
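The receive chain described in the access-module and control-module features above (arctangent, differentiation, upsampling both signals by the same factor, then a sliding multiply-and-sum whose maximum gives the phase difference), as an added example that is not code from the patent. The sample rate, the FSK phase step, the bit pattern and the burst itself are constructed assumptions, and the block uses the predetermined expected-signal variant.

```python
import math

FS_HZ = 4_000_000   # assumed sample rate: 4 samples per bit at 1 Mbit/s
SPS = 4             # samples per bit
UP = 8              # upsampling factor, identical for both signals

# Constructed 16-bit pattern standing in for the predetermined expected bits.
EXPECTED_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]


def fsk_iq(bits, delay_fine=0, tail=8, step=math.pi / 8):
    """Constructed input: down-converted I/Q samples of a 2-FSK burst.

    The burst starts one idle sample after t=0 and is delayed by a further
    delay_fine/UP samples; the phase advances by +/-step per sample.
    """
    fine = [1 if b else -1 for b in bits for _ in range(SPS * UP)]
    n_samples = len(bits) * SPS + tail
    phase, iq = 0.0, []
    for k in range(n_samples * UP + 1):
        if k % UP == 0:                      # receiver samples every UP fine steps
            iq.append((math.cos(phase), math.sin(phase)))
        j = k - UP - delay_fine
        if 0 <= j < len(fine):
            phase += fine[j] * step / UP
    return iq


def differential(iq):
    """Arctangent of each I/Q sample, then the wrapped sample-to-sample difference."""
    phase = [math.atan2(q, i) for i, q in iq]
    return [(b - a + math.pi) % (2 * math.pi) - math.pi
            for a, b in zip(phase, phase[1:])]


def upsample(x, factor=UP):
    """Linear-interpolation upsampler; the same factor is used for both signals."""
    out = []
    for a, b in zip(x, x[1:]):
        out.extend(a + (b - a) * m / factor for m in range(factor))
    out.append(x[-1])
    return out


def product_sums(received_up, expected_up, max_shift):
    """Multiply sample by sample, sum, shift the expected signal by one, repeat."""
    sums = []
    for shift in range(max_shift + 1):
        total = 0.0
        for k, e in enumerate(expected_up):
            j = k + shift
            if j < len(received_up):
                total += received_up[j] * e
        sums.append(total)
    return sums


def expected_signal():
    """Predetermined expected differential signal for the known bit pattern."""
    return differential(fsk_iq(EXPECTED_BITS, delay_fine=0))


def estimate_delay(iq, expected, max_shift=SPS * UP):
    """Return (shift in upsampled samples, delay in seconds) at the largest product sum."""
    sums = product_sums(upsample(differential(iq)), upsample(expected), max_shift)
    shift = max(range(len(sums)), key=sums.__getitem__)
    return shift, shift / (FS_HZ * UP)


if __name__ == "__main__":
    rx = fsk_iq(EXPECTED_BITS, delay_fine=12)    # 1.5 samples late
    print(estimate_delay(rx, expected_signal()))
```

With these assumed rates one upsampled step is 31.25 ns, so the upsampling factor sets the resolution of the round trip time derived from the shift.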
An access system for a vehicle is provided and includes antennas and an access module. The antennas are each configured to receive a signal transmitted from the portable access device to the vehicle. One of the antennas is a circularly polarized antenna. The access module is configured to: down-convert the received signal to generate an in-phase signal and a quadrature-phase signal; perform a MUSIC algorithm to determine an angle of arrival of a received signal received at an antenna; determine a distance between the portable access device and the vehicle based on the angle of arrival; and grant access to the vehicle based on the distance.
In other features, the antennas include: a circularly polarized antenna comprising a conductive annular body having an inner bore; a circular isolator connected to the conductive annular body; and a linearly polarized antenna connected to the circularly polarized antenna and the circular isolator and extending outwardly from the circular isolator. The linearly polarized antenna includes a sleeve and a conductive element extending through the sleeve. The linearly polarized antenna is orthogonal to the radial extension of the circularly polarized antenna.
In other features, the access module is configured to, while performing the MUSIC algorithm: collect analytic signal samples of the signals received at each antenna to generate a received data matrix; estimate a data covariance matrix based on the received data matrix; use an eigenvalue decomposition process to determine an M×M matrix based on the covariance matrix, wherein M is an integer greater than or equal to 2; determine a plurality of incident signals; divide the M×M matrix into a plurality of matrices; calculate a MUSIC spectrum based on one of the plurality of matrices; and perform a peak search on the MUSIC spectrum to determine an angle of arrival.
In other features, the access module is configured to: perform a covariance smoothing method to generate a modified covariance matrix; and use an eigenvalue decomposition process to determine an M×M matrix based on the modified covariance matrix.
In other features, the access module is configured to, while generating the received data matrix: convert the in-phase and quadrature-phase sample vectors to phase angle vectors; generate recreated in-phase and quadrature-phase sample vectors for each antenna based on the phase angle vectors; and generate the received data matrix based on the recreated in-phase and quadrature-phase sample vectors for each antenna.
In other features, the access module is configured to: create a time vector corresponding to the in-phase and quadrature-phase sample vectors; discard some of the analytic signal samples collected around the antenna switching time; unwrap each repeated portion of the remaining samples in steps of π; average the sine wave frequency of the remaining samples; find the average slope of the remaining samples; measure the standard deviation of the average slope; determine which antennas are misaligned based on the measured standard deviation; and, for each antenna, interpolate straight-line points on the time vector to generate a reconstructed phase angle vector.
In other features, the access module is configured to: check which of the antennas has inaccurate alignment if the standard deviation is greater than a predetermined threshold; and re-measure the standard deviation of the average slope for the antennas with inaccurate alignment.
In other features, the access module is configured to perform a purging method comprising: performing an iterative process, the iterative process comprising: removing the source signals one at a time using a calibration array manifold comprising antennas; and forcing the position of the source signal to an offset position and recalculating the direction of arrival angle of the remaining signals. While performing the iterative process, the access module converges to a new set of incident angles of arrival.
In other features, a vehicle is provided and includes: a vehicle body; and a roof, center console, floor or at least partially enclosed metal structure. The antenna is implemented in at least one of a roof, a center console, a floor, or an at least partially enclosed metal structure.
In other features, the antenna comprises a multi-axis polarized RF antenna assembly, wherein the multi-axis polarized RF antenna assembly comprises a circularly polarized antenna and is oriented in the roof of the vehicle.
In other features, a method is provided and includes: receiving signals transmitted from the portable access device to the vehicle at each of a plurality of antennas, wherein one of the antennas is a circularly polarized antenna; down-converting the received signal to generate an in-phase signal and a quadrature-phase signal; performing a MUSIC algorithm to determine an angle of arrival of a received signal received at an antenna; determining a distance between the portable access device and the vehicle based on the angle of arrival; and granting access to the vehicle based on the distance.
In other features, performing the MUSIC algorithm includes: collecting analytic signal samples of the signal received at each antenna to generate a received data matrix; estimating a data covariance matrix based on the received data matrix; using an eigenvalue decomposition process to determine an M×M matrix based on the covariance matrix, wherein M is an integer greater than or equal to 2; determining a plurality of incident signals; dividing the M×M matrix into a plurality of matrices; calculating a MUSIC spectrum based on one of the plurality of matrices; and performing a peak search on the MUSIC spectrum to determine an angle of arrival.
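The MUSIC steps listed here and in the corresponding access-module feature (received data matrix, covariance estimate, eigenvalue decomposition, signal count, subspace split, spectrum, peak search), as an added example that is not code from the patent. The four-element half-wavelength uniform linear array, the constructed snapshots, the 5 % eigenvalue threshold and the power-iteration eigensolver (chosen so the block needs only the standard library) are assumptions.

```python
import cmath
import math
import random


def steering(theta_deg, m_ant, spacing_wl=0.5):
    """Array response of an assumed uniform linear array (spacing in wavelengths)."""
    psi = 2 * math.pi * spacing_wl * math.sin(math.radians(theta_deg))
    return [cmath.exp(-1j * psi * m) for m in range(m_ant)]


def constructed_snapshots(angles_deg, m_ant=4, n_snap=64, noise=0.01, seed=7):
    """Constructed received data matrix X (m_ant x n_snap) of analytic samples."""
    rng = random.Random(seed)
    x = [[complex(rng.uniform(-noise, noise), rng.uniform(-noise, noise))
          for _ in range(n_snap)] for _ in range(m_ant)]
    for s, theta in enumerate(angles_deg):
        a = steering(theta, m_ant)
        cycles = 4 + 5 * s          # whole cycles per capture keep the tones orthogonal
        for n in range(n_snap):
            tone = cmath.exp(2j * math.pi * cycles * n / n_snap)
            for m in range(m_ant):
                x[m][n] += a[m] * tone
    return x


def covariance(x):
    """Sample covariance R = X X^H / N."""
    m, n = len(x), len(x[0])
    return [[sum(x[i][k] * x[j][k].conjugate() for k in range(n)) / n
             for j in range(m)] for i in range(m)]


def eig_hermitian(r, iters=500):
    """Eigenpairs of a Hermitian PSD matrix, largest first (power iteration + deflation)."""
    m = len(r)
    r = [row[:] for row in r]
    pairs = []
    for idx in range(m):
        v = [complex(1.0, 0.3 * (i + 1) * (idx + 1)) for i in range(m)]
        for _ in range(iters):
            w = [sum(r[i][j] * v[j] for j in range(m)) for i in range(m)]
            norm = math.sqrt(sum(abs(c) ** 2 for c in w))
            if norm == 0.0:
                break
            v = [c / norm for c in w]
        lam = sum(v[i].conjugate() * r[i][j] * v[j]
                  for i in range(m) for j in range(m)).real
        pairs.append((lam, v))
        for i in range(m):              # deflate: remove the component just found
            for j in range(m):
                r[i][j] -= lam * v[i] * v[j].conjugate()
    return pairs


def music_spectrum(signal_vecs, m_ant, grid):
    """P(theta) = 1 / (a^H En En^H a), using En En^H = I - Es Es^H."""
    spec = []
    for theta in grid:
        a = steering(theta, m_ant)
        in_signal = sum(abs(sum(vc.conjugate() * ac for vc, ac in zip(v, a))) ** 2
                        for v in signal_vecs)
        spec.append(1.0 / (max(m_ant - in_signal, 0.0) + 1e-12))
    return spec


def peak_search(spec, grid, k):
    """Angles of the k highest local maxima, in ascending order."""
    peaks = [(spec[i], grid[i]) for i in range(1, len(spec) - 1)
             if spec[i] > spec[i - 1] and spec[i] >= spec[i + 1]]
    return sorted(theta for _, theta in sorted(peaks, reverse=True)[:k])


def estimate_aoa(x, rel_threshold=0.05):
    """Full chain: covariance, eigen-decomposition, signal count, spectrum, peaks."""
    pairs = eig_hermitian(covariance(x))
    k = sum(1 for lam, _ in pairs if lam > rel_threshold * pairs[0][0])
    grid = [i * 0.5 - 90.0 for i in range(361)]
    spec = music_spectrum([v for _, v in pairs[:k]], len(x), grid)
    return peak_search(spec, grid, k)


if __name__ == "__main__":
    print(estimate_aoa(constructed_snapshots([-20.0, 35.0])))
```

The two constructed sources are uncorrelated; coherent multipath copies of one carrier collapse the signal subspace, which is the case the covariance smoothing feature addresses.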
In other features, the method further comprises: performing a covariance smoothing method to generate a modified covariance matrix; and using an eigenvalue decomposition process to determine an M×M matrix based on the modified covariance matrix.
In other features, the method further comprises: converting the in-phase and quadrature-phase sample vectors to phase angle vectors while generating the received data matrix; generating recreated in-phase and quadrature phase sampling vectors for each antenna based on the phase angle vectors; and generating a received data matrix based on the recreated in-phase and quadrature phase sample vectors for each antenna.
In other features, the method further comprises: creating a time vector corresponding to the in-phase and quadrature-phase sample vectors; discarding some of the analytic signal samples collected around the antenna switching time; unwrapping each repeated portion of the remaining samples in steps of π; averaging the sine wave frequency of the remaining samples; finding the average slope of the remaining samples; measuring the standard deviation of the average slope; determining which antennas are misaligned based on the measured standard deviation; and, for each antenna, interpolating straight-line points on the time vector to generate a reconstructed phase angle vector.
In other features, the method further comprises: checking which of the antennas has inaccurate alignment if the standard deviation is greater than a predetermined threshold; and re-measuring the standard deviation of the average slope for the antennas with inaccurate alignment.
In other features, the method further comprises performing a purging method comprising: performing an iterative process, the iterative process comprising removing the source signals one at a time using a calibrated array manifold comprising the antennas, forcing the position of the source signal to an offset position, and recalculating the direction of arrival angles of the remaining signals; and, while performing the iterative process, converging to a new set of incident angles of arrival.
In other features, the vehicle includes (i) a body and (ii) a roof, center console, floor, or at least partially enclosed metal structure. The antenna is implemented in at least one of a roof, a center console, a floor, or an at least partially enclosed metal structure.
In other features, the antenna includes a multi-axis polarized RF antenna assembly. The multi-axis polarized RF antenna assembly includes a circularly polarized antenna and is oriented in a vehicle roof.
A multi-axis polarized RF antenna assembly is provided and includes a circularly polarized antenna, a circular isolator, and a linearly polarized antenna. The circularly polarized antenna includes a conductive annular body having an inner bore. The circular isolator is connected to the conductive annular body. The linearly polarized antenna is connected to the circularly polarized antenna and the circular isolator and extends outwardly from the circular isolator. The linearly polarized antenna includes a sleeve and a conductive element extending through the sleeve. The linearly polarized antenna is orthogonal to the radial extension of the circularly polarized antenna.
In other features, the conductive element is a wire. In other features, the sleeve is formed of polytetrafluoroethylene. The conductive element is formed of copper.
In other features, the linearly polarized antenna is configured to extend downwardly from the circularly polarized antenna in use.
In other features, the circularly polarized antenna is a 2-axis antenna. The linearly polarized antenna is a single axis antenna.
In other features, the multi-axis polarized RF antenna assembly further comprises a ground plane. A circular isolator is disposed on the ground plane between the conductive element and the ground plane and between the circularly polarized antenna and the ground plane.
In other features, the circularly polarized antenna includes two feed points that are phase shifted by 90° and are configured to receive signals that are 90° out of phase with each other.
In other features, a vehicle is provided that includes a body and a roof. The roof includes a multi-axis polarized RF antenna assembly. The multi-axis polarized RF antenna assembly is oriented in the roof of the vehicle such that the linearly polarized antenna extends downwardly from the circularly polarized antenna.
In other features, a vehicle system is provided that includes a multi-axis polarized RF antenna assembly, a second multi-axis polarized RF antenna assembly, and an access module. The multi-axis polarized RF antenna assembly is a first multi-axis polarized RF antenna assembly and is configured to be implemented in a vehicle. The second multi-axis polarized RF antenna assembly is configured to be implemented in a vehicle and includes: a second circularly polarized antenna comprising a second conductive annular body having a second inner bore; a second circular isolator connected to the second conductive annular body; and a second linearly polarized antenna connected to and extending outwardly from the second circular isolator. The second linearly polarized antenna includes a sleeve and a conductive element extending through the sleeve of the second linearly polarized antenna. The second linearly polarized antenna is orthogonal to the radial extension of the second circularly polarized antenna. The access module is connected to the first multi-axis polarized RF antenna assembly and the second multi-axis polarized RF antenna assembly and is configured to communicate with the portable access device via the first multi-axis polarized RF antenna assembly and the second multi-axis polarized RF antenna assembly.
In other features, at any time at least one of the linearly polarized antenna or the first multi-axis polarized RF antenna assembly is not cross polarized with the antenna of the second multi-axis polarized RF antenna assembly.
In other features, the access module is configured to perform a passive entry/passive start operation or a phone-as-a-key operation, including transmitting and receiving radio frequency signals via a first one of the multi-axis polarized RF antenna assemblies and a second one of the multi-axis polarized RF antenna assemblies.
In other features, the access module is configured to grant access to the vehicle based on the radio frequency signal.
In other features, the access module is configured to execute an algorithm to determine which antenna pair having a first one of the multi-axis polarized RF antenna assemblies and a second one of the multi-axis polarized RF antenna assemblies is to be used for communication with the portable access device. In other features, the portable access device is a key fob or a cellular telephone.
In other features, a method of communicating with a portable access device is provided. The method includes iteratively executing an algorithm via an access module of the vehicle, wherein the algorithm includes a series of operations including: selecting a frequency from a plurality of frequencies; selecting an antenna pair from the possible antenna pairs, wherein the antennas of the possible antenna pairs comprise antennas with different polarization axes; transmitting a packet to the portable access device via the selected antenna pair; receiving a first received signal strength indicator (RSSI) and a response signal from the portable access device, wherein the first RSSI corresponds to transmission of the packet; and measuring a second RSSI of the response signal. Based on the first RSSI and the second RSSI, a best frequency of the frequencies and a best antenna pair of the possible antenna pairs are selected. One or more additional packets are transmitted using the selected best frequency and the selected best antenna pair.
In other features, each selected antenna pair includes one of a linearly polarized antenna and one of a circularly polarized antenna.
In other features, the method further comprises: transmitting the one or more additional packets to authorize the portable access device; determining whether the portable access device is authorized to access the interior of the vehicle; and, if the portable access device is authorized, granting access to the vehicle interior.
In other features, the method further comprises: measuring a time of flight of the one or more additional packets, comprising: a time to send the one or more additional packets to the portable access device and a time to receive one or more responses from the portable access device; and estimating a distance between the vehicle and the portable access device based on the measured time of flight.
In other features, the estimated distance is used to detect whether another device is attempting to perform a range extender type relay attack. In other features, the method further comprises: if another device is attempting to perform a range extender type relay attack, performing countermeasures, including blocking access to the interior of the vehicle. In other features, the countermeasures include notifying an owner of the vehicle of the range extender type relay attack.
In other features, the method further comprises: exchanging a plurality of unmodulated carrier tone pairs with the portable access device on a plurality of frequencies, wherein the unmodulated carrier tone pairs include a receive tone and a transmit tone; measuring the phase of the received tone relative to the transmitted tone and collecting frequency data; and estimating a distance between the vehicle and the portable access device based on the measured phase and frequency data.
In other features, the method includes determining whether another device is attempting to perform a range extender type relay attack based on the estimated distance. In other features, each selected antenna pair includes a linearly polarized antenna.
In other features, the algorithm includes switching between possible pairs of antennas between consecutively transmitted packets. In other features, the algorithm includes switching between possible pairs of antennas during transmission of a portion of the packet. In other features, the portion of the packet is a continuous wave tone.
In other features, some of the possible pairs of antennas include two antennas that are co-located.
In other features, the method further comprises: transmitting the packet to the portable access device; measuring a time-of-flight value for the packet based on a response signal received from the portable access device, wherein the response signal is transmitted based on the packet; determining whether another device is performing a range extender type relay attack based on the time-of-flight value; and preventing access to the interior of the vehicle in response to detecting the range extender type relay attack.
In other features, the portable access device is a key fob or a cellular telephone. In other features, the method further comprises encrypting an identifier of the best antenna pair. The transmission of the one or more additional packets includes the encrypted identifier of the best antenna pair.
In other features, a vehicle system for communicating with a portable access device is provided. The vehicle system includes an access module and antennas having different polarization axes. The access module is configured to iteratively execute an algorithm. The algorithm includes a series of operations including: selecting a frequency from a plurality of frequencies; selecting an antenna pair from the antennas having different polarization axes; transmitting a packet to the portable access device via the selected antenna pair; receiving a first RSSI and a response signal from the portable access device, wherein the first RSSI corresponds to the transmission of the packet; and measuring a second RSSI of the response signal. The access module is configured to: select a best one of the frequencies and a best one of the antenna pairs based on the first RSSI and the second RSSI; and transmit one or more additional packets using the selected best frequency and the selected best antenna pair.
In other features, the access module is configured to: measure a time of flight of the one or more additional packets, comprising a time to send the one or more additional packets to the portable access device and a time to receive one or more responses from the portable access device; and estimate a distance between the vehicle and the portable access device based on the measured time of flight.
In other features, the access module is configured to: exchange a plurality of pairs of unmodulated carrier tones with the portable access device at a plurality of frequencies, wherein the unmodulated carrier tones include receive and transmit tones; measure a phase of the received tone relative to the transmitted tone; collect measured phase and frequency data; and estimate a distance between the vehicle and the portable access device using the measured phase and frequency data.
In other features, the access module is configured to detect whether the portable access device is attempting to perform a range extender type relay attack based on the estimated distance.
In other features, the access module is configured to detect whether the device is attempting to perform a range extender type relay attack based on the estimated distance.
In other features, the access module is configured to perform countermeasures, including blocking access to the interior of the vehicle, if the portable access device is attempting to perform a range extender type relay attack.
In other features, the countermeasures include notifying the owner of the vehicle of the range extender type relay attack. In other features, the portable access device is a key fob or a cellular telephone.
In other features, the portable access device is configured to encrypt an identifier of the optimal antenna pair. The transmission of the one or more additional packets includes the encrypted identifier of the best antenna pair.
In other features, a system for detecting a range extender type relay attack is provided. The system includes a first transmitter, a receiver, and a first module. The first transmitter is configured to transmit a first radio frequency signal from one of the vehicle and the portable access device to the other of the vehicle and the portable access device. The receiver is configured to receive a first response signal from one of the vehicle and the portable access device in response to the first radio frequency signal. The first module is configured to: monitor or generate one or more parameters associated with the transmission of the first radio frequency signal and the reception of the first response signal; based on the one or more parameters, detect a range extender type relay attack performed by an attacking device to gain at least one of access to the vehicle or operational control of the vehicle, wherein at least one of: (i) the first radio frequency signal is relayed from the vehicle to the portable access device via the attacking device, or (ii) the first response signal is relayed from the portable access device to the vehicle via the attacking device; and execute countermeasures in response to detecting the range extender type relay attack.
In other features, the first module is implemented at the vehicle. In other features, the first module is implemented at a portable access device.
In other features, the first module is configured to: measure a round trip time of the first radio frequency signal; and detect the range extender type relay attack based on the round trip time.
In other features, the first module is configured to: transmit a second radio frequency signal and receive a second response signal prior to the transmission of the first radio frequency signal and the reception of the first response signal; monitor at least one of a first received signal strength indicator of the second radio frequency signal or a second received signal strength indicator of the second response signal; and determine at least one of a path, frequency, channel, or antenna pair for transmitting the first radio frequency signal and receiving the first response signal based on at least one of the first received signal strength indicator or the second received signal strength indicator.
In other features, the first module is configured to: transmit a second radio frequency signal and receive a second response signal prior to the transmission of the first radio frequency signal and the reception of the first response signal; monitor an antenna polarization state corresponding to at least one of the second radio frequency signal or the second response signal; and determine at least one of a path, frequency, channel, or antenna pair for transmission of the first radio frequency signal and reception of the first response signal based on the antenna polarization state of at least one of the first radio frequency signal or the first response signal.
In other features, the first module is configured to transmit the first radio frequency signal upon receiving the first response signal or the second radio frequency signal from one of the vehicle and the portable access device.
In other features, the first module is configured to receive the first response signal upon receiving the second radio frequency signal from one of the vehicle and the portable access device.
In other features, the first module is configured to: determine a series of randomly selected frequencies or channels; share the series of randomly selected frequencies or channels with one of the vehicle and the portable access device; and transmit the first radio frequency signal and receive the first response signal based on the randomly selected frequencies or channels.
In other features, the first module is configured to: randomize an access address for the vehicle or the portable access device; share a randomized access address with the portable access device; and generate the first radio frequency signal to include one of the access addresses.
In other features, the first module is configured to: measure a length of at least one bit of the first response signal; and detect a range extender type relay attack based on the length of the at least one bit.
In other features, the first module is configured to: monitor the slope of the rising and falling edges of the first response signal; and detect the range extender type relay attack based on the slope.
In other features, the first module is configured to: align the first response signal (including scaling peaks and aligning zero offsets) with an idealized Gaussian waveform for a known bit pattern and bit rate using a sliding correlation function; and, based on the alignment, detect a range extender type relay attack.
In other features, the first module is configured to: accumulate a portion of the predetermined waveform of the first response signal immediately after the zero crossing and before a next peak; determine an average value based on the accumulated portions; and detect a range extender type relay attack based on the average value.
In other features, the first module is configured to: accumulate a portion of the first response signal after a peak of the predetermined waveform and before a next zero crossing; determine an average value based on the accumulated portions; and detect a range extender type relay attack based on the average value.
In other features, the first module is configured to randomize a direction of travel of the first radio frequency signal, including whether the first radio frequency signal is transmitted from the vehicle to the portable access device or from the portable access device to the vehicle.
In other features, the countermeasure includes at least one of blocking access to the vehicle or controlling operation of the vehicle.
In other features, the system further includes a second transmitter configured to transmit a dummy signal when the first transmitter transmits the first radio frequency signal or the receiver receives the first response signal.
In other features, the system includes: a first module implemented at the vehicle; and a portable access device comprising a second module. The first module is configured to transmit a first radio frequency signal to the portable access device and receive a first response signal from the portable access device. The second module is configured to transmit a second radio frequency signal to the vehicle and receive a second response signal from the vehicle. The first module transmits a first radio frequency signal and the second module transmits a first response signal or a second radio frequency signal, or the first module receives the first response signal and the second module transmits at least one of the second radio frequency signal.
In other features, the first module and the second module are configured to: exchange at least three pairs of radio signals comprising portions of unmodulated carrier tones, wherein the unmodulated carrier tones include receive and transmit tones; and measure the phase of the received tone relative to the transmitted tone. One or more of the first module and the second module are configured to: collect frequency and phase information; and estimate a distance between the first module and the second module based on the phase and frequency information.
In other features, one or more of the first module and the second module are configured to detect a range extender type relay attack using the estimated distance.
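The carrier-tone ranging described here and in the earlier method and access-module features (exchange unmodulated tones on several frequencies, measure the phase of the received tone against the transmitted tone, estimate distance from phase and frequency, and use that distance to detect a relay), as an added example that is not code from the patent. The 2.4 GHz tone grid, the phase errors, the 2 m access zone and the function names are constructed assumptions.

```python
import math

C_M_PER_S = 299_792_458.0

# Assumed tone plan: ten carriers spaced 2 MHz apart in the 2.4 GHz band.
TONES_HZ = [2_402_000_000 + 2_000_000 * k for k in range(10)]
# Constructed per-tone phase measurement errors in radians.
PHASE_ERR = [0.02, -0.01, 0.015, -0.02, 0.0, 0.01, -0.015, 0.02, -0.005, 0.01]


def wrap(phase):
    """Fold a phase into [-pi, pi)."""
    return (phase + math.pi) % (2 * math.pi) - math.pi


def constructed_phases(freqs_hz, distance_m, errors):
    """Constructed measurement: two-way phase -4*pi*f*d/c plus an error term."""
    return [wrap(-4 * math.pi * f * distance_m / C_M_PER_S + e)
            for f, e in zip(freqs_hz, errors)]


def unwrap(phases):
    """Remove 2*pi jumps between neighbouring tones."""
    out = [phases[0]]
    for p in phases[1:]:
        out.append(out[-1] + wrap(p - out[-1]))
    return out


def unambiguous_range_m(freqs_hz):
    """Largest distance for which neighbouring tones differ by less than pi.

    Beyond this bound the unwrapping step aliases, so the tone spacing must be
    chosen for the distances the system has to tell apart.
    """
    f = sorted(freqs_hz)
    widest_gap = max(b - a for a, b in zip(f, f[1:]))
    return C_M_PER_S / (4 * widest_gap)


def estimate_distance_m(freqs_hz, phases_rad):
    """Least-squares slope of unwrapped phase against frequency, scaled to metres."""
    if len(freqs_hz) < 3 or len(freqs_hz) != len(phases_rad):
        raise ValueError("need at least three tone pairs with one phase each")
    pairs = sorted(zip(freqs_hz, phases_rad))
    f = [p[0] for p in pairs]
    phi = unwrap([p[1] for p in pairs])
    f_mean = sum(f) / len(f)
    phi_mean = sum(phi) / len(phi)
    slope = (sum((a - f_mean) * (b - phi_mean) for a, b in zip(f, phi))
             / sum((a - f_mean) ** 2 for a in f))
    return -slope * C_M_PER_S / (4 * math.pi)


def access_decision(freqs_hz, phases_rad, max_distance_m=2.0):
    """Grant only when the estimated distance lies inside the assumed access zone."""
    d = estimate_distance_m(freqs_hz, phases_rad)
    # A negative estimate is not physical and is treated as a failed measurement.
    return ("grant" if 0.0 <= d <= max_distance_m else "deny"), d


if __name__ == "__main__":
    near = constructed_phases(TONES_HZ, 1.5, PHASE_ERR)    # fob beside the vehicle
    far = constructed_phases(TONES_HZ, 30.0, PHASE_ERR)    # path lengthened by a relay
    print(access_decision(TONES_HZ, near), access_decision(TONES_HZ, far))
```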
In other features, a method of detecting a range extender type relay attack is provided. The method comprises the following steps: transmitting a radio frequency signal from one of the vehicle and the portable access device to the other of the vehicle and the portable access device via the transmitter; receiving a response signal responsive to the radio frequency signal from one of the vehicle and the portable access device via the receiver; monitoring or generating one or more parameters associated with the transmission of the radio frequency signal and the reception of the response signal; and detecting, based on the one or more parameters, a range extender type relay attack performed by the attacking device to obtain at least one of access to the vehicle or operational control of the vehicle. There is at least one of the following: (i) the first radio frequency signal is relayed from the vehicle to the portable access device via the attacking device, or (ii) the first response signal is relayed from the portable access device to the vehicle via the attacking device. The method further comprises the steps of: executing countermeasures in response to detecting the range extender type relay attack; measuring the round trip time of the radio frequency signal; monitoring at least one of a first received signal strength indicator of the radio frequency signal or a second received signal strength indicator of the response signal; and detecting the range extender type relay attack based on the round trip time.
In other features, a system for accessing a vehicle or providing operational control of a vehicle is provided. The system includes a master device comprising: a first antenna module including a first antenna having different polarization axes; a transmitter configured to transmit a challenge signal from the vehicle to a slave device via the first antenna module, wherein the slave device is a portable access device; and a first receiver configured to receive a response signal from the slave device in response to the challenge signal. The system further comprises a first sniffer device comprising: a second antenna module including a second antenna having a different polarization axis; and a second receiver configured to receive the challenge signal from the transmitter and the response signal from the slave device via the second antenna module. The first sniffer device is configured to measure when the challenge signal and the response signal arrive at the first sniffer device to provide a time of arrival. The master device or the first sniffer device is configured to (i) estimate at least one of a distance from the vehicle to the slave device or a position of the slave device relative to the vehicle based on the arrival time, and (ii) block at least one of access to the vehicle or operational control of the vehicle based on the estimated at least one of distance or position.
In other features, the master device or the first sniffer device is configured to: determine a round trip time associated with the transmission of the challenge signal based on the arrival time; and detect, based on the round trip time, a range extender type relay attack performed by the attacking device to obtain at least one of access to the vehicle or operational control of the vehicle. The response signal is relayed from the slave device to the vehicle by the attacking device and altered by the attacking device. The master device is configured to perform countermeasures in response to detecting the range extender type relay attack.
In other features and at any time, at least one of the first antennas of the first antenna module is not cross-polarized with at least one of the second antennas of the second antenna module.
In other features and at any time, at least one of the first antennas of the first antenna module is not cross polarized with an antenna of the slave device.
In other features, the master device or the first sniffer device is configured to: determining a first amount of time that the first sniffer device receives the challenge signal and a second amount of time that the sniffer device receives the response signal; and estimating a distance based on the first amount of time and the second amount of time.
In other features, the system further comprises a second sniffer and a third sniffer. The second sniffer device comprises a third antenna module comprising a third antenna and a third receiver configured to receive the challenge signal from the transmitter and the response signal from the slave device via the third antenna module. The third sniffer device comprises a fourth antenna module comprising a fourth antenna and a fourth receiver configured to receive the challenge signal from the transmitter and the response signal from the slave device via the fourth antenna module. The second sniffer device is configured to measure when the challenge signal and the response signal reach the second sniffer device to provide a time of arrival. The third sniffer device is configured to measure when the challenge signal and the response signal reach the third sniffer device to provide the time of arrival. The master device, the first sniffer device, the second sniffer device or the third sniffer device is configured to estimate the position based on the arrival time provided by the first sniffer device, the arrival time provided by the second sniffer device and the arrival time provided by the third sniffer device.
In other features, the first sniffer device is configured to determine a first amount of time for the first sniffer device to receive the response signal. The second sniffer device is configured to determine a second amount of time for the second sniffer device to receive the response signal. The third sniffer device is configured to determine a third amount of time for the third sniffer device to receive the response signal. The master device, the first sniffer device, the second sniffer device, or the third sniffer device is configured to estimate the location based on the first amount of time, the second amount of time, and the third amount of time.
In other features, the master device is configured to periodically send a challenge signal or other challenge signal to the slave device and receive a corresponding response signal from the slave device. The first sniffer device is configured to measure when the challenge signal and the response signal arrive at the first sniffer device to provide a corresponding arrival time. The master device or the first sniffer device is configured to (i) update at least one of a distance or a location based on arrival times associated with the challenge signal and the response signal, and (ii) block at least one of access to the vehicle or operational control of the vehicle based on the at least one of the updated distance or the updated location.
In other features, a method for accessing a vehicle or providing operational control of a vehicle is provided. The method comprises the following steps: transmitting a challenge signal from a master device to a slave device of a vehicle via a first antenna module, wherein the first antenna module includes a first antenna having a different polarization axis; at a first receiver, receiving a response signal from the slave device in response to the challenge signal; receiving, at the first sniffer device, a challenge signal from the master device and a response signal from the slave device via a second antenna module and a second receiver, wherein the second antenna module comprises a second antenna having a different polarization axis; measuring when a challenge signal and a response signal are received at the first sniffer device to provide a time of arrival via the first sniffer device; estimating at least one of a distance from the vehicle to the slave device or a position of the slave device relative to the vehicle based on the arrival time; and preventing at least one of access to the vehicle or operational control of the vehicle based on at least one of the estimated distance or location.
In other features, the method includes: determining a round trip time associated with the transmission of the challenge signal based on the arrival time; based on the round trip time, detecting a range-extending relay attack performed by the attack device to obtain at least one of access to the vehicle or operation control of the vehicle, wherein a response signal is relayed from the slave device to the vehicle by the attack device and altered by the attack device; and executing countermeasures in response to detecting the extended range relay attack.
In other features and at any time, at least one of the first antennas of the first antenna module is not cross-polarized with at least one of the second antennas of the second antenna module.
In other features and at any time, at least one of the first antennas of the first antenna module is not cross polarized with an antenna of the slave device.
In other features, the method further comprises: determining a first amount of time for the first sniffer device to receive the challenge signal and a second amount of time for the sniffer device to receive the response signal; and estimating a distance based on the first amount of time and the second amount of time.
In other features, the method further comprises: receiving, at a third receiver of the second sniffer device, a challenge signal from the transmitter and a response signal from the slave device via a third antenna module, wherein the third antenna module comprises a third antenna having a different polarization axis; and receiving, via a fourth antenna module, a challenge signal from the transmitter and a response signal from the slave device at a fourth receiver of the third sniffer device. The fourth antenna module includes a fourth antenna having a different polarization axis. The method further comprises the steps of: measuring when the challenge signal and the response signal arrive at the second sniffer device to provide a time of arrival via the second sniffer device; measuring when the challenge signal and the response signal arrive at the third sniffer device to provide a time of arrival via the third sniffer device; and estimating a location based on the time of arrival provided by the first sniffer device, the time of arrival provided by the second sniffer device, and the time of arrival provided by the third sniffer device.
In other features, the method further comprises: determining a first amount of time for the first sniffer device to receive the response signal; determining a second amount of time for the second sniffer device to receive the response signal; determining a third amount of time for the third sniffer device to receive the response signal; and estimating a position based on the first amount of time, the second amount of time, and the third amount of time.
In other features, the method further comprises: periodically sending a challenge signal or other challenge signal from the master device to the slave device, and receiving a corresponding response signal from the slave device; measuring, at the first sniffer device, when the challenge signal and the response signal reach the first sniffer device to provide a corresponding arrival time; updating at least one of the distance or the location based on the arrival times associated with the challenge signal and the response signal; and preventing at least one of access to the vehicle or operational control of the vehicle based on at least one of the updated distance or the updated location.
In other features, a system for accessing a vehicle or providing operational control of a vehicle is provided. The system includes a first network device and a control module. The first network device includes a first antenna module, a transmitter, and a receiver. The first antenna module includes antennas having different polarization axes. The transmitter is configured to transmit a series of tones from the vehicle to the second network device via the first antenna module and to change a frequency of the tones during transmission of the series of tones. At any moment in time, at least one of the antennas of the first antenna module is not cross polarized with the antenna of the second network device. The receiver is configured to receive the series of tones from the second network device. The control module is configured to (i) determine a comparison between a phase difference of the series of tones and a frequency difference of the series of tones, (ii) determine a distance between the first network device and the second network device based on the phase difference and the frequency difference, and (iii) block at least one of access to the vehicle or operational control of the vehicle based on the distance.
In other features, the control module is configured to: for each of the tones, changing a corresponding frequency during transmission of the tone; generating a curve relating the phase variation of each of the tones to the frequency variation for the tones, respectively; determining the slope of the curve; and determining the distance based on the slope of the curve.
In other features, the control module randomizes a channel selected for transmitting the series of tones.
In other features, the control module randomizes a direction in which tones are transmitted between the first network device and the second network device. The tones include one or more tones of the series of tones.
In other features, the control module is configured to: transmitting and receiving a series of tones via a transmitter and a receiver; and determining the distance based on the phase difference and the corresponding frequency difference of the series of tones.
In other features, the system further comprises a second network device. The first network device includes a first tone exchange responder and a first tone exchange initiator. The first tone exchange initiator includes a transmitter. The first tone exchange responder includes a receiver. The second network device includes a second tone exchange responder and a second tone exchange initiator. The second tone exchange responder responds to the series of tones by sending the series of tones or the second series of tones back to the first tone exchange initiator. The second tone exchange initiator transmits a third series of tones to the first tone exchange responder.
In other features, the control module is configured to determine the distance based on at least one of: (i) The phase difference of the second series of tones and the frequency difference of the second series of tones, or (ii) the phase difference of the third series of tones and the frequency difference of the third series of tones.
In other features, the first network device is implemented within a vehicle. The second network device is a portable access device.
In other features, the first network device transmits two symbols to the second network device at two different frequencies simultaneously. The length of both symbols is less than or equal to 1 µs to deter successful attacks.
In other features, clock timing of the first network device and the second network device are synchronized. The first network device transmits a first symbol to the second network device at a first frequency. Simultaneously with the first network device transmitting the first symbol to the second network device, the second network device transmits the second symbol to the first network device. The length of the first symbol and the second symbol is less than or equal to 1 µs to prevent successful attacks.
In other features, a method of accessing a vehicle or providing operational control of a vehicle is provided. The method comprises the following steps: transmitting a series of tones from a first network device to a second network device via a transmitter and a first antenna module, and changing the frequency of the tones during transmission of the series of tones, wherein the first antenna module includes antennas, and wherein at any time at least one of the antennas of the first antenna module is not cross-polarized with an antenna of the second network device; receiving the series of tones from the second network device at a receiver in the vehicle; determining a phase difference of the series of tones and a frequency difference of the series of tones; determining a distance between the first network device and the second network device based on the phase difference and the frequency difference; and based on the distance, at least one of blocking access to the vehicle or controlling operation of the vehicle.
In other features, the method further comprises: for each of the tones, changing a corresponding frequency during transmission of the tone; generating a curve relating the phase variation of each tone to the frequency variation for the tone, respectively; determining the slope of the curve; and determining the distance based on the slope of the curve.
In other features, the method further comprises randomizing a channel selected for transmitting the series of tones.
In other features, the method further includes randomizing a direction in which tones are transmitted between the first network device and the second network device. The tones include one or more tones of the series of tones.
In other features, the method further comprises: transmitting and receiving a series of tones via a transmitter and a receiver; and determining the distance based on the phase difference and the corresponding frequency difference of the series of tones.
In other features, the method further comprises: responding to the series of tones via a second tone exchange responder of a second network device by transmitting the series of tones or the second series of tones back to a first tone exchange initiator of the first network device, wherein the first tone exchange initiator comprises a transmitter; and transmitting, via a second tone exchange initiator of the second network device, a third series of tones to a first tone exchange responder of the first network device, wherein the first tone exchange responder comprises a receiver.
In other features, the method further comprises determining the distance based on at least one of: (i) The phase difference of the second series of tones and the frequency difference of the second series of tones, or (ii) the phase difference of the third series of tones and the frequency difference of the third series of tones.
In other features, the first network device is implemented in a vehicle. The second network device is a portable access device.
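The tone-series ranging described in the system and method passages above (phase difference against frequency difference, slope of the resulting curve, randomized channel order, distance-based blocking) can be sketched as follows. This is an added example, not code from the patent or its assignee; the two-way phase model, the 2 MHz channel plan, the 2 m threshold and all function names are assumptions.

```python
import math
import random

C = 299_792_458.0  # speed of light, m/s


def wrap(phi):
    """Wrap an angle to (-pi, pi], the way a phase measurement is reported."""
    return math.atan2(math.sin(phi), math.cos(phi))


def simulate_round_trip_phases(distance_m, freqs_hz, extra_delay_s=0.0,
                               noise_rad=0.0, seed=1):
    """Constructed measurement model (an assumption, not from the patent):
    phase of each received tone relative to the transmitted tone after a
    two-way trip, with optional latency added somewhere in the path."""
    rng = random.Random(seed)
    tau = 2.0 * distance_m / C + extra_delay_s
    return [wrap(-2.0 * math.pi * f * tau + rng.gauss(0.0, noise_rad))
            for f in freqs_hz]


def estimate_distance(freqs_hz, phases_rad):
    """Fit phase against frequency and convert the slope to a distance.

    For a two-way exchange phi(f) = -2*pi*f*tau, so d(phi)/df = -2*pi*tau
    and distance = c*tau/2 = -slope*c/(4*pi). The unwrap step is valid only
    while the phase step between adjacent tones stays below pi.
    """
    if len(freqs_hz) != len(phases_rad) or len(freqs_hz) < 3:
        raise ValueError("need at least three (frequency, phase) pairs")
    # Tones may arrive in randomized channel order; sort by frequency first.
    pairs = sorted(zip(freqs_hz, phases_rad))
    xs = [f - pairs[0][0] for f, _ in pairs]
    # Unwrap: accumulate the wrapped phase step between neighbouring tones.
    ys = [pairs[0][1]]
    for (_, prev), (_, cur) in zip(pairs, pairs[1:]):
        ys.append(ys[-1] + wrap(cur - prev))
    # Ordinary least-squares slope of the phase-versus-frequency curve.
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0.0:
        raise ValueError("tones must use distinct frequencies")
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    return -slope * C / (4.0 * math.pi)


def access_decision(freqs_hz, phases_rad, max_distance_m=2.0):
    """Block access when the estimated distance exceeds the allowed zone.
    The 2 m default is a hypothetical threshold."""
    distance = estimate_distance(freqs_hz, phases_rad)
    return ("allow" if distance <= max_distance_m else "block"), distance


def demo():
    # Constructed channel plan: ten tones, 2 MHz apart, in shuffled order.
    tones = [2.402e9 + 2e6 * k for k in range(10)]
    random.Random(7).shuffle(tones)
    near = simulate_round_trip_phases(1.5, tones, noise_rad=0.05)
    # A longer signal path with 20 ns of added latency: the latency shows
    # up as roughly 3 m of extra apparent distance.
    far = simulate_round_trip_phases(25.0, tones, extra_delay_s=20e-9,
                                     noise_rad=0.05)
    return {"near": access_decision(tones, near),
            "long_path": access_decision(tones, far)}


if __name__ == "__main__":
    for name, (decision, distance) in demo().items():
        print(f"{name}: {decision} (estimated {distance:.2f} m)")
```
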
In other features, a system for accessing a vehicle or providing operational control of a vehicle is provided. The system includes an initiator device and a sniffer device. The initiator device includes: a first antenna module including a plurality of polarized antennas; a transmitter configured to transmit a first tone signal from the vehicle to a responder device via a first antenna module, wherein the responder device is a portable access device; a first receiver configured to receive a second tone signal from the responder device in response to the first tone signal. The sniffer device comprises: a second antenna module comprising a plurality of polarized antennas; and a second receiver configured to receive the first tone signal from the transmitter and the second tone signal from the responder device via the second antenna module. The sniffer device is configured to determine a state of the first and second tone signals comprising respective phase delays. The initiator device or sniffer device is configured to (i) estimate at least one of a first distance from the vehicle to the responder device or a second distance from the responder device to the sniffer device based on states of the first and second tone signals comprising respective phase delays; and (ii) based on at least one of the estimated first distance or second distance, preventing at least one of access to the vehicle or operational control of the vehicle.
In other features, the initiator device or sniffer device is configured to estimate the first distance and the second distance, and to block at least one of access to the vehicle or operational control of the vehicle based on the first distance and the second distance.
In other features, the initiator device or sniffer device is configured to detect a range-extending relay attack performed by the attack device to obtain at least one of access to the vehicle or operational control of the vehicle based on at least one of the first distance or the second distance. The second tone signal is relayed from the responder device to the vehicle and altered by the attacking device. The initiator device is configured to perform countermeasures in response to detecting the extended range relay attack.
In other features and at any time, at least one of the plurality of polarized antennas of the first antenna module is not cross polarized with at least one of the plurality of polarized antennas of the second antenna module.
In other features and at any time, at least one of the plurality of polarized antennas of the first antenna module is not cross polarized with an antenna of the responder device.
In other features, the initiator device or sniffer device is configured to: determining a first amount of time for the first tone signal to travel from the initiator device to the responder device based on a state of the first tone signal when received at the responder device; determining a second amount of time for the second tone signal to travel from the responder device to the sniffer device based on a state of the second tone signal when received at the sniffer device; and estimating the first distance and the second distance based on the first amount of time and the second amount of time.
In other features, the initiator device or sniffer device is configured to: generating a first representation of a first tone signal in natural logarithmic form when received at a responder device; generating a second representation of the first tone signal in natural logarithmic form when received at the sniffer device; generating a third representation of the second tone signal in natural logarithmic form when received at the sniffer device; and estimating a first distance and a second distance based on the first representation, the second representation, and the third representation.
In other features, a method for accessing a vehicle or providing operational control of a vehicle is provided. The method comprises the following steps: transmitting a first tone signal from an initiator device of the vehicle to a responder device via a first antenna module, wherein the first antenna module comprises a plurality of polarized antennas, and wherein the responder device is a portable access device; receiving, at the initiator device, a second tone signal from the responder device in response to the first tone signal; receiving, at the sniffer device and via a second antenna module, a first tone signal from the transmitter and a second tone signal from the responder device, wherein the second antenna module comprises a plurality of polarized antennas; determining, at the sniffer, states of the first and second tone signals comprising respective phase delays; estimating at least one of a first distance from the vehicle to the responder device or a second distance from the responder device to the sniffer device based on states of the first and second tone signals including respective phase delays; and based on at least one of the estimated first distance or second distance, at least one of blocking access to the vehicle or controlling operation of the vehicle.
In other features, the method includes: estimating a first distance and a second distance; and based on the first distance and the second distance, at least one of blocking access to the vehicle or controlling operation of the vehicle.
In other features, the method further comprises: detecting a range-extending relay attack performed by the attack device to obtain at least one of access to the vehicle or operational control of the vehicle based on at least one of the first distance or the second distance, wherein the second tone signal is relayed from the responder device to the vehicle and changed by the attack device; and executing countermeasures in response to detecting the extended range relay attack.
In other features and at any time, at least one of the plurality of polarized antennas of the first antenna module is not cross polarized with the linear polarized antenna or at least one of the plurality of polarized antennas.
In other features and at any time, at least one of the plurality of polarized antennas of the first antenna module is not cross polarized with an antenna of the responder device.
In other features, the method further comprises: determining a first amount of time for the first tone signal to travel from the initiator device to the responder device based on a state of the first tone signal when received at the responder device; determining a second amount of time for the second tone signal to travel from the responder device to the sniffer device based on a state of the second tone signal when received at the sniffer device; and estimating the first distance and the second distance based on the first amount of time and the second amount of time.
In other features, a system for accessing a vehicle or providing operational control of a vehicle is provided. The system includes a first network device and a control module. The first network device includes a first antenna module and a control module. The first antenna module includes: a plurality of polarized antennas; a transmitter configured to transmit an initiator packet from the vehicle to the second network device via the first antenna module, wherein the initiator packet includes a synchronous access word and a first Continuous Wave (CW) tone, wherein one of the first network device and the second network device is implemented within the vehicle, and wherein the other of the first network device and the second network device is a portable access device, and wherein at any time at least one of the plurality of polarized antennas of the first antenna module is not cross-polarized with an antenna of the second network device; a receiver configured to receive a response packet from the second network device, wherein the response packet includes the synchronization access word and the first CW tone. The control module is configured to: (i) determine that a round trip timing difference between the initiator packet and the response packet is greater than a predetermined threshold; (ii) detect a range-extended relay attack performed by the attack device to obtain at least one of access to the vehicle or operational control of the vehicle based on the round trip timing difference being greater than a predetermined threshold; and (iii) in response to detecting the extended range relay attack, at least one of blocking access to the vehicle or controlling operation of the vehicle.
In other features, the control module is configured to: determining a start time and an end time of the sync access word based on the initiator packet; and detecting a time difference based on the start time and the end time.
In other features, the control module is configured to: determine a start time and an end time for the synchronous access word relative to the first CW tone of the response packet based on the initiator packet; determine whether a start time and an end time of a synchronous access word of the response packet match the determined start time and end time; and detect the time difference if the start time and the end time of the synchronous access word of the response packet do not match the determined start time and end time.
In other features, the control module is configured to: determining a first length of a sync access word of the initiator packet; comparing the first length with a second length of the sync access word of the response packet; and detecting a range-extended relay attack if the difference between the first length and the second length is greater than a predetermined amount.
In other features, the control module is configured to: determining a first length of a first CW tone of an initiator packet; comparing the first length with a second length of the first CW tone of the response packet; and detecting a range-extended relay attack if the difference between the first length and the second length is greater than a predetermined amount.
In other features, the first CW tone of the initiator packet is at the end of the initiator packet; and the first CW tone of the response packet is at the beginning of the response packet.
In other features, the initiator packet includes a second CW tone. The response packet includes a second CW tone.
In other features, the first CW tone of the initiator packet is at the beginning of the initiator packet. The second CW tone of the initiator packet is at the end of the initiator packet. The first CW tone of the response packet is at the beginning of the response packet. The second CW tone of the response packet is at the end of the response packet.
In other features, the initiator packet and the response packet have the same format.
In other features, the response packet indicates an amount of phase difference between the second CW tone of the initiator packet and the first CW tone of the response packet. The first CW tone of the response packet has a phase relationship with the phase locked loop of the responder.
In other features, the control module is configured to determine a phase difference between a first CW tone of the response packet and a second CW tone of the initiator packet. The second CW tone of the initiator packet is in phase relation with the phase locked loop of the initiator. The first device and the second device are configured to determine a phase difference of the second frequency and a phase difference of the third frequency. The control module is configured to determine a distance between the devices based on (i) a phase difference between the first CW tone and the second CW tone, (ii) a phase difference for the second frequency, and (iii) a phase difference for the third frequency.
In other features, the control module is configured to compare a frequency, a power level, a bit, and an amplitude of a portion of the received signal including the response packet with a frequency, a power level, a bit, and an amplitude of a portion of the transmitted signal including the initiator packet, and determine whether a range-extended relay attack has occurred based on the resulting difference.
In other features, a method for accessing a vehicle or providing operational control of a vehicle is provided. The method comprises the following steps: transmitting an initiator packet from the vehicle to the second network device via a first antenna module of the first network device, wherein the first antenna module comprises a plurality of polarized antennas, wherein the initiator packet comprises a synchronous access word and a first Continuous Wave (CW) tone, wherein one of the first network device and the second network device is implemented within the vehicle, and wherein the other of the first network device and the second network device is a portable access device, and wherein at any time at least one of the plurality of polarized antennas of the first antenna module is not cross-polarized with an antenna of the second network device; receiving a response packet from the second network device, the response packet including the synchronous access word and the first CW tone; determining that a timing difference between the initiator packet and the response packet is greater than a predetermined threshold; detecting a range-extended relay attack performed by the attack device in order to obtain at least one of access to the vehicle or operation control of the vehicle, based on the timing difference being greater than a predetermined threshold; and in response to detecting the extended range relay attack, at least one of blocking access to the vehicle or controlling operation of the vehicle.
In other features, the method further comprises: determining a start time and an end time of the sync access word based on the initiator packet; and detecting a time difference based on the start time and the end time.
In other features, the method further comprises: determining, based on the initiator packet, a start time and an end time of the sync access word relative to the first CW tone of the response packet; determining whether a start time and an end time of a synchronous access word of the response packet match the determined start time and end time; and detecting the time difference if the start time and the end time of the synchronous access word of the response packet do not match the determined start time and end time.
In other features, the first CW tone of the initiator packet is at the end of the initiator packet; and the first CW tone of the response packet is at the beginning of the response packet.
In other features, the initiator packet includes a second CW tone. The response packet includes a second CW tone. The first CW tone of the initiator packet is at the beginning of the initiator packet. The second CW tone of the initiator packet is at the end of the initiator packet. The first CW tone of the response packet is at the beginning of the response packet. The second CW tone of the response packet is at the end of the response packet.
In other features, the method further comprises: the round trip time of the initiator packet is determined based on the amount of phase delay. The response packet indicates an amount of phase delay between the first CW tone of the initiator packet and the first CW tone of the response packet.
In other features, a system for detecting a range-extending relay attack is provided. The system includes a transmitter, a receiver, and a control module. The transmitter is configured to transmit a radio frequency signal from one of the vehicle and the portable access device to the other of the vehicle and the portable access device. The receiver is configured to receive a response signal responsive to the radio frequency signal from one of the vehicle and the portable access device. The control module is configured to: convert the response signal into an in-phase signal and a quadrature signal; detect, based on the radio frequency signal, the in-phase signal, and the quadrature signal, a range-extended relay attack performed by an attack device to obtain at least one of access to a vehicle or operational control of the vehicle, wherein at least one of: (i) the first radio frequency signal is relayed from the vehicle to the portable access device via the attack device, or (ii) the first response signal is relayed from the portable access device to the vehicle via the attack device; and execute countermeasures in response to detecting the extended range relay attack.
In other features, the system further comprises an antenna module. The antenna module is implemented at one of a vehicle and a portable access device where the transmitter and the receiver are implemented. The antenna module includes a plurality of polarized antennas. At any time, at least one polarized antenna of the plurality of polarized antennas of the antenna module is not cross polarized with an antenna of the other of the vehicle and the portable access device.
In other features, the control module is implemented at the vehicle. In other features, the control module is implemented at the portable access device.
In other features, the control module is configured to: determining a phase difference based on the in-phase signal and the quadrature-phase signal; measuring a round trip time of the radio frequency signal based on the phase difference; and detecting the extended-range relay attack based on the round trip time.
In other features, the control module is configured to: sampling the in-phase signal and the quadrature signal; and determining a received bit based on the in-phase signal and the quadrature signal.
In other features, the control module is configured to: upsampling the received bits based on the in-phase signal and the quadrature signal; upsampling the other signal; cross-correlating a result of up-sampling the received bits based on the in-phase signal and the quadrature-phase signal with a result of up-sampling the other signal; and determining a phase based on the result of the cross-correlation.
In other features, the other signal includes a reference bit pattern. The control module is configured to determine a sign of the differential arctangent signal and generate a reference bit pattern based on the sign. In other features, the other signal comprises a radio frequency signal filtered via a gaussian low pass filter.
In other features, a method for detecting a range-extending relay attack is provided. The method comprises the following steps: transmitting a radio frequency signal from one of the vehicle and the portable access device to the other of the vehicle and the portable access device via the transmitter; receiving a response signal responsive to the radio frequency signal from one of the vehicle and the portable access device via the receiver; converting the response signal into an in-phase signal and a quadrature signal via the control module; detecting, via the control module and based on the radio frequency signal, the in-phase signal, and the quadrature signal, a range-extended relay attack performed by the attacking device for at least one of gaining access to the vehicle or controlling operation of the vehicle, wherein at least one of: (i) the radio frequency signal is relayed from the vehicle to the portable access device via the attack device, or (ii) the response signal is relayed from the portable access device to the vehicle via the attack device; and executing countermeasures in response to detecting the extended range relay attack.
In other features, the antenna module is implemented at one of a vehicle and a portable access device in which the transmitter and the receiver are implemented. The antenna module includes a plurality of polarized antennas. At any time, at least one polarized antenna of the plurality of polarized antennas of the antenna module is not cross polarized with an antenna of the other of the vehicle and the portable access device.
In other features, the control module is implemented at the vehicle. In other features, the control module is implemented at the portable access device.
In other features, the method further comprises: determining a phase difference based on the in-phase signal and the quadrature-phase signal; measuring a round trip time of the radio frequency signal based on the phase difference; and detecting the extended-range relay attack based on the round trip time.
In other features, the method further comprises: sampling the in-phase signal and the quadrature signal; and determining a received bit based on the in-phase signal and the quadrature signal.
In other features, the method further comprises: upsampling the received bits based on the in-phase signal and the quadrature signal; cross-correlating the result of up-sampling the received bits with the result of up-sampling the other signal; and determining a phase based on the result of the cross-correlation. In other features, the other signal includes a reference bit pattern. In other features, the other signal comprises a radio frequency signal filtered via a gaussian low pass filter.
Further areas of applicability of the present disclosure will become apparent from the detailed description, claims and drawings. The detailed description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
Drawings
The present disclosure will become more fully understood from the detailed description and the accompanying drawings, wherein:
FIG. 1 is a side view of an object illustrating an RF main higher power signal traveling along a bounce path (bounce path) due to cross polarization of an RF antenna;
FIG. 2 is a functional block diagram of an example of a vehicle access system including an access module, an RF antenna, and a portable access device according to an embodiment of the present disclosure;
FIG. 3 is a functional block diagram of an example of a vehicle including the access module of FIG. 2, according to an embodiment of the present disclosure;
FIG. 4 is a functional block diagram of an example of the access module of FIG. 2, according to an embodiment of the present disclosure;
fig. 5 is a functional block diagram of an example of an RF antenna module of a vehicle according to an embodiment of the present disclosure;
fig. 6 is a functional block diagram of an example of a portable network device according to an embodiment of the present disclosure;
fig. 7 is an example of a polarization axis diagram illustrating a polarization diversity example arrangement according to an embodiment of the disclosure;
fig. 8 is an example of a polarization axis diagram illustrating another polarization diversity example arrangement according to an embodiment of the disclosure;
FIG. 9 is an example electric field plot and polar plot illustrating the electric field mode and null of a linear antenna;
FIG. 10 is an exemplary voltage-electric field diagram of a linearly polarized antenna;
fig. 11A is a top perspective view of an example of at least a portion of a multi-axis polarized RF antenna assembly including a linearly polarized antenna and a circularly polarized antenna according to an embodiment of the present disclosure;
fig. 11B is a bottom perspective view of the at least a portion of the multi-axis polarized RF antenna assembly of fig. 11A;
FIG. 12 is an exemplary polar plot of radiated power associated with the linearly polarized antenna of FIGS. 11A-11B;
FIG. 13 is an example polar plot of radiated power associated with the circularly polarized antenna of FIGS. 11A-11B;
FIG. 14 is a functional block diagram of an example of RF circuitry and a portion of a portable access device according to an embodiment of the present disclosure;
FIG. 15 is a block diagram of an example of a portion of a key fob having two linearly polarized slot antennas, a metal trim, and a spare key according to embodiments of the present disclosure;
FIG. 16 is a block diagram of an example of a portion of the key fob of FIG. 15 without a metallic trim and a spare key, but with an x-axis linearly polarized slot antenna and a y-axis linearly polarized slot antenna;
FIG. 17 is an example polar plot of radiated power associated with the x-axis linearly polarized slot antenna of the portion of the key fob of FIG. 16;
FIG. 18 is an example polar plot of radiated power associated with the y-axis linearly polarized slot antenna of the portion of the key fob of FIG. 16;
fig. 19 is an example of a return loss versus frequency plot for the linearly polarized slot antenna of fig. 16;
FIG. 20 is a block diagram of an example of a portion of the key fob of FIG. 15 without a metallic trim but including a spare key;
FIG. 21 is an example polar plot of radiated power associated with the x-axis linearly polarized slot antenna of the portion of the key fob of FIG. 20;
FIG. 22 is an example polar plot of radiated power associated with the y-axis linearly polarized slot antenna of the portion of the key fob of FIG. 20;
fig. 23 is an example of a return loss versus frequency plot for the linearly polarized slot antenna of fig. 20;
FIG. 24 is a block diagram of an example of a portion of the key fob of FIG. 15 with a portion of a metallic trim and a spare key;
FIG. 25 is an example polar plot of radiated power associated with the x-axis linearly polarized slot antenna of the portion of the key fob of FIG. 24;
FIG. 26 is an exemplary polar plot of radiated power associated with the y-axis linearly polarized slot antenna of the portion of the key fob of FIG. 24;
fig. 27 is an example of a return loss versus frequency plot for the linearly polarized slot antenna of fig. 24;
FIG. 28 is an exemplary polar plot of radiated power associated with the x-axis linearly polarized slot antenna of the portion of the key fob of FIG. 15;
FIG. 29 is an exemplary polar plot of radiated power associated with the y-axis linearly polarized slot antenna of the portion of the key fob of FIG. 15;
fig. 30 is an example of a return loss versus frequency plot for the linearly polarized slot antenna of fig. 15;
FIG. 31 is a block diagram of an example of a portion of a key fob having a closed linearly polarized slot antenna, an open linearly polarized slot antenna, a metal trim, and a spare key according to embodiments of the present disclosure;
FIG. 32 is an example polar plot of radiated power associated with the x-axis linearly polarized slot antenna of the portion of the key fob of FIG. 31;
FIG. 33 is an exemplary polar plot of radiated power associated with the y-axis linearly polarized slot antenna of the portion of the key fob of FIG. 31;
fig. 34 is an example of a return loss versus frequency plot for the linearly polarized slot antenna of fig. 31;
fig. 35 illustrates a method of determining which antenna combination to use to exchange packets between an RF antenna module of a vehicle and a portable access device for round trip time-of-flight measurements in accordance with an embodiment of the present disclosure;
FIG. 36 illustrates another method of determining which antenna combination to use to exchange packets between an RF antenna module of a vehicle and a portable access device for making a round trip time-of-flight measurement in accordance with an embodiment of the present disclosure;
fig. 37 is a time-of-flight measurement plot.
Fig. 38 is a functional block diagram of an exemplary BLE radio with a superheterodyne receiver and transmitter according to an embodiment of the present disclosure;
FIG. 39 is an example GFSK parameter definition graph;
figure 40 is a functional block diagram of a system for transmitting BLE packets;
figure 41 shows an example preamble and access address for different types of BLE packets;
figure 42 is an example diagram of a BLE packet signal illustrating corresponding bits;
figure 43 is another example diagram of other BLE packet signals illustrating corresponding bits;
fig. 44 is an overlapping diagram of the BLE packet signals of fig. 44, wherein one BLE packet signal has been shifted with respect to another BLE packet signal;
FIG. 45 illustrates an example method of detecting a range-extended relay attack in accordance with an embodiment of the present disclosure;
FIG. 46 is a functional block diagram of an example of a vehicle and portable access device including a corresponding round trip time initiator and round trip time responder according to an embodiment of the present disclosure;
FIG. 47 is a functional block diagram of the vehicle and portable access device of FIG. 46 illustrating the transmission of radio frequency signals through corresponding antennas;
FIG. 48 is a functional block diagram of the vehicle and portable access device of FIG. 46 under attack by an extended range relay attack device;
figure 49 is a functional block diagram of two example BLE radios according to an embodiment of the disclosure;
FIG. 50 is a functional block diagram of an example location and distance determination system including a round trip time sniffer, according to an embodiment of the present disclosure;
FIG. 51 is a functional block diagram of an example location and distance determination system including a plurality of round trip time sniffers, according to an embodiment of the present disclosure;
FIG. 52 is a functional block diagram of an example network device configured to perform tone swapping for distance determination and attack detection according to an embodiment of the present disclosure;
FIG. 53 is a functional block diagram of an example location determination system including a tone sniffer, according to an embodiment of the present disclosure;
FIG. 54 illustrates a method of determining a distance between an initiator and a responder and between the responder and a sniffer, according to an embodiment of the present disclosure;
FIG. 55 is a functional block diagram of an example passive tone swapping and phase difference detection system according to an embodiment of the present disclosure;
FIG. 56 is a functional block diagram of an example of an active tone exchange and phase difference detection system according to an embodiment of the present disclosure;
fig. 57 is a diagram of an example initiator and responder packet for RSSI and time-of-flight measurements, wherein the packet includes a Continuous Wave (CW) tone and a preamble, according to an embodiment of the disclosure;
fig. 58 is a diagram of an example initiator and responder packet for RSSI and time-of-flight measurements, where the packet includes CW tones but no preamble, according to an embodiment of the disclosure;
fig. 59 is a diagram of an example initiator and responder packet for RSSI and time-of-flight measurements, where the packet has the same format and includes multiple CW tones but does not include a preamble, according to an embodiment of the disclosure;
FIG. 60 is a diagram illustrating an example initiator and response packet having the same format in accordance with another embodiment of the present disclosure;
fig. 61 is a functional block diagram of an antenna path determination system for a network device having a corresponding antenna module according to another embodiment of the present disclosure;
fig. 62 is an example radio model corresponding to the structure, function, and operation of the BLE radio of fig. 38;
fig. 63 illustrates a method of exchanging packets between RF antenna modules of a BLE radio to detect an extended range relay attack in accordance with another embodiment of the present disclosure;
FIG. 64A is an exemplary plot of signals from the sampling module, gaussian LPF, and integrator, respectively, of the model of FIG. 62;
FIG. 64B is an example plot of signals from the resampling module of the model of FIG. 62;
FIG. 64C is an example plot of signals from the arctangent module of the model of FIG. 62;
FIG. 64D is an exemplary graph showing the signal from the differentiator relative to the signal from the Gaussian LPF of the model of FIG. 62;
fig. 65 illustrates representations of different pairs of antenna axis assemblies, each including two linearly polarized antennas, according to another embodiment of the present disclosure;
FIG. 66 illustrates a perspective view of a pair of antenna axis assemblies having the same number of antennas, one antenna disposed in a metal container and the other antenna located outside of the metal container, according to another embodiment of the present disclosure;
FIG. 67 illustrates a perspective view of another pair of antenna axis assemblies having a different number of antennas, one of the antennas disposed in a metal container and the other antenna located outside of the metal container, according to another embodiment of the present disclosure;
FIG. 68 is a diagram illustrating distance limiting while performing fast bit swapping, where the prover sequence may be cryptographically secure and known independent of the verifier sequence; and
FIG. 69 is a diagram illustrating preventing response bits from being sent out prematurely while performing fast bit swapping, where the prover sequence may be cryptographically secure and dependent on the verifier sequence.
Fig. 70 is a side view of multiple antennas illustrating the angle of arrival;
FIG. 71 illustrates an AOA method according to the present disclosure including the use of a MUSIC algorithm;
FIG. 72 is an example graph of covariance according to the present disclosure;
FIG. 73 is an exemplary graph of feature vectors and array manifold responses according to the present disclosure;
FIG. 74 is another exemplary graph of feature vectors and array manifold responses according to the present disclosure;
fig. 75 is an example MUSIC power spectrum according to the present disclosure;
fig. 76 is a functional block diagram of an antenna selection system according to the present disclosure;
FIG. 77 illustrates an example reconstruction method according to this disclosure;
FIG. 78A is a top view of a vehicle illustrating an example placement of sensors according to the present disclosure;
FIG. 78B is a side view of the vehicle of FIG. 78A;
FIG. 78C is a rear view of the vehicle of FIG. 78A illustrating bounce reflections and corresponding paths of a transmitted signal detected at a sensor according to the present disclosure;
FIG. 79A is a top view of a vehicle illustrating another example placement of a sensor according to the present disclosure;
Fig. 79B is a side view of the vehicle of fig. 79A; and
fig. 79C is a rear view of the vehicle of fig. 79A, illustrating bounce reflections and corresponding paths of a transmitted signal detected at a sensor according to the present disclosure.
In the drawings, reference numbers may be repeated to indicate similar and/or identical elements.
Detailed Description
The RF device may measure distance through an unmodulated carrier tone exchange. For example, in U.S. patent No.8,644,768B2, which is incorporated herein by reference, a system and method for distance measurement between two nodes of a radio network is provided that uses an unmodulated carrier tone exchange.
The RF device may measure or constrain the distance by round trip timing of a fast exchange of cryptographically secure messages. For example, in "Distance-Bounding Protocols (Extended Abstract)" by Brands and Chaum, in Advances in Cryptology, Workshop on the Theory and Application of Cryptographic Techniques (EUROCRYPT '93), which is also incorporated herein by reference, a sequence of fast bit exchanges between a verifier and a prover is used. As shown in fig. 68, the prover sequence may be cryptographically secure and known independent of the verifier sequence. As shown in fig. 69, the prover sequence may be cryptographically secure and dependent on the verifier sequence.
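The fast bit exchange of fig. 69, in which each prover bit depends on the verifier's bit, can be simulated as follows. This is an added example, not code from the patent or from Brands and Chaum: the class and function names, the round count, the turnaround time, the 2 m limit and the simulated clock readings are assumptions, and an HMAC under a shared key stands in for the prover's signature.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0   # speed of light, m/s
N_ROUNDS = 32       # number of fast bit exchanges (assumed)
T_PROC = 2e-9       # prover's fixed per-bit turnaround in seconds (assumed)
MAX_DIST_M = 2.0    # largest one-way distance the verifier accepts (assumed)


class Prover:
    """Key fob side: commits to a bit string, then answers each challenge bit."""

    def __init__(self, key):
        self.key = key

    def commit(self):
        self.m = [secrets.randbits(1) for _ in range(N_ROUNDS)]
        self.nonce = secrets.token_bytes(16)
        return hashlib.sha256(self.nonce + bytes(self.m)).digest()

    def respond(self, i, alpha):
        # Fig. 69 style: the response bit depends on the verifier's bit.
        return alpha ^ self.m[i]

    def open(self, alphas, betas):
        # Opens the commitment and authenticates the whole fast-phase transcript.
        transcript = bytes(alphas) + bytes(betas)
        tag = hmac.new(self.key, transcript, hashlib.sha256).digest()
        return self.nonce, self.m, tag


def verify(key, prover, path_m, responder=None):
    """Vehicle side. path_m is the simulated one-way radio path, in metres, to
    whoever answers the fast bits; responder overrides who answers them."""
    responder = responder or prover.respond
    commitment = prover.commit()                  # slow phase, not timed
    alphas, betas, rtts = [], [], []
    for i in range(N_ROUNDS):                     # fast phase, timed per bit
        alpha = secrets.randbits(1)
        beta = responder(i, alpha)
        alphas.append(alpha)
        betas.append(beta)
        rtts.append(2.0 * path_m / C + T_PROC)    # simulated clock reading
    nonce, m, tag = prover.open(alphas, betas)    # slow phase, not timed

    opened = hashlib.sha256(nonce + bytes(m)).digest()
    if not hmac.compare_digest(opened, commitment):
        return "bad_commit", None
    if any(b != a ^ mi for a, b, mi in zip(alphas, betas, m)):
        return "bit_mismatch", None
    expected = hmac.new(key, bytes(alphas) + bytes(betas), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad_tag", None
    # The slowest round bounds the distance from above; a relay can only add delay.
    bound_m = C * (max(rtts) - T_PROC) / 2.0
    return ("accept" if bound_m <= MAX_DIST_M else "too_slow"), bound_m


KEY = secrets.token_bytes(32)                     # constructed shared key

if __name__ == "__main__":
    print(verify(KEY, Prover(KEY), 1.0))                      # fob beside the car
    print(verify(KEY, Prover(KEY), 40.0))                     # fob reached over a 40 m relayed path
    print(verify(KEY, Prover(KEY), 1.0, lambda i, a: a))      # nearby device without the committed bits
```

Because the committed bits are fixed before the challenges arrive and every response is timed, a device near the vehicle either answers without knowing the bits and fails the bit check, or forwards the challenge to the real fob and fails the timing check.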
RF devices measuring distance by round trip timing may be exposed to early detect and late commit attacks as described in "Attacks on Time-of-Flight Distance Bounding Channels" by Hancke and Kuhn in Proceedings of the First ACM Conference on Wireless Network Security (WiSec '08), also incorporated herein by reference. RF devices that measure distance through an unmodulated carrier tone exchange may be subject to signal delay rollover attacks as described in "On the Security of Carrier Phase-based Ranging" by Olafsdottir, Ranganathan and Capkun in IACR Cryptology ePrint Archive 2016, which is also incorporated herein by reference.
While conventional PEPS systems allow for keyless entry and start-up of the vehicle, conventional PEPS systems may be vulnerable to extended range relay attacks. An extended range relay attack may refer to an attacker using a relay device to detect, amplify, and relay signals between a key fob (or other smart portable network device) and a vehicle such that the access module of the vehicle operates as if the key fob were in close proximity to the vehicle. For example, when an attacker touches the door handle of the vehicle with his hand and/or with a relay device, the access module may generate and send an LF wake-up signal. As a result, a valid relay device is detected and the access module sends an LF wake-up signal to the key fob, which is received at the relay device. The relay device receives, amplifies and forwards (or rebroadcasts) the LF wake-up signal to the actual key fob. For example, the key fob may be located within a residence and the vehicle may be parked outside or in front of the residence. The key fob may receive the amplified wake-up signal and generate a response signal and/or begin communicating over the RF link. The response signals and/or RF communication signals are amplified and relayed between an antenna on the vehicle and one or more antennas of the key fob. This may be done via a relay device. As a result, the relay device is treated as a key fob by the access module, and the relay device "tricks" the access module into operating as if the key fob were in the location of the relay device, which causes the access module to provide unauthorized access to the interior of the vehicle.
In addition, as described further below, the antenna system of current PEPS systems may prevent the PEPS system from accurately estimating the distance between the key fob and the vehicle and accurately estimating the location of the key fob relative to the vehicle. Distance and location may be determined based on time-of-flight measurements. The time of flight and corresponding received signal strength are measured. The Received Signal Strength Indicator (RSSI) with the greatest magnitude generally corresponds to the direct or shortest distance between the key fob and the vehicle. The time-of-flight measurement associated with the maximum RSSI is used to calculate the distance between the key fob and the vehicle.
Examples set forth herein include a combined LF and RF PEPS key fob that uses RF Round Trip Timing (RTT) measurements to prevent extended range relay attacks. Other examples include RTT measurements, carrier phase based ranging, and combinations of RTT measurements and carrier phase based ranging in PEPS systems. These examples also set forth a number of other features, which are further described below.
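The combination of carrier phase based ranging with an RTT measurement mentioned above can be illustrated with the following added example, which is not code from the patent. It estimates the round-trip delay from the phase slope across tones and cross-checks it against a packet timer; the tone plan (BLE channel centres), the 2 m zone, the timer accuracy, the constructed I/Q samples and all function names are assumptions.

```python
import math

C = 299_792_458.0                                   # speed of light, m/s
STEP_HZ = 2e6                                       # tone spacing (BLE channel spacing)
TONES_HZ = [2.402e9 + STEP_HZ * k for k in range(40)]
AMBIGUITY_S = 1.0 / STEP_HZ                         # phase slope repeats every 0.5 us
MAX_DIST_M = 2.0                                    # assumed access zone radius


def iq_samples(freq_hz, round_trip_s, n=64):
    """Constructed I/Q samples of a returned CW tone after down-conversion.
    A round-trip delay tau rotates the carrier by -2*pi*f*tau."""
    phase = -2.0 * math.pi * freq_hz * round_trip_s
    out = []
    for k in range(n):
        ripple = 0.02 * math.sin(1.7 * k + 0.3)     # stands in for receiver noise
        out.append((math.cos(phase) + ripple, math.sin(phase) - ripple))
    return out


def tone_phase(samples):
    """Phase of one tone from its averaged in-phase and quadrature samples."""
    i_sum = sum(i for i, _ in samples)
    q_sum = sum(q for _, q in samples)
    return math.atan2(q_sum, i_sum)


def phase_round_trip(freqs, phases, guard=0.1):
    """Round-trip delay from the slope of phase versus frequency."""
    two_pi = 2.0 * math.pi
    unwrapped = [phases[0]]
    for prev, cur in zip(phases, phases[1:]):
        # Delay is non-negative, so each step is taken in [-(2*pi - guard), guard).
        step = ((cur - prev - guard) % two_pi) - two_pi + guard
        unwrapped.append(unwrapped[-1] + step)
    f_mean = sum(freqs) / len(freqs)
    p_mean = sum(unwrapped) / len(unwrapped)
    num = sum((f - f_mean) * (p - p_mean) for f, p in zip(freqs, unwrapped))
    den = sum((f - f_mean) ** 2 for f in freqs)
    return -(num / den) / two_pi                    # least-squares slope -> tau


def assess(freqs, iq_per_tone, timer_rtt_s):
    """timer_rtt_s: RTT from packet timing with processing time removed,
    assumed accurate to better than AMBIGUITY_S / 2."""
    tau = phase_round_trip(freqs, [tone_phase(s) for s in iq_per_tone])
    dist = C * tau / 2.0
    if dist > MAX_DIST_M:
        verdict = "out_of_range"
    elif timer_rtt_s - tau > AMBIGUITY_S / 2.0:
        # The phase estimate has wrapped: the timer sees delay the tones cannot.
        verdict = "relay_suspected"
    else:
        verdict = "in_range"
    return verdict, dist


def exchange(distance_m, added_delay_s=0.0, timer_error_s=20e-9):
    """Simulates one tone exchange plus one timed packet exchange."""
    true_rtt = 2.0 * distance_m / C + added_delay_s
    iq = [iq_samples(f, true_rtt) for f in TONES_HZ]
    return assess(TONES_HZ, iq, true_rtt + timer_error_s)


if __name__ == "__main__":
    print(exchange(1.5))                  # direct path
    print(exchange(1.5, 400e-9))          # added delay visible in the phase slope
    print(exchange(1.5, AMBIGUITY_S))     # added delay of one full ambiguity period
```

The third case shows why the two measurements are combined: the phase slope alone reports about 1.5 m, and only the timing check exposes the extra delay.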
Fig. 1 shows an example of when cross-polarization of antennas may result in inaccurate distance determination between a first RF antenna of a key fob and a second RF antenna of a vehicle. If the first RF antenna of the key fob is positioned relative to the second RF antenna of the vehicle such that the first RF antenna is cross polarized with the second RF antenna, the determined distance corresponds to a bounce path rather than a direct path. For example, antennas are cross polarized when the polarizations of the antennas are perpendicular to each other. An example of this is shown in fig. 1.
Fig. 1 shows an object 10 and the polarization axes 12, 14 of corresponding RF antennas. The antennas are linearly polarized antennas. The first RF antenna has a first polarization axis 12 and is in the vehicle. The second RF antenna has a second polarization axis 14 and is in the key fob. Due to the relative positions of the first RF antenna, the second RF antenna, and the object 10, the RF signal 16 transmitted from the antennas may bounce off the object 10. The signal energy (or voltage) corresponding to the bounce path is greater than the signal energy (or voltage) corresponding to the direct path 18 between the antennas. This is due to the cross polarization of the RF antennas. An access module that determines the distance between antennas based on the signal path with the greatest signal energy or voltage may erroneously determine the distance between antennas as the length of the bounce path 16 instead of the length of the direct path 18.
Aligning nulls in a co-polarized antenna arrangement also results in the bounce path being used. This occurs when the first and second RF antennas are pointing in the same direction. The antenna may be positioned such that the wire extends longitudinally through the antenna. This is further described with respect to fig. 9-10.
Examples set forth herein include polarization diversity for RF signal transmission between an RF antenna of a vehicle and an RF antenna of a portable access device (e.g., a key fob, a mobile phone, a wearable device, etc.). Additionally, examples include pseudo-random bi-directional data exchange. Polarization diversity is provided to ensure that at any instant at least one transmit antenna has at least one polarization axis that is not cross polarized, but slightly co-polarized with the polarization axis of at least one receive antenna, without co-linear null co-polarization. As used herein, the phrase "at any instant in time" refers to all times when corresponding devices are in communication with each other and/or all times when one or more signals are transmitted between devices and received by one or more devices. In addition to allowing accurate range determination, this also helps to prevent extended range relay attacks. The pseudo-random bi-directional data exchange described below also helps to prevent extended range relay attacks.
Example embodiments will now be described more fully with reference to the accompanying drawings.
Fig. 2 illustrates a vehicle access system 28 that functions as a PEPS system and a PAK system. The vehicle access system 28 includes a vehicle 30 and may include a key fob 32, a mobile phone 34, and/or other portable access device, such as a wearable device, a laptop computer, or other portable network device. The portable access device may be, for example, a device such as a smart phone, smart watch, wearable electronic device, key fob, tablet device, or other device associated with a user of the vehicle 30. The user may be the owner, driver or passenger of the vehicle 30 and/or a technician for the vehicle 30.
The vehicle 30 includes an access module 36, an LF antenna module 38, and an RF antenna module 40. The access module 36 may wirelessly transmit LF signals to the portable network device via the LF antenna module 38 and may wirelessly communicate with the portable network device via the RF antenna module 40. The RF antenna module 40 provides polarization diversity between each antenna of the portable network device and the antenna of the RF antenna module 40. Polarization diversity, as described further below, provides a minimum number of polarization axes, combinations of polarization axes, and arrangements of polarization axes at the portable network device and vehicle 30 to ensure that at least one transmit antenna has at least one polarization axis that is not cross-polarized with the polarization axis of at least one receive antenna at any time. In other words, at any instant in time, the at least one RF antenna of the vehicle has at least one polarization axis that is not cross-polarized with the polarization axis of the at least one RF antenna of each portable access device. Although a particular number of LF antenna modules and RF antenna modules are shown, any number of LF antenna modules and RF antenna modules may be used.
The access module 36 may communicate with the LF antenna module 38 and the RF antenna module 40 wirelessly and/or via a vehicle interface 45. As an example, the vehicle interface 45 may include a Controller Area Network (CAN) bus, a Local Interconnect Network (LIN) for lower data rate communications, a clock expansion peripheral interface (CXPI) bus, and/or one or more other vehicle interfaces.
The LF antenna module 38 may be at various locations on the vehicle and transmit low frequency signals (e.g., 125kHz signals). Each LF antenna module includes a LF antenna and may include a control module and/or other circuitry for LF signal transmission. The RF antenna module 40 may also be located at various locations on the vehicle and transmit RF signals according to a BLE communication protocol, such as Bluetooth Low Energy (BLE) signals. Alternatively, the RF antenna module 40 may communicate in accordance with other wireless communication protocols, such as wireless fidelity (Wi-Fi). An example of an antenna is shown in fig. 11 (refer to fig. 11A and 11B collectively).
In one embodiment, to improve signal coverage with respect to the vehicle and improve transmission and reception characteristics, the RF antenna module 40 is located in the roof 46 of the vehicle 30. As an example, each RF antenna module 40 may include a pair of RF antennas, one linearly polarized antenna, and one circularly polarized antenna. The number and location of RF antenna modules may be preselected based on the size and shape of the vehicle 30. In one embodiment, two RF antenna modules are included and are spaced apart from one another, as shown in fig. 2, such that the corresponding electric fields overlap one another, extend around the vehicle in a 360 ° pattern and pass over the periphery of the vehicle. The electric field provides a resultant electric field as shown in fig. 1, represented by the dashed circle 48. The dashed circle provides an overall shape that is "rectangular-like". In larger vehicles, more antenna modules 40 may be added to make the shape more "rectangular". In a small vehicle, only one of the RF antenna modules 40 may be included.
A different number of antennas with a different number of antenna polarizations may be utilized. Fig. 65-67 illustrate some other example antenna implementations. Fig. 65-67 include fewer antennas and antenna polarizations that are used to measure or limit distance when different sets of frequencies and/or RF channels are used to measure or constrain the distance and/or reflection of metal in a vehicle. This is done to create virtual polarization diversity. The antenna system can tolerate a certain erroneous measurement rate due to cross polarization and/or null alignment. In fig. 65-67, 7100A-J refer to antenna axis assemblies, 7100A-7100I refer to antenna axis assemblies having two polarization axes, and 7100J refers to an antenna axis assembly having one polarization axis. Reference numerals 7101A-7101I and 7102A-7102I refer to polarized antenna axes of the two-axis polarized antenna axis assemblies. Reference numeral 7101J refers to a single polarization axis of 7100J. Reference numerals 7103AB, 7103CD, 7103EF, 7103GH, and 7103JI refer to RF paths between a pair of antenna assemblies. There are many RF paths between antenna axes, some with more link margin, some with less link margin, some with more phase rotation time delay, and some with less phase rotation time delay. The different round trip timing and unmodulated carrier tone exchange ranging algorithms disclosed, described, and/or referenced herein have the ability to find or measure a shorter path with a link margin of several decibels (dB) up or down compared to the highest link margin path (which may not be shortest). The more round trip timing or tone exchange measurements are made across more frequencies (or channels), the more mathematically complex the algorithm and the more time consuming the timing, the less the link margin in the shorter indirect path found.
The additional antenna axis provides polarization diversity in the RF path between the antenna axis components, which provides path diversity. Reference numeral 7200 refers to a simplified representation of an open three-sided metal box and/or car body for RF radio waves in the gigahertz or several gigahertz range. Reference numeral 7201 refers to a simplified representation of a metal plate and/or a cover and/or a roof of a vehicle for RF radio waves in the gigahertz or several gigahertz range. Fig. 66 and 67 can also be viewed upside down, where 7200 is a simplified representation of an open concave shape of the roof of the vehicle and 7201 is a simplified representation of the floor of the vehicle.
The RF connection between 7100A and 7100B is strong along the RF path 7101AB because both pairs of antenna axes between the antenna axis assemblies are co-polarized. For arbitrarily oriented multi-pair two-axis antennas, even though the co-polarized area is wide, there may be 5 degrees in the 90 degree rotation angle, and the link margin may be 6 dB higher than the intermediate link margin, which is rare. This is because three angular rotations are required to steer the arbitrarily oriented antenna axis assembly pair into this configuration, and because the antenna axis is symmetrical every 90 degrees, which occurs arbitrarily at about the (5/90) × (5/90) × (5/90) or 1.71E-4 portion of time. The RF connection between 7100C and 7100D along RF path 7101CD is not as strong as 7101AB, but it is good because no antenna paths are co-polarized or cross-polarized and null misalignment. The RF connection between 7100E and 7100F along RF path 7101EF is weak because each antenna path between the individual antenna axes is either cross polarized or involves a null of at least one antenna. This is rare because again 3 angular rotations are required to steer a pair of arbitrarily oriented antenna axis pairs into this configuration. In addition, for any directional antenna pair of a two-axis antenna pair, there is, for example, a null region of 5 degrees cross polarization and alignment, such as 20 dB or pow2dB(sin(pi*5/180)^2) below the link margin, three angular rotations are required to steer the any directional antenna pair into this configuration, and the antenna axes are symmetrical every 90 degrees, which occurs approximately at the (5/90) × (5/90) × (5/90) or 1.71E-4 portion of time.
Referring to fig. 7-8, it is apparent that, with three mostly orthogonal polarization axes on one side and two mostly orthogonal polarization axes on the other side, the nulls are misaligned whenever there is cross-polarization. With three mostly orthogonal polarization axes on one side and one polarization axis on the other side, the null can be aligned via two rotations, so that this alignment can occur arbitrarily.
In general, the more antenna axes on each side of the connection, the lower the likelihood of a low link margin direct path. Preventing or reducing the possibility of a low link margin direct path is beneficial because round trip timing ranging and unmodulated carrier tone switching ranging tend to measure a direct path where the link margin is greater relative to a reflected path. Conversely, the lower the link margin in the direct path relative to the reflected path, the greater the likelihood that the ranging technique will measure the distance along the reflected path.
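The relationship between the number of polarization axes and the chance of a low link margin direct path can be checked numerically. The following Python sketch is an added example, not part of the patent: it assumes ideal short dipoles on a free-space direct path with no reflections, models each assembly as one to three mutually orthogonal linear axes, and uses hypothetical function names; the 20 dB threshold is the null depth quoted above.

```python
import math
import random

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1] + u[2] * v[2]

def cross(u, v):
    return (u[1] * v[2] - u[2] * v[1],
            u[2] * v[0] - u[0] * v[2],
            u[0] * v[1] - u[1] * v[0])

def random_unit(rng):
    """Unit vector drawn uniformly from the sphere."""
    z = rng.uniform(-1.0, 1.0)
    phi = rng.uniform(0.0, 2.0 * math.pi)
    r = math.sqrt(1.0 - z * z)
    return (r * math.cos(phi), r * math.sin(phi), z)

def random_axes(rng, count):
    """First `count` axes of a randomly rotated orthonormal triad,
    i.e. an antenna assembly in an arbitrary orientation."""
    a = random_unit(rng)
    while True:
        c = cross(a, random_unit(rng))
        norm = math.sqrt(dot(c, c))
        if norm > 1e-9:          # retry if the helper vector was parallel to a
            break
    b = (c[0] / norm, c[1] / norm, c[2] / norm)
    return (a, b, cross(a, b))[:count]

def coupling(a, b, k):
    """Power coupling (1.0 = co-polarized, broadside) between dipoles with
    axes a and b over a direct path along unit vector k. The field of a is
    its component perpendicular to k, so both the axial null of each dipole
    and cross-polarization drive the result to zero."""
    return (dot(a, b) - dot(a, k) * dot(b, k)) ** 2

def best_margin_db(vehicle_axes, device_axes, k):
    """Link margin of the best axis pair, in dB relative to the ideal pair."""
    best = max(coupling(a, b, k) for a in vehicle_axes for b in device_axes)
    return 10.0 * math.log10(max(best, 1e-30))

def simulate(n_vehicle, n_device, trials=20000, threshold_db=-20.0, seed=1):
    """Return (fraction of orientations whose best pair is below the
    threshold, worst best-pair margin seen in dB)."""
    rng = random.Random(seed)    # fixed seed: constructed, repeatable input
    low, worst = 0, 0.0
    for _ in range(trials):
        margin = best_margin_db(random_axes(rng, n_vehicle),
                                random_axes(rng, n_device),
                                random_unit(rng))
        worst = min(worst, margin)
        if margin < threshold_db:
            low += 1
    return low / trials, worst

if __name__ == "__main__":
    for n_vehicle, n_device in ((1, 1), (3, 1), (3, 2)):
        frac, worst = simulate(n_vehicle, n_device)
        print(f"{n_vehicle} x {n_device} axes: "
              f"{frac:.4%} of orientations below -20 dB, worst {worst:.1f} dB")
```

In this model, three axes against two never falls more than about 7.8 dB below the ideal pair, while three axes against one still has a small set of orientations in which the single axis points along the path.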
In fig. 66, when: the size of the metal box is reasonable relative to the decision constraint of the measured range; the change in distance is measured based on different reflection paths within the metal box; and one side of the ranging connection is placed in a metal box, planning on several direct paths may reduce the number of polarization axes needed to obtain a reasonable measurement. When one of the antenna axes of 7100G is oriented such that the null points along the strongest and/or shortest reflection path toward 7100H, the other antenna axis in 7100G will find a bounce path with a strong link margin to one of the antenna axes 7101H or 7102H. This is especially true when averaging across multiple channels (e.g., 37 data channels within a BLE data link). Some of the channel and antenna axis path combinations may fade rapidly due to multipath, but not most. In any arbitrary orientation of the pair of antenna axes 7100G, the link margin to the pair of antenna axes 7100H is about the same and the distance measured along the 7103IJ reflection path is about the same. The manner in which the reflection path 7103GH bounces off the roof 7201 or side wall of 7200 will vary, but the overall path variation will be limited by the size and location of the 7200 and 7201 components. When 7100G is raised to a height where a direct path exists, this path change limit will change, which will shorten the measured distance by eliminating the reflection of path 7103GH. The range measured between 7100G and 7100H along the reflected path or a shorter direct path will set a comparison constraint that indicates that 7100G (which may be part of the portable device) is within a distance threshold of 7100H. 7100H may be part of the PEPS module 211 or the PAK module 212. These ranging measurements between a pair of 7100 modules may be obtained and compared to be less than a constraint.
The results of the measurements, distances, and/or comparisons may be used as part of a "if-then-not-else" comparison in a software decision tree to indicate that the portable access device 400 is within an engagement area, an unlocking area, and/or a movement area of the vehicle.
Fig. 67 is similar to fig. 66, except that antenna axis assembly 7100J includes a single polarized antenna axis 7101J. In an embodiment, the antenna axis assembly 7100J includes only a single polarized antenna axis. 7101J may be oriented such that the null is oriented along the strongest and/or shortest reflection path toward 7100H. In this case, the round trip timing and unmodulated carrier tone exchange technique will tend to measure distance along a path (not depicted) that is away from box 7200 and then bounces back into the box. In addition to having a 5 degree wide alignment null region, such as 20 dB down or pow2dB(sin(pi*5/180)^2), because two angular rotations are required to steer the arbitrarily oriented antenna pair into the configuration, and because the antenna is symmetrical every 90 degrees, the orientation occurs approximately at the (5/90) × (5/90) or 3E-3 portion of time.
Different polarizations of the antennas may be used to create polarization diversity. Multiple polarized antennas (or antenna axes) may create polarization diversity. A linear axis and another linear axis, a linear axis and two linear axes including a circularly polarized antenna, or three independent linear axes (linearly polarized antennas) are all possible. Especially if there is metal nearby, virtual polarization diversity is created.
The 7101H or 7101J antenna spool pairs may be placed lower in a metal box that is the vehicle body or higher in a metal box that is the roof of the vehicle to achieve these virtual antenna axis array effects.
Fig. 3 shows a vehicle 200 as an example of the vehicle 108 of fig. 1. The vehicle 200 includes a PAK system 202, the PAK system 202 including a vehicle control module 204, an infotainment module 206, and other control modules 208 (e.g., body control modules). The modules 204, 206, 208 may communicate with each other via a Controller Area Network (CAN) bus 209 and/or other vehicle interfaces (e.g., the vehicle interface 45 of fig. 2). The vehicle control module 204 may control operation of the vehicle system. The vehicle control module 204 may include the PEPS module 211, the PAK module 212, and the parameter adjustment module 213 shown in FIG. 4, among other modules. The vehicle control module 204 may also include one or more processors configured to execute instructions stored in a non-transitory computer-readable medium, such as memory 218, which may include read-only memory (ROM) and/or Random Access Memory (RAM).
The PEPS module 211 may perform PEPS operations to provide access to the interior of the vehicle and to allow for the starting and/or operation of the vehicle. The PAK module 212 operates in conjunction with the PEPS module 211 and performs PAK operations, as described herein. The PEPS module 211 may include a PAK module 212, or the modules 211, 212 may be implemented as a single module. The parameter adjustment module 213 may be used to adjust parameters of the vehicle 200.
The PAK system 202 can further comprise: a memory 218; a display 220; an audio system 221; and one or more transceivers including an LF antenna module 38 and an RF antenna module 40. The RF antenna module 40 may include and/or may be connected to RF circuitry 223. The PAK system 202 can further comprise: a telematics module 225; a sensor 226; and a navigation system 227 including a Global Positioning System (GPS) receiver 228. The RF circuitry 223 may be used to communicate with a mobile device (e.g., the mobile device 102 of fig. 1), including transmitting a signal at 2.4 gigahertz (GHz). RF circuitry 223 may include BLE radios, transmitters, receivers, and the like for transmitting and receiving RF signals.
The one or more transceivers 222 may include an RF transceiver that includes RF circuitry 223 and implements an access application with code for checking time-stamped data received and transmitted by the RF antenna module 40. The access application may confirm whether the RF antenna module receives the correct data, for example, at the correct time. The access application may be stored in the memory 218 and implemented by the PEPS module 211 and/or the PAK module 212. Other example operations for accessing an application are described further below.
The access application may implement a protocol stack configured to provide a channel map, an access identifier, a next channel, and a time for the next channel. The access application is configured to output a timing signal for a time stamp of a signal transmitted and received via the RF antenna module 40. The access application may obtain the channel mapping information and timing information and share that information with other modules in the vehicle.
The telematics module 225 may communicate with a server via a cellular tower station. This may include the transmission of certificates, license information, and/or timing information including global clock timing information. The telematics module 225 is configured to generate location information and/or errors in the location information associated with the vehicle 200. The telematics module 225 may be implemented by a navigation system 227.
The sensors 226 may include sensors for PEPS and PAK operations, cameras, object detection sensors, temperature sensors, accelerometers, vehicle speed sensors, and/or other sensors. The sensor 226 may include a touch sensor to detect, for example, a person touching a door handle to initiate a process of waking up the portable access device. The sensor 226 may be connected to other control modules 208, such as a body control module, which may communicate with the LF and RF antenna circuits and/or modules disclosed herein. The GPS receiver 228 may provide speed and/or direction (or heading) of the vehicle and/or global clock timing information.
Memory 218 may store sensor data and/or parameters 230, credentials 232, connection information 234, timing information 236, tokens 237, keys 238, and applications 239. The applications 239 may include application programs executed by the modules 38, 40, 204, 206, 208, 210, 211, 212, 223 and/or the transceiver 222. As examples, the applications may include access applications, PEPS applications, and/or PAK applications executed by transceiver 222 and modules 210, 211, and/or 212. Although the memory 218 and the vehicle control module 204 are shown as separate devices, the memory 218 and the vehicle control module 204 may be implemented as a single device. A single device may include one or more of the other devices shown in fig. 2.
The vehicle control module 204 may control operation of the engine 240, the converter/generator 242, the transmission 244, the window/door system 250, the lighting system 252, the seating system 254, the mirror system 256, the braking system 258, the motor 260, and/or the steering system 262 according to parameters set by the modules 204, 206, 208, 210, 211, 212, 213. The vehicle control module 204 may perform PEPS and/or PAK operations, which may include setting some of the parameters. PEPS and PAK operations may be based on signals received from the sensor 226 and/or the transceiver 222. The vehicle control module 204 may receive power from a power source 264, which may be provided to the engine 240, the converter/generator 242, the transmission 244, the window/door system 250, the lighting system 252, the seating system 254, the mirror system 256, the braking system 258, the motor 260, the steering system 262, and/or the like. Some of the PEPS and PAK operations may include unlocking the doors of the window/door system 250, enabling fuel and spark for the engine 240, starting the motor 260, powering any of the systems 250, 252, 254, 256, 258, 262, and/or performing other operations as further described herein.
The engine 240, the converter/generator 242, the transmission 244, the window/door system 250, the lighting system 252, the seating system 254, the rearview mirror system 256, the braking system 258, the motor 260, and/or the steering system 262 may include actuators controlled by the vehicle control module 204 to, for example, adjust fuel, spark, air flow, steering wheel angle, throttle position, pedal position, door locks, window position, seat angle, and the like. The control may be based on the output of the sensor 226, the navigation system 227, the GPS 228, and the above data and information stored in the memory 218.
Fig. 4 shows an access module 210. The access module 210 includes a PEPS module 211, a PAK module 212, a parameter adjustment module 213, and may also include a link authentication module 300, a connection information distribution module 302, a timing control module 304, a sensor processing and positioning module 306, a data management module 308, and a security filtering module 310. The PAK module 212 can include an RTC 312 that maintains local clock time.
The link authentication module 300 may authenticate the portable access device of fig. 2 and establish a secure communication link. For example, the link authentication module 300 may be configured to implement challenge-response authentication or other password verification algorithms in order to authenticate the portable access device.
The connection information distribution module 302 is configured to communicate with some of the sensors 226 of fig. 3 and provide the sensors with the necessary communication information to enable the sensors to find and then follow or eavesdrop on the secure communication link. This may occur once the sensor is synchronized with a communication gateway, which may be included in or implemented by one of the transceivers 222. As an example, the vehicle 200 and/or the PAK system 202 can include any number of sensors disposed at any location on the vehicle 200 for detecting and monitoring mobile devices. The connection information distribution module 302 is configured to obtain information corresponding to the communication channel and channel switching parameters of the communication link and to send the information to the sensor 226. In response to the sensor 226 receiving this information from the connection information distribution module 302 via the vehicle interface 45 and synchronizing the sensor 226 with the communication gateway, the sensor 226 may locate and follow or eavesdrop on the communication link.
The timing control module 304 may: maintain the RTC and/or the currently stored date if these are not handled by the PAK module 212; transmit current timing information using the sensor; generate timestamps for incoming and outgoing messages, requests, signals, certificates, and/or other items; calculate round trip time; etc. Round trip time may refer to the amount of time between the time a request is generated and/or sent and the time a response to the request is received. When the link authentication module 300 performs challenge-response authentication, the timing control module 304 may obtain timing information corresponding to the communication link. The timing control module 302 is also configured to provide timing information to the sensor 226 via the vehicle interface 209.
After link authentication is established, the data management module 308 gathers the current location of the vehicle 108 from the telematics module 225 and shares that location with the portable access device. The portable access device optionally includes a GPS module and application software that, when executed, compares the estimated relative position of the portable access device with respect to the vehicle 108. Based on the estimated location of the portable access device relative to the vehicle 108, the portable access device may send a signal to one of the transceivers 222 requesting the vehicle to perform certain actions. As an example, the data management layer 308 is configured to obtain vehicle information obtained by any module (e.g., location information obtained by the telematics module 225) and transmit the vehicle information to the portable access device.
The security filtering module 310 detects physical layer and protocol violations and filters the data accordingly before providing the information to the sensor processing and positioning module 306. The security filtering module 310 marks the data as injected so that the sensor processing and positioning module 306 can discard the data and alert the PEPS module 211. Data from the sensor processing and positioning module 306 is transmitted to the PEPS module 211 such that the PEPS module 211 is configured to read vehicle status information from the sensors to detect a user's intent to access a feature and compare the location of the mobile device 102 to a set of locations authorizing certain vehicle features, such as unlocking a door or trunk of the vehicle and/or starting the vehicle.
Fig. 5 is a functional block diagram of the RF antenna module 40, which includes a control module 350 connected to a multi-axis polarized RF antenna assembly 352. The multi-axis polarized RF antenna assembly 352 may include a linearly polarized antenna, other linearly polarized antennas, and/or a circularly polarized antenna (e.g., a right-hand circularly polarized antenna or a left-hand circularly polarized antenna). An example of a multi-axis polarized RF antenna is shown in fig. 11. Control module 350 may include or be part of a BLE communication chipset. Alternatively, the control module 350 may include or be part of a Wi-Fi or Wi-Fi direct communication chipset. The multi-axis polarized RF antenna assembly 352 may be included as part of the RF antenna module 40 or may be located remotely from the control module 350. Some or all of the operations of the control module 350 may be implemented by one or more of the modules 204, 210, 211, 212 of fig. 3.
The control module 350 (or one or more of the modules 204, 210, 211, 212 of fig. 3) may establish a secure communication connection with a portable access device (e.g., one of the portable access devices 32, 34 of fig. 2). For example, control module 350 may establish a secure communication connection using BLE communication protocols, which may include sending and/or receiving timing and synchronization information. The timing and synchronization information may include information for the secure communication connection such as timing of a next communication connection event, timing intervals between communication connection events, communication channels of a next communication connection event, channel mapping, channel hopping intervals or offsets, communication delay information, communication jitter information, and the like. The control module 350 may detect (or "tap") packets sent by the portable access device to the vehicle control module 204 and measure signal information of signals received from the portable access device. The channel hopping interval or offset may be used to calculate a channel for a subsequent communication connection event.
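How a sensor can compute the channel and start time of each subsequent connection event from the shared connection parameters is sketched below. This is an added example, not part of the patent, and it assumes the link uses BLE Channel Selection Algorithm #1 from the Bluetooth Core Specification (the patent does not name the algorithm); the function names, the acceptance window and the sample channel map are constructed for illustration.

```python
DATA_CHANNELS = 37        # BLE data channels 0..36
INTERVAL_UNIT_US = 1250   # connection interval is expressed in 1.25 ms units

def used_channels(channel_map):
    """Ascending list of used data channels; bit n of channel_map set
    means data channel n is in use."""
    return [ch for ch in range(DATA_CHANNELS) if (channel_map >> ch) & 1]

def next_channel(last_unmapped, hop_increment, channel_map):
    """One step of Channel Selection Algorithm #1.
    Returns (unmapped_channel, data_channel_to_use)."""
    if not 5 <= hop_increment <= 16:
        raise ValueError("hop increment must be in 5..16")
    used = used_channels(channel_map)
    if len(used) < 2:
        raise ValueError("channel map must mark at least two used channels")
    unmapped = (last_unmapped + hop_increment) % DATA_CHANNELS
    if (channel_map >> unmapped) & 1:
        return unmapped, unmapped
    # Unused channel: remap onto the table of used channels.
    return unmapped, used[unmapped % len(used)]

def connection_plan(anchor_us, interval_units, hop_increment, channel_map, events):
    """Expected (event_counter, start_time_us, data_channel) for the next
    `events` connection events, starting at the first event of a connection
    (where the last unmapped channel is 0)."""
    plan = []
    last_unmapped = 0
    for counter in range(events):
        last_unmapped, channel = next_channel(last_unmapped, hop_increment, channel_map)
        plan.append((counter, anchor_us + counter * interval_units * INTERVAL_UNIT_US, channel))
    return plan

def check_observation(plan, t_us, channel, window_us=150):
    """Classify a received packet against the plan. window_us is an assumed
    tolerance for clock drift and jitter, not a value from the patent."""
    for _, start_us, expected in plan:
        if abs(t_us - start_us) <= window_us:
            return "ok" if channel == expected else "wrong-channel"
    return "off-schedule"

if __name__ == "__main__":
    # Constructed parameters: 30 ms interval, hop increment 7, channels 0-19 in use.
    plan = connection_plan(0, 24, 7, 0xFFFFF, 6)
    for counter, start_us, channel in plan:
        print(f"event {counter}: t={start_us} us, channel {channel}")
    print(check_observation(plan, 60010, 1))    # on time, expected channel
    print(check_observation(plan, 60010, 21))   # on time, wrong channel
    print(check_observation(plan, 45000, 8))    # between connection events
```

A packet classified as "wrong-channel" or "off-schedule" is the kind of protocol-level inconsistency a timing or filtering stage can flag before the measurement is used for ranging.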
The control module 350 may measure the received signal strength of the signal received from the portable access device and generate a corresponding RSSI value. Additionally or alternatively, the control module 350 may make other measurements on signals received from the portable access device, such as angle of arrival, time difference of arrival, and the like. The control module 350 may then send the measured information to the vehicle control module 204, which may then determine the location and/or distance of the portable access device relative to the vehicle 30 based on the measured information. The location and distance determination may be based on similar information received from one or more other RF antenna modules and/or other sensors.
As an example, the vehicle control module 204 may determine the location of the portable access device based on, for example, a pattern of RSSI values corresponding to signals received by the RF antenna module 40 from the portable access device. A strong (or high) RSSI value indicates that the portable access device is very close to the vehicle 30, while a weak (or low) RSSI value indicates that the portable access device is further from the vehicle 30. By analyzing the RSSI values, the control module 204 may determine the location and/or distance of the portable access device relative to the vehicle 30. Additionally or alternatively, angle of arrival, angle of departure, round trip timing, unmodulated carrier tone exchange, or time difference of arrival measurements for signals transmitted between the portable access device and the control module 204 may also be used by the control module 204 or the portable access device to determine the location of the portable access device. Additionally or alternatively, the RF antenna module 40 may determine a location and/or distance of the portable access device based on the measured information and communicate the location or distance to the control module 204.
Based on the determined location of the portable access device relative to the vehicle 30 or the distance relative to the vehicle 30, the modules 211, 212 of fig. 3 may then authorize and/or perform vehicle functions, such as unlocking a door of the vehicle 30, unlocking a trunk of the vehicle 30, starting the vehicle 30, and/or allowing the vehicle 30 to be started. As another example, if the distance between the portable access device and the vehicle 30 is less than the first predetermined distance, the modules 211, 212 may turn on an interior or exterior light of the vehicle 30. The modules 211, 212 may unlock a door or trunk of the vehicle 30 if the distance between the portable access device and the vehicle 30 is less than a second predetermined distance. The modules 211, 212 may allow the vehicle 30 to be started if the portable access device is located within the vehicle 30.
Referring again to fig. 5, the control module 350 may include a physical layer (PHY) module 356, a Medium Access Control (MAC) module 358, a time synchronization module 360, and a channel map reconstruction module 362. PHY module 356 receives BLE signals via multi-axis polarized RF antenna assembly 352. Control module 350 may monitor the received BLE physical layer messages and obtain measurements of physical properties of the corresponding signals, including, for example, received signal strength, using the channel map generated by channel map reconstruction module 362. The control module 350 may communicate with the control modules and/or modules 204, 210, 211, 212 of other RF antenna modules via the vehicle interface 45 to determine time differences of arrival, time of arrival, angle of arrival, and/or other timing information. In one embodiment, the control module 350 includes a portion of the RF circuitry 223 of fig. 3.
The time synchronization module 360 is configured to accurately measure the time of receipt of the signal/message on the vehicle interface 45. Control module 350 may tune PHY module 356 to a particular channel at a particular time based on the channel mapping information and the time of receipt and/or other timing information. In addition, the control module may monitor received PHY messages and data that are consistent with physical layer specifications, such as the Bluetooth specification version 5.1. The data, time stamps, and measured signal strengths may be reported by the control module 350 to the control module 204 via the vehicle interface 45.
Fig. 6 shows an example portable access device 400, the example portable access device 400 being an example of one of the portable access devices 32, 34 of fig. 2. The portable access device 400 may include a control module 402, a user interface 404, a memory 406, a sensor 407, and a transceiver 408. Transceiver 408 may include a MAC module 410, a PHY module 412, and a plurality of linearly polarized antennas 414.
Control module 402 may include or be part of a BLE communication chipset. Alternatively, the control module 402 may include or be part of a Wi-Fi or Wi-Fi direct communication chipset. The memory 406 may store application code executable by the control module 402. Memory 406 may be a non-transitory computer-readable medium including read-only memory (ROM) and/or Random Access Memory (RAM).
The control module 402 communicates with the modules 204 and 350 of the vehicle and performs authentication and other operations as described further below. The control module 402 may transmit information about the portable access device 400, such as position and/or velocity information obtained from one or more sensors 407 (e.g., global navigation satellite system (e.g., GPS) sensors, accelerometers, and/or angular velocity sensors). The user interface 404 may include a keyboard, a touch screen, a voice activated interface, and/or other user interfaces.
Fig. 7 shows a polarization axis diagram illustrating a polarization diversity example arrangement. In the example shown, two 3-axis antennas located within the vehicle communicate with a 2-axis antenna located in a portable access device (or mobile access network device). With sufficient antenna axes, this antenna topology can prevent the case where there is cross polarization between one of the 3-axis antennas and the 2-axis antenna. Additionally, with enough antenna axes, the system may be configured such that there is at least one pair of antennas in the direct signal path where no null is present (or where no null is indicated). Heuristic measurements of RSSI may be made on Continuous Wave (CW) tone portions of packets while measuring round trip time and phase delay of the packets. This may be repeated over multiple frequencies. This may be done at the vehicle access module and/or the portable access device. Round trip timing and/or exchange of unmodulated carrier tones may be used to ensure ranging. The RSSI and the varying (or incremental) phase of each frequency may be used.
Fig. 8 shows a polarization axis diagram illustrating another polarization diversity example arrangement. In the example shown, two single axis antennas located within the vehicle communicate with a 3 axis antenna located in a portable access device (or mobile access network device). With sufficient antenna axes, this antenna topology can also prevent the case where there is cross polarization between one of the single axis antenna and the 3 axis antenna. Additionally, with enough antenna axes, the system may be configured such that there is at least one pair of antennas in the direct signal path where no null is present (or where no null is indicated). Heuristic measurements of RSSI may be made on Continuous Wave (CW) tone portions of packets while measuring round trip time and phase delay of the packets. This may be repeated over multiple frequencies. This may be done at the vehicle access module and/or the portable access device. The back-and-forth timing is used to ensure ranging. The RSSI and the varying (or incremental) phase of each frequency may be used. The example of fig. 7 may be more viable than the example of fig. 8. This is because it may be difficult to integrate a 3-axis antenna in some portable access devices, such as key fobs.
Fig. 9 shows an electric field plot 900 and a polar plot 902 illustrating the electric field plot and null 906 of a linear antenna. The linear antenna is positioned along a vertical axis 908. The linear antenna has a radiation pattern in the shape of a "doughnut". The bounce path of the transmitted signal is measured when the nulls are aligned between the transmit and receive antennas (nulls are collinear or nearly collinear co-polarized antennas). The examples set forth herein prevent this from being the case between at least one transmit antenna and at least one receive antenna at any time. An algorithm is set forth herein for determining which transmit and receive antennas to use at any time to prevent cross-polarized and/or co-polarized antennas from being used. Once the appropriate antenna pair is selected, a time-of-flight measurement is made to determine the distance between the transmitter and receiver and/or between the vehicle and the portable access device. Fig. 10 shows a voltage-electric field diagram 1000 of a linearly polarized antenna 1002.
Fig. 11A-11B illustrate at least a portion of an example of a multi-axis polarized RF antenna assembly 1100 that includes a linearly polarized antenna 1102 and a circularly polarized antenna 1104. The antennas 1102, 1104 are collocated. The linearly polarized antenna 1102 extends linearly away from the circularly polarized antenna 1104 axially outward from the center of the circularly polarized antenna 1104. Antennas 1102, 1104 may be transmitted 90 ° out of phase with each other. The linearly polarized antenna 1102 may include a conductive element (e.g., a straight line or helix) 1110 extending within a sleeve 1112. The circularly polarized antenna 1104 may be annular.
The linearly polarized antenna 1102 is a monopole antenna. Sleeve 1112 is formed of a dielectric material such as polytetrafluoroethylene. The antennas 1102, 1104 are each concentric with a disc-shaped insulator (or isolator) 1106 and a disc-shaped ground plane 1108. The loop insulator 1106 is stacked as a top layer on the ground plane 1108 (or bottom layer). The circularly polarized antenna 1104 is disposed on the ground plane 1108 inside the recessed region 1114 of the insulator 1106. An insulator recessed region 1114 is disposed between the circularly polarized antenna 1104 and the ground plane 1108.
The circularly polarized antenna has two feed points 1120, 1122, while the linearly polarized antenna 1102 has a single feed point 1124. The RF signals are transmitted and/or received via feed points 1120, 1122, 1124. RF signals are transmitted between antennas 1102, 1104 and RF circuitry 1114 via coaxial cables. The coaxial cable includes inner conductors 1130, 1132, 1134 and an outer shield (not shown). The ground shield is connected to a ground plane 1108. Wires 1130, 1132, 1134 are connected to feed points 1120, 1122, 1124.
During transmission, a signal or voltage is provided across the ground plane 1108 and the conductive element 1110 via a feed point 1124, which feed point 1124 is connected to the conductive element 1110 and the ground plane 1108 via another conductive element 1140. RF signal(s) or voltage(s) are also applied across the ground plane 1108 and the feed points 1120, 1122 of the circularly polarized antenna 1104. The feed points 1120, 1122 are located 90° offset on the surface of the antenna 1104 and are 90° out of phase with each other. The 90° electrical phase shift in combination with the 90° geometric phase shift results in the circularly polarized antenna 1104 radiating a circularly polarized signal. The feed points 1120, 1122 are connected from the ground plane 1108 to the circularly polarized antenna 1104 through the insulator 1106. The aperture 1142 in the center of the ground plane 1108 and the aperture 1144 in the center of the circularly polarized antenna 1104 are large enough to allow the linearly polarized antenna 1102 to radiate without shorting to the ground plane 1108.
The antennas 1102, 1104 may be formed of an electrically conductive material, while the circular isolator 1106 may be formed of a non-conductive (or electrically insulating) material. In one embodiment, the linearly polarized antenna 1102 may be implemented as a straight line, with the sleeve 1112 formed of Polytetrafluoroethylene (PTFE) and the conductive element 1110 formed of copper. In another embodiment, the linearly polarized antenna 1102 is implemented as a spiral, wherein the wire is wrapped around a cylindrical object formed of PTFE. Fig. 12 shows a polar plot 1200 of radiated power associated with the linearly polarized antenna 1102 of fig. 11. Fig. 13 shows a polar plot of the radiated power associated with the circularly polarized antenna 1104 of fig. 12. The antennas 1102, 1104 may be connected to RF circuitry 1114, such as one of the RF circuitry 223 of fig. 3, and may be configured to be mounted in the roof of a vehicle. The antennas 1102, 1104 may be used for time-of-flight measurements between the vehicle and the portable access device, while other LF antennas in the vehicle may be used for authentication of the portable access device.
Although the antenna assembly is mainly described as having a circularly polarized antenna and a linearly polarized antenna, which may be arranged, for example, in the roof of a vehicle, two linearly polarized antennas may alternatively be used. This applies for each example disclosed herein. The two linearly polarized antennas may be located deeper in the vehicle, such as in the floor, dashboard or center console of the vehicle.
Fig. 14 shows a first RF circuit 1400, a second RF circuit 1401, and a portion 1403 of a portable access device (e.g., one of the portable access devices described above). Although a number of RF circuits are shown, any number of RF circuits may be included and may be in communication with the portable access device. The first RF circuit 1400 includes a serial transmit module 1402, an RF transceiver module 1404, a switch 1406, a splitter 1408, a uniaxially polarized (or monopole) antenna 1410, a delay module 1412, and a circularly polarized antenna assembly 1414. Antennas 1410, 1414 may be implemented as multi-axis polarized RF antenna assemblies of fig. 11. Although the RF circuits are shown with a single axis antenna and a circularly polarized antenna, respectively, to provide 3 polarization axes, the RF circuits may include only two single axis polarized antennas, respectively. Many arrangements of linear and circular polarized antenna axes make it possible to achieve polarization diversity in the module, thereby preventing cross-polarization and/or co-linear alignment of nulls. If the RF circuit includes two single axis antennas, the portable access device includes a tri-axis antenna or three single axis antennas that are orthogonal relative to each other to correspond to the x, y, and z axes.
The serial transmit module 1402 may communicate with one or more vehicle modules (e.g., the vehicle control module or access module disclosed above) via a serial bus according to a Serial Peripheral Interconnect (SPI) protocol. Discrete signals (or general purpose I/O signals) may be sent between the modules 1402, 1404 and between the RF transceiver module 1404 and the switch 1406. The RF transceiver module 1404 may communicate with the PEPS module 211 (of fig. 3). The switch 1406 switches between the antennas 1410, 1414. Splitter 1408 can split individual signals received from RF transceiver module 1404 and provide signals to antenna 1410 and antenna 1414 and/or combine signals received from antenna 1410 and antenna 1414. Splitter 1408 may be a 90 ° splitter and splits a single signal into two 90 ° out of phase signals and provides the signals to two feed points (e.g., feed points 1120, 1122 of fig. 11) on a circularly polarized antenna. Splitter 1408 may provide signals to antenna 1414 or receive signals from antenna 1414 via delay module 1412.
The second RF circuit 1401 includes a switch 1420, a splitter 1422, a uniaxially polarized (or monopole) antenna 1424, a delay module 1426, and a circularly polarized antenna 1428. Antennas 1424, 1428 may be implemented as multi-axis polarized RF antenna assemblies of fig. 11. Devices 1420, 1422, 1424, 1426, 1428 may operate similarly to devices 1406, 1408, 1410, 1412, 1414. The switch 1420 may be in communication with the RF transceiver module 1404. Switch 1406 may also connect splitter 1408, uniaxially polarized antenna 1410, and/or switch 1420 to RF transceiver module 1404. Switch 1420 may connect uniaxially polarized antenna 1424 or splitter to switch 1406 or RF transceiver module 1404.
Portion 1403 includes 3-axis LF antenna 1430, LF module 1432, RF module 1434, user interface 1436, first uniaxially polarized antenna 1438, second uniaxially polarized antenna 1440, and switch 1442. The LF module 1432 transmits and receives LF signals via the 3-axis LF antenna 1430. The RF module 1434 transmits and receives RF signals via the switch 1442 and the antennas 1438, 1440. The switch 1442 connects one or more antennas 1438, 1440 to the RF module 1434. Discrete signals and Serial Peripheral Interconnect (SPI) signals may be transmitted between the LF module 1432 and the RF module 1434. Discrete signals may be sent between the RF module 1434 and the switch 1442.
RF signals are transmitted between (i) antennas 1410, 1414, 1424, 1428 and (ii) antennas 1438, 1440. As an example, antennas 1410, 1424 can be associated with the z-axis and antennas 1414, 1428 can be associated with the x-axis and the y-axis, respectively. Antennas 1438, 1440 may be, for example, slot antennas associated with the x-axis and the y-axis, respectively. As described above, the 3-axis LF antenna 1430 may communicate with LF antennas on corresponding vehicles. The LF antennas may be used for the purpose of waking up the downlink. RF antennas may be used for authentication and communication.
Antennas 1410, 1414 may be used for communication with antennas 1438, 1440 or antennas 1424, 1428 may be used for communication with antennas 1438, 1440. Alternatively, one of the antennas 1410, 1424 and either of the antennas 1414, 1428 may be used to communicate with the antennas 1438, 1440. One or more antennas in circuit 1400 may be used when using one or more antennas in circuit 1401. By using one monopole (or linearly polarized) RF antenna and a dipole (or multiaxial polarized) RF antenna (such as a circularly polarized antenna), the number of RF switching channels to be polled is reduced from 3 to 2. In measuring the round trip time and the phase delay of the packet, a heuristic measurement of the RSSI of the continuous wave tones of the packet may be made. This may be repeated across multiple frequencies.
Fig. 15 shows a portion 1500 of a key fob having two linearly polarized slot antennas 1502, 1504, a metal trim 1506, and a spare key 1508. The metal in the key fob may short circuit the field that would otherwise solidify steadily along the long dimension (or Y dimension) of the key fob. As a result, it may be difficult to design an efficient radiator with a structure that would otherwise include a properly operating antenna. Antenna 1502 is an x-axis linearly polarized slot antenna. The antenna 1504 is a y-axis linearly polarized slot antenna. The metal trim piece 1506 may be a cast decorative trim piece. The key fob may also include an LF coil antenna 1510, a processor (not shown), a battery 1512, and a metal plate (or conductive film) 1514. The RF signal is provided to the metal plate 1514 and the openings of the slot antennas 1502, 1504 to radiate electromagnetic waves.
Fig. 16 shows a portion 1600 of the key fob of fig. 15, but without the metallic trim 1506 and spare key 1508. Portion 1600 includes an x-axis linearly polarized slot antenna 1502 and a y-axis linearly polarized slot antenna 1504. The removal of the metallic trim 1506 and the spare key 1508 support radiation from the slot antenna. Although this configuration is configured to work with nearby metals, such as a metal trim and a spare key, the diagrams of fig. 17 and 18 are still shown, which are tilted from the diagrams when the metal trim and spare key are included. Fig. 17 shows a polar plot of the radiated power associated with the x-axis linearly polarized slot antenna 1502 of the portion 1600 of the key fob of fig. 16. Fig. 18 shows an example polar plot of radiated power associated with the y-axis linearly polarized slot antenna 1504 of portion 1600 of the key fob of fig. 17. Fig. 19 shows the return loss (in decibels (dB)) versus frequency plot of the linearly polarized slot antennas 1502, 1504 of fig. 16, where curves S1,1 are the reflected power for a first port or antenna 1502 of a first radio (or transmitter) and S2,2 are the reflected power for a second port or antenna 1504 of a second radio (or transmitter). The structure of the key fob may be provided to provide S1,1 and S2,2 diagrams, wherein the "dip" or minimum return loss for the S1,1 and S2,2 curves are at the same frequency as each other or within a predetermined range to provide improved performance.
Return loss is a way of measuring the extent to which an antenna converts a voltage on a terminal of the antenna into an electric field in space or the extent to which an antenna converts an electric field in space into a voltage on a terminal. Return loss is a decibel measurement of how much power is reflected on a terminal. For example, if the return loss is 0 dB, all power is reflected and no power is transmitted on the terminals. As another example, a return loss of -10 dB means that approximately 10% of the power is reflected and 90% of the power is transmitted. When the return loss plot includes a curve that is concave to a reasonable level at the operating frequency (e.g., -6 dB), then the corresponding antenna works well. If the return loss is recessed to -10 dB, the antenna is considered to be a good performing antenna. Return loss is measured as an S parameter. S1,1 is the return loss of port 1. S2,2 is the return loss of port 2.
Fig. 20 shows a portion 2000 of the key fob of fig. 15 without the metallic trim 1506 but including a spare key 1508. Fig. 21 shows a polar plot of the radiated power associated with the x-axis linearly polarized slot antenna 1502 of portion 2000 of the key fob of fig. 20. Fig. 22 shows a polar plot of the radiated power associated with the y-axis linearly polarized slot antenna 1504 of portion 2000 of the key fob of fig. 20. The addition of a spare key may negatively impact the y-polarization but is acceptable for operation. Fig. 23 shows return loss versus frequency plots for the linearly polarized slot antennas 1502, 1504 of fig. 20, where S1,1 is for the antenna 1502 and S2,2 is for the antenna 1504.
Fig. 24 shows a portion 2400 of the key fob of fig. 15 with a portion of a metallic trim 2402 and a spare key 1508. The addition of a metallic trim 2402 near the spare key 1508 may negatively impact operation, as shown in the diagrams and curves of fig. 25-27. Fig. 25 shows a polar plot of the radiated power associated with the x-axis linearly polarized slot antenna 1502 of portion 2400 of the key fob of fig. 24. Fig. 26 shows a polar plot of the radiated power associated with the y-axis linearly polarized slot antenna 1504 of the portion of the key fob of fig. 24. Fig. 27 shows a return loss versus frequency plot for the linearly polarized slot antenna of fig. 24, where S1,1 is for antenna 1502 and S2,2 is for antenna 1504. Figures 19, 23 and 27 show that the antenna works well at the frequency range of interest (e.g., 2.4-2.8 GHz).
Referring to portion 1500 of fig. 15, in the presence of the entire metallic trim piece 1506, the operation of the antenna is further negatively affected, as shown in the diagrams and curves of fig. 28-30. Fig. 28 shows a polar plot of the radiated power associated with the x-axis linearly polarized slot antenna 1502 of section 1500. Fig. 29 shows a polar plot of the radiated power associated with the y-axis linearly polarized slot antenna 1504 of portion 1500. Fig. 30 shows return loss versus frequency plots for linearly polarized slot antennas 1502, 1504, where S1,1 is for antenna 1502 and S2,2 is for antenna 1504.
Since each of the antennas 1502, 1504 has an open end, the y-axis linearly polarized slot antennas 1502, 1504 are open slot antennas. Fig. 31 shows a portion 3100 of a key fob having an open linearly polarized slot antenna 3102, a closed linearly polarized slot antenna 3104, metal trim 3106 and a spare key 3108. Fig. 32 shows a polar plot of the radiated power associated with the x-axis linearly polarized slot antenna 3102 of portion 3100. Fig. 33 shows a polar plot of the radiated power associated with the y-axis linearly polarized slot antenna 3104 of portion 3100. Fig. 34 shows return loss versus frequency plots for the linearly polarized slot antennas 3102, 3104 of fig. 31. Fig. 34 shows that the antenna measured at ports S2,2 is malfunctioning.
When the portable access device has multiple orthogonal antennas as described above, the portable access device is larger compared to the corresponding physical metal key and the portable access device is larger compared to the palm, providing improved round trip time performance for the removal of the decorated metal trim. The improved round trip time performance improves the accuracy of the distance determination.
The systems disclosed herein may be operated using a variety of methods described herein. Several example methods of determining which antenna combination to use are illustrated in fig. 35 and 36. Fig. 35 and 36 illustrate a method of determining which antenna combination to use for exchanging packets between an RF antenna module (or RF circuit) of a vehicle and a portable access device for a round trip time-of-flight measurement. Fig. 35 and 37 present the method from the perspective of the initiator of the round trip time of flight measurement. In one embodiment, this is a vehicle. In another embodiment, this is a portable access device. The reflector/responder will perform explicit steps corresponding to the initiator steps in the process. The round trip time-of-flight measurements may be used to deter extended range relay attacks, as described further below. Fig. 35 illustrates a method of switching antennas between packets. Fig. 36 illustrates a method of switching antennas during transmission of a packet and/or Continuous Wave (CW) tone.
Although the following operations are described primarily with respect to the implementations of fig. 2-6, 11, and 14, these operations may be readily modified to apply to other implementations of the present disclosure. This operation may be performed iteratively.
The method may begin at 3500. The following operations may generally be performed simultaneously by the control module 402 in the portable access device 400 and the modules located on the vehicle (e.g., via the access module 210, the PEPS module 211, and/or the PAK module 212 of fig. 4). There are a number of ways in which the frequency and antenna combination may be selected to be sampled to subsequently identify the best frequency (or channel) and antenna axis. Optionally, at 3501, the module negotiates an initial frequency (or channel) and antenna combination for use in frequency and antenna sounding. This step may be based on a priori protocols, negotiations between modules based on posterior data, and/or commanded by modules based on posterior data. At 3502, a frequency (or channel) to transmit the first (or next) packet is selected.
At 3504, an antenna pair is selected at which to transmit and receive packets, such as two of the antennas of the RF circuit of the vehicle of fig. 11. At 3506, the packet is transmitted from the first (or transmit) antenna to the portable access device at the selected frequency. The portable access device measures the transmitted RSSI and transmits the packet back as a first RSSI to the second (or receiving) antenna in the selected antenna pair.
At 3508, the second antenna receives the packet and/or a response to the transmission of the packet and the first RSSI. At 3512, a second RSSI is measured for a second transmission of the packet. At 3514, the first RSSI and the second RSSI are stored in memory in association with the packet, the selected frequency, and the selected antenna pair.
At 3516, if another pair of antennas is to be selected, operation 3504 is performed, otherwise operation 3518 is performed. This allows for cycling through each antenna pair arrangement for each selected frequency. The arrangement of pairs of antennas may be cycled through in a pseudo-random and/or predetermined order.
At 3518, if another frequency (or channel) is to be selected, operation 3502 is performed, otherwise operation 3520 is performed. This allows cycling through each frequency (or channel). This allows the RSSI of each frequency (or channel) to be determined. Multipath fast fading may result in some frequencies having lower power levels (or RSSI values). As an example, frequencies over 37 BLE data channels may be cycled in a pseudo-random and/or predefined order to determine the best frequency and/or channel and best antenna pair for transmission of other packets.
Optionally, at 3519, after cycling through a set of predetermined, negotiated, and/or agreed upon frequency and antenna axis pairs, the algorithm may cause the nodes (control modules) to optionally exchange antenna and/or channel RSSI results. Because of the reciprocity of the RF channels, the module may use a heuristic that selects the antenna axis used by the module, rather than sharing the antenna RSSI measurements taken by the module. Due to the reciprocity of RF channels, the module may use heuristics to select channels (frequencies) without results from other channels, but the module may use algorithms that select channels based on results from channels. In this case, the algorithm and system are more immune to interference from other transmitters in the vicinity.
At 3520, after cycling through a predetermined number of frequencies and antenna pairs, the antenna axis combination and/or frequency (channel) with the best RSSI is selected for transmitting the remaining packets. The antenna axis combination with the highest RSSI is the best. For frequencies (or channels), antenna axis combinations that do not have low RSSI and/or do not have high RSSI are preferred. At 3522, identifiers of antenna pairs and/or frequencies (channels) that may be selected may be encrypted. At 3524, the encrypted selected antenna axis pair and/or frequency (channel) may be transmitted to another node. At 3526, packets are transmitted and responses are received using the selected frequency (channel) and antenna pairs. The method may end at 3528.
Although the following operations of fig. 36 are described primarily with respect to the implementations of fig. 2-6, 11, and 14, these operations may be readily modified to apply to other implementations of the present disclosure. These operations may be performed iteratively.
The method may begin at 3700. The following operations may generally be performed concurrently by the control module 402 in the portable access device 400 and the modules located on the vehicle (e.g., via the PEPS module 211 and/or the PAK module 212 of fig. 4). The sampled frequency and antenna combination may be selected using a variety of different techniques to identify the optimal frequency (or channel) and antenna axis. Optionally, in 3701, the module negotiates an initial frequency (or channel) and antenna combination to be used in frequency and antenna sounding. This step may be negotiated between modules based on a priori protocol, based on posterior data, or commanded by modules based on posterior data. At 3702, a frequency (or channel) is selected to transmit the first (or next) packet.
At 3704, an antenna pair is selected to transmit and receive packets, such as two of the antennas of the RF circuit of the vehicle of fig. 11. At 3706, the packet is transmitted from the first (or transmit) antenna to the portable access device at the selected frequency. With pauses (dwells) during the CW tone portions of the packets, the vehicle switches between a set of negotiated antenna axes. The portable access device switches between a set of negotiated antenna axes using a dwell in each of the vehicle antenna axes "switch" and "dwell", measures the RSSI of the transmit and receive antenna axis arrangements during this reception for periods within the CW tone, and transmits the packet and the first set of measured RSSI back to the vehicle, and then switches between a set of negotiated antenna axes using the dwell during the CW tone portion of the antenna pair selected packet.
At 3708, the vehicle receives the packet and/or a response to the transmission of the packet and the first set of RSSI. At 3712, a second RSSI is measured for a second transmission of the packet. At 3714, the first RSSI and the second RSSI are stored in memory in association with the packet, the selected frequency, and the selected antenna pair.
At 3716, if another packet is to be sent, operation 3718 is performed, otherwise operation 3726 is performed. At 3718, if another antenna pair is to be selected, operation 3720 is performed, otherwise operation 3724 is performed. This allows for cycling through each antenna pair arrangement for each selected frequency. The arrangement of pairs of antennas may be cycled through in a pseudo-random and/or predetermined order.
At 3720, the first transmission of the next packet is started using the previously transmitted antenna of the previously selected antenna pair.
At 3722, switching occurs between the previous antenna pair and the next selected antenna pair. This may occur during the CW tone of the packet currently being transmitted or during another portion of the packet currently being transmitted such that the remainder of the packet is transmitted via the transmit antenna of the next selected antenna pair. Operation 3708 may be performed after operation 3722.
At 3724, if another frequency (or channel) is to be selected, then operation 3704 is performed, otherwise operation 3718 is performed. This allows cycling through each frequency (or channel). This allows the RSSI of each of the frequencies (or channels) to be determined. Multipath fast fading may result in some frequencies having lower power levels (or RSSI values). As an example, frequencies over 37 BLE data channels may be cycled in a pseudo-random and/or predefined order to determine the best frequency and/or channel and best antenna pair for transmission of other packets. At 3725, the antenna and RSSI result values may be exchanged as described above in 3519.
At 3726, after cycling through a predetermined number of frequency and antenna pairs, the antenna combination and frequency and/or channel with the best RSSI is selected for transmitting the remaining packets.
At 3728, the identifier of the selected antenna pair may be encrypted. At 3730, each remaining packet may be encapsulated to include an encrypted identifier, or modified to include an encrypted identifier. At 3732, the encapsulated or modified packet is transmitted using the selected frequency, channel, and antenna pair and a response is received. The method may end at 3734.
In the above method, packets transmitted to determine the best frequency, channel, and antenna pair may be discarded. The discarded packets are used only to measure the RSSI value. In another embodiment, CW tones are included at the end of the packet and antenna switching occurs during these tones. In another embodiment, a predetermined period of time (e.g., 4 ps) is allocated for each antenna permutation, CW tones are included at the end of the packet, and the antenna pair with the best RSSI (or power value) is selected. The selected frequency, channel, and/or antenna pair may be altered if another nearby network device is transmitting and/or receiving data within the same frequency range. In an embodiment, the manner in which frequencies are selected during the methods of fig. 35 and 36 may be known and may be shared between the access module of the vehicle and the portable access device.
Operations 3526 and 3732 may be performed to authorize the portable access device, detect extended range repeater attacks by the portable access device, provide access to the interior of the vehicle, and/or perform other PEPS system and/or PAK system operations. As an example, a packet may be sent to authorize the portable access device, and when it is determined that the portable access device and/or the corresponding user is authorized to access the vehicle, access to the vehicle interior may be provided. This may include allowing operation of the vehicle. The packets may be sent for time-of-flight measurements, including the time at which the packets were sent to the portable access device and the time at which the responses were made and the corresponding responses received from the portable access device. Based on the measured time of flight value, an access module (e.g., a PEPS module or a PAK module) of the vehicle may determine whether the portable access device is attempting to perform a range-extended relay attack. If the portable access device is attempting to perform an extended range relay attack, the access module performs one or more countermeasures, including blocking access to the vehicle interior. Countermeasures may include notifying the owner of the vehicle of the extended range relay attack. This may be done, for example, via a text message or email sent from the access module to the owner's one or more network devices. One or more alert signals may be generated and the central monitoring station and/or institution may be notified of the attack.
Fig. 37 shows a time-of-flight measurement diagram 3800 including an initiating and measuring device 3802 and a reflecting (or responding) device 3804. The initiating and measuring device 3802 sends a radio message (e.g., a packet) to the reflecting device 3804, which reflecting device 3804 then responds and resends the radio message back to the initiating and measuring device 3802. The time of flight (or the total time of transmission and reception of these signals) is equal to the sum of (T_2 - T_1), (T_3 - T_2) and (T_4 - T_3), where: T_2 - T_1 is the amount of time a radio message travels from the initiating and measuring device 3802 to the reflecting device 3804; T_3 - T_2 is the amount of time that the reflective device 3804 responds; and T_4 - T_3 is the amount of time that a radio message travels from the reflecting device 3804 to the initiating and measuring device 3802. Example average time-of-flight and distance calculations may be performed according to equations 1-4, where distance refers to the distance between the initiating and measuring device 3802 and the reflecting device 3804.
Average time of flight = [(total time) - (response time)]/2 (1)
Average time of flight = [(T_4 - T_1) + (T_3 - T_2)]/2 (2)
Distance = speed × time (3)
Distance = c × [(T_4 - T_1) + (T_3 - T_2)]/2 (4)
When a timer is used to time the response time T_3 - T_2, the amount of timing information may be reduced to adjust the tuning information measured and associated with the response time. If the initiator does not know the amount of time, the time T_3 - T_2 may be reported back to the initiator.
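The round-trip check described above can be worked through as follows, taking equation 1 literally (total time minus the reflector's response time, halved). This is an added example and not code from the patent; the `Exchange` type, the 5 m limit, the picosecond timestamps and the sample exchanges are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

C_M_PER_S = 299_792_458        # speed of light
PS_PER_S = 10**12              # timestamps below are integer picoseconds


@dataclass(frozen=True)
class Exchange:
    t1: int  # initiator clock: message leaves the initiator
    t2: int  # reflector clock: message arrives at the reflector
    t3: int  # reflector clock: response leaves the reflector
    t4: int  # initiator clock: response arrives at the initiator


def one_way_tof_ps(x):
    """Equation 1: (total time - response time) / 2."""
    total = x.t4 - x.t1        # measured on the initiator's clock only
    response = x.t3 - x.t2     # measured on the reflector's clock only
    return (total - response) / 2


def distance_m(x):
    """Equation 3: distance = speed * time."""
    return C_M_PER_S * one_way_tof_ps(x) / PS_PER_S


def range_error_per_tick_m(tick_ps):
    """Distance error caused by one timer tick of error in the round trip."""
    return C_M_PER_S * tick_ps / PS_PER_S / 2


def make_exchange(true_distance_m, response_ps, added_delay_ps=0, reflector_offset_ps=0):
    """Build constructed timestamps; added_delay_ps is extra latency in each direction."""
    flight = round(true_distance_m / C_M_PER_S * PS_PER_S) + added_delay_ps
    t1 = 0
    t2 = t1 + flight
    t3 = t2 + response_ps
    t4 = t3 + flight
    # The reflector's clock is not synchronised with the initiator's.
    return Exchange(t1, t2 + reflector_offset_ps, t3 + reflector_offset_ps, t4)


def assess(exchanges, max_distance_m):
    """Return (decision, median distance in metres) for a series of exchanges."""
    distances = [distance_m(x) for x in exchanges]
    estimate = median(distances)
    if min(distances) < 0:
        return "invalid", estimate      # reported response time exceeds the total time
    if estimate > max_distance_m:
        return "deny", estimate         # too far away, or extra latency in the path
    return "allow", estimate


# Constructed samples: a fob 2 m away, and the same fob reached over a 60 m
# path that also adds 300 ns of latency in each direction.
NEARBY = [make_exchange(2.0, 150_000_000, reflector_offset_ps=987_654_321) for _ in range(5)]
RELAYED = [make_exchange(60.0, 150_000_000, added_delay_ps=300_000) for _ in range(5)]

if __name__ == "__main__":
    print(assess(NEARBY, max_distance_m=5.0))
    print(assess(RELAYED, max_distance_m=5.0))
    print(round(range_error_per_tick_m(1_000_000), 1), "m per 1 us timer tick")
```

Only same-clock differences enter the result, so the reflector's clock offset cancels, while a single 1 µs tick of timing error already corresponds to roughly 150 m of range.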
Fig. 38 shows an example BLE radio 3900 with a superheterodyne receiver 3902 and a transmitter 3904. BLE radio 3900 may be used as one of transceivers 222 of fig. 3, for example, and may include or be part of one of RF antenna module 40 and RF circuitry 223. In another embodiment, BLE radio 3900 is used as a transceiver in a portable access device, such as transceiver 410 of portable access device 400 of fig. 6. Superheterodyne receiver 3902 converts the received signal to a fixed Intermediate Frequency (IF) using mixing. The superheterodyne receiver 3902 includes an RF (e.g., bandpass) filter 3906, a switching and balun 3908, a low noise amplifier 3910, a down converter 3912, a bandpass filter and amplifier 3914, an analog-to-digital converter 3916, a demodulator 3918, and a correlation and protocol module 3920. The transmitter 3904 includes a processing module 3922, a protocol module 3924, a Gaussian Frequency Shift Keying (GFSK) modulator 3926, a digital to analog converter and low pass filter 3928, an up-converter 3930, and a power amplifier 3932. The crystal oscillator(s) 3934 may generate one or more clock signals that may be distributed to the devices 3914, 3916, 3918, 3920, 3922, 3924, 3936, 3938 and the phase-locked loops 3940, 3942. As an example, the processing module 3922 and the related and protocol module 3920 may be implemented as a single module and as part of one or more of the modules 204, 210, 211, 212 of fig. 3. The operations performed by modules 3922 and 3920 may be implemented by any of modules 204, 210, 211, 212 of fig. 3-4. One or more of devices 3906, 3908, 3910, 3912, 3914, 3916, 3918, 3920, 3924, 3926, 3928, 3930, 3932, 3934, 3936, 3938, 3940, and 3942 may be implemented as part of RF circuitry 223 and/or as part of one or more of modules 204, 210, 211, 212.
The band pass filter 3906 may be connected to a linearly polarized antenna and/or a circularly polarized antenna (denoted 3907). The down converter 3912 down converts the received signal from an RF frequency to an IF frequency based on the signal from the phase locked loop 3942. Up-converter 3930 up-converts the IF signal to an RF signal based on the signal from phase-locked loop 3940.
The GFSK modulator 3926 and demodulator 3918 may modulate and demodulate bits of a signal according to the GFSK protocol. Fig. 39 shows an example GFSK parameter definition diagram, including a diagram of the transmit carrier frequency F_c illustrating zero-crossings and errors. As an example, the transmit carrier frequency F_c may be ±250 KHz or ±500 KHz, with a symbol time of 1 µs or 0.5 µs and a zero-crossing error of 1/8 of 1 µs (1 Mbps) or 1/8 of 0.5 µs (2 Mbps).
Figure 40 shows a functional block diagram of a system 4100 for transmitting BLE packets. An example format of a BLE packet 4101 is shown, including a preamble, an access address, a Protocol Data Unit (PDU), and Cyclic Redundancy Check (CRC) bit fields. This is an example of a packet that may be received by the correlation and protocol module 3940 of fig. 37 and/or generated by the processing module 3922 and/or the protocol module 3924.
The preamble of the packet is AA or 55 such that the last bit of the preamble is different from the first bit of the access address. The access addresses of the peripheral and central devices 4102, 4104 are the same. The sensor 4106 may be used to monitor the packet. The access address is the same for each packet and each connection interval. The access address follows BLE access address rules. Packets within the same connection interval are within the same RF channel. Example preambles and access addresses for BLE 1M packets and BLE 2M packets are shown in fig. 41. The preamble is a pattern of A's or a pattern of 5's (AA or 55 at 1 Mbit/s and AAAA or 5555 at 2 Mbit/s) such that the last bit of the preamble is different from the first bit of the access address. This is illustrated by the bits in circle 4200.
The access address for the advertising channel packet may be 10001110100010011011111011010110b (0x8E89BED6). Each link layer connection between any two devices and each periodic advertisement has a different access address. The access address may be a 32-bit value. Each time a new access address is required, the link layer may generate a new random value that satisfies the following rules. The access address: is not an address corresponding to an existing link layer connection on the network device; is not an address for an enabled periodic advertisement; has no six consecutive 0s or 1s; is not the advertising channel packet access address; is not a sequence that differs from the advertising channel packet access address by only one bit; and does not include four equal octets. The number of transitions of the access address does not exceed 24. The seed of the random number generator is from a physical source of entropy and has at least 20 bits of entropy. If the random number of the access address does not meet the above rules, a new random number is generated until the rules are met. For implementations that also support BLE coded physical layers (PHYs), the access address may also have at least three 1s in the least significant 8 bits and no more than 11 transitions in the least significant 16 bits. In a normal BLE packet, the preamble gives away the first bit of the access address, and the access address rules sometimes give away the next bit of the access address (e.g., no more than 6 consecutive 0s or 1s). This may cause ranging security problems because an attacker may predict bits, which may be reduced or eliminated by the implementations disclosed herein.
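The rule check and regenerate-until-valid loop described above, together with a count of the bit positions those rules leave predictable, can be sketched as follows. This is an added example, not code from the patent or from any BLE stack. Assumptions: the run limit follows the "no more than 6 consecutive" wording at the end of the paragraph, bits are taken least significant first (the order in which BLE sends the access address), `secrets` stands in for the entropy-seeded generator, and `SAMPLE` is a constructed address.

```python
import secrets

ADV_ACCESS_ADDRESS = 0x8E89BED6   # advertising channel access address quoted in the text
MAX_RUN = 6                       # longest allowed run of equal bits (assumed reading)
MAX_TRANSITIONS = 24
SAMPLE = 0x6B7E5A93               # constructed address containing one run of six 1s


def bits_tx_order(aa):
    """The 32 address bits, least significant bit first."""
    return [(aa >> i) & 1 for i in range(32)]


def longest_run(bits):
    best = run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def transitions(bits):
    return sum(a != b for a, b in zip(bits, bits[1:]))


def violations(aa, in_use=frozenset(), coded_phy=False):
    """List the rules from the text that `aa` breaks (an empty list means acceptable)."""
    bits = bits_tx_order(aa)
    found = []
    if aa in in_use:
        found.append("already used by a connection or periodic advertisement")
    if longest_run(bits) > MAX_RUN:
        found.append("more than six consecutive equal bits")
    if aa == ADV_ACCESS_ADDRESS:
        found.append("equals the advertising access address")
    if bin(aa ^ ADV_ACCESS_ADDRESS).count("1") == 1:
        found.append("differs from the advertising access address by one bit")
    if len(set(aa.to_bytes(4, "little"))) == 1:
        found.append("four equal octets")
    if transitions(bits) > MAX_TRANSITIONS:
        found.append("more than 24 transitions")
    if coded_phy:
        if bin(aa & 0xFF).count("1") < 3:
            found.append("fewer than three 1s in the least significant 8 bits")
        if transitions(bits[:16]) > 11:
            found.append("more than 11 transitions in the least significant 16 bits")
    return found


def new_access_address(in_use=frozenset(), coded_phy=False):
    """Draw random 32-bit values until one satisfies every rule."""
    while True:
        candidate = secrets.randbits(32)
        if not violations(candidate, in_use, coded_phy):
            return candidate


def forced_positions(aa):
    """Transmit-order positions whose value follows from what was sent before them."""
    bits = bits_tx_order(aa)
    forced = [0]                  # the preamble's last bit is the complement of bit 0
    run = 1
    for i in range(1, 32):
        if run == MAX_RUN:
            forced.append(i)      # one more equal bit is forbidden, so bit i must flip
        run = run + 1 if bits[i] == bits[i - 1] else 1
    return forced


if __name__ == "__main__":
    print(violations(ADV_ACCESS_ADDRESS))
    print(hex(new_access_address(coded_phy=True)))
    print(forced_positions(SAMPLE))
```

Every position reported by `forced_positions` is a bit that contributes nothing unpredictable to a ranging exchange.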
Fig. 42 shows an example plot of BLE packet signals and the corresponding bits. The first BLE signal 4300 represents the bit stream from the protocol module 3924 of fig. 38. When consecutive bits keep the same value, a normal BLE packet does not return to the carrier (or midpoint level). This is called non-return-to-zero coding. The corresponding bits of the first curve are shown above the curve. The second BLE signal 4302 represents the bit stream from the GFSK modulator (or Gaussian filter) 3926. The Gaussian filter adds a 1/2-bit time lag and loses a little time during transitions. The corresponding bits of the second BLE curve are shown below the second BLE curve. As an example, the carrier frequency may be 2.402 GHz and the frequency of the BLE packet signal may vary between 2.402250 GHz and 2.401750 GHz.
Fig. 43 shows an example plot of BLE packet signals, illustrating the corresponding bits of a stronger BLE packet signal (e.g., a BLE packet signal with a greater RSSI) transmitted with faster edges after leading edge sensing. The first BLE signal 4400 represents the bit stream from the protocol module 3924 of fig. 38. The second BLE signal 4402 represents a bit stream from the GFSK modulator (or Gaussian filter) 3926. The third BLE signal 4404 represents a stronger BLE packet signal transmitted with faster edges after leading edge sensing of the Gaussian bits. The third BLE signal 4404 may be generated by an attacking device. It can be seen that its edges are steeper and transition faster than the transitions of the second BLE curve 4402. This results in the corresponding bits being earlier than the bits of the second curve (or the output of GFSK modulator 3924). An oval 4406 represents a region where differences can be detected and indicated. The corresponding bits of the first BLE curve 4400 are shown above the first BLE curve 4400. The corresponding bits of the second BLE curve 4402 are shown below the second BLE curve 4402. The corresponding bits of the third BLE curve 4404 are shown below the bits of the second BLE curve 4402 and are shifted to the left with respect to the bits of the second BLE curve 4402.
Fig. 44 shows the second BLE curve 4402 and the third BLE curve 4404 of fig. 43, wherein the third BLE curve 4404 has been shifted relative to the second BLE curve 4402. The following operations may be performed to defend against bit acceleration attacks. A bit acceleration attack may refer to an attacking device accelerating the transmission of BLE signals to account for delays associated with the attacking device receiving, processing, and/or modifying and forwarding BLE signals, such as BLE signals transmitted from a key fob and/or other portable access device. Fig. 45 illustrates an example method of detecting a range-extended relay attack. Although the following operations of fig. 45 are described primarily with respect to the implementations of fig. 2-6, 11, and 14, these operations may be readily modified to apply to other implementations of the present disclosure. These operations may be performed iteratively. For example, the following operations may be performed by one or more of the modules 210, 211, 212.
The method may begin at 4600. At 4602, a sliding correlation function is used to align the received input waveform with an idealized Gaussian waveform (or other suitable predetermined waveform) for known bit patterns and bit rates, including scaling the peaks and aligning the received input waveform with the zero offset of the predetermined waveform. This may be accomplished by the correlation and protocol module 3920 of fig. 38. Doing so may identify, for example, a synchronous access word. An example of this is shown in fig. 44.
At 4604, the portion (or portions) 4605 of the received waveform that occur immediately after a zero crossing in time and before the next peak of the predetermined waveform is integrated and accumulated (or summed). This is called positive accumulation.
At 4606, the portion (or portions) 4607 of the received waveform that occurs some time after the peak in time and before the next zero crossing is integrated and accumulated. This is also called positive accumulation.
At 4608, the accumulated values determined at 4604 and 4606 are averaged over the number of transitions used, to provide an indication of the level of bit acceleration attack. The accumulated values may be averaged separately to provide two averages, or the accumulated values may be added and then averaged to provide a single average.
At 4610, it is determined whether an attack has occurred and/or is likely to have occurred based on the one or more averages and one or more predetermined thresholds. At 4612, if an attack has occurred and/or may have occurred, operation 4614 is performed, otherwise operation 4616 is performed. In 4614, countermeasures, such as one of the previously mentioned countermeasures, are performed, including blocking access and/or operation to the corresponding vehicle. One or more alarms may also be generated. As another example countermeasure, data related to the attack may be stored in memory and/or transmitted to the vehicle owner's network device and/or to a central monitoring station. In 4616, access to and/or control of operation of the vehicle is allowed if an attack is not occurring and/or may not occur. The operation control may include: such as unlocking or locking of the doors of the vehicle, remote starting of the engine of the vehicle, internal climate control adjustment of the vehicle, etc. In 4618, the one or more averages may be discarded and/or the previously collected and accumulated data may be discarded. If a sliding window is used to monitor the received signal, the previous portion of the data may be discarded, while the more recent portion may be reserved for subsequent integration, accumulation, and averaging with the newly received data.
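Operations 4602 to 4610 are shown below as an added Python sketch, which is not code from the patent. It assumes 16 samples per bit, a BT = 0.5 Gaussian reference, half-bit integration windows on either side of each reference zero crossing, area measured as received minus reference, and a threshold of 0.05; the two captures are constructed test waveforms.

```python
import math

SPB = 16         # samples per bit (assumed receiver oversampling)
HALF = SPB // 2  # half a bit: zero crossing to the next peak
HW = 2 * SPB     # Gaussian kernel half-width in samples


def shape(bits, bt):
    """NRZ-encode bits as +1/-1 and Gaussian-filter them with bandwidth-time product bt."""
    sigma = math.sqrt(math.log(2)) / (2 * math.pi * bt) * SPB
    taps = [math.exp(-0.5 * (k / sigma) ** 2) for k in range(-HW, HW + 1)]
    total = sum(taps)
    out = [0.0] * (len(bits) * SPB + 2 * HW)
    for j in range(len(bits) * SPB):
        level = 1.0 if bits[j // SPB] else -1.0
        for k, tap in enumerate(taps):
            out[j + k] += level * tap / total
    return out


def align(rx, ref):
    """4602: sliding correlation; return the best lag and rx cut there, peak-scaled to ref."""
    n = len(ref)
    lag = max(range(len(rx) - n + 1),
              key=lambda s: sum(r * x for r, x in zip(ref, rx[s:s + n])))
    cut = rx[lag:lag + n]
    gain = max(abs(v) for v in ref) / max(abs(v) for v in cut)
    return lag, [v * gain for v in cut]


def edge_excess(rx, bits, threshold=0.05):
    """Average, per transition, the area by which rx exceeds the reference around each edge."""
    ref = shape(bits, 0.5)                   # idealized waveform for the known bit pattern
    lag, aligned = align(rx, ref)
    after = before = 0.0
    edges = 0
    for k in range(1, len(bits)):
        if bits[k] == bits[k - 1]:
            continue
        edges += 1
        zc = HW + k * SPB                    # reference zero crossing (bit boundary)
        new = 1.0 if bits[k] else -1.0
        # 4604: zero crossing to next peak, signed toward the new bit value
        after += sum((aligned[i] - ref[i]) * new for i in range(zc, zc + HALF)) / SPB
        # 4606: previous peak to zero crossing, signed toward the old bit value
        before += sum((ref[i] - aligned[i]) * new for i in range(zc - HALF, zc)) / SPB
    after, before = after / edges, before / edges          # 4608
    return {"lag": lag, "after": after, "before": before,
            "attack": max(after, before) > threshold}      # 4610


KNOWN_BITS = [int(c) for c in "011010011100010110010111"]  # constructed known pattern
# Constructed captures: a weak genuine signal delayed by 7 samples, and a stronger
# signal with faster edges (narrower Gaussian, BT = 1.5) delayed by 11 samples.
GENUINE = [0.0] * 7 + [0.4 * v for v in shape(KNOWN_BITS, 0.5)] + [0.0] * 20
FAST_EDGE = [0.0] * 11 + [1.5 * v for v in shape(KNOWN_BITS, 1.5)] + [0.0] * 20
```

Both accumulations come out positive for the fast-edge capture because, once aligned, it holds each bit level longer before the crossing and reaches the next level sooner after it.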
Fig. 46 shows a vehicle 5200 including a Round Trip Time (RTT) responder 5202 and an RTT initiator 5204, and a portable access device 5206 including an RTT initiator 5208 and an RTT responder 5210. As used herein, an "initiator" may refer to a network device that includes BLE radios, transmitters, and/or receivers and initiates a signal or tone exchange. As used herein, a "responder" may refer to a network device that includes a BLE radio, a transmitter, and/or a receiver and that responds to signals and/or tones received from an initiator. The RTT responders 5202, 5210 and RTT initiators 5204, 5208 may be implemented, for example, by the RF antenna module 40, the RF circuit 223 and/or the modules 210, 211, 212 of fig. 3 and include corresponding transmit and receive circuitry. The vehicle 5200 can include an antenna module having a single polarized antenna and a circularly polarized antenna as described above. The RTT responder 5202 and the RTT initiator 5204 may transmit and receive using an antenna. The antennas provide polarization diversity with the antennas (e.g., single polarized antennas) used by RTT initiator 5208 and RTT responder 5210 such that at any time at least one of the above-described antennas of vehicle 5200 has at least one polarization axis that is not cross polarized and that is not co-polarized with the polarization axis of at least one of the antennas of portable access device 5206.
The devices 5202, 5204, 5208, 5210 may each include control modules as described above to perform any of the described operations. The devices 5202, 5204, 5208, 5210 can send and receive RF signals on random channels (e.g., 40 BLE channels over an 80 MHz spectrum). The devices 5202, 5208 may communicate with each other, including sending and receiving signals, while the devices 5204, 5210 may communicate with each other, including sending and receiving signals. The communication between the devices 5202, 5208 may be simultaneous with the communication between the devices 5204, 5210. For security reasons and for detecting attacks, the signals for determining RTT can be transmitted simultaneously and in a bi-directional manner. The devices 5202, 5204 can share the frequency of communication with the portable access device 5206. The frequencies may be indicated in a predetermined order followed by the devices 5202, 5204, 5208, 5210. If a band pass filter is used to monitor both channels simultaneously, the filter introduces a propagation delay.
A typical bandpass filter delay is 0.5 divided by the bandwidth (0.5/bandwidth). The channel spacing of the protocol, the randomness of the channel selection, the randomness of the transmit direction over time, and the simultaneous transmission all force the bandpass filter to detect bits with a group delay that is large compared to the measurable round trip time delay. This further increases the difficulty for the attacking device of performing the extended range relay attack. The vehicle 5200 and portable access device 5206 can each set the transmit power level and transmit channel spacing such that it is impractical for an attacking device to receive a signal with a filter that is wide enough to relay with a sufficiently short delay yet narrow enough to analyze the signal.
In an embodiment, a signal is sent to measure the direct time of flight and determine if there is a predetermined amount of delay (e.g., 10-500 nanoseconds (ns)) typically associated with a range-extending attack device. When relaying signals between the vehicle 5200 and the portable access device 5206, the range-extending attack device may delay the transmitted signal by a predetermined amount. The bi-directional and simultaneous transmission and reception described above makes it difficult for an attacking device to determine the frequency, channel and direction of the transmitted signal at any time. It is also difficult for an attacking device to relay signals without introducing the predetermined amount of delay.
Fig. 47 shows a vehicle 5200 comprising an RTT responder 5202 and an RTT initiator 5204, and a portable access device 5206 comprising an RTT initiator 5208 and an RTT responder 5210. Fig. 47 shows signal paths through corresponding antennas 5300, 5302, 5304, 5306. In an embodiment, antennas 5300, 5302 have a total of three polarizations, and antennas 5304, 5306 have a total of two polarizations. In another embodiment, antennas 5300, 5302 have a total of two polarizations and antennas 5304, 5306 have a total of three polarizations.
Fig. 48 shows a vehicle 5200 including an RTT responder 5202 and an RTT initiator 5204, a portable access device 5206 including an RTT initiator 5208 and an RTT responder 5210, and an extended range relay attack device 5400. The range extension attack device 5400 includes a control module 5402, the control module 5402 including a bandpass filter 5404, a bit signal direction detector 5406, and a bit acceleration attack module 5408. Bandpass filter 5404 is used to detect incoming bits, but has an associated lag time. The bit signal direction detector 5406 determines the direction in which the bit travels (e.g., from vehicle to portable access device or from portable access device to vehicle). The bit acceleration attack module 5408 cannot accelerate bits without introducing a lag time in portions of the symbols (or bits), which can be detected using a sliding correlation function aligned with the ideal waveform and averaging the symbol (or bit) shape over multiple symbols. The above-described lag time may be detected by the access module of the vehicle when determining whether an attack is occurring.
As shown, the range extension attack device 5400 includes amplifiers 5410, such as Low Noise Amplifiers (LNAs) and power amplifiers, for receiving and transmitting purposes. The range extension attack device 5400 may also include mixers for down-conversion and up-conversion purposes. The amplifier 5410 is connected to an antenna 5412.
In addition to performing the above communications simultaneously, the channel may be pseudo-randomly selected, and the access address may also be pseudo-randomly selected. The random selection may be made on board the vehicle and shared with the portable access device in advance. Alternatively, the selection may be made at the portable access device. As another alternative, the selection may be made by a secure cryptographic technique, wherein keying material from one or both of the devices contributes to the pseudo-randomly selected channel sequence and/or access address sequence. In this case, the pseudo-random sequence of access addresses is used as a cryptographically secure bit sequence for the round trip timing measurement exchange. In the case where simultaneous transmission and reception operations are performed on a random channel having a randomly selected access address, where the response is on the same channel as the initiator and the response access address is different from the initiator access address, it is difficult for the range extension attack device to perform the attack without being detected by the access module of the vehicle and/or the control module of the portable access device or devices. The range extension attack device must: listen to all channels in both directions simultaneously; determine the direction of the message passing through the range extension attack device; and detect the bits early and transmit the bits in both directions ahead of time by an appropriate amount to convince the vehicle's initiator and the one or more portable access devices. The range extension attack device must convince the vehicle's initiator and the one or more portable access devices that the portable access device is closer than it actually is and at the correct distance from the vehicle to allow access and/or operational control of the vehicle.
In addition, because Gaussian filtering is used for BLE bits, the attacking device has only a small window, less than about 10-100 ns ahead of the bit detection time, in which to detect and transmit bits ahead of time.
In an embodiment, the RF signals associated with the simultaneous communications described above are monitored by modules 210, 211, 212 of fig. 3, and the stated initiators and responders monitor and/or determine the RSSI value of the signals and the antenna polarization state (e.g., the degree of polarization between the transmit and receive antennas). Based on the RSSI values and polarization, one or more of the modules 210, 211, 212 determine the best path, frequency, channel, and antenna pair for communication. The signal associated with the shortest path (or minimum interference), the best RSSI value, the maximum polarization, etc. is used to indicate which path, frequency, channel, and antenna pair is to be used. This information can also be used to determine which device is transmitting and which device is receiving at any time. The selection of transceiver chips and channels on each device may be random. In an embodiment, one device (at the vehicle or portable access device) may transmit while another device does not transmit but receives. This role may then be switched so that the first device is receiving and the second device is transmitting and not receiving.
While many of the techniques described above and below include monitoring, generating, receiving, transmitting, and/or measuring various parameters at a vehicle access module, and detecting extended range relay attacks based on this information, these techniques may be modified such that some or all of these operations are performed at a control module (or other module) of a portable access device, such as any of the portable access devices disclosed herein. Similarly, various operations are described as being performed at a portable access device; these operations may be performed at an access module of the vehicle.
Examples of different BLE RF transmit frequencies are 2.410 gigahertz (GHz), 2.412GHz, 2.408GHz, and 2.414GHz. These frequencies and other frequencies may be used by RTT initiators and responders and/or corresponding transmitters and receivers.
In an embodiment, other transmitters of the vehicle and/or the portable access device are used to lightly load one or more channels so that an attacking device must use a narrow low-pass filter to detect the RF signals transmitted by the initiator and the responder. The one or more channels may include channels used by the initiator and the responder or may be nearby channels. The signals transmitted on the one or more channels may be dummy signals.
Fig. 49 shows two of the BLE radios 3900 (denoted 3900A and 3900B). The first BLE radio 3900A is used as an initiating and measuring device. The second BLE radio 3900B is used as a reflecting (or responding) device. The initiating and measuring device 3900A may measure the RTT of packets sent from the first BLE radio 3900A to the second BLE radio 3900B, the time for the second BLE radio to respond, and the time for packets to be sent from the second BLE radio 3900B to the first BLE radio 3900A. In another embodiment, the RTT includes the time to send a packet from the processing module 3922A of the first BLE radio 3900A to the correlation and protocol module 3920B of the second BLE radio and from the processing module 3922B or the protocol module 3924B back to the demodulator 3918A or the correlation and protocol module 3920A. This may include measuring the travel time: from the processing module 3922A; through the protocol module 3924A, GFSK modulator 3926A, D/A and low pass filter 3928A, up-converter 3920A, power amplifier 3932A, switch and balun 3908A, and bandpass filter 3906A; to BLE radio 3900B; through bandpass filter 3906B, switch and balun 3908B, low noise amplifier 3910B, down-converter 3912B, bandpass filter and amplifier 3914B, A/D 3916B and demodulator 3918B to correlation and protocol module 3920B. The time of travel from demodulator 3918B or correlation and protocol module 3920B to protocol module 3924B or processing module 3922B may also be determined. The time from protocol module 3924B or processing module 3922B, through GFSK modulator 3926B, D/A and low pass filter 3928B, up-converter 3930B, power amplifier 3932B, switch and balun 3908B, bandpass filters 3906B and 3906A, switch and balun 3908A, low noise amplifier 3910A, down-converter 3912A, bandpass filter and amplifier 3914A, and A/D 3916A, to demodulator 3918A or correlation and protocol module 3920A may also be determined.
Although BLE radio 3900A is described as an initiator and BLE radio 3900B is described as a responder, the operational roles may be switched such that BLE radio 3900B is an initiator and BLE radio 3900A is a responder.
The following operations may be performed to accurately determine RTT between two BLE radios of a vehicle (e.g., BLE radios 3900A, 3900B of fig. 49) and/or between a BLE radio of a vehicle and a BLE radio of a portable access device. These operations are performed to prevent attacks and/or to easily detect when an attack is being performed and/or when an attack has occurred. The following operations may be performed alone or in any combination. In an embodiment, a large predetermined number of packets are exchanged back and forth between BLE radios. The initiator may measure and/or estimate RTT of signals transmitted between BLE radios. This may include: time T1 at which the packet is sent from the first BLE radio to the second BLE radio, time T2 at which the second BLE radio responds, time T3 at which the second BLE radio sends the packet back to the first BLE radio, time T4 at which the first BLE radio receives the packet from the second BLE radio.
In an embodiment, the A/D and D/A clocks of the BLE radios and/or the phase locked loops are dithered between packets. In addition to dithering the clocks where possible, a cryptographically random variation, known to the BLE radios, may be added to the time at which the least significant bit (LSB) generated by a digital timer is transmitted. The use of the cryptographically random variation makes it impossible for an attacking device to predict the exact moment at which transmission takes place.
In an embodiment, each packet includes a pre-agreed cryptographic random multi-bit identifier (PACRMBI) that is, for example, 16 to 256 bits long. In another embodiment, the packet bit content from the initiator and responder is indistinguishable to the attacking device. The attacking device cannot identify from which direction the packet came based on the bit content of the packet, or whether the packet is an initiator packet or a responder packet.
In an embodiment, the channel of the BLE radio is cryptographically randomized. In an embodiment, the determination of which of the BLE radios is the initiator or the responder is cryptographically randomized. In an embodiment, one or both of the BLE radios transmit a dummy packet that the attacking device cannot distinguish from other packets transmitted by the BLE radios. The choice of whether the BLE radio transmits a dummy packet is cryptographically randomized and can be randomly switched. This makes it difficult for an attacking device to determine which are valid packets and the direction of transmission of the packets between BLE radios.
In an embodiment, the polarization of the antenna set used by the BLE radios is initially cryptographically randomized. A heuristic is used that selects which antenna arrangements between BLE radios provide the best "antenna-channel" in the set of channels. This may include: using heuristics to select higher received signal strengths; compensating antenna gain over frequency; monitoring a plurality of channels; using the antenna combination with the highest average or median power; and/or using a Rayleigh fading estimator or a Kalman filter estimator. This may reduce the cryptographically random antenna pattern and concentrate on "antenna-channels" with maximum power and minimum cross-polarization.
In an embodiment, the in-phase and quadrature-phase (IQ) stream at the receiver is upsampled (or interpolated) before being sent, together with an idealized upsampled IQ stream matching the PACRMBI, to the correlation and protocol module of the corresponding one of the BLE radios. As an alternative to using PACRMBIs, the transmitted message may be encrypted, bit decoded as it is received, and then converted into an idealized upsampled IQ stream. The two upsampled streams may be sent through the correlation and protocol module 3920, which may monitor for upsampling clock edges at which there is sufficient correlation to match the PACRMBI. The correlation and protocol module 3920 selects the largest of the matching clock edges. Other clock recovery methods may be used to interpolate sub-bit timing in the round trip timing of the bit stream in the communication channel. This may be performed in conjunction with upsampled correlation or in conjunction with normal clock sampling.
In an embodiment, the amplifier settings are transferred between BLE radios. The amplifier settings are sufficient to compensate for any frequency and amplifier gain variations in propagation delay between BLE radios.
In another embodiment, the measured die temperature in the BLE radios is communicated (or shared) between the BLE radios to compensate for any temperature-based frequency and amplifier gain variations in propagation delay between the BLE radios.
Another operation that may be performed is to communicate balun changes between BLE radios. Another operation is to add a short (e.g., 6 µs) but cryptographically random length (e.g., 4 to 8 µs) continuous wave tone to the packet pair for simultaneous tone exchange ranging while making round trip timing measurements.
Fig. 50 shows a position and distance determination system 5600, the position and distance determination system 5600 comprising an RTT initiator 5602, an RTT responder 5604 and an RTT sniffer 5606. RTT initiator 5602 and RTT responder 5604 may be used as any of the initiators, responders, BLE radios, RF circuits disclosed herein. The RTT sniffer 5606 may be located at the vehicle with one of the RTT devices 5602, 5604 and comprise one of the antenna modules 40 of fig. 2, whereas the RTT device in the vehicle comprises the other of the antenna modules 40. The devices 5602, 5604, 5606 may each include a control module as described above to perform any of the described operations. Polarization diversity as described above is provided: between the antennas of RTT devices 5602, 5604; and between the antenna of one of the RTT devices 5602, 5604 located in the vehicle and the RTT sniffer 5606. Polarization diversity is particularly used when performing round trip timing measurements. Each of the RTT devices 5602, 5604 may include a single polarized antenna and a circularly polarized antenna.
One of the RTT devices 5602, 5604 located in the vehicle may be referred to as a master device, while the other RTT device of the RTT devices 5602, 5604 is referred to as a slave device. When the master device sends a challenge signal to the slave device, the RTT sniffer 5606 acts as a listener and detects (i) when the challenge signal is sent to the RTT sniffer 5606 and/or when the challenge signal is received at the RTT sniffer 5606, and (ii) when the slave device sends a response signal to the challenge signal, and/or (iii) when the RTT sniffer 5606 receives the response signal. The RTT sniffer 5606 may then use triangulation to determine the location of the slave device based on the transmission and/or reception times of the challenge signal and the transmission and/or reception times of the response signal. The master device may also measure round trip timing associated with the challenge signal and the response signal in order to measure a direct path between the antennas rather than a bounce path. This prevents the nulls of the antennas from being aligned and cross polarized.
The master device and RTT sniffer 5606 cooperate to estimate the distance to the slave device. The master device may implement equations 5-7 below to determine the amount of time $T_{MS}$ for sending a challenge signal from the master device to the slave device, where: $T_{SM}$ is the amount of time for the response signal to be sent from the slave device to the master device; $T_{RX}$ is the time at which the response signal is received at the master device; $T_{TX}$ is the time at which the challenge signal is sent from the master device; $T_{SDELAY}$ is the amount of delay time before the slave device responds with a response signal after receiving the challenge signal; and $\mathrm{FixedOffset}_1$ is a first offset amount of time and may be greater than or equal to 0.
$T_{MS}+T_{SM}=T_{RX}-T_{TX}-T_{SDELAY}+\mathrm{FixedOffset}_1$ (5)
$T_{MS}=T_{SM}$ (6)
The RTT sniffer 5606 knows: when a challenge signal is received at RTT sniffer 5606; when a response signal is received at RTT sniffer 5606; and the number of slave clock cycles between the slave device receiving the challenge signal and the slave device transmitting the response signal. The RTT sniffer 5606 (or listener) may use equation 8 to determine the difference between the time $T_{SLRX}$ at which the RTT sniffer 5606 receives the response signal and the time $T_{MLRX}$ at which the RTT sniffer 5606 receives the challenge signal, where: $T_{SL}$ is the amount of time for the RTT sniffer 5606 to receive the response signal; $\mathrm{FixedOffset}_2$ is a second offset amount of time and may be greater than or equal to 0; $T_{ML}$ is the amount of time for the RTT sniffer 5606 to receive the challenge signal; $T_{SLRX}$ is the time at which the RTT sniffer 5606 receives the response signal; and $T_{MLRX}$ is the time at which the RTT sniffer 5606 receives the challenge signal.
$T_{MS}+T_{SDELAY}+T_{SL}+\mathrm{FixedOffset}_2-T_{ML}=T_{SLRX}-T_{MLRX}$ (8)
Since the master device and RTT sniffer 5606 cooperate, information is shared so that one or more of these devices can estimate the distance to the slave device based on equations 9-11. The sum of $T_{MS}$ and $T_{SL}$ may be used in a substitution to provide equations 9-11.
By measuring the arrival time of the challenge signal and the response signal at the RTT sniffer 5606 and sharing this information between the RTT sniffer 5606 and the master device, the distance between the vehicle and the slave device can be estimated. The distance may be estimated by, for example, the master device using the arrival times, the known time $T_{MS}$, and a corresponding known signaling rate. The RTT of the challenge signal may be determined based on the measured time of arrival. The distance may then be determined based on the RTT and the known signaling rate.
Fig. 51 shows another position and distance determination system 5700, the position and distance determination system 5700 comprising an RTT initiator 5702, an RTT responder 5704, and a plurality of RTT sniffers 5706. RTT initiator 5702 and RTT responder 5704 may be used as any of the initiators, responders, BLE radios, RF circuits disclosed herein. The RTT sniffers 5706 may be located at the vehicle together with one of the RTT devices 5702, 5704 and comprise an antenna module (similar to the antenna module 40 of fig. 2). The devices 5702, 5704, 5706 may each include control modules as described above to perform any of the described operations. The RTT device in the vehicle may also comprise an antenna module similar to the antenna module 40 of fig. 2. Polarization diversity is provided: between the antennas of RTT devices 5702, 5704; and between the antenna of one of the RTT devices 5702, 5704 located in the vehicle and the RTT sniffer 5706. Polarization diversity is particularly used when performing round trip timing measurements to measure the direct path between antennas rather than the bounce path. This prevents the nulls of the antennas from being aligned and cross polarized.
One RTT device located in the vehicle of the RTT devices 5702, 5704 may be referred to as a master device, and the other RTT device of the RTT devices 5702, 5704 is referred to as a slave device. When the master transmits a challenge signal to the slave, the RTT sniffer 5706 functions as a listener and detects when the challenge signal is transmitted and detects when the slave transmits a response signal to the challenge signal. The RTT devices 5702, 5704 may operate similarly to the RTT devices 5602, 5604 of fig. 50. Each RTT sniffer 5706 may operate similarly to RTT sniffer 5606.
Time TAB is the amount of time that a challenge signal is sent from RTT initiator 5702 to RTT responder 5704. The time TBA is the amount of time that the corresponding response signal is sent from the RTT responder to the RTT initiator. The time TAC is the amount of time the first RTT sniffer receives the challenge signal. The time TBC is the amount of time the first RTT sniffer receives the response signal. The time TAD is the amount of time the second RTT sniffer receives the challenge signal. The time TBD is the amount of time the second RTT sniffer receives the response signal. The time TAE is the amount of time the third RTT sniffer receives the challenge signal. The time TBE is the amount of time the third RTT sniffer receives the response signal. When TAB and TAC are known, the TBC may be calculated. When TAB and TAD are known, the TBD may be calculated. When TAB and TAE are known, the TBE can be calculated.
If there are enough RTT sniffers, the time TAB can be calculated. For example, if three RTT initiators know the position of the RTT initiator relative to the master (or initiator), time TAB may be calculated. This can be done using equations 12-17 and assuming that all reflections are transient, where: TRxAC is the time at which the first RTT sniffer receives the challenge signal; TRxBC is the time at which the first RTT sniffer receives the response signal; TRxAD is the time at which the second RTT sniffer receives the challenge signal; TRxBD is the time at which the second RTT sniffer receives the response signal; TRxAE is the time at which the third RTT sniffer receives the challenge signal; TRxBE is the time at which the third RTT sniffer receives the response signal; deltaRxAtC is the time difference between the first RTT sniffer receiving the response signal and the first RTT sniffer receiving the challenge signal; deltaRxAtD is the time difference between the second RTT sniffer receiving the response signal and the second RTT sniffer receiving the challenge signal; deltaRxAtE is the time difference between the receipt of the response signal by the third RTT sniffer and the receipt of the challenge signal by the third RTT sniffer. 
The location of the slave device (or responder) may also be determined using equations 18-25, where: xa is the x-coordinate of the master device; ya is the y-coordinate of the master device; za is the z-coordinate of the master device; xb is the x-coordinate of the slave device; yb is the y-coordinate of the slave device; zb is the z-coordinate of the slave device; xc is the x-coordinate of the first RTT sniffer; yc is the y-coordinate of the first RTT sniffer; zc is the z-coordinate of the first RTT sniffer; xd is the x-coordinate of the second RTT sniffer; yd is the y-coordinate of the second RTT sniffer; zd is the z-coordinate of the second RTT sniffer; xe is the x-coordinate of the third RTT sniffer; ye is the y-coordinate of the third RTT sniffer; ze is the z-coordinate of the third RTT sniffer. The x, y, z coordinates of the master device and the RTT sniffers are known and the x, y, z coordinates of the slave device are determined. As described above, TBC, TBD, and TBE may be determined in a similar manner.
TAB+TBC-TAC=TRxBC-TRxAC=deltaRxAtC (12)
TAB+TBD-TAD=TRxBD-TRxAD=deltaRxAtD (13)
TAB+TBE-TAE=TRxBE-TRxAE=deltaRxAtE (14)
TBC=deltaRxAtC+TAC-TAB (15)
TBD=deltaRxAtD+TAD-TAB (16)
TBE=deltaRxAtE+TAE-TAB (17)
Equations 18-21 are trilateration equations.
(xb-xa)^2 + (yb-ya)^2 + (zb-za)^2 = TAB^2 (18)
(xb-xc)^2 + (yb-yc)^2 + (zb-zc)^2 = TBC^2 (19)
(xb-xd)^2 + (yb-yd)^2 + (zb-zd)^2 = TBD^2 (20)
(xb-xe)^2 + (yb-ye)^2 + (zb-ze)^2 = TBE^2 (21)
Equations 22-25 are obtained by substituting equations 15-17 into equations 19-21, giving 4 equations with 4 variables.
(xb-xa)^2 + (yb-ya)^2 + (zb-za)^2 = TAB^2 (22)
(xb-xc)^2 + (yb-yc)^2 + (zb-zc)^2 = (deltaRxAtC+TAC-TAB)^2 (23)
(xb-xd)^2 + (yb-yd)^2 + (zb-zd)^2 = (deltaRxAtD+TAD-TAB)^2 (24)
(xb-xe)^2 + (yb-ye)^2 + (zb-ze)^2 = (deltaRxAtE+TAE-TAB)^2 (25)
When three RTT sniffers are used (e.g., RTT sniffer 5706 as shown), trilateration may be performed using three circles to measure distance and determine the position of the slave device relative to one of RTT devices 5702, 5704 and/or the corresponding vehicle. This may be performed at the master device and/or at one or more RTT sniffers. Information determined at the master device and RTT sniffer may be shared with each other. The time, distance and/or location may be determined and thus updated periodically.
In a vehicle, if an object (e.g., a vehicle occupant's head) is present near and/or between the host device's antenna module and one or more RTT sniffers, such that the object may interfere with the signal sent by the host device, the round trip timing measurements may be updated periodically. This operation may be performed to measure the distance between the master device and the RTT sniffer to detect when a corresponding physical environment/system has changed.
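Equations 22-25 can be solved in closed form: subtracting equation 22 from each of equations 23-25 leaves three equations that are linear in xb, yb, zb and TAB, and equation 22 then reduces to a quadratic in TAB. The Python below is an added example, not code from the patent; the coordinates, the scaling of times to distances by the propagation speed, the instantaneous responder reply, and the `allow_access` policy are assumptions.

```python
import math

C_M_PER_NS = 0.299792458  # propagation speed in metres per nanosecond

# Constructed geometry (metres): master A, sniffers C, D, E and the true responder B.
MASTER = (0.0, 0.0, 0.0)
SNIFFERS = [(2.0, 0.0, 0.0), (0.0, 1.5, 0.0), (0.0, 0.0, 1.2)]
TRUE_RESPONDER = (6.0, 4.0, 1.0)


def dist(p, q):
    return math.sqrt(sum((pi - qi) ** 2 for pi, qi in zip(p, q)))


def simulate_deltas_ns(master, responder, sniffers):
    """deltaRxAtS = TAB + TBS - TAS (equations 12-14), responder replying instantly."""
    tab = dist(master, responder) / C_M_PER_NS
    return [tab + (dist(responder, s) - dist(master, s)) / C_M_PER_NS for s in sniffers]


def det3(a):
    return (a[0][0] * (a[1][1] * a[2][2] - a[1][2] * a[2][1])
            - a[0][1] * (a[1][0] * a[2][2] - a[1][2] * a[2][0])
            + a[0][2] * (a[1][0] * a[2][1] - a[1][1] * a[2][0]))


def solve3(m, v):
    """Solve the 3x3 system m*x = v by Cramer's rule."""
    d = det3(m)
    if abs(d) < 1e-12:
        raise ValueError("master and sniffers are coplanar: geometry is degenerate")
    return [det3([[v[r] if c == col else m[r][c] for c in range(3)] for r in range(3)]) / d
            for col in range(3)]


def locate_responder(master, sniffers, delta_rx_ns):
    """Return every (position, TAB in ns) that satisfies equations 22-25."""
    rows, u, k_all = [], [], []
    for s, delta in zip(sniffers, delta_rx_ns):
        # k = c * (deltaRxAtS + TAS) = c * (TAB + TBS); TAS follows from known positions.
        k = C_M_PER_NS * delta + dist(master, s)
        rows.append([2.0 * (si - ai) for si, ai in zip(s, master)])
        u.append(sum(si * si for si in s) - sum(ai * ai for ai in master) - k * k)
        k_all.append(k)
    # Linear part: b = p + q * r, where r = c * TAB is the master-responder distance.
    p = solve3(rows, u)
    q = solve3(rows, [2.0 * k for k in k_all])
    g = [pi - ai for pi, ai in zip(p, master)]
    # Equation 22, |b - a|^2 = r^2, becomes qa*r^2 + qb*r + qc = 0.
    qa = sum(qi * qi for qi in q) - 1.0
    qb = 2.0 * sum(gi * qi for gi, qi in zip(g, q))
    qc = sum(gi * gi for gi in g)
    if abs(qa) < 1e-12:
        roots = [-qc / qb] if qb else []
    else:
        disc = qb * qb - 4.0 * qa * qc
        if disc < 0.0:
            return []  # measurements are inconsistent with any responder position
        roots = [(-qb + sign * math.sqrt(disc)) / (2.0 * qa) for sign in (1.0, -1.0)]
    candidates = []
    for r in roots:
        # TAB and every TBS = k/c - TAB must be non-negative travel times.
        if r >= 0.0 and all(k - r >= 0.0 for k in k_all):
            b = tuple(pi + qi * r for pi, qi in zip(p, q))
            candidates.append((b, r / C_M_PER_NS))
    return candidates


def allow_access(candidates, master, max_distance_m):
    """Hypothetical policy: allow only if every candidate position is inside the limit."""
    return bool(candidates) and all(dist(master, b) <= max_distance_m for b, _ in candidates)


if __name__ == "__main__":
    deltas = simulate_deltas_ns(MASTER, TRUE_RESPONDER, SNIFFERS)
    for position, tab_ns in locate_responder(MASTER, SNIFFERS, deltas):
        print([round(v, 3) for v in position], round(tab_ns, 3), "ns")
```

With this geometry the solver returns two candidate positions that both satisfy equations 22-25, which is why the policy shown treats the responder as in range only when every candidate is.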
Fig. 52 shows a first network device (or vehicle) 5800 and a second network device (or portable network device) 5802. The first network device 5800 includes a tone exchange responder 5804 and a tone exchange initiator 5806. Tone exchanges are also referred to as unmodulated carrier tone exchanges. The second network device 5802 includes a tone exchange initiator 5808 and a tone exchange responder 5810. Devices 5804, 5806, 5808, 5810 may be implemented as any of the other BLE radios, RF circuits, initiators, responders, etc. disclosed herein. At least one of the devices 5804, 5808, and at least one of the devices 5806, 5808 may include or be connected to a single polarized antenna and a circularly polarized antenna. Devices 5804, 5806, 5808, 5810 may include antenna module 40 of fig. 2 and/or the antenna shown in fig. 11, respectively.
Tone exchanges may be performed between the responder 5804 and the initiator 5808 and between the initiator 5806 and the responder 5810. RTT measurements may be sent in the same packet as the exchange tones. The devices 5804, 5806, 5808, 5810 may randomly select a channel for transmission of the packet. The transmission of the packet may occur simultaneously with the reception of the packet. For example, the initiator 5808 may transmit tones to the responder 5804 on a first channel, while the initiator 5808 receives tones from the responder 5804 on a second channel. While initiator 5804 is transmitting and/or receiving tones, initiator 5806 may transmit and/or receive tones.
The network devices 5800, 5802 may be synchronized in advance, for example, by sequential handshaking (or handshaking) to synchronize clocks of the network devices 5800, 5802. The synchronization may be performed to allow network devices to send signals to each other simultaneously. For example, two 1MHz signals transmitting data may both be transmitted at 1 Mbps. The signals may be 2MHz apart from each other. This prevents the attacking device from being able to perform attacks, such as range extension attacks or attacks that involve active manipulation of tones. If an attacker uses a 1MHz wide bandpass filter, the bandpass filter will have a large amount of lag time, and thus the response speed is not fast enough to attack. If an attacker uses a wideband bandpass filter (such as a 4MHz bandpass filter), the corresponding signal eye will have excessive noise, failing to discern the signal transmitted by the network devices 5800, 5802. As another example, signals may be transmitted from a network device at a symbol transmission rate less than or equal to a predetermined amount of time (e.g., 1ps per symbol). This provides for a fast transmission, thus preventing attacks. In addition, the simultaneous transmission of dual signals further prevents an attacker from being successful, as the attacker would need to detect and affect both signals. As described above, both signals may be transmitted by the same network device or different network devices at different frequencies.
The devices 5804, 5806, 5808, 5810 may change the frequency of the transmitted tone, monitor for phase changes due to frequency changes, and determine the distance between the network devices 5800, 5802 based on the phase changes. This may be referred to as carrier phase based ranging. Alternatively, if a signal is transmitted and received as a result of the signal being reflected back to the source, the phase difference between the transmitted and received signals may be used to determine the modulus of the distance between the source and the reflector. Similarly, the initiator may determine the modulus of the distance between the initiator and the responder based on the phase difference between: (i) a signal sent from the initiator to the responder and (ii) a corresponding signal sent from the responder back to the initiator. The slope of the phase difference with respect to the frequency change corresponds to or is equal to the distance, up to a modulus limit set by the frequency step. The smaller the frequency step size, the greater the modulus distance (see Ólafsdóttir, Ranganathan and Capkun, "On the Security of Carrier Phase-based Ranging," incorporated herein by reference).
As another example, a Received Signal Strength Indicator (RSSI) parameter may be monitored to determine if the network device is close to the vehicle, and then a series of tone exchanges are performed to measure distance. Tone swapping may be performed to ensure no attacks based on the user's door handle touch. Multiple round trip timing measurements may be performed to determine the distance of the network device relative to the vehicle.
The distance determination techniques described above may be used in conjunction with other techniques disclosed herein for determining RTT values. The direction of travel of the tones between devices 5804, 5806, 5808, 5810 may be random.
In one embodiment, the control module of the first network device 5800 plots a phase change versus frequency change for each of a plurality of tones that are swapped to generate a plurality of linear curves. The control module determines a slope of the curve that provides a ratio of the phase change to the frequency change. The slope is then used to determine a distance between adjacent curves, which is related to a distance between the first network device 5800 and the second network device 5802.
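The slope method above only yields the distance modulo a range set by the tone step (about 75 meters for 2MHz steps), so a far device can look near unless a coarse round trip time bounds the result. The Python below is an added example, not code from the patent; the tone plan, the noise-free phase model, the RTT tolerance and the 5 m access limit are assumptions.

```python
import cmath
import math

C = 299_792_458.0   # propagation speed, m/s
F0_HZ = 2.402e9     # constructed first tone in the 2.4 GHz ISM band
STEP_HZ = 2.0e6     # 2 MHz step between adjacent tones
N_TONES = 40


def two_way_phases(distance_m, f0_hz=F0_HZ, step_hz=STEP_HZ, n_tones=N_TONES):
    """Constructed, noise-free measurements: round-trip phase per tone in [0, 2*pi)."""
    return [(-2.0 * math.pi * (f0_hz + k * step_hz) * 2.0 * distance_m / C) % (2.0 * math.pi)
            for k in range(n_tones)]


def ambiguity_range_m(step_hz):
    """Distance at which the phase change between adjacent tones wraps by 2*pi."""
    return C / (2.0 * step_hz)


def phase_slope_distance(phases, step_hz):
    """Distance modulo the ambiguity range, from the slope of phase versus frequency."""
    # The circular mean of adjacent-tone phase differences avoids explicit unwrapping.
    acc = sum(cmath.exp(1j * (b - a)) for a, b in zip(phases, phases[1:]))
    dphi = cmath.phase(acc)  # slope times one frequency step, in (-pi, pi]
    return (-dphi * C / (4.0 * math.pi * step_hz)) % ambiguity_range_m(step_hz)


def resolve_with_rtt(d_phase_m, step_hz, rtt_ns, rtt_tolerance_m):
    """Pick the wrap count that best agrees with the coarse round-trip-time distance."""
    d_rtt = rtt_ns * 1e-9 * C / 2.0
    amb = ambiguity_range_m(step_hz)
    wraps = max(0, round((d_rtt - d_phase_m) / amb))
    d = d_phase_m + wraps * amb
    return d, abs(d - d_rtt) <= rtt_tolerance_m


def allow_access(phases, step_hz, rtt_ns, max_distance_m=5.0, rtt_tolerance_m=10.0):
    """Hypothetical policy: phase and RTT must agree, and the resolved distance must be near."""
    d_phase = phase_slope_distance(phases, step_hz)
    d, consistent = resolve_with_rtt(d_phase, step_hz, rtt_ns, rtt_tolerance_m)
    return consistent and d <= max_distance_m


def rtt_ns_for(distance_m, error_ns=0.0):
    """Constructed round trip time for a distance, with an optional timing error."""
    return 2.0 * distance_m / C * 1e9 + error_ns


if __name__ == "__main__":
    for true_d in (3.0, 78.0):
        phases = two_way_phases(true_d)
        print(true_d, round(phase_slope_distance(phases, STEP_HZ), 3),
              allow_access(phases, STEP_HZ, rtt_ns_for(true_d, 15.0)))
```

A device at 78 m produces the same phase slope as one at about 3.05 m; only the RTT bound separates the two cases.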
Fig. 53 shows a position determination system 5900, the position determination system 5900 comprising a tone exchange initiator 5902, a tone exchange responder 5904, and a tone exchange sniffer 5906. Tone exchange initiator 5902 and tone exchange responder 5904 may be used as any of the initiators, responders, BLE radios, RF circuits disclosed herein. The tone exchange sniffer 5906 may perform similarly to the RTT sniffer 5606 of fig. 50 and may be located at the vehicle with one of the tone exchange devices 5902, 5904 and include one of the antenna modules 40 of fig. 2, while the tone exchange device in the vehicle includes the other of the antenna modules 40. The devices 5902, 5904, 5906 may each include a control module as described above to perform any of the operations described above. Polarization diversity is provided: between the antennas of tone switching devices 5902, 5904; and between the antenna of one of the tone exchange devices 5902, 5904 located in the vehicle and the tone exchange sniffer 5906. Polarization diversity is used in particular when performing round trip timing measurements.
One of the tone exchange devices 5902, 5904 located in the vehicle may be referred to as a master device, while the other of the tone exchange devices 5902, 5904 is referred to as a slave device. Tone exchange device 5906 acts as a listener when a master device transmits tones to a slave device and when a slave device transmits tones to a master device and detects (i) when tones are transmitted to tone exchange device 5906 and/or when tones are received at tone exchange device 5906, (ii) when a slave device transmits tones to a master device, and/or (iii) when tone exchange device 5906 receives tones transmitted by a slave device. The slave device may act as a reflector and transmit the tones received from the master device back to the master device. The master device and/or sniffer device may block at least one of access to the vehicle or operational control based on the arrival time of the tone, the round trip timing measurement, and/or the estimated distance between the devices.
Fig. 54 illustrates a method of determining the distance between an initiator and a responder and between a responder and a sniffer. Although the following operations of fig. 54 are described primarily with respect to the implementations of fig. 50 and 53, these operations may be readily modified to apply to other implementations of the present disclosure, such as the implementations of fig. 2-6, 11, 14, 39, and 46-49. These operations may be performed iteratively. Although the method is described primarily with respect to the implementation of fig. 53, the method may be applied to other embodiments of the present disclosure.
The method may begin at 6000. At 6002, tone exchange initiator 5902 sends a tone signal including a tone to tone exchange responder 5904. The tone may be represented as: where A is tone exchange initiator 5902, B is tone exchange responder 5904, τ_AB is the time of travel from A to B and is directly related to the distance between tone exchange initiator 5902 and tone exchange responder 5904, ω is frequency, t is time, and the expression includes the phase of the tone at tone exchange initiator 5902.
At 6004, the tone is received at tone exchange responder 5904 with a delay and at the tone exchange sniffer 5906 with a delay. At tone exchange responder 5904, the received tone signal is down-converted to baseband, which may be represented by equation 26.
At the tone exchange sniffer 5906, the received tone signal is down-converted to baseband, which may be represented by equation 27.
At 6006, tone exchange initiator 5902 receives the tone from tone exchange responder 5904; tone exchange responder 5904 resends the tone signal back to tone exchange initiator 5902 as a second tone signal. The tone may be represented as: The received second tone signal may be represented by equation 28. The tone exchange sniffer 5906 also receives the second tone signal, which may be represented by equation 29.
At 6008, tone exchange initiator 5902 receives a phase signal from tone exchange responder 5904 indicating a natural log tone value having a tone phase difference when received at tone exchange responder 5904. Thus, tone exchange responder 5904 sends the measured phase to tone exchange initiator 5902, where the values are multiplied as shown in equation 30.
At 6010, based on the received tone signal, the tone exchange sniffer 5906 determines the tone values associated with: a tone phase difference between when transmitted from the tone exchange initiator and when received at the tone exchange sniffer; and a tone phase difference between when transmitted from the tone exchange responder and when received at the tone exchange sniffer. The tone values may be represented as:
At 6012, the initiator 5902 and/or sniffer 5906 determine the distance between the initiator 5902 and the responder 5904 and between the initiator 5902 and the sniffer 5906. The distance value may be determined in a similar manner as described above for sniffing the round trip time; see, e.g., equations 12 and 15 and their corresponding description. Phase is used instead of round trip time. The calculation may include using equation 31, where tone values are measured or determined at sniffer 5906, a value is known a priori, and a tone value is determined at the responder 5904.
The initiator 5902 and/or sniffer 5906 may take the inverse logarithm of the result of equation 31 to provide times τ_BC and τ_AB. The distance between the responder 5904 and sniffer 5906 and between the initiator 5902 and the responder 5904 may be determined based on these times and the known transmission rate of the tone signal. The method may end at 6014. The initiator 5902 or sniffer 5906 may block at least one of access to the vehicle or operational control based on the estimated at least one distance.
Fig. 55 shows an example of a passive tone exchange and phase difference detection system 6100. The system 6100 includes a Phase Locked Loop (PLL) 6102, a phase module 6104, a transmitter 6106, a receiver 6108, and an antenna module 6110. The antenna module 6110 may be similar to the antenna module 40 of fig. 2. The transmitter 6106 transmits a first tone, which may be the output of the PLL 6102 and reflected by the reflector 6112 back to the receiver 6108. The output of the PLL and the reflected tone signal are provided to a phase module 6104. The phase module 6104 determines a phase difference between the output of the PLL and the reflected tone signal. The phase module 6104 or other module disclosed herein determines the distance between the transmitter 6106 and the reflector 6112 based on the phase difference. The phase module 6104 or other module disclosed herein may block access to the interior of the vehicle and/or operational control of the vehicle based on the determined distance.
Fig. 56 shows an example of an active tone exchange and phase difference detection system 6200. The system 6200 operates similarly to the system 6100 of fig. 55. The transmitter and receiver 6106, 6108 are represented by block 6202. The reflector 6112 of fig. 55 can be replaced with a responder device 6204 for active tone exchange. The responder device 6204 may receive a first tone signal having a first one or more tones from the transmitter 6106 and respond with a second tone signal. The second tone signal may include the one or more tones and/or one or more other tones. The second tone signal is transmitted back to the receiver 6108.
Fig. 57 shows an initiator packet 6300 and a response packet 6302 for RSSI and time-of-flight measurements. The initiator packet 6300 may include a plurality of fields, such as a preamble, a synchronization access word (e.g., a pseudo-random synchronization access word), a data field including data, a Cyclic Redundancy Check (CRC) field including CRC bits, and a Continuous Wave (CW) tone field including CW tones. Response packet 6302 may include a CW tone field, a preamble, a sync access word, a data field, and a CRC field.
The initiator device may transmit an initiator packet 6300, and the initiator packet 6300 may be received at the responder device. The responder device may then generate a response packet 6302 and send the response packet back to the initiator device. This may be done for tone swapping, phase difference determination, round trip timing measurement. The distance between the devices may then be determined. These measurements and calculations may be performed to detect extended range relay attacks. In an embodiment, the initiator and the responder pre-negotiate what the sync access word will be based on a predetermined list. The synchronous access word includes an access address. The initiator may, for example, measure the amount of time to receive (i) a response packet after the initiator packet is sent and/or (ii) a sync access word. The amount of time and the synchronized access word may be compared to a predetermined amount of time and a predetermined synchronized access word. If the comparison performed yields a match, no extended range relay attack occurs. However, if the received sync access words do not match and/or the amount of time differs from the expected amount of time by more than a predetermined amount, an extended range relay attack may occur.
In an embodiment, the initiator and the responder exchange a predetermined key, a list of sync access words, and the time at which each sync access word will be sent. The sync access word may be randomly selected when initially created. This allows the responder to know the correct key and/or sync access word to respond when an initiator packet is received. The key may be included in the response packet. In another embodiment, the initiator packet and the response packet do not include a preamble, as shown in fig. 58. In an embodiment, the length of the CW tone is 4-10 μs.
In another embodiment, the initiator packet and the response packet have the same format as shown in FIG. 59. Each packet includes: a first CW tone as a first field; synchronizing the access words; a data field; a CRC field; and a second CW tone as a last field. Another example of an initiator packet and a response packet having the same format is shown in fig. 60, where each packet includes: a first CW tone as a first field; a syncword including PACRMBI; a PDU field including a PDU; a Medium Access Controller (MAC) field; a CRC field; and a second CW tone as a last field. The CW tones of fig. 57-60 may be cipher random length tones and may be checked by the initiator when received. For example, an extended range relay attack may occur when the CW tone received from the responder is incorrect. With the embodiment of fig. 59-60, the sync word round trip timing prevents CW tone exchanges from going beyond the ambiguity range (e.g., 75 meters) in 2MHz channel tone steps. The initiator packets and the responder packets mentioned above may be transmitted at the same frequency. By having the initiator packet and the responder packet have the same format, the attacking device cannot distinguish which packet is the initiator packet and which packet is the responder packet. In one embodiment, the CW tone at the end of the packet is not included.
In an embodiment, the timing, frequency, length, power level, amplitude and content of the CW tones and sync access words of the initiator and responder packets are checked at the initiator and responder to determine if they are correct and/or consistent and to identify if an attack has occurred. In an embodiment, the packet of pseudo random numbers is exchanged at a first frequency before changing to a next frequency and exchanging the packet of another pseudo random number.
Since the attacking device generally includes a filter (e.g., a low-pass filter and a band-pass filter) and a mixer (e.g., a down-converter and an up-converter), the attacking device causes a delay in relaying a signal. In order for an attack by an attacking device to go undetected, the attacking device needs to retransmit the received signal without a detectable delay. This makes it difficult for an attacking device to be detected. The attacking device may delay the signal by 500ns, which may spatially delay the signal by 500 feet (ft). In order for an attacking device to advance transmission of a tone or start transmission of a tone at the correct time, the attacking device may need to know in advance what is being transmitted. This is not possible. This is especially true when heterodyne receivers are used to receive the relayed signals. Heterodyne receivers convert the packet/audio into the in-phase (I) -quadrature-phase (Q) domain and are captured in the IQ domain. In the IQ domain, the phase difference is detected. If an attack is present, delays caused by the attack may be detected in the IQ domain based on the phase difference. If the attacking device shortens the tone so that the corresponding sync access word arrives at the correct time, the timing and length of the CW tone may be incorrect and may be detected by the initiator.
In an embodiment, the initiator checks the received CW tone transmitted from the responder for: (i) a length relative to the start of the transmitted sync access word, (ii) a power (or amplitude) consistent prior to the sync access and relative to the sync access word, and (iii) a tone consistent throughout the sync access word. Consistent tones may refer to consistent frequencies, power levels, amplitudes, etc. In another embodiment, the start and end times of the synchronous access word relative to the start of the first CW tone of the transmitted packet may be known within a predetermined amount of time (e.g., within a 10ns range). Thus, if the start time and the end time are within a predetermined range of the start of the first CW tone of the packet, no attack occurs, otherwise an attack may occur.
As another example, a PLL of an initiator that sends a tone may have 3 different tones on a given channel that the PLL is capable of generating: center tone, high tone at a first frequency (e.g., 250 KHz), and low tone at a second predetermined frequency (e.g., -250 KHz). The transmitted tones may be selected and transmitted according to a predetermined agreed upon random sequence and/or tone pattern. An agreement may be made between the initiator and the responder. The PLLs of the initiator and the attacking device may not coincide with each other. If there is a frequency difference between the signal transmitted by the initiator and the signal received in response thereto that is greater than a predetermined threshold, the initiator may determine that an attack has occurred.
In an embodiment, the responder is able to measure and respond with data with a phase delay that the responder detects for the received signal. This may be based on when the responder receives the end CW tone of the packet from the initiator. The responder may measure a phase delay between (i) an end (or ending) CW tone of a packet received from the initiator and (ii) a front end (or first primary CW tone) of a packet transmitted by the responder in response to the packet received from the initiator. The initiator may calculate the total bidirectional round trip time of packets from the initiator to the responder and then back from the responder to the initiator.
In addition to detecting the delay of the signal, the initiator may also detect when the signal (or tone) is amplified by the attacking device. The amplification of the signal/tone may also delay transmission, which may be detected. During tone relay at the attacking device, the tone may be distorted and/or another tone may be transmitted instead of the originally transmitted tone.
The above example allows for more accurate distance measurements with a smaller number of packets, each with synchronous access words and CW tones. The synchronous access word protects the CW tone (and vice versa) from the attacking device modifying the CW tone without detection. Two-way randomized communication is performed that protects both the synchronous access word and the CW tone.
The PLL of the initiator as disclosed herein may be a phase predictable PLL that allows the initiator to predict the phase of the signal when the frequency of the signal is changed. This may eliminate the need to check whether the timing of the CW tone transmitted by the initiator and the CW tone transmitted by the responder is correct. The responder may measure, for example, when an end CW tone is received from the initiator, determine a corresponding phase delay of the end CW tone relative to the responder's generation of a front-end CW tone for the response signal, and send this information along with the front-end CW tone to the initiator. The initiator may then calculate a total round trip time based on the received information.
In an embodiment, the initiator is one of a vehicle or a portable access device and the responder is the other of the vehicle and the portable access device. The order in which the vehicle and portable access device transmit and respond is pseudo-randomly altered. In addition, packets and/or tone signals may be transmitted in response and then may be used as initiator packets and/or initiator tone signals. In one embodiment, the order in which the vehicle and portable access device transmit and respond does not change for a short period of time (e.g., the exchange period is less than the predetermined period of time) and changes for a long exchange period (e.g., the exchange period is greater than or equal to the predetermined period of time). The sequence may be periodically switched. In these examples, the bi-directional data is exchanged using antenna polarization diversity to provide the correct timing measurements.
Processing is implemented to provide accurate measurements of the start and end points of the CW tone and the sync access word. The correlation and protocol module 3920 may maintain a circular queue of bits and lock to compare between the start time and end time and length of the CW tone and sync access word of a transmitted (initiator) packet and the start time and end time and length of the CW tone and sync access word of a received (responder) packet. The correlation and protocol module 3920 may interpolate at the location of the zero crossings. Post-processing of the I data and Q data associated with the synchronous access word may be performed for clock recovery for interpolation when the synchronous access word arrives. The I and Q data may have different slew/spin rates. Interpolation may be performed to determine where the center point of the transition will get the exact timing of the clock recovery. To dial in timing, multiple zero crossings may be detected and aligned. In addition, the I and Q data may be oversampled, as described further below, to best fit/align one or more bits.
Fig. 61 shows an antenna path determination system 6700 for a network device having corresponding antenna modules. The antenna module exhibits polarization diversity. In this example, two polarization axes for each antenna module are shown. Each antenna module includes a vertically oriented antenna and a horizontally oriented antenna. Possible channel vectors h_VV, h_VH, h_HV and h_HH are shown. Ranging module 6710 is shown. Ranging module 6710 determines the range (or distance) between corresponding antennas of the network device based on channel vectors h_VV, h_VH, h_HV and h_HH. The ranging module may perform a ranging algorithm to determine ranges. The determined ranges are provided to a minimum module 6712, which determines which of the ranges is the shortest. The shortest path may be selected.
Each channel vector may be generated for one or more selected frequencies. When compared, the range may be generated for channel vectors of the same frequency or different frequencies. As an example, vectors may be generated for at least some of the 80 different tones having a frequency step of 1MHz between adjacent tones and within the industrial, scientific, and medical (ISM) band of 2.4 GHz. The frequency associated with the shortest range may be selected. Other factors such as signal strength, amplitude, voltage, parameter consistency, etc. may also be considered in making this selection. This path selection may be performed by any of the initiators, responders, modules, network devices, etc. disclosed herein and used for round trip timing measurements. This allows the selection of the best antenna path for bi-directional packet and/or tone handshaking to determine round trip time.
Referring now to fig. 38 and 62, example radio models 6800 and RF channels and corresponding RF circuitry corresponding to the structure, function, and operation of BLE radio 3900 (and/or a modified version of BLE radio 3900) of fig. 38 are shown. The radio model 6800 may include a first sampling module 6802, a time offset module 6804, a gaussian low pass filter 6806, an integrator 6808, a first upsampler 6810, an amplifier 6812, a summer 6814, a modulator 6816, a second sampling module 6818, a phase and frequency offset module 6820, a first mixer 6822, a phase delay device 6823, a second mixer 6824, a phase delay module 6826, a second low pass filter 6828, a resampling module 6830, an arctangent module 6832, a differentiator 6834, a symbol determination module 6836, a bit pattern module 6838, a second upsampler 6840, a third upsampler 6842, a cross correlation module 6844, and a peak detector 6846. Devices 6802, 6804, 6806, 6808, 6810, 6812 may represent examples of transmitter portions of a BLE radio 3900 or another BLE radio. Adder 6814 represents the channel between the following radios: (i) another BLE radio; and (ii) BLE radio 3900 of devices 3907, 3906, 3908, 3932, and 3910. There may be a phase shift and frequency shift between the receiving BLE radio and the transmitting BLE radio because the receiving BLE radio may not be phase locked to the transmitting BLE radio. The devices 6816, 6818, 6820, 6822, 6824, 6828, 6830 correspond to the receiver portion of the BLE radio and are associated with RF sampling rates. The devices 6830, 6832, 6834, 6836, 6838 correspond to receiver portions and perform operations on baseband signals. The resampling module 6830 functions as an analog-to-digital converter. Devices 6840, 6842, 6844, and 6846 also correspond to receiver portions and are associated with interpolation to determine phase.
When recovering the bit stream, zero crossings of the reconstructed signal from the differentiator 6834 may be determined. There may be a lot of jitter at the zero crossing, which negatively affects the time-of-flight determination based on the timing of the zero crossing. Small amounts of jitter negatively affect the determination of the transmission time and the reception time.
The upsamplers 6840, 6842 and the cross correlation module 6844 are implemented to reduce jitter associated with sampling and zero crossing determinations. The upsamplers 6840, 6842 perform signal processing to interpolate and inject data points between existing received data points to provide finer temporal resolution.
In one embodiment, the transmitted bit stream is known a priori by the BLE receiver and provided to upsampler 6842 as indicated by arrow 6843. In this example, the symbol determination module 6836 and the bit pattern module 6838 are not included. In another embodiment, the transmitted bit stream is unknown, and the symbol determination module 6836, the bit pattern module 6838, and the upsampler 6842 are included to provide an estimated bit stream. As an example, the transmitted bit stream may be an access address indicating what device is transmitting. The estimated bit stream may be determined based on a reference. For example, the reference may be a preamble and/or a bit sequence received before the bit stream is estimated. The preamble and/or the bit sequence provide a temporal reference based on which an estimated bit stream may be generated. The estimated bit stream is generated based on a known clock frequency of the transmitter and is associated with the clock frequency of the transmit signal and the receiver.
The cross-correlation module 6844 performs cross-correlation between the outputs of the upsamplers 6840, 6842 and/or cross-correlation between the output of the upsampler 6840 and the output of the bit pattern module 6838. Cross-correlation is performed to match the envelope of the signal provided to the cross-correlator and to determine the phase difference. The cross-correlation may include taking the product of corresponding data points of the two output signals and summing the products. The product-sum process is iterated while incrementally shifting one of the outputs by one data point in time relative to the other output for each iteration, to provide a plurality of resulting product-sum values. The maximum product-sum value occurs when the two outputs are synchronized (or aligned), that is, when the waveforms match and are aligned in time. Based on this information, a phase offset (or difference) between the two outputs is determined.
The cross-correlation has improved resolution because the upsampling is performed by the upsamplers 6840, 6842. The cross-correlation module 6846 performs correlation with a signal that is finer in resolution than the originally received signal to obtain finer interpolation of the arrival time of the received packets in the received signal. Higher correlation resolution reduces the signal-to-noise ratio and bit length of the message and may include interpolation at finer resolution. The phase offset may be used for time-of-flight determination as described herein. The peak detection module 6846 evaluates the results of the cross-correlation and indicates (i) when a time-matched peak occurs, and/or (ii) phase shift. In one embodiment, the cross-correlation module 6844 receives the digital value and the peak detection module 6846 determines whether the cross-correlation output (or product sum value) has reached a predetermined threshold. If the predetermined threshold has been reached, the peak detection module indicates "find signal" and determines the phase.
In one embodiment, the output of the upsampler 6840 is provided to the symbol determination module 6836 and the cross correlation module 6844, and does not include the upsampler 6842. In this example, the output of the bit pattern module 6838 is provided directly to the cross correlation module 6844.
The apparatus of fig. 38 and 62 is further described with respect to the method of fig. 63. Although the following operations of fig. 63 are described primarily with respect to the implementations of fig. 2-6, 11, 14, and 38, these operations may be readily modified to apply to other implementations of the present disclosure. These operations may be performed iteratively.
The method may begin at 6900. At 6902, a sampling module 6802 of a first network device (e.g., a network device implemented in a vehicle as part of an in-vehicle system or portable access device) receives the bit stream to be sent from the processing module 3922. The sampling module 6802 samples the bit stream.
At 6904, the time offset module 6804 receives the output of the sampling module 6802 and may introduce a time offset (or delay). The sampling module 6802 and the time offset module 6804 may be implemented by the protocol module 3924. At 6906, a Gaussian low pass filter (LPF) 6806 receives the output of the time offset module 6804. The operation of the Gaussian LPF 6806 may be implemented by the GFSK modulator 3926. At 6908, integrator 6808 integrates the output of Gaussian LPF 6806 and may be implemented by D/A and low pass filter 3928. Example signals 7000, 7002, 7004 from the sampling module 6802, Gaussian LPF 6806, and integrator 6808, respectively, are shown in fig. 64A.
At 6910, upsampler 6810 upsamples the output of integrator 6808 to include additional points on a sample-by-sample basis. Upsampler 6810 may be implemented by upconverter 3930. At 6912, the amplifier 6812 provides a frequency deviation gain. At 6914, sampling module 6818 receives the RF tone that may be provided by PLL 3940. The output of the sampling module 6818 is provided to both the modulator 6816 and the phase and frequency shift module 6820. At 6916, modulator 6816 modulates the output of sampling module 6818 based on the output of amplifier 6812 to provide an initiator signal. Modulator 6816 may be implemented at least in part by upconverter 3930.
At 6918, the initiator signal from modulator 6816 may be provided to power amplifier 3932 and sent to the second network device. The second network device may be a network device implemented in a vehicle as part of an in-vehicle system or a portable access device. The initiator signal may be any of the following disclosed herein: an initiator signal, an initiated tone signal, a signal transmitted by a master device, etc.
At 6920, low noise amplifier 3910 receives a response signal in response to an initiator signal. The response signal may include Gaussian noise that is included in the received response signal, as represented by summer 6814. At 6922, the mixers 6822, 6824 receive the response signal from the low noise amplifier 3910 and down-convert the response signal to an in-phase (I) baseband signal and a quadrature-phase (Q) baseband signal. The quadrature phase baseband signal may be phase delayed by 90° via a phase delay device 6823. This may be implemented at downconverter 3912.
At 6924, LPF 6828 filters the baseband signal. LPF 6828 may include a plurality of LPFs; there is one LPF for each down-converted signal. LPF 6828 may be replaced by and/or implemented by bandpass filters and amplifier 3914. At 6926, the resampling module 6830 samples the filtered baseband signal using sample dithering. The resampling module 6830 may be implemented by the A/D converter 3916. Example signals 7006, 7008 from the resampling module 6830 are shown in fig. 64B.
At 6928, arctangent module 6832 determines an arctangent of the baseband signal to generate an arctangent signal. An example signal 7010 from an arctangent module 6832 is shown in fig. 64C. At 6930, differentiator 6834 differentiates the arctangent signal from arctangent module 6832. An example signal 7012 from a differentiator 6834 shown above the original gaussian filtered signal 7002 is shown in fig. 64D.
At 6932, the sign module 6836 performs a sign function and determines the sign of the output of the differentiator 6834. At 6934, bit pattern module 6838 determines an idealized (or reference) bit pattern based on the output of symbol module 6836. After the operation of the low pass filter 6828 and the arctangent module 6832 have been applied, an idealized bit pattern is obtained to match the bit pattern from the gaussian LPF 6806 or other bit pattern with the received bit pattern. This is done so that the up-sampled values resemble noise-free resampled data.
At 6936, the upsamplers 6840, 6842 upsample the outputs of the differentiator 6834 and the bit pattern module 6838, respectively. At 6938, the outputs of the upsamplers 6840, 6842 are correlated by the cross correlation module 6844 to generate a correlated signal. The devices 6832, 6834, 6836, 6838, 6844, 6842 may be implemented by the demodulator 3918. At 6940, the peak detector 6846 determines the phase of the resulting correlation signal from the cross correlation module 6844. The cross correlation module 6844 and the peak detector 6846 may be implemented by a correlation and protocol module 3920. In one embodiment, the peak detector 6846 is implemented as a 3-point parabolic peak interpolator operating on the upsampled output of the cross correlation module 6844. Two points near the detected peak (within a predetermined distance) are selected and a three-point parabolic interpolation of the upsampled result is obtained.
At 6942, distance, position, round trip time, and/or other parameters are determined based on the phase (or 3-point parabolic interpolation of the upsampled result). The distance may be a distance between the first network device and the second network device. The location may be a location of the second network device relative to the first network device. The round trip time may be the time at which the initiator signal travels to the second network device and the first network device receives the response signal, including the time at which the second network device generates the response signal after receiving the initiator signal.
At 6944, the processing module 3922 may determine whether an extended range relay attack has occurred based on the phase, distance, location, round trip time, and/or other parameters determined at 6942. If an extended range relay attack has occurred, operation 6946 may be performed, otherwise the method may end at 6948. At 6946, the processing module 3922 performs countermeasures, such as any of the countermeasures disclosed herein.
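The following sketch illustrates operations 6936 to 6940: upsampling, the shifted product-sum cross-correlation, threshold-based peak detection, and the 3-point parabolic peak interpolation. It is an added example, not code from the patent; the bit pattern, the 8 samples per bit, the Gaussian pulse width, the linear interpolation used for upsampling, and the 0.8 threshold are all assumptions chosen for illustration.

```python
import math
import random

SAMPLES_PER_BIT = 8   # assumed receiver oversampling (constructed)
SIGMA = 3.0           # assumed Gaussian pulse width in samples (constructed)
BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]  # constructed bit pattern


def shaped_waveform(delay=0.0, noise=0.0, seed=1, length=176, lead_in=16):
    """Constructed Gaussian-filtered bit pattern, delayed by `delay` samples."""
    rng = random.Random(seed)
    out = []
    for n in range(length):
        value = rng.gauss(0.0, noise) if noise else 0.0
        for k, bit in enumerate(BITS):
            centre = lead_in + k * SAMPLES_PER_BIT + delay
            value += (1.0 if bit else -1.0) * math.exp(-0.5 * ((n - centre) / SIGMA) ** 2)
        out.append(value)
    return out


def upsample(samples, factor):
    """Inject factor-1 linearly interpolated points between existing samples."""
    out = []
    for a, b in zip(samples, samples[1:]):
        out.extend(a + (b - a) * j / factor for j in range(factor))
    out.append(samples[-1])
    return out


def product_sum(ref, rx, lag):
    """Sum of ref[i] * rx[i + lag] over the samples where both exist."""
    lo, hi = max(0, -lag), min(len(ref), len(rx) - lag)
    return sum(ref[i] * rx[i + lag] for i in range(lo, hi))


def estimate_delay(ref, rx, factor=4, max_lag=6, threshold=0.8, interpolate=True):
    """Delay of rx relative to ref in original samples; None if no peak is found."""
    ref_up, rx_up = upsample(ref, factor), upsample(rx, factor)
    norm = math.sqrt(sum(v * v for v in ref_up) * sum(v * v for v in rx_up))
    if norm == 0.0:
        return None
    lags = list(range(-max_lag * factor, max_lag * factor + 1))
    corr = [product_sum(ref_up, rx_up, lag) / norm for lag in lags]
    k = max(range(len(corr)), key=corr.__getitem__)
    if corr[k] < threshold:            # peak detector: signal not found
        return None
    offset = 0.0
    if interpolate and 0 < k < len(corr) - 1:
        left, mid, right = corr[k - 1], corr[k], corr[k + 1]
        curvature = left - 2.0 * mid + right
        if curvature < 0.0:            # vertex of the parabola through 3 points
            offset = 0.5 * (left - right) / curvature
    return (lags[k] + offset) / factor


def demo():
    """Return (coarse, fine, noise_only) estimates for a 2.3-sample delay."""
    ref = shaped_waveform()
    rx = shaped_waveform(delay=2.3, noise=0.01, seed=7)
    coarse = estimate_delay(ref, rx, factor=1, interpolate=False)
    fine = estimate_delay(ref, rx)
    rng = random.Random(3)
    noise_only = estimate_delay(ref, [rng.gauss(0.0, 0.01) for _ in ref])
    return coarse, fine, noise_only
```

Without upsampling the peak can only land on a whole sample, so the fractional part of the delay is lost; that fractional part is what the upsampled correlation and parabolic fit recover for the time-of-flight calculation.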
The above-described operations of fig. 35, 36, 45, 54, and 63 are intended as illustrative examples. These operations may be performed sequentially, synchronously, simultaneously, continuously, during overlapping time periods, or in a different order depending upon the application. In addition, depending on the implementation and/or sequence of events, any of the operations may not be performed or may be skipped.
There is variation in transmit timing between (i) the time at which the generated waveform reaches the antenna to be transmitted and (ii) the corresponding time measured by the timer. Factors that may cause this include clock domain crossing, clock period variation, power amplifier propagation delay induced by the power amplifier gain setting, temperature, and process propagation delay. Process, temperature, and amplifier gain setting variations can be calibrated out of the timing measurements.
A second BLE device (e.g., BLE device (or radio) 3900B) similar or identical to the first BLE device (e.g., BLE device (or radio) 3900A of fig. 38) may be added and implemented in the vehicle to represent a reflective (or responder) device as shown in fig. 49. Each BLE radio 3900 may be implemented on a separate system on chip (SoC). The first BLE radio 3900A may transmit an initiator signal that may be received by a receiver portion of the second BLE device.
Time T1 may be the time, as determined by timer 3938A, at which the first bit stream is generated and/or provided to protocol module 3924A of the first BLE radio 3900A to generate an initiator signal to be transmitted from the first BLE radio 3900A. Time T2 may be the time when the correlation and protocol module 3920B of the second BLE radio 3900B receives the first bit stream as determined by timer 3938B. The first calibration constant CAL1 may be set equal to or determined based on a difference between a time when the timer 3938A detects generation of the first bit stream and a time when the corresponding initiator signal is transmitted from the antenna 3907A. The second calibration constant CAL2 may be set equal to or determined based on the difference between the times at which the timer 3938B detected the first bit stream received at the correlation and protocol module 3920B. The time of flight of the first bit stream from protocol module 3924A to the correlation and protocol module 3920B is (T2-CAL2) - (T1-CAL1).
Similarly, time T3 may be the time, as determined by timer 3938B, at which a second bit stream corresponding to the first bit stream is generated and/or provided to protocol module 3924B to generate a response signal to be transmitted from the second BLE radio 3900B. The response signal is generated in response to the initiator signal. Time T4 may be the time when correlation and protocol module 3920A receives the second bit stream as determined by timer 3938A. The third calibration constant CAL3 may be set equal to or determined based on a difference between a time when the timer 3938B detects generation of the second bit stream and a time when the corresponding response signal is transmitted from the antenna 3907B. The fourth calibration constant CAL4 may be set equal to or determined based on the difference between the times at which the timer 3938A detected the second bit stream received at the correlation and protocol module 3920A. The time of flight of the second bit stream from protocol module 3924B to the correlation and protocol module 3920A is (T4-CAL4) - (T3-CAL3). The average time of flight and/or the distance between the first and second BLE radios 3900 may be determined using equations 33-35, wherein equation 33 is based on equation 32 and takes into account the timing variations described above and thus includes corresponding calibration values.
$$\text{Average time of flight} = [(T_2 - T_1) + (T_4 - T_3)]/2 \quad (32)$$
Collect similar information and add calibration values:
$$\text{Average time of flight} = [(T_2 - \mathrm{CAL}_2 - T_1 + \mathrm{CAL}_1) + (T_4 - \mathrm{CAL}_4 - T_3 + \mathrm{CAL}_3)]/2 \quad (33)$$
$$\text{Distance} = (c)\,[(T_4 - \mathrm{CAL}_4 - T_1 + \mathrm{CAL}_1) + (T_3 - \mathrm{CAL}_3 - T_2 + \mathrm{CAL}_2)]/2 \quad (34)$$
Separate calibration from time measurement:
$$\text{Distance} = (c)\,[(T_4 - T_1) - (T_3 - T_2) + (\mathrm{CAL}_1 - \mathrm{CAL}_4 + \mathrm{CAL}_2 - \mathrm{CAL}_3)]/2 \quad (35)$$
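The sketch below applies equations 32 and 33 to constructed timestamps from two unsynchronized timers and uses the calibrated range for the relay check of operation 6944. It is an added example, not code from the patent; the circuit delays, turnaround time, clock offsets, the sign convention of the calibration constants, and the 5 m limit in `relay_suspected` are assumptions made for illustration.

```python
C_M_PER_NS = 0.299792458   # speed of light in metres per nanosecond


def simulate_exchange(true_distance_m, clock_offset_ns, relay_delay_ns=0.0):
    """Constructed timestamps (ns) for one initiator/responder exchange.

    Timer A stamps T1 and T4, timer B stamps T2 and T3, and timer B reads
    clock_offset_ns ahead of timer A. All delay values are made-up samples.
    """
    tx_a, rx_b, tx_b, rx_a = 40.0, 55.0, 42.0, 57.0   # internal circuit delays
    turnaround = 150000.0                             # responder processing time
    flight = true_distance_m / C_M_PER_NS + relay_delay_ns
    t1 = 1000.0
    t2 = t1 + tx_a + flight + rx_b + clock_offset_ns
    t3 = t2 + turnaround
    t4 = t3 + tx_b + flight + rx_a - clock_offset_ns
    # Assumed sign convention, chosen so that equation 33 holds: a transmit
    # constant is (timer capture - antenna departure), a receive constant is
    # (timer capture - antenna arrival).
    cal = {"CAL1": -tx_a, "CAL2": rx_b, "CAL3": -tx_b, "CAL4": rx_a}
    return (t1, t2, t3, t4), cal


def average_tof_uncalibrated(t):
    """Equation 32: the timer offset cancels, the circuit delays do not."""
    t1, t2, t3, t4 = t
    return ((t2 - t1) + (t4 - t3)) / 2.0


def average_tof_calibrated(t, cal):
    """Equation 33: each timestamp is corrected by its calibration constant."""
    t1, t2, t3, t4 = t
    forward = (t2 - cal["CAL2"]) - (t1 - cal["CAL1"])
    reverse = (t4 - cal["CAL4"]) - (t3 - cal["CAL3"])
    return (forward + reverse) / 2.0


def to_distance_m(tof_ns):
    """Convert a one-way time of flight in nanoseconds to metres."""
    return C_M_PER_NS * tof_ns


def relay_suspected(t, cal, max_range_m=5.0):
    """Flag an exchange whose calibrated range exceeds the allowed zone."""
    return to_distance_m(average_tof_calibrated(t, cal)) > max_range_m
```

Averaging the forward and reverse legs removes the unknown offset between the two timers, while the roughly 97 ns of uncorrected circuit delay in this constructed case would otherwise appear as about 29 m of range error.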
Timer 3938B may be started with the processing protocol and/or fine tuning of the transmit time is performed at the second BLE radio 3900B to minimize reporting on T2-T3.
The PLLs 3940A, 3942A of the first BLE radio 3900A may be implemented as a single PLL. Similarly, the PLLs 3940B, 3942B of the second radio 3900B may be implemented as a single PLL. The two PLLs allow the hardware of the transmitting part and the receiving part to be implemented on the same SoC while allowing the transmission time of the initiator signal to be captured using the same BLE circuit used to capture the reception time of the response signal.
According to the present teachings, a multi-axis polarized RF antenna assembly includes: a circularly polarized antenna comprising a conductive annular body having an inner bore; a circular spacer connected to the conductive ring; and a linearly polarized antenna connected to and extending outwardly from the circular polarized antenna and the circular isolator. The linearly polarized antenna includes a sleeve and a conductive element extending through the sleeve. The linearly polarized antenna is orthogonal to the radial extension of the circularly polarized antenna.
In accordance with the present teachings, a multi-axis polarized RF antenna may include a conductive element as a wire.
According to the present teachings, the sleeve may be formed of polytetrafluoroethylene and the conductive element may be formed of copper.
In accordance with the present teachings, a linearly polarized antenna may be configured to extend downwardly from a circularly polarized antenna when in use.
According to the present teachings, the circularly polarized antenna may be a 2-axis antenna and the linearly polarized antenna may be a single-axis antenna.
In accordance with the present teachings, the multi-axis polarized radio frequency antenna may also include a ground layer, and a circular isolator may be disposed on the ground plane, between the conductive element and the ground plane, and between the circular polarized antenna and the ground plane.
According to the present teachings, a circularly polarized antenna may include two feed points that are phase shifted by 90 ° and configured to receive signals that are 90 ° out of phase with each other.
In accordance with the present teachings, a vehicle may include a body and a roof including a multi-axis polarized RF antenna assembly. The multi-axis polarized RF antenna assembly may be oriented in the roof of the vehicle such that the linearly polarized antenna extends downwardly from the circularly polarized antenna.
In accordance with the present teachings, a vehicle may include a multi-axis polarized RF antenna assembly. The multi-axis polarized RF antenna assembly may include a first multi-axis polarized RF antenna assembly configured to be implemented in a vehicle and a second multi-axis polarized RF antenna assembly configured to be implemented in a vehicle, and the second multi-axis polarized RF antenna assembly includes: a second circularly polarized antenna comprising a second conductive annular body having a second inner bore; a second circular spacer connected to the second conductive annular body; and a second linearly polarized antenna connected to and extending outwardly from the second circular isolator. The second linearly polarized antenna may include a sleeve and a conductive element extending through the sleeve of the second linearly polarized antenna. The second linearly polarized antenna may extend orthogonal to a radial direction of the second circularly polarized antenna, and the access module is connected to the first multi-axis polarized RF antenna assembly and the second multi-axis polarized RF antenna assembly and configured to communicate with the portable access device via the first multi-axis polarized RF antenna assembly and the second multi-axis polarized RF antenna assembly.
At any time, at least one of the linearly polarized antenna or the first multi-axis polarized RF antenna assembly is not cross polarized with the antenna of the second multi-axis polarized RF antenna assembly in accordance with the present teachings.
According to the present teachings, the access module may be configured to perform a passive entry passive start operation or a phone-as-a-key operation, comprising: transmitting and receiving radio frequency signals via a first one of the multi-axis polarized RF antenna assemblies and a second one of the multi-axis polarized RF antenna assemblies.
In accordance with the present teachings, the access module may be configured to grant access to the vehicle based on the radio frequency signal.
In accordance with the present teachings, the access module may be configured to execute an algorithm to determine which antenna pair having a first one of the multi-axis polarized RF antenna assemblies and a second one of the multi-axis polarized RF antenna assemblies is to be used for communication with the portable access device.
The portable access device may be a key fob or a cellular telephone according to the present teachings.
In one embodiment, a BLE radio of a cellular telephone is used in a phone-as-a-key system, as described herein, to micro-locate the position of the mobile telephone relative to a set of receiving sensors. The sensors are located in the vehicle. The sensors are used to detect whether the mobile phone is close enough to the vehicle to allow access to the vehicle (e.g., unlock a door and/or start the vehicle). The access module of the vehicle uses the angle of arrival (AOA) principle. By knowing the angle of arrival of signals sent from the BLE radio to at least two independent sensors in the vehicle, a bidirectional measurement of the source (i.e., BLE radio) can be made on the 2D plane. In this case, a phased antenna array is used to measure the angle of arrival of the incoming signal. Phased antenna arrays include multiple antennas that receive and transmit signals. Each sensor in the vehicle includes one or more antennas. Each sensor may be a phased array sensor comprising: a three-antenna interleaved Circular Polarization (CP) receiver having a single radio receiver; a six antenna interleaved Linear Polarization (LP) receiver with a single radio receiver; a three-antenna interleaved CP receiver having a single radio receiver; a three-antenna stagger-printed antenna CP receiver with a single radio receiver.
The access module detects the direction of an incident AOA signal taking into account multipath effects. As an example, two sinusoidal RF signals transmitted and arriving at the sensor array are added together in the antenna of the sensor array. The sum of the two sinusoidal RF signals is a sine wave having a phase and amplitude that differ depending on the phase angle and amplitude of the two source sine waves. The mathematical model used to predict the AOA direction may indicate an error. In any dynamic multipath environment, such errors can be very large and unstable. To prevent such errors, the MUSIC algorithm disclosed herein may be used to identify the source signal as well as potentially strong multipath reflected signals. The direct path signal is accurately tracked from the cellular telephone. The tracking identifies any additional reflected signal(s). The reflected signal may be identified and discarded.
The access module and control module disclosed herein may implement any MUSIC algorithm mentioned and/or disclosed herein. Direction finding methods can be broadly categorized into two categories, sometimes referred to as classical methods and modern methods. Classical methods include various beamforming methods. Modern methods are often referred to as subspace methods. The MUSIC algorithm is classified as a super-resolution parameter estimation algorithm using a subspace separation method. Subspace methods may require a specific array geometry for two identical but physically shifted arrays. Other methods include maximum likelihood estimation and beamforming.
Fig. 70 shows a side view of a plurality of antennas 7000 in an array, illustrating the angle of arrival θ. The antenna array may be referred to as an array manifold. Each antenna 7000 may be identically and/or similarly constructed as any of the antennas disclosed herein. In one embodiment, the one or more antennas are quadrifilar helix antennas.
The MUSIC algorithm uses a model of the array manifold that describes the response of the array manifold to one or more incident AOA signals. A Uniform Linear Array (ULA) of antennas may be defined as shown in fig. 70, where m is the antenna index in the array starting from 1, M is the total number of antennas, d is the spacing between antenna elements, and θ is the angle of the incident signal. The response of array element m to an incident signal s can be represented by equation 37, where r is the received signal, a is the complex array manifold response, s is the source signal, m is the index number of the antenna element of interest, θ is the physical angle of the incident source signal, λ is the wavelength of the signal, and n(t) represents the noise in the receiver channel. This shows the effect of phase delay as a function of the physical position of the receiving sensor array element, with a complete 180° phase shift at d=λ/2. It also illustrates the phase shift as a function of the angle of incidence θ.
For antennas 1<m<M and a source signal n at an incident angle θ_n, the array steering vector a_m is defined by equation 38. This assumes an amplitude response of 1 at each antenna and an ideal phase response of the ULA relative to antenna 1.
For N incoming signals, the received signal r (t) produces a sum of the source signals flowing through the array manifold and can be represented by equation 39.
In vector notation, array manifold response parameters a and A are defined by equations 40 and 41. Vector a describes the array response of each element to a single source signal n, and A describes the response of all M array elements to all N source signals, and is an MxN matrix, where M and N may each be integers greater than or equal to 2. The N source signals sampled at time instant t are represented as Nx1 vector S(t), as shown in equation 42.
$$a(\theta_n) = [a_1(\theta_n), a_2(\theta_n), \ldots, a_M(\theta_n)]^T \quad (40)$$
$$A = [a(\theta_1), a(\theta_2), \ldots, a(\theta_N)] \quad (41)$$
$$S(t) = [s_1(t), s_2(t), \ldots, s_N(t)]^T \quad (42)$$
Equation 43 can be used to map N source tones at different source angles of arrival, represented in signal S(t) at a given time t, through antenna array response manifold model A to a received (measured) data vector r(t), where the channel noise is n(t) and r(t) is the Mx1 vector of the received data at each antenna element.
r(t)=AS(t)+n(t) (43)
This mathematical structure of the array manifold model is used to derive MUSIC algorithms and can also be used for simulation and modeling of the test environment.
Fig. 71 shows an example AOA method that uses the MUSIC algorithm. Although the operations are described primarily as being performed by an access module of a vehicle (such as one of the access modules disclosed herein), the operations may be performed by a control module of a portable access device. Note that the H operator indicates a Hermitian transpose or conjugate transpose operation. The method may begin at 7400. At 7402, the access module collects T analytic signal samples simultaneously from each antenna, e.g., as shown.
At 7404, the access module estimates a data covariance matrix, as shown in equation 44.
The covariance matrix estimate is calculated according to equation 44, and an example of the covariance is shown in fig. 72. Each arrow represents the covariance between the antenna numbers listed on the X-axis and Y-axis at the base of the arrow. The upper arrow indicates the covariance of antenna number 1 relative to antenna number 2 (c_12), while the middle left arrow indicates the covariance of antenna number 2 with respect to antenna number 1 (c_21), which is the complex conjugate of c_12. Each arrow is a complex-plane representation of magnitude and direction (the X-axis is the real axis and the Y-axis is the imaginary axis).
Note that the diagonal (top left to bottom right) represents the autocovariance, which has unit amplitude and zero imaginary value. Also note that the matrix is Hermitian, which means that for all i and j, c_ij = c_ji*, where * denotes the complex conjugate. Thus, all useful information is contained in (i) c_12, c_23 and c_13, or (ii) c_21, c_32 and c_31 (the upper right or lower left corner, excluding the diagonal from upper left to lower right). This makes it possible to save data storage and reduce the transmission size.
At 7406, the access module uses Singular Value Decomposition (SVD) or another eigenvalue decomposition technique and calculates an MxM matrix U as shown in equation 45.
After eigenvalue decomposition of the covariance matrix estimate, the resulting complex eigenvectors are provided, an example of which is shown in fig. 73. Fig. 73 shows an eigenvector visualization with the array manifold response at 35°. Fig. 74 shows an eigenvector visualization with the array manifold response at 0°.
As in fig. 72, the size and direction of each arrow indicate the real and imaginary components of each point, corresponding to the real and imaginary parts on the X and Y axes, respectively. Solid and short dashed arrows represent a 3x3 array of eigenvectors. The vector columns (X-axis) are ordered from large (left) to small (right) eigenvalues of the eigenvectors. Thus, the leftmost column number 1 represents the signal subspace, while columns 2 and 3 represent the noise subspace.
At 7408, the access module evaluates or otherwise determines the number N of incoming signals. At 7410, the access module divides the matrix U into an M×N signal subspace matrix and an M×(M-N) noise subspace matrix estimate to satisfy equation 46.
Together with the eigenvector, the array manifold response at the angle of interest (35 °) is shown by the long dashed arrow. This is derived from equation 40.
At 7412, the access module calculates a MUSIC spectrum P (θ) for a range of θ of interest at a predetermined resolution, as shown in equation 47.
At this point, the noise subspace eigenvectors of the covariance matrix estimate should be perfectly orthogonal to the array manifold response. The result of the denominator of equation 47 is a small number relative to the result at different test angles θ.
Fig. 74 presents the same information as fig. 73, except that the array manifold response is shown at an AOA of 0°. Note that the eigenvectors remain unchanged, since the eigenvectors are derived from the measured data. The array manifold response is rotated and shows the expected response to a direct incident signal, which means that there is no phase shift at any antenna element. In this case, the result of the denominator of equation 47 is a value much larger than the value obtained in the case of fig. 73.
At 7414, the access module performs a peak search on P (θ) to determine an angle of arrival. The value of θ at the maximum value of P (θ) is the angle of arrival of the N incident signals.
After processing equation 47 over the range from -90° to +90°, the resulting MUSIC power spectrum P(θ) for a 35° source signal AOA is shown in fig. 76. Note that there is a clear peak at the 35° test AOA. The actual angle is indicated by the vertical dashed line. The resolution of θ is 1°.
Covariance smoothing methods may be used. As an example, a forward-backward method may be used. Forward-backward methods are implemented using equations 48 and 49, which give a modified covariance matrix estimate and in which J is the M×M reverse identity matrix (exchange matrix).
The effective number of coherent tones that can be resolved isA source. For a 3 antenna array, up to 2 coherent tones may be resolved. The method may be used for a three antenna phased array of phased antenna array receiver boards. The method may end at 7416.
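The sketch below walks through operations 7402 to 7414 for the case the text illustrates: a 3-antenna ULA with d = λ/2, one source at 35°, and a scan from -90° to +90° in 1° steps. It is an added example, not code from the patent. The steering vector sign convention, the constructed tone and noise level, and the use of power iteration with deflation in place of the SVD named at 7406 are assumptions; the spectrum is the standard MUSIC form, with the noise subspace projection computed as the identity minus the signal subspace projection.

```python
import cmath
import math
import random

M = 3            # antennas in the uniform linear array
SPACING = 0.5    # element spacing d in wavelengths (d = lambda/2)


def steering(theta_deg):
    """Ideal ULA response a(theta): unit amplitude, antenna 1 as phase reference."""
    step = 2.0 * math.pi * SPACING * math.sin(math.radians(theta_deg))
    return [cmath.exp(-1j * step * m) for m in range(M)]


def snapshots(theta_deg, count, noise_sigma, rng):
    """Constructed samples r(t) = a(theta) s(t) + n(t) for one CW tone."""
    a = steering(theta_deg)
    data = []
    for t in range(count):
        s = cmath.exp(1j * 0.3 * t)
        data.append([a[m] * s + complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma))
                     for m in range(M)])
    return data


def covariance(data):
    """Sample covariance: average of r(t) r(t)^H over the T snapshots."""
    cov = [[0j] * M for _ in range(M)]
    for r in data:
        for i in range(M):
            for j in range(M):
                cov[i][j] += r[i] * r[j].conjugate() / len(data)
    return cov


def inner(u, v):
    """Hermitian inner product u^H v."""
    return sum(x.conjugate() * y for x, y in zip(u, v))


def matvec(mat, v):
    """Matrix-vector product for an M x M matrix."""
    return [sum(mat[i][j] * v[j] for j in range(M)) for i in range(M)]


def signal_subspace(cov, n_sources, rng, iterations=100):
    """Dominant n_sources eigenvectors via power iteration with deflation."""
    work = [row[:] for row in cov]
    vectors = []
    for _ in range(n_sources):
        v = [complex(rng.random(), rng.random()) for _ in range(M)]
        for _ in range(iterations):
            v = matvec(work, v)
            norm = math.sqrt(inner(v, v).real)
            v = [x / norm for x in v]
        eigenvalue = inner(v, matvec(work, v)).real
        for i in range(M):             # remove the component just found
            for j in range(M):
                work[i][j] -= eigenvalue * v[i] * v[j].conjugate()
        vectors.append(v)
    return vectors


def music_spectrum(cov, n_sources, angles, rng):
    """P(theta) = 1 / (a^H En En^H a), using En En^H = I - Es Es^H."""
    basis = signal_subspace(cov, n_sources, rng)
    spectrum = []
    for theta in angles:
        a = steering(theta)
        residual = inner(a, a).real - sum(abs(inner(e, a)) ** 2 for e in basis)
        spectrum.append(1.0 / max(residual, 1e-12))
    return spectrum


def estimate_aoa(data, n_sources=1):
    """Peak search over -90..+90 degrees at 1 degree resolution."""
    angles = list(range(-90, 91))
    spectrum = music_spectrum(covariance(data), n_sources, angles, random.Random(1))
    best = max(range(len(angles)), key=spectrum.__getitem__)
    return angles[best], spectrum


def demo():
    """AOA estimate and spectrum for a constructed 35 degree source."""
    return estimate_aoa(snapshots(35.0, 200, 0.05, random.Random(7)))
```

At the true angle the steering vector lies almost entirely in the signal subspace, so the denominator is close to zero and the spectrum peaks; at 0° the same denominator is large, which is the contrast the text draws between fig. 73 and fig. 74.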
As another example, a spatial smoothing method may be used. The spatial smoothing method is a technique that involves subdividing an array into multiple sub-arrays and averaging the covariance matrix results of the sub-arrays together. This results in an effective reduction in the number of antenna array elements.
A forward-backward spatial smoothing (FBSS) method may be used and combined with the forward-backward method. It also reduces the number of antenna elements required. As yet another example, the Toeplitz completion method may be used and applied to NLA.
Variations of the MUSIC algorithm may be implemented. A derivative called the Root-MUSIC algorithm can be used on a ULA to find the incident signal AOA without calculating the result at each potential angle. This reduces the required computational power. The reduction in computational complexity comes from not needing to execute operations 7412, 7414 of the MUSIC algorithm, which include computing the MUSIC spectrum over a large set of values and finding the peak(s) of the result.
Another example derivation called Spectral-MUSIC is a generalized version of Root-MUSIC, which can be applied to any array geometry, but is typically applied to broadband incoherent sources. Yet another derivation called Smooth MUSIC refers to various methods of smoothing the covariance matrix in the MUSIC algorithm, and is applied between operations 7404 and 7406 of fig. 71.
Another example derivation called CLEAN method includes: once the source signal is identified in a given direction, a model of the source signal is reconstructed from the known array manifold. The reconstructed signal model is subtracted from the measured incident signal to remove the incident signal, thereby "cleaning" the measured data of the undesired source signal and allowing other sources to be viewed.
One problem that arises when implementing the MUSIC algorithm on non-ideal antenna arrays is that two coherent sources with forward-backward covariance smoothing can lead to erroneous position measurements. Standard array calibration techniques cannot solve this problem because the covariance matrix itself can lead to erroneous subspace separation. To address this issue, a variation of the CLEAN method is performed for multiple coherent sources and includes: identifying a source signal using a MUSIC algorithm; removing the source signals one at a time using the CLEAN method with the calibrated array manifold; forcing the source signal to be offset (not at the location of the initial measurement) and recalculating the AOA direction of the remaining signal; repeating operations 7404 and 7406 of fig. 71 to verify convergence to a new set of incident angles of arrival, if different from the original angle of arrival; and optionally replacing operation 7402 of fig. 71 with a priori knowledge from the system. For example, in tracking the position of the source signal, it may be assumed that the AOA does not change much between subsequent readings.
Fig. 76 shows an antenna selection system 7600 that includes an antenna 7602, a switch 7604, and a radio receiver 7606. The radio receiver 7606 selects one of the antennas from which signals are received via the switch 7604. The antenna selection system 7600 may be implemented in any of the systems disclosed herein. In one embodiment, the antenna selection system 7600 is implemented in a vehicle and the access module disclosed herein controls the operation of the radio receiver 7606.
Antenna selection system 7600 implements and enables BLE AOA data reception in a PAK AOA system. A portion of the BLE radio packet received by one of antennas 7602 includes a CW tone. The radio receiver 7606 samples the CW tone to provide a quadrature analysis signal, which means two sine waves with a phase difference of 90 ° called in-phase and quadrature-phase signals (I and Q signals). The I and Q signals are sampled simultaneously and may be combined to form a complex analysis sample r, where r= iI +q and I is a imaginary constant,thus, the received data is partitioned into interleaved samples from each antenna with multiple repetitions.
Fig. 77 illustrates an example reconstruction method for reconstructing IQ data. The interleaved data is interpolated to form a received data matrix r (t) for use in the MUSIC algorithm. The reconstruction method may be performed by any of the access modules disclosed herein. The signal reconstruction method may begin at 7700.
At 7702, the access module converts the analytic IQ sample vector r to a phase angle vector using an arctangent function. At 7704, the access module creates a time vector t corresponding to the sample vector r based on the data sampling rate.
At 7706, the access module discards samples taken near the antenna switching time. At 7708, the access module unwraps each repeated portion of the data points in steps of π. At 7710, the access module measures the average slope. This is the average frequency of the sinusoid.
At 7712, the access module, for each antenna: a) finds the intercept of the first repetition of the sampled data; b) projects the position of the next repetition of the sampled data; c) determines an average difference between the expected and measured actual positions; d) adds or subtracts 2π; e) repeats operations c and d, including repeating the determination of the average difference and the addition or subtraction of 2π, until the average difference is less than π; f) finds the average slope of all the points that have been aligned; and g) reuses the new slope for the next signal to repeat operations b-g.
At 7714, the access module measures a standard deviation of the average slope of each antenna.
At 7716, if the standard deviation is above the threshold, the access module checks which antenna may have inaccurate alignment by selecting antenna i based on equation 50
At 7718, the access module repeats operations 7712-7718 for the antenna selected at 7716 until the standard deviation is low or a maximum retry counter expires.
At 7720, for each antenna m, the access module interpolates straight line points over the original time vector t to obtain a reconstructed phase angle vector. This may be based on the phase angle vector determined at 7702.
At 7722, the access module recreates the IQ sample vector for each antenna m using equation (51), where g is the average amplitude of the active subset of the original sample vector r. After operation 7722, the method may end at 7724.
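The reconstruction of Fig. 77 (operations 7702-7712, 7720 and 7722) can be written as follows; this is an added example, not code from the patent. It assumes a known antenna switching schedule, a four-quadrant arctangent (so unwrapping is in 2π steps), and g·e^(iφ) as the form of equation (51), which is not reproduced on this page; the retry loop of 7714-7718 is omitted because equation 50 is likewise absent, and `reconstruct`, `make_capture` and all sample values are constructed for illustration.

```python
import cmath
import math
import random

TWO_PI = 2 * math.pi


def unwrap(ph):
    """Unwrap one slot. cmath.phase is a four-quadrant arctangent, so the
    jumps removed here are 2*pi (a plain arctangent would give pi steps)."""
    out = [ph[0]]
    for p in ph[1:]:
        d = p - out[-1]
        out.append(out[-1] + d - TWO_PI * round(d / TWO_PI))
    return out


def fit_line(ts, ys):
    """Least-squares slope and intercept of ys over ts."""
    mt, my = sum(ts) / len(ts), sum(ys) / len(ys)
    slope = (sum((t - mt) * (y - my) for t, y in zip(ts, ys))
             / sum((t - mt) ** 2 for t in ts))
    return slope, my - slope * mt


def reconstruct(r, ant, fs, guard):
    """r: interleaved complex samples, ant: antenna index of each sample,
    fs: sample rate, guard: samples dropped on each side of a switch.
    Returns (rows, slopes): one full-length IQ vector and one phase slope
    (rad/s) per antenna, i.e. the received data matrix for MUSIC."""
    n = len(r)
    t = [k / fs for k in range(n)]                        # 7704
    phase = [cmath.phase(x) for x in r]                   # 7702
    slots, start = [], 0
    for k in range(1, n + 1):
        if k == n or ant[k] != ant[start]:                # antenna switch
            idx = range(start + guard, k - guard)         # 7706
            if len(idx) >= 2:
                slots.append((ant[start], [t[i] for i in idx],
                              unwrap([phase[i] for i in idx]),    # 7708
                              [abs(r[i]) for i in idx]))
            start = k
    # 7710: average slope over all slots = average tone frequency
    slope0 = sum(fit_line(ts, ys)[0] for _, ts, ys, _ in slots) / len(slots)
    amps = [a for s in slots for a in s[3]]
    g = sum(amps) / len(amps)        # average amplitude of retained samples
    rows, slopes = [], []
    for m in sorted(set(ant)):                            # 7712
        reps = [(ts, ys) for a, ts, ys, _ in slots if a == m]
        if not reps:
            raise ValueError(f"no usable samples for antenna {m}")
        ts_all, ys_all = list(reps[0][0]), list(reps[0][1])
        slope = slope0
        icpt = sum(y - slope * x for x, y in zip(ts_all, ys_all)) / len(ts_all)
        for ts, ys in reps[1:]:
            # Project the line, measure the mean miss, and remove the whole
            # number of 2*pi turns in one step (the text iterates +/- 2*pi).
            diff = sum(y - (slope * x + icpt) for x, y in zip(ts, ys)) / len(ts)
            shift = TWO_PI * round(diff / TWO_PI)
            ts_all += ts
            ys_all += [y - shift for y in ys]
            slope, icpt = fit_line(ts_all, ys_all)        # refit, reuse slope
        slopes.append(slope)
        # 7720/7722: evaluate the line on the full time vector, rebuild IQ
        # (assumed form g * exp(i * phi) for the missing equation 51).
        rows.append([g * cmath.exp(1j * (slope * x + icpt)) for x in t])
    return rows, slopes


def make_capture(seed=1):
    """Constructed capture, not measured data: 3 antennas, 16-sample slots,
    4 repetitions, 250 kHz tone at 8 MS/s, junk in the first 2 samples of
    every slot to stand in for the switching transient."""
    rng = random.Random(seed)
    fs, tone, slot, reps = 8e6, 250e3, 16, 4
    offsets = [0.0, 1.1, -0.7]       # per-antenna phase offsets in rad
    r, ant = [], []
    for k in range(slot * len(offsets) * reps):
        m = (k // slot) % len(offsets)
        x = cmath.exp(1j * (TWO_PI * tone * k / fs + offsets[m]))
        if k % slot < 2:
            x = cmath.rect(rng.random(), rng.uniform(-math.pi, math.pi))
        x += complex(rng.gauss(0, 0.02), rng.gauss(0, 0.02))
        r.append(x)
        ant.append(m)
    return r, ant, fs, tone, offsets


if __name__ == "__main__":
    r, ant, fs, tone, offsets = make_capture()
    rows, slopes = reconstruct(r, ant, fs, guard=2)
    for m, s in enumerate(slopes):
        rel = cmath.phase(rows[m][0] / rows[0][0])
        print(f"antenna {m}: tone {s / TWO_PI / 1e3:.1f} kHz, "
              f"phase vs antenna 0 {rel:+.3f} rad")
```

A wrong 2π choice in the alignment step shows up as a tone frequency that is off by a multiple of the repetition rate, which is why the per-antenna slopes are worth checking before the rows are passed on.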
In one embodiment, the above method is implemented in a vehicle access system and/or PAK system with a circularly polarized antenna, as disclosed herein. Signals are received at a circularly polarized antenna. As described above, IQ data is determined based on the received signal, and the angle of arrival is determined using a MUSIC algorithm.
Fig. 78A-78C show a vehicle 7800 illustrating an example placement of a sensor 7802 that may be implemented as part of any PAK system disclosed herein and may be connected to any access module disclosed herein. Fig. 78C shows an example bounce reflection and corresponding path of a signal sent from key fob 7804 or other portable access device and detected at sensor 7802. In this example, sensor 7802 is located high up and in the center of vehicle 7800. The sensor 7802 may be located, for example, in a roof 7803 of the vehicle 7800. Sensor 7802 is positioned to cause multiple bounce paths of the transmitted signal before the transmitted signal is received at sensor 7802. For illustration purposes, key fob 7804 is shown low relative to the vehicle, but may be located at a higher position.
Fig. 79A-79C show a vehicle 7900 illustrating another example placement of a sensor 7902. Fig. 79C illustrates an example bounce reflection and corresponding path of a signal sent from a key fob 7904 or other portable access device and detected at sensor 7902. In this example, the sensor 7902 is located low and in the center of the vehicle 7900. The sensor 7902 may be located in the floor 7903 of the vehicle or in the center console 7905. The sensor 7902 is positioned to cause multiple bounce paths of the transmitted signal before the transmitted signal is received at the sensor 7902. For illustration purposes, key fob 7904 is shown low relative to the vehicle, but may be located at a higher position.
The sensors 7802, 7902 may be located in the metallic structure of the vehicle with few possible paths leading directly out of the vehicle (i.e., there is little possibility of a line of sight between the key fob 7804, 7904 and the sensors 7802, 7902). The metal structure may include a frame, a metal shell, a partially enclosed metal structure, a unitary structure, etc., which may be at least partially represented by dashed line 7903, as the floor may include at least a portion of the metal structure. Although a single sensor is shown in each of fig. 78A-78C and 79A-79C, two or more sensors may be included in each vehicle. In embodiments, each sensor includes two or more antennas, such as the two or more antennas disclosed and/or mentioned herein. In one embodiment, two sensors are included and each sensor includes two antennas such that there are four antenna paths. In another embodiment, a single sensor is included and the sensor includes three or more antennas. Although there may be no direct line of sight between the key fob and the sensor, because there are several to many signal paths between the key fob and the sensor, it may be possible to determine a short consistent distance between the key fob and the vehicle using the techniques disclosed herein. The distance information is used to determine whether access to the vehicle is permitted.
In one embodiment, ranging based on carrier phase is implemented using MUSIC algorithm or the like to determine the angle of arrival of the signals transmitted by the key fobs 7804, 7904. This may include eigenvalue decomposition. The distance between the key fob 7804, 7904 and the vehicle 7800, 7900 is determined based on the angle of arrival. Access is granted when the key fob 7804, 7904 is within a predetermined distance of the vehicle 7800, 7900. Although there is little likelihood of line of sight, the likelihood of the transmitted signal bouncing multiple times and reaching each of the sensors 7802, 7902 along multiple paths is high. This allows the corresponding access module to determine whether the key fob 7804, 7904 is close to the vehicle 7800, 7900. Multipath signal processing is performed over carrier phase based ranging. This may include time-of-flight signal processing as described above, for example with respect to fig. 37, 52-56, and 62. As an example, the access module of the vehicle 7800, 7900 may unlock a door of the vehicle 7800, 7900 when the key fob 7804, 7904 is within a predetermined distance of the vehicle 7800, 7900.
Ranging on indirect and reflected paths can be performed using BLE carrier phase based ranging by forcing an indirect signal transmission path, exchanging a predetermined number of closely transmitted tones, and finding an eigenvalue. A system with fewer sensors (referred to as anchors) may be used by placing the anchors so that the signal mainly follows an indirect path rather than a direct line-of-sight path.
In one embodiment, the RSSI of the transmitted signal is determined to determine whether the key fob 7804, 7904 is inside or outside of the vehicle 7800, 7900. If the key fob 7804, 7904 is outside the vehicle, carrier phase based ranging with eigenvalue decomposition is performed to determine if the key fob 7804, 7904 is within a predetermined distance of the vehicle 7800, 7900.
The above description is illustrative in nature and is not intended to limit the present disclosure, application, or uses. The broad teachings of the present invention can be implemented in a variety of different forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be performed in a different order (or simultaneously) without altering the principles of the present disclosure. Furthermore, while each of the embodiments has been described above as having certain features, any one or more of those features described with respect to any of the embodiments of the present disclosure may be implemented in and/or combined with the features of any of the other embodiments, even if the combination is not explicitly described. In other words, the described embodiments are not mutually exclusive and permutations of one or more embodiments with each other are still within the scope of the present disclosure.
Various terms are used to describe spatial and functional relationships between elements (e.g., modules, circuit elements, semiconductor layers, etc.), including "connected," "joined," "coupled," "adjacent," "beside," "on top of," "above," "below," and "disposed." Unless specifically described as "direct," when a relationship between a first element and a second element is described in the above disclosure, the relationship may be a direct relationship without other intermediate elements between the first element and the second element, but may also be an indirect relationship (spatially or functionally) with one or more intermediate elements between the first and second elements. As used herein, the phrase "at least one of A, B and C" shall be interpreted to mean a logical (A OR B OR C) using a non-exclusive logical OR, and shall not be interpreted to mean "at least one of A, at least one of B, and at least one of C."
In the figures, the direction of an arrow, as indicated by the arrowhead, generally illustrates the flow of information (such as data or instructions) that is of interest to the figure. For example, when element A and element B exchange various information, but the information sent from element A to element B is relevant to the illustration, an arrow may be directed from element A to element B. This one-way arrow does not mean that no other information is sent from element B to element A. Further, for information transmitted from element A to element B, element B may transmit a request for, or a reception acknowledgement of, the information to element A.
In the present application, including the following definitions, the term "module" or the term "controller" may be replaced with the term "circuit". The term "module" may refer to, be part of, or include: an Application Specific Integrated Circuit (ASIC); a digital, analog, or hybrid analog/digital discrete circuit; a digital, analog, or hybrid analog/digital integrated circuit; a Field Programmable Gate Array (FPGA); a processor circuit (shared, dedicated, or group) that executes code; a memory circuit (shared, dedicated, or group) that stores code executed by the processor circuit; other suitable hardware that provides the described functionality; or a combination of some or all of the above, such as a system on a chip.
A module may include one or more interface circuits. In some examples, the interface circuit may include a wired or wireless interface that is connected to a Local Area Network (LAN), the internet, a Wide Area Network (WAN), or a combination thereof. The functionality of any given module of the present disclosure may be distributed among a plurality of modules connected via interface circuitry. For example, multiple circuits may allow load balancing. In a further example, a server (also known as a remote, or cloud) module may perform part of the functionality on behalf of a client module.
The term "code" as used above may include software, firmware, and/or microcode, and may be programs, routines, functions, classes, data structures, and/or objects. The term "shared processor circuit" encompasses a single processor circuit that executes some or all code from multiple modules. The term "set of processor circuits" encompasses a processor circuit that executes some or all code from one or more modules in conjunction with additional processor circuits. References to multiple processor circuits encompass multiple processor circuits on a discrete die, multiple processor circuits on a single die, multiple cores of a single processor circuit, multiple threads of a single processor circuit, or combinations of the foregoing. The term "shared memory circuit" encompasses a single memory circuit that stores some or all code from multiple modules. The term "set of memory circuits" encompasses memory circuits that store some or all code from one or more modules in combination with additional memory.
The term "memory circuit" is a subset of the term "computer-readable medium". The term "computer-readable medium" herein does not encompass transitory electrical or electromagnetic signals propagating through a medium (such as on a carrier wave); the term "computer-readable medium" may thus be regarded as tangible and non-transitory. Non-limiting examples of a non-transitory tangible computer readable medium are non-volatile memory circuits (such as flash memory circuits, erasable programmable read-only memory circuits, or masked read-only memory circuits), volatile memory circuits (such as static random access memory circuits or dynamic random access memory circuits), magnetic storage media (such as analog or digital tape or hard disk drives), and optical storage media (such as CDs, DVDs, or blu-ray discs).
The apparatus and methods described in this application can be implemented in part or in whole by a special purpose computer created by configuring a general purpose computer to perform one or more particular functions embodied in computer programs. The functional blocks, flowchart components, and other elements described above serve as software specifications that can be translated into computer programs by the routine work of a skilled technician or programmer.
The computer program includes processor-executable instructions stored on at least one non-transitory tangible computer-readable medium. A computer program may also include or rely on stored data. A computer program may encompass a basic input/output system (BIOS) that interacts with the hardware of a special purpose computer, a device driver that interacts with a particular device of a special purpose computer, one or more operating systems, user applications, background services, background applications, and the like.
The computer program may include: (i) descriptive text to be parsed, such as HTML (hypertext markup language), XML (extensible markup language), or JSON (JavaScript Object Notation); (ii) assembly code; (iii) object code generated from source code by a compiler; (iv) source code for execution by an interpreter; (v) source code for compilation and execution by a just-in-time compiler, and so forth. By way of example only, the source code may be written using syntax from the following languages: C, C++, C#, Objective-C, Swift, Haskell, Go, SQL, R, Lisp, Fortran, Perl, Pascal, Curl, OCaml, HTML5 (Hypertext Markup Language version 5), Ada, ASP (Active Server Pages), PHP (PHP: Hypertext Preprocessor), Scala, Eiffel, Smalltalk, Erlang, Ruby, Lua, MATLAB, and SIMULINK.
None of the elements recited in the claims are intended to be means-plus-function elements within the meaning of 35 U.S.C. §112(f), unless an element is expressly recited using the phrase "means for" or, in the case of method claims, using the phrase "operation for" or "step for".

Claims (20)

1. An access system for a vehicle, the access system comprising:
a plurality of antennas (414,1102,1104,1410,1414,1424,1428,1438,1440,1502,1504,3102,3104,5300,5302,5304,5306,5412,7000,7602) configured to each receive a signal transmitted from a portable access device (32,34,400,5206) to the vehicle (30,200,108,5200,7800,7900), wherein the signal is transmitted at a frequency of 2.4GHz, wherein the plurality of antennas comprises:
a circularly polarized antenna (1104) comprising a conductive annular body having an inner bore;
a circular isolator (1106) connected to the conductive annular body; and
a linearly polarized antenna (1102) connected to the circularly polarized antenna and the circular isolator and extending outwardly therefrom, wherein the linearly polarized antenna comprises:
a sleeve (1112), and
a conductive element (1110) extending through the sleeve,
wherein the linearly polarized antenna is orthogonal to the radial extension of the circularly polarized antenna; and
an access module (36,21) configured to:
down-converting the received signal to generate an in-phase signal and a quadrature-phase signal,
performing carrier phase based ranging, including implementing a MUSIC (multiple signal classification) algorithm to (i) determine a distance between the portable access device and the vehicle, and (ii) determine an angle of arrival of the received signals received at the plurality of antennas,
determining a position of the portable access device relative to the vehicle based on the distance and the angle of arrival, and
access to the vehicle is granted based on the location.
2. The access system of claim 1, wherein the plurality of antennas are disposed in the vehicle such that the received signal has a plurality of corresponding bounce paths between the portable access device and the plurality of antennas.
3. The access system of claim 1, wherein the plurality of antennas are disposed in a metallic structure of the vehicle.
4. The access system of claim 1, wherein the plurality of antennas are positioned such that there is no line of sight between the plurality of antennas and the portable access device.
5. The access system of claim 1, further comprising a plurality of sensors (226,407,4106,7802,7902), wherein each sensor of the plurality of sensors includes two or more antennas of the plurality of antennas, and wherein the plurality of sensors are disposed in the vehicle such that the received signal has a plurality of corresponding bounce paths between the portable access device and each sensor of the plurality of sensors.
6. The access system of claim 1, wherein the access module is configured to:
monitoring the received signal and generating a received signal strength indication based on the received signal;
determining whether the portable access device is inside or outside the vehicle based on the received signal strength indication; and
when the portable access device is outside the vehicle, a distance between the portable access device and the vehicle is determined.
7. The access system of claim 1, wherein at least one of the plurality of antennas is a circularly polarized antenna (1104).
8. The access system of claim 1, wherein the access module is configured to implement the MUSIC algorithm while:
collecting an analytic signal sample of a signal received at each of the plurality of antennas to generate a received data matrix;
estimating a data covariance matrix based on the received data matrix;
using an eigenvalue decomposition process to determine an MxM matrix based on the covariance matrix, wherein M is an integer greater than or equal to 2;
determining the number of incident signals;
dividing the MxM matrix into a plurality of matrices;
calculating a MUSIC spectrum based on one of the plurality of matrices; and
a peak search is performed on the MUSIC spectrum to determine the angle of arrival.
9. The access system of any of claims 1 to 8, wherein:
the receiver comprises a phase locked loop (3940,3942) and is phase locked with a transmitter (3904,6106) of the portable access device; and
the access module is configured to perform a tone exchange with a transmitter and determine at least one of the distance or the angle of arrival based on the tone exchange.
10. The access system of any of claims 1 to 8, wherein:
the receiver comprises a phase locked loop (3940,3942) and is phase locked with a transmitter (3904,6106) of the portable access device;
the access module is configured to perform a tone exchange with the transmitter and determine round trip time of flight information based on the tone exchange; and determining the distance based on the round trip time of flight information.
11. A vehicle, comprising:
the access system according to any one of claims 1 to 10;
a vehicle body; and
a roof (46), a center console (7905), a floor (7903), or an at least partially enclosed metal structure, wherein said plurality of antennas are implemented in at least one of said roof, said center console, said floor, or said at least partially enclosed metal structure.
12. An access method for a vehicle, the access method comprising:
receiving, at each of a plurality of antennas, a signal transmitted from a portable access device (32,34,400,5206) to the vehicle (30,200,108,5200,7800,7900), wherein the signal is transmitted at a frequency of 2.4 GHz;
down-converting the received signal to generate an in-phase signal and a quadrature-phase signal;
sampling the in-phase signal and the quadrature-phase signal to form complex interleaved samples to recreate in-phase and quadrature-phase vectors for each of the plurality of antennas to form a data matrix;
performing carrier phase based ranging, including implementing a MUSIC (multiple signal classification) algorithm to (i) determine a distance between the portable access device and the vehicle, and (ii) determine an angle of arrival of the received signals received at the plurality of antennas;
determining a location of the portable access device relative to the vehicle based on the distance and the angle of arrival; and
access to the vehicle is granted based on the location.
13. The access method of claim 12, wherein the plurality of antennas are disposed in the vehicle such that the received signal has a plurality of corresponding bounce paths between the portable access device and the plurality of antennas.
14. The access method of claim 12, wherein the plurality of antennas are positioned such that there is no line of sight between the plurality of antennas and the portable access device.
15. The access method of claim 12, wherein:
the plurality of antennas in pairs are implemented as part of respective sensors (226,407,4106,7802,7902); and
the sensors are disposed in the vehicle such that the received signal has a plurality of corresponding bounce paths between the portable access device and each of the sensors.
16. The access method of claim 12, further comprising:
monitoring the received signal and generating a received signal strength indication based on the received signal;
determining whether the portable access device is inside or outside the vehicle based on the received signal strength indication; and
when the portable access device is outside the vehicle, a distance between the portable access device and the vehicle is determined.
17. The access method of claim 12, wherein at least one of the plurality of antennas is a circularly polarized antenna (1104).
18. The access method of claim 12, further comprising, while implementing the MUSIC algorithm:
collecting an analytic signal sample of a signal received at each of the plurality of antennas to generate a received data matrix;
estimating a data covariance matrix based on the received data matrix;
using an eigenvalue decomposition process to determine an MxM matrix based on the covariance matrix, wherein M is an integer greater than or equal to 2;
determining the number of incident signals;
dividing the MxM matrix into a plurality of matrices;
calculating a MUSIC spectrum based on one of the plurality of matrices; and
a peak search is performed on the MUSIC spectrum to determine the angle of arrival.
19. The access method of any of claims 12 to 18, further comprising:
performing a tone exchange with a transmitter (3904,6106) of the portable access device; and
at least one of the distance or the angle of arrival is determined based on the tone exchange,
wherein the receiver (228,3902,6108,7606) of the portable access device performing the tone exchange comprises a phase locked loop and is phase locked with the transmitter of the portable access device.
20. The access method of any of claims 12 to 18, further comprising:
performing a tone exchange with the transmitter (3904,6106) and determining round trip time information based on the tone exchange; and
determining the distance based on the round trip time of flight information,
wherein the receiver (228,3902,6108,7606) of the portable access device performing the tone exchange comprises a phase locked loop (3940,3942) and is phase locked with the transmitter of the portable access device.

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
US201962826212P 2019-03-29 2019-03-29
US62/826,212 2019-03-29
US201962850055P 2019-05-20 2019-05-20
US62/850,055 2019-05-20
US16/598,191 2019-10-10
US16/598,191 US10991182B2 (en) 2018-10-12 2019-10-10 Multi-axis polarized RF antenna assemblies for passive entry/passive start systems
US16/824,444 US11227453B2 (en) 2018-10-12 2020-03-19 Passive entry/passive start systems implementing carrier phase based ranging with music style eigenvalue decomposition for distance determinations
US16/824,444 2020-03-19
PCT/US2020/024708 WO2020205369A1 (en) 2019-03-29 2020-03-25 Passive entry/passive start systems implementing carrier phase based ranging with music style eigenvalue decomposition for distance determinations

Publications (2)

Publication Number Publication Date
CN113678176A CN113678176A (en) 2021-11-19
CN113678176B true CN113678176B (en) 2023-08-25

Family

ID=72667461

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080024760.XA Active CN113678176B (en) 2019-03-29 2020-03-25 Passive entry/passive start system for carrier phase based ranging using MUSIC style feature value decomposition for range determination

Country Status (4)

Country Link
JP (2) JP2022527310A (en)
CN (1) CN113678176B (en)
DE (1) DE112020001610T5 (en)
WO (1) WO2020205369A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2022288587A1 (en) * 2021-06-11 2023-11-16 Koherent Oy Method and arrangement for evaluating a distance between at least two antenna units
WO2023120682A1 (en) * 2021-12-23 2023-06-29 株式会社J-QuAD DYNAMICS Automatic unloading system and automatic unloading method
CN115079177B (en) * 2022-07-14 2022-11-15 浙江清环智慧科技有限公司 Distance measuring method and device, electronic equipment and storage medium
WO2024064018A1 (en) * 2022-09-23 2024-03-28 Apple Inc. Systems and methods for improved range and performance for low power radios

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS6064537A (en) * 1983-09-19 1985-04-13 Nissan Motor Co Ltd On-vehicle radio transmitter using induced electromagnetic field as medium
US5596234A (en) * 1992-11-19 1997-01-21 Kabushiki Kaisha Tokai-Rika-Denki-Seisakusho Method of disposing antenna of remote control device for vehicle
EP0787875A2 (en) * 1996-02-02 1997-08-06 Trw Inc. Portable transceiver for keyless vehicle entry system having phase delay
WO1997040481A1 (en) * 1996-04-25 1997-10-30 Trw Inc. Remote keyless entry system having a helical antenna
JP2934426B1 (en) * 1998-02-09 1999-08-16 株式会社ワイ・アール・ピー移動通信基盤技術研究所 Arrival wave estimation method
WO2001077468A1 (en) * 2000-04-11 2001-10-18 Robert Bosch Gmbh System for controlling right of access to a vehicle
WO2002001247A2 (en) * 2000-06-27 2002-01-03 Siemens Aktiengesellschaft Method for measuring distance between two objects and method for controlling access to an object or the use thereof, in particular access control and driving authorisation for a motor vehicle
US6535180B1 (en) * 2002-01-08 2003-03-18 The United States Of America As Represented By The Secretary Of The Navy Antenna receiving system and method
DE102016113320A1 (en) * 2015-07-22 2017-01-26 Gm Global Technology Operations, Llc TIME-BASED PASSIVE ACCESS PASSIVE START SYSTEM
FR3040498A1 (en) * 2015-08-31 2017-03-03 Valeo Comfort & Driving Assistance METHOD FOR DETERMINING A DISTANCE BETWEEN A VEHICLE AND A VEHICLE ACCESS AND STARTING IDENTIFIER
FR3060766A1 (en) * 2016-12-21 2018-06-22 Valeo Comfort And Driving Assistance METHOD AND SYSTEM FOR EVALUATING DISTANCE BETWEEN IDENTIFIER AND VEHICLE, ONBOARD SYSTEM AND IDENTIFIER
JP2019044535A (en) * 2017-09-06 2019-03-22 カルソニックカンセイ株式会社 Keyless entry system

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3640873B2 (en) * 1999-08-24 2005-04-20 松下電器産業株式会社 Direction estimation apparatus, directivity control antenna apparatus, and direction estimation method
JP4952387B2 (en) * 2007-06-05 2012-06-13 株式会社豊田中央研究所 Distance measuring device
EP2204669A1 (en) 2008-12-30 2010-07-07 Atmel Automotive GmbH System, method and switch for measuring the distance between two nodes of a wireless network
US9825373B1 (en) * 2015-09-15 2017-11-21 Harris Corporation Monopatch antenna
EP3734317B1 (en) * 2016-04-15 2022-08-03 Denso Corporation System and method for establishing real-time location
CN113490147A (en) * 2016-12-14 2021-10-08 株式会社电装 System and method for establishing location information about portable device and vehicle
JP6914647B2 (en) * 2016-12-15 2021-08-04 株式会社モバイルテクノ Position estimation device, position estimation program and position estimation method
JP6812955B2 (en) * 2017-02-28 2021-01-13 株式会社Soken Position determination system
JP6780570B2 (en) * 2017-04-07 2020-11-04 株式会社Soken Vehicle system equipment and vehicle system
US10393857B2 (en) * 2017-04-12 2019-08-27 Qualcomm Incorporated Methods and systems for measuring angle of arrival of signals transmitted between devices
JP2018194329A (en) * 2017-05-12 2018-12-06 株式会社東海理化電機製作所 Propagation distance estimating device

Also Published As

Publication number Publication date
JP2022527310A (en) 2022-06-01
DE112020001610T5 (en) 2022-01-20
JP2024001192A (en) 2024-01-09
CN113678176A (en) 2021-11-19
WO2020205369A1 (en) 2020-10-08

Similar Documents

Publication Publication Date Title
CN112840381B (en) Passive entry/passive start system for detecting extended range relay station attack
US11714184B2 (en) Up-sampling and cross-correlation for time of arrival determinations in passive entry/passive start systems
US11217048B2 (en) Passive entry/passive start systems implementing music algorithm based angle of arrival determinations for signals received via circular polarized antennas
US11227453B2 (en) Passive entry/passive start systems implementing carrier phase based ranging with music style eigenvalue decomposition for distance determinations
CN113678176B (en) Passive entry/passive start system for carrier phase based ranging using MUSIC style feature value decomposition for range determination
CN113692605B (en) Passive entry/passive start system for implementing MUSIC algorithm-based angle of arrival determination for signals received via circularly polarized antennas
JP7380706B2 (en) Upsampling and cross-correlation for arrival time determination in passive entry/passive start systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant