The present invention relates in general to vehicle electronic security systems, and, more specifically, to a method and apparatus for programming a secret key into a key transponder unit in a robust manner that avoids leaving partially programmed transponders in an undetermined state, which results in the scrapping of the transponder units.
Specially coded electronic transponders have been used as part of vehicle security systems to help ensure that access to the vehicle and/or starting of a vehicle engine is limited to a person carrying a transponder that is recognized by the vehicle. In one common form, a passive anti-theft system embeds a transponder in the head of a vehicle ignition key. When the key is turned in a lock in order to crank the vehicle engine, an electronic reader interrogates the transponder for a unique identification code that has been previously programmed into the reader. If the correct code is received, then the vehicle is allowed to start. The same key-mounted transponder can also be used in connection with a passive entry system that controls door locks in response to communication between a vehicle base station and the transponder. The transponder may alternatively be mounted in a fob which also functions as a remote keyless entry (RKE) transmitter or in any other device to be carried by a user.
In order to avoid placing a power source such as a battery into the key head, a passive (i.e., batteryless) transponder capable of being charged electromagnetically by the reader has been employed. A charge pulse coupled from the reader to the transponder pumps up a charge on a capacitor that then supplies power to allow the transponder to transmit its identification code to the reader.
The earliest passive anti-theft systems transmitted information only in one direction (i.e., from the transponder to the reader). One potential vulnerability of such systems involves the cloning by an unauthorized person of the identification code into the transponder of another key unit. In this scenario, the unauthorized person obtains temporary possession of the legitimate key (e.g., at a valet parking service or during servicing of the vehicle at a repair shop) and interrogates it with a reader that then saves the identification code for later programming into another transponder. This facilitates stealing the vehicle at a later time.
To prevent such cloning of a transponder's code, systems with two-way communication have been introduced wherein the vehicle reader must authenticate to the electronic key before the electronic key will transmit the unique password that gains access to or starts the vehicle. The two-way (i.e., mutual) authentication increases security and eliminates the ability of a potential thief to learn the secret transponder password without first knowing a unique, secret code used for encrypting communications which is given to the key transponder by the base station (e.g., vehicle reader or factory programming unit) during programming. Thus, a typical communication sequence of the security system involves 1) the electronic key providing an unprotected, freely-given ID code to the reader, 2) the reader using a secret encryption algorithm and a secret key to generate encrypted secret data and then sending it to the key transponder, 3) the key transponder decrypting the data using the secret key and comparing it to stored data, 4) if the decryption produces a successful match, then the key transponder sending its secret password to the reader, and 5) the reader comparing the secret password with its stored value for authorized keys with the ID code identified in step 1 and granting vehicle access accordingly. Typically, the secret encryption key is unique to a particular vehicle and the vehicle uses the same secret key on each of its programmed electronic keys. Alternatively, more than one secret encryption key could be used by a vehicle to distinguish between different key transponders.
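The five-step sequence above, modeled from both sides as an added example (not code from the patent or any vehicle system). The cipher is a stand-in, since the page does not specify the secret encryption algorithm; the nonce, class names, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def xor_crypt(secret_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 keystream."""
    stream = hmac.new(secret_key, nonce, hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

class Transponder:
    def __init__(self, id_code, secret_key, stored_data, password):
        self.id_code = id_code
        self._key, self._data, self._password = secret_key, stored_data, password

    def give_id(self):                     # step 1: the ID code is freely given
        return self.id_code

    def respond(self, nonce, ciphertext):  # steps 3 and 4
        plain = xor_crypt(self._key, nonce, ciphertext)
        if hmac.compare_digest(plain, self._data):
            return self._password          # reader proved it holds the secret key
        return None                        # reader not authenticated: stay silent

class Reader:
    def __init__(self, secret_key, stored_data, authorized):
        self._key, self._data = secret_key, stored_data
        self._authorized = authorized      # id_code -> expected secret password

    def authenticate(self, key_unit) -> bool:
        id_code = key_unit.give_id()                         # step 1
        nonce = secrets.token_bytes(8)
        challenge = xor_crypt(self._key, nonce, self._data)  # step 2
        password = key_unit.respond(nonce, challenge)        # steps 3 and 4
        expected = self._authorized.get(id_code)             # step 5
        return (password is not None and expected is not None
                and hmac.compare_digest(password, expected))

# Constructed sample values, not taken from any real system.
VEHICLE_KEY = bytes.fromhex("0a1b2c3d4e5f")  # 6-byte secret key
STORED_DATA = b"\x11\x22\x33\x44"
PASSWORD = b"\xde\xad\xbe\xef"
ID_CODE = b"\x00\x00\x12\x34"

def demo():
    key_unit = Transponder(ID_CODE, VEHICLE_KEY, STORED_DATA, PASSWORD)
    vehicle = Reader(VEHICLE_KEY, STORED_DATA, {ID_CODE: PASSWORD})
    nonce = b"\x00" * 8
    wrong = xor_crypt(b"\x00" * 6, nonce, STORED_DATA)  # reader lacking the key
    return vehicle.authenticate(key_unit), key_unit.respond(nonce, wrong)
```

`demo()` returns `(True, None)`: the vehicle's reader is granted access, while a reader without the secret key never receives the password.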
It is very important that the programming of a key transponder be very robust, in the sense that a new secret encryption key being written must be accurately copied into the transponder memory in full. Any errors or malfunctions that cause only partial writing of a secret key can lead to an undeterminable value being stored in the transponder, thereby making it impossible to communicate further with the transponder. The secret code is typically several bytes long (most typically 6 bytes or 48 bits) and is stored in an electrically erasable programmable read only memory (EEPROM) in the transponder. An EEPROM is usually organized into separately addressable pages which are shorter than the length of the secret key (e.g., pages of 4 bytes). The pages must be written separately by issuing separate write commands to the transponder. The amount of time required for multiple write operations increases the risk that transient conditions will disrupt proper storing of the desired data. Various circumstances such as inadvertent removal of the electronic key from the reader/programmer before programming is completed, a power interruption during programming, or radio interference during programming can result in interruption of the process of writing a new secret key. Programming in a vehicle assembly plant by the manufacturer is especially problematic because, for example, it is hard to maintain low electrical noise in the vicinity of the reader/programmer.
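The partial-write failure described above, simulated as an added example (not code from the patent): a 6-byte key spans two 4-byte pages, so an interruption between the two write commands leaves a hybrid value. The zero-padded page layout, the class and function names, and the sample keys are assumptions constructed for illustration.

```python
PAGE_SIZE = 4  # bytes per EEPROM page (the page's example)
KEY_LEN = 6    # bytes in the secret key (the page's typical value)

def to_pages(key: bytes) -> list:
    """Split a key into zero-padded PAGE_SIZE pages (layout is an assumption)."""
    padded = key.ljust(-(-len(key) // PAGE_SIZE) * PAGE_SIZE, b"\x00")
    return [padded[i:i + PAGE_SIZE] for i in range(0, len(padded), PAGE_SIZE)]

class TransponderEeprom:
    def __init__(self, key: bytes):
        self.pages = to_pages(key)

    def write_page(self, index: int, data: bytes) -> None:
        self.pages[index] = bytes(data)  # one write command per page

    def stored_key(self) -> bytes:
        return b"".join(self.pages)[:KEY_LEN]

def program_key(eeprom, new_key, interrupted_after=None) -> bool:
    """Issue one write per page; stop early to model a disrupted session."""
    for index, page in enumerate(to_pages(new_key)):
        if interrupted_after is not None and index >= interrupted_after:
            return False                 # key removed, power lost, or RF noise
        eeprom.write_page(index, page)
    return True

def key_state(eeprom, old_key, new_key) -> str:
    """What a programmer that knows only old_key and new_key would find."""
    stored = eeprom.stored_key()
    if stored == new_key:
        return "new"
    if stored == old_key:
        return "old"
    return "undetermined"                # matches neither key it could try

# Constructed sample keys, not from any real transponder.
OLD_KEY = bytes.fromhex("a1a2a3a4a5a6")
NEW_KEY = bytes.fromhex("b1b2b3b4b5b6")

def run_cases() -> dict:
    results = {}
    for cut in (0, 1, None):             # pages written before the interruption
        eeprom = TransponderEeprom(OLD_KEY)
        program_key(eeprom, NEW_KEY, interrupted_after=cut)
        results[cut] = (key_state(eeprom, OLD_KEY, NEW_KEY),
                        eeprom.stored_key().hex())
    return results
```

With one page written, the stored value is `b1b2b3b4a5a6`, which is neither the old nor the new key.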