I recently bought a 500x USB microscope off ebay. Let's use that as an excuse to have a look at two arch rivals from the late 2000's: Q-Free and Fenrits electronic toll tags.
Here's the microscope. It's actually just a very near-sighted webcam with a mount, but it does the job. The quality is so-so. Up close it's not very good, but if you zoom out a little it's acceptable. I guess there's something about the saying "you get what you pay for." With a little extra lighting and some patience on the zoom wheel it's OK.
The one we'll have a look at first is the Q-Free tag that was recently removed from my car. I was told the battery is dead, and the tag should be disposed of. Heh, no. I was very interested in what's inside this one.
Now, the first thing I noticed is the tamper pin. When you remove the tag from its mounting bracket, this spring-like pin will drop to a contact surface and pull a pin on the DSRC controller up. A "tamper bit" is set and the toll road officials will be notified the next time you pass. If it's an automated booth, like we have here in Norway, your photo will be taken for further inspection. This is to prevent from tags from being moved between cars.
It's also interesting to see that the PCB is directly exposed at this point. This must mean that the mounting bracket forms a pretty good seal, condering the amount of moisture that accumulates on the inside of a windshield.
On the front side of the housing there are 9 drilled holes that also caught my attention.
These are guides to a set of test pins on the PCB, probably used to personalize the tag so it identifies your vehicle.
Here is the bottom side of the PCB exposed. The silver housing is a grounded RF noise shield for the PCB antenna located on the other side. Interestingly, there's also an additional reflector inside the case as well. The battery is labelled "Size 1/2 AA" and is a 3.6V Tadiran Lithium SL850/P.
This is the front side of the PCB. There's a handwritten number on top, B331. I don't know what this means, or why it's written there. Maybe it's a batch number. Anyway, let's inspect the three IC's, starting to the left going clockwise. The first IC is a 7404 NAND gate, so there's really nothing surprising going on there. However the next IC on is the DSRC controller 27PA5885N-2C. I couldn't find any datasheets for this IC, which leads me to think it may be a proprietary ASIC. It even has a dedicated 12MHz crystal.
Here's a close-up of the IC. The second line says "DSRC EFC CTRL", which probably stands for "Dedicated Short Range Communications Electronic Fee Collection Controller." This little guy deals with the communication, 3DES encryption and the local storage.
The next IC is AT25160 a serial EPROM (pdf). This chip can also be programmed via the test pins I mentioned earlier, and this is probably where all the personalized data is stored, as well as a short transaction log. I suspect that this is also the place the DES keys are stored. I will try to dump the contents of this one later on, but I doubt I will find anything useful.
I used to work for a Q-Free competetor called Fenrits. We did some low volume production for Norway, and attempted to take some international market. Unfortunately the competition was too hard, and eventually the production was halted rendering employees reduntant. I kept a tag as a souvenir, and let's have a look at it and compare it to the one from Q-Free.
This tag has the optional buzzer mounted, as well as a debug port (bottom pins). Other than that, the tag is pretty much standard. You'll notice that it does not have an on-board battery, but a connector on the side for replaceable batteries. This was a major selling point back then. There's also completely different design on the PCB antenna, as opposed to the square one on the Q-Free tag.
This is the Fenrits FZB240i, which is a proprietary RF ASIC manufactured by Fenrits. When it detects activity in the 5.8GHz range, it wakes up the FZP460i and feeds it the demodulated bit stream. It also generates the clock for the mcu, if I remember correctly.
This is the main FZP460i MCU that maintains all the 3DES, communication, storage, keys and transaction logs. It's capable of implementing a variety of protocols with minimal effort.
All tag personalization was done via the radio link. We also experimented with patching and upgrading the firmware via the same RF link, which would have simplified and extended the life span of the tags dramatically. Unfortunately, the shop was closed before we got a chance to break the news.