An Improved Design and Implementation of a Range-Controlled Communication System for Mobile Phones

The Short-range-controlled communication system (RCC) based on a subscriber identity module (SIM) card is a replacement for the standard near-field communication (NFC) system to support near-field payment applications. The RCC uses both the low-frequency (LF) and high-frequency (HF) wireless communication system. The RCC communication distance is controlled under 10 cm. However, current RCCs suffer from compatibility issues, and the LF communication distance is lower than 0.5 cm in some phones with completely metallic shells. In this paper, we propose an improved LF communication system design, including an LF transmitter circuit, LF receiver chip, and LF-HF communication protocol. The LF receiver chip has a rail-to-rail amplifier and a self-correcting clock recovery differential Manchester decoder, which do not have the limitations of accurate gain and high system clock. The LF receiver chip is fabricated in a 0.18 μm CMOS technology platform, with a die size of 1.05 mm × 0.9 mm and current consumption of 41 μA. The experiments show that the improved RCC has better compatibility, and the communication distance reaches to 4.2 cm in phones with completely metallic shells.


System Building Blocks
The RCC uses short-range LF communication to restrict the HF communication distance to [0, 10 cm] with proposed LF-HF protocols. Figure 1 shows the building blocks of the RCC, where communication is occurring between two devices: the master device with a reader circuit board and the slave device with an improved RF-SIM card. The reader circuit board consists of a microcontroller unit (MCU) that is responsible for communication, an HF transceiver, and an LF transmitter. The slave device includes an SE chip, an HF transceiver, and an LF receiver. The LF circuit operates in the simplex mode, the message is transformed from the LF transmitter in the master device to LF receiver in the slave device, and there is no power transmission in the LF system. Assuming the tuning coil of LF transmitter is circular with a radius r, turn number N r , and changing current I r for sending information. The changing current creates a magnetic field. The coupling coil in the SIM card is irregularly shaped, with turn number N s and area S. Assuming that two coils of the transmitter and receiver have an interval of x. The voltage V s induced in the receiver coil is as follows [20]: V s ≈ N r N s µ 0 Sr 2 /(2 (r 2 + x 2 ) 3 )dI r /dt (1) µ 0 in (1) is the magnetic permeability of air or vacuum with a value of 4π × 10 −7 . Equation (1) is applicable for two coils in the air. Actually, the two coils are not totally parallel. There is shell material between the two coils, which also affect the V s : π f µγ QcosαN r N s µ 0 Sr 2 /(2 (r 2 + x 2 ) 3 )dI r /dt (2) In Equation (2), Q is the quality factor of the resonant circuit; e −t √ π f µγ is the magnetic-field attenuation factor [15]; t denote the thickness; f denotes the working frequency of LF; µ denotes the permeability; γ denotes the conductivity of the shielding material; and α is the angle between the transmitter coil and the coupling coil, when the two coils are parallel, α = 0.
LF uses magnetic coupling modulation to transform the differential Manchester code at the cm level. A large x signifies better implement of RCC reader equipment and user experience. The RCC is proposed to replace the NFC. Because the LF transmitter coil is always put in the place of the NFC reader coil in the reader equipment, so r and N r are constrained. The SIM card size is small, the micro-SIM card is 12 mm × 15 mm, the nano-SIM card has a smaller size of 12 mm × 9 mm. If the die size of the LF receiver chip is small, the LF receiver chip can have a package-in-package (PIP) bonding design with the SE chip, which can save some space to increase the tuning coil number. The die size of the LF receiver in previous work [20] was too large to perform PIP bonding with the SE chip. One method to obtain a larger x is to obtain a higher V s ; another method is to decrease the signal loss in analog frontend circuit of the LF receiver.

Low-Frequency Transmitter
The transmitting LF signal is modulated in the MCU as V m and sent to the LF transmitter circuits in the master device, as shown in Figure 1. From Equation (1), a large changing current is needed to generate a powerful magnetic field so that the LF receiver can function effectively. We use separate components to produce a large changing current, as shown in Figure 2. Two class-D amplifier chips are used to convert voltage V m into current I r at the LF coil and deliver wireless messages to the LF receiver. V 1 and V 2 are reference voltages without a precision requirement, and a simple resistance voltage divider circuit is used to generate V 1 and V 2 . V m is obtained using the pulse width modulation (PWM) method; the PWM is widely used to produce a sine-wave current for motor driver applications. The transmitting LF signal is a differential Manchester code, and the modulation is in the PWM mode, as shown by V PW M in Figure 2. A carrier waveform is added to increase the changes in I r . The frequency of carrier waveform is usually at the MHz level and determined by the MCU.

Low Frequency Receiver
Limited by the size of the SIM card, the LF receiver is designed in a single chip with an LF analog frontend and digital logic. The analog frontend circuit is used to process the induced weak V s to the ideal digital signal V SI M in Figure 1. The SIM card, based on [20], has a high fail communication rate in phones with a completely metal shell, because the distance of LF communication is lower than 0.5 cm. The induced weak V s goes through three programmable gain amplifiers (PGA), a buffer is used to obtain large loading capacities, and six digital-to-analog convertors (DAC) and six comparators are used to convert the analog signal to a digital differential Manchester code and obtain the magnetic field intensity, as shown in Figure 3a. The magnetic-field intensity is used to judge whether the SIM card is in or out of the magnetic field. The signal processing path is too long, and there may be some signal loss or noise interference in these long processing paths. In this paper, we propose an improved analog frontend for LF receiver as shown in Figure 3b, a two-stage high gain rail-to-rail amplifier is used to amplify V s , and a comparator is used to obtain V SI M . The "in or out" decision of the magnetic field is made using digital logic.

Antenna Matching Circuits
Before the V s goes the rail-to-rail amplifiers, a matching circuit is inserted, as shown in Figure 4. In [20], R1, C1, C2, and R2, C3, C4 comprise two Π match networks. This kind of match network is usually used in NFC impedance matching of antenna coils to obtain the maximum communication distance [21][22][23]. The induced voltage in the 13.56 MHz NFC system is as high as the V level. The induced voltage V s in this proposed LF system is as low as the µV level. A Π matching network consumes the induced power and makes V s even worse. Because the matching circuits are printed on SIM card substrate, we also bonded some SIM card from [20] with different values of resistance and capacitance, as shown in Figure 4. One removes R2, C3 and C4, and the other removes R2, C3, C4, and C2. The experiment shows the distance x is improved in both of the two new methods. The best is that with R1 and C1. Some phones with complitely metallic shells with this kind of SIM card can have a 0.2 ∼ 0.4 cm improvement. R 1 and C 1 comprise a lowpass filter (LPF), and the cut-off frequency f c = 1/(2πR 1 C 1 ).
The LF working frequency channel in this paper is at the kHz level, and f c is set at 100 kHz in this system. The coils in the micro-SIM card and nano-SIM card are not the same size, and the values of R 1 and C 1 in these two kinds of SIM card are also different. The best distance is obtained at R 1 = 100 Ω and C 1 = 47 pF for the micro sim card, and R 1 = 10 Ω and C 1 = 2.2 nF for the nano-SIM card.

Rail-to-Rail Amplifiers
According to Equation (1), for example, the reader coil is 60 mm by 60 mm with 88 turns, and the coil in the nano SIM card is 11.8 mm by 8.8 mm with 18 turns. The voltage peak-to-peak value of the reader is 3.8 V, and the impedance of the reader coil is 56 ohm. V s = 50 µV at x = 8 cm, and V s = 20 µV at x = 12 cm according to Equation (1) in [20]. The max x is obtained when all amplifiers are at max gain, the total gain is 96,000, and the maximum value of x in theory is 16 cm; however, the actual maximum value x is 12 cm in [20], which means there are signal losses in analog frontend circuits.
In the RCC, the slave device should obtain the status whether it is in or out of the magnetic field. When V s is amplified by three amplifiers, six DACs and six comparators are used to detect magnetic field intensity. The six DACs are programed with different values, and the six comparators can obtain six signals with different period windows of value "1", thus the action of in or out of magnetic field can be caculated by comparing the six period windows. A buffer is needed to increase signal drive capability because it will send it to six comparators. In this paper, we do not use the method involving the analog circuits of six DACs and six comparators. We use digital logic to detect the in or out of magnetic-field action. The LF reader sends several continuous preamble frame at the start of RCC communication and during the idle time. We can obtain the in or out status by recording whether it receives preamble frame at times.
The induced signal at the receiver coil is small, and the cascade amplifiers are used to produce the expected ideal waveform V SI M ; this process has no requirement in terms of gain accuracy. Three similar amplifiers are used with programmable gain in [20], as shown in Figure 3a. R7, C7, and R8, C8 are two low-pass filters. C10, C11, and C12 are blocking capacitors (cap bl ) which are used to add common voltage V REF . The blocking capacitors are large (at the pF level) and suffer mismatch issues. These filters and blocking capacitors increase the signal loss in the amplify process.
In this paper, we simplify the design of analog frontend circuits as shown in Figure 3b. Two-stage rail-to-rail amplifiers with fixed gain of 51,200 are used instead of three programmable gain amplifiers, as shown in Figure 5. Because there is a LPF in coil matching circuit in Figure 4, there is no extra LPF in proposed rail-to-rail amplifiers, nor are the large blocking capacitors needed. In Figure 5, M1, M4 and M2, M5 are rail to rail input stage. M8, M9, M10, M11, M14 and M15 are first-stage amplifier. M16 and M17 are second-stage amplifier [24,25], and these two transistors also form a class AB amplifier. Table 1 gives the transistor dimensions of the two amplifiers. For example, M0 consists of 8 transistors with a width of 12 µm and a length of 4 µm. The simulation shows the phase margin of rail-to-rail amplifiers is larger than 52 • . The LF communication distance x is only a few cm. Considering that different mobile phones have different magnetic field shielding strengths, and the LF reader coil is installed some distance from the surface of the master device, x needs to be improved as much as possible to allow space for installment and to improve the application convenience of the RCC. In place of x, V amp is similar to the ideal waveform V SI M . For x + i, V amp is worse than V SI M , and a comparator is used to produce the ideal waveform V SI M . The comparator is used to compare the V REF and V amp and to output "0" or "1". Table 1. Transistor dimensions of the two amplifiers.

Self-Correcting Clock Recovery Differential Manchester Decoder
There are many methods of differential Manchester decoding. The basic method is based on the accurate clock counter to identify "1" and "0" [26]. This method requires high chip-clock accuracy and consistency, and the period of the LF working frequency T m being fixed at the transmitter and receiver. In CMOS technology, the clock generated by the oscillator using a resistive and capacitive network (RCOSC) is different from that in chips. The clock frequency deviation can range from −50 to +50% at the worst if the oscillator is not trimmed.
In previous work [20], a high-level threshold register and a low level threshold register were used to generate a decoding clock, and this design can adjust to a clock frequency deviation of ±30%. However, this method needs a high system clock to get a large value of high and low-level threshold register. Meanwhile, when the working frequency of LF is changed, a new value of high-and low-level threshold registers should be reloaded by the SE chip.
In this paper, a self-recovery clock method is used to eliminate the dependence on system clock precision and adjusted to different LF working frequencies, as shown in Figure 6. In the differential Manchester code, a clock is generated at the fall and rise edge of V md . In the generated clocks, there are some redundant clocks, so a delay time is used to mask the redundant clocks, and what are left arethe recovery decoding clocks. The process is as follow: First, two consecutive high-level and low-level periods are counted as T h and T l . When T h : T l is ≈ 1:2 or 2:1, T m can be obtained by T m = max(T h , T l ), this happens when the differential Manchester code is changing (1 → 0 or 0 → 1). Signal c is obtained by detecting the rising and falling edges of V md . Signal d is obtained by broadening the pulse period of c to 3/4 T m . Using inverted d to mask the redundant pulse c ' in c, the recovery clock clk m is obtained, and the decoded message a can be obtained by sampling V md using clk m . Compared with the original clock counter method, this method can adapt to a variety of signal periods.

Low Power Design
The proposed analog frontend circuits are simple compared to those in [20]. The other circuits are auxiliary circuits including a bandgap (BG), two voltage regulators (VR), and a RCOSC. The BG provides the reference voltage V REF and current I re f for the analog frontend circuits. Figure 7 gives the circuits of bandgap [27]. V REF = 1V in this work. MS1, MS2, MS3, MS4, MS5 and MS6 are boot circuits for bandgap. Table 2 gives the transistor dimensions of the banggap circuits. One VR is for the analog frontend circuits which is 2 V, and the other one is for the digital logic and is 1.8 V. The SPI interface is designed to be asynchronous to avoid the need for a high working frequency clock. This means that the clock signal of SPI interface is used directly. The primary threats to asynchronous circuits are glitches in the SPI interface pins. We add a resistance-capacitance (RC) passive filter and a Schmidt trigger with hysteresis comparison in input-output (IO) circuits to remove glitches. Because the proposed differential Manchester decoding method uses a self-recovery clock and is asynchronous to system clock, the system clock has no accuracy or high-frequency requirements. A low frequency 50 KHz RCOSC can be used without trimming. The RCOSC is designed in low power mode that works in the subthreshold region with a current consumption of less than 500 nA [28]. The dynamic power of digital logic can be calculated as P d = CV 2 f [29]. Because the RCOSC frequency is low, i.e., 50 KHz compared to 360 KHz in [20], the power consumption of digital logic also decreases.

Range-Controlled Communication Protocols
The HF communication distance is at the meter level, and the LF communication distance is at the centimeter level. The RCC protocol restricts HF to work only when LF establishes a connection.

Frame Format of Low-Frequency Communication
The frame format of LF is composed of the preamble, control domain, valid data, and cyclic redundancy check (CRC) bits, as shown in Figure 8a. The preamble is used for frame synchronization and consists of eight "1" bits and one "0" bit to form "111111110", this is helpful to obtain T m for the proposed differential Manchester decoder. The form of preamble also means that eight continuous "1" bits cannot exist in next frame data to ensure the preamble form is unique. The scrambling mechanism is added at the LF reader to avoid eight consecutive "1" bits in the sequence. A scrambling code "0" is added after every seven consecutive "1" bits in the data stream as shown in Figure 8b. The LF receiver automatically processes the scrambling code to obtain the transmission data. The control domain defines the frame type (data frame or command frame) and data length. CRC is used to verify the control domain and valid data. The generated polynomial of CRC is x 8 + x 2 + x + 1.

Protocol for Range-Controlled Communication
Data transmission in LF is encrypted. The encryption process is carried out in the MCU of the master device, and decryption is carried out by the SE chip [30]. RCC must be carried out within the effective distance of LF, as described in Figure 9. The workflow of the proposed protocol session includes four stages: activation, access, transaction, and stop. In the activation phase, the initiator first sends 20 preambles, then generates ID m , and calculates the HF activation response (ATI) frequency channel f ATI according to ID m . If the HF frequency channel is currently occupied, ID m needs to be regenerated until the selected ATI frequency channel is idle.
The initiator sends the INQUIRY command with ID m and f ATI through the LF channel. The responder is activated after receiving the INQUIRY command and generates ID s and the HF frequency channel f access for the access and transaction stages. The responder also must ensure that the generated f access is currently idle. The responder sends an ATI message, including ID s and f access through the HF channel at the working frequency f ATI . The responder enters the access phase after sending the ATI. If initiator doesnot receive the ATI message, it goes back to activation phase.
The HF channel in the access and transaction stages operates at frequency f access . The initiator sends a connection request CONNECT_REQ through the HF channel in the access phase. The responder receives the CONNECT_REQ command and sends the response CONNECT_RSP to the initiator within 8 ms. The responder enters the transaction stage after sending CONNECT_RSP.
The initiator sends an encrypted data exchange request APDATA_REQ through the HF channel in the transaction stage. At the same time, the LF channel is used to send the corresponding encryption key. Once the responder receives APDATA_REQ and the encryption key, it parses and executes the APDU command encapsulated in APDATA_REQ, then encapsulates the response in APDATA_RSP and sends it to the initiator. If the responder receives the wrong APDATA_REQ or the receiving time is beyond 100 ms, it will return to the activation stage. The responder will send APDATA_RSP or the long time wait frame (LTW) to the initiator within 500 ms and remain in the transaction stage. To maintain the transaction phase, the initiator sends the LINKCTL_REQ frame through the HF channel every 44 ms during the idle time of the transaction phase.
When the transaction stops normally or the responder's status is abnormal, the initiator must send a CLOSE_REQ command to close the connection through the HF channel. After receiving the first correct CLOSE_REQ command, the responder immediately closes the transaction and returns to the activation stage.

Setup
The LF receiver chip was fabricated using a 0.18 µm technology platform, as shown in Figure 10a. The die area is 1.05 mm × 0.9 mm, and the current consumption is 41 µA. The measurement environment of RCC is illustrated in Figure 10b. HF is a 2.45 GHz chip. The RCC reader board has a separate antenna printed circuit board (PCB) with an LF coil and an HF antenna, and it is usually installed on the surface of point-of-sales (POS) equipment. A USB2UART cable is used to connect the RCC reader board and computer and print RCC information on the computer. A development test board with the LF receiver chip, SE chip and HF chip is used to measure the waveform of the LF chip in air. Some LF receiver chips are packaged in chip-on-board mode (COB), and a empty flexible substrate of the SIM card is used because the LF receiver coil and coil matching circuits are inside it.
We also fabricated SIM cards with the SE chip, HF chip, and LF receiver chip. Figure 11 presents an X-ray graph of the SIM cards. The substrate of SIM card is double-sided PCB. The micro-SIM card has a large card size: the LF coil is outside, and the HF antenna is inside. The nano-SIM card is small: the LF coil and HF antenna are superimposed, the LF coil is on the bottom side and the HF antenna is on the top side. Because the die size is smaller than that of an SE chip, the SE chip and LF receiver have a package-in-package (PIP) design in both types of SIM card, and N r is increased four turns compared to that presented in [20]. The coil matching circuit is still a LPF, as shown in Figure 4.   Figure 12 shows the output voltage of V amp at 25 • C in air by COB at 4 KHz. The maximum communication distance is 12.3 cm. When the x distance is shorter than 11.5 cm, V amp is very close to the ideal waveform V SI M , as shown in Figure 12a, and it can be directly sent to digital differential Manchester decoder. When x ∈ (11.5 cm, 12.2 cm), V amp becomes worse, as shown in Figure 12b, and a comparator with judge threshold of V REF is used to obtain the digital signal V md , which can still be decoded correctly. When x > 12.2 cm, the waveform of V amp is even worse, as shown in Figure 12c, thus, the qualified digital V md is too bad to be decoded, and LF communication fails.

Waveform of LF Analog Frontend Circuits
We perform the LF data transmission experiments in the air by COB at 4 KHz like these: the LF reader sends a frame of 16 byte data 1000 times. If the LF receiver chip receives a frame, and the CRC check is correct, a data correct interrupt signal will be sent out and SE will read the data through SPI interface. N se is the number of times that SE has read the correct data which is equal to LF reader sends. We calculate the data transmission error rate as p e = (1000−N se )/1000. The results show that p e = 0 when x < 11.5 cm. When x ∈ (11.5 cm, 12.2 cm), p e ∈ (10%, 60%), and p e = 100% when x > 12.2 cm. In previous work [20], we find that when LF reader sends a frame with continuous "1", x will decrease. The worst situation was occured when the LF reader sends a frame of 16 byte "FF", x decreases as much as 2.5 cm. Since we use the new rail-to-rail amplifiers, we do not observe the distance decreases in data transmission experiments.

Comparison with Previous Work
In Table 3, we present a comparison of LF receiver chips. Compared to previous work, we do not use the LPF and large blocking capacitors (cap bl ) to avoid signal loss, and two-stage amplifiers are used instead of the previous three-stage amplifiers. The gain is 51,200 which can get the same communication distance as previous work. Besides, there is only one comparator (Comp) compared to six DACs and six comparators, and the OSC frequency is decreased from 360 KHz to 50 KHz. The proposed LF receiver chip proposed in this paper has a smaller die size and current consumption. In [20], the development board was placed in different temperatures to study the effects on the LF receiver. We performed the same experiments, and Table 4 shows the comparison results. COB ori is the COB in [20] with two Π coil matching circuits. COB ant is the COB with the LF receiver in [20], and an improved LPF coil matching circuit in Figure 4. COB pro is the COB with the LF receiver proposed in this paper and an LPF coil matching circuit. COB ant achieves an almost 0.3 cm distance improvement compared to COB ori . COB pro achieves the same x as COB ant , and because COB pro has no current leakage at low temperatures, the distance decrease in low temperature for COB ori does not occur in COB pro . The proposed range-controlled communication system can adjust to different LF frequencies varying from 2 kHz to 4 kHz. The RCC has nearly 80 interactive communications in the transaction phase for one payment operation. The previous research have found that the larger the x, the larger the successful communication ratio. We compared the communication distance for the SIM card at 25 • C in different mobile phones of different companies for 2 kHz and 4 kHz. The test results are summarized in Table 5. SI M ori is the SIM card in [20], and SI M pro is the SIM card with the LF receiver proposed in this paper. The proposed SIM card has more than a 3 cm improvement as compared with previous work, and it still has 4.2 cm in phones with a metal shell, as VIVO V3M and Huawei Mate 9. The results also show that in the metal phones, the SIM card has a better distance at 2 KHz than 4 KHz, and the other phones behave better at 4 KHz than 2 KHz. The reason for this may be that the 2 KHz frequency has a better signal penetration than 4 KHz, and 4 KHz has lager magnetic-field intensity than 2 KHz. It is better to change LF frequency to obtain a better x for phones. In the activation phase, when it fails, the initiator changes the LF frequency, and re-performs the activation operation. Many wafers are produced to support the RCC application. These wafers are given a circuit probing (CP) test before being packaged in the SIM card. The CP test vector collects the output of LDO and low power RCOSC. The foundry monitor the process variation in the manufacture process, and they found that one piece of wafer's PHR_60X2_RES window is lower than the target value of 1075, as shown in Figure 13. THE CP test found that the output frequency of RCOSC is lower to −50% in this wafer. We packaged 200 SIM cards using the LF receiver chip in this wafer, and re-performed the experiment in Table 5 to study the effect of this situation. The results are the same as in Table 5. This means that in the proposed RCC methods, the frequency of RCOSC has little effect on communication distance x. Some smartphones use more than two SIM cards on one card seat. The inner SIM card is placed in the middle of the mobile phone, and the HF signal is poorly disturbed by the device, with the situation worsening if the phone made with a completely metallic shell. In this case, we found that the RCC distance is determined by HF. In the activation phase, the LF reader synchronously transmits the transmission power parameter of HF. If the HF response is not received or the received signal strength indication (RSSI) is too low, the initiator returns to the activation phase and increases the transmission power parameter of HF to ensure that the communication distance is completely determined by LF.

Conclusions
In this paper, we present a range-controlled communication system using an improved LF communication system. The circuit of the LF transmitter comprises class-D amplifiers to obtain a large magnetic field. The LF receiver consists of rail-to-rail amplifiers and only one comparator. The LF receiver chip is fabricated using a 0.18 µm CMOS technical platform with a die area of 1.05 mm × 0.9 mm and current consumption of 41 µA. The differential Manchester decoding circuit in the LF receiver is designed as a self-recovery clock recovery circuit to adopt different LF frequencies, such as 2 kHz and 4 kHz. The proposed protocol restricts the HF communication distance by using LF to transmit the working frequency and communication key of the HF channel.