DSRC-based fare systems
Toll roads in Russia are becoming a harsh reality. Someone is pleased with this, given the obvious fact that the toll road operator provides “better” travel conditions. Someone points to multi-kilometer lines at payment points, while someone, in principle, does not like the idea of paying for what was previously offered for free. Regardless of our attitude to the issue of toll roads, they already exist, and they will be created in the future. In the framework of this article, I would like to consider in more detail the electronic means of non-stop fare payment used on modern Russian toll roads.
DSRC transponders are used as a means of non-stop payment for travel in Europe and Russia - inexpensive “boxes” attached to the windshield and providing information exchange over the air with antennas at charging points. Colleagues from the OSSP company, the operator of the M-4 highway, provided me with experiments for one of their transponders, which we will analyze for the purpose of studying. But before you start breaking the transponder, you need to give credit to the hub theme and consider the architecture that underlies the system of non-stop fare payment.
The transponder and antenna implement the protocol stack from the 1st, 2nd and 7th levels of the OSI model, as shown in the figure.

The architecture of the DSRC stack (ISO 12834-2003)
The main difference between DSRC and its closest relative Wi-Fi is that DSRC is “imprisoned” for communication with a fast moving object. That is, while the car is traveling in the antenna coverage area, the transponder must wake up, establish a connection and exchange information. According to experience, at a speed of 90 km / h you can quite reliably transmit 1 MB of information. It turned out to transfer up to 4 MB, but there were already risks of disconnect. The Japanese are actively testing the DSRC of the new standard, when it is possible to reliably exchange 10-20 MB of information per session, but they have not yet reached the industrial implementation.
During the passage of a vehicle under the antenna, approximately the following occurs:

Connecting a DSRC Antenna and a Transponder
The following picture shows the encapsulation of data frames at different levels.

The DSRC frame format is a
preamble for synchronizing the transponder and antenna.
Start flag - 0111 1110.
LID - link identifier for broadcast 11111111, for other cases - four octets of randomly selected numbers during connection establishment to identify the exchange channel with a specific transponder.
MAC control field contains information about the contents of the packet - uplink or downlink, command or response to the command, etc.
LLC control contains the type of command or response to the command, LLC status, respectively, contains the result of the command
LPDU - in fact, application-level information (we will consider it separately). An application block can be transmitted in parts if it does not fit in one physical packet. In general, for those who know the TCP / IP stack, there is nothing fundamentally new here.
The CRC frame ends with a checksum and stop bits similar to the start flag.
At the application level, information is exchanged within the framework of the respective applications. Currently, the following applications are most common:
At payment points, the EFC application is used to organize non-stop travel.
During the interaction of the antenna and the transponder, a travel transaction is formed, which can be supplemented by vehicle measurement data. Depending on the introduced tariffs and charging rules, a car can be classified, photographed, license plate recognition, and even weight control at the payment point. Each transponder, before being issued to the client, goes through the initialization stage, during which an EFC information block is stored in its memory, which the transponder must transmit during the information exchange.
The information block in the "maximum configuration" represents about 50 standardized attributes that can be divided into the following groups:
In Russia, DSRC is used at a payment point in St. Petersburg (Northwest High Speed Diameter), in Moscow (M-1 highway bypassing Odintsovo), M-4 (in the Domodedovo area), as well as closer to Voronezh on the same highway. On the designed and constructed routes, electronic toll lanes will also be created.
The main problem with the use of EFC is the inability to drive with one transponder on all toll roads. If at the technological level this problem is completely solvable, then at the application level a large amount of additional work is required related to the organization of the exchange of encryption keys and the organization of netting between operator companies.
EFC tariff schemes are used minimally sufficient. That is, the transponder itself is not a means of payment and is not tied to a vehicle. In fact, our transponder is just a digital mark of a certain subscriber. At the collection point, each car is classified and the amount of the tariff is deducted from the account linked to the transponder depending on the classification results. That is, the transponder can be rearranged without problems from a passenger car to a truck and vice versa.
Such a simplified approach has its advantages and disadvantages. A plus is the ability to initialize transponders during production. A bar code is applied to each transponder, which is compared with the user’s contract during the sales process, after which the user can freely use the transponder. If, for example, the tariff were tied to a car, at the points of sale it would be necessary to install special programmers that would allow the necessary attributes to be written into the transponder's memory - for example, the car number and its class.
The second plus of the simplified scheme is the simplicity of ensuring transponder compatibility among different operators. Regardless of the classification system of each operator, a fare transaction is generated without errors. Otherwise, it would be necessary to align the principles of car classification by all operators.
And the disadvantages include the impossibility of autonomous payment control (without contacting the user registration database).
The circuit works this way. During the sale, as I said, the transponder number and the user contract are compared. In the operator’s accounting system, a balance is maintained on the electronic account of the transponder. Transponders with a balance sum below a certain mark fall into the warning zone - the “orange list”. If the amount is not enough to cover the fare, such transponders fall into the “red” or “black” list. Colored transponder lists are distributed to all toll points and loaded into the lane controllers (or immediately into the memory of antennas of some manufacturers).
When the car approaches the charging point in a special band, it falls into the coverage area of the antenna of that band, which reads the transponder identifier. The strip controller (or antenna software) reconciles with the “color” list. If the transaction has formed normally and the transponder number is not in the list, the band controller software gives a signal to open the barrier. At the same time, the car passes the payment point at a speed of about 30 km / h without stopping. If the transponder is in the “orange” zone, the driver receives a warning, for example, the special “Low balance” sign lights up and the barrier opens. If the funds are not enough, then the barrier does not open, and the user has to pay for the fare in cash.

DSRC Antennas at M-4 Charging Point
To pay for travel on the M-4, transponders TS3203 manufactured by Kapsch are used. Fully compatible Q-Free, Norbit, GEA and other transponders can also be used.

Appearance of the TS3203 transponder
By agreement with the road operator, the manufacturer applies a barcode and number to the transponder body. These transponder identifiers are transmitted as a file with a batch of transponders. Data from the file is loaded into the operator’s settlement system for subsequent comparison with contracts during sales. The transponders contain in memory an encrypted data block of the operator, which he can read with his keys. Keys are downloaded and stored on EFC band antennas. Thus, transponders are completely ready for sale and use.

Factory marking of the transponder
Inside, we see a simple board and a tweeter, through which the transponder reports a successful transaction or error. As you can see, tamper protection is completely absent. There are no fuses or photo resistors.

Transponder board
On the other side of the board is a battery tightly pressed into the holder. According to the Kapsch specification , the batteries should last for 7 years with 2000 transactions per year.

Reverse side of the board
The core of the transponder is a proprietary ASIC chip containing memory, a processor, and all the logic. The Kapsch analog core is traditionally called Ella, the digital core is Alex. In previous versions, these cores were implemented as separate microcircuits ( photo ).

Close-up board
As we have seen, the DSRC transponder is a reliable and cheap device. That is why electronic tolling is everywhere done with DSRC. DSRC technology has only one drawback - to calculate the tariff, it is necessary to install antennas at all exits from the highway (or in the middle of each section, as in Austria). If we want to close the large road network with “payment”, then we need to carefully look towards the systems based on satellite navigation, which I already wrote about ( with continuation ).
DSRC transponders are used as a means of non-stop payment for travel in Europe and Russia - inexpensive “boxes” attached to the windshield and providing information exchange over the air with antennas at charging points. Colleagues from the OSSP company, the operator of the M-4 highway, provided me with experiments for one of their transponders, which we will analyze for the purpose of studying. But before you start breaking the transponder, you need to give credit to the hub theme and consider the architecture that underlies the system of non-stop fare payment.
DSRC stack
The transponder and antenna implement the protocol stack from the 1st, 2nd and 7th levels of the OSI model, as shown in the figure.

The architecture of the DSRC stack (ISO 12834-2003)
The main difference between DSRC and its closest relative Wi-Fi is that DSRC is “imprisoned” for communication with a fast moving object. That is, while the car is traveling in the antenna coverage area, the transponder must wake up, establish a connection and exchange information. According to experience, at a speed of 90 km / h you can quite reliably transmit 1 MB of information. It turned out to transfer up to 4 MB, but there were already risks of disconnect. The Japanese are actively testing the DSRC of the new standard, when it is possible to reliably exchange 10-20 MB of information per session, but they have not yet reached the industrial implementation.
During the passage of a vehicle under the antenna, approximately the following occurs:
- The transponder receives a beacon and wakes up. The beacon signal contains a BST data structure with a list of services (applications) that are supported at this point. The time between receiving the first antenna signal (any one that does not necessarily contain BST) and the transponder is ready for operation is 5 ms.
- The antenna and transponder determine the channel through which the exchange will be carried out. A lot of cars are driving along the road, and channel separation is necessary.
- Using the VST data structure, the transponder reports the application (or applications) that it needs. For example, EFC - electronic fare payment.
- The antenna and transponder establish a secure connection and exchange data within the selected application.

Connecting a DSRC Antenna and a Transponder
The following picture shows the encapsulation of data frames at different levels.

The DSRC frame format is a
preamble for synchronizing the transponder and antenna.
Start flag - 0111 1110.
LID - link identifier for broadcast 11111111, for other cases - four octets of randomly selected numbers during connection establishment to identify the exchange channel with a specific transponder.
MAC control field contains information about the contents of the packet - uplink or downlink, command or response to the command, etc.
LLC control contains the type of command or response to the command, LLC status, respectively, contains the result of the command
LPDU - in fact, application-level information (we will consider it separately). An application block can be transmitted in parts if it does not fit in one physical packet. In general, for those who know the TCP / IP stack, there is nothing fundamentally new here.
The CRC frame ends with a checksum and stop bits similar to the start flag.
Application Stack Level DSRC
At the application level, information is exchanged within the framework of the respective applications. Currently, the following applications are most common:
- Actually, EFC is electronic charging, AID = 1 (application identifier in the VST table). The application layer is discussed in detail in the ISO 14906-2011 standard.
- Localization augmentation communication (LAC) - protocol for writing to the memory of the control unit antenna location data, AID = 21, standard ISO 13141-2010
- Compliance Checking Communication (CCC) - exchange of vehicle control information to verify compliance with charging rules, ISO 12813-2009
At payment points, the EFC application is used to organize non-stop travel.
During the interaction of the antenna and the transponder, a travel transaction is formed, which can be supplemented by vehicle measurement data. Depending on the introduced tariffs and charging rules, a car can be classified, photographed, license plate recognition, and even weight control at the payment point. Each transponder, before being issued to the client, goes through the initialization stage, during which an EFC information block is stored in its memory, which the transponder must transmit during the information exchange.
The information block in the "maximum configuration" represents about 50 standardized attributes that can be divided into the following groups:
- User contract information. These attributes are always filled, since without them it is impossible to form a transaction and write off funds from the user's account.
- Information for the check (financial part, accompanying information on the requirements of local legislation, etc.)
- Information about the car - something similar to the data of our TCP, only in digital form. Only the attributes necessary for charging and control are filled.
- Information about the transponder: serial number, smart card number (for control units into which a smart card is inserted - basically this scheme is used in Japan), control unit status.
- Information about the driver and passengers (if the number of passengers is taken into account in the tariff)
- Information on means of payment, if the transponder is at the same time a means of payment (both in Japan and in some Asian countries)
- Redundant fields for other DSRC applications are LAC, CCC and what else will come up in the future.
How is it all physically implemented
In Russia, DSRC is used at a payment point in St. Petersburg (Northwest High Speed Diameter), in Moscow (M-1 highway bypassing Odintsovo), M-4 (in the Domodedovo area), as well as closer to Voronezh on the same highway. On the designed and constructed routes, electronic toll lanes will also be created.
The main problem with the use of EFC is the inability to drive with one transponder on all toll roads. If at the technological level this problem is completely solvable, then at the application level a large amount of additional work is required related to the organization of the exchange of encryption keys and the organization of netting between operator companies.
EFC tariff schemes are used minimally sufficient. That is, the transponder itself is not a means of payment and is not tied to a vehicle. In fact, our transponder is just a digital mark of a certain subscriber. At the collection point, each car is classified and the amount of the tariff is deducted from the account linked to the transponder depending on the classification results. That is, the transponder can be rearranged without problems from a passenger car to a truck and vice versa.
Such a simplified approach has its advantages and disadvantages. A plus is the ability to initialize transponders during production. A bar code is applied to each transponder, which is compared with the user’s contract during the sales process, after which the user can freely use the transponder. If, for example, the tariff were tied to a car, at the points of sale it would be necessary to install special programmers that would allow the necessary attributes to be written into the transponder's memory - for example, the car number and its class.
The second plus of the simplified scheme is the simplicity of ensuring transponder compatibility among different operators. Regardless of the classification system of each operator, a fare transaction is generated without errors. Otherwise, it would be necessary to align the principles of car classification by all operators.
And the disadvantages include the impossibility of autonomous payment control (without contacting the user registration database).
The circuit works this way. During the sale, as I said, the transponder number and the user contract are compared. In the operator’s accounting system, a balance is maintained on the electronic account of the transponder. Transponders with a balance sum below a certain mark fall into the warning zone - the “orange list”. If the amount is not enough to cover the fare, such transponders fall into the “red” or “black” list. Colored transponder lists are distributed to all toll points and loaded into the lane controllers (or immediately into the memory of antennas of some manufacturers).
When the car approaches the charging point in a special band, it falls into the coverage area of the antenna of that band, which reads the transponder identifier. The strip controller (or antenna software) reconciles with the “color” list. If the transaction has formed normally and the transponder number is not in the list, the band controller software gives a signal to open the barrier. At the same time, the car passes the payment point at a speed of about 30 km / h without stopping. If the transponder is in the “orange” zone, the driver receives a warning, for example, the special “Low balance” sign lights up and the barrier opens. If the funds are not enough, then the barrier does not open, and the user has to pay for the fare in cash.

DSRC Antennas at M-4 Charging Point
To pay for travel on the M-4, transponders TS3203 manufactured by Kapsch are used. Fully compatible Q-Free, Norbit, GEA and other transponders can also be used.

Appearance of the TS3203 transponder
By agreement with the road operator, the manufacturer applies a barcode and number to the transponder body. These transponder identifiers are transmitted as a file with a batch of transponders. Data from the file is loaded into the operator’s settlement system for subsequent comparison with contracts during sales. The transponders contain in memory an encrypted data block of the operator, which he can read with his keys. Keys are downloaded and stored on EFC band antennas. Thus, transponders are completely ready for sale and use.

Factory marking of the transponder
Inside, we see a simple board and a tweeter, through which the transponder reports a successful transaction or error. As you can see, tamper protection is completely absent. There are no fuses or photo resistors.

Transponder board
On the other side of the board is a battery tightly pressed into the holder. According to the Kapsch specification , the batteries should last for 7 years with 2000 transactions per year.

Reverse side of the board
The core of the transponder is a proprietary ASIC chip containing memory, a processor, and all the logic. The Kapsch analog core is traditionally called Ella, the digital core is Alex. In previous versions, these cores were implemented as separate microcircuits ( photo ).

Close-up board
As we have seen, the DSRC transponder is a reliable and cheap device. That is why electronic tolling is everywhere done with DSRC. DSRC technology has only one drawback - to calculate the tariff, it is necessary to install antennas at all exits from the highway (or in the middle of each section, as in Austria). If we want to close the large road network with “payment”, then we need to carefully look towards the systems based on satellite navigation, which I already wrote about ( with continuation ).