{"id":61,"date":"2024-07-04T00:39:28","date_gmt":"2024-07-04T00:39:28","guid":{"rendered":"https:\/\/paulhansel.com\/?p=61"},"modified":"2026-03-09T04:37:33","modified_gmt":"2026-03-09T04:37:33","slug":"popping-the-tire-pressure-monitoring-relearn-tool-bubble","status":"publish","type":"post","link":"https:\/\/paulhansel.com\/?p=61","title":{"rendered":"Popping the tire pressure monitoring relearn tool bubble"},"content":{"rendered":"\n

[2026-03-01]: Ever thought about how these could be used for surveillance? These guys did! https:\/\/www.darkreading.com\/ics-ot-security\/tire-pressure-sensors-silent-tracking<\/a><\/em><\/p>\n\n\n\n

[2024-07-06: Updated to include simulation results and more scope traces.]<\/em><\/p>\n\n\n\n

If you own a car, you\u2019ve no doubt encountered this mystery at least once. The tire pressure monitoring system tells you your flat tire is on the driver\u2019s side front, but it\u2019s actually on the passenger side rear.<\/p>\n\n\n\n

This is a relatively modern car ownership pain point. The law that mandated tire pressure sensors be installed on every passenger car was only passed in 2007<\/a>. Before then, only upmarket cars had tire pressure sensors, and they were often based on tire rotation rate. [A tire low on air will have a slightly smaller radius, so it\u2019ll try to spin faster than other tires.] Congress decided that the national rate of accidents due to tire blowouts was too high, so they asked Detroit to do something or face fines.<\/p>\n\n\n\n

Such was the birth of Tire Pressure Monitoring Systems, or TPMS.<\/p>\n\n\n\n

Today\u2019s typical solution is simple and cheap: exactly what a struggling auto OEM needs to hit the compliance goal. It\u2019s almost an exact copy-paste of the technology found in fobs used for keyless door unlocking \u2013 but instead of four variously placed active RF sensors for the fob, there\u2019s just one transceiver for the whole TPMS.<\/p>\n\n\n\n


——<\/td>		Wireless key fob system<\/td>Tire pressure sensor system<\/td><\/tr>
Easily replaceable battery?<\/td>Yup<\/td>Not for most people<\/td><\/tr>
315 or 433 MHz wireless system-on-chip?<\/td>Check<\/td>Check<\/td><\/tr>
Encryption & key exchange?<\/td>Check<\/td>No need!<\/td><\/tr>
Atmospheric pressure sensor<\/td>Nope<\/td>Check<\/td><\/tr>
Time of flight proximity sensor<\/td>Check<\/td>Nope<\/td><\/tr>
Integrated re-learn feature<\/td>Check<\/td>Nope<\/td><\/tr>
Battery lifetime<\/td>3 years<\/td>5-10 years<\/td><\/tr><\/tbody><\/table>
Table of qualities contrasting tire pressure monitoring systems with keyless security systems.<\/figcaption><\/figure>\n\n\n\n

We return to the mystery of today. Why does a supercomputer with a million times the processing power of the Apollo guidance system \u2013 my car \u2013 put all the tire pressures in the wrong position? As a driver highly concerned about safety, I\u2019d rather know which tire has an all-too-hip stainless steel straw in its inner sidewall without having to look under each wheel on the shoulder of I-95.<\/p>\n\n\n\n

There\u2019s an easy answer: the tire guy decided not to bother reprogramming the tire pressure sensor map because most of his customers don\u2019t bother reading it and would never notice. Few time managers would allocate 10 minutes of a 45 minute job where you\u2019re only making $10-20 to do something 99% of your customers don\u2019t want. Trying to track down a slow leak when the tire map is all mixed up is almost pointless, but most consumers don\u2019t bother \u2013 they just drive until the slow leak is a fast leak, and only then get the tire replaced.<\/p>\n\n\n\n

I reasoned that having a mismatched TPMS map doesn\u2019t really affect my car\u2019s safety or usability. People drove for more than 50 years without these sensors at all, let alone a perfect map of which tires were at which pressure. If most people only find it useful to get early warning of a super-flat tire, I probably don\u2019t need the precision. I\u2019ll just get over it, right? Ordinarily, this is where the story would have ended. But not in China\u2019s America.<\/p>\n\n\n\n

\"Screenshot<\/figure>\n\n\n\n

The siren call of cheap eBay listings wailed in the distance.<\/p>\n\n\n\n

The consumer in me complains, \u201cit\u2019s only $1, there\u2019s nothing to lose!\u201d The minimalist urges caution; who needs another piece of plastic garbage? But my engineering and economics training brought more questions to the fore: how can these tools possibly be so cheap given the sophistication of what they\u2019re supposed to do? And given how cheap they are, why isn\u2019t there\u2026 an iPhone app or software-defined radio widget that does the same thing?<\/p>\n\n\n\n

I had to know the answer. Those eBay drop-shippers needed to boost their new accounts\u2019 transaction counts before they resold them. All too happily, we made a market.<\/p>\n\n\n\n

\"Photo<\/figure>\n\n\n\n
\n

EL50448 Curse of Re-Education<\/h2>\n\n\n\n
    \n
  1. Go to the tire pressure page on the dash<\/li>\n\n\n\n
  2. Hold the check button on the steering wheel a while time until the relearn menu comes up<\/li>\n\n\n\n
  3. Go to the front left (driver\u2019s side front) tire, point the relearn tool\u2019s antenna directly at the TPMS sensor in the wheel, and press the tool\u2019s button until the car honks.<\/li>\n\n\n\n
  4. Go to the right front (passenger side front) and repeat.<\/li>\n\n\n\n
  5. Go to the rear right (passenger side rear) and repeat.<\/li>\n\n\n\n
  6. Go to the rear left (driver side rear) and repeat.<\/li>\n\n\n\n
  7. Exalt in your newly certified tire pressure display.<\/li>\n<\/ol>\n<\/div>\n\n\n\n

    Supposedly, I work full-time on things like wireless protocols, sensor networks, power saving modes, enumeration and authentication. [Reminder that the ideas and content here are only my own.]<\/code> This stuff should be right up my alley. But seeing a nominally complicated re-pairing device selling on eBay for $1 gives me \u201cTemu Microwave Oven for $5\u201d vibes.<\/p>\n\n\n\n

    \"EL50448<\/figure>\n\n\n\n

    After quickly checking that it worked on the car (it did!), I cracked it open.<\/p>\n\n\n\n

    \"Beginning<\/figure>\n\n\n\n

    Not a bad design, mechanically speaking. With two plastic clamshell pieces, featuring snap lock positioners, the PCB is held in place and its button pressed solidly into position. A rubber gasket retains the ferrite coil antenna in the plastic antenna housing.<\/p>\n\n\n\n

    \"Internal<\/figure>\n\n\n\n

    The BOM is impressively small. In order of disassembly, quoted around 100k qty, with some guessing:<\/p>\n\n\n\n