What is it

It's a alarm system, used with wireless accessories. We have a central and a remote control:

Error creating thumbnail: Unable to save thumbnail to destinationError creating thumbnail: Unable to save thumbnail to destination

Setup

We opened the device, no internal alarm trigger's where used. The system contains 2 board:

• Logic board
• 433 receiver

We hooked up a logic analyzer on the 433 receiver board to "snif" the datastreams:
We opened the remote to change the dipswitches:
Error creating thumbnail: Unable to save thumbnail to destinationError creating thumbnail: Unable to save thumbnail to destination

Results

After sniffing a few times this the result:
"Put alarm off" with all dips off:

"Put alarm off" with all dips on:

As you can see, the first pulse is always short, the next 8 pulses is the code of the system, dip "off" is a small pulse, a wide pulse is dip "on".
Also we have seen the last 4 pulses are used to control the system:
Wide=1
Small=0

System off: 1100
System on: 1110
System Delayed on: 1011
Panic button: 0011

Other codes will be added after analysing (PIR, door detection etc)
After replay function we also did test these codes:
Alarm trips when set: 1111
Does nothing: 0000

What to do

• Create pulse system to brute force the system and check for hidden codes
• Use a 433 transmitter to create a remote brute forcer
• Get a new/more current system and test it
• Reverse a bunch of other alarm systems