Reverse engineering ELRO HA51 wireless: Difference between revisions
No edit summary |
No edit summary |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 12: | Line 12: | ||
We hooked up a logic analyzer on the 433 receiver board to "snif" the datastreams:<br> | We hooked up a logic analyzer on the 433 receiver board to "snif" the datastreams:<br> | ||
We opened the remote to change the dipswitches: | We opened the remote to change the dipswitches:<br> | ||
[[File:Elro_HA51_remoteinside.jpg|200px]][[File:Elro_HA51_remoteinsidedips.jpg|200px]]<br> | [[File:Elro_HA51_remoteinside.jpg|200px]][[File:Elro_HA51_remoteinsidedips.jpg|200px]]<br> | ||
=Results= | |||
After sniffing a few times this the result:<br> | After sniffing a few times this the result:<br> | ||
"Put alarm off" with all dips off:<br> | "Put alarm off" with all dips off:<br> | ||
| Line 21: | Line 22: | ||
[[File:Elro_HA51_433_allon_alarmoff.png]]<br> | [[File:Elro_HA51_433_allon_alarmoff.png]]<br> | ||
As you can see, the first pulse is always short, the next 8 pulses is the code of the system, dip "off" is a small pulse, a wide pulse is dip "on". | As you can see, the first pulse is always short, the next 8 pulses is the code of the system, dip "off" is a small pulse, a wide pulse is dip "on". | ||
<br> | |||
Also we have seen the last 4 pulses are used to control the system:<br> | |||
Wide=1<br> | |||
Small=0<br> | |||
<br> | |||
System off: 1100<br> | |||
System on: 1110<br> | |||
System Delayed on: 1011<br> | |||
Panic button: 0011<br> | |||
<br> | |||
Other codes will be added after analysing (PIR, door detection etc)<br> | |||
After replay function we also did test these codes:<br> | |||
Alarm trips when set: 1111<br> | |||
Does nothing: 0000<br> | |||
=What to do= | |||
*Create pulse system to brute force the system and check for hidden codes | |||
*Use a 433 transmitter to create a remote brute forcer | |||
*Get a new/more current system and test it | |||
*Reverse a bunch of other alarm systems | |||
[[Category:Projects]] | |||
[[Category:Reverse enginering]] | |||
Latest revision as of 14:08, 22 October 2012
What is it
It's a alarm system, used with wireless accessories. We have a central and a remote control:
Setup
We opened the device, no internal alarm trigger's where used. The system contains 2 board:
- Logic board
- 433 receiver
We hooked up a logic analyzer on the 433 receiver board to "snif" the datastreams:
We opened the remote to change the dipswitches:
Results
After sniffing a few times this the result:
"Put alarm off" with all dips off:
"Put alarm off" with all dips on:
As you can see, the first pulse is always short, the next 8 pulses is the code of the system, dip "off" is a small pulse, a wide pulse is dip "on".
Also we have seen the last 4 pulses are used to control the system:
Wide=1
Small=0
System off: 1100
System on: 1110
System Delayed on: 1011
Panic button: 0011
Other codes will be added after analysing (PIR, door detection etc)
After replay function we also did test these codes:
Alarm trips when set: 1111
Does nothing: 0000
What to do
- Create pulse system to brute force the system and check for hidden codes
- Use a 433 transmitter to create a remote brute forcer
- Get a new/more current system and test it
- Reverse a bunch of other alarm systems