Difference between revisions of "Reverse engineering ELRO Flamingo HA31 wireless alarm"

From Randomdata wiki
Jump to: navigation, search
m (jpg > png)
m
(2 intermediate revisions by one user not shown)
Line 7: Line 7:
 
*External sounder
 
*External sounder
 
*Accessories to mount the sensors etc
 
*Accessories to mount the sensors etc
[[File:Elro_flamingo_ha31_package.jpg|200px]]
+
[[File:Elro_flamingo_ha31_package.jpg|300px]]
  
 
=Analysis=
 
=Analysis=
Line 15: Line 15:
 
<br>
 
<br>
 
The internal of the central system does contain 3 PCB's, one with the numeric keypad attached to the main logic board and a wireless 433 receiver.
 
The internal of the central system does contain 3 PCB's, one with the numeric keypad attached to the main logic board and a wireless 433 receiver.
Between the wireless receiver and the main board are 2 wires, it's power and "signal". The wireless control board doesn't contain a lot of hardware but most interesting is the chip, it is a M1D chip. After google-ing we found a [http://www.hobbyelektronica.nu/23/05.pdf NLdatasheet] of the chip, it's a chip mostly used for door bells.
+
Between the wireless receiver and the main board are 2 wires, it's power and "signal". The wireless control board doesn't contain a lot of hardware but most interesting is the chip, it is a M1D chip. After google-ing we found a [http://www.hobbyelektronica.nu/23/05.pdf NLdatasheet] of the chip, it's a chip mostly used for door bells.<br>
After opening the sensors we did saw the "other-side", same story...bad PCB's and... a doorbell chip..
+
After opening the sensors we did saw the "other-side", same story...bad PCB's and... the doorbell chip..[http://www.digchip.com/datasheets/parts/datasheet/922/M1EA.php]<br>
[[File:Elro_flamingo_ha31_centralwchip.jpg|200px]][[File:Elro_flamingo_ha31_sensorchip.jpg|200px]][[File:Elro_flamingo_ha31_PIRchip.jpg|200px]]<br>
+
[[File:Elro_flamingo_ha31_centralwchip.jpg|200px]][[File:Elro_flamingo_ha31_sensorchip.jpg|200px]][[File:Elro_flamingo_ha31_PIRpsb.jpg|200px]]<br>
 
After hooking up an analyzer to the central wireless receiver it also became clear what was happening, if the door bell rings (aka sensor got activated) a pulse is send to the main logic board and the alarm will be triggered if it's armed.<br>
 
After hooking up an analyzer to the central wireless receiver it also became clear what was happening, if the door bell rings (aka sensor got activated) a pulse is send to the main logic board and the alarm will be triggered if it's armed.<br>
 
<br>
 
<br>
Line 29: Line 29:
 
*brute force all codes and functions on the keypad
 
*brute force all codes and functions on the keypad
 
*Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
 
*Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
 +
*Create a 433Mhz jammer and test what you need in what range, create a heatmap in a "normal" house"

Revision as of 20:39, 2 August 2012

Intro

The Elro flamingo HA31 is a alarm with wireless sensors.
The set contains:

  • A central unit with keypad, battery holder and a power-adapter
  • PIR motion sensor
  • Door contact sensor
  • External sounder
  • Accessories to mount the sensors etc

Elro flamingo ha31 package.jpg

Analysis

After unwrapping the package the outside looks decent, the central has a extra contact on the back so if you break it of the wall it does activate the alarm. When we did opened the casing we where kinda of surprised about the quality of the PCB's, yes it's cheap Chinese quality but it does do the job.
Elro flamingo ha31 backdips.jpg
We also found 4 dip-switches (also accessible if you open one of the standard openings), you can create your "home code" with 4 dip-switches. In theory that means you can create 2*2*2*2 = 16 codes which isn't a lot. It's easy to activate the alarm of your neighbor if he/she uses the same system.

The internal of the central system does contain 3 PCB's, one with the numeric keypad attached to the main logic board and a wireless 433 receiver. Between the wireless receiver and the main board are 2 wires, it's power and "signal". The wireless control board doesn't contain a lot of hardware but most interesting is the chip, it is a M1D chip. After google-ing we found a NLdatasheet of the chip, it's a chip mostly used for door bells.
After opening the sensors we did saw the "other-side", same story...bad PCB's and... the doorbell chip..[1]
Elro flamingo ha31 centralwchip.jpgElro flamingo ha31 sensorchip.jpgElro flamingo ha31 PIRpsb.jpg
After hooking up an analyzer to the central wireless receiver it also became clear what was happening, if the door bell rings (aka sensor got activated) a pulse is send to the main logic board and the alarm will be triggered if it's armed.

So how about the wireless signal and encoding?
The system is simple:
All dips on: Elro flamingo ha31 wireless alldipson.png
All dips off:Elro flamingo ha31 wireless alldipsof.png
Dips 1001: Elro flamingo ha31 wireless dips1001.png

Todo's

  • Investigate the main logic board
  • brute force all codes and functions on the keypad
  • Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
  • Create a 433Mhz jammer and test what you need in what range, create a heatmap in a "normal" house"