Difference between revisions of "Reverse engineering ELRO Flamingo HA31 wireless alarm"

From Randomdata wiki
m (Analysis)
 
(3 intermediate revisions by 2 users not shown)
Line 7: Line 7:
 
*External sounder
 
*External sounder
 
*Accessories to mount the sensors etc
 
*Accessories to mount the sensors etc
[[File:Elro_flamingo_ha31_package.jpg|200px]]
+
[[File:Elro_flamingo_ha31_package.jpg|300px]]
  
 
=Analysis=
 
=Analysis=
After unwrapping the package the outside looks decent, the central has a extra contact on the back so if you break it of the wall it does activate the alarm. When we did opened the casing we where kinda of surprised about the quality of the PCB's, yes it's cheap Chinese quality but it does do the job.<br>
+
After unwrapping the package the outside looks decent. The unit has an extra contact on the back of it which will get switched on when ever you try to dismount the unit from the wall. If you do take it of the wal it will activate the alarm. After unscrewing the unit we where kind of surprised about the quality of the PCB's. Yes, all in all it IS cheap Chinese quality. But appearantly it does it's job.<br>
 
[[File:Elro_flamingo_ha31_backdips.jpg|200px]]<br>
 
[[File:Elro_flamingo_ha31_backdips.jpg|200px]]<br>
We also found 4 dip-switches (also accessible if you open one of the standard openings), you can create your "home code" with 4 dip-switches. In theory that means you can create 2*2*2*2 = 16 codes which isn't a lot. It's easy to activate the alarm of your neighbor if he/she uses the same system.<br>
+
We also found 4 dip-switches (also accessible via one of the standard openings). These switches are used to make up your own "house code". With only four switches to use for making up your own house code, it is in theory possible to create at max 16 unique codes (2*2*2*2). It's easy to activate the alarm of your neighbor if he/she uses the same system.<br>
 
<br>
 
<br>
 
The internal of the central system does contain 3 PCB's, one with the numeric keypad attached to the main logic board and a wireless 433 receiver.
 
The internal of the central system does contain 3 PCB's, one with the numeric keypad attached to the main logic board and a wireless 433 receiver.
 
Between the wireless receiver and the main board are 2 wires, it's power and "signal". The wireless control board doesn't contain a lot of hardware but most interesting is the chip, it is a M1D chip. After google-ing we found a [http://www.hobbyelektronica.nu/23/05.pdf NLdatasheet] of the chip, it's a chip mostly used for door bells.<br>
 
Between the wireless receiver and the main board are 2 wires, it's power and "signal". The wireless control board doesn't contain a lot of hardware but most interesting is the chip, it is a M1D chip. After google-ing we found a [http://www.hobbyelektronica.nu/23/05.pdf NLdatasheet] of the chip, it's a chip mostly used for door bells.<br>
After opening the sensors we did saw the "other-side", same story...bad PCB's and... a doorbell chip..<br>
+
After opening the sensors we did saw the "other-side", same story...bad PCB's and... the doorbell chip..[http://www.digchip.com/datasheets/parts/datasheet/922/M1EA.php]<br>
[[File:Elro_flamingo_ha31_centralwchip.jpg|200px]][[File:Elro_flamingo_ha31_sensorchip.jpg|200px]][[File:Elro_flamingo_ha31_PIRchip.jpg|200px]]<br>
+
[[File:Elro_flamingo_ha31_centralwchip.jpg|200px]][[File:Elro_flamingo_ha31_sensorchip.jpg|200px]][[File:Elro_flamingo_ha31_PIRpsb.jpg|200px]]<br>
 
After hooking up an analyzer to the central wireless receiver it also became clear what was happening, if the door bell rings (aka sensor got activated) a pulse is send to the main logic board and the alarm will be triggered if it's armed.<br>
 
After hooking up an analyzer to the central wireless receiver it also became clear what was happening, if the door bell rings (aka sensor got activated) a pulse is send to the main logic board and the alarm will be triggered if it's armed.<br>
 
<br>
 
<br>
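Review bot: the rewritten Analysis paragraph on the added line still carries spelling slips ("when ever", "take it of the wal", "we where", "appearantly", "it's job") that should be fixed in this revision. In the gallery row the third file changes from Elro_flamingo_ha31_PIRchip.jpg to Elro_flamingo_ha31_PIRpsb.jpg, which looks like a typo for "pcb", so confirm the upload exists under that exact name. The M1EA datasheet link added after "the doorbell chip.." is a bare URL; give it link text the way the NLdatasheet link has.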
Line 30: Line 30:
 
*brute force all codes and functions on the keypad
 
*brute force all codes and functions on the keypad
 
*Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
 
*Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
 +
*Create a 433Mhz jammer and test what you need in what range, create a heatmap in a "normal" house"
 +
[[Category:Projects]]
 +
[[Category:Reverse enginering]]
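Review bot: the added category is spelled "Reverse enginering", which files the page under a misspelled category; it should read "Reverse engineering". The new 433Mhz to-do line also ends with an unmatched quote after "house" and should write the unit as MHz.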

Latest revision as of 14:53, 22 April 2013

Intro

The ELRO Flamingo HA31 is an alarm with wireless sensors.
The set contains:

  • A central unit with keypad, battery holder and a power-adapter
  • PIR motion sensor
  • Door contact sensor
  • External sounder
  • Accessories to mount the sensors etc

Elro flamingo ha31 package.jpg

Analysis

After unwrapping the package, the outside looks decent. The unit has an extra contact on its back that is switched whenever you try to dismount the unit from the wall; if you do take it off the wall, it activates the alarm. After unscrewing the unit we were kind of surprised by the quality of the PCBs. Yes, all in all it IS cheap Chinese quality, but apparently it does its job.
Elro flamingo ha31 backdips.jpg
We also found 4 DIP switches (also accessible via one of the standard openings). These switches set your own "house code". With only four switches available for the house code, it is in theory possible to create at most 16 unique codes (2*2*2*2). It's easy to activate the alarm of your neighbor if he/she uses the same system.
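
How thin a 16-code space is can be put in numbers. The following is an added example, not code from the original page; it assumes owners set the switches independently, and `default_share` (the fraction who leave the factory setting untouched) is a hypothetical input, not something measured here.

```python
"""House-code collision risk for an n-switch DIP keyspace (added example)."""
from math import prod


def keyspace(switches: int) -> int:
    """Distinct house codes for `switches` two-position DIP switches."""
    return 2 ** switches


def p_pair_match(switches: int, default_share: float = 0.0) -> float:
    """Chance that two independently configured units share a house code.

    `default_share` is an assumed fraction of owners who never move the
    switches from the factory setting; the rest are assumed to pick uniformly.
    """
    n, d = keyspace(switches), default_share
    return d * d + 2 * d * (1 - d) / n + (1 - d) ** 2 / n


def p_any_collision(units: int, switches: int) -> float:
    """Chance that at least two of `units` in radio range share a code
    (birthday bound, uniform independent settings assumed)."""
    n = keyspace(switches)
    if units > n:
        return 1.0  # pigeonhole: more units than codes
    return 1 - prod((n - i) / n for i in range(units))


def switches_needed(units: int, max_risk: float) -> int:
    """Smallest switch count that keeps p_any_collision at or below max_risk."""
    s = 1
    while p_any_collision(units, s) > max_risk:
        s += 1
    return s


if __name__ == "__main__":
    print(f"HA31 keyspace: {keyspace(4)} codes")
    for units in (2, 3, 5, 8):
        print(f"{units} units in range -> {p_any_collision(units, 4):.1%} collision")
    print(f"pair match, half on defaults: {p_pair_match(4, 0.5):.1%}")
    print(f"switches for <=1% risk with 5 units: {switches_needed(5, 0.01)}")
```

With four switches, five units within radio range of each other already have about an even chance of two sharing a code, before accounting for owners who never change the default.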

The inside of the central unit contains 3 PCBs: one with the numeric keypad attached to the main logic board, and a 433 MHz wireless receiver. Between the wireless receiver and the main board are 2 wires: power and "signal". The wireless control board doesn't contain a lot of hardware; the most interesting part is the chip, an M1D. After googling we found an NL datasheet for the chip; it is mostly used for doorbells.
After opening the sensors we saw the "other side": same story... bad PCBs and... the doorbell chip. [1]
Elro flamingo ha31 centralwchip.jpg, Elro flamingo ha31 sensorchip.jpg, Elro flamingo ha31 PIRpsb.jpg
After hooking up an analyzer to the central wireless receiver it also became clear what was happening: when the doorbell rings (i.e. a sensor is activated), a pulse is sent to the main logic board and the alarm is triggered if it's armed.

So how about the wireless signal and encoding?
The system is simple:
All dips on: Elro flamingo ha31 wireless alldipson.png
All dips off: Elro flamingo ha31 wireless alldipsof.png
Dips 1001: Elro flamingo ha31 wireless dips1001.png

Todo's

  • Investigate the main logic board
  • Brute force all codes and functions on the keypad
  • Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch's TV-B-Gone)
  • Create a 433 MHz jammer and test what you need in what range; create a heatmap in a "normal" house