Difference between revisions of "Reverse engineering ELRO Flamingo HA31 wireless alarm"

From Randomdata wiki
Jump to: navigation, search
(Analysis)
 
Line 31: Line 31:
 
*Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
 
*Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
 
*Create a 433Mhz jammer and test what you need in what range, create a heatmap in a "normal" house"
 
*Create a 433Mhz jammer and test what you need in what range, create a heatmap in a "normal" house"
 +
[[Category:Projects]]
 +
[[Category:Reverse enginering]]

Latest revision as of 15:53, 22 April 2013

Intro

The Elro flamingo HA31 is a alarm with wireless sensors.
The set contains:

  • A central unit with keypad, battery holder and a power-adapter
  • PIR motion sensor
  • Door contact sensor
  • External sounder
  • Accessories to mount the sensors etc

Elro flamingo ha31 package.jpg

Analysis

After unwrapping the package the outside looks decent. The unit has an extra contact on the back of it which will get switched on when ever you try to dismount the unit from the wall. If you do take it of the wal it will activate the alarm. After unscrewing the unit we where kind of surprised about the quality of the PCB's. Yes, all in all it IS cheap Chinese quality. But appearantly it does it's job.
Elro flamingo ha31 backdips.jpg
We also found 4 dip-switches (also accessible via one of the standard openings). These switches are used to make up your own "house code". With only four switches to use for making up your own house code, it is in theory possible to create at max 16 unique codes (2*2*2*2). It's easy to activate the alarm of your neighbor if he/she uses the same system.

The internal of the central system does contain 3 PCB's, one with the numeric keypad attached to the main logic board and a wireless 433 receiver. Between the wireless receiver and the main board are 2 wires, it's power and "signal". The wireless control board doesn't contain a lot of hardware but most interesting is the chip, it is a M1D chip. After google-ing we found a NLdatasheet of the chip, it's a chip mostly used for door bells.
After opening the sensors we did saw the "other-side", same story...bad PCB's and... the doorbell chip..[1]
Elro flamingo ha31 centralwchip.jpgElro flamingo ha31 sensorchip.jpgElro flamingo ha31 PIRpsb.jpg
After hooking up an analyzer to the central wireless receiver it also became clear what was happening, if the door bell rings (aka sensor got activated) a pulse is send to the main logic board and the alarm will be triggered if it's armed.

So how about the wireless signal and encoding?
The system is simple:
All dips on: Elro flamingo ha31 wireless alldipson.png
All dips off:Elro flamingo ha31 wireless alldipsof.png
Dips 1001: Elro flamingo ha31 wireless dips1001.png

Todo's

  • Investigate the main logic board
  • brute force all codes and functions on the keypad
  • Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
  • Create a 433Mhz jammer and test what you need in what range, create a heatmap in a "normal" house"