Reverse engineering ELRO Flamingo HA31 wireless alarm
The Elro flamingo HA31 is a alarm with wireless sensors.
The set contains:
- A central unit with keypad, battery holder and a power-adapter
- PIR motion sensor
- Door contact sensor
- External sounder
- Accessories to mount the sensors etc
After unwrapping the package the outside looks decent, the central has a extra contact on the back so if you break it of the wall it does activate the alarm. When we did opened the casing we where kinda of surprised about the quality of the PCB's, yes it's cheap Chinese quality but it does do the job.
We also found 4 dip-switches (also accessible if you open one of the standard openings), you can create your "home code" with 4 dip-switches. In theory that means you can create 2*2*2*2 = 16 codes which isn't a lot. It's easy to activate the alarm of your neighbor if he/she uses the same system.
The internal of the central system does contain 3 PCB's, one with the numeric keypad attached to the main logic board and a wireless 433 receiver. Between the wireless receiver and the main board are 2 wires, it's power and "signal". The wireless control board doesn't contain a lot of hardware but most interesting is the chip, it is a M1D chip. After google-ing we found a NLdatasheet of the chip, it's a chip mostly used for door bells.
After opening the sensors we did saw the "other-side", same story...bad PCB's and... a doorbell chip..
After hooking up an analyzer to the central wireless receiver it also became clear what was happening, if the door bell rings (aka sensor got activated) a pulse is send to the main logic board and the alarm will be triggered if it's armed.
So how about the wireless signal and encoding?
The system is simple:
All dips on:
All dips off:
- Investigate the main logic board
- brute force all codes and functions on the keypad
- Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)