Difference between revisions of "Reverse engineering ELRO HA51 wireless"

From Randomdata wiki
m (|200px added)
Line 17: Line 17:
 
After sniffing a few times this the result:<br>
 
After sniffing a few times this the result:<br>
 
"Put alarm off" with all dips off:<br>
 
"Put alarm off" with all dips off:<br>
[[File:Elro_HA51_433_alloff_alarmoff.jpg]]<br>
+
[[File:Elro_HA51_433_alloff_alarmoff.png]]<br>
 
"Put alarm off" with all dips on:<br>
 
"Put alarm off" with all dips on:<br>
[[File:Elro_HA51_433_allon_alarmoff.jpg]]<br>
+
[[File:Elro_HA51_433_allon_alarmoff.png]]<br>
 
As you can see, the first pulse is always short, the next 8 pulses is the code of the system, dip "off" is a small pulse, a wide pulse is dip "on".
 
As you can see, the first pulse is always short, the next 8 pulses is the code of the system, dip "off" is a small pulse, a wide pulse is dip "on".
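Review bot: the edit summary reads "|200px added", but neither changed [[File:...]] line carries a |200px size parameter; the only visible change in both links is the extension, .jpg to .png. Either add the size parameter, e.g. [[File:Elro_HA51_433_alloff_alarmoff.png|200px]], or reword the summary to describe the .jpg to .png change. While touching this section, the context line "After sniffing a few times this the result:" is missing "is".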

Revision as of 20:27, 30 July 2012

What is it

It's an alarm system, used with wireless accessories. We have a central unit and a remote control:

[Image: Elro HA51.jpg] [Image: Elro HA51 remote.jpg]

Setup

We opened the device; no internal alarm triggers were used. The system contains 2 boards:

  • Logic board
  • 433 receiver

We hooked up a logic analyzer to the 433 receiver board to "sniff" the data streams.
We opened the remote to change the DIP switches:
[Image: Elro HA51 remoteinside.jpg] [Image: Elro HA51 remoteinsidedips.jpg]

After sniffing a few times, this is the result:

"Put alarm off" with all dips off:
[Image: Elro HA51 433 alloff alarmoff.png]

"Put alarm off" with all dips on:
[Image: Elro HA51 433 allon alarmoff.png]

As you can see, the first pulse is always short. The next 8 pulses are the code of the system: a short pulse means the dip is "off", a wide pulse means the dip is "on".
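The decoding rule described above, as an added Python example that is not part of the original wiki page. The sample format (level, duration in microseconds), the 1.5x width threshold and all timings are assumptions made for illustration; the page gives no pulse durations.

```python
"""Decode the 8 DIP positions from logic-analyzer samples of the 433 receiver output."""
from typing import List, Tuple

Sample = Tuple[int, int]  # (logic level, duration in microseconds) -- assumed export format

WIDE_RATIO = 1.5  # assumption: a pulse wider than 1.5x the first pulse counts as "wide"
CODE_BITS = 8     # from the page: the 8 pulses after the first one carry the system code


def high_pulse_widths(samples: List[Sample]) -> List[int]:
    """Return the widths of the high pulses, ignoring the gaps between them."""
    return [duration for level, duration in samples if level == 1]


def decode_dips(samples: List[Sample]) -> List[bool]:
    """Return the 8 DIP positions (True = on) that follow the leading short pulse."""
    widths = high_pulse_widths(samples)
    if len(widths) < 1 + CODE_BITS:
        raise ValueError(f"need {1 + CODE_BITS} pulses, capture has {len(widths)}")
    reference = widths[0]  # the first pulse is always short, so use it as the yardstick
    code = widths[1:1 + CODE_BITS]
    return [width > reference * WIDE_RATIO for width in code]


def build_capture(dips: List[bool], short_us: int = 400, wide_us: int = 1200,
                  gap_us: int = 800) -> List[Sample]:
    """Construct a synthetic capture; every timing here is invented for this example."""
    samples: List[Sample] = [(0, 5000), (1, short_us), (0, gap_us)]
    for on in dips:
        samples += [(1, wide_us if on else short_us), (0, gap_us)]
    return samples


# Constructed captures mirroring the two traces on the page, plus a mixed setting.
ALL_OFF = build_capture([False] * 8)
ALL_ON = build_capture([True] * 8)
MIXED = build_capture([True, False, False, True, False, True, True, False])

if __name__ == "__main__":
    for name, capture in (("all off", ALL_OFF), ("all on", ALL_ON), ("mixed", MIXED)):
        bits = decode_dips(capture)
        print(f"{name:8s}", "".join("1" if bit else "0" for bit in bits))
```

Measuring each pulse against the first one keeps the decoder independent of the absolute timing, which the page does not state.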