Reverse engineering ELRO HA51 wireless

From Randomdata wiki
Latest revision as of 15:08, 22 October 2012

What is it

It's an alarm system used with wireless accessories. We have the central unit and a remote control:

Images: Elro HA51.jpg, Elro HA51 remote.jpg

Setup

We opened the device; no internal alarm triggers were used. The system contains two boards:

  • Logic board
  • 433 receiver

We hooked up a logic analyzer on the 433 MHz receiver board to sniff the data streams.
We opened the remote to change the dip switches:
Images: Elro HA51 remoteinside.jpg, Elro HA51 remoteinsidedips.jpg

Results

After sniffing a few times, this is the result:
"Put alarm off" with all dips off:
Image: Elro HA51 433 alloff alarmoff.png
"Put alarm off" with all dips on:
Image: Elro HA51 433 allon alarmoff.png
As you can see, the first pulse is always short. The next 8 pulses are the code of the system: dip "off" is a small pulse, dip "on" is a wide pulse.
We also saw that the last 4 pulses are used to control the system:
Wide=1
Small=0

System off: 1100
System on: 1110
System Delayed on: 1011
Panic button: 0011

Other codes will be added after analysing (PIR, door detection, etc.).
With the replay function we also tested these codes:
Alarm trips when set: 1111
Does nothing: 0000

What to do

  • Create pulse system to brute force the system and check for hidden codes
  • Use a 433 transmitter to create a remote brute forcer
  • Get a new/more current system and test it
  • Reverse a bunch of other alarm systems
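Added example (not code from the Randomdata wiki): a small codec for the 13-pulse frame described in the Results section, plus the frame enumerator that the brute-force item above calls for. Only the frame layout (short sync pulse, 8 dip-switch code pulses, 4 command pulses, wide = 1, small = 0) and the six command nibbles come from the page. The pulse widths in microseconds, the small/wide threshold, the mapping of dip 1 to the first code pulse, the command names, and the sample capture are assumptions made for this example.

```python
"""Frame codec for the 13-pulse ELRO HA51 remote protocol sketched above.

Layout taken from the page: one short sync pulse, then 8 pulses carrying the
dip-switch system code (small pulse = dip off = 0, wide pulse = dip on = 1),
then 4 pulses carrying the command. Everything else here is an assumption of
this example: the pulse widths in microseconds, the threshold that separates
small from wide, and the mapping of dip 1 to the first code pulse.
"""
from itertools import product

# Command nibbles listed on the page (last 4 pulses, wide = 1, small = 0).
COMMANDS = {
    "system_off": "1100",
    "system_on": "1110",
    "delayed_on": "1011",
    "panic": "0011",
    "trip": "1111",   # "alarm trips when set", found by replaying
    "noop": "0000",   # "does nothing"
}
COMMAND_BY_BITS = {bits: name for name, bits in COMMANDS.items()}

# Assumed timings; the page shows the capture only as an image.
SMALL_US = 300
WIDE_US = 900
THRESHOLD_US = (SMALL_US + WIDE_US) // 2   # 600 us: >= counts as "wide"


def bits_to_widths(bits):
    """Sync pulse followed by one pulse per bit."""
    return [SMALL_US] + [WIDE_US if b == "1" else SMALL_US for b in bits]


def encode_frame(dips, command):
    """dips: 8 booleans (True = dip on), command: key of COMMANDS.
    Returns the 13 pulse widths a transmitter would have to send."""
    dips = list(dips)
    if len(dips) != 8:
        raise ValueError("HA51 code is 8 dip switches")
    code_bits = "".join("1" if d else "0" for d in dips)
    return bits_to_widths(code_bits + COMMANDS[command])


def classify(width_us):
    """Turn a measured pulse width into a bit; tolerates jitter around the
    assumed nominal widths because only the threshold matters."""
    return "1" if width_us >= THRESHOLD_US else "0"


def decode_frame(widths):
    """Parse 13 measured pulse widths into (system code, command name).

    The command name is None for a nibble the page does not document, so a
    brute-force run can spot "hidden" commands without crashing. Frames of the
    wrong length or with a wide sync pulse are rejected."""
    if len(widths) != 13:
        raise ValueError(f"expected 13 pulses, got {len(widths)}")
    if classify(widths[0]) != "0":
        raise ValueError("sync pulse must be small")
    bits = "".join(classify(w) for w in widths[1:])
    code, cmd = bits[:8], bits[8:]
    return code, COMMAND_BY_BITS.get(cmd)


def brute_force_frames(only_known_commands=False):
    """Yield (code_bits, command_bits, widths) for every frame the protocol can
    carry: 256 dip codes x 16 command nibbles = 4096 frames, or 256 x 6 when
    restricted to the commands documented on the page. Feed the widths to a
    433 MHz transmitter to test a unit whose dip setting you do not know."""
    if only_known_commands:
        command_nibbles = list(COMMANDS.values())
    else:
        command_nibbles = ["".join(n) for n in product("01", repeat=4)]
    for code in product("01", repeat=8):
        code_bits = "".join(code)
        for cmd_bits in command_nibbles:
            yield code_bits, cmd_bits, bits_to_widths(code_bits + cmd_bits)


# Constructed capture: dips 1 and 3 on, "delayed on", with about 30 us jitter.
SAMPLE_CAPTURE_US = [310, 910, 290, 880, 320, 300, 310, 290, 300, 920, 280, 890, 910]

if __name__ == "__main__":
    print(decode_frame(SAMPLE_CAPTURE_US))          # ('10100000', 'delayed_on')
    print(encode_frame([False] * 8, "system_off"))
    print(sum(1 for _ in brute_force_frames()))      # 4096
```

The whole key space is 256 dip codes; with 16 command nibbles that is 4,096 frames, which a transmitter can send in a few minutes, and any nibble that decodes to None but changes the unit's state is a candidate "hidden code". Replace the assumed widths and threshold with values measured from your own logic analyzer capture before driving a real transmitter.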