Reverse engineering ELRO Flamingo HA31 wireless alarm
The Elro flamingo HA31 is a alarm with wireless sensors.
The set contains:
- A central unit with keypad, battery holder and a power-adapter
- PIR motion sensor
- Door contact sensor
- External sounder
- Accessories to mount the sensors etc
After unwrapping the package the outside looks decent. The unit has an extra contact on the back of it which will get switched on when ever you try to dismount the unit from the wall. If you do take it of the wal it will activate the alarm. After unscrewing the unit we where kind of surprised about the quality of the PCB's. Yes, all in all it IS cheap Chinese quality. But appearantly it does it's job.
We also found 4 dip-switches (also accessible via one of the standard openings). These switches are used to make up your own "house code". With only four switches to use for making up your own house code, it is in theory possible to create at max 16 unique codes (2*2*2*2). It's easy to activate the alarm of your neighbor if he/she uses the same system.
The internal of the central system does contain 3 PCB's, one with the numeric keypad attached to the main logic board and a wireless 433 receiver. Between the wireless receiver and the main board are 2 wires, it's power and "signal". The wireless control board doesn't contain a lot of hardware but most interesting is the chip, it is a M1D chip. After google-ing we found a NLdatasheet of the chip, it's a chip mostly used for door bells.
After opening the sensors we did saw the "other-side", same story...bad PCB's and... the doorbell chip..
After hooking up an analyzer to the central wireless receiver it also became clear what was happening, if the door bell rings (aka sensor got activated) a pulse is send to the main logic board and the alarm will be triggered if it's armed.
So how about the wireless signal and encoding?
The system is simple:
All dips on:
All dips off:
- Investigate the main logic board
- brute force all codes and functions on the keypad
- Create a re-player for the 16 codes to activate all alarms and call it: "Alarm-B-on" (named after Mitch his TV-B-Gobe)
- Create a 433Mhz jammer and test what you need in what range, create a heatmap in a "normal" house"