Thursday, 8 September 2016

Follow up: Wireless home alarm system from eBay 433MHz

I've finally installed and set up the alarm I bought from eBay a few weeks ago (see post: http://www.thebmwz3.co.uk/2016/08/wireless-home-alarm-system-from-ebay.html ) and have a few extra notes for anyone using it or looking to buy one.
Firstly, the setup really is straightforward: as per my previous post on it, configuring it and getting it working was simple enough.



I ordered a SIM card from O2 (it needs to be an older 2G SIM), put some credit on it and installed it. It works great: it sent me a text when the power failed, when power returned, and when the alarm triggered, including the reason for the trigger. Pretty neat. I found it better to power off before inserting the SIM, as if you insert it with the power on the panel sometimes doesn't recognise it and start using it.

A few interesting features. If you ring the alarm from another phone it will answer (give it quite a few rings) and ask for your PIN (just the standard PIN/alarm code), then offer the options: 1 to arm, 2 to disarm, 3 to monitor (listen in) or 4 for intercom. There are also a couple of hidden options: pressing 5 triggers SOS/panic and goes straight to alarm. I also found that * plays back what sounds like a technician setting the system up (in a language I didn't recognise, so I can't tell what he was saying!); I assume that is a pre-recording loaded onto the sound chip by mistake and they probably didn't intend anyone to find it. Note that this means the PIN is all that protects the dial-in disarm and listen-in functions from anyone who knows the SIM's number.
Unfortunately it doesn't tell you the current state of the alarm, which was one thing I was after.

Installing the wireless sensors was easy enough; they came with fixing brackets and also double-sided sticky pads, and were easy to fit and test.
These are very basic 433MHz devices, found in a lot of hobby electronics (and Arduino kits), and in this alarm they appear to be one-way units only: the sensor sends its alarm state to the control panel, and there is no return path from the panel to the sensor (which saves battery life). So the panel cannot tell the sensor when it is armed, and the sensor cannot report that it has been tampered with, that it is still alive (or its battery is dead), or that its signal is OK (it cannot detect jamming or malicious signals). This is the true weakness of the system.

Here are the insides of one of the door sensors.



You can see the typical 433MHz can at the top right (marked R433A), along with the spring antenna it uses. On the left is the reed switch and at the top left is the tri-colour LED. On the back are the electronics, all controlled by the chip you can see middle right of the photo: the typical EV1527 one-time-programmable (OTP) encoder, with a configurable code setting.

I did like that they left in the jumpers for setting a 'random' code sequence on them, the theory being that you set these to random positions so they're unique to your alarm and your individual sensor setup. I changed mine just because I could, and in theory anyone near me (there is probably only one house close to me!) wouldn't bother or know to. They also need to be unique, otherwise two sensors will share the same code and trigger the same input. Bear in mind that the jumpers only choose which fixed code the sensor transmits; the code never changes after that, so this does nothing to stop a transmission being captured and replayed.

Note that they came with the 23A 12V battery installed, and I've had at least two die since installation, so I'd say go out and buy a pack of them and replace them as soon as you purchase.
This also exposes another weakness: knowing when the batteries run down. Most of the time you notice the little red flicker when you open the doors, but that means you wait until they're dead before replacing them. There is also an odd flicker pattern: when you open the door the LED goes bright red, then flickers 3 or 4 times, getting dimmer each time (capacitor discharge timer?). If you press and hold the button the red light flickers, then goes orange and green. I've got no idea what the different colours mean, so once I've replaced the batteries with new ones I'll add extra info here. My hope is that they show green for a good battery and drop to red/orange when the battery is low (too much to ask?).

Next was wiring up an external bellbox. Although one came with the unit, I also had a traditional bellbox that I could use. As normal this had various feeds into it, labelled:
holdoff - and + = the 12V power supply to the unit, which charges its battery and also acts as the power feed
STB - = strobe, negative switched trigger
TRG = siren, negative switched trigger
LOOP = negative feed from the alarm (this acts as the tamper circuit)

The problem here is that the alarm uses positive switching for its alarm trigger output (on the back of the panel it's BZ+ and BZ-; BZ- is common to ground, so not switched), so I had to be a little creative. A cheap 12V optocoupled relay module looked like the best option (http://r.ebay.com/EvgMbn)

You feed the module with a constant 12V, and when the IN terminal goes high it activates the relay (if you set the selectable trigger to HIGH), so the panel's positive BZ+ output can drive IN directly. The optocoupler also isolates the panel from any noise or spikes from the relay itself. You then connect holdoff - (the bellbox supply) to COM on the relay and feed NO to the TRG and STB terminals, so when the relay pulls in it pulls the bellbox triggers negative and sets it off. It also has the advantage that the bellbox's built-in battery can be enabled, so if the wires are cut, etc., it will trigger the sounder on its own.

The next part to tackle was a (non-wireless) magnetic door switch for the garage doors. I had the relevant magnetic reed switch, and just needed to run two wires from it back to the alarm and wire them into the Z1 contact. This is wired between common/ground and the zone input, with a resistor in series too. The manual wasn't very good at explaining how to wire it, so it was a bit of trial and error!



So if you have normally closed contacts (as most magnetic door switches are) you put the resistor inline (a 10k ohm resistor is supplied in the box) and connect back to ground.
For a normally open contact you put the resistor in parallel with your sensor and wire it between ground and the zone you need.
Either way the panel sees 10k across the zone at rest, and a change away from that value (open circuit in the NC case, a short in the NO case) triggers it.
(Ignore the 'Pusitive' (sic) and power supply lines; I have no idea why they included them on this diagram, unless it is to show electrical isolation.)

Setting up the wired zones didn't seem to go right to start with, but I finally figured it out.
Each zone you can setup with one of the following modes:
0) Sensor will not trigger in any status (disabled zones)
1) Sensor will trigger the alarm when in out or home alarm state
2) Sensor will trigger the alarm when set to out state only (for PIRs, etc)
3) Sensor will trigger the alarm in any status (for smoke alarm, panic alarm, etc)

So to set the wired zone into mode 1 you are supposed to use key function
47811 (47 is the menu code, 81 is the wired zone code [range 81-88], 1 is the mode)
However when I did this the alarm didn't confirm the setting, it just returned to the menu as if it were an invalid setting. I then tried each one in turn and it seems 81 didn't accept it, but 82-88 did. I still have my sensor in zone 1 and it works in mode 1, so I'm not sure whether that is a fixed setting for that zone or something similar, but it works.

All in all, I'm quite impressed. It installed without too much challenge and is working great with the remotes.
A few negative points:

  • Remote-only 'home' alarm mode: there is no way of setting home mode from the panel itself, so you need a remote for it.
  • Positive-switched sounder triggers, as noted above, so I needed a relay to drive a conventional bellbox.
  • No indication (that I've found) that it will alert me to low batteries on the sensors.
  • No remote way of determining whether the alarm is armed or not.
  • The timer is always active on zones, so no matter which zone triggers the alarm, the timer counts down before the alarm sounds.
I'm also thinking of changing the resistor on the speaker, as now that it's in 'production' use it's actually a little too quiet, so I might change this in the near future.

Next I'm going to start sniffing the traffic going through the 433MHz system and see if I can 'read' the sensor states and anything else the units chatter about during normal operation. This may prove interesting, as it may help determine how 'secure', or at least tamper resistant, the system is. Again this is in theory, because as usual an intruder would need to know this was the system in use and sniff/understand the frequencies involved to use them to their advantage. I suspect brute-force attempts to jam it won't work very well from outside the house; otherwise they would need to learn/replay the remote control codes to deactivate it, as all other signals would trigger the alarm. (All just conjecture at this point.)

UPDATE 12/sept:
I've done a little sniffing using my Arduino 433MHz receivers, and sure enough I can see some of the communications. Generally I can see the PIRs sending their current movement state: when movement is detected they send a stream of their code. I've not yet seen any values from the door sensors or other sensors, but this may be down to the mode I've been testing with on my Arduino. I've also seen some limited codes from the remotes; they don't appear to be rolling-code units, but I do see several codes sent on each keypress that I'm going to investigate further.
My conclusion is that the wireless component is not very secure: it uses hobby-electronics frequencies, which increases the chance of interference and also of jamming or hacking into it. I've not yet tried replaying codes to see whether the system accepts or rejects them.
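To make the "fixed code, no rolling code" point concrete, here is an added example (my own illustration, not the blog author's Arduino sketch and not the alarm vendor's code) covering both the EV1527 sensor internals described above and the sniffing in this update. It encodes and decodes EV1527-style frames as lists of (level, duration) pulses, the same shape of data a 433MHz receiver plus timing capture gives you. Assumptions, labelled in the code: the usual EV1527 timing (a nominal 350 us clock unit, sync of 1 unit high + 31 low, bit 0 = 1 high + 3 low, bit 1 = 3 high + 1 low, 20 address bits then 4 data bits, MSB first); a hypothetical sensor board on which the code-setting jumpers select only the low 8 of the 20 address bits; and a `panel_accepts` check that models what a fixed-code receiver can verify. The jitter helper, the board base address and the sample noise are constructed for the example.

```python
# EV1527-style fixed-code frame encoder/decoder.
# Added example: not the blog author's Arduino code and not vendor code.
# Assumptions (labelled): standard EV1527 timing with a nominal clock unit
# of 350 us (the real value depends on the chip's oscillator resistor),
# sync = 1 unit high + 31 units low, bit 0 = 1 high + 3 low,
# bit 1 = 3 high + 1 low, 20 address bits then 4 data bits, MSB first;
# and a hypothetical sensor board whose code-setting jumpers select only
# the low 8 of the 20 address bits.

UNIT_US = 350            # nominal clock unit in microseconds (assumption)
ADDR_BITS = 20
DATA_BITS = 4
SYNC_LOW_UNITS = 31
TOL = 0.30               # timing tolerance used when classifying pulses


def ev1527_encode(address, data, unit_us=UNIT_US):
    """Return one frame as a list of (level, duration_us) pulses."""
    if not 0 <= address < (1 << ADDR_BITS):
        raise ValueError("address must fit in 20 bits")
    if not 0 <= data < (1 << DATA_BITS):
        raise ValueError("data must fit in 4 bits")
    pulses = [(1, unit_us), (0, SYNC_LOW_UNITS * unit_us)]   # sync
    word = (address << DATA_BITS) | data                    # 24-bit payload
    for i in range(ADDR_BITS + DATA_BITS - 1, -1, -1):      # MSB first
        if (word >> i) & 1:
            pulses += [(1, 3 * unit_us), (0, unit_us)]
        else:
            pulses += [(1, unit_us), (0, 3 * unit_us)]
    return pulses


def _near(value, target):
    return abs(value - target) <= TOL * target


def ev1527_decode(pulses):
    """Decode the first complete frame in a pulse list.

    Returns (address, data) or None.  The unit is re-estimated from each
    candidate sync pulse, so a receiver whose timing is a bit off still
    decodes, and anything that is not a well-formed frame is skipped.
    """
    n = len(pulses)
    for i in range(n - 1):
        hi_lvl, hi_dur = pulses[i]
        lo_lvl, lo_dur = pulses[i + 1]
        if hi_lvl != 1 or lo_lvl != 0 or not _near(lo_dur, SYNC_LOW_UNITS * hi_dur):
            continue
        unit = (hi_dur + lo_dur / SYNC_LOW_UNITS) / 2       # averaged estimate
        word = 0
        j = i + 2
        for _ in range(ADDR_BITS + DATA_BITS):
            if j + 1 >= n:
                word = None
                break
            (l1, d1), (l2, d2) = pulses[j], pulses[j + 1]
            if l1 == 1 and l2 == 0 and _near(d1, unit) and _near(d2, 3 * unit):
                bit = 0
            elif l1 == 1 and l2 == 0 and _near(d1, 3 * unit) and _near(d2, unit):
                bit = 1
            else:
                word = None
                break
            word = (word << 1) | bit
            j += 2
        if word is not None:
            return word >> DATA_BITS, word & ((1 << DATA_BITS) - 1)
    return None


def with_jitter(pulses, max_frac, seed=1):
    """Perturb every pulse width by up to +/-max_frac with a small
    deterministic LCG, standing in for receiver timing noise (constructed)."""
    out, state = [], seed
    for level, dur in pulses:
        state = (1103515245 * state + 12345) % (1 << 31)
        frac = (state / (1 << 31)) * 2 * max_frac - max_frac
        out.append((level, dur * (1 + frac)))
    return out


def sensor_address(jumpers, board_base=0x3A700):
    """Hypothetical board: 8 jumpers set the low 8 address bits; the other
    12 are fixed by the board (board_base is a constructed value)."""
    if len(jumpers) != 8:
        raise ValueError("expected 8 jumper positions")
    low = 0
    for j in jumpers:
        low = (low << 1) | (1 if j else 0)
    return (board_base & ~0xFF) | low


def panel_accepts(captured_pulses, enrolled_addresses):
    """What a fixed-code panel can check: does the address match one it
    learned?  A frame replayed from an earlier capture passes exactly the
    same test as the genuine transmission."""
    decoded = ev1527_decode(captured_pulses)
    return decoded is not None and decoded[0] in enrolled_addresses


if __name__ == "__main__":
    door = sensor_address([0, 0, 1, 1, 0, 1, 0, 1])
    genuine = ev1527_encode(door, 0b1000)            # e.g. reed switch opened
    print("door sensor address: 0x%05X" % door)
    print("decoded through a noisy receiver:", ev1527_decode(with_jitter(genuine, 0.10)))
    # Whoever recorded `genuine` once can send the same pulses back verbatim.
    print("replay accepted:", panel_accepts(list(genuine), {door}))
```

Two things fall out of running it. First, with 8 jumpers the sensor only has 256 distinct codes to choose from, so the jumpers address the "two sensors on the same input" problem rather than any attacker. Second, `panel_accepts` has nothing but the address to go on: a capture of one door opening, fed back to the panel, is bit-for-bit identical to the real thing, which is why the remotes being fixed-code rather than rolling-code matters far more than the sensors.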

5 comments:

  1. My friend prefers CCTV alone to wireless home alarm systems, but I find these systems to be highly resourceful and versatile - a fact that you have vividly elaborated in this post. In addition to the one you have reviewed, I found some of the best home alarm systems here: http://survival-mastery.com/diy/homestead/best-home-alarm-system.html

  2. Hello, I am so delighted I located your blog; I really located you by mistake, while I was watching on Google for something else. Anyway, I am here now and would just like to say thanks for a tremendous post and an all round entertaining website. Please do keep up the great work. sunrise alarm clocks

  3. If the economy is weak in the next year, the increasing potential of this market is still very large; secondly, the current wireless products have improved from the 27/49MHz to 204GHz; thirdly, the Nordic will release some exciting products in the next year, including a Bluetooth low power consumption chip. This product has expanded the Bluetooth to the wireless field. visit electricalshop.net

  4. Very useful post. This is my first time I visit here. I found so many interesting stuff in your blog, especially its discussion. Really it's a great article. Keep it up. http://bestcheapvpn.com
