Thursday 8 September 2016

Follow up: Wireless home alarm system from ebay 433Mhz

I've finally installed and setup the alarm I bought from eBay a few weeks ago (See post: http://www.thebmwz3.co.uk/2016/08/wireless-home-alarm-system-from-ebay.html ) and found a few extra little notes to add to anyone using it or looking to buy.
Firstly, the setup is actually straight forward, as per my previous blog post on it, configuring it and getting it working was simple enough.



I ordered a sim card (It needs to be an older 2G version) from o2, put some credit on and installed it, works great it sent me a text when power failed, power returned and when the alarm had triggered and the reason for the trigger. Pretty neat. I found that it was better to power off before inserting the sim as sometimes if you inserted it with power on it didn't recognise it and start to use it. A few interesting features I found, firstly if you ring the alarm from another phone it'll answer (give it quite a few rings) and it'll ask for your pin code (just the standard pin/alarm code) and give you the options: 1 to arm, 2 to disarm, 3 to monitor (listen) or 4 for intercom. There are also a couple of hidden options, press 5 and it triggers SOS/panic and goes to alarm straight away. I also found the * option played back what sounded like a technician setting the system up (In a language I didn't recognise so can't tell what he was saying!), I'm assuming that was a pre-recording loaded onto the sound chip by mistake and they probably didn't intend anyone to find it!
Unfortunately it didn't tell you the current state of the alarm which was one thing I was after.

Installing the wireless sensors was easy enough, they came with fixing brackets and also double-sided sticky pads, and it was easy to fit and test.
These are very basic 433Mhz devices, found in a lot of hobby electronics (and arduino kits), and in this alarm they seem to be only 1-way units, i.e. the sensor sends it's alarm state to the control panel, no return path from the alarm to tell it when it's armed (to save battery life), whether it's been tampered, if it's still alive (dead battery), if it's signal is OK (doesn't detect jamming/malicious signals), etc. So this is the true weakness of the system.

Here are the insides of one of the door sensors.



You can see the typical 433Mhz can at the top right (R433A), along with the spring antenna it uses. On the left is the reed switch and top left is the tri-colour LED. On the back are the electronics and it's all controlled by the chip you can see middle right of the photo. The chip is the typical EV1527 OTP encoder with configurable code setting.

I did like that they left in the jumpers for helping to set a 'random' coded sequence on them, the theory being you set these to random positions so they're unique to your alarm and individual sensor setup. I changed mine just because I could and in theory thought anyone near me (There is probably only one house close to me!) wouldn't bother/know this. They also need to be unique otherwise two sensors will share the same code and trigger the same input.

Note that they came with the 23A 12v battery installed, and I've had at least two die since installation, so I'd say go out and buy a pack of them and replace them as soon as you purchase.
This has also exposed another weakness, knowing when the batteries run down. Most of the time you notice the little red flicker when you open the doors, but that means you wait until they're dead before replacing. There is also an odd flicker pattern. When you open the door it goes bright red then flickers 3 or 4 times getting dimmer each time. (Capacitor discharge timer?) If you press the button and hold it the red light flickers then goes orange and green. I've got no idea what the different colours of the lights mean, so when I've replaced the batteries with new ones I'll add extra info here on them, my hope is they are green for good battery and drop to red/orange when low battery (Too much to ask?).

Next was wiring up an external bellbox. Although one came with the unit, I also had a traditional bellbox that I could use. As normal this had various feeds into it, labelled:
holdoff - and + = These are the power supply (12v) to the unit that charged the battery and also acted as the power feed.
STB - = Strobe negative switched trigger
TRG = Siren negative switched trigger
LOOP = negative feed from alarm (This acts as a tamper circuit)

The problem here is that the alarm uses positive switching for it's alarm trigger output (On the back of the alarm it's BZ+ and BZ-, BZ- is common to ground so not switched), so therefore I had to be a little creative. A cheap 12v optocoupled relay looked like the best option (http://r.ebay.com/EvgMbn)

Which you feed with 12v constant and then when the IN terminal goes high it'll activate the relay (If you set the switchable trigger to HIGH). This way it protects the alarm from any noise/spikes from the relay itself and triggers on high. You can then connect the holdoff - (supply) to COM on the relay and then feed NO to the TRG and STB terminals, so when the relay is triggered it'll set the alarm off. It also has the advantage that the battery built into your bellbox can be enabled so if wires are cut, etc, then it will trigger the sounder on it's own.

The next part to tackle was a magnetic door switch (non wireless), this was for the garage doors. So I had the relevant magnetic reed switch, just needed to feed two wires back to the alarm from it, and wire them into the Z1 contact. This is wired in between common/ground and the zone input (with a resistor in series too). The manual wasn't very good at explaining how to wire it, so it was a bit trial and error!



So if you have normally closed contacts (Like most magnetic door switches are) then you put the resistor inline (10k ohm supplied in the box) and connect back to ground.
For a normally open contact you put the resistor in parallel to your sensor and wire it into ground and the zone you need.
(Ignore the Pusitive (!) and power supply lines, I have no idea why they included them on this diagram unless to show electrical isolation)

Setting up the wired zones didn't seem to go right to start with, but I finally figured it out.
Each zone you can setup with one of the following modes:
0) Sensor will not trigger in any status (disabled zones)
1) Sensor will trigger the alarm when in out or home alarm state
2) Sensor will trigger the alarm when set to out state only (for PIRs, etc)
3) Sensor will trigger the alarm in any status (for smoke alarm, panic alarm, etc)

So to set the wired alarm into state 1 you are supposed to use key function
47811 (47 is the menu code, 81 is the wired zone code range [81-88])
However when I did this the alarm didn't confirm the setting, just returned to the menu, like it was an invalid setting. I then tried each one in turn and it seems 81 didn't accept it, but 82-88 did. I have my sensor still in zone1 and it works in mode 1, so not sure if that is a constant setting for that or something similar, but it seems to work.

All in all, I'm quite impressed. It installed without too much challenge and is working great with the remotes.
A few negative points:

  • Remote-only 'home' alarm mode. There is no way of setting the home mode from the panel itself, so you need a remote to set that mode.
  • Positive triggers (for sounders) as noted above, so needed a relay to solve this
  • No indication (that I've found) that it'll alert me to batteries going low on the sensors
  • No remote way of determining if alarm is armed or not
  • Timer is always active on zones, so no matter which zone is triggering the alarm, the timer starts counting before the alarm sounds
I'm also thinking of changing the resistor on the speaker as now it's in 'production' use it's actually a little bit too quiet, so might change this in the near future.

Next up I'm also going to start to sniff the protocol and traffic going through the 433Mhz system and see if I can also 'read' the sensor states and anything else the units chatter about during normal operations, this may prove interesting as may help determine how 'secure' or at least tamper resistant the system will be. Again this is in theory, because as usual an intruder would need to know this was the system in use, and sniff/understand the frequencies involved to try to use them to their advantage. I suspect brute-force attempts to jam it won't work very well from outside the house, otherwise they would need to learn/replay the remote control codes to help de-activate it, as all other signals would trigger the alarm. (All just conjecture at this point in time)

UPDATE 12/sept:
I've done a little sniffing using my Arduino 433Mhz receivers, and sure enough I can see some of the communications. Generally I can see the PIRs sending their current movement state, so when movement is detected they send a stream of their code. I've not seen any values from the door sensors as yet or other sensors but this may be the mode I've been testing using my Arduino. I've also seen some limited codes from the remotes, they don't appear to be rolling code units but I do see several codes sent on each keypress that I'm going to investigate further.
My conclusion is that it's not got a very secure wireless component to it, it uses hobby electronic frequencies which increase the chance of interference and also jamming/hacking into it. I've not yet tried to replay codes and see if the system accepts or rejects them at this point in time.

32 comments:

  1. My friend prefers CCTV alone to wireless home alarm systems, but I find these systems to be highly resourceful and versatile - a fact that you have vividly elaborated in this post. In addition to the one you have reviewed, I found some of the best home alarm systems here: http://survival-mastery.com/diy/homestead/best-home-alarm-system.html

    ReplyDelete
  2. Hello I am so delighted I located your blog, I really located you by mistake, while I was watching on google for something else, Anyways I am here now and could just like to say thank for a tremendous post and a all round entertaining website. Please do keep up the great work. sunrise alarm clocks

    ReplyDelete
  3. If the economy is weak in the next year, the increasing potential of this market is still very large; secondly, the current wireless products had improved from the 27/49MHz to 204GHz; thirdly, the Nordic will released some exciting products in the next year, including Bluetooth low power consumption chip. This product has expanded the Bluetooth to the wireless field.visit electricalshop.net

    ReplyDelete
  4. Very useful post. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. Really its great article. Keep it up. http://bestcheapvpn.com

    ReplyDelete
  5. The information you have posted is very useful. The sites you have referred was good. Thanks for sharing.. TutuApp VIP Download

    ReplyDelete
  6. This is a great inspiring article.I am pretty much pleased with your good work.You put really very helpful information. Keep it up. Keep blogging. Looking to reading your next post. AppEven Download

    ReplyDelete
  7. DOWNLOAD PAID APPS FOR FREE WITH TUTUAPP FROM PLAYSTORE DOWNLOAD TUTUAPP FOR MORE INFO

    Tutuapp

    Tutuapp Android

    ReplyDelete
  8. This type of message always inspiring and I prefer to read quality content, so happy to find good place to many here in the post, the writing is just great, thanks for the post. appvn download

    ReplyDelete
  9. You make so many great points here that I read your article a couple of times. Your views are in accordance with my own for the most part. This is great content for your readers. video alarm

    ReplyDelete
  10. Since outfitted guards must have a weapon amid the work move, they should be authorized with the legislature and get a unique confirmation. Despite the fact that these open doors require greater duty, they will give a more elevated amount of pay.veriato360 employee monitoring software

    ReplyDelete
  11. Fantastic blog you have here. You’ll discover me looking at your stuff often. Saved! wlan passwort hacken

    ReplyDelete
  12. Need house-hold comforts in time for summer?
    We install and service smart vent, extraction systems and heat pumps. Melbourne Security Installers

    ReplyDelete
  13. Hello I am so delighted I located your blog, I really located you by mistake, while I was watching on google for something else, Anyways I am here now and could just like to say thank for a tremendous post and a all round entertaining website. Please do keep up the great work. Home Security Systems

    ReplyDelete
  14. In addition, as an Indonesian cloud hosting company that prioritizes security, we will also hold the Dewatalks 2018 event. This year's seo-blogger event will discuss all about web security by bringing in speakers who are experts in the field of website security. Waiting for the next news about seobloggers! Serious Security Alarms

    ReplyDelete
  15. I feel happiness to read the content that you are posting.locksmith Norcross GA

    ReplyDelete
  16. A little help will be useful, though. You can put a little casing or visor over your camera just to help it along, unless you want the sky above your house monitored?
    BestSecurityPlace

    ReplyDelete
  17. I’d like to thank you for writing on this topic. The information you provided was very useful. I will visit again in the near future.

    Slomins Reviews

    ReplyDelete
  18. like to thank you for writing on this topic. The information you provided was very useful. I will visit again in the near future know more

    ReplyDelete
  19. You writing is always fabulous. This is third time I’ve read your blog and I find the information very useful.
    Slomins

    ReplyDelete
  20. Notwithstanding, recollect that an individual alarm itself isn't a spare all choice, you will in any case need to play it safe in some random circumstance to help make yourself progressively secure.alarm timer

    ReplyDelete



  21. Tutu Helper is the one of the best ios,android App store to get the tons of free app and game. Here the latest version of TutuApp of free.
    Tutu Helper Apk
    TutuApp free
    tutuapp pokemon go

    ReplyDelete


  22. Tweakbox App is the one of the best ios,android App store to get the tons of free app and game. Here the latest version of tweakbox of free.
    Tweakbox Apk
    Tweakbox for ios
    Tweakbox for android

    ReplyDelete

  23. Whatsapp plus is one of the best mod app for official whatsapp for free, get unlimited features of

    whatsapp plus for free. Here Click to download the latest version whatsapp plus apk.
    WhatsApp Plus APK
    WhatsApp Plus Download

    ReplyDelete
  24. Amazing knowledge and I like to share this kind of information with my friends and hope they like it they why I do.. オンラインカジノ

    ReplyDelete
  25. Thank you for such a well written article. It’s full of insightful information and entertaining descriptions. Your point of view is the best among many. gps tracker watch for kids

    ReplyDelete

Note: only a member of this blog may post a comment.