Alarm System Hacking


I’ve created this webpage as reference information for my presentation at the 2018 Maker Faire.

In Atlantic Canada the requirement to dial 10 digit phone numbers came into effect on August 23, 2014. I received notification a couple of months before that from my monitoring company that I had to schedule a service appointment to have my alarm system dial out number changed and the cost was going to be something like $150! I really needed to do that myself and it became quite the project.

My alarm is the PC-2550, circa 1990. It was easy to find technical and programming information on the panel and mine had the programming sheets inside.

I did some experimenting and found out that my panel was ‘locked’ with a key code. Then after some research I found out that alarm monitoring companies often (always?) lock the panel so it can’t be “tampered with”. But it also prevents any other monitoring company from reusing the panel. Of course that is no problem for them because they all want to sell you a new system. Is it an industry conspiracy? I don’t know.

First I did a lot of searching to see if there were any known installer codes or anything like that. I tried all the obvious things such as 4 digits related to my phone number or my account number or anything like that. No luck.

I soon realized that a 4 digit code has ‘only’ 10,000 combinations, which is too many to enter by hand but, if I could automate the keypad input, I could brute force it by trying every 4 digit number until I found the right one. So that meant figuring out how the keypads communicated with the panel.

The best source of technical information I found was this forum (note that only the first 28 posts existed at the time). It was certainly good enough information to get started. 

As usual for this kind of thing, the first step is to look at the data with an oscilloscope. Below is a picture of the data (clock and data lines) and a short video showing the pattern change when the keypad keys are pressed.

[Image: oscilloscope capture of the keypad clock and data lines]

The top trace is the clock line and the bottom is data, and as you can see from the video, the data is sent continuously. The data going to the keypad controls the lights and the beeper, and those data bits are valid on the falling edge of the clock. The rising edge of the clock is when the data from the keys on the keypad is sent to the panel.
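To make the two-direction timing concrete, here is a small added example (my own illustration, not the post's Arduino code, which the author did not publish) that decodes a captured clock/data stream the way the paragraph describes: bits held on the data line at each falling edge are taken as panel-to-keypad traffic, and bits held at each rising edge as keypad-to-panel traffic. The capture is constructed inline, and the framing (8 bits per word, MSB first, four samples per clock period) is an assumption for the example, not the PC-2550's actual protocol.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* One logic-analyzer sample of the two bus lines: 1 = high, 0 = low. */
typedef struct { uint8_t clk; uint8_t data; } sample_t;

#define BITS 8
#define SAMPLES_PER_BIT 4
#define CAPTURE_LEN (BITS * SAMPLES_PER_BIT + 1)

/* Build a constructed capture (not a real PC-2550 trace). Assumed framing for
   this example: the panel drives the data line while the clock is high, so its
   bit is stable at the falling edge; the keypad drives the line while the clock
   is low, so its bit is stable at the rising edge. Both words are MSB first. */
void build_capture(uint8_t panel_word, uint8_t keypad_word, sample_t *out) {
    size_t k = 0;
    for (int bit = BITS - 1; bit >= 0; bit--) {
        uint8_t p = (panel_word >> bit) & 1;
        uint8_t q = (keypad_word >> bit) & 1;
        out[k++] = (sample_t){1, p}; out[k++] = (sample_t){1, p};  /* clock high */
        out[k++] = (sample_t){0, q}; out[k++] = (sample_t){0, q};  /* clock low  */
    }
    out[k++] = (sample_t){1, 0};  /* clock returns high: the final rising edge */
}

/* Collect the data-line value held at each clock edge of one direction.
   edge_to == 0 selects falling edges (1 -> 0), edge_to == 1 selects rising
   edges (0 -> 1). The value is taken from the sample just before the edge,
   i.e. what the line held as the clock transitioned. Returns bits captured. */
size_t capture_bits(const sample_t *s, size_t n, uint8_t edge_to,
                    uint8_t *bits, size_t max_bits) {
    size_t count = 0;
    for (size_t i = 1; i < n && count < max_bits; i++) {
        if (s[i - 1].clk != edge_to && s[i].clk == edge_to) {
            bits[count++] = s[i - 1].data;
        }
    }
    return count;
}

/* Pack up to 8 captured bits into a byte, first bit in the MSB position. */
uint8_t pack_msb_first(const uint8_t *bits, size_t n) {
    uint8_t v = 0;
    for (size_t i = 0; i < n && i < 8; i++) {
        v = (uint8_t)((v << 1) | (bits[i] & 1));
    }
    return v;
}

/* Decode one word from the capture on the chosen edge direction. */
uint8_t decode_word(const sample_t *s, size_t n, uint8_t edge_to) {
    uint8_t bits[BITS];
    size_t got = capture_bits(s, n, edge_to, bits, BITS);
    return pack_msb_first(bits, got);
}

/* Convenience: build a capture for the two words and decode one direction. */
uint8_t roundtrip(uint8_t panel_word, uint8_t keypad_word, uint8_t edge_to) {
    sample_t cap[CAPTURE_LEN];
    build_capture(panel_word, keypad_word, cap);
    return decode_word(cap, CAPTURE_LEN, edge_to);
}

int main(void) {
    /* Constructed words: 0xA5 from the panel, 0x3C from the keypad. */
    printf("panel -> keypad (falling edge): 0x%02X\n", roundtrip(0xA5, 0x3C, 0));
    printf("keypad -> panel (rising edge):  0x%02X\n", roundtrip(0xA5, 0x3C, 1));
    return 0;
}
```

The point of separating the two edge directions is that a single capture of the shared data line contains both conversations interleaved; sampling on the wrong edge mixes them and produces garbage that looks like a protocol you don't understand. On a real capture the sample rate has to be well above the clock rate so that the "sample before the edge" is genuinely within the stable half of the period.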

The processor I used to connect to the panel was the Arduino Mega 2560 because I had one in my collection and I thought I might need the extra serial ports. As it turned out it just needed four digital I/O lines so any Arduino would have done.

Here is the schematic of the circuit I used to connect to the panel:

[Image: schematic of the Arduino to alarm panel interface circuit]

It was easy to figure out the data going to the keypad, but it was a real challenge to emulate the keypad key presses. After a lot of experimenting I did get it to work, and about one week before the deadline I was able to start the process of testing all the possible key codes. It ran for a few days and then success!

I’m not going to explain my code here but if someone is interested I will be happy to share. I haven’t tried the libraries that came later and are on Github and referenced in the forum but I may get to it some day.