Reverse engineering a wireless burglar alarm, part 8

Last time we worked out that we could easily drive the CC1150 daughterboard using the Seeeduino Mega Arduino board. The Seeeduino Mega uses an ATmega2560 microcontroller, which has a number of features which will help us do this: Hardware SPI interface – this makes high speed SPI connections almost effortless. No nasty bit-banging here. Pin […]

Reverse engineering a wireless burglar alarm, part 7

So, where were we? We’ve worked out how several components of the alarm use the CC1150 to send out signals, and now I want to emulate the signal and then play with it. By far the easiest way to do this is to use the same CC1150 chip as in the authentic transmitters. I can […]

Reverse engineering a wireless burglar alarm, part 6

Last time, we looked at the data the door contact was sending out over the airwaves. We arrived at a simple encoding system where 0 = 100 and 1 = 110. This might not be entirely correct, but we are finding 48-bit long packets containing the same data each time. Now we need to […]

Reverse engineering a wireless burglar alarm, part 5

Last time we worked out that data was being transferred from the microprocessor to the CC1150 chip using synchronous serial mode at 6.5kBaud. This time, we are going to look at that data using the logic analyser and try to interpret it. This is what our data looks like – channel 1 is data, channel […]

Reverse engineering a wireless burglar alarm, part 4

In the last part, we looked at sniffing the SPI traffic between the Elan microprocessor and CC1150 RF chip in a door contact from a Friedland Response alarm system. We worked out which pin was which, and interpreted some of the SPI traffic to check our assumptions were correct. Part of my general philosophy when […]

Reverse engineering a wireless burglar alarm, part 3

In part 1, we used some simple tools available to us to look at the modulation and frequency the Response alarms use (868MHz, 2-FSK). In part 2, we opened the alarm up and looked at the main components in the system (TI CC11xx RF chips with various microprocessors). Now we are going to try and […]

Reverse engineering a wireless burglar alarm, part 2

So we have some idea of the modulation and frequency used by the alarm from our initial investigations. That’s only part of the picture really – but at least we know this isn’t using frequency hopping or anything too challenging. Where to go from here? We take it apart! I’m not even going to power […]

Reverse engineering a wireless burglar alarm, part 1

After Adam’s recent post on reverse engineering a wireless doorbell, I thought I would take you through a similar process, but with a different system. This is a Response SL2 wireless burglar alarm system, purchased from Amazon in late 2011. They seem fairly popular and well-reviewed. We start our research without even touching the alarm, […]