In part 1, we used some simple tools available to us to look at the modulation and frequency the Response alarms use (868MHz, 2-FSK)

In part 2, we opened the alarm up and looked at the main components in the system (TI CC11xx RF chips with various microprocessors).

Now we are going to try and look at the communication between the microprocessors and the TI CC1150 chips. They have an SPI serial interface, allowing the user to set various registers to control the rich and complex feature set.

I have a number of tools available to me that can sniff SPI. The cheapest is the Bus Pirate. This has an SPI sniffer interface along with a basic logic analyzer. It works well, 90% of the time. If timings are curious or the protocol deviates slightly from normal, it tends to fall over.

I also have an oscilloscope. It is hard work decoding serial though – it doesn’t have any built in protocol analysers.

So I go to my good old friend, the Saleae Logic 8-channel logic analyser. I have had this a number of years and it has rarely let me down. It’s simply brilliant for dealing with embedded systems, and the software is very easy to use and cross-platform.

I’m going to work with the door sensor initially – they are the cheapest and simplest sensors. I was planning on selling unopened sensors, and the PIRs fetch decent prices on ebay (as an aside, the provenance of alarm detectors on eBay is questionable – could this be an attack vector?).

The RF daughterboard has a 8 pin header. We need to work out which is ground, and then we can safely connect the Saleae Logic. We do this using a continuity tester between the battery connector and pins. It looks like pin 1 is ground.

Another pin will be the supply, but at this stage, it doesn’t really matter which. I just need to confirm it is <5V to avoid damaging the logic analyser. I connect the board to the power supply and confirm that no voltages are higher than 3V, regulated down from the two CR2032 batteries.

Small wires are soldered to the pin header to make connecting the logic analyser easier.

We then start the logic analyser with no triggering and press the test button on the contact.

Excellent – this looks very much like we have data!

I could at this stage buzz out the pins to the CC1150 chip to work out what the pins do, but the daughterboard is soldered down so the chip is hard to access. I’d rather just have a guess at the pins – we know it is SPI after all.

SPI requires the following pins:

• CS – chip select, generally active low.
• SCLK – the clock for the data.
• MOSI – master out, slave in data.
• MISO – master in, slave out data.

CS is nearly always going to be the slowest changing pin – let’s zoom in to the beginning of the trace and see what we have:

From this, I’d wager that CS is channel 0.

Now, to look at this trace, it would be easy to assume that channel 3 is a clock – look how regular it is! However, in SPI, because we are transferring at least 8-bits of data, we need at least 8 transitions each time CS is asserted. Channel 3 isn’t nearly fast enough.

What about channel 4 being the clock? The pulses look to short (and on some traces, they are very irregular as well!):

But if we look a little closer, we can clearly see 8 pulses per CS. There is no requirement for the clock pulses to be regular and they also don’t need to have a 50% duty cycle.

The two other channels with changes are 3 and 5. One will be MOSI, the other MISO – we aren’t really bothered which right now as it won’t have any impact on decoding the data.

I’ll now set up the Saleae Logic’s protocol decoder for SPI on these channels. There are a number of configuration settings, let’s leave them on the defaults and see what happens – it will throw errors or produce obviously squiffy data if incorrect.

The little orange and green boxes represent decoded data – we just need to zoom in to see what that data is now. I can then export this as CSV to examine in an external program. We have no errors, so we can check if the decoding has worked by examining the packets against the datasheet.

This is exactly what I would expect to see when a micro is controlling a CC1150. Let’s work out what is going on.

We are just going to lock at MOSI – the packets the microcontroller is sending to the CC1150.

The first packet is an 1 byte packet, where 0x30 is sent. If we search for 0x30 in the datasheet, we find out that there are a series of 1 byte packets called “strobe commands” on page 42, table 25 . They all trigger changes in the internal state machine. 0x30, SRES, reset – fairly obvious meaning!

Next we have a series of 2 byte packets. You can see the first byte of each packet is generally just incrementing one by one. Again, we look through the datasheet and on page 43, table 26, we have a list of the configuration registers. Notice how we skip some numbers – 0x0C, 0x0D – this is because they are only used for reception, not transmission, and the CC1150 is a transmitter only.

I could go through these one by one, explaining how they are configuring the radio. But let’s just look at the most important ones for now, referring to the datasheet.

FREQ2, FREQ1, FREQ0 are stored in 0x0D, 0x0E, 0x0F and are set to 0x21, 0x65, 0x6A respectively. From page 47 of the data sheet, we need to concatenate these (0x21656a) and then use a simple formula to work out the frequency. This gives a result of 868,299,865Hz – almost exactly as we measured.

MDMCFG2, 0x12, contains modulator settings. Bits 6-4 are the modulation format – so let’s look at them. The value written to 0x12 is 0x00,  so bits 6-4 are 0b000. This corresponds to 2-FSK, as we observed before.

DEVIATN, 0x15, tells us the deviation settings (i.e. how far apart the two frequencies will be in 2-FSK). A simple formula is used. Bits 6-4 give us the exponent, and 2-0 give us the mantissa. 0x15 is set to 0x50, so the exponent is 0b101 and the mantissa 0b000. From this we get 50781.25Hz – again, this corresponds to our ~100kHz gap between the two peaks from part 1.

We are now confident that we the SPI traffic we are looking at is correct. Now we need to work out how data is being sent between the two. There are so many different ways this can be done using the CC1150, so we will need to drill into the settings and sniffed traffic in more detail – which we will do in the next part.

So we have some idea of the modulation and frequency used by the alarm from our initial investigations. That’s only part of the picture really – but at least we know this isn’t using frequency hopping or anything too challenging.

Where to go from here? We take it apart! I’m not even going to power anything up in this instalment – just see what the system is made up of.

The alarm consists of several components…

• A solar powered bell box on the outside wall, with flashing LEDs, PP3 and 6V sealed lead-acid batteries, and a tamper switch.
• A keypad that mounts inside. This has 3 indicator LEDs, a tamper switch and is powered by a PP3 battery.
• PIR detectors. These have a single red indicator LED, tamper switch and are powered by a PP3 battery.
• Door contacts. These have a single red indicator LED, tamper switch, auxialliary contacts, and are powered by two CR2032 lithium batteries.

All use double sided PCBs, which appear well designed and are well made. Quality control stickers are on each board, as are small stickers on microcontrollers that look like firmware versions.

PIR

What do we see in here?

• An Elan EM78P418N microprocessor (PDF datasheet). These are essentially Chinese PIC clones that have one-time programmable (OTP) ROM in them. Generally OTP ROM is cheaper than EEPROM. I don’t expect I would have much luck reading the code out as. It might have in-circuit debugging, but the documentation is poor and I have had no luck with other Elan micros.
• An empty space for the crystal (X1), that indicates the Elan microprocessor is using an internal RC oscillator. This means that the microprocessor is not going to be doing anything requiring accurate timing, whether than be fast asynchronous protocols or waking at specific times. It does mean that at some point they considered using one – why would that be?
• An empty space for an 8-pin device, U1. There aren’t many 8 pin devices in use these days, only really serial EEPROMS. Pins 1-4 are common and likely ground. The Elan microprocessor has no EEPROM. Optional EEPROMs are interesting – usually the microprocessor will check for the presence of the chip, then check for a “programmed” flag. If the EEPROM is not programmed, it will write the default values and set the “programmed” flag. I might be able to add an EEPROM and see what it could store.
• A small RF daughterboard, with a TI CC1150 sub-1GHz transmitter (PDF datasheet) and 26MHz crystal. This is one of the CC11xx family – another well known member being the CC1110 SoC transceiver used in the GirlTech IM-ME. They are incredibly versatile and configurable. Importantly, we know that the PIR can only transmit, and not recieve. Many devices used a daughterboard for RF as I believe this can pass certification independent of the whole product and be easily re-used.
• The rest of the components are the power supply or PIR detector.

Door Contact

• Another Elan EM78P418N microprocessor. It makes sense to use the same technology across the range if possible.
• An empty space for a 8-pin SOIC again.
• No empty space for a crystal – it was never a consideration to use an external crystal for this board.
• The same RF daughterboard as in the PIR.
• The coloured wires are my addition!

Keypad

• Yet another Elan EM78P418N microprocessor.
• An 8-pin SOIC! HO18 08B1 – not much info on this. Pins 1-4 are grounded so I expect this to be a serial EEPROM.
• No empty space for a crystal.
• The same RF daughterboard again. This means the panel can only transmit, not receive. It is not aware of the state of other components,
• The pin headers and wires are my additions.

Bell box

• An ATmega88 10MU122 microprocessor (PDF datasheet) – much more exciting (and much more familiar)! These use EEPROM and if the fuses are set right, I can read the EEPROM easily. I always find it interesting when products contain different processor architectures – maintaining two sets of code is an extra burden, so this choice is not made lightly.
• A cylindrical can crystal with no markings – often these are 32.768kHz crystals for timekeeping. The ATmega88 has a internal RC oscillator which can be quite accurately calibrated, but nowhere near as accurate as an external crystal. Interesting how this is the only component with an external crystal.
• No EEPROM or space for an EEPROM – probably because the ATmega88 has it built in unlike the Elan micros.
• A 6-pin populated pin header – Atmel’s in-circuit programming connector is 6-pin. I wouldn’t ever expect anyone to open this and reprogram it though – so why is the header on there?
• An RF daughterboard that is very similar – expect this time it is a CC1101 transceiver rather than just a transmitter. Interesting! This means that the only component of the alarm system that can receive and transmit is the bell box. This may have implications later.

Summary

So, for the RF side of things, all of the components are using the TI CC11xx chips. These support 2-FSK, fitting in with the findings in part 1. This is nice – I have worked with other systems using two or even three different RF frontends, and it makes things much more complex. We are also quite lucky – the CC11xx chips are very capable of frequency hopping spread spectrum at a high rate. We’re also lucky these aren’t the SoC versions as these have an AES encryption engine which makes strong encryption almost trivial.

Like Adam, I’d rather avoid RF. Luckily, the interface between the CC1101 and CC1150 is by SPI – I can simply sniff the connection between the RF daughterboard and microprocessor to see both the configuration and data. This is a privilege you don’t have if the CC1110 SoC is used – the transceiver and microprocessor are integrated with no easy way to access the config.

Next time, I will look at sniffing the SPI traffic between the microprocessors and RF boards.

After Adam’s recent post on reverse engineering a wireless doorbell, I thought I would take you through a similar process, but with a different system.

This is a Response SL2 wireless burglar alarm system, purchased from Amazon in late 2011. They seem fairly popular and well-reviewed.

We start our research without even touching the alarm, by using google. Their product page:

Operates on the 868MHz frequency with 20 Bit ID code and 1 million unique codes for added security

 So we already have a hint to where to look in the spectrum. Interesting how they say both “20 Bit ID code” and “1 million unique codes” – it is redundant information, but “20 Bit” sounds technical, so they probably add it for impact.

Notice that a number of keywords haven’t been used here:

• Narrowband
• FHSS
• Spread spectrum
• Rolling code
• KeeLoq
• Encrypted
• Bi-directional

It’s likely that if the alarm used any of these, they would be making it known.

(As an aside, Friedland did initially tell me the SL series of alarms used rolling code – being a bit free and loose with specs seems to be common in the alarm world…)

Let’s start off looking at this as if we couldn’t access any of the components. I’ll use my RF Explorer spectrum analyser to take a look at what is going on. The RF Explorer can be used standalone, but if you are next to a PC, the Windows client is really great and much quicker to use.

I start by tuning it to 868MHz with a span of 5MHz. This will be wide enough to receive the transmission if it uses spread spectrum, multiple channels, or if the frequency is out. I trigger the alarm, and as you can see I end up with a broad peak at around 868.3MHz. Let’s go in further.

Now I can see that I have two peaks, spaced about 100kHz apart. From this static image, you can’t clearly see what is happening over time – is this 2-FSK modulation (where data is encoded as two frequencies), or is it AM on two frequencies (rubbish frequency hopping spread spectrum)? The RF Explorer can’t really tell me – so it’s about time I whipped out my software defined radio…

Why did I start with the RF Explorer? The amplitude measurements are far more accurate and it can show me a much wider range (600MHz) of spectrum all in one go.

This is a TV tuner dongle. Some rather clever people worked out that it has a wideband RF frontend and can be tuned from about 25MHz to about 1750MHz, presenting us with a ~2.8Mbps baseband signal to work with. It is essentially the same as the FunCube used by Adam, but a lot cheaper. It does have some quirks and limitations though – it can be very deaf in certain areas and you see spurious signals due to the super-heterodyne design of the receiver.

I can now see the signal from the alarm in a piece of software called SDR# – this not only shows me a spectrum analyser view (amplitude vs frequency), but also a waterfall diagram (frequency vs time). I can see that the two peaks are nearly continuous – I am likely dealing with 2-FSK modulation.

I can record the baseband signal and look at it in an audio editor as well:

This clearly looks like data now.

At this moment, I have several options:

• Use gnuradio to build a software receiver for 2-FSK. I will still be none the wiser to the protocol, and it will be receive only.
• Crack open the alarm and take a further look…

Part two will show how I opened the alarm and started to work out what the system was doing….