Reverse engineering a wireless burglar alarm, part 7

So, where were we? We’ve worked out how several components of the alarm use the CC1150 to send out signals, and now I want to emulate the signal and then play with it.

By far the easiest way to do this is to use the same CC1150 chip as in the authentic transmitters. I can be absolutely sure the 2-FSK modulation with ~50kHz deviation will be reproduced exactly. There are many other RF transmitter chips out there that can do this, but we know that these work and we already have the correct settings.

So, the first challenge is – where do I get a board with a CC1150 on it? Well, we have plenty of alarm sensors with neat little CC1150 daughterboards on them!

Door contact RF board

I chose a door contact as my victim – they are the cheapest and simplest sensors.

The daughterboard has an 8-pin interface, with a 0.1″ pitch pin header connecting the two. I need to desolder the board to use it. Desoldering pin headers is always a pain – you can’t desolder all 8 pins at a time. My technique now is:

  1. Chop the pin header along its length, separating the two boards. I have a nice pair of snips for this, but a Dremel with a cut-off wheel can do it if the snips don’t fit.
  2. Chop the plastic spacer away from the pins, leaving you with just half the pins stuck in the board.
  3. Desolder the pins one at a time.

The daughterboard

Now I have a small CC1150 board. I soldered a new pin header onto it, and a pin socket onto the rest of the door contact. This allows me to easily reconnect it to the door contact if I need to.

You’ll notice in the picture above that there is a small bridge wire. I desoldered and resoldered the CC1150 QLP package (just to see if I could) and burned a track in the process.


Testing testing 1-2

Now we need to drive this board using something. There are a plethora of options available to me:

  • An Arduino board
  • An mbed board
  • A Bus Pirate
  • A GoodFET
  • A CC1110 development board (this would skip using the CC1150 board, as it has a built-in transceiver)
  • One of the Ciseco CC11xx boards (again, this would skip the CC1150 board)
  • Any of the other development boards I have lying around…

I decided I would use an Arduino board – specifically the Seeeduino Mega.

Why the Arduino? In reality, I’ve stopped using the Arduino environment and now use AVRGCC, so this is really just a nice little AVR development platform.

It won out over the mbed as I have had SPI issues with the mbed before.

The Bus Pirate and GoodFET are very similar, but require a host PC. I would like this standalone.

It seemed silly to implement this on a CC1110 chip, and I have had problems in implementing proprietary encoding schemes on it before.

Why the Mega? I find myself often using the extra pins and RAM compared to the ATmega328P used in the Uno.

So, now I have an RF board and something to control it. Next, I need to connect the two and write some code!

Arduino misconceptions 6: a 9V battery is a good power source

This one has come up a lot recently on the Arduino subreddit and Electronics stackexchange – can I power my Arduino with a 9V battery?

The quick answer is yes, you can.

The long answer is yes, but only if your goal is to choose the most expensive and short-lived batteries possible.

9V PP3 battery (Ashley Pomeroy, Wikipedia)

I think the boards and documentation should have an explicit warning about 9V PP3s for this reason!

9V is not a good input voltage to produce 5V through a linear regulator

The first problem is how to reduce that 9V to 5V that the Arduino board can use. Most Arduino boards have an external voltage input, and a range of 7-12V is recommended. So 9V seems perfect.

The problem is that most Arduino boards use a linear regulator to drop that 9V to 5V. If you are drawing a mere 50mA, 0.2W is being burnt in this linear regulator while only 0.25W is being used by the Arduino itself. This is very inefficient!

To solve this, either another battery should be used, or a switch-mode regulator used – these are much, much more efficient.

Even worse is if you try to draw large currents – say 250mA – from the 9V source. The regulator needs to now burn 1W of power. It will fry in no time!

9V batteries are very low capacity

An alkaline 9V PP3 has a capacity of between 500 and 600mAh. This really isn’t very high – a typical alkaline AA battery will be at least 2000mAh.

Compare the following:

  • 6 series AA cells – 9V @2000mAh
  • 9V PP3 – 9V @500mAh

Granted, the AAs are bigger but the combined Ah rating is 4 times bigger.

This gets even worse if you look at rechargeable 9V batteries. A typical 9V PP3 NiMH battery has a capacity of less than 200mAh. This is so low it is hardly worth bothering with.

No matter how efficient the regulation is, these batteries are not going to last very long.

Ideal solution

First things first, you need to ditch that linear regulator. It is meant to regulate external voltages when power loss is not an issue.

Use one of the modern switching regulators like the LTC3525 – this can take an input voltage of between 1.0V and 5.5V and convert it to 3.3V or 5V as required. Bypass the linear regulator on the board.

Couple this new regulator with high capacity AA batteries. The LTC3525 is so versatile it can take one, two or three batteries and drain the last drop out of them.

AA batteries are common, cheap, and high capacity. There are excellent rechargeable batteries available as well. Please stop using the 9V PP3s!

Arduino misconceptions 5: you’ll wear out the flash memory

On the ATmega328P and most other Atmel microcontrollers, code is stored and executed in flash memory. Every time you “upload a sketch”, you are communicating with a small piece of code called the bootloader, which then programs the flash with your code.

Flash has a finite number of program/erase cycles – you can only write to it a certain number of times before bits will either be programmed incorrectly or become stuck at 1 or 0. With an ATmega328P, this will render the device unusable unless you invest a lot of time fiddling with the toolchain.

Now and then, someone will either ask “Will I wear out the chip?” or someone will admonish a newbie for so frequently programming the chip.

The reality of it is you are highly unlikely to wear out the flash memory on an Arduino.

Atmel specify 10,000 cycles. I don’t know the maths behind it, but it means they are highly confident that a large proportion of chips will reach this level.

If we put that in real terms – if you are a hugely dedicated hobbyist who spends 2 hours each weekday and 8 hours over the weekend on their Arduino, flashing it once every 5 minutes, you will get almost a year of use before the chip could fail.

For a much more reasonable use case of about 8 hours per week, flashing it every 15 minutes, you get 6 years of use.

For the <£5 that the chip costs, this seems entirely reasonable to me.

Further to this – take into consideration that 10,000 cycles is almost guaranteed. Many chips will get far higher than this. Dangerous Prototypes have a project called the “Flash Destroyer”, which has the sole purpose of performing program/erase cycles on an EEPROM to see how far it will go. A 1,000,000 cycle EEPROM got to 11,500,000 cycles before failure.

So that one year could become 10, and the 6 years become 60.

Arduino misconceptions 4: the Arduino is obsolete now the Raspberry Pi exists

There’s no doubt the Raspberry Pi is extremely popular, and has been in the media far more than the lowly Arduino. But many users, forums and reddit seem to think that the Raspberry Pi is going to make the Arduino obsolete – after all, why would you spend £30 on an Arduino when you could spend £30 on a Raspberry Pi?

The Raspberry Pi is amazing – it’s a powerful ARM board for not very much. It has design flaws – the power by USB being the main one – but it has found a place, mainly as a media server for geeks.

However, for those looking for an Arduino replacement, it has many downsides:

1. The GPIO pins are only 3.3V tolerant. This locks out vast numbers of 5V add-on boards and peripherals that can be used by the Arduino.

2. The GPIO pins can only sink/source very low levels of current. So you need to add drivers to get decent levels of current. The ATmega328P has much stronger drive levels.

3. The whole board is less tolerant of overload or mistreatment. The ATmega328P is actually a very hardy chip.

4. The hardware peripherals built-in are lacking – timers, ADCs, PWM, pin change interrupts and so on. It may have some of these, but if it does, they aren’t widely documented.

5. If I want to use the ATmega328P in my own project, I can build a clone board for £5. I can’t build a Raspberry Pi at all, even though my tools, soldering and assembly skills are very good.

6. I can run an Arduino-like board for months, even years, on a single AA battery with aggressive power saving. This is just not possible with a Raspberry Pi.

7. Linux is not a real-time OS (RTOS). This may not mean much to a lot of people, but interfacing to the real world can be a real pain when IO and interrupts are not serviced predictably.

Arduino misconceptions 3: it isn’t low power enough to be run from battery

People build their projects, then want to battery power them. Their solution is to use a large battery (e.g. a 12V lead acid), connected to the Arduino external power input. The battery lasts mere days, and they become frustrated and move on to processors perceived as low power, like the MSP430 and ARM Cortex M0 series.

What if I said you could run an ATmega328P, RF transceiver and sensors from AA batteries for months at a time? A lot of people just won’t believe it, thinking the ATmega328P is a dated, power hungry chip that needs an ugly wall wart for power.

So why are people struggling with battery power?

1. The standard Arduino board accepts an external power input of between 7-12V, which then passes through a delightfully named NCP1117ST50T3G low dropout linear regulator to get it down to 5V for the rest of the board. If you are using a 12V battery via this regulator, and drawing a measly 50mA, you end up burning 0.35W of power in the regulator and the Arduino only using 0.25W! That linear regulator is an evil thing.

2. Most Arduino boards run at 5V. The ATmega328P runs fine at 3.3V and even down to 1.8V. At 3.3V, the chip uses ~40% of the power, and at 1.8V, it uses ~10%. Massive gains! 1.8V can make interfacing to other systems a bit awkward, but 3.3V is generally fine.

3. Most Arduino boards run at 16MHz by default, but a lot of the time you don’t need to run that quickly. By dropping to the 1MHz internal oscillator, you reduce the power consumption 8 times. If you go further, you can use the 128kHz oscillator and the power consumption drops 70 times!

4. A lot of Arduino code uses delay() and never sleeps. The ATmega328P has a sleep mode which can easily use less than 10µA – if you use an external 32.768kHz watch crystal, you can get this down to fractions of a µA. Learn about these and use them.

Where do you find out all of this info? It’s at the end of the ATmega328P datasheet.

You can work around all of these – I thoroughly recommend reading JC Wippler’s posts on Jeelabs in his quest to reduce power consumption on Arduino-like boards.
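As an added worked example (mine, not code from the original posts), this C snippet puts numbers to points 1 and 4 above and to the 9V battery post earlier on the page: the power burnt in a linear regulator, and the average current of a node that sleeps between short bursts of activity. The 30mA / 10µA / every-30-seconds figures are constructed illustrations, not measurements from the posts.

```c
#include <stdio.h>

/* A linear regulator drops (vin - vout) across itself at the full load
   current, and that voltage times the current is burnt as heat. */
double linear_reg_loss_w(double vin_v, double vout_v, double load_a)
{
    return (vin_v - vout_v) * load_a;
}

/* Average current of a duty-cycled node that wakes for t_awake_s every
   period_s and sleeps for the rest of the period. */
double avg_current_ma(double i_awake_ma, double t_awake_s,
                      double i_sleep_ma, double period_s)
{
    double t_sleep_s = period_s - t_awake_s;
    return (i_awake_ma * t_awake_s + i_sleep_ma * t_sleep_s) / period_s;
}

/* Ideal run time: capacity divided by average draw, ignoring self-discharge
   and the fact that alkaline cells sag as they empty. */
double battery_days(double capacity_mah, double avg_ma)
{
    return capacity_mah / avg_ma / 24.0;
}

int main(void)
{
    /* The posts' own figures: 12V or 9V in, 5V out, 50mA load. */
    printf("12V->5V at 50mA: %.2f W lost in regulator, %.2f W used by board\n",
           linear_reg_loss_w(12.0, 5.0, 0.050), 5.0 * 0.050);
    printf("9V->5V at 250mA: %.2f W lost in regulator\n",
           linear_reg_loss_w(9.0, 5.0, 0.250));

    /* Constructed comparison: an always-on board drawing 50mA, versus a
       node that wakes for 100ms every 30s at 30mA and sleeps at 10uA. */
    double always_on_ma = 50.0;
    double duty_ma = avg_current_ma(30.0, 0.100, 0.010, 30.0);
    printf("always on: %.0f mA -> %.1f days on 2000mAh AAs\n",
           always_on_ma, battery_days(2000.0, always_on_ma));
    printf("sleeping:  %.3f mA -> %.0f days on 2000mAh AAs\n",
           duty_ma, battery_days(2000.0, duty_ma));
    return 0;
}
```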

Arduino misconceptions 2: Arduino is “slow”

For the second post about Arduino misconceptions, there is a common idea circulating that the Arduino is “slow”. Most frequently I hear this in the context of reacting to user input, dealing with multiple sensors, using LED or LCD displays, or acting as part of a control loop. People advise faster microcontrollers such as the ARM Cortex series.

Let’s look at the fundamentals here:

  • The ATmega328P on the Arduino boards runs at 16MHz – that’s 16 million cycles per second.
  • The ATmega328P instructions take between 1 and 3 clock cycles (with the exception of the subroutine related instructions which take 4 or 5). The average is somewhere between 1 and 2 for most compiled C code.
  • We can then infer that the ATmega328P can carry out at least 8 million instructions per second!
  • It’s hard to directly translate these instructions to lines of C code. What looks simple in C can take tens of instructions, and what looks complex can be done in one.
  • We can still say that the ATmega328P is going to tear through your code at a rate of knots, far faster than most people imagine.

So why do people say it is slow? I’d say the following reasons:

  • It is 16MHz, and most people’s PCs and phones operate in the 1GHz range, so it doesn’t sound like much. The ATmega328P is performing entirely different tasks though.
  • It is 8-bit, and most modern processors are 32 or 64 bit. This doesn’t have many implications for projects using the Arduino though (but will be related to my next misconception!)
  • The frequent use of delay() in Arduino code. delay() causes the processor to just churn – it can’t do anything else whilst it is running. So if you have 4 buttons which are meant to turn on 4 respective LEDs for 2s, the system becomes unresponsive if you use delay() for the 2s.
  • The frequent use of Serial.print() in most code for debugging or status reports. Arduino pre-1.0 used to block when sending data out using the serial port. That meant an 80 character string output at 9600bps (the default, for some reason) would take over 80ms, during which time the processor could do nothing else! Even now that it uses interrupts, strings still take a long time to output.
  • Slow digitalRead and digitalWrite – these two functions are orders of magnitude (~60 cycles) slower than direct port access (~1 cycle!). Heavy I/O can look slow or latent as a result.
  • Bad code – the Arduino is exceptionally easy to use without understanding any of the underlying concepts of microcontrollers. As a result, code is sometimes simply bad.

A faster microcontroller can mask some of these issues, but without understanding some key concepts (interrupt handling and well structured state machines), you are going to be up against the same wall again in no time.

That’s not to say that faster microcontrollers aren’t needed sometimes – anything with heavy number crunching needs something more – but for a lot of situations an Arduino is more than capable in the hands of a good developer.
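As an added example (mine, not code from the post), here is the four-buttons, four-LEDs case above done with a timer per channel instead of delay(). The state machine is plain C so it can be checked on a PC; the Arduino loop() that would call it, with an assumed pin assignment, is sketched in the trailing comment.

```c
#include <stdint.h>
#include <stdbool.h>

#define N_CHANNELS 4
#define HOLD_MS    2000UL

/* Per-channel timer state replaces the blocking delay(). */
static bool     led_active[N_CHANNELS];
static uint32_t led_started_ms[N_CHANNELS];

/* One non-blocking pass. now_ms is the millisecond tick (millis() on the
   board); bit i of buttons is set while button i is pressed. Returns a bitmask
   of LEDs that should be lit right now. It never waits, so other buttons are
   still seen while an LED is timing out. */
uint8_t service_buttons(uint32_t now_ms, uint8_t buttons)
{
    uint8_t leds = 0;
    for (int i = 0; i < N_CHANNELS; i++) {
        if (buttons & (1u << i)) {            /* a press (re)starts this 2s window */
            led_active[i] = true;
            led_started_ms[i] = now_ms;
        }
        /* Unsigned subtraction gives the right elapsed time even after the
           32-bit millisecond counter wraps (about every 49.7 days). */
        if (led_active[i] && (uint32_t)(now_ms - led_started_ms[i]) >= HOLD_MS)
            led_active[i] = false;
        if (led_active[i])
            leds |= (uint8_t)(1u << i);
    }
    return leds;
}

/* On the board the whole loop() would be the following (kept as a comment
   here because it needs the AVR registers). Assumed wiring: switches to
   ground on PD2..PD5 with internal pull-ups enabled, so they read active-low;
   LEDs on PB0..PB3, written with a direct port access rather than digitalWrite.

   void loop(void)
   {
       uint8_t pressed = (uint8_t)((~PIND >> 2) & 0x0F);
       PORTB = (uint8_t)((PORTB & 0xF0) | service_buttons(millis(), pressed));
   }
*/
```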

Arduino misconceptions 1: need to use external pull-up resistors

One of the first things you need to learn when interfacing switches to microcontrollers is the use of pull-up resistors. These ensure that the inputs to the microcontroller settle at either logic high or low when the switch is not made. They are fundamental, so fundamental that Atmel decided to build weak pull-up resistors into the ATmega328P used in the Arduino!

Simple pull-up resistor

Yet a lot of tutorials show external pull-up resistors being used with switches. There’s not really a problem with this – just that it is not required 99% of the time. It might be good to teach the concept, but I regularly see posts on forums where people have connected pull-ups incorrectly, causing them problems. I’ve even seen people confident enough to design a PCB, yet still fit multiple external pull-ups for interfacing to a keypad!

So how do you use the internal pull-ups? It is very simple – when the data direction register is set to input, write a high to the output port:

pinMode(pin, INPUT);
digitalWrite(pin, HIGH);

Or, if you have moved away from the Arduino libraries:

DDRx &= ~(1 << pin);
PORTx |= (1 << pin);

What’s the other 1% where these internal pull-ups won’t do? There are two situations:

  1. The switch requires a pull-down rather than pull-up – though this can generally be avoided
  2. You need a strong rather than weak pull-up – sometimes devices draw power from the pull-up, and the 20kOhm internal pull-up is too large.

So, simplify your circuits and remember this feature!