Go Down

Topic: Need help hacking inner range concept 2000 house alarm system (Read 1 time) previous topic - next topic


Long story short
Bought House, no passwords.

Inner Range Concept 2000
I placed my arduino between the keypad and the motherboard. Reads voltages ok on either analog or digital but how do I turn that into something I can make sense of?


FYI, this is not a joke or scam and im willing to provide any evidence you require (such as a screenshot of it sitting on todays paper, bear in mind time zones cause im in Australia). I actually did buy a house 2 years ago with no codes for the alarm, I finally got around to doing something about it but I need help with the programing to decipher the voltages. Inner range said I can send it back to them to be reset but it must be sent to them by a licensed security alarm company. I can send it back and most likely will have to but this way is much cooler and allows a lot more play for home automation.


Ok, been fiddling and have found what I believe to be a value being generated by the arduino which is either 01011010 (91) or 10100101 (165). Im guessing the arduino is using this as some sort of known state. When I turn on the alarm but do not let it communicate with the keypad, I get a line of zero's from the keypad and another from the motherboard. One of them is always longer than the other which leads me to believe that they are the stop bits. Since, whilst not exactly a novice im still not an expert at this (intermediate at best), I will still need a lot of help. From the age of the alarm, im assuming serial communication with baud rate (9600).

What I think I need to do now is write some code to filter out the arduino signal and detect the stop bits. Next, find a way to read a byte and then detect the numbers I press on the keypad being passed to the motherboard. If you have any experience and would like some input on this, please feel free to jump in with some code or suggestions.

Notes: Whilst I do not know if the motherboard transmits the stored code to the keypad, I must assume that it does not and that the code typed into the keypad is transmitted to the motherboard for comparison. This means I will have to emulate the keypad and sequentially enter codes untill the correct one is found. The problem is that 3 tries and your out for 60s, a quick power off and back on may dispense with that but could risk damaging the board. What im expecting is that the keypad will identify its-self to the motherboard, the motherboard will acknowledge and then wait for a command from the keypad.

Objective: To emulate the keypad in order to auto hack the code by increment. 3 tries, 60sec timeout.


Currently stuck. Tried PulseIn() but its not accurate enough to return the true values being transmitted between the keypad and motherboard. When I try to map the pulse widths to 256, I keep getting ball park figures. Does anyone have any ideas?

Go Up

Please enter a valid email to subscribe

Confirm your email address

We need to confirm your email address.
To complete the subscription, please click the link in the email we just sent you.

Thank you for subscribing!

via Egeo 16
Torino, 10131