
Topic: hacking a dsc or ademco alarm keypad


Sorry I don't have any pictures, but I have a bunch of different model alarm keypads that I got from salvaging. Anyway, has anyone had any experience hacking these? I'm talking more about the protocol they talk with; I'm assuming some sort of serial, as the back of the keypad has 4 connections, r, b, y, g, which I would guess are +pwr, gnd, tx, rx.
I'm gonna figure it out eventually, but if someone's done it, it'd be nice to know it's possible or even worth it.


Have any luck with this? I am looking to replace my PC5010. It would be nice to make use of the existing keypads. I imagine that the keypads have some sort of encryption to prevent sniffing keypresses.


No, unfortunately. Seems it's a proprietary protocol, and while it can be somewhat deciphered, it's not reliable as it doesn't appear to be the same every time. I ended up just taking the parts out and am probably gonna use that case for something else for open source.


Probably just disconnect the controller from the keypad and go from there. In the end it's a simple matrix of switches going somewhere to get all buggered up and sent serially via proprietary BS to a controller.


Unfortunately, the one I happen to have 3 keypads of has an unknown 16-pin LCD screen that doesn't appear to be compatible with the LCD library, probably a different pinout, as when the supposed backlight pins are connected it shorts out the USB power.
Woulda been nice to have the screen at least : /


I would like this as well. I have found a thread on another site: http://www.diysecurityforum.com/index.php?topic=10480.0, discussing interfacing with an Ademco/Honeywell Keypad (Looks the same for DSC too), and they found the interface uses 4800 bps Serial. Anyone have an idea on how to do this with an Arduino?


I imagine you could just do Serial.begin(4800).
If you get any actual data on that, let us know. I took apart the keypads I got, but I get more every so often and would love to just hook up 4 wires and not have to touch the inside or rewire my own controller in the same space.


See also http://forum.arduino.cc/index.php?topic=200820.0 .


I've got a little experience on this which I can share, and a lot of experience with the Honeywell Galaxy range of alarm panels (through profession not malice), if anybody else fancies attempting this.

A bit of background...
Somewhere along the line Honeywell and Ademco became one, so some of the older Galaxy panels are branded Ademco, the newer ones Honeywell.  These panels are big news, you'll find them in many of the most security conscious installations within the last 20 years or so in various incarnations and software revisions, and yet somehow Honeywell very kindly kept the prices down enough to allow the average home owner to have a slice.  It has a couple of built in timers making it handy for heating controls, night lighting, etc, and it can do proximity setting, door access, and many other gimmicky things.

The system uses a 2-wire communication bus from its main panel.  Some main board variants allow alarm sensor connections at the panel, others are simply a hub and require that you connect expansion units which give inputs and outputs in order to receive information from alarm sensors. Each of these expansion units is given an address by rotary switch, and the range of expansions goes on to include remote keypads, comms modules, etc. all individually addressed up to the capacity of the panel variant.  There are several of these available on a well known auction site, just search for "Honeywell galaxy".  In fact ADT branded accessories for this system are sought after and fetch good money.

The easiest and official way to extract panel state and remotely control the system is to use Honeywell's software in conjunction with a serial or ethernet comms expansion module.  But that's too easy.

I haven't asked Honeywell for their official bus protocol, simply because I know what the answer will be, these are security systems after all.  I have one of these systems at home and since that means a 2 wire bus already hard wired around the house, it seemed like a good idea to piggyback on and use the same data stream or something superimposed to connect to a bunch of Unos around the house.  Either that, or design my own 'expansion module' using an Uno which would mimic Honeywell's official kit and perhaps open the system up to more outputs, or who knows what.  I'm led to believe that Honeywell will work 'alongside' developers if they can see a good profit in it.  I doubt they will ever join the open source collective (but hey Honeywell if you are reading, prove me wrong!)

The Galaxy bus is run alongside a 12v pair of wires, this is standard voltage for burglar alarms in this country, and will power an Uno through its raw pin.  The data stream itself maxes out well below 5 volts.  

Initially I was just looking for a way to get a notification to my phone on certain alarm events, and to provide feedback to the panel to rearm, reset, etc etc, while in the long run it would be nice to have a way of adding for example a repeater LCD display instead of a full remote keypad.  This was either to be by using an ethernet shield and having my phone call up a webpage over the net, alternatively to send serial information into a windows app on a nearby PC which I'd then VNC into over the web.

I experimented with both ideas and eventually had very poor reliability with the ethernet shield, randomly losing response on the LAN, and not being able to do much other processing onboard with the Uno's limited memory being consumed in one big gulp by the ethernet code.  In the end I opted to use an Uno to translate the alarm panel's output states into a serial chunk which it would then pass on to the windows app to be turned into pretty pop up boxes.
I also included an email function which used SMTP to send an email straight to my phone, which would then prompt me to VNC in to the windows app and view the alarm system state.

The panel's standard outputs are easily programmed and offer a variety of events.  These are 12v outputs so I had to use a simple divider to make it max out at about 4v, suitable to drive an Uno input pin.  I designed a simple app in VB.NET, forwarded all web VNC to the nearby PC, and it worked perfectly.  Emails worked great on alarm events, I could follow my dogs around the house by viewing the PIR relay states, I could also connect remotely when leaving work and have the heating ready warmed up, the hallway lights on, and after hacking an old E-on power saver plug, I had the kettle boiled ready.  Although, I may have underestimated the relay ratings on that one, story for a rainy day.

Anyway I digress.  Having run this setup for a while my curiosity got the better of me and I yearned to know more about the Honeywell bus and its language, in order to design my own first 'expansion module' for the panel.  To start with I opted for the 'slave LCD' idea.  I could have simply hacked an official remote keypad and shaved off the key section, but that's too easy.  This curiosity led me to a well known search engine, and eventually here.

Here's what I've learnt so far, and I'll keep on hacking at it until I get thoroughly fed up and either crack the code or give up and go back to the tried and tested method.  I've only really looked into the stream to find LCD information but as it turns out that's fairly easy to sniff.

First step was to see if I could get any sense out of the bus at all, and whether it followed any recognised public domain protocols; for all I knew it could even be CAN bus.
I didn't want to risk destroying a decent laptop while working closely with 12v and with the potential to be sleepy one day and mix a power pair, sending 12v up my USB port.  So I selected a convenient poxy old Dell thing with WinXP and a handy DB9 serial port.
I wired a DB9 connector with a single pair for now since I only wanted to sniff.  I assumed, and still assume to this point, that one bus line is TX and the other is RX, with a common ground.  I used pin 2(RXin) and pin 5(GND) at the DB9.
I then loaded up the old trusty HyperTerminal, and messed about with a few port speeds while generally probing around the PCB on the remote keypad on my home alarm with the bare ends of the wires that connect to the DB9.

After much balancing and the odd swear word, I found that the LCD information is right there, clear as day, in plain text, on the "B" line on the bus.  And, it's clear to see at the commonly used 9600-8-N-1 port setting.  The "A" line does appear to give me some jargon ASCII back but having found what I need at the moment I'm not looking into that just yet.
It's not completely straightforward though.  The LCD text is wrapped in all sorts of hieroglyphics.  I guess this is other system information in some encrypted manner, and that brings me to this point today, and my search for clues.  It's opened the door for my custom LCD slave build, I've got a simple VB app thrown together at the moment which looks for the start and end of some known phrases and fires off an email on the result, which seems to work.

I'm sticking with this for now and I quite like the VNC idea, it means I don't have to concern myself with writing phone apps.  Next step is to translate all the VB code into a sketch so that an Uno can handle the sniffing and parse the strings out that I need, I'll connect a standard LCD in to that too and hey presto, unofficial LCD repeater for Ademco/Honeywell panels.  Of course my curiosity won't end there and I'll still need to investigate further to see what other useful stuffs I can do with the panel bus.

So this may or may not assist others in their hunt for the elusive Honeywell protocol, but I thought it worth sharing a bit of background and my experience so far.  Afternoon all
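
The text-extraction step described in the post above (readable display text sitting between non-printable bytes), as an added example that is not part of the original post and does not reproduce Honeywell's protocol. The sample bytes, the phrases, and the names feed_byte and count_matches are constructed for illustration; on an Uno, feed_byte would be called on each received serial byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_RUN 4   /* shorter printable runs are treated as noise */
#define MAX_RUN 32  /* assumed bound: two 16-character LCD lines */
typedef struct { char buf[MAX_RUN + 1]; size_t len; } run_t;

/* Feed one byte; returns 1 and fills out[] when a run of >= MIN_RUN printable chars ends. */
int feed_byte(run_t *r, uint8_t b, char out[MAX_RUN + 1]) {
    if (b >= 0x20 && b <= 0x7E) {
        if (r->len < MAX_RUN)   /* truncate overlong runs, never overflow */
            r->buf[r->len++] = (char)b;
        return 0;
    }
    int done = r->len >= MIN_RUN;
    if (done) {
        memcpy(out, r->buf, r->len);
        out[r->len] = '\0';
    }
    r->len = 0;                 /* any non-printable byte resets the run */
    return done;
}

/* Constructed sample, NOT a real capture; the lone 0x41 ('A') shows noise filtering. */
static const uint8_t SAMPLE[] = {
    0x11, 0x07, 0xA5, 'S','Y','S','T','E','M',' ','S','E','T', 0x00, 0xC3,
    0x41, 0x9F, 0x02, 'Z','O','N','E',' ','1','0','0','1',' ','O','P','E','N',
    0xFE, 0x0D
};

/* Count extracted runs containing phrase; last[] receives the latest match. */
int count_matches(const char *phrase, char last[MAX_RUN + 1]) {
    run_t r = { {0}, 0 };
    char text[MAX_RUN + 1];
    int hits = 0;
    last[0] = '\0';
    for (size_t i = 0; i < sizeof SAMPLE; i++)
        if (feed_byte(&r, SAMPLE[i], text) && strstr(text, phrase)) {
            strcpy(last, text);
            hits++;
        }
    return hits;
}

int main(void) {
    char s[MAX_RUN + 1];
    printf("%d match: %s\n", count_matches("OPEN", s), s);
    return 0;
}
```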


It's worth me adding, I don't work for Honeywell, but these panels are the nads.  If you're looking at home security and want to impress your mates with proximity fobs and night lights, it's well worth doing a bit of looking around on that well known auction site.
