Hacking Ademco BiDirectional Protocol
I want to interface with my Ademco alarm system, and the easiest way to do it is to intercept the serial commands from the RF receive module to the main unit. Here's what a waveform looks like:
From the looks of it, every packet has the same duration, so each bit should represent the same unit of time. The first three transitions are the same for all packets, and the third transition is 2.5 bits long, so I assume that is a preamble. The rest of the data is in multiples of 420 us. I wrote a script to decode packets, and here's a dump of a random capture. Each line represents one message, like the one above...

Now I get to try to find some sort of pattern in the above mess, and hopefully the data is not encrypted, which I doubt it would be. If anyone has any ideas, please let me know!
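As an added example (this is not the author's own decoding script, which the post does not show), the framing observed above can be turned into a small decoder: check that the third preamble pulse is about 2.5 bit periods, then expand every following pulse into a whole number of 420 us bits. Two things are assumed here because the post does not state them: that the line code is plain NRZ (a pulse of n bit periods carries n identical bits), and that a width within 25% of a bit period of the ideal is acceptable. The capture below is constructed for illustration, with a little timing jitter added, not taken from the post's dump.

```python
# Added example, not the original author's script.
# Decode a logic-analyzer pulse capture of the framing described in the post:
#   * three preamble pulses, the third about 2.5 bit periods long;
#   * data pulses that are integer multiples of one 420 us bit period.
# Assumption (not stated on the page): plain NRZ, i.e. a pulse of n periods
# carries n copies of its level. If the real line code is Manchester or
# similar, decode_packet() still yields the raw chip stream, which can then
# be paired up by a second pass.
from typing import List, Tuple

Pulse = Tuple[int, float]       # (logic level, pulse width in microseconds)

BIT_US = 420.0                  # bit period measured in the post
PREAMBLE_PULSES = 3             # first three transitions are identical on every packet
PREAMBLE_LAST_BITS = 2.5        # the third preamble pulse is 2.5 bits long
TOLERANCE = 0.25                # assumed: accept +/-25% of a bit period around the ideal


def pulse_bits(width_us: float, bit_us: float = BIT_US, tol: float = TOLERANCE) -> int:
    """Number of bit periods a pulse spans; raise if it is not close to an
    integer multiple (glitch, wrong unit, or a line code this does not model)."""
    n = round(width_us / bit_us)
    if n < 1 or abs(width_us / bit_us - n) > tol:
        raise ValueError(f"pulse width {width_us} us is not a multiple of {bit_us} us")
    return n


def check_preamble(pulses: List[Pulse], bit_us: float = BIT_US, tol: float = TOLERANCE) -> bool:
    """True when the third pulse is about 2.5 bit periods, as observed in the post."""
    if len(pulses) < PREAMBLE_PULSES:
        return False
    return abs(pulses[2][1] / bit_us - PREAMBLE_LAST_BITS) <= tol


def decode_packet(pulses: List[Pulse], bit_us: float = BIT_US, tol: float = TOLERANCE) -> List[int]:
    """Strip the preamble and expand each data pulse into its bits (NRZ assumption)."""
    if not check_preamble(pulses, bit_us, tol):
        raise ValueError("no preamble found")
    bits: List[int] = []
    for level, width in pulses[PREAMBLE_PULSES:]:
        bits.extend([level] * pulse_bits(width, bit_us, tol))
    return bits


def bits_to_hex(bits: List[int]) -> str:
    """Pack bits MSB-first into bytes; a trailing partial byte is zero-padded."""
    padded = bits + [0] * (-len(bits) % 8)
    value = int("".join(map(str, padded)), 2) if padded else 0
    return value.to_bytes(len(padded) // 8, "big").hex()


def estimate_bit_period(data_pulses: List[Pulse], tol: float = TOLERANCE) -> float:
    """Estimate the bit period from a capture: the shortest pulse is taken as
    the unit and averaged with every pulse that is within tolerance of it.
    Useful for confirming the 420 us figure on a fresh capture."""
    widths = [w for _, w in data_pulses]
    unit = min(widths)
    cluster = [w for w in widths if abs(w / unit - 1.0) <= tol]
    return sum(cluster) / len(cluster)


def dump_lines(packets: List[List[Pulse]]) -> List[str]:
    """One line per message, in the spirit of the post's dump: hex plus bit count,
    or an error line when a packet does not fit the assumed framing."""
    out = []
    for pkt in packets:
        try:
            bits = decode_packet(pkt)
            out.append(f"{bits_to_hex(bits)} ({len(bits)} bits)")
        except ValueError as exc:
            out.append(f"error: {exc}")
    return out


# Constructed sample capture with a little jitter (not data from the post).
SAMPLE_PACKET: List[Pulse] = [
    (1, 425.0), (0, 415.0), (1, 1045.0),        # preamble; third pulse ~2.5 bits
    (0, 830.0), (1, 420.0), (0, 430.0), (1, 1290.0),
    (0, 410.0), (1, 420.0), (0, 850.0), (1, 415.0),
]
# Constructed glitch: a 630 us pulse is 1.5 bit periods, which the decoder rejects.
GLITCH_PACKET: List[Pulse] = SAMPLE_PACKET[:3] + [(0, 840.0), (1, 630.0)]

if __name__ == "__main__":
    print(f"estimated bit period: {estimate_bit_period(SAMPLE_PACKET[3:]):.1f} us")
    for line in dump_lines([SAMPLE_PACKET, GLITCH_PACKET]):
        print(line)
```

Feed it the (level, width) pairs exported from the Logic or USBee capture after level shifting; if `dump_lines` reports errors on most packets, the NRZ assumption or the 420 us unit is probably wrong, and `estimate_bit_period` on the data pulses is the first thing to check.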
Reza,
I’m trying to follow your steps here. How far did you get?
What transceiver did you use for sniffing 345 MHz? I haven't been able to find one yet.
Thanks,
I didn't get much past that and stopped playing with it. I'm not sure where the 345 MHz comes from; I didn't see anything that fast. I used an open-collector comparator to do my line level shifting from 12V to 3.3V, then used either my Logic or USBee to record the pattern, then transcoded it by hand into binary.
Thanks for the info. I assume that you were intercepting the wireless protocol. If you want information on the wired one, please send me an email; I have some that might help you.
In regards to your other project, the tricorder, I have been working on a similar but different one: it has an accelerometer, a single-channel EKG and BT. I'm curious about the Bluecore 6; it's HCI as far as I know. Did you develop the BT stack, or are you running UNIX on your MCU? I was working with the Philips BGB203, which had SPP integrated with an AT command set, but it got discontinued. I switched to the RN41 module instead.
For EKG, I'm using 3 leads with 3M foam electrodes, but I know that it's possible to do it without the ground reference, even with capacitive electrodes that work over clothing.
Email me if you are interested in conversing some more.
P
I’ve published on Circuit Cellar #201 an article titled “Reverse-Engineered ECP Bus”. In there I detailed some of the internals of Ademco’s shared bus. I have no idea if they use a similar communication over wireless connections, but you may want to have a look at it just in case.
@Philip
Philip PLEASE send me info on Ademco’s wired protocol. I have a Vista 21IP and need all the help I can get.