Author Topic: Reverse engineering an old (late 80s) wireless alarm sensor IC  (Read 1045 times)


Offline elidcoif

  • Newbie
  • Posts: 3
  • Country: 00
  • Computer Engineer
Reverse engineering an old (late 80s) wireless alarm sensor IC
« on: November 30, 2021, 11:05:21 pm »
Hello everyone,

I've recently come into possession of an old home security system, the ITI SX-V. For those interested here is the user manual and here is the installation manual, but in a nutshell it's a completely wireless alarm system from the late 80s, made in the USA, operating at 319.5 MHz. I think it's extremely interesting and well-made, and I'm currently working on reverse engineering the whole system (in a general sense, not exclusively at the electronics level) for my own fun, including the RF protocol, RAM contents, etc.

I'm here to ask you for some help analyzing the door/window sensors. Here is the top view of the PCB. I have attached more high resolution pictures, including the bottom view, at the end of this post.



The main problem is that the sensors use a custom (?) IC and I can find no information about it online. The part number printed on it, I.T.I. 15-165 9503, leads nowhere. Ideally, I would like to learn how to program it, since programming can only be done using a custom programmer, which I don't have. My hope is that it's actually a rebranded non-proprietary IC, so I can find a datasheet with more information, but I have little knowledge in this field (I'm a computer engineer, not an electronics engineer) and I'm not sure where to look. I couldn't find anything similar on Google, Digikey and Mouser.

It would be very helpful if any of you happens to know more about this kind of sensor or IC, recognizes it as a rebranded part, or just has an idea about how it could communicate with a programmer. I'm also very open to suggestions about what to test in order to find out more.

Here is basically everything I know about it and how it works:
  • It has two reed switches (one on the left and one on the top side) to detect door opening and closing, a screw terminal (on the right) for optional external switches, and a tamper switch (to the left of the IC)
  • It is programmed using a custom programmer (here is one I found on eBay) through the 5-pin connector at the center. The three parameters you can program are: house code (8 bits), sensor number (6 bits), sensor type
  • It only has volatile RAM. If battery runs out, it must be reprogrammed. This is why I care about how to program it
  • It sends periodic "supervisory signals" (once every 69 minutes) to the central unit reporting that it's still alive
  • It's transmit-only, no RX. Since it does not receive any "ack"/confirmation from the central unit, each transmission is repeated multiple times (4x for closing, 8x for opening/tamper, 2x for supervisory signals) in order to avoid collisions and increase success probability
  • The RF signal uses OOK with return-to-zero encoding
  • Transmissions (only) include: house code, sensor number and sensor status (open/close, tamper switch status)
And here is the (very little) pin information I was able to obtain by probing, in case it can help (I numbered pins counterclockwise starting from the top left):
  • Pin 2 outputs a low-frequency version of the transmitted signal
  • Pin 4 is GND
  • Pin 5 outputs the sensor status (open = high, closed = low)
  • Pin 6 seems to be connected with the oscillator
  • Pin 8 is VCC
Thank you!
« Last Edit: November 30, 2021, 11:17:36 pm by elidcoif »
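The receive-side behaviour elidcoif lists above (a supervisory frame every 69 minutes, 2x/4x/8x retransmissions, 8-bit house code, 6-bit sensor number, and frames that carry nothing beyond house code, sensor number and status) is all a panel has to work with, since the sensors are transmit-only and never see an ack. As an added example that is not from the thread, from ITI or from the SX-V firmware, here is a small panel-side monitor that collapses a sensor's own retransmissions into one event and flags enrolled sensors that have gone silent; the 2-second repeat window, the 1.5x grace factor, the `Frame` layout and all the traffic in `demo()` are assumptions constructed for the demo.

```python
from dataclasses import dataclass

SUPERVISORY_INTERVAL_S = 69 * 60   # stated in the post: one supervisory frame every 69 minutes
REPEAT_WINDOW_S = 2.0              # assumption: a sensor's 2x/4x/8x repeats all arrive within 2 s
KINDS = {"open", "close", "tamper", "supervisory"}

@dataclass(frozen=True)
class Frame:                       # hypothetical decoded frame; field widths are from the post
    t: float      # receive time in seconds
    house: int    # 8-bit house code
    sensor: int   # 6-bit sensor number
    kind: str     # decoded status

def frame_is_valid(f: Frame) -> bool:
    """Reject anything outside the stated field widths (8-bit house, 6-bit sensor)."""
    return 0 <= f.house <= 0xFF and 0 <= f.sensor <= 0x3F and f.kind in KINDS

class PanelMonitor:
    def __init__(self, house: int, sensors: list[int], start: float, grace: float = 1.5):
        self.house = house
        self.grace = grace                       # tolerated silence, as a multiple of 69 min
        self.last_seen: dict[int, float] = {s: start for s in sensors}
        self.last_frame: dict[tuple[int, str], float] = {}

    def receive(self, f: Frame) -> str:
        if not frame_is_valid(f):
            return "invalid"
        if f.house != self.house:
            return "other-house"   # another system on the same 319.5 MHz channel
        if f.sensor not in self.last_seen:
            return "unenrolled"    # right house code, but never programmed into this panel
        self.last_seen[f.sensor] = f.t           # any valid frame counts as proof of life
        key = (f.sensor, f.kind)
        prev = self.last_frame.get(key)
        self.last_frame[key] = f.t
        if prev is not None and f.t - prev < REPEAT_WINDOW_S:
            return "duplicate"     # one of the sensor's own retransmissions, not a new event
        return "event"

    def missing_supervision(self, now: float) -> list[int]:
        """Sensors silent longer than grace * 69 min: dead battery, out of range or jammed."""
        limit = self.grace * SUPERVISORY_INTERVAL_S
        return sorted(s for s, t in self.last_seen.items() if now - t > limit)

def demo() -> tuple[int, int, list[int]]:
    """Constructed traffic: sensor 1 opens (8 repeats) and closes (4); sensor 2 only supervises (2)."""
    m = PanelMonitor(house=0xA5, sensors=[1, 2], start=0.0)
    frames = [Frame(10.0 + i * 0.1, 0xA5, 1, "open") for i in range(8)]
    frames += [Frame(20.0 + i * 0.1, 0xA5, 1, "close") for i in range(4)]
    frames += [Frame(100.0 + i * 0.1, 0xA5, 2, "supervisory") for i in range(2)]
    results = [m.receive(f) for f in frames]
    return results.count("event"), results.count("duplicate"), m.missing_supervision(now=6300.0)
```

Because the frames carry no authentication field, the silence check is the only signal the panel gets that a sensor has stopped talking; a `missing_supervision` hit is the condition to alarm on, not merely log.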
 

Offline DC1MC

  • Super Contributor
  • ***
  • Posts: 1488
  • Country: de
Re: Reverse engineering an old (late 80s) wireless alarm sensor IC
« Reply #1 on: December 01, 2021, 03:37:23 am »
I'm calling dibs on ATtiny25/45/85  ;D
 

Offline floobydust

  • Super Contributor
  • ***
  • Posts: 5228
  • Country: ca
Re: Reverse engineering an old (late 80s) wireless alarm sensor IC
« Reply #2 on: December 01, 2021, 04:11:56 am »
It is likely a pre-programmed microcontroller. The board's LP xtal is on pins 6,7, which rules out some MCUs; for example, the Microchip 12C508 uses pins 2,3 for the LP xtal, and it has EEPROM. The ATtiny uses pins 2,3 as well.
I would check the pinout of DIP-8 MCUs versus the schematic of the transmitter board. I thought ITT did have their own custom silicon. Another similar transmitter is Ademco and maybe DSC; one of which might have bought ITT's security division.
 

Offline DC1MC

  • Super Contributor
  • ***
  • Posts: 1488
  • Country: de
Re: Reverse engineering an old (late 80s) wireless alarm sensor IC
« Reply #3 on: December 01, 2021, 04:32:43 am »
It is likely a pre-programmed microcontroller. The board's LP xtal is on pins 6,7, which rules out some MCUs; for example, the Microchip 12C508 uses pins 2,3 for the LP xtal, and it has EEPROM. The ATtiny uses pins 2,3 as well.
I would check the pinout of DIP-8 MCUs versus the schematic of the transmitter board. I thought ITT did have their own custom silicon. Another similar transmitter is Ademco and maybe DSC; one of which might have bought ITT's security division.

There is no ITT here, but ITI (Interlogix), and they will never ever release anything about their custom IC  :scared:, which I claim (without proof  >:D) can in this particular case be drop-in replaced with an ATtiny.
 

Offline elidcoif

  • Newbie
  • Posts: 3
  • Country: 00
  • Computer Engineer
Re: Reverse engineering an old (late 80s) wireless alarm sensor IC
« Reply #4 on: December 01, 2021, 01:13:07 pm »
Thanks for your answers. The ATtiny sounds a bit too recent for this sensor, but the pin layout actually checks out. I have a TL8266-based programmer; I may set it to ATtiny and give it a try.
 

Offline elidcoif

  • Newbie
  • Posts: 3
  • Country: 00
  • Computer Engineer
Re: Reverse engineering an old (late 80s) wireless alarm sensor IC
« Reply #5 on: December 05, 2021, 07:26:41 pm »
Update. Unfortunately trying to read the IC as an ATtiny yielded no results. The programmer wasn't even able to get the CHIP-ID.

However, after desoldering it from the board I noticed that it also has some codes underneath!



The long one doesn't ring a bell for me, but it may still be useful. Number 9503 that also appears on the top side looks very much like a date code: 1995 something.

Finally, I decided to take a look at a wireless keypad, part of the same alarm system. Its board has a very similar layout to the sensor, but it uses a different IC.



It looks like another custom one (it has an ITI part number) but it also has a manufacturer logo which I wasn't able to identify. It may be the same as the one from the sensor chip. Does anybody have any idea?

 

Offline DC1MC

  • Super Contributor
  • ***
  • Posts: 1488
  • Country: de
Re: Reverse engineering an old (late 80s) wireless alarm sensor IC
« Reply #6 on: December 05, 2021, 08:23:38 pm »
From here on it depends on what you actually want to do:

- Keep the installed sensors / control panel as they are and reprogram them, then the best bet is to get the eBay programmer and a Saleae Logic Analyzer clone and try to reverse the programming protocol. It seems that there are a lot of installation/programming manuals online, so once you've got the programmer, program them and record the protocol, then put it in an Arduino and re-sell the programmer.

- Keep the sensors, but replace the chips with some compatible ATtiny, or similar, that can produce the same signal, to maintain the infrastructure in place but maybe modernize the control panel (remote access and stuff). In this situation you could do your own firmware and not care about the original chips, because in 30 years the company got sold so many times that I doubt the original documentation remained, and the protocol/procedure to program their stuff is the most guarded secret of these companies, to defend against cheap clones and burglars disabling them.

Best of luck,
DC1MC
 

Offline floobydust

  • Super Contributor
  • ***
  • Posts: 5228
  • Country: ca
Re: Reverse engineering an old (late 80s) wireless alarm sensor IC
« Reply #7 on: December 06, 2021, 01:51:44 am »
If you can reverse-engineer it, then you can do break-ins by spoofing a door-closed message while you bust it down. Or drive around and false-trigger people's home alarm systems.
Have to look at the packets it transmits, for encryption etc. Rolling code technology came out way after the 80's, I think.
 

