# Reverse-Engineering a (Home) Alarm System (also a stun gun update)

Don’t trust things you don’t understand, indeed: guy gets a house with a pre-installed alarm system and goes through figuring out how it works. (Sadly his eventual plan is to control it from a smartphone. I guess if it works for his threat model.)

Granted, this is a pretty simple alarm system. But being able to disassemble your own security systems is more important from a defensive view anyway.

Killing electronics update:

Did some quick tests this morning with a signal generator standing in for the stun gun (to avoid killing my ‘scope). For a signal applied to a somewhat conductive volume, dV/dx (the voltage measured by sticking two points into that volume somewhere between the signal-source electrodes) varies heavily by position. The closer you get to the source electrodes, the higher the voltage drop between the measurement electrodes. (This jives with the math*, more or less).

With the scope probes very near one of the signal generator probes, I saw a signal that was ~80-90% (Vp-p) of the original signal generator output. This suggests that the stun gun may still be able to create high voltage potentials in the target devices. That in turn means it may be able to cause oxide punchthrough failures (which appear to be cause more by overvoltage) even if the components and geometry surrounding a target chip prevent enough current from reaching it to fry the internal lines.

* according to the Internets’ solution of the Possion equation, seen two dimensionally, V(x,y) = c\, \left( ln(\sqrt{(x-x_1)^2+(y-y_1)^2}) –
ln(\sqrt{(x-x_2)^2+(y-y_2)^2})\right) where (x1,y1) and (x2,y2) are the positions of the signal generator / stun gun probes. http://www.math.union.edu/~dpvc/jsmath/jsMath-lab.html if you want to render the TeX.

http://sharpk60.blogspot.de/2012/07/reverse-engineering-my-home-security.html

“I found an installer’s manual online which helped a bit in deciphering things, but mostly I learned quite a bit from looking at the diagram on the inside of the control box (pictured below). It appears like all of the sensors are connected to the main control board via a screw terminal block

By inspecting what was wired and examining door frames for the tell-tale plastic circles that indicate a magnetic door sensor, I determined that I had 3 door sensors, a motion sensor, a panic button, and a siren.

I started off by checking the resistance of each zone loop with my multimeter. The motion sensor has to be powered so I supplied 12 volts to it and it worked like a charm. The panic button also worked. I hooked up 12 volts to the siren and it worked too.

When I tried the door sensors all of them registered as open circuits regardless of the position of the door. I started troubleshooting: I pulled one of the door sensor out of its whole and checked that it did indeed close the switch when a magnet was near, and I checked that all of the magnet and switches were close enough that the switch should trigger when the door was closed. After that I started pulling up carpet to find the wires that were run under the carpet, and eventually I determined that the wires were accidentally cut during installation of new carpet.

I tracked down all 4 of these wire breaks (that’s right, one of the door channels actually had two breaks in it) and fixed them, which involved prying up lots of carpet in my living room. But eventually I got all of the door sensors working again.

And the good news is that all of these sensors act as switches and should be easy to interface to my own security monitoring hardware. The only thing I haven’t reverse engineered yet is the DSC 1500RK keypad. I wasn’t able to find solid information on the serial protocol it uses, so I’ll leave that for later.”