Tuesday, July 03, 2012

Reverse Engineering my Home Security System

I've been reverse engineering the security system that came installed with my house.  My ultimate goal is to re-use some of the sensors for my own home automation project while bypassing the old control board.

A bit of theory

The system works by monitoring multiple "zones" (up to 6 for the system in my house).  Each zone is really just a digital input that has a switch wired to it that can be open or closed. The control board can be configured on what state constitutes an alarm (for instance, a closed switch on Zone 1 means that the front door is open).  There is a bit more optional complexity that can be added to each zone as well.

The first complexity is that multiple sensors can be added in the loop that the controller monitors.  A good example of this is that you could put several monitored windows one a single zone by wiring the switches in series with one another in such a way that if any of them opened then the whole circuit would open; this would be like wiring the window states into an logical OR gate.  Note that this would also work even if the window switches were normally open (NO) switches, but in that case you would wire the sensors in parallel, such that normally the whole loop would be open but when a window opened one of the switches would close and the controller could detect that state.
Control loop for multiple Normally Closed (NC) sensors 

Control loop for  multiple Normally Open (NO) sensors

Another complexity is that you can use what are called end of line (EOL) resistors in the zone loops.  The idea of these resistors is to provide a third state to the loop besides open or short circuit.  By having a third value on the loop and using that as the nominal value you can detect when a fault condition occurs (either short circuit or open circuit).  The controller can be configured to handle EOL resistors (whether to use 2 or 3 states for a given loop).  In the example below the zone loop should normally read a resistance of R, but when one of the sensors opens then it should read an open circuit.  If the loop reads as shorted then we know that something is wrong with the loop.

Control loop for NC sensors with EOL resistor

Typically all of these sensors will be hard-wired from where the thing they are monitoring actually is.  For instance, if you might have a magnetic reed switch embedded in your front door frame which is wired back to your central control box.  Depending on how the sensor was installed, the wires will be run through the walls, under carpeting, or under the base boards against the wall.

Deciphering my system

My security system is a DSC PC1550 with a DSC 1500RK keypad.  I found an installer's manual online which helped a bit in deciphering things, but mostly I learned quite a bit from looking at the diagram on the inside of the control box (pictured below).  It appears like all of the sensors are connected to the main control board via a screw terminal block

By inspecting what was wired and examining door frames for the tell-tale plastic circles that indicate a magnetic door sensor, I determined that I had 3 door sensors, a motion sensor, a panic button, and a siren.

I started off by checking the resistance of each zone loop with my multimeter.  The motion sensor has to be powered so I supplied 12 volts to it and it worked like a charm.  The panic button also worked.  I hooked up 12 volts to the siren and it worked too.

When I tried the door sensors all of them registered as open circuits regardless of the position of the door.  I started troubleshooting: I pulled  one of the door sensor out of its whole and checked that it did indeed close the switch when a magnet was near, and I checked that all of the magnet and switches were close enough that the switch should trigger when the door was closed.  After that I started pulling up carpet to find the wires that were run under the carpet, and eventually I determined that the wires were accidentally cut during installation of new carpet.

I tracked down all 4 of these wire breaks (that's right, one of the door channels actually had two breaks in it) and fixed them, which involved prying up lots of carpet in my living room.  But eventually I got all of the door sensors working again.

And the good news is that all of these sensors act as switches and should be easy to interface to my own security monitoring hardware.  The only thing I haven't reverse engineered yet is the DSC 1500RK keypad.  I wasn't able to find solid information on the serial protocol it uses, so I'll leave that for later.  My plan is to eventually have my entire house controlled via my smart phone, so I don't care that much if the wall-mounted keypad works or not.

The diagram on the inside of my security control box

3 comments:

DanielDK said...

you might get som einsight from skullkey who got an arduino listening into the DSC keypad bus at

http://www.house4hack.co.za/dsc-keybus-talk

Ken Sharp said...

Thanks for the tip! I'll take a look.

A Secure Life said...

Very interesting Ken, thanks for taking the time to look into how the home security system works! Great post, thanks again for sharing!