We have to admit that in the hardware hacking universe, there aren’t generally too many chances to hack elevators. Well, at least not opportunities that don’t also include the risk of incarceration. But fortune favors the bold, and when he found the remains of an elevator control panel in an abandoned Croatian resort hotel, [Davor Cihlar] undertook an extensive and instructive reverse-engineering of the panel.
The video below highlights his efforts, which were considerable given the age and state of the panel. This is a relay-only control panel, after all, with most of the relays missing and a rat’s nest of wires connecting the sockets. So [Davor] put his “RevIng” concept to work. This uses a custom PCB with a microcontroller on-board that plugs into each relay socket and probes the connections between it and every other socket. Very clever stuff, and it presented him with the data needed to develop a ladder-logic diagram of the board, with the help of some custom software.
With the original logic in hand, [Davor] set about building a simulator for the panel. It’s a lovely piece of work, with buttons and lights to mimic the control panel inside the elevator car, as well as the call stations that would have graced each lobby of the hotel. Interestingly, he found logic that prevented the elevator from being called to some floors from anywhere but inside the car. The reason remains a mystery, but we suppose that a hotel built by Penthouse publisher [Bob Guccione] would have plenty of secrets.
We love the supremely satisfying clickiness of this build, and the reverse engineering prowess on display, but we can’t find much practical use for something like this. Then again, DIY elevators are a thing.
Very clever. Not too useful, but very clever. Impressive tools he build to do the reverse engineering.
Have some elevator experience. The reason for the restriction is so you can tie in thing like card readers and keys to prevent after hours access, privately owned floors, etc. you can only call or send the car to floors through interfaces protected by those systems external to the controller. That prevents you from having to lock down every input. Picture this, you get in the car, swipe a badge that unlocks you to select your penthouse. No one else can select that floor.
When you push the call button in your penthouse, it is routed through the car so it looks like your floor was select via the badge interface in the car. That way you do not get locked in your penthouse if you lose the badge.
Or you could take the stairs, like poor people.
Makes perfect sense. Convert a relay system into ladder logic. That’s where ladder logic came from.
In college, one of the labs had a restricted elevator with key call buttons. It took the school years to discover all the hidden magnetic reed switches that bypassed the keys ….if you knew the secret spot to place your magnet.
hmm. I don’t follow. Why were there bypasses? Why did the school care to find them?
students installed them….to gain access.
If you want to know more about relay logic elevators (or just watch some SERIOUS relays do their thing) this video https://www.youtube.com/watch?v=_xjXdjj2m5Q and its follow-ups are probably the best out there.