Teardown: Impassa SCW9057G-433 Alarm System

This series of monthly teardowns was started in early 2018 as an experiment, and since you fine folks keep reading them, I keep making them. But in truth, finding a new and interesting gadget every month can sometimes be a chore. Which is why I’m always so thankful when a reader actually sends something in that they’d like to see taken apart, as it absolves me from having to make the decision myself. Of course it also means I can’t be blamed if you don’t like it, so keep that in mind as well.

Coming our way from the tropical paradise of Eastern Pennsylvania, this month’s subject is an ADT branded Impassa SCW9057G-433 alarm system that was apparently pulled off the wall when our kind patron was moving house. As you might have guessed from the model number, this unit uses 433 MHz to communicate with various sensors and devices throughout the home, and also includes a 3G cellular connection that allows it to contact the alarm monitoring service even if the phone line has been cut.

Diagram of Impassa home security setup
The alarm can connect to a wide array of 433 MHz devices.

From how many of these are on eBay, and the research I’ve done on some home alarm system forums, it appears that you can actually pick one of these up on the second-hand market and spin your own whole-house alarm system without going through a monitoring company like ADT. The extensive documentation from Impassa covers how to wire and configure the device, and as long as the system isn’t locked when you get it, it seems like wiping the configuration and starting from scratch isn’t a problem.

If it’s possible to put together your own homebrew alarm system with one of these units at the core, then it seems the least we can do is take it apart and see what kind of potentially modifiable goodies are waiting under that shiny plastic exterior.

Continue reading “Teardown: Impassa SCW9057G-433 Alarm System”

ESP8266 Adds WiFi To A 433 MHz Weather Station

There’s no shortage of cheap weather stations on the market that pull in data from several wireless sensors running in the 433 to 900 MHz range and present you with a slick little desktop display, but that’s usually where the flow of information stops. Looking to bridge the gap and bring all that local climate data onto the Internet, [Jonathan Diamond] decided to reverse engineer how his weather station worked.

The first phase of this project involved an RTL-SDR receiver, GNURadio, and a sprinkling of Python. [Jonathan] was able to lock onto the signal and piece together the data packets that reported variables such as temperature, wind speed, and rainfall. Each one of these was a small puzzle in itself, and in the end, there’s still a few bits which he hasn’t quite figured out. But he at least had enough to move onto the next step.

Tapping into the radio module.

Now at this point, he could have pulled the data right out of the air with his RTL-SDR. But looking to push his skills to the next level, [Jonathan] decided to open up the base station and isolate its receiver. Since he already decoded the packets on the RF side, he knew exactly what he was looking for with his oscilloscope and logic analyzer. Once he was tapped into the feed coming from the radio, the final step was writing some code for the ESP8266 that could listen on the line, interpret the data packets, and push the resulting variables out over the network.

In this case, [Jonathan] decided to funnel all the data into Weather Underground by way of the Personal Weather Station API. This not only let him view the data through their web interface and smartphone application, but brought their hyperlocal forecasting technology into the mix at no extra charge. If you’re not interested in sharing your info with the public, it would be a trivial matter to change the firmware so the data is published to a local MQTT broker, or whatever else floats your proverbial boat.

If you’re really lucky, your own weather station may already have an ESP8266 onboard and is dumping all its collected data to the serial port. But if not, projects like this one that break down how to reverse engineer a wireless signal can be a great source of inspiration and guidance should you decide to try and crack the code.

ESP32 Adds New Features To 1990s Home Alarm System

Given how fast technology is progressing, some consumer gadgets lend themselves to being replaced every few years. Mobile phones are a particularly good example of a device that you probably won’t want to hold onto for more than 4 years or so, with TVs not far behind them. On the other hand, something like a home alarm system can stay in the fight for decades. As long as it still goes off when somebody tries to pop a window, what more do you need?

Well if you’re like [Brett Laniosh], you might want the ability to arm the system and check its current status from your phone. But instead of getting a whole new system, he decided to upgrade his circa 1993 Gardiner Gardtec 800 alarm with an ESP32. As it so happens, the original panel has an expansion connector which he was able to tap into without making any modifications to the alarm itself. If you’ve got a similar panel, you might even be able to use his source code and circuit schematics to perform your own modification.

Optocouplers link the ESP and alarm panel.

Now we know what you’re thinking. Surely there’s a risk involved when trusting an ESP32 connected to the Internet with the ability to disarm your home alarm system. [Brett] has considered this, and made sure that the web server running on the microcontroller can only be accessed from the local network. If he does want to connect from beyond WiFi range, he does so through a VPN. In other words, his code is never directly exposed to the wilds of the Internet and is always hiding behind some kind of encryption.

The WiFi connection allows [Brett] to arm and disarm the alarm system remotely, check if it’s been triggered, and reset it if necessary, all from his smartphone. But he’s also added in a 433 MHz receiver so he can use simple handheld fobs to arm the system if he doesn’t want to go through the phone. Even if you dropped out the Internet connectivity, this alone is a pretty nice upgrade.

For those not afraid to take the more invasive route, you could potentially reverse engineer and reprogram your old alarm panel. Or you could even so the full DIY route and create your own low-cost alarm system using the ESP32 and off-the-shelf modules.

433 On A Stick

Cheap 433 MHz wireless switches are a tempting way to enter the world of home automation, but without dedicated hardware, they can be less easy to control from a PC. That’s the position [TheStaticTurtle] was in, so the solution was obvious. Build a USB 433 MHz transceiver.

At the computer end is a CH340 USB-to-serial chip and the familiar ATmega328 making this a compact copy of the Arduino. At the RF end are a pair of modules for transmit and receive, unexpectedly with separate antennas. This device is a second revision, after initial experiments with a single antenna connector and an RF switch proved not to work. On the software side the Arduino uses the rc-switch library, while on the PC side there’s a Python library to make sense of it all. The code and hardware files are all on GitHub, should you wish to experiment.

The problem of making a single antenna transceiver is not for the faint-hearted RF engineer, as while diode switches seem on paper to deliver the goods, they can be extremely difficult to get right and preserve linearity. We’re curious that a transceiver module wasn’t used instead, but we’re guessing that cost played a significant part in the equation.

Over the years we’ve featured quite a few fascinating 433 MHz projects, like this TP-Link router conversion.

DIY ESP32 Alarm System Leverages 433 MHz Sensors

There’s a huge market for 433 MHz alarm system hardware out there, from PIR motion detectors to door and window sensors. If you want to put them to work, all you need is a receiver, a network-enabled microcontroller, and some code. In his latest video, [Aaron Christophel] shows how easy it can be.

In essence, you connect a common 433 MHz receiver module to an ESP32 or ESP8266 microcontroller, and have it wait until a specific device squawks out. From there, the code on the ESP can fire off using whatever API works for your purposes. In this case [Aaron] is using the Telegram API to send out messages that will pop up with a notification on his phone when a door or window is opened. But you could just as easily use something like MQTT, or if you want to go old-school, have it toggle a relay hooked up to a loud siren.

Even if you aren’t looking to make your own makeshift alarm system, the code and video after the break are a great example to follow if you want to get started with 433 MHz hardware. Specifically, [Aaron] walks the viewer through the process of scanning for new 433 MHz devices and adding their unique IDs to the list the code will listen out for. If you ever wondered how quickly you could get up and running with this stuff, now you’ve got your answer.

In the past we’ve seen the Raspberry Pi fill in as an RF to WiFi gateway for these type of sensors, as well as projects that pulled them all together into a complete home automation system on the cheap.

Continue reading “DIY ESP32 Alarm System Leverages 433 MHz Sensors”

HoloLens Brings Video Game Kart Racing To Life

There aren’t a lot of video game experiences we can easily recreate in the physical realm. You’ll quickly find that jumping on mushrooms in the real world doesn’t have nearly the same appeal as it does in Super Mario, and we won’t even get into the dangers of trying to recreate Frogger on your local multi-lane. But video game style go-kart racing? We have all the technology to pull that off, somebody just has to put all the pieces together.

Which is precisely what [Ian Charnas] is trying to do with his latest project. Using Microsoft’s HoloLens augmented reality headset, electric go-karts, 433 MHz wireless transceivers, and some Arduinos sprinkled in, he’s created the closest thing to Mario Kart that us flesh and blood mortals are likely to experience anytime soon.

The HoloLens headset worn by each driver overlays the necessary graphical elements like pickups and weapon effects, as well as puts over-the-top cartoon heads on the other racers. But of course, that’s only half of the story. Seeing the pickups and gadgets doesn’t do you any good if they don’t have any effect on the actual race.

To that end, [Ian] has come up with a way to control the performance of the go-karts using an electronic “backpack” that mounts to each kart. So speed boosting pickups actually make the kart go faster, and if a driver gets hit with a weapon fired at them, they get slowed down.

That’s the high-level version, anyway. There’s obviously a lot going on behind the scenes, some of which are detailed on the Hackaday.io page. One of the interesting notes is that the HoloLens needs visual markers to orient itself, which in the video after the break can be seen as black and white posters dotting the walls alongside the track. As the project progresses, [Ian] is hoping that these can be camouflaged in creative ways (such as being made to look like audience members or checkered flags) to make the overall experience more immersive.

According to [Ian], the next step is to find partners who want to help elevate this from a one-off project to something that you might actually see at an amusement park. We wish him luck, if for no other reason than we really want to play the thing ourselves. In the meantime, we’ll have to settle for racing hacked Power Wheels.

Continue reading “HoloLens Brings Video Game Kart Racing To Life”

Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised

It seems a bit unfair to pile on a product that has already been roundly criticized for its security vulnerabilities. But when that product is a device that is ostensibly deployed to keep one’s family and belongings safe, it’s plenty fair. And when that device is an alarm system that can be defeated by a two-dollar wireless remote, it’s practically a responsibility.

The item in question is the SimpliSafe alarm system, a fully wireless, install-it-yourself system available online and from various big-box retailers. We’ve covered the system’s deeply flawed security model before, whereby SDRs can be used to execute a low-effort replay attack. As simple as that exploit is, it looks positively elegant next to¬†[LockPickingLawyer]’s brute-force attack, which uses a $2 RF remote as a jammer for the 433-MHz wireless signal between sensors and the base unit.

With the remote in close proximity to the system, he demonstrates how easy it would be to open a door or window and enter a property guarded by SimpliSafe without leaving a trace. Yes, a little remote probably won’t jam the system from a distance, but a cheap programmable dual-band transceiver like those offered by Baofeng would certainly do the trick. Not being a licensed amateur operator, [LockPickingLawyer] didn’t test this, but we doubt thieves would have the respect for the law that an officer of the court does.

The bottom line with alarm systems is that you get what you pay for, or sadly, significantly less. Hats off to [LockPickingLawyer] for demonstrating this vulnerability, and for his many other lockpicking videos, which are well worth watching.

Continue reading “Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised”