This Blog is part of a Series! Check out the rest if you haven’t already:
- Home Security & I’m Back: A story about how I built my own security system and wrote some software for it.
- Alarm System Part 1: The Old Security System: What came with the house when I bought it, and an overview of the chips on the board and a deep dive into how the EEPROM works.
- Alarm System Part 2: System Teardown: Tearing out the EEPROM and socketing it for testing.
- Alarm System Part 3: Dumping the EEPROM
- Alarm System Part 4: The Keypad: What’s making this thing work?
- Alarm System Part 5: How to Hack a Home Security System: Getting in!
At this point, I’ve dumped the EEPROM off the panel, and discovered that there can be some data stored in the PIC Microcontroller on the panel as well. The datasheet for that is >300 pages, so I’m not planning on digging yet to see what I can find there.
While I wait for the replacement EEPROM chips to show up to replace the one I mangled, I decided to look around in the actual keypad. That has a speaker, a few LEDs as a display, and has to communicate somehow over serial back to the panel.
Only two items were really of interest on the front or back: a CSI 93C46LI 1K EEPROM, and a PIC 16C63A Microcontroller which apparently has built-in analog/digital functionality. Maybe to drive the on-board piezo speaker?
Before I got the sticker off of the microcontroller, I was hoping it was just a really long EEPROM, but it is not — on the flip side, it also has no capacity to store any data without constant power, so that helps.
My real quick review of the hex dump of the panel’s EEPROM didn’t show anything immediately obvious as to what it was. It may click later, I’m hoping. I’m making an assumption here that the PINs (installer and user) are stored on the panel side, in what we already dumped, or in that microcontroller’s EEPROM space. That would make sense; you wouldn’t want to store that sort of security data “client side” where the keypad is, right? RIGHT?
Well, I’m not sure what the answer is to that — but to find out, I need to pull off this EEPROM and socket that, and then read what’s on it. Oddly enough, the microcontroller IS socketed, so that’s cool if I need to yank that later.
To prepare, I decided I’d source the EEPROM chip first. Every single damn place, it was obsolete and not for sale anymore. I did manage to find it in a few places, like “electrical.com” which I’m still pissed made me enter my entire card number to even calculate shipping.
And when I did see the shipping, I really started to question if I really needed it. Maybe…
Damn it eBay.
Eventually, I found a source that sold a 2-pack, from CANADA with shipping for $8.44 USD out the door. I ordered it.