Tag Archives: electronics

Scantronic 9651 Cracked – Part 1: Getting started

The Scantronic alarm panel + keypad I mentioned in my previous post have now arrived! I have hooked up power and a backup battery and the kit seems to work great – right away I got down to investigating the mysteries of the keypad protocol that I introduced in my last post on this topic.

The Control Unit - The brains of the operation

So there it is, the main control unit of the Scantronic 9651.  Right now I’m not exactly powering it up correctly; in an effort to avoid killing myself I’ve opted not to use the inbuilt magnetic transformer (240 VAC to 20 VAC – yes VAC again – the base unit does run on AC).  I have decided to use my bench power supply combined with a 2.4Ah sealed lead-acid battery to power the panel for now, and it seems to work fine despite the “MAINS FAIL” messages displayed occasionally (not surprising, given that nothing is connected to the panel’s AC input for it to monitor).

My initial test setup - My initial setup for testing the panel

As you can see above, my initial testing of the panel involves my handy little DSO Nano.  This is an excellent little device (actually one of the earlier versions of the now numerous handheld digital oscilloscopes produced by Seeed Studio) and it allows me to see the digital waveforms produced by the panel and the keypad in real time, as well as recording the waveforms for viewing later on a PC or Mac.

DSO Nano Oscilloscope - Showing a waveform of the actual signals produced by the panel and keypad (this is actually the DATA pin).

I started by recording some of the frequently occurring signals produced on the “DATA” line and trying to decipher them.  It looks to me like a PWM (Pulse Width Modulation) waveform, for which the clock will, presumably, be provided on the “CLK” pin.

Right there I start to get a bit stumped – the DSO I have only lets me display one channel (i.e. one waveform) at a time, and I need both the clock and the PWM signal to start to really understand what is going on.  Basically – I’m looking for a logic analyser.  These are cool little devices that let you analyse which lines of a logical system are high or low (1 or 0) and record them, show them alongside one another, track their changes and much more.  The proper lab-based ones are, as always with proper lab-based things, expensive.  The knock-off USB-based ones are cheap, but the software looks terrible.  I need to chat to some people that know about these things before I can make a purchase and not run the risk of buying something completely and utterly pants or wasting my money on some 50 kilogram box of bolts from a 1990s electronics lab.
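Once both channels are captured, the decoding itself is the easy part. The following is an added example (not code from the original post and nothing to do with Cooper’s actual protocol): given two sample arrays from a logic analyser, one for CLK and one for DATA, it latches DATA on every rising clock edge and packs the bits into bytes, and it also measures the run lengths on the DATA line so you can check whether the pulses really fall into two distinct widths, as a PWM coding would produce. The framing (8 bits, MSB first, sample on the rising edge) and the constructed capture are assumptions made purely for illustration.

```python
"""Decode a clocked data line from two sampled logic channels.

Added example, not code from the original post.  Assumes a logic analyser
(or two time-aligned scope captures) gives one sample per time step for
CLK and DATA.  The framing (8 bits per byte, MSB first, DATA valid on the
rising CLK edge) is an ASSUMPTION for illustration, not the Scantronic
keypad protocol.
"""

SAMPLES_PER_BIT = 4  # constructed: clock period in samples


def encode_capture(payload, samples_per_bit=SAMPLES_PER_BIT):
    """Build a CONSTRUCTED CLK/DATA capture for a list of bytes.

    DATA is driven while CLK is low and held across the rising edge,
    which is the usual set-up/hold arrangement for a clocked line.
    """
    clk, data = [], []
    half = samples_per_bit // 2
    for byte in payload:
        for shift in range(7, -1, -1):  # MSB first (assumption)
            bit = (byte >> shift) & 1
            clk += [0] * half + [1] * half
            data += [bit] * samples_per_bit
    clk += [0] * samples_per_bit  # idle tail, no further edges
    data += [0] * samples_per_bit
    return clk, data


def rising_edges(clk):
    """Sample indices where CLK goes 0 -> 1."""
    return [i for i in range(1, len(clk)) if clk[i - 1] == 0 and clk[i] == 1]


def sample_on_rising_edge(clk, data):
    """Latch DATA at each rising CLK edge; returns the bit stream."""
    return [data[i] for i in rising_edges(clk)]


def bits_to_bytes(bits, msb_first=True):
    """Pack whole groups of 8 bits into byte values; trailing bits dropped."""
    out = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        if not msb_first:
            chunk = chunk[::-1]
        value = 0
        for b in chunk:
            value = (value << 1) | b
        out.append(value)
    return out


def decode_capture(clk, data):
    """Full clocked-serial decode: edges -> bits -> bytes."""
    return bits_to_bytes(sample_on_rising_edge(clk, data))


def run_lengths(line):
    """(level, width) runs of a single channel.

    Useful on a one-channel DATA capture: a PWM-coded line shows two
    clearly separated high-pulse widths, a plain clocked line does not.
    """
    runs = []
    for level in line:
        if runs and runs[-1][0] == level:
            runs[-1] = (level, runs[-1][1] + 1)
        else:
            runs.append((level, 1))
    return runs


def decode_pwm(data, short_max):
    """Alternative hypothesis needing no clock: each high pulse is one bit,
    width <= short_max -> 0, anything longer -> 1 (threshold is assumed)."""
    return [1 if w > short_max else 0 for lvl, w in run_lengths(data) if lvl == 1]


if __name__ == "__main__":
    clk, data = encode_capture([0xA5, 0x3C])
    print([hex(b) for b in decode_capture(clk, data)])
    print(run_lengths(data)[:6])
```

With a real capture you would replace `encode_capture` by the analyser’s exported samples; the only parameters to guess are the active clock edge, bit order and byte length, and trying the four combinations of edge and bit order against a known keystroke is quicker than staring at the scope.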

I’ll keep looking.

Scantronic 9651 keypad/PC interface idea

One of the various bits of rubbish I’ve got hanging around is an old Scantronic 9651 keypad (actually a Scantronic 930).  For the uninitiated: Scantronic is a range of security alarms manufactured by Cooper Safety. In the security installers industry, they tend to be branded by individual companies that do the actual install jobs; for example, my control keypad is branded by ADT.

Long story short, I’d like to hook this up to my Mac so I could write some kind of emulation software or otherwise use it as a control device.  “Why?” I hear you ask, and I retort: “If you are still asking `Why?` at this point, why are you still reading my blog?”.  Onwards with the geekery…

The Scantronic Keypad - Branded by ADT

It is my understanding that these keypads function as serial terminals that send keystrokes to, and receive screen updates from, the main controller board.  Up to 5 keypads can be connected to one controller board to allow control of the system from several different locations around a site.  They are to be connected in a daisy-chain or star configuration (i.e. in parallel).  This information is quite readily available in the form of the various manuals that Cooper release with their products.  The protocol that dictates how the keystrokes and screen updates are communicated is, however, a more closely guarded secret.

The headers that I think are associated with the serial communication between the keypad and the controller board are labelled “SIG” and “SRQ”.  My initial thought was that the “SIG” pin would convey 1s and 0s as high and low voltage values relative to the 0V pin.  A check with the oscilloscope shows that this isn’t the case.  Further investigation shows that during key presses when the keypad is powered up, all the pins maintain their voltages as usual, with no variation at all.  Curious.

I investigated the behaviour of the keypad without messing with the headers at all.  Internally, there are two DIP-style switches that are labelled “PROG” and “TEST”.  The “PROG” switch places the keypad in a programming mode (a rudimentary interface allowing the enabling and disabling of the backlight and sounder, as well as the modification of the keypad address).  The “TEST” switch places the keypad in a testing mode, flashing all the LEDs in a sequential manner and testing the LCD display.  When the keypad is in its “normal” mode (i.e. with both the internal switches set to off), it seems to accept 16 keystrokes after powering up, then starts beeping with each keystroke in a way that suggests the keystroke was declined.  This behaviour gives me the impression that there is some kind of buffer in effect here.  Curiouser.

As a continuation of this thought, perhaps the “SRQ” pin comes into this.  I would theorise that the controller board sends some kind of identifiable pulse unique to each keypad address on a regular basis on the “SRQ” pin - say, every 5 seconds each of the 5 possible keypad addresses are “polled” by the controller board.  This would mean that each keypad has 1 second to dump its buffer of keystrokes on the “SIG” pin in a TDMA-style arrangement whereby up to 5 keypads may share one communication medium (in this case, the “SIG” pin).  Though of course, there is always the possibility that I am wrong.  Another possibility is of course that this keypad is fried.  The time in my cupboard under a load of electronic rubbish and quality time with our good friend Mr. Electrostatic Discharge might well have finished this guy off.  After all, it IS nearly as old as me…

Nearly as old as me - This thing is like... way old!

I have an ace up my sleeve here however.  I have just won a wonderful like-new Scantronic 9651 Controller board with an additional 930 keypad!  Hopefully I will be able to inspect the behaviour of the controller board’s respective “SIG” and “SRQ” pins and crack this whole thing wide open, at which point I will of course publish a wonderful blog post detailing all the geeky goodness.

Until then, play safe!

In bits: Motorola MTH650 Handportable TETRA Terminal

I’ve not posted for a while because I’ve been a bit poorly, and then as a further impact of that I’ve been lagging with some university work and not had time to do anything fun that I can post about recently.  However, here’s something to make up for it.

I thought I’d post a few pictures of a particularly shagged Motorola MTH650 handset I came across for a great price on eBay.  It’s still functional but unfortunately it seems to have suffered a fair beating in its lifetime. I bought it purely as a novelty and a nice thing to play around with really.

Interest of the Moment: Radio et al

So I thought I’d start a category to contain all the random crap that seems to drift in and out of my interests list.  It could prove to be amusing and I’m sure someone with a lot of time on their hands could generate some sort of tag-cloud versus time style graph further down the line that will prove deeply embarrassing to all parties involved.  Onwards.

A while ago, I obtained a Radio Scanner for the purpose of entertaining myself without a screen or keyboard right in front of me.  It was kind of nice to be in bed, listening to some arguing bus/truck drivers or PMR users. It really came into its own when I moved to the city – there’s lots more activity here than there was in little rural Radcliffe and it was quite exciting to get regular Close Calls* (I wasn’t even sure that feature was really working back in Radcliffe).

I got bored quickly though – there are only so many things you can hear on a radio scanner before you’ve heard it all – and that happens surprisingly quickly when you’re not moving around at all I suppose.  Looking for something else exciting and interesting, I saw more advanced scanners that just seem to add more compatibility for trunking and storage – these didn’t really interest me so much.  The actual trunking radios are quite clever things – particularly the TETRA standard.  Capable of working in several configurations – Trunked (using the network infrastructure – essentially lots of cell sites – to communicate), Direct (Back-2-Back direct communication between two terminals) and crossovers between the two like Repeater and Gateway (effectively proxying traffic between terminals) – the system is extremely versatile.

Motorola MTP850 - A really nice TETRA terminal

It’s not just voice that can be transferred over TETRA; the standard also supports data and an SMS-like text message service (SDS – Short Data Service).  Something I’d love to play with would be implementing IP/TETRA (read: Internet Protocol over Terrestrial Trunked Radio) between a few machines with attached TETRA terminals.  The interesting network characteristics like the repeater and gateway functionality would make for a great data link layer – albeit with a fairly low bit rate.  I feel pretty confident that I’d be able to hash something together in C# or Objective-C to give the idea some legs; unfortunately there are a few things in the way of experimentation here. Firstly, the terminals are a little (!!) expensive. Given that they’re normally not purchased by members of the public, their price ranges reflect the target audience of government (read: public safety, police, fire, ambulance, disaster control et al.) and large corporations.  Secondly, Ofcom are standing by to stomp out the fun – perhaps with good reason.  The terminals tend to operate in the 380-410 MHz area – and that’s not allowed without some kind of licence (exactly what kind, I have not figured out yet – I dare not inquire in case men with black suits and guns start asking questions – there’s no such thing as curiosity and innocence these days).  The airwaves do need to be kept clear for the proper users of the technology though of course.  If I can figure out how to proceed legally and on-record then I shall endeavour to do so.

The ETSI TETRA Standard Logo

I should probably say at this point the usual safety clause: anyone reading this that has put together the words “police” and “listen” – drop that thought now.  One of the other wonderful features of TETRA is its security – it supports air-interface encryption between terminals and the network infrastructure, and optionally end-to-end encryption between terminals on top of that (and you bet they use it!) – on that note yet another plus for IP/TETRA.  The UK TETRA network is operated by Airwave Solutions (I believe they also have something to do with O2 – God help us!). As far as I can tell – there was once a public TETRA network called Dolphin in the UK – but it didn’t last long – call quality was apparently atrocious and the handsets were more expensive than conventional GSM machines that, for most users, would do the same thing.

Another interesting radio-related thing I came across was the USRP2 from Ettus Research.  It’s essentially a software-defined radio that lets you generate and transmit arbitrary waveforms and also receive radio transmissions.  It has been applied to GSM, RFID, FM and many more radio applications.  Unfortunately it’s pocket-burningly expensive and not really the sort of thing I can see myself understanding or owning in the foreseeable future.  The people that do understand it and can afford it have done some really exciting things with it though – definitely worth a look on YouTube.

I’ll keep browsing and I’m open to suggestions on fun wireless things to play with.

* My scanner was a Uniden Bearcat UBC3500XLT.  I sold it last week on eBay! The Close Call feature lets the scanner continually observe the band for activity and automatically emit a sound or tune in when something is detected. Really great feature if there’s a lot going on right across the band.  The only problem I had with the scanner was that the squelch setting (read: the setting that chooses how strong a signal must be before the scanner stops on it) was a bit coarse – at least I thought it was; maybe it was the best one around and I’m being picky, but it always seemed either too eager to stop for static or too ignorant to stop for anything at all.