Reverse Engineering a Vintage Wireless Keypad with an RTL-SDR

Over on his blog, Veghead has posted about how he was able to reverse engineer a wireless alarm panel keypad from 1986 with an RTL-SDR dongle. The goal of his reverse engineering was to be able to eventually hook it up to a modern alarm system.

By first looking at the old FCC label on the keypad, Veghead discovered that the device transmitted between 319 MHz and 340 MHz. He then used his RTL-SDR dongle to take a recording of the transmitted signals, before opening them up in Audacity – a free audio processing program.

By analyzing the waveform in Audacity, Veghead discovered that the alarm panel uses simple ON-OFF Keying (OOK) modulation. Although the frequency of the signal drifted a lot (probably due to aged components), he was able to write a decoder that he called cletus which converts the recorded complex I/Q signal into a real signal and then uses a state machine to turn the waveform into 1’s and 0’s. Finally the program then outputs the correct button that was pressed to the terminal.

Vintage wireless alarm keypad reverse engineered with an RTL-SDR
Vintage wireless alarm keypad reverse engineered with an RTL-SDR
Subscribe
Notify of
guest

1 Comment
Inline Feedbacks
View all comments
John Krebs

I installed a bunch of those systems in the mid 80’s.
Each transmitter had a what they called the comb, a group of pins that you would cut certain pins to assign the transmitter.
These things just boggled the mind of the old timer i was apprenticing and he wound up cutting EVERY one of his wrong.
More than once.
I made sure i knew it inside and out because i wanted to impress, AND it meant keeping me out of a 150 degree Houston attic!
They actually worked well after install but i have no idea how they faired over time because i went into Air Conditioning shortly after.