alank2
PostPosted: Sep 09, 2010 - 07:53 PM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

I'm going to start working on my next project - creating a garage door alert/alarm. It will let me know when I leave my door open for too long and when I arm my alarm system in stay mode at night I want it to disable wireless remotes and alarm if the door is opened.

The one part of this that is a little tougher is monitoring what the alarm system calls "keybus". It is 4 wires (+12v, gnd, data, clock). It has a limit of 1000' and I put my scope on it last night and found it is communicating at 1khz.

It supports multiple devices and the main panel knows if a device is missing or malfunctioning. My question is, with only one data, how might it communicate? Does it make sense that the panel always polls each device (keypad) in order and asks the keypad if a key has been pressed? I am presuming the clock is generated by the main panel. It seems to me that with only one data channel, that something has to be the "master" and constantly ask the slaves if they have anything to report...

Thanks,

Alan
 
ka7ehk
PostPosted: Sep 09, 2010 - 09:38 PM
10k+ Postman


Joined: Nov 22, 2002
Posts: 13519
Location: Tangent, OR, USA

Google "KeyBus" returns a lot of info.

Your description of KeyBus does not match very closely what I just read. It talks about 4800 baud, async serial with a shared data line. Nothing about a clock. Here is one place:

http://www.diysecurityforum.com/index.php?topic=10480.0

Some of what I read says that it's proprietary to Ademco Security, so the protocol is not publicly available. However, some can be teased out of patents and manuals, discussed on the board referenced above.

Jim

_________________
Jim Wagner
Oregon Research Electronics, Consulting Div.
Tangent, OR, USA

Fournier RF4d - My dream plane!
 
alank2
PostPosted: Sep 09, 2010 - 11:47 PM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi Jim,

I saw that info too about the 4800 baud. I think the keybus in my system may be a little more low-end than the one in that thread.

I did notice that the clock wasn't always running. It looked like it would go high for >4ms or so and then start cycling at 1khz for 40 bits or so. I should have looked at the transitions a little better to see if the data was being changed before it was going high or low.

I just want to read and decode the data, I don't want to interact with it. High=13.5V and Low=GND. Could I use a simple voltage divider to bring the 13.5V down to 5V? I could then feed that into an AVR using an interrupt on the clock to record the bit and try to reassemble them. I then plan to output that on a UART to see if I can make any sense of it. I found a document in that thread that may document what is coming across.

Thanks,

Alan
 
ka7ehk
PostPosted: Sep 10, 2010 - 01:11 AM
10k+ Postman


Joined: Nov 22, 2002
Posts: 13519
Location: Tangent, OR, USA

Yes, a voltage divider should work.

You MAY be able to use the SPI hardware interface on this signal. You will need to figure out which edge is in the middle of the bit; use that edge for latching the data.

Jim

_________________
Jim Wagner
Oregon Research Electronics, Consulting Div.
Tangent, OR, USA

Fournier RF4d - My dream plane!
 
alank2
PostPosted: Sep 11, 2010 - 02:44 AM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

I captured this burst of data, does it make any sense:

0101010101110111111101010101010111010101010101011111010111010101111111010101111111

I was hoping to see some ASCII characters in this, but my untrained eyes don't see much.

There might be another 1 before and after this stream.

I'm trying to analyze it...

Thanks,

Alan
 
crwper
PostPosted: Sep 11, 2010 - 03:08 AM
Resident


Joined: Aug 22, 2008
Posts: 574
Location: Calgary, Canada

The first thing I notice is that the sequence is made up of two things: "01" and "11". Never a "00" or "10" in there. This makes me think that, e.g., "01" stands for "0" and "11" stands for "1". Is this possible?

Michael

Edit: For what it's worth, applying the mapping given above, I get:

Code:
00000101110000001000000011001000111000111


Edit again: Got the number of bits wrong the first time. That's 41 bits, so I don't see how it would break up into a nice number of bytes.

One more edit: If you assume there's another 1 before and after the sequence, and that "10" means "0" and "11" means "1", then you'd get 42 bits:

Code:
000001011100000010000000110010001110001111


42's a bit nicer of a number. 6 x 7 bits gives:

Code:
0000010 2
1110000 112
0010000 16
0001100 12
1000111 71
0001111 15


Alternatively, 7 x 6 bits would give:

Code:
000001 1
011100 28
000010 2
000000 0
110010 50
001110 14
001111 15


Alright, I'm done messing around for sure this time.
 
alank2
PostPosted: Sep 11, 2010 - 04:02 AM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi crwper,

Thanks for taking a stab at it. After looking at the waveform again, I think I was picking up a bit at each clock change (positive and negative) instead of just when it goes positive for example. So I may have twice as many bits with dummy bits between each one.

One thing that surprised me is that the data and clock cross each other at the mid point at practically the same time. I guess I expected the data would be set and once settled, triggered by the clock. Should I consider the middle of the clock cycle the place to sample the data instead of the leading or falling edge?





Thanks,

Alan
 
alank2
PostPosted: Sep 11, 2010 - 04:06 AM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

Also note in the top picture, yellow being the clock. If the top of the yellow is where to sample the data, both the data are low. WHY raise the data between cycles if you are sending two low bits?

Thanks,

Alan
 
alank2
PostPosted: Sep 11, 2010 - 04:33 AM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi crwper,

I think you were on to something.

I got a new sequence:

Code:

00000101010001011000010001001000111000111


If I reverse this and separate into 7 bits:

Code:

1110001 1100010 0100010 0001101 0001010 100000
0x71'q' 0x62'b' 0x22'"' 0xd     0xa     0x01


What caught my attention is the 0xd 0xa cr/lf. I suppose the last 6 bits could be a header/address or something and that is why there isn't seven.

One thing that puzzles me is that the MSB/LSB thing I get, but why transmit the end of the line first? They start with the lf, then cr, then the characters. That is of course if I am on to something.

I grabbed 1M samples with my scope and pressed some buttons on the alarm system while capturing so I have lots of data I can write a program to scan through tomorrow.

Thanks,

Alan
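
The double-sampling explanation from the earlier post and the reverse-and-split-by-7 reading above can both be checked against the captures posted in this thread. This is an added example, not code from anyone in the thread; the function names are made up for it, and it assumes the first capture holds exactly two samples per clock cycle.

```c
#include <stdio.h>
#include <string.h>

/* Capture posted in the thread: one sample on every clock transition. */
static const char RAW[] =
    "0101010101110111111101010101010111010101010101011111010111010101111111010101111111";
/* Later capture from the thread: one sample per clock cycle. */
static const char SEQ2[] = "00000101010001011000010001001000111000111";

/* Keep the sample at offset `phase` of each pair. Returns the bit count, or
 * -1 when the dropped samples are not all identical (wrong phase). */
int decimate(const char *raw, int phase, char *out, size_t outsz)
{
    size_t n = strlen(raw), k = 0;
    if (phase < 0 || phase > 1 || (n & 1) || n / 2 + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i += 2) {
        if (raw[i + 1 - phase] != raw[1 - phase]) return -1;
        out[k++] = raw[i + phase];
    }
    out[k] = '\0';
    return (int)k;
}

/* Reverse a bit string in place (the post reads the frame last bit first). */
void reverse_bits(char *s)
{
    for (size_t i = 0, j = strlen(s); i + 1 < j; i++) {
        char t = s[i];
        s[i] = s[--j];
        s[j] = t;
    }
}

/* Values of the complete `width`-bit groups (first bit = MSB); returns count. */
int group_bits(const char *bits, int width, unsigned *vals, int max, int *leftover)
{
    int n = (int)strlen(bits), g = 0;
    if (width < 1 || width > 16) return -1;
    for (int i = 0; i + width <= n && g < max; i += width, g++) {
        vals[g] = 0;
        for (int j = 0; j < width; j++)
            vals[g] = (vals[g] << 1) | (unsigned)(bits[i + j] == '1');
    }
    *leftover = n - g * width;   /* bits left after the last full group */
    return g;
}

/* Index of the first 0x0D 0x0A pair in vals, or -1. */
int find_crlf(const unsigned *vals, int n)
{
    for (int i = 0; i + 1 < n; i++)
        if (vals[i] == 0x0D && vals[i + 1] == 0x0A) return i;
    return -1;
}

int main(void)
{
    char bits[64] = "", rev[64] = "";
    unsigned v[16];
    int left = 0;
    printf("phase 0: %d bits: %s\n", decimate(RAW, 0, bits, sizeof bits), bits);
    printf("phase 1: %d\n", decimate(RAW, 1, rev, sizeof rev));
    strcpy(rev, SEQ2);
    reverse_bits(rev);
    int n = group_bits(rev, 7, v, 16, &left);
    for (int i = 0; i < n; i++) printf("0x%02X ", v[i]);
    printf("+ %d bits, CR/LF at group %d\n", left, find_crlf(v, n));
    return 0;
}
```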
 
ka7ehk
PostPosted: Sep 11, 2010 - 05:27 AM
10k+ Postman


Joined: Nov 22, 2002
Posts: 13519
Location: Tangent, OR, USA

My first thought was something like NRZ or Manchester, but neither of those would be clocked.

Interesting that there is never a high level that is longer than two clock cycles. Makes me think that a "long" high might be one logic level and a "short" one might be the other. An alternative way of looking at it is a long one is one and TWO short ones is the opposite.

Given that it IS a security system, it could very well be that they are trying to make it really obscure!

Jim

_________________
Jim Wagner
Oregon Research Electronics, Consulting Div.
Tangent, OR, USA

Fournier RF4d - My dream plane!
 
crwper
PostPosted: Sep 11, 2010 - 05:48 AM
Resident


Joined: Aug 22, 2008
Posts: 574
Location: Calgary, Canada

The timing of the clock edges definitely seems fishy. Usually this kind of thing would occur when the bit had been set, I believe.

Having recently spent some time playing with the Dallas 1-Wire protocol, it seemed to me that the first rising edge might be for timing, and then the line stays high for a "1", or drops low for a "0"--similar to what Jim suggested. However, such a protocol wouldn't be clocked.

To lay it out a bit more clearly, though, it would work like this: The receiver detects the rising edge of the signal, waits 3/4 of a "cycle", then samples the line. The logic resets, and it's ready for the next bit. This sort of system is quite robust to clock errors, compared to, say, RS-232. The presence of the clock, however, would be puzzling.

Michael
 
alank2
PostPosted: Sep 11, 2010 - 06:03 AM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

Jim: there are examples of it staying high for 3 and perhaps 4 clock cycles.

I analyzed the 1M sample I pulled from the scope and captured the data in the middle of the clock being high. Here are some sequences I received:

Code:

000001010100000010000000110010001110001110
0001000101010101010101010101010101010101010101010101010
000001010100000010000000110010001110001111
0101110100000000000000000000000000000000000000000010111010
00001010010000000000000010000000000000000000000000000000000000000100010110
01100100000000110011010100
1011101100000000000000000101110110
01110101000000000011101010
000001010100010110000100010010001110001111
000001010100010110000100010010001110001110
01100100000001100011100000
000001010100000010011111010010001110001111
0010011101000000100111110100100011100011100000000001111100
000001010100000010011111010010001110001110


These confuse me further...

Perhaps I don't have to understand it if it is consistent. If I can find the sequence indicating the system is entering "stay arm" and the sequence indicating the system is "disarmed" that is all I would need.

Thanks,

Alan
 
alank2
PostPosted: Sep 11, 2010 - 07:37 PM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

What I find odd is the length of the above bit streams:

26, 34, 42, 55, 58, and 74.

Any more ideas?

Thanks,

Alan
 
alank2
PostPosted: Sep 12, 2010 - 03:22 AM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

Here is a scope of an entire stream if it shows anything that might give a hint:



Thanks,

Alan
 
alank2
PostPosted: Sep 13, 2010 - 01:22 PM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

I got an AVR setup to poll the above signal at 10x its frequency. Voltage divider worked great. I set it up to capture the data and output it via the USART to my PC. There is a lot of repeating strings so I also made it indicate at the end of a line how many times that line was received so it doesn't constantly scroll up the terminal window. It was late and I didn't have time to really play with the alarm system and see what it does, but I did note some interesting things.

The first is that it sends an update every time a sensor changes. If I walk into the hallway and set off a motion detector I see a line for that and then another line for it going off.

Another is that if I press a numeric button on the keypad like I am entering a code, it does NOT transmit anything. It is almost as if the keypad is smart and waits for the entire sequence, and knows whether it is the right code or not, before it sends anything. I had figured that the keypad would simply pass along the keys and the main alarm board would validate them...

Setting the alarm shows a flurry of activity, perhaps 10 distinct lines or so. I'll try to post some data from it later, perhaps someone can make out something from it.

Thanks,

Alan
 
alank2
PostPosted: Sep 13, 2010 - 10:19 PM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

Here are some more streams of bits if anyone has an idea of how to decode them. They begin with a [bitcount] bits (number of times stream was sent in a row).

Some of the items almost look like they have a checksum at the end, but others do not... I have no idea if they are compressed or encrypted or using some encoding format...

Code:

hall motion

[58] 0010011101000000100000001100100011100011100100000001000010 (         1)
[42] 001001010100000010000001010010001110001110 (         2)
[42] 000001010100000010000001010010001110001110 (        21)
[58] 0101110100000000000000000000000000000000000000000010111010 (         1)
[42] 010001010100000010000001010010001110001110 (         2)
[42] 000001010100000010000001010010001110001110 (         7)
[58] 0010011101000000100000010100100011100011100000000000000100 (         1)
[42] 001001010100000010000000110010001110001110 (         2)
[42] 000001010100000010000000110010001110001110 (        70)
[55] 0001000101010101010101010101010101010101010101010101010 (         1)
[42] 000101010100000010000000110010001110001111 (         1)
[42] 000001010100000010000000110010001110001111 (        82)

stay arm

[42] 000101100000011100010001111110110001111010 (         1)
[42] 000001010100000010000000110010001110001111 (         9)
[74] 00001010010000000000000010000000000000000000000000000000000000000100010110 (         1)
[26] 10001100000000110011010100 (         1)
[58] 0101110100000000000000000000000000000000000000000010111010 (         1)
[34] 1101101100000000000000000101110110 (         1)
[26] 11110101000000000011101010 (         1)
[42] 100001010100010110000100010010001110001111 (         1)
[42] 000001010100010110000100010010001110001111 (         3)
[26] 01110101000000000011101010 (         1)
[42] 000001010100010110000100010010001110001111 (       280)

stay arm finish

[58] 0101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000101010100010110000100010010001110001110 (         1)
[42] 000001010100010110000100010010001110001110 (       188)
[58] 0010011101000101000000100100100011100011100000000000011010 (         1)
[42] 011001100000011100010001111110010001110010 (         1)
[82] 1111000101111111100000000000000000000000000000000000000000000000000000000101100000 (         1)
[66] 101001010000100000110010110101111011101001011111111111111111110110 (         1)
[26] 11000101000000000011101010 (         1)
[42] 000001010100010100000010010010001110001111 (         1)
[66] 101001010000100000110010110101111011101101001101000000000110110010 (         1)
[42] 001001010100010100000010010010001110001111 (         2)
[42] 000001010100010100000010010010001110001111 (         3)
[73] 1101010101010101010101010101010101010101010101010101010101010101010101010 (         1)
[58] 0010011101000101000000100111111111111111100000000101100110 (         1)
[42] 001001010100010100000010010010001110001110 (         2)
[42] 000001010100010100000010010010001110001110 (        64)

tried punching in these four codes, all incorrect:
0000
0001
0000
9999

[42] 000001010100000011000111110010001110001111 (         1)
[26] 10011111000000001100000000 (         1)
[58] 1101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000101010100000011000111110010001110001110 (         1)
[42] 000001010100000011000111110010001110001110 (        51)
[42] 000001010100000010000000110010001110001110 (        53)
[42] 000001010100000011000111110010001110001110 (         1)
[26] 10011111000000001100000000 (         1)
[58] 1101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000101010100000011000111110010001110001110 (         1)
[42] 000001010100000011000111110010001110001110 (        47)
[42] 000001010100000010000000110010001110001110 (        51)
[42] 000001010100000011000111110010001110001110 (         1)
[26] 10011111000000001100000000 (         1)
[58] 1101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000101010100000011000111110010001110001110 (         1)
[42] 000001010100000011000111110010001110001110 (        50)
[42] 000001010100000010000000110010001110001110 (        67)
[42] 000001010100000011000111110010001110001110 (         1)
[26] 10011111000000001100000000 (         1)
[58] 1101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000101010100000011000111110010001110001110 (         1)
[42] 000001010100000011000111110010001110001110 (        55)
[42] 000001010100000010000000110010001110001110 (       106)
[55] 0001000101010101010101010101010101010101010101010101010 (         1)
[42] 000001010100000010000000110010001110001111 (        35)

sitting doing nothing

[55] 0001000101010101010101010101010101010101010101010101010 (         1)
[42] 000101010100000010000000110010001110001111 (         1)
[42] 000001010100000010000000110010001110001111 (       338)
[58] 0101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000101010100000010000000110010001110001110 (         1)
[42] 000001010100000010000000110010001110001110 (       295)
[55] 0001000101010101010101010101010101010101010101010101010 (         1)
[42] 000101010100000010000000110010001110001111 (         1)
[42] 000001010100000010000000110010001110001111 (       317)
[82] 1011000101111111100000000000000000000000000000000000000000000000000000000101100000 (         1)
[42] 000100010100000010000000110010001110001110 (         1)
[42] 000001010100000010000000110010001110001110 (        18)
[58] 0101110100000000000000000000000000000000000000000010111010 (         1)
[42] 010001010100000010000000110010001110001110 (         2)
[42] 000001010100000010000000110010001110001110 (       294)
[55] 0001000101010101010101010101010101010101010101010101010 (         1)
[42] 000101010100000010000000110010001110001111 (         1)
[42] 000001010100000010000000110010001110001111 (       338)
[58] 0101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000001010100000010000000110010001110001110 (       296)
[55] 0001000101010101010101010101010101010101010101010101010 (         1)
[42] 000001010100000010000000110010001110001111 (       317)
[58] 0010011101000000100000001100100011100011100000000000000010 (         1)
[42] 001001010100000010000000110010001110001110 (         2)
[42] 000001010100000010000000110010001110001110 (        18)
[58] 0101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000101010100000010000000110010001110001110 (         1)
[42] 000001010100000010000000110010001110001110 (       295)
[55] 0001000101010101010101010101010101010101010101010101010 (         1)
[42] 000101010100000010000000110010001110001111 (         1)
[42] 000001010100000010000000110010001110001111 (       338)
[58] 0101110100000000000000000000000000000000000000000010111010 (         1)
[42] 000101010100000010000000110010001110001110 (         1)
[42] 000001010100000010000000110010001110001110 (       171)


Thanks,

Alan
 
alank2
PostPosted: Sep 15, 2010 - 01:32 AM
Posting Freak


Joined: Jul 16, 2009
Posts: 1787


Hi,

Well it was a mess, but after lots of looking at it I found that the 42 byte sequence has a single bit that turns on when it is in stay mode.

Thanks,

Alan
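
One way to look for such a state bit is to compare the 42-bit frames from the capture posted earlier in the thread. This is an added example, not alank2's program; the function names are made up for it, and sorting the frames into disarmed and stay-armed groups is an assumption based on the capture's section labels.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_BITS 42
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* 42-bit frames copied from the capture in the thread. Sorting them into
 * these two states is this example's assumption. */
static const char *const DISARMED[] = {
    "000101010100000010000000110010001110001111",
    "000001010100000010000000110010001110001111",
    "000001010100000010000000110010001110001110",
    "010001010100000010000000110010001110001110",
    "001001010100000010000000110010001110001110",
    "000001010100000010000001010010001110001110", /* hall motion active */
};
static const char *const STAY_ARMED[] = {
    "100001010100010110000100010010001110001111",
    "000001010100010110000100010010001110001111",
    "000001010100010110000100010010001110001110",
    "001001010100010100000010010010001110001110",
    "000001010100010100000010010010001110001110",
};

/* Pack a frame so that bit i of *out is sample i (0 = first bit received).
 * Returns 0 if the string is not exactly FRAME_BITS characters of 0/1. */
int pack(const char *s, uint64_t *out)
{
    if (strlen(s) != FRAME_BITS || strspn(s, "01") != FRAME_BITS) return 0;
    *out = 0;
    for (int i = 0; i < FRAME_BITS; i++)
        *out |= (uint64_t)(s[i] == '1') << i;
    return 1;
}

/* *all gets the bits that are 1 in every frame, *any those 1 in at least one. */
int summarize(const char *const *frames, size_t n, uint64_t *all, uint64_t *any)
{
    *all = (1ULL << FRAME_BITS) - 1;
    *any = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t w;
        if (!pack(frames[i], &w)) return 0;
        *all &= w;
        *any |= w;
    }
    return n > 0;
}

/* armed != 0: bits that are 1 in every armed frame and 0 in every disarmed
 * frame. armed == 0: the reverse. Bits that vary inside a state drop out. */
uint64_t state_bits(int armed)
{
    uint64_t d_all, d_any, a_all, a_any;
    if (!summarize(DISARMED, COUNT(DISARMED), &d_all, &d_any) ||
        !summarize(STAY_ARMED, COUNT(STAY_ARMED), &a_all, &a_any))
        return 0;
    return armed ? (a_all & ~d_any) : (d_all & ~a_any);
}

int main(void)
{
    uint64_t on = state_bits(1), off = state_bits(0);
    for (int i = 0; i < FRAME_BITS; i++)
        if (((on | off) >> i) & 1)
            printf("bit %d is 1 only when %s\n", i, (on >> i) & 1 ? "armed" : "disarmed");
    return 0;
}
```

With these frames two bit positions survive the comparison, so this selection of the capture narrows the search but does not by itself say which one is the bit described in the post.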
 
zrx888
PostPosted: Feb 13, 2012 - 02:17 PM
Newbie


Joined: Feb 02, 2012
Posts: 1


Hello,

Too bad, this topic seems to be abandoned.
Still I make a shot at asking you what alarm system all the above data
captures have been made with? I'm sort of surprised, as my captures of my
DSC-PC1616 based Keybus system seem so different.

Thanks, Peter
 
riviera65
PostPosted: Nov 01, 2012 - 02:58 PM
Newbie


Joined: Oct 31, 2012
Posts: 7


zrx888 wrote:
Hello,

Too bad, this topic seems to be abandoned.
Still I make a shot at asking you what alarm system all the above data
captures have been made with? I'm sort of surprised, as my captures of my
DSC-PC1616 based Keybus system seem so different.

Thanks, Peter


I agree with you, this is too bad. Here are my captures of my DSC-PC1616 panel. Do you see something similar? Can you help me?
Code:

00000101 0 10000001 00000001 00000000 11000111 00000000 11000111 00000000 11000111 1 no zone
00000101 0 10000001 00000010 00000000 11000111 00000000 11000111 00000000 11000111 1 zone 1
00000101 0 10000001 00000010 00000000 11000111 00000000 11000111 00000000 11000111 1 zone 2
00000101 0 10000000 00000011 00000000 11000111 00000000 11000111 00000000 11000111 1 zone 3
00000101 0 10000000 00000011 00000000 11000111 00000000 11000111 00000000 11000111 1 zone 4

00000101 0 10000011 00001000 00000000 11000111 00000000 11000111 00000000 11000111 1 arm delay
00000101 0 10000011 00001000 00000000 11000111 00000000 11000111 00000000 11000111 1 arm delay short beeps
00000101 0 10000010 00000101 00000000 11000111 00000000 11000111 00000000 11000111 1 armed
 
riviera65
PostPosted: Nov 16, 2012 - 02:47 PM
Newbie


Joined: Oct 31, 2012
Posts: 7


Hi,

I've found a way to read the messages on the keybus, and I'm starting to interpret them. This thread: http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=1011467#1011467 could help.

Can you help me interpret more codes?
 