
Why You Don’t Want To Buy a Cheap Alarm (Motorcycle Alarm Teardown)

This time I’ve got my hands on a very cheap motorcycle alarm with remote start capability. Here I will show you why you don’t ever want to buy a cheap alarm for your car or motorcycle, and also explain what makes it tick.

This alarm was pulled from a scooter because it had been draining the battery (only 4Ah capacity) in about two weeks. Because the scooter was ridden pretty rarely, this was a big problem for the owner.

Inside, this alarm is packed pretty tightly. Because it is a motorcycle alarm, there is not much space on a bike for all the usual separate parts, like a shock sensor, a full-size siren and external high-current relays. And so it’s all packed inside the main body.

You can see the piezoelectric transducer with some additional weight on the left. It acts as a shock sensor, generating electricity when vibration is detected.

Unlike in car alarms, this alarm’s siren circuitry is integrated inside the main module, and the siren itself is just a simple piezoelectric transducer. That’s why you can see the transformer in the middle (bottom), which is used to drive the siren: to get it to scream really loud, you need to step the voltage up from 12V to the higher voltage required by the piezoelectric transducer.

Overall it is made very cheaply. Single-sided paper board; all lowest-quality through-hole components; everything is hand-soldered and there is some bodginess going on because of the lack of board space.

Some components were barely holding in place. A little more vibration and the alarm would’ve failed.

In the middle you can see an LM358 and a bunch of passives, which are used for shock sensor signal conditioning.

On the right is a ULN2003, which is a Darlington transistor array. It is used for controlling the relays, because the microcontroller itself isn’t capable of delivering enough current on its I/O pins.

At the top you’ll find an M3763A-1C, which is a single sound/melody horn/siren sound generator. But it cannot drive the siren by itself. The designers of this alarm used one of the Darlington drivers from the ULN2003 in conjunction with a TIP-42C (100V, 6A PNP power transistor) to drive a step-up transformer, which then drives the piezoelectric transducer-based siren.

PT2294-L4 is a simple remote control decoder IC, which you can find in many RF remotes and similar consumer electronics. Now this is the most interesting part of all this “security system” bullshit, which I’ll talk about in a second.

The microcontroller used is a CF745-04/P, which has the Microchip logo on it. But the strange thing is, I wasn’t able to find any information on this chip at all, and at the same time this MCU seems to be pretty popular, because the Chinese market is flooded with CF745-04/P offerings. “Original Microchip CF745, bla bla bla..” I searched the Microchip website and found nothing. Maybe I don’t know where to look? So if you know what this micro is – I would be glad to hear it.

Update: CF745 is an untested version of the PIC16C54 manufactured for the Chinese market by Microchip, to compete with local MCU manufacturers. Big thanks to amic from the EEVblog forum for this explanation!

And of course there’s a simple 433MHz receiver module on top.

Now the most interesting part about the so-called “security” of this (and other similar) alarms. Well, is it secure? Nope! In fact, it really simplifies the job for thieves. If you install such an alarm in your vehicle, they’ll say a big thank you! And here’s why:

It transmits the same code over and over again. It doesn’t have any rolling code (hopping code) or time-based code. Therefore it is vulnerable to a dead-simple replay attack. Anyone who knows a bit of electronics could build a code scanner for such an alarm using a simple 433MHz receiver, a microcontroller and a transmitter on the same frequency. Just leave “the box” not far from the vehicle, let it capture the codes, and easily unlock the vehicle without using any physical force. And in this case, since this alarm has a remote start capability, a thief can not only unlock your vehicle, but also easily start it.

Isn’t that cool? No physical intrusion, just go there and take it for a joy ride! And all that without knowing much about electronics and cryptography..

The 433MHz receiver receives the signal from the remote key fob, then the signal goes to the PT2294-L4 remote control decoder, which is connected to the microcontroller with 5 lines: four data lines and one VT (Valid Transmission) line. When the PT2294 detects the right input sequence from the receiver, it sets VT high, which tells the MCU that a new command has been received and that it should check the state of those four data bits to know which command it is.

Every alarm has its own hard-wired address, which is set by the solder jumpers you can see on the left (yellow rectangle). The decoder chip has 8 tri-state address pins, and each pin can be set to either “1”, “0” or “f” (floating). So it effectively makes for 3^8 = 6561 combinations. You can read more about that in the PT2294 datasheet, which you’ll find at the bottom of this page.
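The fixed address check described above, next to a counter-based rolling code, as an added example that is not from the original post or from any alarm vendor. The HMAC construction, the 16-press window, the key and the sample frames are assumptions chosen for illustration; commercial rolling-code systems use their own ciphers.

```python
import hashlib
import hmac

def fixed_code_accept(jumpers: str, frame: tuple) -> bool:
    """Decoder as described above: VT goes high whenever the 8 address digits match."""
    address, _data_bits = frame
    return address == jumpers

def make_tag(key: bytes, counter: int, command: int) -> bytes:
    """Truncated HMAC-SHA256 over counter||command, so a tag is valid for one counter only."""
    msg = counter.to_bytes(4, "big") + bytes([command])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class RollingCodeFob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self, command: int) -> tuple:
        self.counter += 1                      # a counter value is never reused
        return (self.counter, command, make_tag(self.key, self.counter, command))

class RollingCodeReceiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.last, self.window = key, 0, window
    def accept(self, frame: tuple) -> bool:
        counter, command, tag = frame
        if not hmac.compare_digest(tag, make_tag(self.key, counter, command)):
            return False                       # forged or altered frame
        if not self.last < counter <= self.last + self.window:
            return False                       # replayed (old) or far-future counter
        self.last = counter                    # everything up to this counter is now dead
        return True

def demo() -> dict:
    fixed_frame = ("10ff01f0", 0b0001)         # constructed sample; identical on every press
    key = bytes(range(16))                     # constructed shared key (assumption)
    fob, rx = RollingCodeFob(key), RollingCodeReceiver(key)
    first = fob.press(0b0001)
    fob.press(0b0001)                          # pressed out of range, never received
    third = fob.press(0b0010)
    return {
        "fixed_replay": fixed_code_accept("10ff01f0", fixed_frame),
        "rolling_first": rx.accept(first),
        "rolling_replay": rx.accept(first),
        "rolling_altered": rx.accept((third[0], 0b0001, third[2])),
        "rolling_after_gap": rx.accept(third),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed-code check accepts the same frame indefinitely, while the counter-based receiver accepts each frame once, rejects a frame whose command bits were changed, and still tolerates a few presses it never heard.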

Here I captured some waveforms on PT2294 data pin(going from 433MHz receiver):

Here you can see three packets which have been received. Each packet contains the same sequence of ones and zeros. So if one packet is received incorrectly due to interference, you can always wait for another “undamaged” packet.

Here is a close-up of part of a packet. It’s really easy to parse this data with a microcontroller, and then store it.

And the remote from this alarm looks like this:

In the remote control they’ve used a PT2260-R45, which is a remote control encoder IC.

Looks like everything in the remote key fob is also hand-soldered. “Top quality” assembly..

You can spot the same solder jumpers there as in the base unit. These jumpers should be set to the same configuration as in the main unit (I guess it should be obvious).

I was interested in what kind of voltages and waveforms go to the siren. Since it’s a simple piezoelectric transducer, the voltage amplitude should be pretty big, but the question is: how big?

This is what one “chirp” looks like:

Close up of different parts of waveform:

And finally the amplitude:

Hm.. 150V – pretty cool, huh? You can wire it up to the handlebars and have the thief experience the whole “hundred-and-fifty-volts-joy” thing :-D

Finally, I have roughly checked the current consumption of this alarm, which was the main reason why it was scrapped. In the following photo, I am measuring the current consumption of the 433MHz receiver.

The full current consumption of this alarm in stand-by mode is about 8mA. Not the worst current consumption, but for a motorcycle alarm it could be a bit better.

Let’s do some simple math. Since this alarm uses a simple linear regulator, it consumes constant current, not constant power. And we have a 4Ah scooter battery.
4Ah / 0.008A = 500 hours = 20 days and 20 hours.
So, the battery would be completely dead in about 20 days. A pretty short time, if you ask me. But in reality it’s not 20 days, but even less, because you don’t need to discharge the battery completely to be unable to start a scooter. Even half of that would be enough.

Ok, so what consumes all that energy? The only separate thing I’ve been able to measure without much trouble is the current consumed by the receiver module, and it is almost exactly 4mA. And I have checked the datasheets for the decoder IC, the tone generator and the LM358. The decoder IC’s current consumption is unknown, because the datasheet only gives the current consumption in stand-by mode with the oscillator stopped and all the address pins floating. But it should not be too much – maybe it would be 0.1-0.3mA (that’s just my guess). The tone generator’s consumption should be zero, if it’s driven from an MCU pin. And the LM358 is a power-hungry beast – it typically consumes about 0.5mA.

So, everything that is left is our “unknown” MCU and the pull-up/pull-down resistors, plus leakage through other passive components, like the caps and the MOV. I think it is possible to easily shave off about 2.5-3mA of the current consumed by using slightly different parts, with the receiver still consuming 4mA. That would stretch battery life up to 800 hours, instead of 500. And if some smart algorithm were used to control the receiver’s on/off state, it might be reduced to some ridiculously small value.

Datasheets:

7 comments


    1. admin says:

      Yes, it is PIC16C54.
      amic on EEVblog explained this:

      http://www.eevblog.com/forum/product-reviews-photos-and-discussion/motorcycle-alarm-teardown-(or-why-you-don't-want-to-buy-a-cheap-alarm)/msg141969/#msg141969

      CF745 is an “untested” version of the PIC16C54 intended for the Chinese domestic market only. There is also CF775 which is a similarly untested PIC16C57.

      Untested means Microchip didn’t test the parts before packaging and shipping, and that various functions might not work at all or be up to spec. The advantage is they sell these at really low cost, it’s their strategy of selling “genuine” PIC parts in an attempt to displace the various Chinese clones around. (Don’t know if they also add some rejects too, since these are intended to be imperfect parts for non-critical applications.)

      Thanks!

  1. Motorcycle Fairing Kits For Sale says:

    I like what you guys tend to be up to. This sort of clever work and reporting!
    Keep up the fantastic works guys I’ve incorporated you guys to my personal blogroll.


  3. NANDUS says:

    Well considering 12$ compared to a “regular one” 90$ and up (still made in China) it is worth buying and it does its job! I bought mine 3 years ago and it is still on duty on my r1. After all if you really wanna steal a bike just lift it, load it on a truck and you have it!
    What more does a “real alarm” do compared to this cheap one?

  4. mobile games says:

    Hello, I want to subscribe to this blog to get the latest updates, so where can I do it? Please assist.
