This time I’ve got my hands on a very cheap motorcycle alarm with remote start capability. Here I will show you why you never want to buy a cheap alarm for your car or motorcycle, and I will also explain what makes it tick.
This alarm was ripped out of a scooter because it had been draining the battery (only 4Ah capacity) in about two weeks. Since the scooter was ridden pretty rarely, this was a big problem for the owner.
Inside, this alarm is packed pretty tightly. Because it is a motorcycle alarm, there is not much space inside a bike to put all the usual stuff, like a shock sensor, a full-size siren and external high-current relays. So it’s all packed inside the main body.
You can see the piezoelectric transducer with some additional weight on the left. It acts as a shock sensor, generating electricity when vibration is detected.
Unlike in car alarms, this alarm’s siren circuitry is integrated inside the main module, and the siren itself is just a simple piezoelectric transducer. That’s why you can see the transformer in the middle (bottom), which is used to drive the siren: in order to get it to scream really loud, you need to step up the voltage from 12V to the much higher voltage required by the piezoelectric transducer.
Overall it is made very cheaply: single-sided paper board, all lowest-quality through-hole components, everything hand-soldered, and some bodginess going on because of the lack of board space.
Some components were barely holding in place. A little more vibration and the alarm would’ve failed.
In the middle you can see an LM358 and a bunch of passives, which are used for shock sensor signal conditioning.
On the right is a ULN2003, which is a Darlington transistor array. It is used for controlling the relays, because the microcontroller itself isn’t capable of delivering enough current on its I/O pins.
At the top you’ll find an M3763A-1C, which is a single-sound/melody horn/siren sound generator. But it cannot drive the siren by itself. The designers of this alarm used one of the Darlington drivers from the ULN2003 in conjunction with a TIP-42C (100V, 6A PNP power transistor) to drive a step-up transformer, which then drives the piezoelectric-transducer-based siren.
PT2294-L4 is a simple remote control decoder IC, which you can find in many RF remotes and similar consumer electronics. Now this is the most interesting part of all this “security system” bullshit, which I’ll talk about in a second.
The microcontroller used is a CF745-04/P, which has the Microchip logo on it. But the strange thing is, I wasn’t able to find any information on this chip at all, and at the same time this MCU seems to be pretty popular, because the Chinese market is flooded with CF745-04/P offerings: “Original Microchip CF745, bla bla bla..” I searched the Microchip website and found nothing. Maybe I don’t know where to look? So if you know what this micro is, I would be glad to hear it.
Update: CF745 is an untested version of the PIC16C54 manufactured for the Chinese market by Microchip, to compete with local MCU manufacturers. Big thanks to amic from the EEVblog forum for this explanation!
And of course there’s a simple 433MHz receiver module on top.
Now for the most interesting part about this (and other similar) alarm(s): the so-called “security”. Well, is it secure? Nope! In fact, it really simplifies the job for thieves. If you install such an alarm in your vehicle, they’ll say a big thank you! And here’s why:
It transmits the same code over and over again. It doesn’t have any rolling code (hopping code) or time-based code. Therefore it is vulnerable to a dead-simple replay attack. Anyone who knows a bit of electronics could build a code scanner for such an alarm using a simple 433MHz receiver, a microcontroller and a transmitter on the same frequency. Just leave “the box” not far from the vehicle, let it capture the codes, and easily unlock the vehicle without using any physical force. And in this case, since this alarm has remote start capability, a thief can not only unlock your vehicle but also easily start it.
Isn’t that cool? No physical intrusion, just go there and take it for a joy ride! And all that without knowing much about electronics and cryptography..
The 433MHz receiver receives the signal from the remote key fob, then the signal goes to the PT2294-L4 remote control decoder, which is connected to the microcontroller with 5 lines: four data lines and one VT (Valid Transmission) line. When the PT2294 detects the right input sequence from the receiver, it sets VT high, which tells the MCU that a new command has been received and that it should check the state of those four data bits to know which command it is.
Every alarm has its own hard-wired address, which is set by the solder jumpers you can see on the left (yellow rectangle). The decoder chip has 8 tri-state address pins, and each pin can be set to either “1”, “0” or “f” (floating). So it effectively makes for 3^8 = 6561 combinations. You can read more about that in the PT2294 datasheet, which you’ll find at the bottom of this page.
Here I captured some waveforms on the PT2294 data pin (coming from the 433MHz receiver):
Here you can see three packets that have been received. Each packet contains the same sequence of ones and zeros, so if one packet is received incorrectly due to interference, you can always wait for another, “undamaged” packet.
Here is a close-up of part of a packet. It’s really easy to parse this data with a microcontroller and then store it.
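To make the replay problem concrete, here is a small Python model, added for this write-up and not code from the alarm or its chips: a fixed-code receiver in the spirit of the PT2294 described above (8 tri-state address digits, 4 data bits, VT modelled as a non-None return) next to a generic counter-plus-MAC rolling-code scheme. The rolling-code scheme, the HMAC key and the frames are constructed for illustration, not any vendor’s design.

```python
import hashlib
import hmac

ADDRESS_DIGITS = ("0", "1", "f")   # each of the 8 tri-state pins: low, high or floating


def address_space():
    """Number of distinct jumper settings: 3 ** 8 = 6561, as the post states."""
    return len(ADDRESS_DIGITS) ** 8


class FixedCodeReceiver:
    """Models the PT2294 side: a frame carries the 8-digit address and 4 data
    bits; VT goes high (a value is returned) whenever the address matches.
    Nothing in the frame changes between presses, so a captured frame is
    indistinguishable from a fresh one."""

    def __init__(self, address):
        assert len(address) == 8 and set(address) <= set(ADDRESS_DIGITS)
        self.address = address

    def receive(self, frame):
        address, data = frame
        if address != self.address:
            return None            # VT stays low, MCU ignores the packet
        return data                # VT high; MCU reads the 4 data bits


class RollingCodeFob:
    """Constructed counter-plus-MAC fob (illustrative, not a vendor scheme)."""

    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self, data):
        self.counter += 1
        tag = hmac.new(self.key, f"{self.counter}:{data}".encode(), hashlib.sha256).digest()[:4]
        return (self.counter, data, tag)


class RollingCodeReceiver:
    """Accepts each counter value once, within a window, and checks the MAC."""

    def __init__(self, key, window=16):
        self.key, self.counter, self.window = key, 0, window

    def receive(self, frame):
        counter, data, tag = frame
        if not self.counter < counter <= self.counter + self.window:
            return None            # replayed (counter already used) or too far ahead
        expected = hmac.new(self.key, f"{counter}:{data}".encode(), hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(expected, tag):
            return None            # forged or corrupted frame
        self.counter = counter     # advance so this frame is never accepted again
        return data
```

The fixed-code receiver returns the same data bits for a frame no matter how many times it has already seen it; the rolling-code receiver accepts a frame exactly once and rejects a frame whose tag was altered.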
And the remote from this alarm looks like this:
In the remote control they’ve used a PT2260-R45, which is a remote control encoder IC.
Looks like everything in the remote key fob is also hand-soldered. “Top quality” assembly..
You can spot the same solder jumpers there as in the base unit. These jumpers should be set to the same configuration as in the main unit (I guess it should be obvious).
I was interested in what kind of voltages and waveforms go to the siren. Since it’s a simple piezoelectric transducer, the voltage amplitude should be pretty big, but the question is: how big?
This is what one “chirp” looks like:
Close-ups of different parts of the waveform:
And finally the amplitude:
Hm.. 150V – pretty cool, huh? You can wire it up to the handlebars and have the thief experience the whole “hundred-and-fifty-volts-joy” thing.
Finally, I roughly checked the current consumption of this alarm, which was the main reason why it was scrapped. In the following photo, I am measuring the current consumption of the 433MHz receiver.
The full current consumption of this alarm in stand-by mode is about 8mA. Not the worst current consumption, but for a motorcycle alarm it could be a bit better.
Let’s do some simple math. Since this alarm uses a simple linear regulator, it consumes constant current, not constant power. And we have a 4Ah scooter battery.
4Ah / 0.008A = 500 hours = 20 days and 20 hours.
So the battery would be completely dead in about 20 days. A pretty short time, if you ask me. But in reality it’s not even 20 days, because the battery doesn’t need to be completely discharged before you can no longer start the scooter. Even half of that would be enough.
OK, so what consumes all that energy? The only separate thing I’ve been able to measure without much trouble is the current consumed by the receiver module, and it is almost exactly 4mA. I have also checked the datasheets for the decoder IC, the tone generator and the LM358. The decoder IC’s current consumption is unknown, because the datasheet only gives the consumption in stand-by mode with the oscillator stopped and all the address pins floating. But it should not be too much; maybe 0.1-0.3mA (that’s just my guess). The tone generator’s consumption should be zero if it’s driven from an MCU pin. And the LM358 is a power-hungry beast: it consumes about 0.5mA typical.
So everything that is left is our “unknown” MCU and the pull-up/pull-down resistors, plus leakage through other passive components like caps and the MOV. I think it is possible to easily shave off about 2.5-3mA of current consumption by using somewhat different parts, with the receiver still consuming 4mA. That would stretch battery life to 800 hours instead of 500. And if some smart algorithm were used to control the receiver’s on/off state, it might be reduced to some ridiculously small value.