Hardware Hacking - Protecting Dev' Board I/O by Hacking an Alarm Panel

by Sarlacii

A previous 2600 article "Hardware Hacking - An Introduction Via Dev' Boards" in 29:4 discussed the popularity of development boards (Raspberry Pi, Atmel Xplained Pro, BeagleBoard, Arduino, etc.) for delving into the world of hardware hacking.

Odds are you will have come across one of these development boards yourself in a device that makes use of one, or perhaps you've started to do some development of your own.

In the latter case, one of the immediate issues you will come across is how exactly to interface with the outside world, in a way that does not destroy your new device.

This article explores some of the basic methods for interfacing such digital and analog input/output (I/O) ports with external signals, and details a cost-effective hack using any alarm panel for obtaining suitable protection without costly PCB layouts.  Please note that the descriptions are kept simple on purpose, and are not intended to be exhaustive or mathematically complete... this is not a university textbook, just a hacking treatise to spark the mind.

Most development boards consist of an MCU (microcontroller unit, a.k.a. "uC") that has the majority of its ports run out directly to nice "Berg-pin" headers.  These are standard 2.54 mm spaced pin headers, made famous by the likes of Molex, but used and cloned by everyone.  Some of the clones feature 2.5 mm (metric) spaced pins.  Either way, you source the matching receptacles from your local electronics store, often using the press-fit socket type that takes a ribbon cable, and you are set to go with connecting your development board to outside signals.  The problem, however, is that you have to be careful, as the pins of the MCU generally run straight to the breakout header, as mentioned above, and thus do not include any form of protection or signal conditioning.  This keeps them as generic as possible, but at the cost of immediate application.

The need for protection, in layman's terms, comes about because of two issues.  One is voltage breakdown.  The other is overheating.

Regarding voltage breakdown, an MCU is rated to withstand a specific voltage on each pin.  This is usually pegged to some sort of percentage (say five percent) above the MCU's power supply voltage (5V or 3.3V being common).  Incidentally, the place to find this limit is in the MCU's datasheet, which will be available from the manufacturer's website using the part number of the MCU.

It's a treasure-trove of information, and the electrical limits section is worth reading, even if the rest is TLDR!  Any signal that exceeds this maximum voltage may permanently damage the port pin by breaking down the junctions and insulation within the MCU silicon die.  Once this happens, that pin, and perhaps the entire MCU, is junk.

The second issue relates to the amount of current that an MCU's pins can source or sink.  Ohm's Law governs the interactions of voltage (V), current (I), and resistance (R): V = I * R

Resistance effectively represents the heating effect a certain current flow has through a conductor at a specified voltage.  It's a linear relationship in its simplest form, ignoring the complications of "reactance."  For now, it's good enough to know that you need sufficient resistance in the path to prevent your MCU from internal overheating, owing to a current flow that is too high.  As with voltage, the MCU's data sheet will tell you what the limits are.

So, how do we actually prevent an external signal from causing either over-voltage or over-current damage to our port pins?  In other words, how do we add resistance?

          R1
pin <>---WWWW---<> external signal

Figure 1: Simple in-line, or "series" resistor (R1) to protect an input/output.

In Figure 1, a resistor R1 is placed in series with the external signal and port pin.  This limits the amount of current that can flow, as well as the voltage at the pin.

A value of 1k is generally good enough for external devices that need some current to work (like an output to an LED), or 10k for signals that are low-current (like CMOS devices).

In the latter case, you may be talking from your MCU via a serial pin to a modern TTL-to-RS232 converter that takes your MCU's 5V digital I/O and boosts it to +/- 12V for sending to a serial port on a computer.  The IC used to do this translation, for example, might be a MAX232 that has high resistance ports.  These ports do not draw much in the way of current (on the order of nanoamperes) and as such a high resistance like 10k will not affect the signal (leaving aside all the complicated electronics etc.).

Check out "digital protection," "MCU protection," and "analog input protection" and others on the Internet for more detailed information.

The next issue, however, is finding a way to protect all the ports that you wish to use.  If it's only one pin you're using, then you can make do with a few needful, leaded, components twisted together.

But if you wish to do a whole lot of things, you might consider making your own interface board with numerous components on it to protect a variety of pins.  A cheap way could be to use something like stripboard (e.g., Veroboard) to make up what you need using leaded components.  But again, you then have to figure out what you need and how to wire it up.  You might also consider doing your own PCB (printed circuit board) layout, but that requires even more of a learning curve to master the PCB layout program, components, and again the wiring... and also costs anything from $150 to $300 to get it made.

My hack is to go out and find a security shop or, even better, a security installation company.

From either you obtain an "intruder alarm panel," for example, a Paradox 5050, DSC 1632, Texecom Veritas/Premier, or IDS 805 unit - the list is long.

The older types of panel (which you may well get for free from the installation company as swap-outs from upgraded systems!) are better, as the components used on the board will hopefully be older technology, and thus bigger (0805 or 1206 Surface Mount Technology [SMT], or even leaded components).

Bigger components are easier to play with, since the trend to 0603 or smaller components with most electronics means that components are so small they are hard to see, let alone work with using tweezers and a soldering iron.

A standard alarm panel does quite a few things, many of which require the very type of interfacing components discussed above.  These panels also come with very detailed installer manuals, available on the Internet, that detail the operation of the various features and their associated terminal blocks.  This aids the hacking process by removing the fog of war that would otherwise obscure the function of each particular terminal on the panel.

Firstly, there are zone input terminals, which generally use a resistor divider to measure for zone triggers from connected sensors, as shown in Figure 2 above.  An external 3.3 kohm resistor divides the supply voltage (3.3 / (3.3 + 5.6) * 5 = 1.85V), which is then fed to an ADC on the main MCU.

This allows the connection of other resistors to detect different events.  These zone inputs can be used to protect both digital I/O and ADC inputs.
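
The divider arithmetic above, carried through to ADC counts and a basic zone-state check, as an added example (not from the original article or from any panel's firmware).  The 10-bit ADC, the 5V reference, the 5.6k resistor sitting on the supply side, the state names, and the tolerance windows are assumptions; only the 3.3k, 5.6k, and 5V figures come from the text.

```c
#include <stdio.h>

/* Assumptions (not from the article): the 5.6k resistor sits between the
   5 V supply and the zone terminal, the external resistor goes to GND,
   and the MCU has a 10-bit ADC referenced to the same 5 V. */
#define VSUPPLY_MV   5000L
#define R_BOARD_OHM  5600L
#define ADC_MAX      1023L

typedef enum { ZONE_SHORT, ZONE_NORMAL, ZONE_OPEN, ZONE_UNKNOWN } zone_state_t;

/* Terminal voltage in mV for an external resistance to GND. */
long zone_millivolts(long r_ext_ohm)
{
    return VSUPPLY_MV * r_ext_ohm / (r_ext_ohm + R_BOARD_OHM);
}

/* Ideal ADC count for that terminal voltage. */
long zone_adc_counts(long r_ext_ohm)
{
    return zone_millivolts(r_ext_ohm) * ADC_MAX / VSUPPLY_MV;
}

/* Classify a raw reading against the expected external resistor.
   tol_pct widens the "normal" window for resistor and ADC tolerance. */
zone_state_t zone_classify(long adc, long r_ext_ohm, long tol_pct)
{
    long nominal = zone_adc_counts(r_ext_ohm);
    long window  = nominal * tol_pct / 100;

    if (adc < 0 || adc > ADC_MAX)      return ZONE_UNKNOWN; /* not a valid count */
    if (adc <= ADC_MAX * 5 / 100)      return ZONE_SHORT;   /* loop shorted to GND */
    if (adc >= ADC_MAX * 95 / 100)     return ZONE_OPEN;    /* loop cut, pin at supply */
    if (adc >= nominal - window && adc <= nominal + window)
        return ZONE_NORMAL;                                  /* expected resistor present */
    return ZONE_UNKNOWN;                                     /* some other resistance */
}

int main(void)
{
    static const long samples[] = { 0, 379, 600, 1023 };    /* constructed readings */
    static const char *names[]  = { "short", "normal", "open", "unknown" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("adc=%4ld -> %s\n", samples[i],
               names[zone_classify(samples[i], 3300, 10)]);
    return 0;
}
```

If you remove the on-board resistor to use a zone terminal as a plain digital input, the middle window no longer applies and only the short/open thresholds are meaningful.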

Secondly, the panel will have some programmable outputs.

These may use relays, or simply switch transistors.  The use of transistors, even a low current type like the very common BC817, is helpful to our cause, as a development board's output can easily drive the transistor which can then be used to drive a larger load (that draws more current).  This is exactly what the outputs do for the alarm panel in the case of driving a relay onboard, or similar load externally, so again it saves a lot of fiddling to simply take over the circuits for our own purpose.

Thirdly, a siren output will be present on the PCB.

The good old fashioned way of driving a siren is simply via a large relay on the PCB (assuming an active siren, the most common type).  The drive circuit from the MCU on the alarm panel will include a transistor to step up the power applied to the relay coil, as well as the important reverse EMF protection across the relay coil.

If this protection isn't present, then often an attempt to turn the relay on will work once, but never again after power is removed that first time.

This is owing to a "starter-motor" effect (reverse EMF) that occurs on any magnetic coil.  Instead of trying to figure it all out, a simple solution is to use the siren relay as-is.  Read the side of the relay, near where the siren connects.  It'll generally be a smallish square plastic box... with writing on it to give the part number and perhaps a few vital statistics, like drive voltage (12V) and the switching ability (1A at 12V, 0.2A at 125 VAC etc.).  This will tell you about what sort of power you will be able to feed through the relay, like driving an LED versus switching a mains-supplied light.

Fourthly, the panel will include a few extra power terminals for peripheral sensors.  These make life much easier for our development board hacking, as we now have a bunch of lovely terminals to connect all the extra electronics to, as well as providing power for our development board itself.

It's common to find 12V and GND (0V) terminals, with perhaps high current "TX" outputs, for connecting current-hungry radio transmitters.  These are usually good to carry a few amperes at 12 VDC.  Also present on the PCB will be ancillary power supplies for the MCU.

Use a multimeter (voltage measuring device) to trace the power lines from the regulators and/or switch mode power supplies.  These can be useful for powering our development board directly, or other sensors, as the power supplies will be properly regulated with noise immunity already designed in.

The last nice feature to take advantage of, fifthly, is the fact that most alarm panels come with battery backup.

Check the manual for details, but in almost all the cases you will find two battery leads, with a red and black cable, sticking off the alarm PCB near the power terminals.  These most often clip onto a 12V, 7 Ah, sealed, lead-acid battery (a.k.a., "alarm battery" or "alarm gel-cell") that is charged automatically from the alarm panel's onboard power supply.  Nice!

Connecting a suitable battery will give your development board access to uninterrupted power, good for hours depending on what you draw off the battery.  A simplistic calculation is to say that if you have a 7 Ah battery, that means you can draw 1A for seven hours, or 7A for one hour, etc.

The curve is not exactly linear, but that's good enough for a rough indication of how long the backup will last.  If you require better estimates, then go online and look at the calculations available for commercial Uninterruptible Power Supply (UPS) systems.  You'll get a good idea from there.

The next step is to read off the part number of the existing MCU on the alarm panel PCB so that you can look up its datasheet on the Internet.  There you will find a pin map for all the pins on the device, which will help you identify what track is connected to where.

For example, the pin map will show you the Vcc (positive power) pins, and Vdd/GND (negative power) pins.  It'll also show you the I/O pins, allowing you to trace them to the zone inputs and programmable output transistors.

Read through the datasheet and trace all the lines from the MCU pins that match the functionality you need, like the line to that very useful driver circuit for the siren output relay.

Then cut the existing MCU loose from the PCB.  Use a sharp box-cutter or blade, pressing on the little pins up against the side of the plastic die.

Crunch through the pins until the die pops free.  If the MCU is old enough to be leaded, then you may only need to just pop it free of its IC holder.

Either way, clean off the left over pins using your soldering iron, if required, and there you have access to the very PCB traces that carried the previous MCU's signals!

You can now simply solder on a wire to the trace that you want to use, and then run the wire back to your development board's header.  Run all the wires you need, benefiting from the already present protective circuits.

One caveat, of course, is to ensure that you trace each line from MCU to terminal block, to discover exactly what the existing circuit looks like!

They are all subtly different, and may need a little simple modification to suit your needs, for example, removing a resistor to allow digital reads instead of using an ADC pin and so forth.

However, hacking some protection for your development board is so much easier now, as you have existing pads, copper layers, power, and tracks to work with!

Happy alarm panel hacking!

  1. 2600 - Winter 2012-2013
  2. 10 Ways to Destroy an Arduino - Rugged Circuits
  3. Arduino Protection: How to Make Sure Your Project Won't Kill Your Arduino - Tinker Hobby
  4. Microcontroller Interfacing

(Missing Figure 2?)
