Hello everyone, This post is going to be about one of my favorite things in the world of home security. It’s not cameras it’s the awesome inferred chamberlain driveway sensor. This IR sensor shall be known as the JLFCWPIR for the remainder of this article. Now the JLFCWPIR is a awesome, cheap, stable and relativity unjamable IR sensor. This is much better than most motion sensor because it uses both motion and heat to trigger an event. The only problem with it is it has no logging of any kind and there is a limited number of units a base station can manage. However , if you set up enough of these around your house no one is getting past with out you knowing. That is if you are home. My first hack on this device was simple. I knew little about hardware RF stuff at the time so I just bought another base station removed the speaker from the device and hooked it up to arduino that ran a program to count the number of beeps that it would have made. I then took the units and synced them to both base stations at the same time so the main base station would still beep, but I would have an arduino that put out a number. After this I hooked up the arduino to a raspberry pi via UART and wrote another program to send me a SMS via Gmail. This worked like a charm I could be anywhere and get a SMS that someone walked past my sensor. This also meant I had logging of times that a person did so. However I was dissatisfied with this. The counting had to wait until the sequence could be completed (1-6 seconds) so by the time I got a text someone was already at my front door. So I proceeded to explore other methods.

The hardware: The micro controller:PIC18F25K20 The radio:SI4432

References :

UL writeup for the FCC

A dump of the main stations firmware

Pictures: Profile Profile Profile Profile Profile Profile Profile

Step one the breakout:

So I looked deeper into the base station trying to find a UART port it seems that the UART was not configured. Next I looked at the SPI and I2C pins and there was still no readout besides chatter between the radio and the PIC chip. Eventually I hooked up a programmer to the PIC interface and went at it. I was able to dump the firmware and got some information out of it but was unable to find an enumerator.Also, I was not able to upload new firmware becaus the fuse was blown.

Step two – The RTL-SDR: Now logically I thought the best way to do this would be the cheapest way possible. Now I already had a $20 sdr so I thought it would be a piece of cake now that I had the firmware. However after writing a program in GRC I found that the sdr had a built in settle time of 5ms but the hop time of the JLFCWPIR was 2.5ms. I could not follow the FHSS signal fast enough through its 25MHz bandwidth. At this point I gave up and went back to my old method. However recently I got a hackrf and ran a test.

What could it possibly be transmitting.