Friday, March 25, 2011

Hacking a Passive Infrared (PIR) Sensor with a PIC


I got my hands on a quorum RR-150 PIR sensor from Electronic Goldmine. My goal was to make a receiver for the sensor. The PIR sensor uses a PT-2262 encoder chip connected with a DIP switch to generate random variations. The signal generated is 434 MHz.




First things first. I needed to make sense of the signal pattern that was coming out of the PT-2262 encoder chip. I connected an RCR-433-AS receiver module to the DisCo USB oscilloscope. I took a couple of screenshots of the pattern with different DIP settings to decipher it.





The DIP switch has 6 switches out of which 2 through 6 are connected to the PT2262 encoder. The 1st switch appears to control whether the remaining 5 switches are connected to Vdd or Vss. Turning on the DIP switch sets the port to Vdd or Vss (depending on switch 1) and turning it off leaves the port floating which is detected as a distinct state by the encoder.

The output pattern looks similar to this. There is a total of 25 bits in the pattern. The last 15 bits seem similar irrespective of the DIP switch setting, so that would be the signature to look for when detecting this particular PIR sensor.


The datasheet for the PT2262 indicates the following patterns for '1', '0' and floating:








DIP switch set at: 1-off 2-off 3-off 4-off 5-off 6-off
The first 5 bits all show floating patterns.







DIP switch set at: 1-off 2-on 3-off 4-on 5-off 6-on 
Since the first switch is set to off, the switches are all connected to Vss. So 'on' is represented by a '0' and an 'off' is represented by a floating pin.





DIP switch set at: 1-on 2-on 3-off 4-off 5-off 6-off
Since the first switch is on, all the switches are connected to Vdd. So 'on' is represented by '1' and 'off' is still a floating pin.


So there it is... With this, we can now detect a unique signature pattern off the PIR and also detect the DIP switch setting.


Operation:

The PIC I chose for the project is a midrange 12F683. It's perfect for this project because of its compact form factor (8-pin DIP) and Timer gating capability. (Timer gating is when the timer is incremented only when there is an input on the Timer Gating pin.)

In order to read these signals, the output from the RF receiver module is connected to the T1G port of the PIC. This increments the timer while the input is high. After a full pulse is received, the PIC checks whether it is a long pulse or a short pulse based on its duration.

After determining the type of the pulse, the bit type (1, 0 or floating) is constructed from the sequence of pulses (i.e. 2 short pulses is '0', 2 long pulses is '1', and a short pulse followed by a long pulse is floating, 'f') and stored in an array. Holding the push button down for 5 secs enables 'learning mode', which is used to store the code into the EEPROM.
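The decoding step described above, written out as an added example (not the project's source code, which is only linked from the post). The function names, the timer counts and the threshold are assumptions, the frame's 25 pulses are assumed to be twelve pulse pairs followed by one short sync pulse, and the seven trailing symbols in the sample are placeholders rather than the sensor's real signature.

```c
#include <stdio.h>
#include <string.h>

#define SH 100u                /* constructed short-pulse timer count */
#define LG 300u                /* constructed long-pulse timer count */
#define THRESHOLD 200u         /* assumed midpoint between short and long */
#define SYMBOLS 12
#define PULSES (2 * SYMBOLS + 1)

/* Constructed frame: switches 1-off 2-on 3-off 4-on 5-off 6-on give 0F0F0;
   the seven trailing F symbols are placeholders, not the real signature. */
static const unsigned sample[PULSES] = {
    SH,SH, SH,LG, SH,SH, SH,LG, SH,SH,
    SH,LG, SH,LG, SH,LG, SH,LG, SH,LG, SH,LG, SH,LG,  SH };

/* Pair up high-pulse widths into tri-state symbols; -1 on a bad frame. */
int pt2262_decode(const unsigned *w, size_t n, char out[SYMBOLS + 1])
{
    if (n != PULSES || w[PULSES - 1] > THRESHOLD) return -1; /* sync is short */
    for (int i = 0; i < SYMBOLS; i++) {
        int a = w[2 * i] > THRESHOLD, b = w[2 * i + 1] > THRESHOLD;
        if (a && !b) return -1;            /* long,short is not a symbol */
        out[i] = a ? '1' : (b ? 'F' : '0');
    }
    out[SYMBOLS] = '\0';
    return 0;
}

/* sw[0..5] = switches 1..6: 1 on, 0 off, -1 unknown. Returns -1 when the
   first five symbols mix '0' and '1', which the wiring cannot produce. */
int dip_from_code(const char *code, int sw[6])
{
    int seen0 = 0, seen1 = 0;
    for (int i = 0; i < 5; i++) {
        seen0 |= code[i] == '0';
        seen1 |= code[i] == '1';
        sw[i + 1] = code[i] != 'F';
    }
    if (seen0 && seen1) return -1;
    sw[0] = seen1 ? 1 : (seen0 ? 0 : -1);  /* all floating hides switch 1 */
    return 0;
}

int main(void)
{
    char code[SYMBOLS + 1];
    int sw[6];
    if (pt2262_decode(sample, PULSES, code) || dip_from_code(code, sw)) return 1;
    printf("%s switch1=%d\n", code, sw[0]);
    return 0;
}
```

When switches 2 through 6 are all off, every address symbol is floating and the position of switch 1 cannot be recovered from the signal, which is why `dip_from_code` reports it as unknown.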


Schematic:


Parts List:
  • IC1 - 12F683 PIC
  • LED1 - 3mm LED
  • R1 - 220 Ohm resistor
  • R2 - 39 Ohm resistor
  • S1 - Push button switch
  • K1 - Relay (170 ohm)
  • IC2 - 78L05 5v Voltage regulator
  • C1 - 0.1uF capacitor
  • Radiotronix RCR-433-RP RF receiver module
Source code for this project is available here under GPL licence.

To request the programmed chip, click here 




    17 comments:

    1. Source code link does not work, can you make a new one please!

    2. This is a project please fix the download link, I would love to play with your code.

    3. can you share your code? good video

      Replies
      1. the link to the code is in the posting.

    4. Hi Deepak,

      I have an Arduino Uno board.
      Is it difficult to rewrite the program for the Arduino?

      Greetings,
      Jack

    5. for arduino library is:
      http://code.google.com/p/rc-switch/

    6. I want to know if you can build a device that receives infrared motion sensors from all of a building and then send them to the alarm panel and alarm in this way can no longer trigger ......... my email address is andres.andres23 @ yahoo.es

    7. I am so glad that I have found your post. I have had a number of these sensors, as well as window/door open sensors from the same company that broadcast on the same frequency, for a long time now but cannot use them. I would like to buy the programmed chip from you but the above link did not work. I have learned that it is not as easy to build a receiving unit as I thought it would be, but am still willing to keep trying. I hope that you can get back to me about obtaining the coded chip. I would really appreciate it. My email is: greedy42dave@yahoo.com and I look forward to hearing from you. Thanks.

    8. Hi, This project is really interesting. Please could you post a working download link for the 12f683 code, it does not work here. Thanks.

    9. nice concept and the design of motion sensor is easy for making?

    10. if you are interested in earning some money hacking 869Mhz please contact me direct tony-hunter@hotmail.com thanks

    11. Hi...the link to the source code is broken...could you share the code please?...thanks in advance

    12. The link for the code isn't working can you send it by mail info@tehag.nl thanks

    13. The link for the code isn't working can you send it on mail niho22@gmail.com

    14. IS ANYONE OUT THERE

