Hacking a Passive Infrared (PIR) Sensor with a PIC
I got my hands on a Quorum RR-150 PIR sensor from Electronic Goldmine. My goal was to make a receiver for the sensor. The PIR sensor uses a PT-2262 encoder chip connected to a DIP switch to generate random variations. The signal generated is 434 MHz.
First things first. I needed to make sense of the signal pattern that was coming out of the PT-2262 encoder chip. I connected an RCR-433-AS receiver module to the DisCo USB oscilloscope and took a couple of screenshots of the pattern with different DIP settings to decipher it.
The DIP switch has 6 switches, of which 2 through 6 are connected to the PT2262 encoder. The 1st switch appears to control whether the remaining 5 switches are connected to Vdd or Vss. Turning on a DIP switch sets the port to Vdd or Vss (depending on switch 1), and turning it off leaves the port floating, which is detected as a distinct state by the encoder.
The output pattern looks similar to this. There is a total of 25 bits in the pattern. The last 15 bits seem similar irrespective of the DIP switch setting. So that would be the signature to look for when detecting this particular PIR sensor.
The first 5 bits all show floating patterns.
DIP switch set at: 1-off 2-on 3-off 4-on 5-off 6-on
Since the first switch is set to off, the switches are all connected to Vss. So 'on' is represented by a '0' and 'off' is represented by a floating pin.
DIP switch set at: 1-on 2-on 3-off 4-off 5-off 6-off
Since the first switch is on, all the switches are connected to Vdd. So 'on' is represented by '1' and 'off' is still a floating pin.
So there it is... With this, we can now detect a unique signature pattern from the PIR sensor and also detect the DIP switch setting.
The PIC I chose for the project is a midrange 12F683. It's perfect for this project because of its compact form factor (8-pin DIP) and Timer gating capability. (Timer gating is when the timer is incremented only while there is an input on the Timer Gating pin.)
In order to read these signals, the output from the RF receiver module is connected to the T1G port of the PIC. This will increment the timer when the input goes high. After a full pulse is received, the PIC checks whether the pulse is a long pulse or a short pulse based on its duration.
After determining the type of the pulse, the bit type (1, 0 or floating) is constructed based on the sequence of the pulses (i.e. 2 short pulses is '0', 2 long pulses is '1', a short pulse followed by a long pulse is floating 'f') and stored in an array. Holding the push button down for 5 seconds enables 'learning mode', which is used to store the code into the EEPROM.
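The pulse pairing described above, combined with the DIP switch mapping from the earlier observations, as an added C example that is not the author's PIC firmware. The tick threshold, the sample widths and the assumption that the first five symbols are switches 2 to 6 in order are constructed for illustration; the page gives no timing figures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed short/long boundary in Timer1 ticks (not from the page). */
#define LONG_MIN_TICKS 600u
/* Constructed pulse widths for DIP 1-off 2-on 3-off 4-on 5-off 6-on. */
static const uint16_t SAMPLE[10] = {300,310, 290,900, 305,300, 300,910, 295,300};

/* Pair pulses into symbols: short+short='0', long+long='1',
   short+long='f' (floating). long+short is undefined, so it is
   rejected as noise. Returns symbols written, or -1 on error. */
int decode_symbols(const uint16_t *w, size_t n_pulses, char *out, size_t cap)
{
    size_t n = n_pulses / 2;
    if (n + 1 > cap) return -1;
    for (size_t i = 0; i < n; i++) {
        int first_long  = w[2 * i]     >= LONG_MIN_TICKS;
        int second_long = w[2 * i + 1] >= LONG_MIN_TICKS;
        if (first_long && !second_long) return -1;
        out[i] = !second_long ? '0' : (first_long ? '1' : 'f');
    }
    out[n] = '\0';
    return (int)n;
}

/* Recover switches 1-6 from the first five symbols (assumed order:
   switches 2-6). dip[]: '1' on, '0' off, '?' unknown. Mixed '0' and '1'
   cannot occur because switch 1 selects one rail for all, so return -1. */
int dip_from_symbols(const char *sym, char dip[7])
{
    char rail = 'f';
    for (int i = 0; i < 5; i++) {
        if (sym[i] != '0' && sym[i] != '1' && sym[i] != 'f') return -1;
        if (sym[i] == 'f') { dip[i + 1] = '0'; continue; }
        if (rail != 'f' && rail != sym[i]) return -1;
        rail = sym[i];
        dip[i + 1] = '1';
    }
    dip[0] = (rail == 'f') ? '?' : rail;  /* '1' = Vdd = switch 1 on */
    dip[6] = '\0';
    return 0;
}

int main(void)
{
    char sym[8], dip[7];
    if (decode_symbols(SAMPLE, 10, sym, sizeof sym) != 5 || dip_from_symbols(sym, dip)) return 1;
    printf("symbols=%s dip(1..6)=%s\n", sym, dip);
    return 0;
}
```

When all five symbols are floating, switch 1 cannot be determined from the signal, which is why it is reported as '?'.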
- IC1 - 12F683 PIC
- LED1 - 3mm LED
- R1 - 220 Ohm resistor
- R2 - 39 Ohm resistor
- S1 - Push button switch
- K1 - Relay (170 ohm)
- IC2 - 78L05 5v Voltage regulator
- C1 - 0.1uF capacitor
- Radiotronix RCR-433-RP RF receiver module