One of the more frustrating things for me is when someone, or some company, attempts to control me. Typically having the desire for less responsibility, I have no desire to control individuals in this way. Recently, I started looking into what moving my alarm system to a new monitoring service would entail. The primary goal included eliminating the dependence on a landline and getting the flexibility to do reconfigurations myself. I own the alarm system and I felt like I should be able to make those changes.
Upon investigation, I found that resetting the installer code on my alarm system was a bit challenging. Searching the Internet yielded several options to try: 1234, 9876, 4112 and 6112. Unfortunately, none of those worked for my system and a call to my current alarm service company was met with, “We don’t provide those, we want to protect you from making accidental changes.” They eventually agreed to try to change the code to another value and called me back a few times. Eventually, their remote effort fizzled out, but I’m sure they would’ve changed them with an on-site visit and a $75 service fee.
A few searches on the internet suggested copying EEPROMs or analyzing them. I found that my unit used a MIC24LC64 chip and started researching ways to read it.
Disclaimer: Use this process at your own risk. It worked for me, but I practiced the process on a separate alarm panel that had no value. Removing and reading the EEPROM may result in a damaged chip or loss of configuration if it is not done properly.
EEPROM Reader and Software
For me, the biggest challenge was getting an EEPROM reader working with my computer. The EEPROM reader that I purchased is a “SMAKN® USB Port 24CXX EEPROM Programmer Reader Writer to 24C1024 for XP VISTA WIN7” that I picked up from Amazon for roughly $10. It is cheap and also lacking documentation and software. Getting the software working and reading an EEPROM was a bit of a challenge. My first recommendation is watching this video from YouTube.
As I was looking for the software for this reader, I was inundated with links to questionable sites. So it might make sense to do this on a computer that doesn’t have personal information and can be easily wiped. After following the YouTube video above, I was able to get the application to work in English and show “Connected”. Even at that point, I was unable to get it to properly read the EEPROM and all the registers showed FF.
Chip Orientation Matters
In the video, Kris calls into question the orientation of the chip. Typically, the handle on a ZIF socket is used to locate PIN 1. There is also often a square footprint on the solder joint at PIN 1. This aligned with what Kris mentioned in the video but did not seem to work with my MIC24LC64. Additionally, the positioning in the application did not work either. I actually believed that my reader might be bad.
Ultimately, I tried both possible positions on the other end of the socket. With PIN 1 in the middle, the chip was instantly VERY hot (and I assumed I had ruined it). After I turned it around, placing my chip’s PIN 1 (note the notch in one end of the chip, the end with pin 1) in the socket’s PIN 16, I was able to read data from it with the CH341 application.
Not knowing what to look for, I had preprogrammed a series of numbers as the installer code on a test unit. I was unsure whether the manufacturer used an ASCII translation or some other method of encoding the number sequence. What I found was that the sequence existed at ‘000001900E-0F’ and was visible in the HEX section of the software. In other words, each number was encoded into a sequential 4-bit nibble. To test my theory, I reinstalled the EEPROM into the surrogate system and changed it. Sure enough, the change was represented properly when I re-read the output.
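As an added example (not code from the original post), the Python below decodes a code stored in the nibble format described above, refuses an all-FF image like the failed reads mentioned earlier, and compares two dumps the way the before/after test was done. It assumes ‘000001900E-0F’ means bytes 0x190E and 0x190F of the 8 KiB image and that the high nibble holds the first digit; the sample images are constructed, not real dumps.

```python
# Added example: decode a 4-digit code stored as packed 4-bit nibbles.
EEPROM_SIZE = 8192         # 24LC64 = 64 Kbit = 8 KiB
INSTALLER_OFFSET = 0x190E  # assumption: '000001900E-0F' read as bytes 0x190E-0x190F
CODE_BYTES = 2             # two bytes = four nibbles = four digits


def looks_blank(dump: bytes) -> bool:
    """All 0xFF means an erased chip or, as in the post, a failed read."""
    return all(b == 0xFF for b in dump)


def encode_code(code: str) -> bytes:
    """Pack decimal digits two per byte (assumption: high nibble first)."""
    if len(code) % 2 or not (code.isascii() and code.isdigit()):
        raise ValueError("code must be an even number of decimal digits")
    return bytes((int(code[i]) << 4) | int(code[i + 1]) for i in range(0, len(code), 2))


def decode_code(dump: bytes, offset: int = INSTALLER_OFFSET, nbytes: int = CODE_BYTES) -> str:
    """Return the digits stored at `offset`, rejecting bad or blank dumps."""
    if len(dump) != EEPROM_SIZE:
        raise ValueError(f"expected {EEPROM_SIZE} bytes, got {len(dump)}")
    if looks_blank(dump):
        raise ValueError("dump is all 0xFF: check chip orientation and seating")
    digits = []
    for byte in dump[offset:offset + nbytes]:
        for nibble in (byte >> 4, byte & 0x0F):
            if nibble > 9:
                raise ValueError(f"nibble {nibble:#x} is not a decimal digit")
            digits.append(str(nibble))
    return "".join(digits)


def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets that differ between two dumps taken around a code change."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def sample_dump(code: str) -> bytes:
    """Constructed test image: zero-filled, with `code` at the assumed offset."""
    image = bytearray(EEPROM_SIZE)
    image[INSTALLER_OFFSET:INSTALLER_OFFSET + CODE_BYTES] = encode_code(code)
    return bytes(image)


if __name__ == "__main__":
    before, after = sample_dump("4321"), sample_dump("5678")
    print(decode_code(before), decode_code(after))
    print([hex(i) for i in changed_offsets(before, after)])
```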
Below is a graphic showing a default installer code (4321) and a default master code (1234).
Reading My Main Alarm’s Installer Code
At this point, I decided to pop the chip from my home alarm system and read it. A numeric sequence also appeared at the same location. I reinserted the chip into the panel and powered it back up. Testing the installer code by entering ‘8 – CODE – 00’ revealed that I could now access the System Programming Menu.
Reverse engineering my alarm system cost me far more in time than I would have paid the company to come out and reset it to a code they could provide to me. However, there is a great satisfaction for me when I learn something from the task at hand. I do think it is also worth mentioning that this code can be used to arm and disarm a system. Operating under the assumption that many alarm companies use a common installer code across all customers, this code may be known by all of the technicians. That’s a bit scary IMO.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.