-
Notifications
You must be signed in to change notification settings - Fork 2
Protocol
This is an attempt to reverse engineer the protocol that is used by the Jablotron 6x alarm to communicate over the JA-80T serial cable with the ComLink software.
| baud rate | 9600 |
|---|---|
| data bits | 8 |
| stop bits | 1 |
| parity | None |
| flow control | None |
| offset | size | description |
|---|---|---|
| 00 | 1 byte | Record type |
| .. | variable | payload |
| -2 | 1 byte | some kind of checksu |
| -1 | 1 byte | 0xFF - indicates end of message |
List of known record types
| Record type | description |
|---|---|
| 80 - 8f | key pressed |
| a0 - af | Audio/Beeps |
| b0 - bf | Internal commands |
| e0 - e2 | General status (send periodically) |
| e3 | Service event |
| e4 | User event |
| e5 | Alarm settings/time ??? |
| e6 | Alarm settings (individual checkboxes) |
| e7 | Some other event (send periodically) |
| e8 | Some different event |
| e9 | Sensor seen motion in service mode |
| ec | Settings from GSM communicator |
record types 80 are being send by the switchboard to echo the pressed keys, as well these codes could be send over serial line to switchboard to emulate the key presses (in the input mode the 0xFF terminator is omitted)
| offset | size | description |
|---|---|---|
| 00 | 1 byte | Key being pressed |
| 01 | 1 byte | 0xFF - indicates end of message |
this is the mapping of the keypad keys to their serial codes, special keys like with the pictograms are emulated as e.g. F1, F2 ... etc. (see the manual) The serial codes 0x8A - 0x8D do get accepted by the switchboard and are confirmed by beeps but do not do anything.
| Code | Key |
|---|---|
| 0x80 | 0 |
| 0x81 | 1 |
| 0x82 | 2 |
| 0x83 | 3 |
| 0x84 | 4 |
| 0x85 | 5 |
| 0x86 | 6 |
| 0x87 | 7 |
| 0x88 | 8 |
| 0x89 | 9 |
| 0x8E | N |
| 0x8F | F |
record types a0 - aa are likely requests for peripherials to emit various kinds of beeps.
| offset | size | description |
|---|---|---|
| 00 | 1 byte | Beep type |
| 01 | 1 byte | 0xFF - indicates end of message |
there are following types of audio beeps spotted so far:
| Code | Description |
|---|---|
| 0xa0 | single short beep - (e.g. when key gets pressed) |
| 0xa1 | single long beep - (e.g. when entering service mode) |
| 0xa2 | two long beeps - (e.g. when disarmed) |
| 0xa4 | 4 short beeps (e.g. when N gets pressed) |
| 0xa8 | infinite beeping (e.g. after being armed) |
| 0xaa | seen when arming/disarming |
b0 - bf seems to be internal commands that various periferials use to request data from other periferials. You may send these codes without the trailing 0xff to dispatch the request yourself and the command will be echoed back (with trailing 0xff)
| offset | size | description |
|---|---|---|
| 00 | 1 byte | Comman |
| 01 | 1 byte | 0xFF - indicates end of message |
commands seen so far:
| Mode | Description |
|---|---|
| 0xb1 | responds with e3 and e7 events 4d 1b |
| 0xb2 | responds with e3 and e7 ... 05 b1 and fires tamper alarm :-( |
| 0xb3 | responds with e3 and e7 16 b1 |
| 0xb4 | ??? - end of response / confirmation ? |
| 0xb5 | list of e4 events from switch board |
| 0xb6 | ??? - (does nothing when send) |
| 0xb7 | ??? - seen when switching to service mode (does nothing when send) |
| 0xb8 | ??? - seen when switching to user mode (does nothing when send) |
| 0xb9 | responds with e8 10 |
| 0xba | responds with e7 event 48 1b |
| 0xbb | responds with e3 and e7 .. 53 1b |
| 0xbc | responds with e3 and e7 .. 54 1b |
| 0xbd | ??? - (does nothing when send) |
| 0xbe | ??? - (does nothing when send) |
| 0xbf | responds with e4 17 04 19 56 46 1b 5f ff |
Record type e0 is general status, it is send periodically every second or so by the alarm. When the arming is delayed the e0 events get replaced by e1 events and when the delay is about to expire with e2 events. Once fully armed they go back to e0.
| offset | size | description |
|---|---|---|
| 00 | 1 byte | e0 - general status |
| 01 | 1 byte | mode |
| 02 | 1 byte | binary status of leds ??? |
| 03 | 1 byte | content of display ??? |
| 04 | 1 byte | strength of GSM signal ??? |
| 05 | 1 byte | always zero in my case |
| 06 | 1 byte | checksum |
| 07 | 1 byte | 0xFF - indicates end of message |
Mode:
| Value | Mode |
|---|---|
| 0x00 | service mode |
| 0x20 | user mode |
| 0x40 | disarmed |
| 0x70 | armed B ? |
Led status:
| Value | Activates LED |
|---|---|
| 0x01 | Power LED |
| 0x02 | Alarm LED |
Display:
| Value | Content of display |
|---|---|
| 0x01 | Number 1 |
| 0x02 | Number 2 |
| 0x59 | Empty display |
| 0x5b | symbol "-" |
| 0x5f | two vertical bars |
Examples of e0 messages:
| message | description |
|---|---|
| e0 40 01 59 75 00 3d ff | in normal mode nothing on display |
| e0 40 01 5b 75 00 06 ff | after pressin F on keypad |
| e0 40 01 5b 75 00 06 ff | after pressing 5 on keypad, display shows symbol '-' |
| e0 20 01 09 75 00 38 ff | user mode |
| e0 20 01 17 75 00 07 ff | user mode |
| e0 20 03 02 75 00 34 ff | user mode, sensor 1 seen motion |
| e0 20 03 01 75 00 43 ff | user mode, sensor 2 seen motion |
| e0 00 01 1a 75 00 57 ff | service mode |
| e0 00 03 02 75 00 11 ff | service mode, sensor 2 seen motion |
| e0 00 01 1a 7f 00 15 ff | service mode, happens sometimes |
| e0 73 21 5f 76 00 53 ff | arming B mode (display shows 2 vertical bars) |
| e0 73 21 5f 75 00 2d ff | arming B mode |
| e0 73 21 5f 72 00 58 ff | arming B mode |
| e0 73 21 5f 75 00 2d ff | arming B mode |
| e0 41 11 59 75 00 76 ff | fully armed A + B |
| e1 51 21 59 75 00 37 ff | delayed leave |
| e2 51 21 59 75 00 26 ff | delay is about to expire |
| e2 44 05 14 75 02 1f ff | tamper alarm, digital bus ;-) |
Record type e3 is probably some time stamped service event from the alarm. It often happens that the same event is send as e3 and as well as e7 right away.
| offset | size | description |
|---|---|---|
| 00 | 1 byte | e3 - service event |
| 01 | 1 byte | day (BCD encoded) |
| 02 | 1 byte | month (BCD encoded) |
| 03 | 1 byte | hour (BCD encoded) |
| 04 | 1 byte | minute (BCD encoded) |
| 05 | 1 byte | Event type |
| 06 | 1 byte | Event data |
| 07 | 1 byte | checksum |
| 08 | 1 byte | 0xFF - indicates end of message |
Examples of event types / event data
| Event type | Event data | Message |
|---|---|---|
| 0x08 | 0x00 | ?? right after arming |
| 0x09 | 0x00 | Switchboard, control panel, system armed |
| 0x41 | 0x1c | Serial port, service mode started |
| 0x42 | 0x1c | Serial port, service mode ended |
| 0x44 | 0x1b | Phone line, message send to number 1 |
| 0x46 | 0x1b | Phone line, message send to number 2 |
| 0x48 | 0x1b | Phone line, message send to number 3 |
| 0x50 | 0x00 | Switchboard, control panel, all tamper sensors OK |
TBD