Protocol
This is an attempt to reverse engineer the protocol that is used by the Jablotron 6x alarm to communicate over the JA-80T serial cable with the ComLink software.
baud rate | 9600 |
---|---|
data bits | 8 |
stop bits | 1 |
parity | None |
flow control | None |
offset | size | description |
---|---|---|
00 | 1 byte | Record type |
.. | variable | payload |
-2 | 1 byte | some kind of checksum |
-1 | 1 byte | 0xFF - indicates end of message |
List of known record types
Record type | description |
---|---|
80 - 8f | key pressed |
a0 - af | Audio/Beeps |
b0 - bf | Internal commands |
c0 - c1 | ??? |
de | ??? |
e0 - e2 | General status (sent periodically) |
e3 | Service event |
e4 | User event |
e5 | Alarm settings/time ??? |
e6 | Alarm settings (individual checkboxes) |
e7 | Some other event (sent periodically) |
e8 | Some different event |
e9 | Sensor seen motion in service mode |
ea | ??? |
eb | ??? |
ec | Settings from GSM communicator |
fe | ??? |
Record types 80 - 8f are sent by the switchboard to echo the pressed keys. These codes can also be sent over the serial line to the switchboard to emulate key presses (in the input mode the 0xFF terminator is omitted).
offset | size | description |
---|---|---|
00 | 1 byte | Key being pressed |
01 | 1 byte | 0xFF - indicates end of message |
This is the mapping of the keypad keys to their serial codes. Special keys, such as those with pictograms, are emulated as e.g. F1, F2, etc. (see the manual). The serial codes 0x8A - 0x8D are accepted by the switchboard and confirmed by beeps, but do not do anything.
Code | Key |
---|---|
0x80 | 0 |
0x81 | 1 |
0x82 | 2 |
0x83 | 3 |
0x84 | 4 |
0x85 | 5 |
0x86 | 6 |
0x87 | 7 |
0x88 | 8 |
0x89 | 9 |
0x8E | N |
0x8F | F |
Record types a0 - aa are likely requests for peripherals to emit various kinds of beeps.
offset | size | description |
---|---|---|
00 | 1 byte | Beep type |
01 | 1 byte | 0xFF - indicates end of message |
The following types of audio beeps have been spotted so far:
Code | Description |
---|---|
0xa0 | single short beep - (e.g. when key gets pressed) |
0xa1 | single long beep - (e.g. when entering service mode) |
0xa2 | two long beeps - (e.g. when disarmed) |
0xa4 | 4 short beeps (e.g. when N gets pressed) |
0xa8 | infinite beeping (e.g. after being armed) |
0xaa | seen when arming/disarming |
b0 - bf seem to be internal commands that various peripherals use to request data from other peripherals. You may send these codes without the trailing 0xff to dispatch the request yourself, and the command will be echoed back (with the trailing 0xff).
offset | size | description |
---|---|---|
00 | 1 byte | Command |
01 | 1 byte | 0xFF - indicates end of message |
commands seen so far:
Mode | Description |
---|---|
0xb1 | responds with e3 and e7 events 4d 1b |
0xb2 | responds with e3 and e7 ... 05 b1 and fires tamper alarm :-( |
0xb3 | responds with e3 and e7 16 b1 |
0xb4 | ??? - end of response / confirmation ? |
0xb5 | list of e4 events from switch board |
0xb6 | ??? - (does nothing when sent) |
0xb7 | ??? - seen when switching to service mode, silent alarm fired or disarmed (does nothing when sent) |
0xb8 | ??? - seen when switching to user mode (does nothing when sent) |
0xb9 | responds with e8 10 |
0xba | responds with e7 event 48 1b (last message in the log ?) |
0xbb | responds with e3 and e7 .. 53 1b |
0xbc | responds with e3 and e7 .. 54 1b |
0xbd | ??? - (does nothing when sent) |
0xbe | ??? - (does nothing when sent) |
0xbf | responds with e4 17 04 19 56 46 1b 5f ff |
There is a routine for handling c0 and c1 in the ComLink software; however, the meaning of these codes is still unknown.
The 0xde events are special-cased in the ComLink software so that they are ignored. Not sure what they are supposed to do.
Record type e0 is the general status; it is sent by the alarm periodically, every second or so. When the arming is delayed, the e0 events are replaced by e1 events, and when the delay is about to expire, by e2 events. Once fully armed, they go back to e0. e2 is also used all the time during the entry delay or when a silent alarm is fired.
offset | size | description |
---|---|---|
00 | 1 byte | e0/e1/e2 - general status |
01 | 1 byte | mode |
02 | 1 byte | binary status of leds ??? |
03 | 1 byte | content of display ??? |
04 | 1 byte | strength of GSM signal/battery?? |
05 | 1 byte | zero one or two |
06 | 1 byte | checksum |
07 | 1 byte | 0xFF - indicates end of message |
Mode:
Value | Value (binary) | Mode |
---|---|---|
0x00 | 0000 0000 | service mode |
0x20 | 0010 0000 | user mode |
0x40 | 0100 0000 | disarmed |
0x41 | 0100 0001 | armed |
0x44 | 0100 0100 | tamper/silent alarm |
0x45 | 0100 0101 | alarm triggered |
0x49 | 0100 1001 | entry delay |
0x51 | 0101 0001 | arming |
0x61 | 0110 0001 | zone A armed |
0x63 | 0110 0011 | zone B armed |
0x69 | 0110 1001 | entry delay B |
0x71 | 0111 0001 | zone A arming |
0x73 | 0111 0011 | zone B arming |
Led status:
Value | Activates LED |
---|---|
0x01 | Power |
0x02 | Alarm |
0x04 | Tamper |
0x07 | Malfunction |
0x10 | Lock LED ON |
0x20 | Lock LED Blinking |
0x40 | Wireless communication |
0x80 | ??? |
Display:
Value | Content of display |
---|---|
0x01 | 1 |
0x02 | 2 |
0x03 | 3 |
0x04 | 4 |
0x05 | 5 |
0x06 | 6 |
0x07 | 7 |
0x08 | 8 |
0x09 | 9 |
0x0A | 10 |
0x0B | 11 |
0x0C | 12 |
0x0D | 13 |
0x0E | 14 |
0x0F | 15 |
0x10 | 16 |
0x11 | A |
0x12 | b ? |
0x13 | C |
0x14 | d |
0x17 | U |
0x1a | P |
0x1c | L |
0x1d | J |
0x21 | c1 |
0x22 | c2 |
0x23 | c3 |
0x24 | c4 |
0x25 | c5 |
0x26 | c6 |
0x27 | c7 |
0x28 | c8 |
0x41 | number 1 (alarm LED blinking) |
0x53 | ' C' (alarm LED blinking) |
0x59 | Empty display or ',,' |
0x5b | symbol "-" |
0x5e | ', ' |
0x5f | ' ,' |
0x?? | H |
0x?? | F |
0x?? | E |
Zero one or two:
this field is most of the time zero, however it's nonzero in these cases:
Value | When seen |
---|---|
0x01 | When armed and delayed PIR sensor was triggered |
0x02 | When time for delayed entry expired and alarm was triggered |
Examples of e0 messages:
message | description |
---|---|
e0 40 01 59 75 00 3d ff | in normal mode nothing on display |
e0 40 01 5b 75 00 06 ff | after pressing F on keypad |
e0 40 01 5b 75 00 06 ff | after pressing 5 on keypad, display shows symbol '-' |
e0 20 01 09 75 00 38 ff | user mode |
e0 20 01 17 75 00 07 ff | user mode |
e0 20 03 02 75 00 34 ff | user mode, sensor 1 seen motion |
e0 20 03 01 75 00 43 ff | user mode, sensor 2 seen motion |
e0 00 01 1a 75 00 57 ff | service mode |
e0 00 03 02 75 00 11 ff | service mode, sensor 2 seen motion |
e0 00 01 1a 7f 00 15 ff | service mode, happens sometimes |
e0 73 21 5f 75 00 2d ff | arming B mode |
e0 73 21 5f 72 00 58 ff | arming B mode |
e0 73 21 5f 75 00 2d ff | arming B mode |
e0 41 11 59 75 00 76 ff | fully armed A + B |
e1 51 21 59 75 00 37 ff | delayed leave |
e2 51 21 59 75 00 26 ff | delay is about to expire |
e2 44 05 14 75 02 1f ff | tamper alarm, digital bus ;-) |
e0 71 21 5e 76 00 03 ff | arming sector A (lock LED is blinking) |
e0 61 21 5e 75 00 3e ff | armed sector A (lock LED is continuously on ?) |
e0 61 11 5e 7f 00 10 ff | armed sector A (lock LED is continuously on) |
e0 73 21 5f 75 00 2d ff | arming sector B (lock LED is blinking) |
e0 63 21 5f 75 00 6e ff | sector B armed (lock LED is continuously on ?) |
e0 63 11 5f 75 00 02 ff | sector B armed (lock LED is continuously on) |
e0 51 21 59 76 00 27 ff | sector A armed + arming sector B (lock is blinking + slow beeps) |
e1 51 21 59 74 00 1d ff | sector A armed + arming sector B (lock is blinking + slow beeps) |
e2 51 21 59 75 00 26 ff | sector A armed + arming sector B (lock is blinking + fast beeps) |
e0 41 21 59 75 00 1a ff | both sectors armed (lock led is continuously on, no beeps ?) |
e0 41 11 59 75 00 76 ff | both sectors armed (lock led is continuously on, no beeps) |
e2 49 11 59 75 01 3f ff | armed, delayed PIR sensor triggered, entry delay started |
e2 45 31 59 75 02 37 ff | armed, entry delay expired, alarm triggered |
e0 45 13 01 75 02 70 ff | alarm triggered, siren on, key pressed on keypad |
e0 40 03 41 76 00 05 ff | alarm successfully disabled, alarm LED blinking, Display: "1" |
e2 44 03 13 76 00 13 ff | silent alarm on |
e2 44 03 13 75 00 6d ff | silent alarm on |
e2 44 03 13 74 00 47 ff | silent alarm on |
e0 40 03 53 75 00 7d ff | silent alarm deactivated, alarm LED blinking, Display: " C" |
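
A small decoder for the 0xFF framing and the e0/e1/e2 layout described above, as an added example that is not part of the original page or of the ComLink software. Function and key names are assumptions, the lookup tables are copied from this page, and the checksum byte is only reported because its algorithm is not known here.

```python
# Added example; function and key names are illustrative, tables are from this page.
MODES = {
    0x00: "service mode", 0x20: "user mode", 0x40: "disarmed", 0x41: "armed",
    0x44: "tamper/silent alarm", 0x45: "alarm triggered", 0x49: "entry delay",
    0x51: "arming", 0x61: "zone A armed", 0x63: "zone B armed",
    0x69: "entry delay B", 0x71: "zone A arming", 0x73: "zone B arming",
}
# Single-bit LED values only. The table's 0x07 (Malfunction) overlaps three
# other bits, so it is left out rather than guessed at.
LEDS = {0x01: "power", 0x02: "alarm", 0x04: "tamper", 0x10: "lock on",
        0x20: "lock blinking", 0x40: "wireless"}


def split_frames(buf: bytes):
    """Split raw serial bytes on the 0xFF terminator.

    Returns (frames, rest): complete frames without the terminator, plus the
    unterminated tail to prepend to the next read."""
    *frames, rest = buf.split(b"\xff")
    return [f for f in frames if f], rest


def decode_status(frame: bytes) -> dict:
    """Decode one e0/e1/e2 general status frame (terminator already removed)."""
    if len(frame) != 7 or frame[0] not in (0xE0, 0xE1, 0xE2):
        raise ValueError("not a general status frame: " + frame.hex())
    rtype, mode, leds, display, byte4, flag, checksum = frame
    return {
        "type": rtype,
        "mode": MODES.get(mode, "unknown 0x%02x" % mode),
        "leds": [name for bit, name in LEDS.items() if leds & bit],
        "display": display,      # raw code, see the Display table
        "byte4": byte4,          # GSM signal/battery?? per the page
        "flag": flag,            # the "zero one or two" field
        "checksum": checksum,    # algorithm unknown: reported, not verified
    }


# Constructed capture: three messages from this page plus a truncated fourth.
CAPTURE = bytes.fromhex(
    "e0 40 01 59 75 00 3d ff a0 ff e2 49 11 59 75 01 3f ff e0 41")

if __name__ == "__main__":
    frames, rest = split_frames(CAPTURE)
    for f in frames:
        print(decode_status(f) if f[0] in (0xE0, 0xE1, 0xE2) else f.hex())
    print("buffered:", rest.hex())
```
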
Record type e3 is probably some time-stamped service event from the alarm. It often happens that the same event is sent as e3 and then again as e7 right away.
offset | size | description |
---|---|---|
00 | 1 byte | e3 - service event |
01 | 1 byte | day (BCD encoded) |
02 | 1 byte | month (BCD encoded) |
03 | 1 byte | hour (BCD encoded) |
04 | 1 byte | minute (BCD encoded) |
05 | 1 byte | Event type |
06 | 1 byte | Event source |
07 | 1 byte | checksum |
08 | 1 byte | 0xFF - indicates end of message |
Examples of event types / event source
Event type | Message |
---|---|
0x04 | Silent alarm ? |
0x05 | Tamper alarm |
0x08 | system armed |
0x09 | system disarmed |
0x0e | Exited programming mode ? |
0x16 | ??? |
0x1a | ??? |
0x41 | service mode started |
0x42 | service mode ended |
0x44 | message sent to number 1 |
0x46 | message sent to number 2 |
0x48 | message sent to number 3 |
0x4d | ??? |
0x4e | ??? |
0x50 | all tamper sensors OK |
0x53 | ??? |
0x54 | ??? |
code | Event source |
---|---|
0x00 | Switchboard, control panel |
0x1c | Digital bus / Serial Port |
0x1b | Phone line |
0x21 | Wired sensor 1 |
0x22 | Wired sensor 2 |
0x7c | Serial Port (was silent alarm) |
User event stored in memory. Same format as e3. The list of all user events stored in the system can be requested by b5.
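
Decoding the BCD timestamp and the type/source bytes of an e3/e4 message, as an added example that is not part of the original page or of the ComLink software. Function and key names are assumptions, the tables are copied from this page, and the sample is the e4 reply listed for command 0xbf.

```python
# Added example; names are illustrative, tables are copied from this page
# (entries the page marks "???" are omitted).
EVENT_TYPES = {
    0x04: "silent alarm ?", 0x05: "tamper alarm", 0x08: "system armed",
    0x09: "system disarmed", 0x0E: "exited programming mode ?",
    0x41: "service mode started", 0x42: "service mode ended",
    0x44: "message sent to number 1", 0x46: "message sent to number 2",
    0x48: "message sent to number 3", 0x50: "all tamper sensors OK",
}
EVENT_SOURCES = {
    0x00: "switchboard", 0x1C: "digital bus / serial port", 0x1B: "phone line",
    0x21: "wired sensor 1", 0x22: "wired sensor 2",
    0x7C: "serial port (was silent alarm)",
}


def bcd(byte: int) -> int:
    """Decode one packed-BCD byte, rejecting nibbles above 9."""
    hi, lo = byte >> 4, byte & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError("0x%02x is not valid BCD" % byte)
    return hi * 10 + lo


def decode_event(msg: bytes) -> dict:
    """Decode a complete e3/e4 message, including the 0xFF terminator."""
    if len(msg) != 9 or msg[0] not in (0xE3, 0xE4) or msg[-1] != 0xFF:
        raise ValueError("not an e3/e4 event message: " + msg.hex())
    day, month, hour, minute = (bcd(b) for b in msg[1:5])
    if not (1 <= day <= 31 and 1 <= month <= 12 and hour < 24 and minute < 60):
        raise ValueError("timestamp out of range")
    etype, source = msg[5], msg[6]
    return {
        "record": "service" if msg[0] == 0xE3 else "user",
        # The message carries no year, so only day.month. hour:minute is known.
        "when": "%02d.%02d. %02d:%02d" % (day, month, hour, minute),
        "event": EVENT_TYPES.get(etype, "unknown 0x%02x" % etype),
        "source": EVENT_SOURCES.get(source, "unknown 0x%02x" % source),
        "checksum": msg[7],  # algorithm unknown: reported, not verified
    }


# The e4 reply listed for command 0xbf on this page.
SAMPLE = bytes.fromhex("e4 17 04 19 56 46 1b 5f ff")

if __name__ == "__main__":
    print(decode_event(SAMPLE))
```
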
Unknown event. Example: e5 04 11 17 07 71 ff
(received on 12.10.2018 0:12)
Configuration of the switchboard.
Example:
e6 03 01 01 4d ff - 1 chkbx
e6 03 02 01 33 ff - 2 chkbx
e6 03 03 01 19 ff - etc
e6 03 04 00 2a ff
e6 03 05 01 46 ff
....
e6 03 09 00 1d ff
e6 02 05 00 4c ff
e6 02 06 00 32 ff
e6 02 07 00 18 ff
e6 02 08 01 3d ff
Some other timestamped event; it often exactly repeats the content of the previous e3 event. The e7 event can be requested by ba.
some simple timeless status event.
Examples:
e8 0c 64 ff
e8 0b 53 ff - when switched to user mode
e8 0d 22 ff - when setting time
e8 0e 4b ff - when disarming section B
e8 0e 4b ff - when armed + delay
e8 0e 4b ff - when switched to service mode
e8 0e 4b ff - when alarm was deactivated by entering master code
e8 01 63 ff - when silent alarm fired via serial line while system was disarmed (F7 + CODE)
these events are seen when in service mode and testing sensors.
offset | size | description |
---|---|---|
00 | 1 byte | e9 - service event ? |
01 | 1 byte | Event type |
02 | 1 byte | Event source |
03 | 1 byte | RF signal ? (all zeros for me) |
04 | 1 byte | checksum |
05 | 1 byte | 0xFF - indicates end of message |
Event type
(these are in fact the codes being sent to PCO, so chances are they will match the internal event types)
code | Event |
---|---|
0x01 | alarm in immediate zone |
0x02 | alarm in delayed zone |
0x03 | fire alarm |
0x04 | silent alarm |
0x05 | alarm - num attempts exceeded |
0x06 | alarm after power on |
0x07 | tamper alarm |
0x08 | tamper recovered |
0x09 | alarm timed out |
0x0A | alarm canceled by user |
0x0B | armed |
0x0C | disarmed |
0x0D | armed partially (home) |
0x0E | armed without code |
0x0F | external communication failure |
0x10 | external communication recovered |
0x11 | malfunction |
0x12 | malfunction recovered |
0x13 | AC disconnected for longer than 30 min |
0x14 | AC disconnected |
0x15 | AC recovered |
0x16 | Battery depleted |
0x17 | Battery OK |
0x18 | Service mode started |
0x19 | Service mode ended |
0x1A | Remote access started |
0x1B | Remote access ended |
0x1C | VF receiver jamming |
0x1D | internal communication failure |
0x1E | internal communication recovery |
0x1F | test transmission |
0xea and 0xeb messages have never been seen by me, but the ComLink software loads them "similarly" as 0xe8 and 0xec. Also, the handling routine for 0xea and 0xeb is the same, so likely these would have the same structure.
These events are used by the GSM communicator to dump / set its configuration. If you are in service mode you may send these messages (they need to contain a valid checksum and the trailing 0xFF) and talk to the GSM communicator.
offset | size | description |
---|---|---|
00 | 1 byte | ec - GSM configuration/text |
01 | 1 byte | GSM message type ? |
02 | 1 byte | settings/message ID ? |
03 | variable | variable payload |
-2 | 1 byte | checksum |
-1 | 1 byte | 0xFF - indicates end of message |
GSM message type:
seen ID's
id | description |
---|---|
0x00 | terminates the list of GSM configuration (ec 00 00 12 ff) |
0x01 | configuration containing zero terminated strings (e.g. phone numbers) |
0x02 | seen when dumping GSM config (single value) |
0x03 | binary ? configuration for 40 checkboxes ? |
0x2X | configurable texts starting from ID X*100 |
0x40 | used to request configuration dumps |
Format of the 0x2X text message type
offset | size | description |
---|---|---|
00 | 1 byte | ec - GSM message |
01 | 4 bits | 0x2 - GSM text |
01 | 4 bits | base ID |
02 | 1 byte | message ID (+ base ID * 100) |
03 | 3 bytes | string length |
X | 3 bytes | Character (e.g. 20 00 00 = space) |
-5 | 1 byte | 0x00 |
-4 | 1 byte | 0x00 |
-2 | 1 byte | checksum |
-1 | 1 byte | 0xFF - indicates end of message |
Known commands you may send to the GSM communicator:
(you have to be in programming mode)
command | description |
---|---|
ec 40 05 19 ff | Dump customizable texts from GSM communicator |
ec 40 07 36 ff | Dump configuration of the GSM communicator |
unknown, seen when exiting user mode in format fe ff