AN714
Wireless Home Security Implementing KEELOQ® and the PICmicro® Microcontroller

Author: Richard L. Fischer, Microchip Technology Inc.
© 1999 Microchip Technology Inc. DS00714A

INTRODUCTION
This application note describes a Microchip system solution for a low end/power wireless home security system. This design implements an HCS200 encoder for the intruder sensor signal encryption, one PIC12C508A PICmicro® for sensor monitoring and RF signal initiation, HCS515 decoders for decrypting the received intruder sensor signal and a PIC16C77 PICmicro for base station panel monitoring and control. Other support logic is included, such as a battery back-up circuit, simple single stage lead acid battery charger and external siren control, but the focus of the application is the implementation of Microchip KEELOQ® and PICmicro products for a complete solution.

APPLICATIONS
Applications implementing low power RF wireless systems are entering the marketplace with ever increasing acceptance, fueled in part by growing awareness of the consumer. Low power wireless systems usually transmit less than 1mW of power and do not require user licenses for operation. These systems operate over distances of 5 to 100 meters, depending on the application.

Wireless systems are being implemented in the automotive, residential, personal and commercial arenas with increasing growth rates every year. Wireless systems in these areas include, but are not limited to: vehicle alarm arming and disarming, home garage and gate door openers, home lighting control, home security and fire alarm systems, pagers, cellular phones, utility meters for near-field readings, warehouse inventory control systems and RF LANs.

In many of these applications, different levels of security are required. The level of security required is dependent on the application and customer demands. For instance, a warehouse inventory control or utility meter system may require little or no security features whereas automobile access and home security alarm systems will require more.

No matter what level of security features is implemented, one vulnerable link in low power RF wireless based security systems is the actual RF signal itself. An RF based system could allow the would-be intruder/thief to use a code scanning or a code grabbing system to possibly gain unauthorized access to the home, car or other less secure system.

Code scanning is an effective tool for the would-be thief on systems with a limited number of possible code combinations, which are found in quite a number of remote control systems. Patience, time and a hand-held microprocessor based system are all the intruder would need.

Code grabbing is a far easier way of gaining unauthorized access. In this method, the thief would monitor and capture the RF signal used in opening the home garage door or car. The thief would then wait until an opportune moment and then retransmit this code to gain access.

It is apparent that secure remote control systems can be implemented if two conditions are met. The KEELOQ code hopping system meets both these conditions with ease.

1. A large number of possible combinations must be available.
   A 66-bit transmission code is used to make scanning impossible. The 32-bit encrypted portion provides for more than 4 billion code combinations. A complete scan would take 17 years! If the 34-bit fixed portion is taken into account, the time required for a complete scan jumps to 5,600 billion years.
2. The system may never respond twice to the same transmitted code.
   The random code algorithm will never respond to the same code twice over several lifetimes of a typical system.

Every time a remote control button is pushed, the system will transmit a different code. These codes appear random to an outsider; therefore, there is no apparent relationship between any code and the previous or next code.

For more information on code scanning, code grabbing and an introduction to KEELOQ Code Hopping, see Technical Brief TB003, titled “An Introduction to KEELOQ Code Hopping”. Refer to the Secure Data Products Handbook, Microchip document number DS40168, for additional information on KEELOQ® products.
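
The second condition above (never responding twice to the same transmitted code) can be seen in receiver logic like the following. This is an added example, not code from the application note or from Microchip: the cipher is a stand-in 4-round Feistel permutation and not the KEELOQ algorithm, and the counter/discriminator layout of the 32-bit word, the 16-code acceptance window, the sample key and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of the 32-bit hopping word: counter (high 16) | discriminator (low 16). */
#define WINDOW 16  /* assumed: how far ahead of the last counter a code may be */
enum verdict { ACCEPT, REPLAY, OUT_OF_WINDOW, BAD_CODE };
typedef struct { uint32_t key; uint16_t disc; uint16_t last; } receiver;

/* Round function of the stand-in cipher (a 4-round Feistel, NOT KEELOQ). */
static uint16_t f(uint16_t h, uint32_t k, int r) {
    uint32_t v = (h + (k >> (r * 8))) * 0x9E37u + (uint32_t)r;
    return (uint16_t)(v ^ (v >> 7));
}
uint32_t hop_encrypt(uint32_t p, uint32_t k) {
    uint16_t l = (uint16_t)(p >> 16), r = (uint16_t)p;
    for (int i = 0; i < 4; i++) { uint16_t t = l ^ f(r, k, i); l = r; r = t; }
    return ((uint32_t)l << 16) | r;
}
uint32_t hop_decrypt(uint32_t c, uint32_t k) {
    uint16_t l = (uint16_t)(c >> 16), r = (uint16_t)c;
    for (int i = 3; i >= 0; i--) { uint16_t t = r ^ f(l, k, i); r = l; l = t; }
    return ((uint32_t)l << 16) | r;
}
/* Transmitter: bump the counter on every button press, then encrypt it. */
uint32_t transmit(uint16_t *ctr, uint16_t disc, uint32_t key) {
    *ctr = (uint16_t)(*ctr + 1);
    return hop_encrypt(((uint32_t)*ctr << 16) | disc, key);
}
/* Receiver: accept only codes whose counter is ahead of the last one seen. */
enum verdict receive(receiver *rx, uint32_t code) {
    uint32_t p = hop_decrypt(code, rx->key);
    if ((uint16_t)p != rx->disc) return BAD_CODE;       /* wrong key or noise */
    uint16_t delta = (uint16_t)((p >> 16) - rx->last);  /* distance mod 2^16 */
    if (delta == 0 || delta > 0x8000) return REPLAY;    /* same or older code */
    if (delta > WINDOW) return OUT_OF_WINDOW;           /* too far ahead */
    rx->last = (uint16_t)(p >> 16);
    return ACCEPT;
}
int main(void) {
    const uint32_t key = 0xC0FFEE11u;  /* constructed sample key */
    uint16_t ctr = 0;
    receiver rx = { key, 0x5A5A, 0 };
    uint32_t grabbed = transmit(&ctr, 0x5A5A, key);
    printf("first use: %d\n", receive(&rx, grabbed));  /* 0 = ACCEPT */
    printf("replay:    %d\n", receive(&rx, grabbed));  /* 1 = REPLAY */
    return 0;
}
```

A captured code is rejected once the receiver's stored counter has moved to or past it, which is what defeats code grabbing.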

With the arrival of the Microchip KEELOQ code hopping security products, secure remote control systems can be implemented. Microchip provides a complete security solution with a full range of encoders and decoders that incorporate the Company’s patented KEELOQ code hopping technology algorithm, allowing you to get the most advanced security technology. KEELOQ encoders are designed to be the transmitters, and KEELOQ decoders the receivers, of secure remote keyless entry (RKE) systems.

The KEELOQ encoders feature on-chip, error corrected EEPROM for non-volatile operation and, therefore, reduce the required components normally external to the encoder. The only additional components required are push buttons, a battery and RF circuitry.

The KEELOQ decoders are single-chip solutions that employ normal and secure learning mechanisms, and operate over a wide voltage range. Microchip decoders are also full-featured with a serial interface to PICmicro microcontrollers, allowing designers to integrate the decoder with system functionality.

SYSTEM OVERVIEW
The Microchip KEELOQ solution is being implemented into more and more systems requiring proven security. Systems such as, but not limited to:
• Automotive security
• Gate and garage door openers
• Identity tokens
• Software protection
• Commuter access
• Industrial tagging
• Livestock tagging
• Parking access
• Secure communications
• Residential security

One simple example implementing the KEELOQ solution is a home security system. The home security system described herein utilizes KEELOQ code hopping security products and a PICmicro microcontroller. Some specific system design goals for this low end/power security system were:
• Wireless solution
• Secure RF transmissions
• Battery operation of intruder sensors for a minimum of 1.5 years
• Sensor module flexibility to operate with various off-the-shelf switches for doors and windows
• Microcontroller based system
• Battery back-up system which provides for up to 10 hours of operation at a load draw of 400mA
• System remote arm and disarm by means of the existing garage door opener (not completely implemented in the current release)

The three main hardware components which comprise this home security system are the Base Station Panel, the Intruder Sensor Modules and the Battery Charger/Accessory Unit.

SYSTEM DESCRIPTION
The following sections provide a more in-depth look into each of the three main hardware components.

BASE STATION PANEL
The home security base station panel provides for:
• Monitoring of sensor module initiated RF signals
• User interface and system setup via the 4x4 keypad
• Visual feedback via the 2x16 character Liquid Crystal Display (LCD) module
• On-board piezo buzzer control
• Real-time clock
• Monitoring of a single stage battery charger unit
• Automatic DC power selection circuit

The base station can be functionally divided into 4 main components:
1. KEELOQ HCS515 decoder interface.
2. Power supply switching circuit.
3. Battery charger unit monitoring.
4. LCD and 4x4 keypad interface.

Base Station Operation
One of the more important tasks the base station’s microcontroller (PIC16C77) must handle is to monitor and process the output data of the two HCS515 decoders. Each decoder is capable of learning up to seven sensor modules or “zones”. Within each zone, there are four different message types which the PIC16C77 must decode and process (see Appendix A, Figure 6 for the following text description).

For example, a sensor module may send an alarm, okay, test or learn transmission. In turn, the PIC16C77 reads the data (up to 80 bits) from the HCS515 decoder, evaluates the message contents and initiates the appropriate action. If an alarm condition occurs, the external siren will be activated and the internal panel piezo buzzer (BZ1) will sound, if enabled. For any valid signal reception, such as a test, learn, sensor okay condition or alarm transmission, the history profile for that sensor module will be updated. This update consists of a time stamp and the sensor module’s battery status. If the sensor battery status indicates a low battery state, then the base panel piezo buzzer will beep (if enabled) four times every minute until the condition is resolved. The user can determine which sensor module battery is low through proper keypad selections and the individual zone battery status displayed on the LCD.

The base station can be placed into a “learn” mode so as to learn up to seven sensors (zones). Through proper keypad selections, the PICmicro commands the HCS515 decoder into the learn mode (see Figure 1 and Table 1). Once placed in this mode, two consecutive transmissions by the sensor are required to complete a successful learn. Once a sensor is learned, a “key” name for that zone must be selected. A menu will automatically appear on the LCD for this selection process. Currently up to 15 different key names are available to choose from. The selected key name is then stored in the HCS515 EE user space.

The history profile of each sensor is written to the available user EEPROM in the HCS515 decoder. The total EEPROM data space available in the HCS515 is 2Kbits. System data space is 1Kbits and user memory space is the remaining 1Kbits. System data space is not accessible by the user (see Table 2 for the user EEPROM memory map). The demodulated data input into the decoders is obtained from a super regenerative data receiver referenced RF1 (see Appendix A, Figure 7; Part Number RR3-433.92, manufactured by Telecontrolli). The receiver has a typical RF sensitivity of -105dBm and consumes 3mA, maximum.

A Microchip microcontroller supervisory circuit, MCP130-475, is used to ensure the required system panel operating voltage range is adhered to. The brown-out feature on the PIC16C77 was not used since the base panel system operating voltage range is 4.5 to 5.5 VDC.

The base station panel is designed to operate from one of two available DC input sources: the converted AC line power or the 12V lead-acid battery back-up (see Appendix A, Figure 5 for the following text description). Both DC sources are fed into the panel via connector JP1. From JP1, each source is input to a separate adjustable voltage regulator. The primary DC source regulator, U2, has its Vout set to 5.50 VDC, while the secondary DC source regulator, U3, has its Vout set to 5.05 VDC. Both regulator outputs are fed into separate inputs of the automatic battery back-up switch, U1.

Switch U1 is an 8-pin monolithic CMOS I.C. which senses the DC level of the two input sources and connects the supply of the greater potential to its output, pin 1. This is a break-before-make switch action and switching typically occurs in 50µs. Capacitor C9 is used to minimize the switching transient during the transition. One limitation of the switch is its current switching capability. The maximum continuous current of the switch is exceeded by this panel design, so two PNP transistors were added, which provide for greater power switching.

The implementation of the PNP transistors is such that when the primary source is the greater of the two, pin 6 of U1, labeled “PBAR”, is effectively tied to ground internally and therefore Q1 is biased into saturation. In this configuration, Q3 is in the off state because pin 3, labeled “SBAR”, is at hi-impedance.

When the secondary DC source is the greater of the two, Q3 will be biased into saturation and Q1 will be off. In either state, the load is handled through the transistors and the “VO” pin of U1 is no longer required. However, the “VO” pin is configured for driving LEDs, which indicate the DC source selected.

The PIC16C77 receives status back relating to the switch selection via the signal labeled “PSOURCE”. The state of this feedback signal is active low when the primary DC source is selected, and active high if the secondary source is selected.

This power switching circuit also allows the PIC16C77 to select the secondary source, even if the primary source is present. If the signal labeled “BATSEL” is asserted high by the PIC16C77, NPN transistor Q2 will be turned on and effectively reduce Vout of U2 to 1.25 VDC. U1 will detect the drop and switch to the backup source. This feature can be used as a test mechanism. Finally, VOUT of U3 supplies the voltage reference, VREF, for the Analog-to-Digital module on the PIC16C77. This signal is labeled “VBAT”.

As with any home security system, it is important to provide for backup power in the event of a primary source failure. A simple single stage back-up/charger unit is provided for this requirement. Based upon a load draw of 400mA, 10 hours of operation are provided for. This is a worst-case scenario, which includes a 170mA (typical) current draw from the external siren.

The PIC16C77 samples the battery voltage once per minute. If the sampled battery voltage is less than ~12.75 VDC, the current limit resistor, R15, is switched in; if it is greater than 12.75 VDC, R15 is bypassed (see Appendix A, Figure 9 and Appendix A, Figure 10). The user can view the battery voltage on the LCD by pressing the appropriate keys on the 4x4 keypad (see Table 1).

The system LCD and 4x4 keypad provide for system status feedback and setup. Status information, such as sensor module battery state, zone faults and time-of-day, is displayed on the 2x16 character LCD. The LCD is updated by the PIC16C77 through data transfers on PORTD (see Appendix A, Figure 6 and Appendix A, Figure 7).

System parameter setup, such as enabling the internal piezo buzzer, time-of-day setup, zone naming and alarm initiating, is provided through the 4x4 keypad. System test modes are also entered through the keypad. The keypad is interfaced to PORTB, which utilizes the interrupt on change feature.

FIGURE 1: 4x4 Keypad Layout
[Schematic: 4x4 keypad (keys 0-9, PANIC, ALT, T, AUX, ESC, #) connected to PIC16C77 pins RB0-RB7; resistor values of 100 and 82K and a VDD connection are labeled.]

TABLE 1: 4x4 Keypad Selections versus Respective System Response
Column headings: Primary 4x4 Keypad Entry, Secondary 4x4 Keypad Entry, Final 4x4 Keypad Entry, System Response

System Response:
• Arm System Immediately w/o entry of User Code and w/o Arm time delay
• Arm System via entry of User Code and enable arm time delay (5 minutes)
• Enable Internal Piezo Buzzer to sound if selected
• Select Battery as Power Source to System
• Monitor Battery Voltage if primary is Selected
• Review Battery on/off cycle time and daily cycle count
• Review number of learned transmitters (sensor modules/zones)
• Review sensor module battery status and check time-of-day last received
• Check on Alarm conditions for system (was an Alarm signal received)
• Place HCS515 decoder in ‘Learn’ mode and execute
• Place HCS515 decoder in ‘Erase All’ mode and execute
• Toggle if time-of-day will be displayed on LCD
• Set / Change time-of-day via keypad entries
  Keys 1 & 4 for incrementing/decrementing hours count
  Keys 2 & 5 for incrementing/decrementing minutes count
  Keys 3 & 6 for incrementing/decrementing seconds count
• Entry of 4-digit User Code. The 4-digit Master Code must be known and entered before the User code can be changed. Master code in ROM via SQTP
• Set time for key wait expiration.
• Disable System Armed State with Entry of User Code
• Clear LCD Screen
• Disable Internal Piezo Buzzer from sounding if selected
• Clear Alarm Zone Trip Status for LCD
• Toggle LCD Backlight

Primary 4x4 Keypad Entry: PANIC, T, #, 1, ALT, 5, 8, N/A, 9, ESC, #, 0, 1, PANIC, ESC, N/A, N/A, N/A, N/A, N/A, N/A
Secondary 4x4 Keypad Entry / Final 4x4 Keypad Entry: N/A, N/A, N/A, 1, 2, 3, 6, 1, 2, 7, AUX, 6, N/A, 1, 2, 7, 1, 2