Napco 1632 virtual keypad project

LAST UPDATE 29/7/2018 : This will be the first unfinished project that is posted on this blog. After spending three months, I got some info that the version of the panel I have,  does not support automation. If you notice from the data sniffed from the keypad bus, only keepalives, lcd messages and time sync data exists. If for example a zone triggers an alarm, data sent to the keypad do not refer to the zone number. So you have to always grab the text of the LCD. 

Another thing that lead me to abandon this project, is that NAPCO does not provide any info on this panel like DSC etc. so it is very difficult to reverse engineer. 

I think that security systems such as alarm panels, are not so sophisticated. They stay with the same philosophy over the years, so I might begin a project on making my own security system, using an arduino or a raspberry PI. The only thing sure is that I will not invest on any NAPCO security system or any other system at all after realizing that for example the NAPCO NL-MOD module is just a simple Lantronix Ethernet-to-serial device with a custom firmware and they are selling it for 150 euros… 

I will leave this port active though, for someone who will need the info posted here.

I am currently working on a project regarding some hack on my alarm panel. It’s a napco 1632. I am trying to reverse engineer communications in order to build a webapp to control the panel remotely. There are some options provided by napco, but need separate hardware.

My system is equipped with NL-MOD-UL module that gives you the ability to configure the alarm panel through LAN. This module is connected on the serial port of the panel. The panel has the ability to send real-time status messages through the serial port and receive commands like system arm, but napco hasn’t developed any application to do that. They have only quickloader for configuration and management of the panel.

Newest modules like STARLINK or IBR-ZREMOTE give the ability to control the panel remotely, but the hardware is expensive. So, as I said,  I am trying to reverse engineer for a solution. The newest modules are not connected on the serial  port of the panel but on the keypad bus. I have already ordered a logic analyzer in order to decode the bus. But until I receive my logic analyzer, I did some attempts to read it via an arduino MEGA. I made a circuit with an optocoupler because the voltage is to high for the arduino to handle.

Here is the arduino code : ttl-debug

The bus of napco 1632 has four cables :

  • RED ( +12V )
  • BLACK ( GND )
  • YELLOW ( Keypad TX – Panel RX )
  • GREEN ( Panel TX – Keypad RX )

I was able to read the data that the panel transmits to the keypad. I believe that the bus uses something among TTL or UART. The speed of the bus is :

  • Baudrate : 5208
  • Data bits : 8
  • Parity : Even
  • Stop bits : 1

But I will verify it again with the logic analyzer.

The panel sends all the information displayed on the keypad. My keypad is a DXRP1 which has an LCD of two lines and 16 characters per line. The messages from the panel are sent per line in HEX :

31 3B 00 00 01 20 00 00 00 00 31 36 2D 45 4E 54 52 41 4E 43 45 20 20 20 20 20 11
1 6 E N T R A N C E
31 3B 00 00 01 60 00 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 CD
BLANK LINE

From the above, green HEX is the info displayed in the line. The last red byte is the checksum of the message. CheckSum8 Modulo 256 is used for checksum. The second 27 bytes indicate a blank line. Another info when the system is ready to arm. Information is displayed on both lines of the keypad :

31 3B 00 00 01 20 00 00 02 00 53 59 53 54 45 4D 20 52 45 41 44 59 20 20 20 20 89
S Y S T E M R E A D Y
31 3B 00 00 01 60 00 00 02 00 31 35 2D 30 34 2D 31 38 20 30 38 3A 32 38 50 4D 25
1 5 0 4 1 8 0 8 : 2 8 P M

Also messages for K series keypads like K2AS is transmitted. This keypad has LCD of one line that displays 6 characters  :

31 31 00 00 01 23 00 00 01 00 46 41 55 4C 54 20 23
F A U L T

Again the last byte is the message checksum.

Periodically the panel sends keep alive messages to the keypad. These messages are 13 bytes long. I programmed a second keypad just to verify. These messages are sent almost every 100ms :

Keypad 1:

21 4D 00 00 01 01 40 00 00 90 00 00 40

Keypad 2:

22 4D 00 00 01 01 40 00 00 90 00 00 41

In blue is the ID of the keypad. Keypad 1 is HEX 21, keypad 2 is HEX 22 and so on. The last byte is the message checksum.

The keypad in idle, always transmits the following 4 byte message to the panel. This message is transmitted to the panel 10ms after the above 13 byte keep alive message is received by the keypad :

Keypad 1:

21 44 01 66

Keypad 2:

22 44 01 67

Again the last byte is the message checksum.

There are also some messages that send date and time on the keypad but I was not able to decode them. They might update the clock on the keypads. They are sent from the panel enery 3 seconds. These messages are also 27 bytes long.

Month Day Year Hour Minutes CRC
31 3B 00 06 04 15 18 08 28 00 79 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 AC
31 3B 00 06 04 15 18 08 28 00 09 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 1C
31 3B 00 06 04 15 18 08 28 00 79 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 AC
31 3B 00 06 04 15 18 08 28 00 09 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 1C
31 3B 00 06 04 15 18 08 28 00 79 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 AC
31 3B 00 06 04 15 18 08 28 00 17 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 0E
31 3B 00 06 04 15 18 08 28 00 09 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 1C
31 3B 00 06 04 15 18 08 28 00 79 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 AC
31 3B 00 06 04 15 18 08 29 00 09 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 1B
31 3B 00 06 04 15 18 08 29 00 79 06 00 03 00 00 00 00 00 00 00 00 00 00 00 00 AB

So if any of you reading this blog, have info on the above or tried something similar,  please get in touch. I will update this post with my newest findings.

Wizz…

Update 10/05/2018 : I just received my logic analyzer and I did a test. Keep alive messages are sent by the panel to the keypad between 80ms and 100ms. The keypad responses 10ms after the message received.

Update 23/6/2018 : I have managed to pull the keypad display to my PC, via a python3 script. With the help of a TTL to RS232 conveter, I connected the bus cables (RX and ground) from the optocoupler to the converter and with a RS232 cable to the serial port of the PC. I think I will go with a raspberry PI on this. Here is the python script :

import serial

ser = serial.Serial('/dev/ttyS1', baudrate=5208, bytesize=8, parity=serial.PARITY_EVEN, stopbits=1, timeout=1)
while True:
    reading = ser.read(1)
    if reading == b'\x31':
        reading = ser.read(3)
        if reading == b'\x3b\x00\x00':
            reading = ser.read(22)
            if (reading[1:2]) == b'\x20':
                print("1: " + reading[6:].decode('utf-8'))
            else:
                print("2: " + reading[6:].decode('utf-8'))
                print("-------------------")

Leave a Reply

Your email address will not be published. Required fields are marked *