taligentx / dscKeybusInterface

An Arduino/esp8266/esp32 library to directly interface with DSC security systems.
GNU General Public License v3.0

Info on 0x8D and 0x94 cmds used for keybus communication with wireless expander module #188

Open kricon opened 3 years ago

kricon commented 3 years ago

Command 0x8D seems to be used for programming the RF module; it sends data from the panel to the RF module after a programming entry is done. Note that the PC5102 and RF5108 RF modules have onboard PGM1 and PGM2 outputs and have more programming sections. Also, there are some differences between versions: earlier ones only support 2 partitions and use sections 59-60 for assigning function keys to partitions 1-2, RF5132 v5.0 assigns function keys per partition 1-8 (61-69), and RF5132 v5.1 assigns function keys per key 1-16 (61-76). It seems that the RF module also saves and keeps a record of user codes 17-32 used for keyfobs 1-16. After changing Wls key assign user codes [017][1], you need to enter/remove the associated user codes, otherwise you won't be able to disarm the system. It's interesting how the panel sends different Byte3 data for different RF module versions (sample log outputs below), but by checking Byte2 or comparing Bytes6-7 you should be able to tell for what action/section the command is sent. This is mostly copy-paste from a dump of notes I took over the last days, maybe not nicely sorted or labeled, but I've verified the byte3 data and sections several times on v3.14, v5.0 and v5.1 RF modules.

 *  Byte2: 0x31 for user programming [*5], 0x11 for RF module programming [804]/[904]
 *  Byte4: 0x00 after user action, 0x01 waiting for user action, 0x02 user data input if RF module present, 0x00 if not
 *  Byte5: digits 1-2 hex data/options 1-8
 *  Byte6: digits 3-4 hex data, otherwise 0xFF
 *  Byte7: digits 5-6 hex data, otherwise 0xFF
 *  Byte8: unknown, probably digit 7-8 data, always 0xFF
 *  Byte9: CRC ?

Byte3 (mostly taken from v5.0 unless otherwise noted):

 *  0x01 - user 17 code input (contains data on bytes5-6 or 5-7 if 6-digit codes used), byte2 0x31
 *  0x01 - zones 1-8 supervision on v3.14 [804][82], byte2 0x11
 *  0x02 - key 1 ESN input (ESN data on bytes5-6-7), byte2 0x11
 *  0x02 - zones 9-16 supervision on v3.14 [804][83], byte2 0x11
 *  0x03 - user 17 input confirmation (doesn't contain data), byte2 0x31
 *  0x03 - zones 17-24 supervision on v3.14 [804][84], byte2 0x11
 *  0x04 - user 18 code input (contains data on bytes5-7), byte2 0x31
 *  0x04 - zones 25-32 supervision on v3.14 [804][85], byte2 0x11
 *  0x05 - key 2 ESN input on v5.0 (contains data on bytes5-7), byte2 0x11
 *  0x05 - keys1-8 partition assignment on v3.14, data on byte
 *  0x06 - user 18 input confirmation (doesn't contain data), byte2 0x31
 *  0x06 - keys 9-16 partition assignment on v3.14 (on if on partition 2)
 *  0x07 - user 19 code input (contains data on bytes5-7), byte2 0x31
 *  0x07 - RF options on v3.14 [804][90], byte2 0x11
 *  0x08 - key 3 ESN input on v5.0 (contains data on bytes5-7), byte 2 0x11
 *  0x09 - user 19 input confirmation (doesn't contain data)
 *  0x0A - user 20 code input (contains data on bytes5-7)
 *  0x0B - key 4 ESN input
 *  0x0C - user 20 input confirmation
 *  0x0D - user 21
 *  0x0E - key 5 ESN input
 *  0x0F - user 21 confirm
 *  0x10 - user 22
 *  0x10 - 0x13 Partition 1 function key 1-4 [804][59] on v3.14
 *  0x11 - key 6 esn
 *  0x12 - user 22 confirm
 *  0x13 - user 23
 *  0x13 - 0x14 Partition 2 function key 1-4 [804][60] on v3.14
 *  0x14 - key 7 esn
 *  0x15 - user 23 confirm
 *  0x16 - user 24
 *  0x17 - key 8 esn v5.0/v5.1
 *  0x18 - user 24 confirm
 *  ---------------
 *  0x2E - user 32
 *  0x2F - key 16 esn v5.0/v5.1
 *  0x30 - user 32 confirm
 *  0x31 - 0x37 unknown
 *  0x38 - Wireless supervisory window [804][81] (data on byte5) v5.0/v5.1
 *  0x39 - RF jamming zone [804][93] (data on byte5) v5.0/v5.1
 *  0x3A - RF other options [804][90] (data on byte5) v5.0/v5.1
 *  0x3B - 0x40 unknown
 *  0x41 - global zone placement test (which zone on byte5, byte6 0x55 when waiting to activate)  
 *  0x42 - 0x43 unknown
 *  0x44 - zone 1 ESN input on v5.0
 *  0x44 - supervision hours on v3.14 [804][81]
 *  0x45 - zone 1 ESN input on v3.14
 *  0x46 - unknown
 *  0x47 - zone 2 ESN input on v5.0
 *  0x48 - zone 2 ESN input on v3.14
 *  0x49 - unknown
 *  0x4A - zone 3 ESN input on v5.0
 *  0x4B - zone 3 ESN input on v3.14
 *  ---------------
 *  0xA1 - zone 32 ESN input on v5.0/v5.1
 *  0xA2 - zone 32 ESN input on v3.14 
 *  0xA3 - unknown
 *  0xA4 - 0xA7 Partition/key 1 function key 1-4 [804][61]
 *  0xA8 - 0xAB Partition/key 2 function key 1-4 [804][62]
 *  0xAC - 0xAF Partition/key 3 function key 1-4 [804][63]
 *  0xB0 - 0xB3 Partition/key 4 function key 1-4 [804][64]
 *  0xB1 - Key 1 ESN input on v3.14 [804][41], data on byte5-6-7
 *  0xB4 - 0xB7 Partition/key 5 function key 1-4 v5.0 [804][65], data on byte5, byte6-7 0xFF (probably way to differ versions?)
 *  0xB4 - Key 2 ESN input on v3.14 [804][42], byte5 0xFF, data input on byte5-6-7
 *  0xB7 - Key 3 ESN input on v3.14 [804][43], byte5 0xFF, data input on byte5-6-7
 *  0xB8 - 0xBB Partition/key 6 function key 1-4 [804][66]
 *  0xBA - Key 4 ESN input on v3.14 [804][44] 
 *  0xBC - 0xBF Partition/key 7 function key 1-4 [804][67]
 *  0xBD - Key 5 ESN input on v3.14 [804][45]
 *  0xC0 - 0xC3 Partition/key 8 function key 1-4 [804][68]
 *  0xC0 - Key 6 ESN input on v3.14 [804][46]
 *  0xC3 - Key 7 ESN input on v3.14 [804][47]
 *  0xC4 - 0xC7 Key 09 function key 1-4 [804][69] on v5.1
 *  0xC4 - 0xD3 Keys 1-16 partition assignments v5.0 [804][69] (Data on byte5)
 *  0xC6 - Key 8 ESN input on v3.14 [804][48]
 *  0xC8 - 0xCB Key 10 function key 1-4 [804][70] on v5.1  
 *  0xC9 - Key 9 ESN input on v3.14 [804][49]
 *  0xCC - Key 10 ESN input on v3.14 [804][50]  
 *  0xCC - 0xCF Key 11 function key 1-4 [804][71] on v5.1
 *  0xCF - Key 11 ESN input on v3.14 [804][51]  
 *  0xD0 - 0xD3 Key 12 function key 1-4 [804][72] on v5.1
 *  0xD2 - Key 12 ESN input on v3.14 [804][52]  
 *  0xD4 - 0xD7 v5.0 zone 1-32 supervision (8 zones per section, enabled zones on byte5)
 *  0xD4 - 0xD7 Key 13 function key 1-4 [804][73] on v5.1
 *  0xD5 - Key 13 ESN input on v3.14 [804][53]  
 *  0xD8 - Key 14 ESN input on v3.14 [804][54]
 *  0xD8 - 0xDB Key 14 function key 1-4 [804][74] on v5.1
 *  0xDB - Key 15 ESN input on v3.14 [804][55]
 *  0xDC - 0xDF Key 15 function key 1-4 [804][75] on v5.1
 *  0xDE - Key 16 ESN input on v3.14 [804][56]  
 *  0xE0 - 0xE3 Key 16 function key 1-4 [804][76] on v5.1
 *  0xE4 - 0xF3 Keys 1-16 partition assignments on v5.1 [804][77] (Data on byte5)
 *  0xF4 - 0xF7 v5.1 zone 1-32 supervision (8 zones per section, enabled zones on byte5)

Unknown ones can be for earlier versions which supported 4 handheld keypads with 4 function keys per partition (each section for each function) [57]-[64]. [65]-[72] for partition 1/2 function keys 1-4. [90] for handheld keypads partition assignment.

 *  10001101 0 00010001 01000001 00000001 00000111 01010101 11111111 11111111 00111010 [0x8D] Wls programming key response    // Before WLS zone 4 placement test
 *  10001101 0 00010001 01000001 00000001 00001001 01010101 11111111 11111111 00111100 [0x8D] Wls programming key response    // Before WLS zone 5 placement test
 *  10001101 0 00010001 01000001 00000001 00001011 01010101 11111111 11111111 00111110 [0x8D] Wls programming key response    // Before WLS zone 6 placement test
 *  10001101 0 00010001 01000001 00000001 00001101 01010101 11111111 11111111 01000000 [0x8D] Wls programming key response    // Before WLS zone 7 placement test
 *  10001101 0 00010001 01000001 00000001 00100001 01010101 11111111 11111111 01010100 [0x8D] Wls programming key response    // Before WLS zone 17 placement test
 *  10001101 0 00010001 01000001 00000001 00111111 01010101 11111111 11111111 01110010 [0x8D] Wls programming key response    // Before WLS zone 32 placement test
 *  10001101 0 00010001 01000001 00000001 01111111 01010101 11111111 11111111 10110010 [0x8D] Wls programming key response    // Before WLS zone 64 placement test
 *  10001101 0 00010001 01000011 00000000 00000001 11111111 11111111 11111111 11011111 [0x8D] Wls programming key response    // Location is good, same for all zones
 *  10001101 0 00010001 01000011 00000000 00000100 11111111 11111111 11111111 11100010 [0x8D] Wls programming key response // Location is bad, same for all zones
 *  10001101 0 00010001 01000001 00000001 11111111 11111111 11111111 11111111 11011100 [0x8D] Wls programming key response    // Wireless zone is not-assigned
 *  10001101 0 00010001 10100100 00000000 00000011 11111111 11111111 11111111 01000010 [0x8D] Wls programming key response    // Enter 03 for [804][61] function 1
 *  10001101 0 00010001 10100101 00000000 00000100 11111111 11111111 11111111 01000100 [0x8D] Wls programming key response    // Enter 04 for [804][61] function 2
 *  10001101 0 00010001 10100101 00000000 00000011 11111111 11111111 11111111 01000011 [0x8D] Wls programming key response    // Enter 03 for [804][61] function 2
 *  10001101 0 00010001 10101000 00000000 00000011 11111111 11111111 11111111 01000110 [0x8D] Wls programming key response    // Enter 03 for [804][62] function 1
 *  10001101 0 00010001 10101001 00000000 00000100 11111111 11111111 11111111 01001000 [0x8D] Wls programming key response    // Enter 04 for [804][62] function 2
 *  10001101 0 00010001 11000000 00000000 00000011 11111111 11111111 11111111 01011110 [0x8D] Wls programming key response    // Enter 03 for [804][68] function 1
 *  10001101 0 00010001 11000011 00000000 00110000 11111111 11111111 11111111 10001110 [0x8D] Wls programming key response    // Enter 30 for [804][68] function 4
 *  10001101 0 00010001 00111000 00000000 00010000 11111111 11111111 11111111 11100011 [0x8D] Wls programming key response    // Enter 10 for [804][81] Wls supervisory window
 *  10001101 0 00010001 00111000 00000000 10010110 11111111 11111111 11111111 01101001 [0x8D] Wls programming key response    // Enter 96 for [804][81] Wls supervisory window
 *  10001101 0 00010001 11000100 00000000 00000001 11111111 11111111 11111111 01100000 [0x8D] Wls programming key response    // Enter 01 for [804][69] Keyfob 1 partition assignment
 *  10001101 0 00010001 11000101 00000000 00000001 11111111 11111111 11111111 01100001 [0x8D] Wls programming key response    // Enter 01 for [804][69] Keyfob 2 partition assignment
 *  10001101 0 00010001 11000110 00000000 00000010 11111111 11111111 11111111 01100011 [0x8D] Wls programming key response    // Enter 02 for [804][69] Keyfob 3 partition assignment
 *  10001101 0 00010001 11010100 00000000 11111111 11111111 11111111 11111111 01101110 [0x8D] Wls programming key response    // All 1-8 enabled in [804][82] supervision options
 *  10001101 0 00010001 11010100 00000000 11110000 11111111 11111111 11111111 01011111 [0x8D] Wls programming key response    // 5-8 zones enabled in [804][82] supervisory options
 *  10001101 0 00010001 11010101 00000000 00001111 11111111 11111111 11111111 01111111 [0x8D] Wls programming key response    // 1-4 zones enabled in [804][83] supervisory options
 *  10001101 0 00010001 11010111 00000000 01111111 11111111 11111111 11111111 11110001 [0x8D] Wls programming key response    // 1-7 zones enabled in [804][85] supervisory options
 *  10001101 0 00010001 00111010 00000000 01000000 11111111 11111111 11111111 00010101 [0x8D] Wls programming key response    // Only option 7 enabled in [804][90] options
 *  10001101 0 00010001 00111001 00000000 00001000 11111111 11111111 11111111 11011100 [0x8D] Wls programming key response    // Set RF jamming zone 08 in [804][93] subsection
 *  10001101 0 00010001 00111001 00000000 00000111 11111111 11111111 11111111 11011011 [0x8D] Wls programming key response    // Set RF jamming zone 07 in [804][93] subsection
 *  
 *  10001101 0 00110001 00001010 00000010 00100000 00100000 00000000 11111111 00001001 [0x8D] byte2-0x31 byte3-0x0A //user code 20, enter code 2020, data on byte5-6
 *  10001101 0 00110001 00001100 00000000 00000000 11111111 11111111 11111111 11000111 [0x8D] byte2-0x31 byte3-0x0C //immediately afterwards, check if user code is already used?
 *  
 *  10001101 0 00110001 00001010 00000010 00100000 00100000 00100000 11111111 00101001 [0x8D] byte2-0x31 byte3-0x0A //user code 20, entered code 202020, data on byte5-7, confirmation not send!
 *
 *  10001101 0 00110001 00001010 00000010 00010010 00110100 00000000 11111111 00001111 [0x8D] byte2-0x31 byte3-0x0A //user code 20, entered code 1234 (which is in use as master code)
 *  10001101 0 00110001 00001100 00000000 00000000 11111111 11111111 11111111 11000111 [0x8D] byte2-0x31 byte3-0x0C //immediately afterwards, check if user code is available?
 *  10001101 0 00110001 00001010 00000010 00100000 00100000 00100000 11111111 00101001 [0x8D] byte2-0x31 byte3-0x0A //immediately afterwards if nonvalid code, send the previous one (2020)
 *  
 *  10001101 0 00110001 00001010 00000010 00010010 00110100 01010110 11111111 01100101 [0x8D] //user code 20, entered code 123456 (which is used as master code)
 *  10001101 0 00110001 00001010 00000010 00100000 00100000 00100000 11111111 00101001 [0x8D] //immediately reverts to previous set code which is 202020
 *  
 *  10001101 0 00110001 00010000 00000010 00100010 00100010 00000000 11111111 00010011 [0x8D] byte2-0x31 byte3-0x10//user code 22, entered code 2222
 *  10001101 0 00110001 00010010 00000000 00000000 11111111 11111111 11111111 11001101 [0x8D] byte2-0x31 byte3-0x12//send immediately afterwards (as confirmation?)
 *  
 *  10001101 0 00010001 00010000 00000000 00000011 11111111 11111111 11111111 10101110 [0x8D] byte2-0x11 byte3-0x10 //v3.14 [59] partition1 function key1 = 03
 *  10001101 0 00010001 01000100 00000000 00010000 11111111 11111111 11111111 11101111 [0x8D] byte2-0x11 byte3-0x44 //v3.14 [81] supervisory window data (10) on byte5
 *  10001101 0 00010001 01000100 00000010 00000000 00000000 00000000 11111111 11100011 [0x8D] byte2-0x11 byte3-0x44 //v5.0 [01] entered 000000 as Zone1 ESN
 *  10001101 0 00010001 00111000 00000000 00010000 11111111 11111111 11111111 11100011 [0x8D] byte2-0x11 byte3 0x38 //v5.0 supervisory window 10 on RF5132
 *  
 *  10001101 0 00010001 01001011 00000010 00000000 00000000 00000000 11111111 11101010 [0x8D] //v3.14 [804] [03], entered zone3 ESN as 000000
 *  10001101 0 00010001 01001011 00000010 00000010 00000010 00000010 11111111 11110000 [0x8D] //v3.14 zn03 esn 020202
 *  10001101 0 00010001 01001011 00000010 00100000 00100000 00100000 11111111 01001010 [0x8D] //v3.14 zn03 esn 202020
 *  Byte 0   1    2        3        4        5        6        7        8        9
 *
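
The 0x8D layout described in the comment above, as an added example that is not part of the original post or of the library's code: it parses KeybusReader-style binary log lines, rejects frames whose last byte is not the sum of the preceding bytes mod 256 (which reproduces Byte9 in the sample lines embedded below), and labels Byte2-Byte7. The function and table names are hypothetical, and the stride-3 Byte3 formulas are inferred from the v5.0 list and are an assumption for the entries the list elides.

```python
# Added example: decode 0x8D panel frames from binary log lines (v5.0 Byte3 meanings).

CONTEXT = {0x31: "user programming [*5]", 0x11: "RF module programming [804]/[904]"}
STATE = {0x00: "after user action", 0x01: "waiting for user action", 0x02: "user data input"}
# Fixed Byte3 values taken from the v5.0 entries of the list above.
FIXED_V50 = {
    0x38: "wireless supervisory window [804][81]",
    0x39: "RF jamming zone [804][93]",
    0x3A: "RF other options [804][90]",
    0x41: "global zone placement test",
}

# Sample lines copied from this page.
ZONE1_ESN = "10001101 0 00010001 01000100 00000010 00000000 00000000 00000000 11111111 11100011 [0x8D]"
SUPERVISORY = "10001101 0 00010001 00111000 00000000 00010000 11111111 11111111 11111111 11100011 [0x8D]"
CONFIRM = "10001101 0 00110001 00001100 00000000 00000000 11111111 11111111 11111111 11000111 [0x8D]"
# Constructed: SUPERVISORY with one bit of Byte5 flipped, checksum left unchanged.
CORRUPTED = "10001101 0 00010001 00111000 00000000 00010001 11111111 11111111 11111111 11100011 [0x8D]"


def parse_bits(line):
    """Return the frame as ints, indexed like the notes (index 1 is the single bit)."""
    head = line.split("[", 1)[0]
    return [int(t, 2) for t in head.split() if set(t) <= {"0", "1"} and len(t) in (1, 8)]


def checksum_ok(frame):
    """Byte9 equals the sum of Byte0 and Byte2..Byte8, modulo 256."""
    return (frame[0] + sum(frame[2:-1])) % 256 == frame[-1]


def describe_byte3(byte2, byte3):
    """Map Byte3 to an action, assuming an RF5132 v5.0 module."""
    if byte2 == 0x31 and 0x01 <= byte3 <= 0x30:
        if byte3 % 3 == 1:
            return f"user {17 + (byte3 - 1) // 3} code input"
        if byte3 % 3 == 0:
            return f"user {16 + byte3 // 3} input confirmation"
    if byte2 == 0x11:
        if 0x44 <= byte3 <= 0xA1 and (byte3 - 0x44) % 3 == 0:
            return f"zone {1 + (byte3 - 0x44) // 3} ESN input"
        if 0x02 <= byte3 <= 0x2F and byte3 % 3 == 2:
            return f"key {1 + (byte3 - 2) // 3} ESN input"
        if byte3 in FIXED_V50:
            return FIXED_V50[byte3]
    return "unknown"


def decode_8d(line):
    """Validate one 0x8D log line and return its decoded fields."""
    frame = parse_bits(line)
    if len(frame) != 10 or frame[0] != 0x8D or frame[1] != 0:
        raise ValueError("not a 10-field 0x8D panel frame")
    if not checksum_ok(frame):
        raise ValueError("checksum mismatch")
    byte2, byte3, byte4 = frame[2], frame[3], frame[4]
    data = frame[5:8]
    if byte4 != 0x02:
        # Outside data input, Byte5 always carries data; Byte6-7 are 0xFF when unused.
        data = data[:1] + [b for b in data[1:] if b != 0xFF]
    return {
        "context": CONTEXT.get(byte2, "unknown"),
        "action": describe_byte3(byte2, byte3),
        "state": STATE.get(byte4, "unknown"),
        "digits": "".join(f"{b:02X}" for b in data),
    }


if __name__ == "__main__":
    for sample in (ZONE1_ESN, SUPERVISORY, CONFIRM, CORRUPTED):
        try:
            print(decode_8d(sample))
        except ValueError as err:
            print("rejected:", err)
```

On a v3.14 module the same Byte3 values map to different sections (0x44 is the supervision hours there), so the module version has to be known before the labels are trusted.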
kricon commented 3 years ago

Command 0x94 seems to be used for requesting and getting data from the RF module to the panel. Probably similar to 0x8D. Note that this is mostly a dump from notes of logs I took, taken from v5.0.

 *  Byte2 - unknown, 0x11 when the panel sends, 0xFF when the module sends
 *  Byte3 - HEX data containing which section (0x41 for section 41 etc) - probably same as 0x8D byte3.
 *  Byte7 bit0 - option 2
 *  Byte7 bit1 - option 3
 *  Byte7 bit2-5 - options 4-7
 *  Byte7 bit6 - option 8
 *  Byte7 bit7 - unknown

Bytes7-10 also contain the ESN, with the first digit starting on Byte7 bit6 and the sixth digit ending on Byte10 bit7. The same applies for getting the byte3 address from the 0x8D list above, offset with Byte7 start bit6 and Byte8 end bit7.

 2800.42: 10010100 0 00010001 10010011 10000010 10111010 00001000 01100011 10001000 01100011 11000000 [0x94] Unknown data //trying to enter nonexistent section 93 byte3 0x93
 2800.42: 11111111 1 11111111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 11111100 [Module/0x94] Unknown data //section doesn't exist

 2933.92: 10010100 0 00010001 10010001 10000010 10111000 00000000 00000000 00000000 01000001 01000000 [0x94] Unknown data //[804][91] byte3 contains which section (0x91)
 2933.92: 11111111 1 11111111 11111111 11111111 11111111 11111111 10000010 11110111 00000000 01110111 [Module/0x94] Unknown data //section exist
 2933.95: 01100100 0 00001000 01101100 [0x64] Partition 1 | Beep: 4 beeps //opening section [91]
 2934.04: 10010100 0 00010001 00000101 00000000 10101010 00000000 00000000 00000000 01001100 11110111 [0x94] Unknown data //byte5 0xAA request section data from module?
 2934.04: 11111111 1 11111111 11111111 11111111 11111111 11111111 10000000 00000000 00000000 01111101 [Module/0x94] Unknown data //Enabled options: none
 3196.07: 11111111 1 11111111 11111111 11111111 11111111 11111111 10000011 10000000 00000000 00000001 [Module/0x94] Unknown data //Enabled options 1-2-3
 3244.35: 11111111 1 11111111 11111111 11111111 11111111 11111111 10000001 10000000 00000000 01111111 [Module/0x94] Unknown data //Enabled options 1-2
 3364.90: 11111111 1 11111111 11111111 11111111 11111111 11111111 10000000 10000000 00000000 01111110 [Module/0x94] Unknown data //Enabled options 1
 4126.36: 11111111 1 11111111 11111111 11111111 11111111 11111111 11000000 00000000 00000000 00111101 [Module/0x94] Unknown data //Enabled options 8

 4418.58: 10010100 0 00010001 00000011 10000010 00101010 00000000 00000000 00000000 01000001 01000000 [0x94] Unknown data //[804][03] request section
 4418.58: 11111111 1 11111111 11111111 11111111 11111111 11111111 10100101 11110110 00000001 10011010 [Module/0x94] Unknown data //section exist
 4418.61: 01100100 0 00001000 01101100 [0x64] Partition 1 | Beep: 4 beeps //opening section [804][03]
 4418.70: 10010100 0 00010001 01001011 00000000 11110000 00000000 00000000 00000000 01001100 10011010 [0x94] Unknown data //request section data from module? 202020 ESN
 4418.70: 11111111 1 11111111 11111111 11111111 11111111 11111111 10010000 00010000 00010000 00101101 [Module/0x94] Unknown data //byte7-8-9 contains ESN data?
 4818.46: 11111111 1 11111111 11111111 11111111 11111111 11111111 11010101 01010101 01010101 01111100 [Module/0x94] Unknown data //confirmation above ESN data AAAAAA
 4926.74: 11111111 1 11111111 11111111 11111111 11111111 11111111 11010101 01010101 01010111 11111111 [Module/0x94] Unknown data //confirmation above ESN data AAAAAF  
 4418.78: 00001010 0 10000001 11101100 00000010 00000000 00000000 00000000 00000000 01111001 [0x0A] Ready Backlight - Input 6 digits | Zone lights: 2 
 4418.87: 11100110 0 00100000 10000001 11101100 00000000 00000000 00000000 00000000 10000000 11110011 [0xE6.20] Status lights: Ready Backlight - Input 6 digits | Zone lights: none
 4418.88: 11111111 1 11111111 10100101 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0xE6] Unknown data
 4418.96: 10010100 0 00010001 01001011 00000010 11110010 00000000 00000000 00000000 01000000 01000000 [0x94] Unknown data
 4419.05: 10010100 0 00010001 01001011 00000010 11110010 00000000 00000000 00000000 01001100 11111100 [0x94] Unknown data
 4419.05: 11111111 1 11111111 11111111 11111111 11111111 11111111 10010000 00010000 00010000 00101101 [Module/0x94] Unknown data //Byte7-10 probably contains ESN (202020)
 4419.10: 01101110 0 00100000 00100000 00100000 00000000 11001110 [0x6E] Unknown data //ESN data: 202020 Byte3 bit4-7 digit1 (HEX 0x02), bit0-3 digit2 (HEX0x00) - Byte4 and Byte5 same.
 4419.19: 10010100 0 00010001 01001011 00000000 11110000 01100111 00000000 00000000 01001111 01010000 [0x94] Unknown data
 4419.28: 10010100 0 00010001 01001011 00000000 11110000 01100111 00000000 00000000 01001100 11111100 [0x94] Unknown data
 4419.28: 11111111 1 11111111 11111111 11111111 11111111 11111111 10010000 00000000 00000000 00001101 [Module/0x94] Unknown data

Entering section [804][03] which contains 555555 as ESN:
 1009.84: 11111111 1 00000000 11111111 11111111 11111111 [Module/0x05] Partition 1 Key: 0 
 1011.44: 11111111 1 00001111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0x0A] Partition 1 Key: 3 
 1011.53: 10010100 0 00010001 00000011 10000010 00101010 00000000 00000000 00000000 01000001 00100000 [0x94] Unknown data //byte3 0x03
 1011.61: 10010100 0 00010001 00000011 10000010 00101010 00000000 00000000 00000000 01001100 11111100 [0x94] Unknown data //byte3 0x03, bytes 9 and 10 different from above
 1011.61: 11111111 1 11111111 11111111 11111111 11111111 11111111 10100101 01110110 00000001 10011010 [Module/0x94] Unknown data //offset byte7 starting bit6 - byte8 end bit7 is 0x4A - same used for byte3 later
 1011.64: 01100100 0 00001000 01101100 [0x64] Partition 1 | Beep: 4 beeps
 1011.73: 10010100 0 00010001 01001010 00000000 11101111 00000000 00000000 00000000 01001100 10011010 [0x94] Unknown data //byte3 is 0x4A which is correct for Zone 03 ESN input on v5.0 from 0x8D list above
 1011.82: 10010100 0 00010001 01001010 00000000 11101111 00000000 00000000 00000000 01001100 11111100 [0x94] Unknown data //byte3 is 0x4A which is correct for Zone03 ESN input, byte10 different from line above
 1011.82: 11111111 1 11111111 11111111 11111111 11111111 11111111 10101010 11111111 11111111 10100111 [Module/0x94] Unknown data
 1011.86: 00000101 0 10000001 11101100 10010001 11000111 [0x05] Partition 1: Ready Backlight - Input 6 digits | Partition 2: disabled
 1011.94: 00001010 0 10000001 11101100 00000101 00000000 00000000 00000000 00000000 01111100 [0x0A] Partition 1: Ready Backlight - Input 6 digits | Zones 1-32 lights: 1 3 
 1012.08: 11111111 1 10100101 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0x0A] Partition 1 Key: Receive data 
 1012.17: 10010100 0 00010001 01001010 00000010 11110001 00000000 00000000 00000000 00111110 00100000 [0x94] Unknown data
 1012.25: 10010100 0 00010001 01001010 00000010 11110001 00000000 00000000 00000000 01001100 11111100 [0x94] Unknown data
 1012.25: 11111111 1 11111111 11111111 11111111 11111111 11111111 10101010 10101010 10101010 11111101 [Module/0x94] Unknown data
 1012.31: 01101110 0 01010101 01010101 01010101 00000000 01101101 [0x6E] LCD display: 55555500
 1012.40: 10010100 0 00010001 01001010 00000000 11101111 00110110 10000000 00000000 01001111 01010000 [0x94] Unknown data
 1012.48: 10010100 0 00010001 01001010 00000000 11101111 00110110 10000000 00000000 01001100 11111100 [0x94] Unknown data
 1012.48: 11111111 1 11111111 11111111 11111111 11111111 11111111 10101010 11111111 11111111 10100111 [Module/0x94] Unknown data

0x52 as well seems to be related to wireless expansion, something for keyfobs?

10233.39: 11111111 1 11111111 11111111 11111111 00111111 11111111 11111111 11111111 11111111 [Module/0x05] Wireless key notification 
10233.49: 01010010 0 11111111 11111111 11111111 11111111 [0x52] [CRC Error]
10233.49: 11111111 1 10101010 11111111 11111111 10101000 [Module/0x52] Unknown data
10233.79: 01010111 0 11111111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [0x57] Wireless key query
10233.79: 11111111 1 10101011 10101010 10101010 10101010 11111111 11111111 11111111 11111111 10100101 [Module/0x57] Wireless key battery restored: 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

0xE6.25 after exiting installer programming:

 5223.40: 11101011 0 00000000 00100000 00110011 10000000 10000000 00000001 10101100 00000000 11101011 [0xEB] 2020.12.28 00:32 | Exit installer programming
 5223.61: 11111111 1 11111111 11111111 11111111 11111101 11111111 11111111 11111111 11111111 [Module/0x1B] Wireless notification //decoded in pull request for easier tracking in log
 5223.67: 00100111 0 10000001 00000001 10000001 00000001 00000000 00101011 [0x27] Partition 1: Ready Backlight - Partition ready | Partition 2: Ready Backlight - Partition ready | Zones 1-8 open: none 
 5223.68: 11111111 1 11111111 00101101 11111111 11111111 11111111 11111111 [Module/0x27] Partition 2 Key: # 
 5223.79: 01001100 0 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 [0x4C] Module tamper query
 5223.79: 11111111 1 11110000 11111111 11111111 00000000 11111111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0x4C] Keypad tamper: Slot 2 7 8 
 5223.90: 01011000 0 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 10101010 [0x58] Module status query
 5223.99: 11100110 0 00100101 11111111 11111111 11111111 11111111 11111111 [0xE6.25] [CRC Error]
 5223.99: 11111111 1 11111111 11111111 11111111 11111111 11111111 11111100 [Module/0xE6.25] Unknown data
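
The one-bit offset described in the 0x94 notes above, as an added example that is not part of the original post or of the library's code: it reads the 24 bits running from Byte7 bit6 to Byte10 bit7 of a module response and interprets them as an ESN, as an options bitmask, or as the next Byte3 address. Function names are hypothetical, and reading option 1 from Byte8 bit7 is inferred from the sample lines labelled "Enabled options", not stated in the notes.

```python
# Added example: extract the bit-shifted payload from [Module/0x94] response lines.

# Sample lines copied from this page.
ESN_202020 = "4419.05: 11111111 1 11111111 11111111 11111111 11111111 11111111 10010000 00010000 00010000 00101101 [Module/0x94]"
ESN_AAAAAF = "4926.74: 11111111 1 11111111 11111111 11111111 11111111 11111111 11010101 01010101 01010111 11111111 [Module/0x94]"
OPTIONS_123 = "3196.07: 11111111 1 11111111 11111111 11111111 11111111 11111111 10000011 10000000 00000000 00000001 [Module/0x94]"
OPTION_8 = "4126.36: 11111111 1 11111111 11111111 11111111 11111111 11111111 11000000 00000000 00000000 00111101 [Module/0x94]"
OPTIONS_NONE = "2934.04: 11111111 1 11111111 11111111 11111111 11111111 11111111 10000000 00000000 00000000 01111101 [Module/0x94]"
SECTION_20 = "7380.38: 11111111 1 11111111 11111111 11111111 11111111 11111111 10111110 11110110 00000001 10110011 [Module/0x94]"
# Constructed: a response cut short on the bus.
TRUNCATED = "11111111 1 11111111 11111111 11111111 11111111 11111111 10010000 [Module/0x94]"


def parse_bits(line):
    """Return the frame as ints; index 1 is the single-bit field after Byte0."""
    head = line.split("[", 1)[0]
    return [int(t, 2) for t in head.split() if set(t) <= {"0", "1"} and len(t) in (1, 8)]


def module_window(line):
    """Return the 3 bytes formed by Byte7 bit6 through Byte10 bit7."""
    frame = parse_bits(line)
    if len(frame) != 11 or frame[1] != 1:
        raise ValueError("expected an 11-field module response line")
    bits = "".join(f"{b:08b}" for b in frame[7:11])  # 32 bits, Byte7 bit7 first
    window = bits[1:25]                               # skip Byte7 bit7, keep 24 bits
    return bytes(int(window[i:i + 8], 2) for i in (0, 8, 16))


def esn(line):
    """Six hex digits of the ESN carried in the response."""
    return module_window(line).hex().upper()


def enabled_options(line):
    """Option numbers 1-8 set in the first shifted byte (bit0 is option 1)."""
    first = module_window(line)[0]
    return [n for n in range(1, 9) if first >> (n - 1) & 1]


def next_byte3(line):
    """Byte3 address the panel uses in its following 0x94 request."""
    return module_window(line)[0]


if __name__ == "__main__":
    print(esn(ESN_202020), esn(ESN_AAAAAF))
    print(enabled_options(OPTIONS_123), enabled_options(OPTION_8))
    print(hex(next_byte3(SECTION_20)))
```

The address returned for the [804][20] response is 0x7D, the same Byte3 that the later 0x8D line on this page carries for zone 20 on v5.0.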
kricon commented 3 years ago

Does anyone have panel version v4.60 or above with a PK5500 keypad? They include a new section [898] for automatic wireless enrollment without manually entering the ESN. Hopefully, you can enter it and take the first status message even without having an RF module. It brings "Wireless enrollment mode", "Confirm ESN?", "Press (*) or Zone #:" and "Press (*) or Zone Type:" new partition status messages, not yet decoded.

EDIT: as per the DSC bulletin, panels have a Fire Alarm Bells Silenced message. Probably it is shown when a zone defined as [07] or [87] is silenced/delayed, but I wasn't able to trigger that message on PC1832 v4.2 with PK5500 v1.1. It would be nice to have that message decoded as well. It could be only a keypad-related thing, where the keypad itself checks if no partition is in alarm and a fire alarm is going on, but I doubt it, as the EOL setting would not change that status.

Also, it would be interesting to see output from v4.60 with an RFK keypad v1.30 or up, because it uses 3 digits for the [804] installer programming subsection and it includes a Receiver Placement Test for RF Interference. RFK5564 likely has 0x8D/0x94 byte3 differences for 64 zones.

I would put a help wanted label on this issue. 0x94 can also be used for other module subsection programming, such as PC5100 2-wire addressable or PC5936 audio interface, as it gets sent after trying to enter their sections, but I don't have the modules to verify it:

 *  0x94 sends byte2 0x14 when trying to enter [801] for PC5400 printer module, with the corresponding subsection on byte3.
 *  0x94 sends byte2 0x15 when trying to enter [802] for PC59XX VOX module, with the corresponding subsection on byte3.
 *  0x94 sends byte2 0x19 when trying to enter [805] for PC5100 programming, with the corresponding subsection on byte3.

I suppose the 0x8D and 0x94 cmds are waiting to be included in a new development branch, after the merge of the current development branch into master, because as of now there is no space left on the Arduino Uno with the KeybusReader.ino sketch.

This is an example of entering subsection [20] of section [804] on v5.0 RF module, changing zone 20 ESN from 555555 to 999999:

7378.09: 00010001 0 10101010 10101010 10101010 10101010 10101010 10101010 10101010 [0x11] Module supervision query
7378.09: 11111111 1 11111111 11111100 11111111 11110011 11111111 11111111 11111111 [Module/0x11] Keypad slots: 8 | PC/RF5132 
7379.64: 11111111 1 00001010 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0x0A] Partition 1 Key: 2 
7380.03: 11100110 0 00101100 00000001 00000000 00000000 00000000 00000000 00010011 [0xE6.2C] Partition 1 | Enabled zones 33-64: none
7380.12: 10110001 0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 10110001 [0xB1] Enabled zones 1-32 | Partition 1: none| Partition 2: none
7380.21: 11111111 1 11111111 00000000 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0xE6.20] Partition 1 Key: 0 
7380.30: 10010100 0 00010001 00100000 10000010 01000111 00000000 00000000 00000000 01000000 01000000 [0x94] Unknown data
7380.38: 10010100 0 00010001 00100000 10000010 01000111 00000000 00000000 00000000 01001100 11111100 [0x94] Unknown data
7380.38: 11111111 1 11111111 11111111 11111111 11111111 11111111 10111110 11110110 00000001 10110011 [Module/0x94] Unknown data
7380.42: 01100100 0 00001000 01101100 [0x64] Partition 1 | Beep: 4 beeps
7380.50: 10010100 0 00010001 01111101 00000000 00100010 00000000 00000000 00000000 01001100 10110011 [0x94] Unknown data
7380.59: 10010100 0 00010001 01111101 00000000 00100010 00000000 00000000 00000000 01001100 11111100 [0x94] Unknown data
7380.59: 11111111 1 11111111 11111111 11111111 11111111 11111111 10101010 11111111 11111111 10100111 [Module/0x94] Unknown data
7380.67: 00001010 0 10000001 11101100 00000101 00000000 00000000 00000000 00000000 01111100 [0x0A] Partition 1: Ready Backlight - Input: 6 digits | Zones 1-32 lights: 1 3 
7380.75: 11100110 0 00100000 10000001 11101100 00000000 00000000 00000000 00000000 10000000 11110011 [0xE6.20] Partition 1: Ready Backlight - Input: 6 digits | Zones 33-64 lights: none
7380.83: 00000101 0 10000001 11101100 00010000 11000111 00010000 11000111 00010000 11000111 [0x05] Partition 1: Ready Backlight - Input: 6 digits | Partition 2: disabled | Partition 3: disabled | Partition 4: disabled
7380.91: 11111111 1 10100101 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0x0A] Partition 1 Key: Receive data 
7381.00: 10010100 0 00010001 01111101 00000010 00100100 00000000 00000000 00000000 00111110 01000000 [0x94] Unknown data
7381.09: 11111111 1 11111111 11111111 11111111 11111111 11111111 10101010 10101010 10101010 11111101 [Module/0x94] Unknown data
7381.09: 10010100 0 00010001 01111101 00000010 00100100 00000000 00000000 00000000 01001100 11111100 [0x94] Unknown data
7381.14: 01101110 0 01010101 01010101 01010101 00000000 01101101 [0x6E] LCD display: 55555500
7381.23: 10010100 0 00010001 01111101 00000000 00100010 00110110 10000000 00000000 01010000 11010001 [0x94] Unknown data
7381.32: 10010100 0 00010001 01111101 00000000 00100010 00110110 10000000 00000000 01001100 11111100 [0x94] Unknown data
7381.32: 11111111 1 11111111 11111111 11111111 11111111 11111111 10101010 11111111 11111111 10100111 [Module/0x94] Unknown data
7382.05: 11111111 1 11111111 11111100 11111111 11110011 11111111 11111111 11111111 [Module/0x11] Keypad slots: 8 | PC/RF5132 
7382.05: 00010001 0 10101010 10101010 10101010 10101010 10101010 10101010 10101010 [0x11] Module supervision query
7386.04: 00010001 0 10101010 10101010 10101010 10101010 10101010 10101010 10101010 [0x11] Module supervision query
7386.04: 11111111 1 11111111 11111100 11111111 11110011 11111111 11111111 11111111 [Module/0x11] Keypad slots: 8 | PC/RF5132 
7386.45: 11111111 1 11110111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0x0A] Partition 1 Key: Menu navigation 
7386.62: 11111111 1 11111111 11110111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0xE6.20] Partition 1 Key: Menu navigation 
7386.79: 11111111 1 11111111 11110111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0xE6.20] Partition 1 Key: Menu navigation 
7387.04: 11111111 1 11110111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0x05] Partition 1 Key: Menu navigation 
7387.21: 11111111 1 11111111 11110111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0xE6.20] Partition 1 Key: Menu navigation 
7387.63: 11111111 1 11111111 11110111 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0xE6.20] Partition 1 Key: Menu navigation 
7387.80: 11111111 1 11111111 10101010 11111111 11111111 11111111 11111111 11111111 11111111 11111111 [Module/0xE6.20] Partition 1 Key: Submit data 
7387.85: 01110000 0 11111111 11111111 11111111 11111111 11111111 [0x70] LCD keypad data query
7387.85: 11111111 1 10011001 10011001 10011001 00000000 11001011 [Module/0x70] LCD keypad data entry: 99999900
7387.97: 10001101 0 00010001 01111101 00000010 10011001 10011001 10011001 11111111 11100111 [0x8D] Wls programming key response
7388.00: 01100100 0 00000100 01101000 [0x64] Partition 1 | Beep: 2 beeps
7388.03: 01100100 0 00001000 01101100 [0x64] Partition 1 | Beep: 4 beeps
7388.09: 01011101 0 00100000 00000000 00000000 00000000 00000000 01111101 [0x5D] Partition 1 | Status lights flashing: Program | Zones 1-32 flashing: none
7388.17: 11100110 0 00011000 00000001 00100000 00000000 00000000 00000000 00000000 00011111 [0xE6.18] Partition 1 | Status lights flashing: Program | Zones 33-64 flashing: none
7388.25: 00001010 0 10000001 11110111 00000000 00000000 00000000 00000000 00000000 10000010 [0x0A] Partition 1: Ready Backlight - *8: 2 digit subsection entry | Zones 1-32 lights: none
7388.34: 11100110 0 00100000 10000001 11110111 00000000 00000000 00000000 00000000 10000000 11111110 [0xE6.20] Partition 1: Ready Backlight - *8: 2 digit subsection entry | Zones 33-64 lights: none
7388.42: 00000101 0 10000001 11110111 00010000 11000111 00010000 11000111 00010000 11000111 [0x05] Partition 1: Ready Backlight - *8: 2 digit subsection entry | Partition 2: disabled | Partition 3: disabled | Partition 4: disabled
7390.04: 00010001 0 10101010 10101010 10101010 10101010 10101010 10101010 10101010 [0x11] Module supervision query
7390.04: 11111111 1 11111111 11111100 11111111 11110011 11111111 11111111 11111111 [Module/0x11] Keypad slots: 8 | PC/RF5132 
kricon commented 2 years ago

I've found out that on PC5010 v2.00 panels you can have multiple users having the same access code - the event buffer will log only the lowest one.

Update for the 0x94 panel command: byte 4 is always 0x82 when byte 3 contains the subsection which was requested to be accessed.

More info on Byte4: when it's 0x02 it contains HEX data on bytes 5-7. It's a way to differentiate RF5132 v3.x/v5.x versions for the 0x8D cmd. However, I'm not so sure that you can differentiate v5.0/v5.1 even for 0x8D. For the 0x94 cmd it seems impossible to be sure which version it's from with just a single line.