hH? - ua3730 bug

UA3730 Codelock Bug

Syncom explains...
The UA3730 IC is a nice little 18 pin DIL package which provides a handy interface between a 4x3 numberpad, and burglar alarms, doors, locks, security switches... The chip can hold a passcode from 1 to 12 digits long, which may be optionally changed either from the number pad, or with a switch located in a secure area.

The IC provides 3 outputs, as well as an irritating 'beep' whenever a key is pressed. The outputs are Alarm, Toggle, and Pulse. The alarm output goes low if pin 12 is connected to pin 8, or if the wrong code is entered three times. The toggle output changes state whenever the correct code is entered, remaining in that new state until the code is next entered. The pulse output is low for 2 seconds when the correct code is entered.

The code is entered by typing the numbers, then pressing # or K. The code is changed by entering the current code, * (or M) then the new code, followed by * (or M), but only if pin 13 is connected via pin 14 and a resistance to +5v.

If the lock is in the mode which allows the code to be changed by pressing *, the code can be found. Suppose the code is 2420. Here's what happens as you type numbers.

   1 -beep-, 2 -beep-, 3 -beep-, 4 -beep-, # -beep- -beeeep-,
   2 -beep-, 5 -beep-, 8 -beep-, 0 -beep-, # -beep- -beeeep-,
   4 -beep-, 3 -beep-, 2 -beep-, 1 -beep-, # -beep- -beeeep- -beep- -beep-...
      ...followed by flashing lights and sirens, etc...

   1 -beep-, 2 -beep-, 3 -beep-, 4 -beep-,  *  -beep- -beeeep-,
   2 -beep-, 5 -beep-, 8 -beep-, 0 -beep-,  *  -beep- -beeeep-,
   4 -beep-, 3 -beep-, 2 -beep-, 1 -beep-,  *  -beep- -beeeep-,
   2 -beep-, 5 -beep-, 6 -beep-, 9 -beep-,  *  -beep- -beeeep-,
      ...no flashing lights...
   2 -beep-, 4 -beep-, 2 -beep-, 0 -beep-,  *  -beep-
        ---- Only one beep after * if the code is right. ----

Here -beep- represents 0.1 secs, -beeeep- represents 0.2 secs of tone.
I've measured this at about 1600 to 1800Hz, but my frequency counter doesn't really have a high enough sample rate to get data from a .2 second burst.

After xxxx* and only one beep, the chip is waiting for you to enter a new passcode. Type the new code, and press * to save. To abort the change, press #. After 60 seconds of idle time, the circuit resets its error counters.
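
The behaviour traced above, as an added Python model that is not part of the original page and not the chip's internal logic: wrong entries ended with * are not counted toward the three-error alarm, while the hardened variant counts them. The class and function names are assumptions; the code 2420 and the wrong guesses are taken from the trace above.

```python
# Added model of the keypad behaviour described on this page.
# Not the UA3730's internal logic; all names here are assumptions.
# The 60-second idle reset of the error counters is not modelled.
WRONG_GUESSES = ["1234", "2580", "4321", "2569"]  # wrong entries from the trace


class CodeLock:
    MAX_ERRORS = 3  # alarm after the wrong code is entered three times

    def __init__(self, code, count_star_failures):
        self.code = code
        # False reproduces the behaviour on the page; True is the hardened variant.
        self.count_star_failures = count_star_failures
        self.errors = 0
        self.alarm = False

    def _fail(self, counted):
        if counted:
            self.errors += 1
            self.alarm = self.alarm or self.errors >= self.MAX_ERRORS
        return "beep beeeep"  # tone pattern heard after a wrong entry

    def press_hash(self, digits):
        """Digits followed by #: normal entry attempt."""
        if digits == self.code:
            return "unlock"  # label for the toggle/pulse outputs firing
        return self._fail(counted=True)

    def press_star(self, digits):
        """Digits followed by *: request to change the code."""
        if digits == self.code:
            return "beep"  # single beep, chip waits for the new code
        return self._fail(counted=self.count_star_failures)


def alarm_after(lock, terminator, guesses):
    """Enter each guess with the given terminator; return the alarm state."""
    press = lock.press_hash if terminator == "#" else lock.press_star
    for guess in guesses:
        press(guess)
    return lock.alarm


if __name__ == "__main__":
    print("# x3, as on page:", alarm_after(CodeLock("2420", False), "#", WRONG_GUESSES[:3]))
    print("* x4, as on page:", alarm_after(CodeLock("2420", False), "*", WRONG_GUESSES))
    print("* x3, hardened:  ", alarm_after(CodeLock("2420", True), "*", WRONG_GUESSES[:3]))
```

The page states that the code can be found only when keypad code changes are enabled, so an installation that uses the switch in the secure area instead does not expose the * path.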

If you have access to the chip...
Check the output level of pin 16!!! If the voltage is at 0v, beware! Pin 16 is the toggle output. If you know the alarm/door/whatever is controlled by this output, it is safe to reset the chip, taking pin 16 high again. If the pin 16 voltage is around 5v (above 2.6 will do), you're safe to reset the chip. To reset the chip, use a screwdriver or similar to connect pins 3 and 4 together, or a wire to connect pin 4 to 0v. There will be a single beep. The level at pin 16 will be high, and the passcode will be set to 0#. Then check the level at pin 13. If it measures high (above 2.6v) the chip is set to be keypad reprogrammed.

NOTE: This goes to 0v if the chip is in 'standby' (>60 secs idle time), press * before measuring voltage at pin 13!

Reset the chip (short pins 3+4), then type 0*abcd*, and the code is set to abcd. The code may be 1 to 12 digits long. If the voltage on pin 13 is about 0.2 to 0.4 volts (around 50Hz square wave) the chip may be reprogrammed without resetting. To achieve this, connect pin 13 to 0v, then type the passcode followed by *, and disconnect the 0v from pin 13.

When subtle is a requirement...
For a quick unlock pulse, tap pin 17 to pin 3.
To force the alarm output to 'normal' connect pin 15 to pin 9 (note: should an alarm occur, the chip may be damaged by this.)

Disclaimer: All the info given here is incomplete, there's always something missing. This is basically to cover our own backs, but for someone with a bit of sense it shouldn't be too hard to fill in the blanks. The authors of this page and the carriers do not take any responsibility whatsoever for any action you may carry out as a result of you reading or using this information. Any documentation provided is given for research purposes only.