Wireless Doorbell Teardown

2017-12-18 | By All About Circuits

License: See Original Project Audio

Courtesy of All About Circuits

Wireless Doorbell Teardown

This wireless doorbell comes with two products; the doorbell itself and a wall plugged speaker. The doorbell consists of a single large push button with an LED ring glow effect around the button and the unit can easily be mounted on a wall. The plugged unit also has a large LED ring glow that glows when someone presses the button for a visual alarm (while also playing music when the button is pressed).

The wireless doorbell (right) and alarm (left)

The back of the doorbell shows product information including its power consumption and SKU (stock keeping unit). There is an interesting number on the back which can easily fool a consumer; the 23A power consumption. This number actually refers to the battery type which is 23A and these batteries are common in devices such as old digital cameras and car keys.

The product information for the doorbell

Opening the doorbell is incredibly easy with a small rectangular hole on the bottom which has the word "OPEN" above it. A small screwdriver when placed in the hole can pry the unit open revealing the internal parts, PCB, and power source.

The OPEN slit that is used to gain access to the internals

The doorbell showing the 23A battery

The main PCB consists of a large single tactile switch, many surface mount devices, inductors, and a large coil antenna. All of the surface mount devices and the few through hole parts show that there is an interest in keeping costs as low as possible by relying on automated production techniques using pick and place machines. One other feature that shows the use of pick and place are the two fiducial on the bottom left corner of the PCB and the top right corner. The machine looks for these, aligns itself, and the uses them as offset references.

The main PCB with battery removed

After doing a bit of online reading and successfully identifying the 8 pin SOIC IC, it can be assumed that this wireless doorbell operates using the 433MHz frequency. The IC of particular interest, the HS1527, is a one-time programmable encoder IC that is commonly found in RF remote controlled products. This IC is programmed at the factory and paired with a receiver so that only one doorbell can activate one receiver.

The HS1527 IC

The radio portion of the circuit may be made using discrete parts including transistors, inductors, capacitors, and resistors. The top half of the PCB has no copper pour which is done to prevent the absorption of the emitted radio waves.

The underside of the PCB showing the lack of a pour on the top section of the PCB

The Receiver

The receiver is mains powered and has multiple IO controls on the side. This suggests that the device has some kind of microcontroller at its heart which can play back musical tones and allow for customization of the device. Interestingly, the device being mains powered, has screws which allows for easy access to the internals. Many mains devices don’t use screws or use security screws as to prevent unauthorized access (mainly for safety concerns).

The alarm with the three IO buttons on the side

The two screws keeping the unit together as well as the speaker grill

With the screws removed the unit popped open with relative ease. The front cover itself contains very few parts while the rest of the unit contained most, if not all, of the functional parts. The main PCB itself is screwed down with only two screws on one side while the other side uses plastic wedges to keep that side of the board secure.

The front cover

The unit with the cover removed

Removing the PCB revealed how the circuit was connected to the mains contacts. Unfortunately, I cannot say that I am impressed for several reasons. The first reason is that the wires used to connect to the live and neutral pins are both the same color! If a factory worker gets these the wrong way round then the neutral wire will be live and assuming that this unit has a fuse, the live conductor will not be disconnected under fault conditions. The second reason is the proximity of the metal connections of the speaker to the mains pins.

The main PCB removed from the unit

It turns out that this PCB is mounted on a single sided board which shows a real effort to keep costs down. The lack of a second layer means that EM emissions will be harder to manage and considering that switching circuits are being used it is amazing that this device passed EMC regulations. Having said that, this is a receiver and not a transmitter but all receivers re-emit detected signal (even if it’s a small amount).

The main PCB

Unfortunately, what appears to be the main controller has had its identification sanded off which prevents us from identifying the IC. However, there is clearly a program header nearby and the header is missing its second pin. Personally, I have not seen such a program header before as the header only has 4 lines (possibly ground, power, clock, and data or ground, clock, mode, and data), but others out there may be able to identify it. JTAG has 4 lines excluding ground so this IC could be using a form of JTAG but there are so many proprietary programming systems as well as custom ICs that this could be a self-destruct header or some other unusual interface.

The possible main IC (16 pin SOIC)

One IC of particular interest is the SYN510R which is a 300-450MHz ASK receiver IC). This IC will detect the radio signal from the doorbell and output a digital signal as data bits are received.

The SYN510R IC

Internal workings of the SYN510R – From Datasheet

Summary

This product, like many others, demonstrates a need for keeping costs as low as possible by using many different techniques including automation, reduction of used parts, and the use of modules. But this product also demonstrates the need for secrecy when designing products for mass production with ICs having their identifications sanded down. When ICs are sanded down, it usually means that the functionality of the device could be easily replicated and/or the device holding the information / firmware is not entirely secure and thus the only way to reliably identify the part is to expose the die and observe the silicon for logos and markings.