Tom Young

Random projects and events

Locked out of the alarm panel

The house we moved into this past summer has an alarm system, run by the Honeywell Vista-15P board. The previous owners gave us the master code and user codes, but not the installer code.

Normal Ways of Recovering the Installer Code

There are a couple of ways to get into the system if you don’t know the code.

Default Code

I tried entering the default code (4112) plus 800 (enter programming).

4112 800

Did not work. There was no sound indicating lockout either, so they obviously changed the code.

Back Door

Reset the power to the system. Disconnect the battery and AC power. Re-apply power. Within 50 seconds, press [*] and [#] on the keypad at the same time.

Long beep. Not good. This means they last exited the system with *98 and had option *88 set to 3.

Normally, this means that either you’d need to have the alarm company dial in (or set up a modem and try to get in yourself), or replace the entire board. Replacing the processor chip (PROM) will not work because the codes are stored on the EEPROM chip, which is soldered to the motherboard. Time for some fun.

Reading the EEPROM Chip

That 8-pin chip is the EEPROM, model 24LC32. That’s where all of the program data is stored. You could desolder it, and read it on your reader (TL866), but notice those three pads right on the top? They are pretty useful here.

Connect SCL and SDA to your reader and ground the reader to the panel (I used screw terminal 4). Power up the board. When you’re ready to read, connect the RESET line to Ground, which will shut off the processor allowing dedicated access to the EEPROM chip.

Bench Setup

I fired up minicom and ran the following after grounding the RESET line.

$ minipro -p "24LC32" -r "alarm.bin"
Found TL866II+ 04.2.124 (0x27c)
Warning: Firmware is newer than expected.
Expected 04.2.122 (0x27a)
Found 04.2.124 (0x27c)
Reading Code… 0.58Sec OK

Success! Let’s have a look:

$ hexdump -n 16 alarm.bin
0000000 92 18 01 00 00 00 00 10 00 00 00 00 00 00 00 00
0000010

Those first two bytes are the installer code, but with the two nibbles of each byte swapped: 92 18 reads as 29 81. The actual code is 2981. Let’s give it a shot:

2981 800

Long beep. That means that we know the correct installer code, but we’re still locked out by option *88. Let’s change it! Option *88 is stored at location 0xFD (253) and is one byte long. Here you can see it’s currently set to 3, which we suspected.

$ hexdump -n 1 -s 253 alarm.bin
00000fd 03

Open up your favorite hex editor and change that byte from 03 to 01. Maybe create a backup, just in case. Rewrite the file back to the EEPROM. Don’t forget to ground the RESET pin.

$ minipro -p "24LC32" -w "alarm.bin"
Found TL866II+ 04.2.124 (0x27c)
Warning: Firmware is newer than expected.
Expected 04.2.122 (0x27a)
Found 04.2.124 (0x27c)
Writing Code… 2.02Sec OK
Reading Code… 0.58Sec OK
Verification OK

As soon as you release the RESET pin, the system will start to boot. Press [*] and [#] on the keypad at the same time within 50 seconds and you should be in programming mode! You’ll also be able to enter programming by typing the installer code followed by 800.
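The decode and the one-byte edit described above can be scripted so the change is checked before anything is written back to the chip. This is an added example, not code from the original post; the function names are made up for illustration, the offsets and values are the ones given in the post, and the sample image is constructed (only its first 16 bytes and the byte at 0xFD mirror the dump shown).

```python
EEPROM_SIZE = 4096     # 24LC32 is 32 Kbit = 4096 bytes
CODE_OFFSET = 0x00     # installer code, two bytes (offset from the post)
OPT88_OFFSET = 0xFD    # option *88, one byte (offset from the post)

def swap_nibbles(b):
    """Swap the high and low 4-bit halves of one byte (0x92 -> 0x29)."""
    return ((b & 0x0F) << 4) | (b >> 4)

def installer_code(image):
    """Decode the 4-digit installer code from the first two bytes."""
    raw = image[CODE_OFFSET:CODE_OFFSET + 2]
    digits = "".join(f"{swap_nibbles(b):02X}" for b in raw)
    if len(digits) != 4 or not digits.isdigit():
        raise ValueError(f"not a 4-digit decimal code: {digits!r}")
    return digits

def patch_option_88(image, expected=0x03, new=0x01):
    """Return a copy with option *88 changed; refuse anything unexpected."""
    if len(image) != EEPROM_SIZE:
        raise ValueError(f"expected {EEPROM_SIZE} bytes, got {len(image)}")
    if image[OPT88_OFFSET] != expected:
        raise ValueError(
            f"byte at 0xFD is {image[OPT88_OFFSET]:#04x}, not {expected:#04x}")
    patched = bytearray(image)
    patched[OPT88_OFFSET] = new
    return bytes(patched)

def changed_offsets(before, after):
    """List every offset that differs, to confirm the edit touched one byte."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def sample_image():
    """Constructed 4 KiB image: the post's first 16 bytes, 0x03 at 0xFD, zeros elsewhere."""
    img = bytearray(EEPROM_SIZE)
    img[0:16] = bytes.fromhex("92180100000000100000000000000000")
    img[OPT88_OFFSET] = 0x03
    return bytes(img)

if __name__ == "__main__":
    original = sample_image()   # on real hardware: Path("alarm.bin").read_bytes()
    patched = patch_option_88(original)
    print("installer code:", installer_code(original))
    print("changed offsets:", [hex(o) for o in changed_offsets(original, patched)])
```

Keep the untouched dump as the backup and write the patched bytes to a separate file, so the original image can be restored if the panel misbehaves.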

© 2024 Tom Young
