CD&F (Siren Controller)

From RECESSIM, A Reverse Engineering Community
Jump to navigation Jump to search

Civil Defense & Fire (CD&F) Controllers function on two-tone Motorola QuikCall style paging to wirelessly activate warning sirens. The device can be activated via radio or locally via dry contacts. Not much is known about these or the company, but here is what I have discovered.

The Smaller CD&F I own, opened up


Overview & Goals

Contrary to modern offerings like the FC from Federal Signal[1], these devices are simple two-tone paging decoders that listen at a fixed radio frequency (VHF high or low band) and activate a relay on a timer when the correct signal is sent. There are also provisions for push button activation or remote non-RF activation via telephone relay with dry contacts. These controllers tended to be known by siren enthusiasts as unreliable and flaky, though I have theories on why that is later on. Regardless, they are completely analog in circuitry which offers some relative simplicity in understanding and reverse engineering.

My goals in experimentation and reverse engineering this thing are as follows:

  • Retune the onboard radio receiver to function within the 2 meter amateur radio band instead of the VHF high band my unit is configured for.
  • Reverse engineer and document the functionality of the tone decoding circuitry and determine the maximum and minimum limits for the tone frequencies based on the onboard components.
  • Recreate schematics of each daughterboard to help with figuring out their functionality.
  • Document the theory of operation and create a rough block diagram for functionality.
  • Document any theories, issues that arise and their fixes, as well as things to watch out for
  • Potentially design a new tone decoder daughterboard using more common components
  • Design and add a small audio amplifier circuit and speaker to listen to the recevier audio feed locally


History

Not much information is available about these devices on the internet unfortunately, as they were only commonplace back in the 1980's and 1990's The company, however, was located at 140 North Tyler Street in Elm Creek, Nebraska. The company was registered with the FCC on 4/14/98 by a R. E. Kugler. Some municipalities still have these devices deployed in old systems because "if it ain't broke, don't fix it" always prevails of course. There appears to exist at least 3 types that I have personally seen online including my own unit. The most I have discovered amounts to what I have seen regarding FCC filings from the 1986 to 1990 under the company name (under grantee code F49[2]) and what I have seen in various sources of media from Google images and YouTube videos. The FCC ID's associated with F49 are as follows:

  • F49LCR-2[3] registered on 02/09/90 with an operating frequency range of 150-174 MHz
  • F49LCR-1[4] registered on 02/09/90 with an operating frequency range of 25-50 MHz
  • F49EMR-3[5] registered on 02/09/90 with an operating frequency range of 130-148 MHz
  • F49EMR-2[6] registered on 02/09/90 with an operating frequency range of 148-174 MHz (Possibly suggests use of Maxon Data Radio?)
  • F49EMR-1[7] registered on 02/09/90 with an operating frequency range of 25-54 MHz
  • F49CDF-2[8] registered on 02/09/90 with an operating frequency range of 148-174 MHz(Possibly suggests use of Maxon Data Radio?)
  • F49CDF-1[9] registered on 02/09/90 with an operating frequency range of 25-54 MHz
  • F498POCDF-2[10] registered on 02/09/90 with an operating frequency range of 148-174 MHz (Possibly suggests use of Maxon Data Radio?)
  • F498POCDF-1[11] registered on 02/09/90 with an operating frequency range of 25-54 MHz


My unit is marked F49LCR-2 and is tuned for 152.240 MHz. I will refer to any models by their FCC ID unless I come across their actual names.

Speculation

My current research shows the existence of at least 2 or three types of these devices. Obviously there are more devices produced by the company, but I have zero clue what they are.


Specifications

Physical

Again, not much known aside from anything made by CD&F to funciton in the VHF high or VHF low bands. My motherboard can take up to 4 tone filter modules, though my unit seems to be hard wired for the first two? Has 2 identical decoder modules (slots A and B), a timer module, and a relay driver module.


F49LCR-2:

  • Height: 325mm (12.75") & (387mm (15.25") from bracket top and bottom
  • Width: 232mm (9.13") top section & 229mm (9") bottom section
  • Depth: 92mm (3.62") top section & 85mm (3.34") bottom section
  • Antenna length (installed): 470mm (18.5")
  • Weight: Approx. 9 lbs


Terminal Strip Pinout (left to right):

  • 1 - COM for dry contacts
  • 2 - Stop dry contact
  • 3 - Start dry contact
  • 4 - Relay N/O
  • 5 - Relay N/O
  • 6 - AC in (to xfmr)
  • 7 - AC in (to xfmr)


Pretty self explanatory with the diagrams

  • Terminal closeup. Do note that normally the primary side of the transformer with the fuse goes on the far right two.

Transformer:[12]

  • Input: Configurable 115 or 230v AC
  • Output: Rated at 12.6v DC (Unloaded is higher)
  • Max Current: 1.5A
  • Max VA: 18.9


  • Transformer Primary

  • Transformer Secondary


Marked as "F-325X Filament Transformer" on the primary, "MagneTek Triad" on the secondary. Seems to suggest prior life in tube equipment but amazingly it's still made, just modernized. If you want, you can even buy a new one on Mouser for ~$15

Primaries are in series for 230v, parallel for 115v. More info on configuring in the transformer wiring section below.


Photos

  • Front with door closed

  • Door open showing mainboard

  • Top of the enclosure, showing the antenna mount

  • Bottom of the enclosure, showing conduit and vent holes as well as an unused SO-239 connector to replace the whip antenna.

  • Back of the enclosure, showing the integrated mounting holes.

  • Side of the enclosure with latch. First flips out, then rotate the wing to loosen the clamp.

  • Side of the enclosure with the hinge. The hinge cannot be removed from the door, but the door and hinge can be removed from the enclosure with three screws and nuts.

  • Info written near the bottom center of the mainboard. Shows FCC-ID, serial, receive frequency, input voltage, and ship date.

  • Configured tone information handwritten on the CD&F main board near the top center. Sequence 1 is to activate, sequence 2 is to deactivate.

  • Bare mainboard of the CD&F. All cards removed for visibility.

  • Back of the CD&F mainboard. There is conformal coating on the back which makes it difficult to probe things. It can be removed with acetone or MEK.

  • Closeup of the double conversion super heterodyne radio receiver circuitry in the CD&F.

  • Closeup of the rear of the double conversion super heterodyne radio receiver circuitry in the CD&F. Mirrored to match Cdf_rx_closeup.jpg.


Transformer wiring

The F-325X "filament" transformer used to power the entire board can be reconfigured for 115 or 230v primary voltage and is detailed on the windings themselves. The secondary should be on a 3 pin molex style connector with both wires green. The output of the transformer should be around 12v AC, but as with any unregulated supply it will be a bit higher than expected.


  • 115v Operation: Tie together the black and red/black striped wire together and tie the yellow/black striped wire and the green/black striped wire together. You now have two pairs of wires for live and neutral.


  • 230v Operation: Tie the yellow/black striped and red/black striped wires together and insulate them properly. You can now attach live and neutral to the black and black/green striped wire.


I suggest you confirm winding integrity with a multimeter and/or use a dim bulb tester to prevent any catastrophies from happening.

Architecture & Operation

This is going in order from control signal thru processing, all the way to output contact closure.

RF comes in via 3 pin antenna connector (top right) and goes thru double conversion superhet, then into MC3357P IF.

Demod audio comes out from pin 9 of the MC3357P and goes into the commoned P1 pins of the 4 decoder board sockets.

Tone filters A1 and A2 take input on P1, VCC on P2, GND on P3, and P4 is the logic NOT output of the XR2211A IC on the tone filter PCB. This output is normally high, and gets pulled low when the input signal on P1 falls within the set passband. Both filters are in parallel on the input, VCC, and GND, but the outputs of all four sockets are separate and go to the decoder boards. The decoder boards are composed of logic gates and supporting circuitry to detect the order of pulses from the tone filters and perform the appropriate action in cooperation with the timer board. When the signal to start the timer is decoded, the LED on the first decoder board blinks breifly, then the timer board signals the relay driver to engage the relay. The indicator lights on the timer board and the relay driver also illuminate. On my unit, the unit times out after approximately 3 minutes of being activated if no stop signal is received on the radio or locally via contact closure.


Receiver Circuit

The receiver on board the F49LCR-2 is a double conversion superheterodyne circuit. RF comes in via the 3 pin header (only 2 used) and immediately goes into what I presume is a preamplifier with a MPS5179 RF transistor[13].

The Local Oscillator (LO) crystal on by unit is marked "154.240" on top of the can, and "47.180" on the side. After messing with some math, I discovered the LO gets tripled (presumably by some magic with the other transistors and passives nearby) to 141.54 MHz.

The incoming RF is then mixed and subtracted with the tripled LO signal to get the 10.7 MHz intermediate frequency (IF). You can calculate different LO crystal frequencies or input frequencies with the following equation, assuming you have one or the other: 

10.7 = rxFreq - (crystFreq * 3)

The downstream Motorola MC3357P[14] IC takes the standard 10.7 MHz IF input and converts it down again to 455 kHz and does some filtering, then using its internal quadrature FM detector demodulates the audio into a 200-350mV RMS audio signal on pin 9 of the IC.

There is some more audio filtering that pin 9 feeds into, but afterwards the cleaned up audio goes right into the tone filter boards on a common trace.


Retuning for the 2 Meter Amateur Radio Band

Original Plan

My original plan was to source some kind of crystal between 44.43 to 45.7 MHz which corresponds to 146 to 147.975 MHz when plugged into the above equation. Upper limit of 147.975 chosen assuming a transmitted signal of 25kHz NFM. After doing some more reasearch though, I discovered the Si5351 and it's breakout board from Adafruit which is a programmable clock generator that can output 3 separate clock signals from 8 kHz to 160 MHz. What a useful chip! This has the advantage of costing about the same as a vintage hard to find crystal of a specific frequency while also being able to be reprogrammed easily via I2C. The only downside is that the chip has no ROM so any configuration is lost upon power down. Despite this, that IC combined with a low power I2C enabled microcontroller attached to a suitable source of power from the board should yeild a highly versatile replacement to the old crystal.

Si5351 Breakout

I ordered the board and when it arrived, I attached it to an arduino nano with 5v, GND, SCL and SDA (A4 and A5 on the nano). After programming the board and checking it with my new DSO, it showed 45.55 MHz as programmed using the aforementioned arduino and the Etherkit Si5351 example sketch. I removed the crystal from the LO circuit and attached the Si5351 CLK0 to the collector of Q4 as is done with the original crystal and also grounded the breakout board to the other crystal pad. Initial tests show nearly identical functionality from stock, even without tuning any filter components onboard. The receiver now responds to signals on 147.350 MHz, comfortably near the top of the 2 meter band. With that, I taped the arduino and breakout board together, insulated, and hijacked power from the main LM7812 regulator to power it.

  • Testing the breakout board with temporary connections.

  • Final mod. The arduino and breakout taped together and insulated, using the original crystal through holes and taking power from the main L7812 regulator.

  • Connections for Vin and GND on the arduino going to the main 12v regulated supply.



Tone Filters

The tone filters are simple little daughterboards based on the Exar/MaxLinear XR2211ACP[15] FSK/Tone decoder IC. The board contains the necessary passive components to enable tone decode functionality of the IC. Audio comes in from the recieve circuit on pin P1 and runs through the IC. When a tone matched the configured settings, the receiver module drops pin P4 low, otherwise it is held high. Thats pretty much it. The variable resistor is used to change the set frequency of the module, but I do not know to what extent yet. Testing needs to be done.

Example values for my tones are as follows:

  • A1 (1153.4 Hz): 5.747kOhms
  • A2 (1285.8 Hz) 4.9 to 5kOhms, contact was rough


  • Tone filters top side

  • Tone Filters bottom side (mirrored to match top side)

Tone filter module pinout:

  • P1 - Audio in
  • P2 - VCC (12v)
  • P3 - GND
  • P4 - Logic NOT signal out (default high, drops low when signal is in passband)
  • P5 - Logic Out (Not used on this board, but is the opposite of P4)


Tone filter troubleshooting:

If you suspect the tone filters are not functioning properly, check that you have installed them in the correct order and are running the right sequence of tones through the unit. If that fails, I have encountered issues with the main board as well as these modules that required reflowing all solder joints due to being brittle and most likely cracking and making poor connections.

Do be aware, on the mainboard and parts of the tone decoders there is conformal coating. Acetone or MEK should help remove this. I suggest removing before soldering to not contaminate the solder joints


Decoder Modules

The decoder modules take in the logic low pulses from the tone filters and use some logic circuitry to eventually send a signal to the timer module to start a cycle.


ICs:

U1 - Motorola MC14069UBCP[16] (Hex Inverter)

U2 - Motorola MC14050BCP[17] (Hex Buffer)

U3 - Motorola MC14073BCP[18] (B-Series Triple 3−Input AND Gate)

U4 - Motorola MC1455P1[19] (555 Timer)


Pinout (left to right):


  • Left
    • P1-1:
    • P1-2:
    • P1-3:
    • P1-4:
    • P1-5: Vin (+12v)


  • Right
    • P2-1: GND
    • P2-2:
    • P2-3:
    • P2-4:
    • P2-5:


  • Decoder modules topside

  • Decoder modules bottom side (mirrored to match top side)


Timer Module

More examination needs to be done, but this module appears to latch the relay for a configured amount of time. I have seen multiple of these on other models that can do more signals such as "Attack" or "Fire", some with more DIP switches populated. The covered DIP switches of SW1 control parameters of the timing cycle, feeding configuring the 8 bits of the Maxim timer IC. Those bits configure the time delay by connecting each of the pins 1 through 8 on the IC through the a 10kOhm resistor (R3) to VCC.


The stock DIP switch config for the steady 3 min cycle timer is, from left to right (Up = ON): up, down, up, down, down, up, down, up. This sets pins 1, 3, 6 and 8 high, and 2,4,5,and 7 low (the DIP switch numbers are backwards in reference to the IC pins). This equates to a RC time constant of 165.


Pin 13 of the IC is the RC input which is fed by a 1.1MOhm resistor and a 1uF 35v tantalum capacitor. Cross referencing those values in the datasheet chart, we get a RC timebase of ~1Hz, though measuring via scope it shows the period to be 0.66Hz (1.5sec/cycle exactly). The confusing part is that with these figures, we get a cycle time of ~110 seconds, not 180. Still not super clear how this works.

  • Wide view of the RC oscillator via pin 13

  • Decoder modules bottom side (mirrored to match top side)


At low values it seems to be pretty accurate (eg. 5 sec), but with my test of "180s" (8, 6, 5 and 4 high) yielded approximately 3m18s (almost 200s). Timing the stock setting gets 2m57s, or 177s.


ICs (Steady Cycle Timer 031-0389-000):


U1 - Motorola MC14081BCP[20] (B-Series CMOS Quad 2−Input AND Gate)

U2 - Motorola MC14011BCP[21] (B-Series CMOS Quad 2−Input NAND Gate)

U3 - N/A (Populated on other boards)

U4 - Maxim ICM7240IPE[22] (Programmable Timer/Counter IC)


Pinout (left to right):

There are no markings on this board but I will use the same naming convention as the others.


  • Left
    • P1-1: Signal Out to Relay Driver
    • P1-2: STOP (Local control via terminal strip) I assume this pulls pin 10 of the ICM7240 to GND(?) to reset the chip cycle. COM is referenced to GND on the terminal strip.
    • P1-3: START (Local control via terminal strip) I assume this pulls pin 11 of the ICM7240 to GND(?) to trigger the cycle.
    • P1-4: Trigger Input? (Goes to STOP terminal on terminal block as well as P2-4 on decoder module B?)
    • P1-5: Vin (+12v)


  • Right
    • P2-1: GND
    • P2-2: N/C on Main Board
    • P2-3: Coupled to GND via C44
    • P2-4: N/C on Main Board
    • P2-5: N/C on Main Board


  • Timer module topside

  • Timer module bottom side (mirrored to match top side)


Relay Driver Module

The relay driver is super simple, consisting of just 2 transistors (NTE85 and 2N3414), some resistors and 2 diodes. Not to mention the two LEDs as well. The whole purpose of the driver seems to be level shifting and driving the coil using the main DC supply of the board. Not much else to it.

  • Relay module topside

  • Relay module bottom side (mirrored to match top side)

  • Reverse engineered schematic of the relay driver.

Pinout (left to right):


  • Left
    • P1-1: N/C on Main Board, but traces route to it on driver board
    • P1-2: Signal Input from timer
    • P1-3: N/C on driver board
    • P1-4: N/C on driver board
    • P1-5: Vin (+17v)


  • Right
    • P2-1: GND
    • P2-2: Relay Coil
    • P2-3: Relay Coil
    • P2-4: N/C on Main Board, but traces route to it on driver board
    • P2-5: N/C on Main Board, but traces route to it on driver board


General Notes/Things to Watch Out For

  • On the back of the main board and parts of the tone filters there is a conformal coating. I suggest removing it before reflowing joints to prevent contamination of the solder. Acetone or M.E.K. seems to do well along with mechanical removal. Be careful with your application of force, you can very easily strip off the solder mask! Ask me how I know!
  • These devices are quite old, and excessive handling and stress seems to not play nice to the solder joints. I have fixed both the tone filters and receiver section by reflowing every joint with leaded solder.
  • Due to the XR2211A IC being obsolete and quite hard to source nowadays, I may try to design my own tone decoder board using the LM567 IC which is still available in SMD form factors. The LM567 also outputs a logic low when signal is detected, but the design will have to incorperate a LDO 5v regulator to power the chip from the 12v the cards get.
  • I have not adjusted any of the filter components on the receiver circuit yet, but I did run an experiment by leaving the device plugged in with the antenna attached inside my house while sending the activation signal from a few dense suburban blocks away. The board operated perfectly with 5W from my Anytone 878, turning on and off.


  1. https://www.fedsig.com/product/fc-siren-controller
  2. https://fccid.io/F49
  3. https://fccid.io/F49LCR-2
  4. https://fccid.io/F49LCR-1
  5. https://fccid.io/F49EMR-3
  6. https://fccid.io/F49EMR-2
  7. https://fccid.io/F49EMR-1
  8. https://fccid.io/F49CDF-2
  9. https://fccid.io/F49CDF-1
  10. https://fccid.io/F498POCDF-2
  11. https://fccid.io/F498POCDF-1
  12. https://www.mouser.com/datasheet/2/410/F_325X-1892699.pdf
  13. https://www.mouser.com/datasheet/2/149/mps5179-493155.pdf
  14. https://www.discriminator.nl/ic/mc3357.pdf
  15. https://assets.maxlinear.com/web/documents/xr2211av104.pdf
  16. https://www.mouser.com/datasheet/2/308/1/MC14069UB_D-2315482.pdf
  17. https://www.mouser.com/datasheet/2/308/1/mc14049b_d-1193035.pdf
  18. https://www.mouser.com/datasheet/2/308/1/MC14001B_D-2315187.pdf
  19. https://www.onsemi.com/pdf/datasheet/mc1455-d.pdf
  20. https://www.mouser.com/datasheet/2/308/1/MC14001B_D-2315187.pdf
  21. https://www.mouser.com/datasheet/2/308/1/MC14001B_D-2315187.pdf
  22. https://www.analog.com/media/jp/technical-documentation/data-sheets/1360.pdf
Retrieved from "https://wiki.recessim.com/w/index.php?title=CD%26F_(Siren_Controller)&oldid=2432"