DIGOO DG-HOSA – Part 1 (Teardown and Hardware)

Banggood page

This project started with the idea of purchasing a cheap security system off one of the Chinese stores. After a little hunting, I found Digoo DG HOSA 433MHz 2G&GSM&WIFI Smart Home Security Alarm System Protective Shell Alert with APP which looked interesting so picked one up to tear apart. I was curious about how various communication methods were implemented.

This is the first part of this adventure the next part will be exploring the firmware of the device. With that let's take a look at the hardware.

Teardown Time

After the device showed up, I quickly got down to taking the device apart. In my haste, I didn't take many good photos of it intact. The front side of the board is straight forward; it contains the screen, button array for all user input, and a lot of useful test points. The front side is pictured below.

Board Front

The most significant information found on the front side of the board is the notation PG-103, which is also found in the firmware (spoiler). After some searching, I found this device is also branded as the PGST PG-103. This kind of rebranding of hardware is not unusual for a lot of Chinese devices.

Now switching to the back of the board, which is the business side of the board with the main chips and modules providing the various communication methods. When opening that device I encountered the intrusion detection button. This button causes the device to go into an alarm mode and require a reset of the device to come back online. For my testing, I bypassed this button bridging both sides of it.

Back of Board
Board Back

Component List

When inspecting the board, I found a few significant components and modules on the board. I was not surprised to see that most of the major communication parts are off the shelf modules. The components listed below are highlighted in the image above and the relevant data sheets where available are linked.

The main processor is a GigaDevice GD32 chip which is a series that is very similar to the of STMicroelectronics STM32 chips. The GD32F105 chip uses an ARM-based instruction set and has the same pinout as the STM32F105 component.

Block Diagram

The high-level block diagram for the device is pretty straight forward. The GD32F105 chip is the primary processing and control of the external communication modules. This allows for a modular architecture all of the peripherals.

 |  Cellular             +-----------+
 |  Quictel M26          |           |
 +-----------------------+           |
 +-----------------------+  +--------+-------+
 |  WIFI                 +--+   CPU          |
 |  HF-LPB120-1          |  |   GD32F105RCT6 |
 +-----------------------+  +--------+-+-----+
 +-----------------------+           | |
 |  433mhz receiver      |           | |
 |  SYN511R              +-----------+ |
 +-----------------------+             |
 +-----------------------+             |
 |  Keypad Controller    +-------------+
 |  Holtek BS83B16A-3    |

Pin Out

When exploring the board there are many test points on the board and tracing them out I was able to trace out most of the pins to where they connect on the controller.

  • SYN515R Pin 10 (DO) -> CPU PB9 (62)
  • Unknown -> CPU PA5
  • Unknown -> CPU PA6
  • Unknown -> CPU PA8
  • U7 SCL -> Unknown
  • U7 SDA -> Unknown
  • DAC_OUT -> CPU PA4 (20)
  • WIFI UART TX -> CPU PA2 (16)
  • WIFI UART RX -> CPU PA3 (17)
  • GSM UART TX -> CPU PA12 (45)
  • GSM UART RX -> CPU PA13 (46)
  • U1 (F117) Pin 6 -> CPU PB 8


After investigating the hardware I was able to extract the firmware and start the reversing process. I will cover what I have found in future posts. For now, if you are interested in more higher resolution photos of the board I have posted them on my Flickr account.

Author: Ben Mason

Technical Architect - Computer Networking - Security - Electronics Hobbyist - Sometimes Photographer - Spaceflight - Cat Enthusiast - HAM KC1GDJ

11 thoughts on “DIGOO DG-HOSA – Part 1 (Teardown and Hardware)”

  1. Hi, I recently bought the PG-103 SmartAlarm in order to reverse engineering it (for FUN). However, I’m new in the world of reverse engineering, so I’m trying my best with radare2. Can you give me some guidance on how to extract the firmware and how to reprogram it with the same firmware? I mean, what is starting memory address for extracting and reprogram ALL the firmware in order to play with the Alarm and restore it to the original status.

    Also, I’m interested in finding if this Alarm is locked to a Chinese server or if I can be connected to a personal server. Have you found anything about this?

    1. From the looks of the firmware, it is a pretty custom integration to the provided service. It woudl take a lot of work to RE the protocol or alter the firmware integrate to a new system.

    1. I am working on the next part describing the extraction of the firmware, the RE of the current firmware has bene slow going withe other projects and my day job taking up a lot of my time.

  2. Any further news about reversing firmware? I have another model, based on same cpu family, it would be interesthing to make alarm more usable.

    1. I’ve been slowly working on the firmware in Radare2 but other projects have taken up a lot of my time recently. What is the other model you have? I would be curious about the similarities.

  3. Hello . I have locked keyboard and forgot password. Do you know how can I “reset” it?

    1. Yes, it has a 3.7v 500mah LiPo battery that is not pictured and was attached to the outer case.

Leave a Reply

Your email address will not be published. Required fields are marked *