Alarm system: request to expose keypad codes entered as part of deconz_alarm_events

Hi,
DeCONZ 2.29.3 beta has some great improved support for keypads and alarms via deconz. Thanks for the work in this!
I wanted to know if it was possible to have deconz expose the 4 digit codes that get entered by users.
Similar to how ZHA does it.
event_type: zha_event
data:
  device_ieee: 00:0d:6f:00:15:74:86:bc
  unique_id: 00:0d:6f:00:15:74:86:bc:1:0x0501
  device_id: dc8c2629e4a29da1cc7af0c10cb262c2
  endpoint_id: 1
  cluster_id: 1281
  command: arm
  args:
    arm_mode: 0
    arm_mode_description: Disarm
    code: "1234"
    zone_id: 0
  params: {}
origin: LOCAL
time_fired: "2024-02-04T17:32:26.071555+00:00"
context:
  id: 01HNTJVD2QESPJXK66XK735CK6
  parent_id: null
  user_id: null

Right now in Home Assistant when I listen for deconz_alarm_event, I see something like this below for invalid code events.
The actual code entered is not passed, though. I don’t get any events for successful arming events either.

event_type: deconz_alarm_event
data:
  id: ancillarycontrol_30
  unique_id: 00:0d:6f:00:13:44:55:65
  device_id: dda560983f98da2de1d7b8ce095068fb
  event: invalid_code
origin: LOCAL
time_fired: "2025-04-10T18:36:00.031166+00:00"
context:
  id: 01JRGFSJMZDJ8R3BJBKWKCD8TK
  parent_id: null
  user_id: null

I’d like to ultimately figure out how to use HA to configure codes for different users, one time user codes, etc…
I’m looking for functionality similar to what this plugin provides for HA when used with ZHA. It relies on the entered codes being exposed though. If we can expose the codes through deconz I will attempt to modify this project to have it work with deconz as well as ZHA.

It would be great if the user-entered code could be passed for valid arm/disarm requests as well as invalid arm/disarm events.

@Smanar Hope it is ok to tag you. You helped me with my last request and I wanted to get your thoughts on this ask?

If entered codes can be exposed like it is with other zigbee controllers then it could open up more useful use cases.

Hello, no problem, I have already seen your post but I didn’t answer because I don’t have much hope.

I already tried when I created the ACE stuff; it was refused for security reasons, too dangerous if the code is visible on HTTP traffic. So Manup created the AlarmSystem: everything is handled directly by deconz, not by a third-party app, which is more secure because the code is only visible on Zigbee traffic.

And for information, I started something a long time ago to manage codes and make the use of RFID possible. It was not refused, but it is still on the waiting list: “ADD code/RFID support to keypad device” by Smanar (Pull Request #5918, dresden-elektronik/deconz-rest-plugin, GitHub).

I can help you make the code if you are able to compile the C++ code (it means if you have a real OS, not those fuc… dockers), but there is little chance of seeing the code in deconz one day.

Thanks for the reply @Smanar.
If I understand correctly, your PR allows for RFID and/or multiple codes to be set that can arm or disarm the alarm system. And it keeps the codes secure.
That is an improvement!
I still think exposing invalid codes entered would be a nice feature. These exposed codes would not disarm or arm the alarm system. They are invalid for the alarm system function so why not allow exposing them? And then they could be used for triggering other actions.

I think for now I’ll just wait for the release of your PR!
Thanks.

My PR will never be validated ^^.

They are invalid for the alarm system function so why not allow exposing them?

Because sometimes they can be valid.

I was thinking to only expose the code entered, if invalid.
But maybe that’s not possible.

Why is your PR never going to be included?

That would make a brute force easier. Knowing which ones are wrong.

If it doesn’t disarm wouldn’t you know it was wrong as well? You would know that now when entering a wrong code right?

Also true, but it requires the attacker to know what they tried.

Also: a passive attacker (one that isn’t brute forcing but just listening) is also getting the codes.

For example, if your code is 1223 and you make a mistake (1224 and perhaps later 1222), it’s easier for that attacker to figure out the code.
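
Added example, not part of the thread and not deconz code: a short Python calculation of how far the mistyped entries from the example above (1224, then 1222) narrow a 4-digit code space if invalid codes were exposed. It assumes each invalid entry is a typo with at most one wrong digit; the function names are hypothetical.

```python
from itertools import product

DIGITS = "0123456789"

def hamming(a: str, b: str) -> int:
    """Number of positions where two equal-length codes differ."""
    return sum(x != y for x, y in zip(a, b))

def candidates(observed_invalid, length=4, max_typos=1):
    """Codes still consistent with the observed invalid entries.

    Assumption (not from the thread): every invalid entry is a mistyped
    version of the real code with at most `max_typos` wrong digits.
    """
    observed = list(observed_invalid)
    remaining = []
    for digits in product(DIGITS, repeat=length):
        code = "".join(digits)
        if code in observed:
            continue  # reported as invalid, so it is not the real code
        if all(hamming(code, seen) <= max_typos for seen in observed):
            remaining.append(code)
    return remaining

def exposure_report(observed_invalid, length=4):
    """Summarise how much the leaked entries narrow the code space."""
    left = candidates(observed_invalid, length)
    return {"total": len(DIGITS) ** length, "remaining": len(left), "codes": left}

if __name__ == "__main__":
    # Constructed sequence from the thread's example: real code 1223,
    # mistyped as 1224 and later as 1222.
    for leaked in ([], ["1224"], ["1224", "1222"]):
        report = exposure_report(leaked)
        print(leaked, "->", report["remaining"], "of", report["total"])
```

Under that typo assumption, one exposed mistake already cuts the space from 10000 to a few dozen codes, which is the argument for keeping even invalid entries off the HTTP/event side.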

OK, makes sense.
Still, it would be nice to have the option if this were being used for other use cases that are not security related. I’ll stand down on requesting to expose codes. :smile:

@Smanar’s PR, though, I think does keep the codes hidden (but I might be mistaken here) and allowed multiple codes to be configured to allow for, say, a guest pass. That would still be nice.