
Re: Visonic Powerlink2 Hacked

Posted: Tue Jun 21, 2011 7:32 am
by mhn
Thanks.

It sounds like the Powermax is quite a mess. :-|

Re: Visonic Powerlink2 Hacked

Posted: Fri Jul 22, 2011 6:42 am
by Odin
Utz, I am willing to help you with this as I wish to open up the powerlink module myself and there may be complementary gains to be had here.

How do I get the root password for the powerlink module? If we know this then I can log on and have a root around. A port scan reveals TCP ports 22, 23 and 6310 are open.

Alternatively, how do I look at the log file on the powermax?

If necessary I am willing to try the RS232 method - I assume this is also powering the powerlink module from the powermax unit?

If you are on Skype maybe you can private msg me your id and we can talk that way and ultimately share our knowledge later.

Re: Visonic Powerlink2 Hacked

Posted: Mon Aug 08, 2011 5:02 pm
by Odin
I am getting the following HTTP request being sent to Visonic every minute or so -

GET /scripts/update.php?serial=03cegc&id=03cegc&account=001234&ver_hw=123&ver_sw=6.1.11&ver_var=6000&upgrade_status=0&configuration_status=0 HTTP/1.1

This gets the following response:

status =0&ka_time =120&allow =0&

Does anyone know what the response would be if the powerlink was registered?

Re: Visonic Powerlink2 Hacked

Posted: Sun Sep 25, 2011 11:56 pm
by rl40
I have been wondering the same thing. I do know you do not want to change the allow=0 to allow=1 in the response. I echoed this from my own server (by setting the C.S. reporting IP address to my server). This will disable access to the web interface. Changing it back does restore access. I did panic when I first changed the status and I couldn't access the PowerLink until I remembered I changed it.
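
Added example, not part of the original thread: a small Python parser for the update.php check-in and reply quoted in the two posts above, listing which query fields identify the installation and which reply fields are present. The function names are hypothetical; the request and reply strings are copied from the posts.

```python
from urllib.parse import parse_qsl, urlsplit

BEACON = ("GET /scripts/update.php?serial=03cegc&id=03cegc&account=001234"
          "&ver_hw=123&ver_sw=6.1.11&ver_var=6000&upgrade_status=0"
          "&configuration_status=0 HTTP/1.1")
REPLY = "status =0&ka_time =120&allow =0&"  # both strings copied from the posts

IDENTIFYING = ("serial", "id", "account")      # tie the traffic to one install
FINGERPRINT = ("ver_hw", "ver_sw", "ver_var")  # reveal hardware/firmware level


def parse_beacon(request_line):
    """Split 'GET <target> HTTP/1.1' into (path, {param: value})."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("not a GET check-in")
    url = urlsplit(target)
    return url.path, dict(parse_qsl(url.query, keep_blank_values=True))


def parse_reply(body):
    """Parse the reply by hand: keys carry a stray space, body ends in '&'."""
    fields = {}
    for pair in body.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit(request_line, body):
    """Return the points a reviewer would note about one exchange."""
    path, params = parse_beacon(request_line)
    reply = parse_reply(body)
    findings = [f"check-in path: {path}"]
    leaked = [k for k in IDENTIFYING if params.get(k)]
    if leaked:
        findings.append("identifiers in query string: " + ", ".join(leaked))
    versions = [f"{k}={params[k]}" for k in FINGERPRINT if k in params]
    if versions:
        findings.append("version fields: " + ", ".join(versions))
    for key in ("allow", "ka_time"):  # allow=1 disabled rl40's web interface
        if key in reply:
            findings.append(f"reply field {key}={reply[key]}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(BEACON, REPLY)))
```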

Re: Visonic Powerlink2 Hacked

Posted: Tue Nov 01, 2011 4:21 pm
by Tozz
I just received my Powerlink2, and hacked some PHP together to (dis)arm my system. All working fine ;)

While running Wireshark on my network I discovered the PowerLink2 is sending data back to (I assume) Visonic. It also includes the login username. I can't see any reason they would need to know when I log in to my own system, so I firewalled their subnet. You might want to do the same.

Re: Visonic Powerlink2 Hacked

Posted: Sun Nov 06, 2011 12:34 am
by manno
Hi Tozz, I am curious as to what you have seen as far as the data being sent back to Visonic. Did you have their IP addresses listed in any of the IP RCVR options in the PowerMax? I ask because I have also set up an alerting system via local PHP but had to use my internal IP server address in the IP RCVR. Also running tcpdump on my router to catch anything sent to/from my powerlink device and have not seen anything sent or received to Visonic as of yet. Was also wondering if you would be kind enough to send me the subnet that you firewalled so that I can do the same. Agree, no one should know the status of my system other than me. This whole system kind of really irritates me since it's expensive and doesn't allow a whole lot of user control.

Re: Visonic Powerlink2 Hacked

Posted: Fri Mar 09, 2012 10:04 am
by MrGrape
Hey all,

My first post, I've been reading a lot on this board and I'm impressed by all the expertise around here! I've been playing around with my PowerMax Pro and Powerlink2 over the last few evenings, and managed to get a PHP script running to (dis)arm my alarm panel and read the sensor information and all. I can post it later if somebody is interested.

My question is about the application of the last part, reading the sensor information. What is a practical way to use this sensor information in a home automation environment? Suppose you would want something to happen when the front door opens. Would you poll for a status update of the sensor every 1 second or so? It doesn't seem very economical to poll the sensors 86400 times a day to catch maybe 10 changes of state. Wouldn't it put a big strain on the server, the network, and on the CPU of the PowerMax itself? Or isn't this the way to go, and I'd better use a receiver like RFXCOM instead to get my sensor updates?

Thanks!

Re: Visonic Powerlink2 Hacked

Posted: Fri Mar 09, 2012 10:48 am
by Bwired
Agreed, polling every 1 second is not a good option.
We have all been down this road, and most of them switched to the RS232 connection to the Visonic.
viewtopic.php?f=68&t=6581
This one is event driven, so the powermax triggers your app when something changes.

It's also possible to receive all the Visonic detectors with Rfxcom or the Alphatronics receiver.
The advantage of the Rfxcom is that you can receive a lot of other devices as well.

Re: Visonic Powerlink2 Hacked

Posted: Fri Mar 09, 2012 5:00 pm
by MrGrape
Thanks, I didn't realize the RS232 option was event driven, I'll look into that for sure! My main concern was (and still is...) running yet another cable from my PC to my alarm panel (big house, different floors, uncooperative wife :lol:). I might try and see if I can find some nice "RS232-over-LAN" solution for that!

Maybe the Rfxcom with a 868MHz extension or a similar device isn't such a bad idea after all...

Re: Visonic Powerlink2 Hacked

Posted: Fri Mar 09, 2012 9:40 pm
by Digit
(RS232, 485, USB, 1-Wire, etc) over Ethernet is the best solution IMO. It may cost a bit more, but it's very flexible and reliable.

Re: Visonic Powerlink2 Hacked

Posted: Wed Aug 22, 2012 8:46 pm
by asd09fj2d
Can anyone post their PHP scripts? I am just trying to set my system up to set status Arm/Away/Home.

Re: Visonic Powerlink2 Hacked

Posted: Sat Jan 18, 2014 6:53 pm
by lmaurice
I'm also interested in PHP scripts just for arming or disarming.
If anyone has it....

Best regards,
Laurent

Re: Visonic Powerlink2 Hacked

Posted: Sat Jan 18, 2014 8:23 pm
by lmaurice
For the moment, I tried something like that.
<?php

echo 'Hello ';

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,"http://192.168.1.200/web/ajax/login.login.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS,
"user=Admin&pass=Admin");

// in real life you should use something like:
// curl_setopt($ch, CURLOPT_POSTFIELDS,
// http_build_query(array('postvar1' => 'value1')));

// receive server response ...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$server_output = curl_exec ($ch);

echo $server_output;

curl_close ($ch);


$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,"http://192.168.1.200/web/ajax/security.main.status.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);


curl_setopt($ch, CURLOPT_POSTFIELDS,
"set=ArmAway");


// receive server response ...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$server_output = curl_exec ($ch);

echo $server_output;

curl_close ($ch);

echo "end";
?>


I received an OK from the connection part, but nothing from the Arm one.

Best regards,
Laurent

Re: Visonic Powerlink2 Hacked

Posted: Sun Jan 19, 2014 11:24 am
by lmaurice
Hello everybody,

When playing the PHP script, I receive from the Powerlink2 server:
For the connection:
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2000 08:18:27 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Set-Cookie: PowerLink=0ca39037aa045d091773570af5387066; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=1200, pre-check=1200
Last-Modified: Thu, 20 Oct 2011 10:26:17 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

OK1

For the arming request:
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2000 08:18:28 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Cache-Control: private, max-age=1200, pre-check=1200
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Thu, 20 Oct 2011 10:26:17 GMT
Pragma: no-cache
Set-Cookie: PowerLink=108ea8c259cd6f02dbda59dc2e90774d; path=/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

But nothing happens on the alarm itself.
Maybe I have to do something with the cookie numbers provided.
I don't know.
If someone can help me, it would be very kind.

Thank you in advance,
Laurent
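
Added example, not from the original poster: the two captures above carry different PowerLink session ids, which under standard PHP session handling (an assumption here) means the arming request arrived without the login cookie and was given a new, unauthenticated session. This Python code extracts the cookie from each response and builds the header the second request needed; the function names are hypothetical and the header lines are copied from the captures.

```python
from http.cookies import SimpleCookie

# Header lines copied from the two captures in the post above.
LOGIN_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PowerLink=0ca39037aa045d091773570af5387066; path=/",
    "Content-Type: text/html",
]
ARM_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PowerLink=108ea8c259cd6f02dbda59dc2e90774d; path=/",
    "Content-Type: text/html",
]


def session_cookie(header_lines, name="PowerLink"):
    """Return the value of the named cookie set by a response, or None."""
    for line in header_lines[1:]:            # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        if name in jar:
            return jar[name].value
    return None


def cookie_header(login_headers, name="PowerLink"):
    """Header the follow-up request must carry to stay in the login session."""
    value = session_cookie(login_headers, name)
    if value is None:
        raise ValueError("login response set no session cookie")
    return f"Cookie: {name}={value}"


def diagnose(login_headers, followup_headers, name="PowerLink"):
    """Compare the session ids issued to one client by two responses."""
    first = session_cookie(login_headers, name)
    second = session_cookie(followup_headers, name)
    if second is None or second == first:
        return "follow-up stayed in the login session"
    return "follow-up got a fresh session id: the login cookie was not sent"


if __name__ == "__main__":
    print(diagnose(LOGIN_HEADERS, ARM_HEADERS))
    print("needed:", cookie_header(LOGIN_HEADERS))
```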

Re: Visonic Powerlink2 Hacked

Posted: Sun Jan 19, 2014 1:22 pm
by lmaurice
Finally, I achieved it.
You will find below a PHP script which works for arming or disarming the Powermax Pro.
You just have to change the IP address of the Powerlink2, the connection information and the action to perform (Disarm, ArmAway or ArmHome).

Best regards,
Laurent

<?php

// Step 1: log in to the Powerlink2 web interface.
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "http://192.168.1.200/web/ajax/login.login.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, "user=Admin&pass=Admin");
// Save the PowerLink session cookie from the login reply and send it back
// on later requests; the file path must be writable by the PHP process.
curl_setopt($ch, CURLOPT_COOKIEJAR, '/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/cookies.txt');

$server_output = curl_exec($ch);

// Step 2: reuse the same handle, and therefore the same session cookie,
// for the arm/disarm request.
curl_setopt($ch, CURLOPT_URL, "http://192.168.1.200/web/ajax/security.main.status.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, "set=Disarm"); // ArmAway, ArmHome or Disarm

$server_output = curl_exec($ch);

curl_close($ch);

?>