Visonic Powerlink RS232 Hack

Posted: Tue Jul 19, 2011 8:40 am
by utz
I am trying to mimic the functionality of a powerlink with my own piece of software/hardware. Basically, my aim is to control my powermax+ alarm panel directly via RS232 using my home automation system. Thus, I need to reverse engineer the RS232 protocol of the powermax+. So far, I am able to establish communication with the powermax and receive events from the panel (sensors such as movement/door; arming/disarming/... events). What I now need to figure out is what the commands sent to the panel look like. However, as I do not have a powerlink it is hard for me to figure this out. I thought maybe someone here who owns a powerlink could send a few commands from his powerlink to the powermax (such as arming/disarming/...) and sniff the rs232 communication.... (Some more discussion can be found here: http://forum.micasaverde.com/index.php?topic=6884.0)

The protocol elements that I figured out so far are:

Messages To Panel:
AB Message (15Byte): 0D AB 0A 00 01 00 00 00 00 00 00 00 43 06 0A
Sent to start panel reporting

02 Message (4Byte): 0D 02 FD 0A
Must be sent to panel to acknowledge messages

Messages From Panel:
02 Message (5Byte): 0D 02 43 BA 0A
Acknowledge AB message sent to panel

A5 Message (15 Byte): 0D A5 XX <TYPE> <ARM> <DEVICE> <ZONE> <EVENT> XX XX XX XX XX XX 0A
General event indication
TYPE, byte 4: 
	0x04 - event (for type see byte 6)
ARM, byte 5: 
	0x00 - disarmed  
	0x01 - arming home
	0x02 - arming away
	0x03 - follow mode
	0x04 - alarm activated home
	0x05 - alarm activated away
DEVICE, byte 6:
	0x0X - alarm event (alarm activated)
	0x2X - sensor event (evaluate byte 8 to determine type of event)
		the lower 4 bit of byte 6 indicate
		bit 1 - 0:not ready to arm 
			1:ready to arm
		bit 2 - 0:no alarm in memory
			1:alarm in memory
		bit 3 - 0:no tamper
			1:system tamper
	0x4X - arming event (evaluate byte 5 to determine type of arming)
		the lower 4 bit of byte 6 indicate
		bit 1 - 0:not ready to arm
			1:ready to arm
		bit 2 - 0:no alarm in memory
			1:alarm in memory
	0x6x - same as 0x2X but while arming (exit delay) 
ZONE, byte 7
	the zone id
EVENT, byte 8
	0x01 - tamper open
	0x02 - tamper close
	0x03 - open
	0x04 - close
	0x05 - movement
	(I expect others will be: flood, fire, ...) 

A7 Message (15 Byte): 0D A5 XX XX XX <TYPE> XX XX XX XX XX XX XX XX 0A
General panel status indication
TYPE, byte 6:
	0x0X - alarm
		0x06 tamper alarm on (sensor)
		0x07 tamper alarm on (panel)
	0x1X - alarm off
		0x13 low battery alarm off
		0x16 tamper alarm off (sensor)
		0x17 tamper alarm off (panel)
	0x21 - low battery alarm
	0x51 - armed home
	0x52 - armed away
	0x55 - disarmed
	0x60 - admin login on panel
	0x61 - admin logout on panel
Example A5 messages

Window Zone 07 open
0D A5 00 04 00 20 07 03 00 03 AF 0F 43 27 0A
Window Zone 07 close
0D A5 00 04 00 21 07 04 00 03 AF 0F 43 25 0A
Movement Zone 11
0D A5 00 04 00 21 0B 05 00 03 AF 0F 43 20 0A
Movement in Zone 11 with tamper alarm in memory
0D A5 00 04 00 23 0B 05 00 03 AF 0F 43 1E 0A
Door Open in Zone 01 while arming away (exit delay)
0D A5 00 04 02 60 01 03 00 03 00 00 43 A9 0A
Door Close in Zone 01 while arming away (exit delay)
0D A5 00 04 02 61 01 04 00 03 00 00 43 A7 0A
Arming Away
0D A5 00 04 02 41 00 00 00 03 AF 0F 43 0E 0A
Arming Home
0D A5 00 04 01 41 00 00 00 03 AF 0F 43 0F 0A
Disarming
0D A5 00 04 00 41 00 00 00 03 AF 0F 43 10 0A
Not ready to arm
0D A5 00 04 00 40 00 00 00 03 AF 0F 43 11 0A

Example A7 Messages
Disarmed
0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DC 0A
Armed Home
0D A7 01 00 20 51 00 00 00 03 AF 0F 43 E0 0A
Armed Away
0D A7 01 00 21 52 00 00 00 03 00 00 43 9D 0A
Tamper With Panel
0D A7 01 00 00 07 00 00 40 03 AF 0F 43 0B 0A 
Tamper Restore On Panel
0D A7 01 00 00 17 00 00 00 03 AF 0F 43 3B 0A
Tamper With Sensor 
0D A7 01 00 0F 06 0F 01 00 03 AF 0F 43 2D 0A
Tamper Restore With Sensor 
0D A7 01 00 0F 16 0F 02 00 03 AF 0F 43 1C 0A
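
The A5 and A7 field tables above turned into a decoder, as an added example (this is not code from the thread; it uses utz's 1-based byte numbering and the Python the thread's plugins are written in). The A7 decoder reads only byte 6, the one field the table defines.

```python
# Field tables copied from the post (A5 byte 4 = 0x04 events; A7 byte 6 status codes).
A5_ARM = {0x00: "disarmed", 0x01: "arming home", 0x02: "arming away", 0x03: "follow mode",
          0x04: "alarm activated home", 0x05: "alarm activated away"}
A5_EVENT = {0x01: "tamper open", 0x02: "tamper close", 0x03: "open", 0x04: "close", 0x05: "movement"}
A5_DEVICE = {0x0: "alarm", 0x2: "sensor", 0x4: "arming", 0x6: "sensor (exit delay)"}
A7_STATUS = {0x06: "tamper alarm on (sensor)", 0x07: "tamper alarm on (panel)", 0x13: "low battery alarm off",
             0x16: "tamper alarm off (sensor)", 0x17: "tamper alarm off (panel)", 0x21: "low battery alarm",
             0x51: "armed home", 0x52: "armed away", 0x55: "disarmed",
             0x60: "admin login on panel", 0x61: "admin logout on panel"}

def parse_frame(hexstr, expect_id):
    """Hex as written in the post -> bytes, checking preamble, postamble, length and message id."""
    f = bytes.fromhex(hexstr)
    if len(f) != 15 or f[0] != 0x0D or f[-1] != 0x0A or f[1] != expect_id:
        raise ValueError("not a 15-byte 0x%02X frame" % expect_id)
    return f

def decode_a5(hexstr):
    """Decode TYPE/ARM/DEVICE/ZONE/EVENT (bytes 4..8, 1-based as in the post) of an A5 frame."""
    f = parse_frame(hexstr, 0xA5)
    if f[3] != 0x04:                      # byte 4: only TYPE 0x04 (event) is described so far
        return {"type": f[3], "kind": "unknown"}
    device = f[5]                         # byte 6: high nibble = event class, low nibble = flags
    kind = A5_DEVICE.get(device >> 4, "unknown")
    out = {"type": 0x04, "kind": kind, "arm": A5_ARM.get(f[4], "?"),
           "zone": f[6], "event": A5_EVENT.get(f[7], "?")}
    if kind != "alarm":                   # the post defines flags for sensor and arming events only
        out["ready"] = bool(device & 0x1)            # "bit 1" in the post is the least significant bit
        out["alarm_in_memory"] = bool(device & 0x2)
        if kind != "arming":
            out["tamper"] = bool(device & 0x4)
    return out

def decode_a7(hexstr):
    """Decode byte 6 of an A7 panel status frame; the other bytes are XX in the post."""
    f = parse_frame(hexstr, 0xA7)
    return {"status": A7_STATUS.get(f[5], "unknown 0x%02X" % f[5])}

if __name__ == "__main__":
    for hx in ("0D A5 00 04 00 20 07 03 00 03 AF 0F 43 27 0A",   # window zone 07 open
               "0D A5 00 04 00 23 0B 05 00 03 AF 0F 43 1E 0A",   # movement zone 11, alarm in memory
               "0D A5 00 04 02 41 00 00 00 03 AF 0F 43 0E 0A"):  # arming away
        print(hx, "->", decode_a5(hx))
    print(decode_a7("0D A7 01 00 00 07 00 00 40 03 AF 0F 43 0B 0A"))  # tamper with panel
```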

Re: Visonic Powerlink2 Hacked

Posted: Wed Jul 20, 2011 10:56 pm
by Rene
Very interesting!

Re: Visonic Powerlink2 Hacked

Posted: Thu Jul 21, 2011 6:00 pm
by Odin
Another new user here - I bought powerlink 2 also and am interested in seeing how far we get with 'opening' it to enhance my automation ideas.

Saying that I can't even get the thing to email me alerts/alarms etc!

Re: Visonic Powerlink2 Hacked

Posted: Thu Jul 21, 2011 6:58 pm
by utz
My goal is to replace the powerlink completely by a pc (or home automation system). So far I managed to get the powermax reporting to a PC (so I can now use the powermax similar to what an rfxcomm receiver is doing). What I need to do is to figure out what to send the other way (from PC to powermax). Maybe someone that is the proud owner of a powerlink can have a look at the communication between powerlink and powermax(for example using http://www.lammertbies.nl/comm/cable/RS ... nitor.html)?

Alternatively, if you can hack into the powermax it may be possible to do this without a sniffer cable. The powermax is a unix and there is software to look at the communication there (/dev/tty).

Maybe even simpler, maybe there is a logfile on the powermax which reveals the data send over serial.

Anyone able to help?

I just do not want to buy a powerlink myself just to analyze the communication and then throw the thing in the bin (a bit of an expensive procedure).

Re: Visonic Powerlink2 Hacked

Posted: Fri Jul 22, 2011 5:39 pm
by utz
Thanks Odin.

Some description (including password) on how to get into the powerlink can be found here: http://voksenlia.net/powerlink/

I assume you have an external powerlink that is connected via a serial cable to the powermax (I am asking as there are as well internal powerlink modules that are installed within a powermax and then it is harder to get to the communication link).

You can't look at a logfile on the powermax (it is an embedded system and does not have a filesystem as such; there are log messages in memory but they are not useful).

The rs232 cable is just for communication, it does not power any of the units (as far as I know but I will check).

If it is needed to sniff the rs232 link (as we can't get to it via the powerlink) I can see if I can produce a sniffer cable and then post it to you (that would take a bit of time as I have to get the pieces, solder it together and in particular test it).

Re: Visonic Powerlink RS232 Hack

Posted: Mon Jul 25, 2011 11:15 pm
by Rene
I quickly wrote a HouseAgent plugin that emulates the Powerlink as described above and started analyzing the messages coming in.

I have an update of the information provided so far.
The 0x0D byte is clearly the preamble and the 0x0A byte the postamble. The byte before the postamble is the checksum, which is calculated as follows:
1. Sum all bytes except for the preamble, postamble and, of course, the checksum itself.
2. Divide this sum by 255.
3. Take the one's complement of the remainder.

In Python this looks as follows (where message contains only the bytes that need to be added to the sum):

checksum = 0                  # message: only the bytes between the 0x0D preamble and the checksum
for char in message:
    checksum += ord(char)     # ord() for a str message; iterating a bytes object already gives ints
checksum = (checksum % 255) ^ 0xFF

Some more values for the different bytes I found in the messages (the first byte of the message is byte 1, as used in the previous post (I would have used 0 instead)):

For a 0xA5 message (byte 2 of the message):

BYTE 4:
		0x01 = Initiate arming home or away (no further information)
		0x02 = Keep Alive
		0x04 -> Information??
		0x07 -> During arming home and away

BYTE 5 when BYTE 4 = 0x04:
		0x00 = DISARMED
		0x01 = ARMING HOME (EXIT DELAY)
		0x02 = ARMING AWAY (EXIT DELAY)
		0x03 = ARMED AWAY (ENTRY DELAY)
		0x04 = ARMED HOME
		0x05 = ARMED AWAY

BYTE 6 when BYTE 4 = 0x04:
		0x01 -> during arming away and just after armed away, status panel = Ready
		0x11 -> Rate of beeps during exit delay increased (last 10 seconds)
		0x20 -> Status not ready
		0x21 -> Status ready
		0x40 -> Arm or disarm event and status panel = Not Ready (just before A7 goes to disarmed)
		0x41 -> Arm or disarm event and status panel = Ready
		0xA0 -> Just after disarm event and status panel = Not Ready
		0xA1 -> Just after disarm event and status panel = Ready
		0xE0 -> During entry delay while beeps are sounding

BYTE 9 when BYTE 4 = 0x04:
		0x01 -> for every sensor event

BYTE 10 when BYTE 4 = 0x04:
		0x22 -> During exit delay and entry delay
		0x30 -> For every sensor event
		0x32 -> During exit delay and entry delay
		0x34 -> During exit delay and when keyfob AUX is pressed
		0x36 -> During exit delay and when keyfob AUX is pressed

For a 0xA7 message:

BYTE 2:
		0x01 -> A status change of the panel initiated by an event (can also be a keyfob!)
BYTE 4:	
		0x00 -> Panel event?
		0x1F = Keyfob N1 event
		0x21 = Keyfob N3 event
		0x27 -> ?

BYTE 5:
		0x51 -> Armed Home via Keyfob
		0x52 -> Armed Away via Keyfob
		0x53 -> Armed Home via Panel
		0x55 -> Disarmed via Keyfob/panel

BYTE 6:	Zone number (sometimes) 

Re: Visonic Powerlink RS232 Hack

Posted: Mon Jul 25, 2011 11:23 pm
by Digit
This is becoming very interesting, I was about to buy a Powerlink :lol:

Re: Visonic Powerlink RS232 Hack

Posted: Mon Jul 25, 2011 11:29 pm
by Rene
It is, so help us ;-)

The thing I am most curious about, but which cannot be found without a Powerlink, are the commands used to arm and disarm the panel from the Powerlink interface.

Re: Visonic Powerlink RS232 Hack

Posted: Tue Jul 26, 2011 12:48 am
by Digit
I will :D
There are some options, which I will have a look at asap...

Re: Visonic Powerlink RS232 Hack

Posted: Tue Jul 26, 2011 10:56 am
by utz
@Rene
Thanks for decoding the checksum part. I tried a variety of CRC algorithms and XOR approaches but could not get it.

I wrote a plugin for my home automation system and it is up and running for over a week. So, I think the communication link can be considered stable.

We should maybe think about a place to document the protocol (maybe a wiki or something)

Re: Visonic Powerlink RS232 Hack

Posted: Wed Jul 27, 2011 3:18 pm
by Willem4ever
When byte 4 = 2 (status / idle message), bytes 5, 6, 7 and 8 show the zones which are open.

0D A5 00 02 02 20 00 00 00 00 00 00 43 F2 0A

In the example zone 2 and zone 14 are open.

Re: Visonic Powerlink RS232 Hack

Posted: Wed Jul 27, 2011 7:43 pm
by Rene
Confirmed: In the keep alive message (Byte 4 = 0x02), bytes 5, 6, 7 and 8 indicate which zones are open. Each bit corresponds with a zone. Bit 0 of byte 5 corresponds to zone 1, bit 1 with zone 2, bit 1 of byte 6 with zone 9 etc.

Byte 9 and 10 when byte 4 = 0x04 have something to do with X10 and PGM outputs. But I cannot figure out what they exactly mean.
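
The open-zone bitmap from Willem4ever's and Rene's posts as an added example (not the thread's own code). It assumes bit 0 of byte 6 is zone 9, which is what Willem4ever's frame implies (byte 6 = 0x20 meaning zone 14); the checksum rule and the 0x43 at byte 13 are taken from the earlier posts.

```python
def open_zones(frame):
    """Zones flagged open in a keep-alive (byte 4 = 0x02) A5 frame, as an ascending list."""
    if len(frame) != 15 or frame[1] != 0xA5 or frame[3] != 0x02:
        raise ValueError("not a 15-byte A5 keep-alive frame")
    zones = []
    for i, b in enumerate(frame[4:8]):          # bytes 5..8, 1-based as in the thread
        for bit in range(8):
            if b & (1 << bit):
                zones.append(8 * i + bit + 1)   # ASSUMED: bit 0 of byte 6 is zone 9, and so on
    return zones

def keepalive_frame(zones):
    """Inverse, to build test frames: the keep-alive that flags the given zones (1..32).
    Checksum per Rene's rule; byte 13 = 0x43 is copied from the captures (meaning unknown)."""
    mask = bytearray(4)
    for z in zones:
        if not 1 <= z <= 32:
            raise ValueError("zone %d outside 1..32" % z)
        mask[(z - 1) // 8] |= 1 << ((z - 1) % 8)
    body = bytes([0xA5, 0x00, 0x02]) + bytes(mask) + bytes(4) + bytes([0x43])
    return bytes([0x0D]) + body + bytes([(sum(body) % 255) ^ 0xFF, 0x0A])

if __name__ == "__main__":
    captured = bytes.fromhex("0D A5 00 02 02 20 00 00 00 00 00 00 43 F2 0A")  # Willem4ever's frame
    print(open_zones(captured))                       # [2, 14]
    print(keepalive_frame([2, 14]).hex(" ").upper())  # reproduces the captured frame
```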

Re: Visonic Powerlink RS232 Hack

Posted: Wed Jul 27, 2011 10:18 pm
by utz
I created a wiki page here: http://powermax.wikia.com/wiki/Powermax_Wiki

The idea is to use this place to collaboratively come up with the protocol specification.

Please edit if you find out more about the protocol.

If it does not work let me know (I never used this wiki before, so I do not know if it works out)

Re: Visonic Powerlink RS232 Hack

Posted: Thu Jul 28, 2011 9:51 am
by Willem4ever
I found that the below calculation doesn't always work correctly

checksum = 0
for char in message:
    checksum += ord(char)
checksum = (checksum % 255) ^ 0xFF

Now taking the data streams below and ONLY adding up all the bytes (incl. the checksum itself) in the stream, with the exception of the pre-amble and the post-amble:

0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DC 0A
Checksum = 2fd
0D A5 00 04 00 20 07 03 00 03 AF 0F 43 27 0A
Checksum = 1fe
0D A7 01 00 12 4E 00 00 00 03 00 00 43 B0 0A
Checksum = 1fe
0D 02 FD 0A
Checksum = ff

-----

Now taking the below perl example results in the following output ($hd contains the full message, incl. pre-amble and post-amble - $z contains the length )

my $chk = 0;
for (my $x = 1; $x < $z - 1; $x++) {   # skip $hd[0] (pre-amble) and $hd[$z-1] (post-amble)
    $chk += $hd[$x];
}
$chk = int($chk / 0x100) + ($chk % 0x100);   # fold the carry byte back onto the low byte

0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DC 0A
Checksum = ff
0D A5 00 04 00 20 07 03 00 03 AF 0F 43 27 0A
Checksum = ff
0D A7 01 00 12 4E 00 00 00 03 00 00 43 B0 0A
Checksum = ff
0D 02 FD 0A
Checksum = ff

Now the proof of the pudding, by altering the stream:
0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DB 0A
Checksum = fe
0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DD 0A
Checksum = 100
0D 02 FE 0A
Checksum = 1
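
Rene's checksum rule and Willem4ever's receive-side fold side by side, as an added example that is not code from the thread; the sample frames are the ones quoted in this thread, including the two altered ones.

```python
def checksum(body):
    """Rene's rule: sum the bytes between the preamble and the checksum, mod 255, one's complement."""
    return (sum(body) % 255) ^ 0xFF

def build_frame(body):
    """Wrap a message body as 0x0D <body> <checksum> 0x0A, e.g. for the 02 ack or the AB start message."""
    return bytes([0x0D]) + bytes(body) + bytes([checksum(body), 0x0A])

def folded_sum(frame):
    """Willem4ever's receive-side check: add every byte between preamble and postamble,
    checksum included, then add the carry byte back onto the low byte."""
    total = sum(frame[1:-1])
    return (total >> 8) + (total & 0xFF)

def frame_ok(frame):
    """A frame verifies when the folded sum comes out as exactly 0xFF."""
    return len(frame) >= 4 and frame[0] == 0x0D and frame[-1] == 0x0A and folded_sum(frame) == 0xFF

# Frames quoted in the thread (the last two are Willem4ever's deliberately altered ones).
SAMPLES = {
    "A7 disarmed":     "0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DC 0A",
    "A5 zone 7 open":  "0D A5 00 04 00 20 07 03 00 03 AF 0F 43 27 0A",
    "ack to panel":    "0D 02 FD 0A",
    "A7 altered (DB)": "0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DB 0A",
    "A7 altered (DD)": "0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DD 0A",
}

def check_samples():
    """{name: (folded sum, verifies?, checksum Rene's rule gives for that body)}."""
    result = {}
    for name, hx in SAMPLES.items():
        f = bytes.fromhex(hx)
        result[name] = (folded_sum(f), frame_ok(f), checksum(f[1:-2]))
    return result

if __name__ == "__main__":
    for name, (fold, ok, expect) in check_samples().items():
        print("%-16s folded=%03X verifies=%-5s rene=%02X" % (name, fold, ok, expect))
```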

Re: Visonic Powerlink RS232 Hack

Posted: Thu Jul 28, 2011 10:50 am
by utz
How to read messages?

Currently we do not know the full set of messages that may come out of the powermax. Messages can have any length and they can have 0D and 0A in the message body. So we cannot just simply read until we get 0A. Would it be a good idea to read until we have some 0A and the checksum between the last 0D and 0A works out?

My implementation currently ignores unknown messages and I only read the ones I know (A5, A7, ...) as I know their length upfront.

Any suggestion?
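
One way to do the framing utz proposes in his question, as an added example (not the thread's code): treat a frame as the shortest 0x0D ... 0x0A span whose checksum, by Rene's rule, verifies, and carry whatever does not yet verify over to the next read. The sample stream is constructed for this example.

```python
def checksum_ok(frame):
    """True when the byte before the 0x0A postamble matches Rene's checksum of the body."""
    body, chk = frame[1:-2], frame[-2]
    return ((sum(body) % 255) ^ 0xFF) == chk

def extract_frames(stream, min_len=4):
    """Split a receive buffer into validated frames; returns (frames, unconsumed tail).
    The tail is an incomplete frame (or stray bytes) the caller prepends to the next read."""
    frames, i = [], 0
    while True:
        start = stream.find(0x0D, i)
        if start < 0:
            return frames, b""
        end = stream.find(0x0A, start + min_len - 1)   # 0D 02 FD 0A is the shortest frame
        while end >= 0 and not checksum_ok(stream[start:end + 1]):
            end = stream.find(0x0A, end + 1)           # that 0x0A was body data; keep scanning
        if end < 0:
            return frames, bytes(stream[start:])       # nothing validates yet: wait for more bytes
        frames.append(bytes(stream[start:end + 1]))
        i = end + 1

# Constructed test stream: the panel ACK, a keep-alive whose body contains 0x0A
# (checksum computed with Rene's rule), and the first 10 bytes of a second keep-alive.
ACK = bytes.fromhex("0D 02 FD 0A")
KEEPALIVE_WITH_0A = bytes.fromhex("0D A5 00 02 0A 00 00 00 00 00 00 00 43 0B 0A")
KEEPALIVE_2 = bytes.fromhex("0D A5 00 02 02 20 00 00 00 00 00 00 43 F2 0A")

def demo():
    """Feed the stream in two reads, carrying the leftover across; returns both results."""
    first, rest = extract_frames(ACK + KEEPALIVE_WITH_0A + KEEPALIVE_2[:10])
    second, rest2 = extract_frames(rest + KEEPALIVE_2[10:])
    return first, rest, second, rest2

if __name__ == "__main__":
    first, rest, second, rest2 = demo()
    print([f.hex(" ") for f in first], "leftover:", rest.hex(" "))
    print([f.hex(" ") for f in second], "leftover:", rest2)
```

A one-byte checksum accepts a wrong split about once in 256 tries, so combining this scan with the known lengths of the A5, A7 and 02 messages (as utz's implementation already does) makes the resynchronisation stronger.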