Visonic Powerlink RS232 Hack

Forum about Visonic products like Powermax Plus and Powermax Pro

Moderators: Rene, Willem4ever

Re: Visonic Powerlink RS232 Hack

Postby Willem4ever » Thu Aug 04, 2011 7:03 am

Examples for pincode 1234

disarm

0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a

arm away

0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a

You will get an ack from the panel

0d 02 43 ba 0a

Followed by a 'type 8' message when your pin is incorrect

0d 08 43 b4 0a

Re: Visonic Powerlink RS232 Hack

Postby utz » Thu Aug 04, 2011 10:57 am

Cool. If any of you finds time, can you document this here... (I won't have time before the weekend): http://powermax.wikia.com/wiki/Powermax_Wiki
I try to get all the information on the protocol in one place.

Re: Visonic Powerlink RS232 Hack

Postby Bwired » Thu Aug 04, 2011 7:06 pm

working here also
[Attachment: vis1.jpg]
http://www.bwired.nl Online Home, Domotica, Home Automation. Weblog. http://blog.bwired.nl

Re: Visonic Powerlink RS232 Hack

Postby Rene » Thu Aug 04, 2011 7:11 pm

Thanks to Marcel from WaakZaamWonen I am back in business. My PowermaxPro panel seemed to be broken and lucky as I was, Marcel had a replacement. And best of all free of charge. Thanks Marcel!
Rene.

Re: Visonic Powerlink RS232 Hack

Postby utz » Fri Aug 05, 2011 10:37 am

Willem4ever, what would be the response to a wrong pin code? Is there an extra message for that or is it just that you do not get the 08 message?
Also, do you need to send an ACK back for 08 messages or is it like 02 messages that do not need an ack?

... just trying to document all bits in the wiki as we go along finding out more bits.

Willem4ever wrote:Examples for pincode 1234
0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a
You will get an ack from the panel
0d 02 43 ba 0a
Followed by a 'type 8' message when your pin is incorrect
0d 08 43 b4 0a

Re: Visonic Powerlink RS232 Hack

Postby Willem4ever » Fri Aug 05, 2011 10:44 am

This is the sequence of a disarm with the wrong pincode (using my code)

2011-08-05 11:37:15 0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a - OUT
2011-08-05 11:37:15 0d 02 43 ba 0a - C_OK - IN
2011-08-05 11:37:15 0d 08 43 b4 0a - C_OK - IN
2011-08-05 11:37:15 0d 02 fd 0a - OUT

I do not ack an ack and the Powermax seems happy with that :-) but I do ack error '8'

Re: Visonic Powerlink RS232 Hack

Postby utz » Fri Aug 05, 2011 11:43 am

Willem4ever, sorry I got it mixed up. The 08 message is only there when code is wrong ...

Re: Visonic Powerlink RS232 Hack

Postby Willem4ever » Fri Aug 05, 2011 11:58 am

Hi Utz,

In case of correct pincode you only get an ack (2)

In case of a wrong pincode you get an ack(2) followed by (8)
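
The ack/type-8 sequence described in the posts above, turned into a small log classifier that flags rejected PIN attempts on the serial link (an added example, not code from any poster). The function name and outcome labels are illustrative, and the last two log lines are constructed by reusing the arm-away frame quoted earlier.

```python
import re

# First four lines: Willem4ever's capture from this thread (wrong PIN).
# Last two lines: constructed for this example to show the ack-only case.
LOG = """\
2011-08-05 11:37:15 0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a - OUT
2011-08-05 11:37:15 0d 02 43 ba 0a - C_OK - IN
2011-08-05 11:37:15 0d 08 43 b4 0a - C_OK - IN
2011-08-05 11:37:15 0d 02 fd 0a - OUT
2011-08-05 11:40:02 0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a - OUT
2011-08-05 11:40:02 0d 02 43 ba 0a - C_OK - IN
"""

# timestamp, hex bytes, optional status token, direction
LINE = re.compile(r"^(\S+ \S+) ((?:[0-9a-f]{2} )+)- (?:\S+ - )?(IN|OUT)$")

def pin_outcomes(log):
    """Return [(timestamp, outcome)] for every a1 command sent to the panel."""
    results = []
    pending = None  # [timestamp, ack seen, type 8 seen] for the open command

    def flush():
        if pending:
            ts, acked, rejected = pending
            outcome = "rejected" if rejected else "accepted" if acked else "no-reply"
            results.append((ts, outcome))

    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        frame = bytes.fromhex(m.group(2).replace(" ", ""))
        if len(frame) < 4 or frame[0] != 0x0D or frame[-1] != 0x0A:
            continue  # not framed by preamble 0d / postamble 0a
        msg_type, direction = frame[1], m.group(3)
        if direction == "OUT" and msg_type == 0xA1:
            flush()  # close the previous command before opening a new one
            pending = [m.group(1), False, False]
        elif direction == "IN" and pending:
            if msg_type == 0x02:
                pending[1] = True
            elif msg_type == 0x08:
                pending[2] = True
    flush()
    return results

if __name__ == "__main__":
    for ts, outcome in pin_outcomes(LOG):
        print(ts, outcome)
```

The classifier reports only timestamps and outcomes, so the PIN bytes carried in the a1 frame are not copied into its output.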

Re: Visonic Powerlink RS232 Hack

Postby Bwired » Fri Aug 05, 2011 12:04 pm

Everything works like a train in the Bwired setting.
Arming and disarming from my application also works great.
In this topic, however, there are some differences between the translations of the bytes (status, sensors etc)
But that is not a big problem, just a matter of reversing stuff

Very great job all!!
This is a major breakthrough in controlling (friendly hacking) the Visonic Powermax alarm panels (like Powermax Pro and Plus)
And the most important thing is that until now it's a very stable setup.

Nice thing is that we had this option for more than 10 years under our noses :D

Re: Visonic Powerlink RS232 Hack

Postby utz » Fri Aug 05, 2011 1:19 pm

I noticed as well that people have different views on what all the bits mean in the different messages. That's why I tried to get a central place that people can edit to collect the truth; I used this wiki space here: (http://powermax.wikia.com/wiki/Powermax_Wiki). However, if you people here have a better place on where to collect and allow collaborative editing I am happy to move the things there. I hope to get at the end a proper protocol specification that people can use for implementation of their different home automation systems.

Re: Visonic Powerlink RS232 Hack

Postby Alexander » Fri Aug 05, 2011 2:11 pm

and now hope there aren't any burglars that know anything about hacking to disable your alarm from remote :D
Alexander

Re: Visonic Powerlink RS232 Hack

Postby utz » Fri Aug 05, 2011 2:13 pm

Rene wrote:I have an update of the information provided so far.
The byte before the postamble is the checksum, which is calculated as follows:
1. Sum all bytes except for the preamble, postamble and the checksum itself, of course.
2. Divide this sum by 255.
3. Take the one's complement of the remainder.

In Python this looks as follows (where message contains only the bytes that need to be added to the sum):
Code:
checksum = 0  # running sum of the message bytes
for char in message:
    checksum += ord(char)
checksum = (checksum % 255) ^ 0xFF



I think what they actually do for checksum is:
1) Fill an 8-bit register with 0xFF
2) Subtract the next byte in the message from the value in the register (ignoring overflows)
3) After the message is received the register contains the checksum value

so you can do
Code:
checksum = 0xFF
for each char in message do
    checksum = checksum - char


or, to just change your code a bit:
Code:
checksum = 0  # running sum of the message bytes
for char in message:
    checksum += ord(char)
checksum = 0xFF - (checksum % 255)


That is important for people like me that have to program in Lua, which can't do bitwise operations like ^

Re: Visonic Powerlink RS232 Hack

Postby Rene » Fri Aug 05, 2011 3:59 pm

Guess what, your algorithm is the only right one. I just had a bad checksum where the sum of the bytes was 0xFF. My algorithm resulted in a checksum of 0xFF, where it should have been 0x00. Your algorithm results in 0x00!
Rene.
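
The checksum variants from the posts above, run against the frames quoted in this thread (an added example, not code from any poster). Function names and the end-around-borrow reading of "ignoring overflows" are assumptions, and `EDGE` is a constructed payload whose bytes sum to 0xFF.

```python
PREAMBLE, POSTAMBLE = 0x0D, 0x0A

# Frames quoted in this thread, labelled with the role the posts give them.
FRAMES = {
    "disarm":    "0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a",
    "arm away":  "0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a",
    "panel ack": "0d 02 43 ba 0a",
    "type 8":    "0d 08 43 b4 0a",
    "host ack":  "0d 02 fd 0a",
}
# Constructed payload whose bytes sum to exactly 0xFF (the case Rene reports).
EDGE = bytes([0xA5, 0x5A])

def checksum_mod255(payload):
    """Rene's formula: one's complement of (byte sum mod 255)."""
    return (sum(payload) % 255) ^ 0xFF

def checksum_wrap256(payload):
    """8-bit register starting at 0xFF, with borrows simply discarded."""
    return (0xFF - sum(payload)) & 0xFF

def checksum_end_around(payload):
    """Same register, but each borrow is folded back in (assumed reading)."""
    reg = 0xFF
    for b in payload:
        reg -= b
        if reg < 0:
            reg += 255  # +256 for the 8-bit wrap, -1 for the borrow
    return reg

def split_frame(hex_frame):
    """Return (payload, received checksum); reject anything not framed 0d .. 0a."""
    raw = bytes.fromhex(hex_frame.replace(" ", ""))
    if len(raw) < 4 or raw[0] != PREAMBLE or raw[-1] != POSTAMBLE:
        raise ValueError("missing preamble/postamble")
    return raw[1:-2], raw[-2]

def verified(algorithm):
    """Names of the thread's frames whose checksum byte the algorithm reproduces."""
    ok = []
    for name, frame in FRAMES.items():
        payload, received = split_frame(frame)
        if algorithm(payload) == received:
            ok.append(name)
    return ok

if __name__ == "__main__":
    for algo in (checksum_mod255, checksum_wrap256, checksum_end_around):
        print(f"{algo.__name__}: ok={verified(algo)} edge=0x{algo(EDGE):02x}")
```

Only the end-around variant reproduces both the five quoted frames and the 0x00 result Rene reports for a byte sum of 0xFF; the plain wraparound register matches only the frames whose byte sum stays below 256. A receiver that drops frames failing this check avoids acting on corrupted serial data.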

Re: Visonic Powerlink RS232 Hack

Postby Willem4ever » Fri Aug 05, 2011 5:36 pm

What is the datastream causing the problem?

Re: Visonic Powerlink RS232 Hack

Postby Rene » Fri Aug 05, 2011 8:38 pm

I do not recall, but the sum of the bytes was 255.
Rene.
