Re: Visonic Powerlink RS232 Hack

Posted: Thu Aug 04, 2011 8:03 am
by Willem4ever
Examples for pincode 1234

disarm

0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a

arm away

0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a

You will get an ack from the panel

0d 02 43 ba 0a

Followed by a 'type 8' message when your pin is incorrect

0d 08 43 b4 0a

Re: Visonic Powerlink RS232 Hack

Posted: Thu Aug 04, 2011 11:57 am
by utz
Cool. If any of you finds time, can you document this here... (I won't have time before the weekend): http://powermax.wikia.com/wiki/Powermax_Wiki
I try to get all the information on the protocol in one place.

Re: Visonic Powerlink RS232 Hack

Posted: Thu Aug 04, 2011 8:06 pm
by Bwired
working here also

Re: Visonic Powerlink RS232 Hack

Posted: Thu Aug 04, 2011 8:11 pm
by Rene
Thanks to Marcel from WaakZaamWonen I am back in business. My PowermaxPro panel seemed to be broken and lucky as I was, Marcel had a replacement. And best of all free of charge. Thanks Marcel!

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 11:37 am
by utz
Willem4ever, what would be the response to a wrong pin code? Is there an extra message for that or is it just that you do not get the 08 message?
Also, do you need to send an ACK back for 08 messages or is it like 02 messages that do not need an ack?

... just trying to document all bits in the wiki as we go along finding out more bits.
Willem4ever wrote: Examples for pincode 1234
0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a
You will get an ack from the panel
0d 02 43 ba 0a
Followed by a 'type 8' message when your pin is incorrect
0d 08 43 b4 0a

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 11:44 am
by Willem4ever
This is the sequence of a disarm with the wrong pincode (using my code)

2011-08-05 11:37:15 0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a - OUT
2011-08-05 11:37:15 0d 02 43 ba 0a - C_OK - IN
2011-08-05 11:37:15 0d 08 43 b4 0a - C_OK - IN
2011-08-05 11:37:15 0d 02 fd 0a - OUT

I do not ack an ack and the Powermax seems happy with that :-) but I do ack error '8'

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 12:43 pm
by utz
Willem4ever, sorry I got it mixed up. The 08 message is only there when code is wrong ...

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 12:58 pm
by Willem4ever
Hi Utz,

In case of correct pincode you only get an ack (2)

In case of a wrong pincode you get an ack(2) followed by (8)

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 1:04 pm
by Bwired
Everything works like a train in the Bwired setting.
arming and disarming from my application works also great.
In this topic, however, there are some differences between the translations of the bytes (status, sensors etc)
But that is not a big problem, just a matter of reversing stuff

very great job all!!
This is a major breakthrough in controlling (friendly hacking) the Visonic Powermax alarm panels (like Powermax Pro and Plus)
And the most important thing is that until now it's a very stable setup.

Nice thing is that we had this option for more than 10 years under our noses :D

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 2:19 pm
by utz
I noticed as well that people have different views on what all the bits mean in the different messages. That's why I tried to get a central place that people can edit to collect the truth; I used this wiki space here: (http://powermax.wikia.com/wiki/Powermax_Wiki). However, if you people here have a better place on where to collect and allow collaborative editing I am happy to move the things there. I hope to get at the end a proper protocol specification that people can use for implementation of their different home automation systems.

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 3:11 pm
by Alexander
and now hope there aren't any burglars that know anything about hacking to disable your alarm from remote :D

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 3:13 pm
by utz
Rene wrote: I have an update of the information provided so far.
The byte before the postamble is the checksum which is calculated as follows:
1. Sum all bytes except for the preamble, postamble and the checksum itself of course.
2. Divide this sum by 255.
3. Take the one's complement of the remainder.

In Python this looks as follows (where message contains only the bytes that need to be added to the sum):

checksum = 0
for char in message:
    checksum += ord(char)  # sum of the bytes between preamble and checksum
checksum = (checksum % 255) ^ 0xFF  # one's complement of the remainder

I think what they actually do for checksum is:
1) Fill an 8-bit register with 0xFF
2) Subtract the next byte in the message from the value in the register (ignoring overflows)
3) After the message is received the register contains the checksum value

so you can do

checksum = 0xFF
for each char in message do
    checksum = checksum - char

or, to just change your code a bit:

checksum = 0
for char in message:
    checksum += ord(char)
checksum = 0xFF - (checksum % 255)

That is important for people like me that have to program in Lua, which can't do bitwise operations like ^

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 4:59 pm
by Rene
Guess what, your algorithm is the only right one. I just had a bad checksum where the sum of the bytes was 0xFF. My algorithm resulted in a checksum of 0xFF, where it should have been 0x00. Your algorithm results in 0x00!

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 6:36 pm
by Willem4ever
What is the datastream causing the problem?

Re: Visonic Powerlink RS232 Hack

Posted: Fri Aug 05, 2011 9:38 pm
by Rene
I do not recall, but the sum of the bytes was 255.
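
Added example (not code from any poster in this thread): a Python 3 frame checker that applies the modulo-255 checksum discussed above, including the 0x00 result Rene reports for a byte sum of 0xFF, to the frames quoted in the posts, and classifies the panel's replies as Willem4ever describes (ack only, or ack followed by a type 8). Function names are made up for the example, and mapping every sum that is a multiple of 255 to 0x00 is an assumption generalised from that single report.

```python
PREAMBLE, POSTAMBLE = 0x0D, 0x0A
ACK, WRONG_PIN = 0x02, 0x08  # message types as described in the thread


def checksum(body: bytes) -> int:
    """Checksum over the bytes between the preamble and the checksum byte."""
    value = 0xFF - (sum(body) % 0xFF)
    # Assumption from Rene's report: a byte sum of 0xFF must give 0x00, not
    # 0xFF; generalised here to every sum that is a multiple of 255.
    return 0x00 if value == 0xFF else value


def xor_checksum(body: bytes) -> int:
    """The first variant quoted in the thread, kept for comparison."""
    return (sum(body) % 255) ^ 0xFF


def parse_frame(hex_text: str) -> bytes:
    """Validate framing and checksum; return the body (type byte first)."""
    raw = bytes.fromhex(hex_text)
    if len(raw) < 4 or raw[0] != PREAMBLE or raw[-1] != POSTAMBLE:
        raise ValueError("bad preamble/postamble or frame too short")
    body, received = raw[1:-2], raw[-2]
    if checksum(body) != received:
        raise ValueError("checksum mismatch: got %02x, expected %02x"
                         % (received, checksum(body)))
    return body


def pin_result(replies):
    """Classify the panel's replies to an arm/disarm command."""
    types = [parse_frame(r)[0] for r in replies]
    if not types or types[0] != ACK:
        return "no-ack"
    return "rejected" if WRONG_PIN in types[1:] else "accepted"


# Frames copied from the posts above.
PAGE_FRAMES = [
    "0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a",  # disarm
    "0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a",  # arm away
    "0d 02 43 ba 0a", "0d 08 43 b4 0a", "0d 02 fd 0a",
]

if __name__ == "__main__":
    for frame in PAGE_FRAMES:
        print(frame, "->", parse_frame(frame).hex())
    print(pin_result(["0d 02 43 ba 0a", "0d 08 43 b4 0a"]))
    print(checksum(b"\xff"), xor_checksum(b"\xff"))  # the edge case
```

All five frames from the posts verify with this checksum; the two variants differ only when the byte sum is a multiple of 255.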