Page 4 of 10

Re: Visonic Powerlink RS232 Hack

PostPosted: Fri Aug 05, 2011 9:19 pm
by Rene
I added a lot of information to the wiki. One remark: the byte numbering is a bit odd; I would start numbering at the byte containing the command (0xA5, 0xA7), starting with 0.

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 9:20 am
by Bwired
Agree with Rene, now it can be confusing :)

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 4:03 pm
by utz
Bwired wrote: agree with Rene, now it can be confusing :)


I don't mind. If you all prefer counting that way we can change. It's a wiki, so if anyone finds time, just change it...

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 6:51 pm
by Odin
Wow guys, I've just come back from a 2-week holiday and found you have moved things on very nicely. Well done and thanks for all the efforts.

I have a Powermax Complete panel and the newer powerlink module so I'm hoping that I can hook into this - when things have settled down at home I will see if this works with my Complete panel and provide input.

I was just wondering if the protocol is already exposed from the previous root account logon hacking attempt?

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 9:32 pm
by Bwired
The story continues, there is a lot of information in the Visonic.
I found some other messages which can be used to retrieve information from the powermax like:

- Which Zones you have
- Keyfobs
- Passwords
- Panelsettings
- Comm settings
- Eventlist (log)
- Full download
- x10 etc

To retrieve this you need to log in first; after that the info can be fetched.
Looks like it can be combined with the other messages like 05 and 07; the login does not interrupt, so it seems, still needs testing :)

The output needs to be translated, so who helps with this?

Code:
Login, needs to be done first
0D 24 00 00 AA AA 00 00 00 00 00 00 86 0A
after login you can send the below requests

** Request Pincode
0D 3E FA 01 10 00 B0 34 00 00 00 00 D0 0A
Answer: (pincode 2025 and 1234)
0D 02 FD 0A 0D 3F FA 01 10 20 05 12 34 00 00 00 00 00 00 00 00 00 00 00 00 09 0A 

** Request Zones
0D 3E 00 09 78 00 B0 04 14 90 73 06 6D 0A

** Request last 250 Events (log), very handy, all actions like arm, disarm etc. are in there
0D 02 FD 0A 0D 3E DF 04 28 03 B0 03 01 04 02 27 D0 0A

** Request Keyfobs
0D 02 FD 0A 0D 3E 78 09 40 00 B0 00 20 21 15 00 F8 0A

** logout, not needed I guess
0D 0F F0 0A

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 9:40 pm
by Willem4ever
Not 02 messages; actually you have 2 messages here: the first one is an ack, the second is the last events?? I guess you are snooping the remote programmer ;-)

0D 02 FD 0A

0D 3E DF 04 28 03 B0 03 01 04 02 27 D0 0A

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 9:45 pm
by Bwired
Yep, very easy to get :D
Changed the topic, you were right.

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 10:09 pm
by Rene
Found a lot today, now time to document ;-)

Request log messages:
Code:
0xA0 0x00 0x00 0x00 <pin> <pin> 0x00 0x00 0x00 0x00 0x00 0x43


Response:
Code:
0xA0 0xFB 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x03 0x00 0x43
      |    |
      |    Row
      Total number of rows

0xA0 0xFB 0x02 0x07 0x38 0x16 0x06 0x08 0x0B 0x4D 0x33 0x43
      |    |    |    |    |    |    |    |    |    |
      |    |    |    |    |    |    |    |    |    Telephone line failure
      |    |    |    |    |    |    |    |    ?
      |    |    |    |    |    |    |    Year
      |    |    |    |    |    |    Month
      |    |    |    |    |    Day
      |    |    |    |    Hour
      |    |    |    Minute
      |    |    ?
      |    Row
      Total number of rows
.
.
0xA0 0xFB 0xFB .............
           |
           Row (So the last row)
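As an added example (not Rene's code and not from the wiki), here is a Python request builder and row decoder for this log format, using the field positions in the annotation above and numbering bytes from the command byte as 0. Three things in it are assumptions, not facts from the thread: the <pin> slots hold the user code as two BCD bytes (the layout seen in the pincode answer earlier on this page), the year byte is an offset from 2000 (0x0B -> 2011), and only the one event code identified so far, 0x33, gets a name; bytes 3 and 9 are passed through undecoded.

```python
# Added example, not code from the thread: encode the 0xA0 log request and decode
# the 0xA0 0xFB response rows. Only the 12-byte payload is handled here; the
# 0x0D/0x0A framing and the checksum are outside this snippet.
from datetime import datetime

# The thread identifies one event code so far (0x33); others are reported raw.
EVENT_NAMES = {0x33: "Telephone line failure"}


def bcd_pin(pin):
    # Assumption: <pin> <pin> is the 4-digit user code packed as two BCD bytes,
    # e.g. '1234' -> 0x12 0x34, matching the "20 05 12 34" pincode answer above.
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    return bytes((int(pin[:2], 16), int(pin[2:], 16)))


def log_request(pin):
    # 0xA0 0x00 0x00 0x00 <pin> <pin> 0x00 0x00 0x00 0x00 0x00 0x43
    return bytes([0xA0, 0x00, 0x00, 0x00]) + bcd_pin(pin) + bytes(5) + bytes([0x43])


def parse_log_row(row):
    """Decode one 12-byte 0xA0 response row into a dict.
    Bytes 3 and 9 are still unidentified in the thread and are passed through raw."""
    if len(row) != 12 or row[0] != 0xA0 or row[11] != 0x43:
        raise ValueError("not a 0xA0 log row: %s" % row.hex())
    total, index = row[1], row[2]
    minute, hour, day, month, year = row[4], row[5], row[6], row[7], row[8]
    # Rene's first row carries an all-zero date, which datetime() rejects, so a
    # row without a valid date gets timestamp None instead of an exception.
    # Assumption: the year byte counts from 2000 (0x0B -> 2011).
    try:
        stamp = datetime(2000 + year, month, day, hour, minute)
    except ValueError:
        stamp = None
    code = row[10]
    return {
        "row": index, "total": total, "timestamp": stamp,
        "event_code": code, "event": EVENT_NAMES.get(code, "unknown 0x%02X" % code),
        "byte3": row[3], "byte9": row[9],
    }


def parse_log(rows):
    return [parse_log_row(r) for r in rows]


# The two rows Rene posted above (0xFB rows in total, rows 1 and 2).
SAMPLE_ROWS = [
    bytes.fromhex("A0 FB 01 00 00 00 00 00 00 03 00 43"),
    bytes.fromhex("A0 FB 02 07 38 16 06 08 0B 4D 33 43"),
]

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_ROWS):
        print("row %3d/%d  %s  %s" % (rec["row"], rec["total"], rec["timestamp"], rec["event"]))
```

Running it decodes row 2 as 2011-08-06 22:56 "Telephone line failure" and row 1, whose date bytes are all zero, with no timestamp, so a decoder built this way does not fall over on whatever the all-zero first row turns out to be.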

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 10:17 pm
by Rene
The system state flags (byte 4) in a 0xA5 command with byte 2 = 0x04:
byte 4 & 0x01 = 0x01 -> Ready
byte 4 & 0x01 = 0x00 -> Not Ready
byte 4 & 0x02 = 0x02 -> Alerts in memory
byte 4 & 0x02 = 0x00 -> No alerts in memory
byte 4 & 0x04 = 0x04 -> Trouble
byte 4 & 0x04 = 0x00 -> No trouble
byte 4 & 0x08 = 0x08 -> Bypass on
byte 4 & 0x08 = 0x00 -> Bypass off
byte 4 & 0x10 = 0x10 -> Last 10 seconds (in entry or exit delay)

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 10:28 pm
by Rene
I do not know what it is doing, but I see the Powerlink send the following request regularly:
Code:
0xAB  0x06  0x00  0x00  0x00  0x00  0x00  0x00  0x00  0x00  0x00  0x43


The response is (also when sent from your own code):
Code:
0xA5 0x09 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x43
      |    |
      |    Row
      Total number of rows
0xA5 0x09 0x02 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
0xA5 0x09 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
0xA5 0x09 0x04 0x00 0x06 0x00 0x00 0x00 0x01 0x00 0x00 0x43
0xA5 0x09 0x05 0x00 0x00 0x00 0x07 0x00 0x00 0x12 0x34 0x43
0xA5 0x09 0x06 0xFF 0xFF 0x01 0x00 0x00 0x00 0x00 0x00 0x43
0xA5 0x09 0x07 0x00 0x00 0x00 0x00 0x00 0x01 0x10 0x00 0x43
0xA5 0x09 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
0xA5 0x09 0x09 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43


And from then on the Powermax sends every 30 seconds the following message:
Code:
0xAB 0x03 0x00 0x1E 0x00 0x34 0x36 0x30 0x36 0x00 0x00 0x43


and every 20 seconds:
Code:
0xAB 0x05 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 10:30 pm
by Rene
Arm home instant:
Code:
0xA1 0x00 0x00 0x14 <pin> <pin> 0x00 0x00 0x00 0x00 0x00 0x43

Re: Visonic Powerlink RS232 Hack

PostPosted: Sat Aug 06, 2011 10:40 pm
by Rene
BTW I had problems with the checksum again so I modified the calculation as follows (in Python):

Code:
def checksum(message):
    # message is everything between the 0x0D start byte and the checksum byte;
    # accept bytes (Python 3) as well as a str (Python 2, as originally written)
    checksum = 0
    for char in message:
        checksum += char if isinstance(char, int) else ord(char)
    checksum = checksum % 255
    if checksum != 0:
        checksum = checksum ^ 0xFF
    return checksum

Re: Visonic Powerlink RS232 Hack

PostPosted: Sun Aug 07, 2011 10:23 am
by utz
Nice progress. Arming/Disarming works for me now too. Does anyone know if there is a way to figure out the current state of the panel? For example, if you have to reboot your home automation server and you need to find out what state the panel is in?

Re: Visonic Powerlink RS232 Hack

PostPosted: Sun Aug 07, 2011 10:48 am
by Rene
I am working on that. When monitoring the traffic between Powermax and Powerlink I periodically notice a complete dump of the Powermax (it seems). I already decoded lots of this, the definition of the zones, keyfobs, pin codes etc. However, I still do not know how to trigger this dump.

This morning I was playing a bit and noticed you don't have to issue any command when you make the serial connection to trigger the Powermax sending messages. I also figured out that the Powermax sends a message when you try to install a Powerlink from the menu. When you respond to this message, your code is enrolled as a Powerlink and some behaviour of the Powermax changes.

Re: Visonic Powerlink RS232 Hack

PostPosted: Sun Aug 07, 2011 11:39 am
by Willem4ever
This is how to get the status from the Powermax!!! Issue a 0xA2 message and the status is returned to you - yeah, it is that simple...

Code:
2011-08-07 12:34:05.157518  0d a2 00 00 00 00 00 00 00 00 00 00 43 1a 0a - OUT
2011-08-07 12:34:05.726058  0d 02 43 ba 0a - C_OK - IN - DUP
2011-08-07 12:34:05.745951  0d a5 09 01 00 00 00 00 00 00 00 00 43 0d 0a - C_OK - IN
2011-08-07 12:34:05.746029  0d 02 fd 0a - OUT
2011-08-07 12:34:05.816539  0d a5 09 02 03 24 00 00 00 00 00 00 43 e4 0a - C_OK - IN
2011-08-07 12:34:05.816574  0d 02 fd 0a - OUT
2011-08-07 12:34:05.885910  0d a5 09 03 00 00 00 00 00 00 00 00 43 0b 0a - C_OK - IN
2011-08-07 12:34:05.885945  0d 02 fd 0a - OUT
2011-08-07 12:34:05.955915  0d a5 09 04 00 60 04 05 00 04 00 00 43 9c 0a - C_OK - IN
2011-08-07 12:34:05.955992  0d 02 fd 0a - OUT
2011-08-07 12:34:06.015953  0d a5 09 05 00 00 00 07 00 00 12 34 43 bb 0a - C_OK - IN
2011-08-07 12:34:06.015992  0d 02 fd 0a - OUT
2011-08-07 12:34:06.086038  0d a5 09 06 ff 3f 00 00 00 00 00 00 43 c8 0a - C_OK - IN
2011-08-07 12:34:06.086081  0d 02 fd 0a - OUT
2011-08-07 12:34:06.155936  0d a5 09 07 00 00 00 00 00 11 00 00 43 f5 0a - C_OK - IN
2011-08-07 12:34:06.155970  0d 02 fd 0a - OUT
2011-08-07 12:34:06.226056  0d a5 09 08 00 00 00 00 00 00 00 00 43 06 0a - C_OK - IN
2011-08-07 12:34:06.226122  0d 02 fd 0a - OUT
2011-08-07 12:34:06.295948  0d a5 09 09 00 00 00 00 00 00 00 00 43 05 0a - C_OK - IN
2011-08-07 12:34:06.295985  0d 02 fd 0a - OUT
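As an added example, not code from this thread or from Visonic: a small Python frame layer put together from what the captures on this page show (0x0D start byte, 12-byte payload, checksum, 0x0A end byte, with the checksum rule from Rene's Python earlier on the page), plus the 0xA2 status request from this post, Rene's 0xA1 arm-home-instant command, and a decoder for the 0xA5 0x09 rows that applies the byte-4 flag bits Rene listed to row 4. It replays Willem4ever's capture above with the timestamps dropped and verifies every checksum. The BCD packing of the pin and the reporting of the three high bits of byte 4 as "unknown" are assumptions; the thread has only identified the low five bits.

```python
# Added example (not the thread's code): framing, checksum verification and
# status decoding for the 0xA2 exchange captured above.

START, END = 0x0D, 0x0A


def checksum(payload):
    # Same rule as the checksum code earlier in the thread: sum the payload,
    # reduce mod 255, invert unless the remainder is 0.
    s = sum(payload) % 255
    return 0 if s == 0 else s ^ 0xFF


def frame(payload):
    # 0x0D <payload> <checksum over the payload only> 0x0A, as in every capture here
    return bytes([START]) + bytes(payload) + bytes([checksum(payload), END])


def unframe(raw):
    """Strip the 0x0D/0x0A framing and verify the checksum; ValueError on a bad frame."""
    if len(raw) < 4 or raw[0] != START or raw[-1] != END:
        raise ValueError("bad framing: %s" % raw.hex())
    payload, got = raw[1:-2], raw[-2]
    want = checksum(payload)
    if got != want:
        raise ValueError("checksum 0x%02X, expected 0x%02X in %s" % (got, want, raw.hex()))
    return payload


def frame_is_valid(raw):
    try:
        unframe(raw)
        return True
    except ValueError:
        return False


def bcd_pin(pin):
    # Assumption: the <pin> <pin> slot holds the 4-digit user code as two BCD bytes.
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be four digits")
    return bytes((int(pin[:2], 16), int(pin[2:], 16)))


def status_request():
    # Willem4ever's 0xA2 message: command byte, ten zero bytes, trailing 0x43.
    return frame(bytes([0xA2]) + bytes(10) + bytes([0x43]))


def arm_home_instant(pin):
    # Rene's 0xA1 0x00 0x00 0x14 <pin> <pin> 0x00 0x00 0x00 0x00 0x00 0x43
    return frame(bytes([0xA1, 0x00, 0x00, 0x14]) + bcd_pin(pin) + bytes(5) + bytes([0x43]))


ACK = frame(bytes([0x02]))  # 0D 02 FD 0A, sent by the host after every row

# Byte 4 of the 0xA5 row with byte 2 = 0x04, bits exactly as Rene listed them.
STATE_FLAGS = ((0x01, "Ready"), (0x02, "Alerts in memory"), (0x04, "Trouble"),
               (0x08, "Bypass on"), (0x10, "Last 10 seconds"))


def decode_state_flags(b4):
    names = [name for bit, name in STATE_FLAGS if b4 & bit]
    if not b4 & 0x01:
        names.insert(0, "Not Ready")
    unknown = b4 & 0xE0  # bits the thread has not identified yet
    if unknown:
        names.append("unknown bits 0x%02X" % unknown)
    return names


def decode_a5_row(payload):
    if len(payload) != 12 or payload[0] != 0xA5 or payload[-1] != 0x43:
        raise ValueError("not an A5 row: %s" % payload.hex())
    total, row = payload[1], payload[2]
    flags = decode_state_flags(payload[4]) if row == 0x04 else None
    return {"row": row, "total": total, "data": payload[3:11], "flags": flags}


# Willem4ever's capture from this post, direction and bytes only.
CAPTURE = [
    ("OUT", "0d a2 00 00 00 00 00 00 00 00 00 00 43 1a 0a"),
    ("IN", "0d 02 43 ba 0a"),
    ("IN", "0d a5 09 01 00 00 00 00 00 00 00 00 43 0d 0a"), ("OUT", "0d 02 fd 0a"),
    ("IN", "0d a5 09 02 03 24 00 00 00 00 00 00 43 e4 0a"), ("OUT", "0d 02 fd 0a"),
    ("IN", "0d a5 09 03 00 00 00 00 00 00 00 00 43 0b 0a"), ("OUT", "0d 02 fd 0a"),
    ("IN", "0d a5 09 04 00 60 04 05 00 04 00 00 43 9c 0a"), ("OUT", "0d 02 fd 0a"),
    ("IN", "0d a5 09 05 00 00 00 07 00 00 12 34 43 bb 0a"), ("OUT", "0d 02 fd 0a"),
    ("IN", "0d a5 09 06 ff 3f 00 00 00 00 00 00 43 c8 0a"), ("OUT", "0d 02 fd 0a"),
    ("IN", "0d a5 09 07 00 00 00 00 00 11 00 00 43 f5 0a"), ("OUT", "0d 02 fd 0a"),
    ("IN", "0d a5 09 08 00 00 00 00 00 00 00 00 43 06 0a"), ("OUT", "0d 02 fd 0a"),
    ("IN", "0d a5 09 09 00 00 00 00 00 00 00 00 43 05 0a"), ("OUT", "0d 02 fd 0a"),
]


def replay(capture):
    """Verify every frame's checksum, decode the A5 rows and count the acks seen."""
    rows, acks = [], 0
    for direction, hexbytes in capture:
        payload = unframe(bytes.fromhex(hexbytes))
        if payload[0] == 0x02:  # ack, with or without the 0x43 tail
            acks += 1
        elif payload[0] == 0xA5:
            rows.append(decode_a5_row(payload))
        elif direction == "OUT" and payload[0] == 0xA2:
            assert bytes.fromhex(hexbytes) == status_request()
        else:
            raise ValueError("unexpected frame: %s" % hexbytes)
    return {"rows": rows, "acks": acks}


if __name__ == "__main__":
    for r in replay(CAPTURE)["rows"]:
        print("row %d/%d data=%s flags=%s" % (r["row"], r["total"], r["data"].hex(), r["flags"]))
```

Every frame in the capture checks out against the checksum rule, including the short 0D 02 43 BA 0A and 0D 02 FD 0A acks. Row 4 of this capture has byte 4 = 0x60, so the decoder reports "Not Ready" plus unknown bits 0x60; in Rene's earlier dump the same byte was 0x06, which decodes as Not Ready, Alerts in memory, Trouble, in line with the telephone line failure in his log.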