Visonic Powerlink2

Forum about Visonic products like Powermax Plus and Powermax Pro

Moderators: Rene, Willem4ever

Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Bwired »

I bought the Visonic Complete NOT because there was standard NO X10 support.
My supplier told the Complete had Powerlink2 support....
User avatar
Rene
Global Moderator
Global Moderator
Posts: 1689
Joined: Wed Oct 08, 2008 3:54 pm
Location: Netherlands

Re: Visonic Powerlink2

Post by Rene »

After I had build in the Powerlink2 I was wondering to which connector on the panel I had to put the flat cable. Found the answer in a previous post from Pieter. However, on my version of the panel I can put the cable in two different ways on this connector. Tried both, to no avail. The Ethernet link will not be activated (my switch says 'port down'). Then I discovered an option in the Powermax Pro module to learn in the Powerlink. Did that and I think this was successful because I heard a long beep just as when you learn in sensors. But, still no Ethernet connection. Yesterday I have been busy mailing back and forth with eBay Bob from the shop I bought the module from but he did not have a glue also. Monday he will contact Visonic. I will keep you all posted.

Did some of you which also have the Powermax Pro and the Powerlink2 experience any problems?
Rene.
Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Bwired »

I think it can have something to do with the Firmware of the Powermax Pro.
I have a brand new Powermax Pro ans the Powerlink2 worked instantly on IP xxx.xxx.xxx.200
I did even not need to set the Learn Option in the menu of the powermax.
See below the Powerlink2 inside the Visonic Powermax Pro connected by a ribboncable.
Powerlink2
Powerlink2
powerlink.jpg (179.69 KiB) Viewed 34143 times
http://www.bwired.nl Online Home, Domotica, Home Automation. Weblog. http://blog.bwired.nl
fishtank
Starting Member
Starting Member
Posts: 3
Joined: Mon Feb 07, 2011 12:44 pm

Re: Visonic Powerlink2

Post by fishtank »

I purchased the POwerlink2 last week and installed it in a PowerMax Pro system. There was no user or installation manual so I searched the web for relevant info....

I got the thing connected but when surfing to x.y.z.200 I got to the login screen and when logging in with the default credentials I came to a progress bar and that was it! After this I was unable to even get the login screen again. Only when disconnecting and reconnecting the device again I got another chance at the login screen. But result remains the same (over and over again).

When I choose "Install Powerlink" in the PowerMax Pro's menu I get the error-message tone. It seems something goes wrong but I do not have a clue what.

Anyone some suggestions?

The Powerlink is "pingable". Telnet also works...
Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Bwired »

see also
http://www.domoticaforum.eu/viewtopic.php?f=17&t=2859

Below is regarding to the Powerlink1
and: http://voksenlia.net/powerlink/

Introduction
A couple of years ago I announced in a forum that I had been able to bypass the regular user interface on Visonic's Powerlink module for their Powermax +/Pro alarms. I didn't want to give out the details publicly for security reasons. However, I receive requests about this almost weekly, and I've also learned that there are many valid reasons for bypassing the regular interface (such as to reset the user account) and that Visonic is less than helpful in order to help out in such cases. So I feel now that having the backdoor key is a requirement for user to be able to use their rather expensive powerlinks. Besides, I'd like to see more people hacking with their powerlinks and explore further.

I want to stress a security concern whether or not you use the backdoor. Never expose Powerlink to an insecure wlan (such as wep or no encryption at all), as an intruder then easily could disarm the alarm from the street outside your home. The default root password cannot easily be changed.

The root password
There are two ways of logging into Powerlink. Either by ftp, which will take you straight to the root filesystem, or by telnetting to port 7523 for a regular Unix login session. The root password depends on the software version. For version 2.1.1 the password is vispl211. For version 3.1.* (only verified for 3.1.7) the password is vispl31x. An alternative way that works for several versions is to log in as "root2" using the password visonic.

The passwords were no big secret, really. It turns out that the way cameras communicate with Powerlink is to upload pictures through ftp using the root acount. Ftp is totally unencrypted, so the password can easily be found by sniffing packets on the lan using a program like wireshark. /etc/password revealed the root2 user and the password was very weak and trivial to obtain. If none of the mentioned passwords work, I suggest to use the network sniffing method to find it. Having Powerlink and your PC on an old network hub will do the trick. Or try to guess the password. There seems to be a pattern...

Secure your system
One of the other things that the network sniffing revealed was that Powerlink communicates with one of Visonic's servers in Israel (212.179.58.186 = myhome.visonic.com), passing on information such as changes in the alarm's status. This alone is a reason good enough why any user should know the backdoor to be able to disable this "feature". Even worse, the communication is via unencrypted http meaning that not only do you tell Visonic whether you're at home or not, but anyone with access to the network between you and Visonic can (theoretically) spy on you. Some information can actually be deduced from the URL's which probably means that if you live in an EU/EEA country, your ISP is required to store all this information up to two years due to the infamous Data Retention Directive, so that your government can have a record of when you leave your house and when you get home, and when you go to bed and get up if you regularly arm to the "home" mode. Stasi would drool if they had been shown the technology.

An example of the kind of information going out of your Powerlink is a POST /scripts/notify.php request with the following data:

<?xml version='1 0'?>
<notify>
<pmax_account>001234</pmax_account>
<index>39</index>
<serial>0208018292</serial>
<time>87765</time>
<priority>2</priority>
<event id='81' type='Arm Home'/>
<profile id='3' type='Open / Close'/>
<device id='3' type='User'/>
<location id='1' type='Admin'/>
<zone id='-1'/>
<userlist>
</userlist>
</notify>

I don't know why this kind of information is sent to Visonic. Perhaps it's needed for optional services such as e-mail notifications. But I find it absolutely unacceptable, if not criminal, that this is done without the user's knowledge and consent, and I find it questionable even if the user knew and agreed. I strongly suggest that all users turn this stuff off. That will also block Visonic from upgrading your system remotely (or brick it for that matter). This is how you do it:

Run telnet to your Powerlink at port 7523, log in.
Run: /misc/wc-pxa255/binaries/cli -d
Select "7" ("DB operations").
Select "2" ("Write To DB").
Select "2" ("pmax tables db").
Type "57" ("table id").
Type "1" ("item number").
Type "1" ("parameter").
Type "127.0.0.1".
Type "q q q".
The server is now set to 127.0.0.1 (localhost) and no data will leave your Powerlink, which will simply ignore the requests to itself.

Remote control of your Powerlink
We've now seen that there is a commandline tool for manipulating Powerlink. It can be used to check the status, to arm, disarm, etc. Some features are not available in all Powerlink versions, though. I wrote a Perl script to make the commands available on a PC and to interpret the reply. You can download it here. You may need to change the first lines of the script to suit your needs and setup.

If the script complains about missing files, run cpan and install the missing packages. Search the internet if you're unsure about this.

The syntax is powermax.pl <command>. The most useful commands are:

Get status: 1 1
Set status: 1 2
Get sensors status: 2 1
Get sensors configuration: 2 2
Get keyfobs status: 2 3
Get keyfobs configuration: 2 4
Get 1w-keypad status: 2 5
Get 1w-keypad configuration: 2 6
Get 2w-keypad status: 2 7
Set sensor type: 2 8 <1-30> <0-10> (1:Emergency 2:Flood 3:Gas 4:Delay 1 5:Delay 2 6:Interior-Follow 7:Perimeter 8:Perimeter-Follow 9:24 Hours Silent 10:24 Hours Audible)
Set sensor name: 2 9 <0-30> (0:Attic 1:Back door 2:Basement 3:Bathroom 4:Bedroom 5:Child room 6:Closet 7:Den 8:Dining room 9:Downstairs 10:Emergency 11:Fire 12:Front door 13:Garage 14:Garage door 15:Guest room 16:Hall 17:Kitchen 18:Laundry room 19:Living room 20:Master bathroom 21:Master bedroom 22:Office 23:Upstairs 24:Utility room 25:Yard 26:Custom1 27:Custom2 28:Custom3 29:Custom4 30:Custom5)
Set sensor chime: 2 10 <1-30>
Mute siren: 2 11
Get siren status: 2 12
Get user settings: 3 1
Set auto arm time: 3 2
Set private tel no: 3 3 <1-4> <12345678????????>
Set voice: 3 4
Set auto arm: 3 5
Set squawk option: 3 6
Set time format: 3 7
Set date format: 3 8
Get panel definitions: 4 1
Set bypass (sensor off): 4 2 <0-2> (0:no bypass 1:force arm 2:manual bypass)
Get communications definitions: 5 1
Get X10 Status: 6 1
Set X10 Status: 6 2 <1-15|all>
Get logfile: 8 1
So to arm Powermax, run powermax.pl 1 2 away regular on your PC.

Adding functionality
Powerlink runs Linux on an ARM processor. This makes it easy to program. The main limitation, however, is that the root filesystem is readonly. The filesystem is cramfs, which by design and for better compression is readonly. Luckily, the /var directory is a separate filesystem which is writeable making it possible to store data and programs permanently. Unfortunately, everything related to the boot process is on the root filesystem, so there seems to be no way of making new programs run automatically after a reboot.

I noticed that Powermax has a logfile /tmp/log/wc_log. This is a circular buffer which includes all communication between Powermax and Powerlink (at least in version 2.1.1, but this has changed somewhat in version 3.1.7), including information about sensor activity. So I wrote a program that keeps track of the sensor activity. This makes it possible to keep a detailed log, and I also found it useful for switching on lights in a room using X10 if someone enters it. The program has two parts: a Perl program to run on your PC which will create a log file, and a precompiled binary which the Perl program will upload to Powerlink and run there. The binary does the buffer reading on your Powerlink. The program is by no means complete. It has to interpret the communication between Powerlink and Powermax, which requires some reverse engineering, and I've only done this partly. The source code of the binary is available here. The binary was created with gcc for ARM. If you want to compile for ARM yourself, you can either set up a cross-compiler, or you can compile natively on an ARM machine. I have a few Linksys NSLU2 running Debian (little endian) which can be used for making binaries for Powerlink.

Using different hardware
Now things get interesting. Since Powerlink has a widely used ARM processor, can we simply copy the entire filesystem from Powerlink, put it on some other hardware and run the software and that way solve the problem with the readonly root filesystem? The answer is yes! This is exactly what I've done. I created a directory on a Linksys NSLU2, copied the entire Powerlink filesystem to that directory, chroot'ed to that directory and ran the boot scripts. I had made an RS232 to RJ45 cable to connect the NSLU2 to Powermax and made sure that the cable could be accessed through the device file that Powerlink expects (/dev/ttyS1, if I remember correctly). And it worked!

I never used the NSLU2 as a Powerlink replacement. I only did this to the point that I had verified that it works, and I didn't make notes. So for those who'd like to replicate this, I can only offer the information that it works. I believe it should work on other ARM based Linux boxes as well, such as SheevaPlug or GuruPlug. Unfortunately I have no notes of the pinout for the cable and I don't have the cable at home anymore.

If you see this as a way to get a pirate Powerlink and to save money (there are several ARM based Linux boxes available for less than $100), I can't help you. I will not send you the Powerlink filesystem. It contains copyrighted programs. So you need your own Powerlink if you wish to replace the hardware.

Reflashing the Powerlink
So the root filesystem is readonly, but it doesn't mean that it can't be changed. It just means that you need to reflash the Powerlink in order to change it. Let's have a look at it:

# cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00040000 "Blob"
mtd1: 00100000 00040000 "Kernel_A"
mtd2: 00c80000 00040000 "Cramfs_A"
mtd3: 00400000 00040000 "Jffs2"
mtd4: 00100000 00040000 "Kernel_B"
mtd5: 00c80000 00040000 "Cramfs_B"

/dev/mtdblock0 contains the bootloader. /dev/mtdblock3 contains the /var filesystem, and /dev/mtdblock[12] and /dev/mtdblock[45] are alternate versions of the firmware, most likely selectable in the bootloader. The dual boot setup is probably there for safe upgrading.

It's possible to reflash by writing to /dev/mtdblock*, but you have to be absolutely sure of what you're doing if you do this. I will not touch my flash unless I have access to the bootloader.

The bootloader remains elusive. I've not found a way to access it. The bootloader is GPL'd code and Visonic has changed it. They're required to publish the code as well as their changes, which could reveal whether it's possible to reach the bootloader via ethernet, but they've not responded to my requests for the code. Others have also requested the code, but heard nothing back or got a rude reply. So it seems that Visonic is pretty determined in violating the license.

Final remarks
I hope that the above information will be sufficient for other hackers to get started, and perhaps pick up the trail where I left it. If you go further or otherwise do something interesting with your Powerlink, please send me an e-mail. I've only scratched the surface of the possibilities. I've received many questions whether it's possible to use other cameras than Visonic's expensive and extremely low quality cameras. I haven't tried. It should work. Either the camera needs to be programmed to behave like a Visonic camera (directly or through a PC), or Powerlink can be changed (might require changes to the root filesystem). Someone just needs to try it out.
User avatar
Rene
Global Moderator
Global Moderator
Posts: 1689
Joined: Wed Oct 08, 2008 3:54 pm
Location: Netherlands

Re: Visonic Powerlink2

Post by Rene »

To what point have you come with regards to the Powerlink2?
Rene.
Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Bwired »

I see a lot going on and possibilities (java, xml etc)
I think Visonic locked more up then in Powerlink1
Telnet and ftp password bot working on powerlink2
This needs to be in the manual, but there is no manual :evil:

for example
i was able to control the powermax with this
http://10.0.0.200/mobile/dam/arm/mode/home_state

but i needed to be logged in, username/password in front does not work

spend not much time yet....
check also http://www.domoticaforum.eu/viewtopic.p ... 859#p46857
Digit
Global Moderator
Global Moderator
Posts: 3388
Joined: Sat Mar 25, 2006 10:23 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Digit »

username/password in the url only works with very basic authentication, maybe they use another authentication method.
You can check the http headers with Wireshark to see if that's the case.
Or ... :lol:
Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Bwired »

I bet on the Or :D
visonic.jpg
visonic.jpg (118.28 KiB) Viewed 34084 times
Digit
Global Moderator
Global Moderator
Posts: 3388
Joined: Sat Mar 25, 2006 10:23 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Digit »

Don't see much of what i was looking for, actually :(
User avatar
Rene
Global Moderator
Global Moderator
Posts: 1689
Joined: Wed Oct 08, 2008 3:54 pm
Location: Netherlands

Re: Visonic Powerlink2

Post by Rene »

Die interface van de Powerlink is dus in php gemaakt?
Rene.
Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Bwired »

There is also a mobile and html version. Enough stuff to investigate :)
The main one is a bit PHP with lots of Java
Below the HTML version, main version is to big.

Code: Select all

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.1//EN"
    "http://www.openmobilealliance.org/tech/DTD/xhtml-mobile11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
  <meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8"/>
  <meta name="format-detection" content="telephone=no"/>
  <meta name="viewport" content="width=device-width; initial-scale=1.0; maximum-scale=1.0; minimum-scale=1.0; user-scalable=0;" />
  <meta name="HandheldFriendly" content="true" />
      <title>Visonic PowerLink :: ID</title>
  <link type="text/css" rel="stylesheet" media="all" href="/mobile/css/main.css"/>
  <script type="text/javascript" src="/mobile/index/js?0.002"></script>
</head>
<body>    
  <div id="outer">
    <div id="head_block">
      <div id="head_block_inner"></div>
      <img id="logo_powerlink" src="/images/wo_logo_pl.png" width="70" height="23" alt="Power Link"/>
      <img id="logo_visonic" src="/images/wo_logo_vs.png" width="70" height="14" alt="Visonic"/>
      <a id="logout" href="/mobile/login/logout"><img src="/images/wo_0.gif" class="spr logout" alt="logout"/></a>
    </div>
    <div id="message" class="dn"></div>
    <div id="content_outer">
      <div id="content">
        <div class="notready"></div>
 
        <div id="view_index" class="dn"></div>
                    <div id="view_alarms" class="dn">
          <div class="alarm_box">
            <div id="alarm_image" class="image"></div>
            <div id="alarm_text" class="text"></div>
            <div class="bottom">
              <a href="javascript:$Navigator.back();" class="btn"><img src="/images/wo_0.gif" alt="back" class="spr32 back"/></a>
            </div>
          </div>
        </div>
        <div id="view_events" class="dn">
          <div id="log_list" class="list"></div>
          <div class="bottom">
            <a href="javascript:$Navigator.back();" class="btn"><img src="/images/wo_0.gif" alt="back" class="spr32 back"/></a>
            <a href="javascript:$Navigator.exec('logRefresh');" class="btn"><img src="/images/wo_0.gif" alt="refresh" class="spr32 refresh"/></a>
          </div>
        </div>
        <div id="view_sensors" class="dn">
          <div id="sensor_list" class="list"></div>
          <div class="bottom">
            <a href="javascript:$Navigator.back();" class="btn"><img src="/images/wo_0.gif" alt="back" class="spr32 back"/></a>
          </div>
        </div>
      
                    <div id="view_alerts" class="dn">
          <div id="alert_list" class="list"></div>
          <div class="bottom">
            <a href="javascript:$Navigator.back();" class="btn"><img src="/images/wo_0.gif" alt="back" class="spr32 back"/></a>
          </div>
        </div>
      
                    <div id="view_camera_list" class="dn">
          <div id="camera_list" class="list"></div>
          <div class="bottom">
            <a href="javascript:$Navigator.back('index');" class="btn"><img src="/images/wo_0.gif" alt="back" class="spr32 back"/></a>
          </div>
        </div>
 
        <div id="view_camera" class="dn">
        <!--
          Possible className combine:
            portrait : sets "portrait" view
            static  : when live-view camera has no movement control
            alarm : when displayed "alarm view"
            play  : when alarm view played
            blocked : when camera is not allowed in current state
          !NOTICE! "static" can not be combined with "alarm"
        -->
          <div class="camera_box">
            <div class="box">
              <span id="camera_name" class="name"></span>
              <div class="box_viewport"><div>
                <a href="javascript:;"><img id="camera" src="/images/wo_cam_blank.gif" alt=""/><img class="back_img" src="/images/wo_cam_blank.gif" alt=""/></a>
                <span id="camera_stamp" class="stamp"></span>
                <span id="camera_block" class="block"></span>
              </div></div>
              <div class="camera_control">
                <div class="btn"><a href="javascript:$Navigator.back('camera_list');"><img src="/images/wo_0.gif" class="spr32 back" alt="back"/></a></div>
                <div class="btn spr ctrl"><div class="inner">
                  <a href="javascript:$Navigator.exec('cameraCommand:up');" class="ctrl_up"><img src="/images/wo_0.gif" alt=""/></a>
                  <a href="javascript:$Navigator.exec('cameraCommand:left');" class="ctrl_left"><img src="/images/wo_0.gif" alt=""/></a>
                  <a href="javascript:$Navigator.exec('cameraCommand:tglplay');" class="ctrl_middle"><img src="/images/wo_0.gif" alt=""/></a>
                  <a href="javascript:$Navigator.exec('cameraCommand:right');" class="ctrl_right"><img src="/images/wo_0.gif" alt=""/></a>
                  <a href="javascript:$Navigator.exec('cameraCommand:down');" class="ctrl_down"><img src="/images/wo_0.gif" alt=""/></a>
                </div></div>
                <div class="btn"><a href="javascript:$Navigator.exec('cameraSwitch');"><img src="/images/wo_0.gif" class="spr32 alarm" alt="back"/></a></div>
              </div>
            </div>
            <div class="hlp"><div class="h_tl"></div><div class="h_tm"></div><div class="h_tr"></div><div class="h_ml"></div><div class="h_mm"></div><div class="h_mr"></div><div class="h_bl"></div><div class="h_bm"></div><div class="h_br"></div></div>
          </div>
          <br class="cb"/>
        </div>
      
                    <div id="view_devices" class="dn">
          <div id="home_filter" class="buttons bgw"></div>
          <div id="home_list" class="list"></div>
          <div class="bottom">
            <a href="javascript:$Navigator.back();" class="btn"><img src="/images/wo_0.gif" alt="back" class="spr32 back"/></a>
          </div>
        </div>
      
      </div>
      <div class="hlpr"><div class="cr_bl"></div><div class="cr_br"></div></div>
    </div>
  </div>
</body>
</html>
User avatar
Rene
Global Moderator
Global Moderator
Posts: 1689
Joined: Wed Oct 08, 2008 3:54 pm
Location: Netherlands

Re: Visonic Powerlink2

Post by Rene »

How did you conclude they use Java? The page is served by apache and php, at least that is what the http header mentions.
Rene.
Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink2

Post by Bwired »

javascript.
User avatar
Rene
Global Moderator
Global Moderator
Posts: 1689
Joined: Wed Oct 08, 2008 3:54 pm
Location: Netherlands

Re: Visonic Powerlink2

Post by Rene »

Ah, OK. That is not Java.
Rene.
Post Reply

Return to “Visonic Alarm systems”