Visonic Powerlink RS232 Hack

Forum about Visonic products like Powermax Plus and Powermax Pro

Moderators: Rene, Willem4ever

User avatar
Willem4ever
Global Moderator
Global Moderator
Posts: 805
Joined: Mon Oct 30, 2006 3:48 pm
Location: Uithoorn / Netherlands

Re: Visonic Powerlink RS232 Hack

Post by Willem4ever »

Examples for pincode 1234

disarm

0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a

arm away

0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a

You will get a ack from the panel

0d 02 43 ba 0a

Followed by a 'type 8' message when your pin is incorrect

0d 08 43 b4 0a
utz
Starting Member
Starting Member
Posts: 31
Joined: Sun Jul 17, 2011 5:21 pm

Re: Visonic Powerlink RS232 Hack

Post by utz »

Cool. If any of you finds time, can you document this here... (I wont have time before the weekend): http://powermax.wikia.com/wiki/Powermax_Wiki
I try to get all the information on the protocol in one place.
Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink RS232 Hack

Post by Bwired »

working here also
vis1.jpg
vis1.jpg (22.21 KiB) Viewed 24125 times
http://www.bwired.nl Online Home, Domotica, Home Automation. Weblog. http://blog.bwired.nl
User avatar
Rene
Global Moderator
Global Moderator
Posts: 1689
Joined: Wed Oct 08, 2008 3:54 pm
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Post by Rene »

Thanks to Marcel from WaakZaamWonen I am back in business. My PowermaxPro panel seemed to be broken and lucky as I was, Marcel had a replacement. And best of all free of charge. Thanks Marcel!
Rene.
utz
Starting Member
Starting Member
Posts: 31
Joined: Sun Jul 17, 2011 5:21 pm

Re: Visonic Powerlink RS232 Hack

Post by utz »

Willem4ever, what would be the response to a wrong pin code? Is there an extra message for that or is it just that you do not get the 08 message?
Also, do you need to send an ACK back for 08 messages or is it like 02 messages that do not need an ack?

... just trying to document all bits in the wiki as we go along finding out more bits.
Willem4ever wrote:Examples for pincode 1234
0d a1 00 00 05 12 34 00 00 00 00 00 43 cf 0a
You will get a ack from the panel
0d 02 43 ba 0a
Followed by a 'type 8' message when your pin is incorrect
0d 08 43 b4 0a
User avatar
Willem4ever
Global Moderator
Global Moderator
Posts: 805
Joined: Mon Oct 30, 2006 3:48 pm
Location: Uithoorn / Netherlands

Re: Visonic Powerlink RS232 Hack

Post by Willem4ever »

This is the sequence of a disarm with the wrong pincode (using my code)

2011-08-05 11:37:15 0d a1 00 00 00 12 34 00 00 00 00 00 43 d4 0a - OUT
2011-08-05 11:37:15 0d 02 43 ba 0a - C_OK - IN
2011-08-05 11:37:15 0d 08 43 b4 0a - C_OK - IN
2011-08-05 11:37:15 0d 02 fd 0a - OUT

I do not ack an ack and the Powermax seems happy with that :-) but I do ack error '8'
utz
Starting Member
Starting Member
Posts: 31
Joined: Sun Jul 17, 2011 5:21 pm

Re: Visonic Powerlink RS232 Hack

Post by utz »

Willem4ever, sorry I got it mixed up. the 08 message is only there when code is wrong ...
User avatar
Willem4ever
Global Moderator
Global Moderator
Posts: 805
Joined: Mon Oct 30, 2006 3:48 pm
Location: Uithoorn / Netherlands

Re: Visonic Powerlink RS232 Hack

Post by Willem4ever »

Hi Utz,

In case of correct pincode you only get an ack (2)

In case of a wrong pincode you get an ack(2) followed by (8)
Bwired
Administrator
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands
Contact:

Re: Visonic Powerlink RS232 Hack

Post by Bwired »

Everything works like a train in the Bwired setting.
arming and disarming from my application works also great.
In this topic hoewever some differences between the translations of the bytes (status, sensors etc)
But that is not a big problem, just a matter of reversing stuff

very great job all!!
This is a major breaktrough in controlling (friendly hacking) the Visonic Powermax alarm panels (like Powermax Pro and Plus)
And the most important thing is, that until now its a very stable setup.

Nice thing is that we had this option for more then 10 years under our noses :D
http://www.bwired.nl Online Home, Domotica, Home Automation. Weblog. http://blog.bwired.nl
utz
Starting Member
Starting Member
Posts: 31
Joined: Sun Jul 17, 2011 5:21 pm

Re: Visonic Powerlink RS232 Hack

Post by utz »

I noticed as well that people have different views on what all the bits mean in the different messages. Thats why I tried to get a central place that people can edit to collect the truth; I used this wiki space here: (http://powermax.wikia.com/wiki/Powermax_Wiki). However, if you people here have a better place on where to collect and allow collaborative editing I am happy to move the things there. I hope to get at the end a proper protocol specification that people can use for implementation of their different home automation systems.
Alexander
Global Moderator
Global Moderator
Posts: 1532
Joined: Sat Mar 10, 2007 11:19 pm
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Post by Alexander »

and now hope there aren't any burglars that know anything about hacking to disable your alarm from remote :D
Alexander
utz
Starting Member
Starting Member
Posts: 31
Joined: Sun Jul 17, 2011 5:21 pm

Re: Visonic Powerlink RS232 Hack

Post by utz »

Rene wrote: I have an update of the information provided sofar.
The byte before the postamble is the checksum which is calculated as follows:
1. Sum all bytes except for the preamble, postamble and the checksum itself offcourse.
2. Divide this sum by 255.
3. Take the one complement of the remainder.

In Python this looks as follows (where message contains only the bytes that need to be added to the sum):

Code: Select all

for char in message:
    checksum += ord(char)
checksum = (checksum % 255) ^ 0xFF
I think what they actually do for checksum is:
1) Fill an 8bit register with 0xFF
2) Substract the next byte in the message from the value in the register (ignoring overflows)
3) After the message is received the register contains the checksum value

so you can do

Code: Select all

checksum = 0xFF
for each char in message do
    checksum = checksum - char
or, to just change your code a bit:

Code: Select all

for char in message:
    checksum += ord(char)
checksum = FF - (checksum % 255)
That is important for people like me that have to program in Lua which cant do bitwise operations like ^
User avatar
Rene
Global Moderator
Global Moderator
Posts: 1689
Joined: Wed Oct 08, 2008 3:54 pm
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Post by Rene »

Guess what, your algorithm is the only right one. I just had a bad checksum where the sum of the bytes was 0xFF. My algorithm resulted in a checksum of 0xFF, where it should have been 0x00. Your algorithm results in 0x00!
Rene.
User avatar
Willem4ever
Global Moderator
Global Moderator
Posts: 805
Joined: Mon Oct 30, 2006 3:48 pm
Location: Uithoorn / Netherlands

Re: Visonic Powerlink RS232 Hack

Post by Willem4ever »

What is the datastream causing the problem ?
User avatar
Rene
Global Moderator
Global Moderator
Posts: 1689
Joined: Wed Oct 08, 2008 3:54 pm
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Post by Rene »

I do not recall, but the sum of the bytes was 255.
Rene.
Post Reply

Return to “Visonic Alarm systems”