Visonic Powerlink2 Hacked


mhn
Member
Posts: 399
Joined: Tue Jul 21, 2009 9:27 pm
Location: Denmark

Re: Visonic Powerlink2 Hacked

Post by mhn »

Thanks.

It sounds like the Powermax is quite a mess. :-|
Odin
Starting Member
Posts: 27
Joined: Tue Jul 12, 2011 11:33 am

Re: Visonic Powerlink2 Hacked

Post by Odin »

Utz, I am willing to help you with this as I wish to open up the powerlink module myself and there may be complementary gains to be had here.

How do I get the root password for the powerlink module? If we know this then I can log on and have a root around. A port scan reveals TCP ports 22, 23 and 6310 are open.

Alternatively, how do I look at the log file on the powermax?

If necessary I am willing to try the RS232 method - I assume this is also powering the powerlink module from the powermax unit?

If you are on skype maybe you can private msg me your id and we can talk that way and ultimately share our knowledge later.
Odin
Starting Member
Posts: 27
Joined: Tue Jul 12, 2011 11:33 am

Re: Visonic Powerlink2 Hacked

Post by Odin »

I am getting the following HTTP request being sent to Visonic every minute or so -

GET /scripts/update.php?serial=03cegc&id=03cegc&account=001234&ver_hw=123&ver_sw=6.1.11&ver_var=6000&upgrade_status=0&configuration_status=0 HTTP/1.1

This gets the following response:

status =0&ka_time =120&allow =0&

Does anyone know what the response would be if the powerlink was registered?
rl40
Starting Member
Posts: 6
Joined: Wed Sep 21, 2011 9:59 pm
Location: Rochester, NY

Re: Visonic Powerlink2 Hacked

Post by rl40 »

I have been wondering the same thing. I do know you do not want to change the allow=0 to allow=1 in the response. I echoed this from my own server (by setting the C.S. reporting IP address to my server). This will disable access to the web interface. Changing it back does restore access. I did panic when I first changed the status and I couldn't access the PowerLink until I remembered I changed it.
Thanks.
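
The check-in exchange quoted in the two posts above, as an added example (not code from any poster): a Python sketch that recognises the update.php request in a proxy or capture log line, lists the identifying fields it carries, and parses the `key =value&` reply. The function names and the grouping in `IDENTIFYING` are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request line and reply body quoted in the thread.
REQUEST_LINE = (
    "GET /scripts/update.php?serial=03cegc&id=03cegc&account=001234"
    "&ver_hw=123&ver_sw=6.1.11&ver_var=6000&upgrade_status=0"
    "&configuration_status=0 HTTP/1.1"
)
RESPONSE_BODY = "status =0&ka_time =120&allow =0&"

# Assumption: these query fields are the ones that identify an installation.
IDENTIFYING = {"serial", "id", "account"}

def parse_checkin(request_line):
    """Return the query fields of an update.php check-in, or None if not one."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != "/scripts/update.php":
        return None
    query = parse_qs(url.query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}

def parse_reply(body):
    """Parse the reply: keys carry a trailing space and the body ends in '&'."""
    fields = {}
    for pair in body.split("&"):
        if "=" not in pair:
            continue  # skips the empty piece after the final '&'
        key, value = pair.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields

def review(request_line, body):
    """Summarise what the device sent and what the reply told it."""
    sent = parse_checkin(request_line)
    if sent is None:
        return None
    reply = parse_reply(body)
    ka = reply.get("ka_time", "")
    return {
        "identifiers_sent": sorted(IDENTIFYING & set(sent)),
        "firmware": sent.get("ver_sw"),
        "ka_time": int(ka) if ka.isdigit() else None,
        # rl40 reports that allow=1 disables access to the web interface
        "web_ui_blocked": reply.get("allow") == "1",
    }
```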
Tozz
Member
Posts: 95
Joined: Sun Oct 28, 2007 5:20 pm
Location: Netherlands

Re: Visonic Powerlink2 Hacked

Post by Tozz »

I just received my Powerlink2, and hacked some PHP together to (dis)arm my system. All working fine ;)

While running Wireshark on my network I discovered the PowerLink2 is sending data back to (I assume) Visonic. It also includes the login username. I can't see any reason they would need to know when I log in to my own system, so I firewalled their subnet. You might want to do the same.
manno
Starting Member
Posts: 16
Joined: Tue Sep 20, 2011 4:11 am

Re: Visonic Powerlink2 Hacked

Post by manno »

Hi Tozz, I am curious as to what you have seen as far as the data being sent back to Visonic. Did you have their IP addresses listed in any of the IP RCVR options in the PowerMax? I ask because I have also set up an alerting system via local PHP but had to use my internal IP server address in the IP RCVR. Also running tcpdump on my router to catch anything sent to/from my powerlink device and have not seen anything sent or received to Visonic as of yet. Was also wondering if you would be kind enough to send me the subnet that you firewalled so that I can do the same. Agree, no one should know the status of my system other than me. This whole system kind of really irritates me since it's expensive and doesn't allow a whole lot of user control.
MrGrape
Starting Member
Posts: 3
Joined: Tue Sep 13, 2011 10:26 am

Re: Visonic Powerlink2 Hacked

Post by MrGrape »

Hey all,

My first post, I've been reading a lot on this board and I'm impressed by all expertise around here! I've been playing around with my PowerMax Pro and Powerlink2 over the last few evenings, and managed to get a php script running to (dis)arm my alarm panel and read the sensor information and all. I can post it later if somebody is interested.

My question is about the application of the last part, reading the sensor information. What is a practical way to use this sensor information in a home automation environment? Suppose you would want something to happen when the front door opens. Would you poll for a status update of the sensor every 1 second or so? It doesn't seem very economical to poll the sensors 86400 times a day to catch maybe 10 changes of state. Wouldn't it put a big strain on the server, the network, and on the CPU of the PowerMax itself? Or isn't this the way to go, and I'd better use a receiver like RFXCOM instead to get my sensor updates?

Thanks!
Bwired
Administrator
Posts: 4704
Joined: Sat Mar 25, 2006 1:07 am
Location: Netherlands

Re: Visonic Powerlink2 Hacked

Post by Bwired »

That is not a good option to poll every 1 second, agreed.
We all have been down this road and most of them switched to the RS232 connection to the Visonic.
http://www.domoticaforum.eu/viewtopic.php?f=68&t=6581
This one is event driven, so the powermax triggers your app when something changes.

It's also possible to receive all the Visonic detectors with Rfxcom or the Alphatronics receiver.
The advantage regarding the Rfxcom is that you can receive a lot of other devices as well.
MrGrape
Starting Member
Posts: 3
Joined: Tue Sep 13, 2011 10:26 am

Re: Visonic Powerlink2 Hacked

Post by MrGrape »

Thanks, I didn't realize the RS232 option was event driven, I'll look into that for sure! My main concern was (and still is...) running yet another cable from my PC to my alarmpanel (big house, different floors, uncooperative wife :lol:). I might try and see if I can find some nice "RS232-over-LAN" solution for that!

Maybe the Rfxcom with a 868MHz extension or a similar device isn't such a bad idea after all...
Digit
Global Moderator
Posts: 3388
Joined: Sat Mar 25, 2006 10:23 am
Location: Netherlands

Re: Visonic Powerlink2 Hacked

Post by Digit »

(RS232, 485, USB, 1-Wire, etc) over Ethernet is the best solution IMO. It may cost a bit more, but it's very flexible and reliable.
asd09fj2d
Starting Member
Posts: 1
Joined: Wed Aug 22, 2012 9:35 pm

Re: Visonic Powerlink2 Hacked

Post by asd09fj2d »

Can anyone post their PHP scripts? I am just trying to set my system up to set status Arm/Away/Home.
lmaurice
Starting Member
Posts: 11
Joined: Sun Jan 12, 2014 1:17 pm

Re: Visonic Powerlink2 Hacked

Post by lmaurice »

I'm also interested in PHP scripts just for arming or disarming.
If anyone has it....

Best regards,
Laurent
lmaurice
Starting Member
Posts: 11
Joined: Sun Jan 12, 2014 1:17 pm

Re: Visonic Powerlink2 Hacked

Post by lmaurice »

For the moment, I tried something like that.
<?php

echo 'Hello ';

// First request: log in to the Powerlink2 web interface
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "http://192.168.1.200/web/ajax/login.login.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, "user=Admin&pass=Admin");

// in real life you should use something like:
// curl_setopt($ch, CURLOPT_POSTFIELDS,
// http_build_query(array('postvar1' => 'value1')));

// receive server response ...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$server_output = curl_exec($ch);

echo $server_output;

curl_close($ch);

// Second request: send the arm command on a new curl handle
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "http://192.168.1.200/web/ajax/security. ... s.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, "set=ArmAway");

// receive server response ...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$server_output = curl_exec($ch);

echo $server_output;

curl_close($ch);

echo "end";
?>

I received an OK from the connection part, but nothing from the Arm one.

Best regards,
Laurent
lmaurice
Starting Member
Posts: 11
Joined: Sun Jan 12, 2014 1:17 pm

Re: Visonic Powerlink2 Hacked

Post by lmaurice »

Hello everybody,

When playing the PHP script, I receive from the Powerlink2 server:
For the connection:
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2000 08:18:27 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Set-Cookie: PowerLink=0ca39037aa045d091773570af5387066; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=1200, pre-check=1200
Last-Modified: Thu, 20 Oct 2011 10:26:17 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

OK1

For the arming request:
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2000 08:18:28 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Cache-Control: private, max-age=1200, pre-check=1200
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Thu, 20 Oct 2011 10:26:17 GMT
Pragma: no-cache
Set-Cookie: PowerLink=108ea8c259cd6f02dbda59dc2e90774d; path=/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

But nothing happens on the alarm itself.
Maybe, I have something to do with the Cookies numbers provided.
I don't know.
If someone can help me, it would be very kind.

Thank you in advance,
Laurent
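
A check on the two responses quoted in the post above, as an added example (not code from the poster): a Python sketch that compares the `PowerLink` cookie issued by each response, lists the cookie flags that are absent, and splits the Server banner into its version tokens. The function names are assumptions, and reading a changed cookie value as "the server opened a new session" is an interpretation consistent with the cookie-jar fix posted later in this thread.

```python
# Constructed sample: headers copied from the two quoted responses,
# trimmed to the ones this check uses.
LOGIN_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
Set-Cookie: PowerLink=0ca39037aa045d091773570af5387066; path=/
Content-Type: text/html

OK1"""
ARM_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
Set-Cookie: PowerLink=108ea8c259cd6f02dbda59dc2e90774d; path=/
Content-Type: text/html
"""

def headers(raw):
    """Map lower-cased header names to the list of their values."""
    head = raw.split("\n\n", 1)[0]
    out = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def session_cookie(raw, name="PowerLink"):
    """Return (value, attribute names) of the named cookie, or None."""
    for cookie in headers(raw).get("set-cookie", []):
        first, *attrs = [part.strip() for part in cookie.split(";")]
        key, _, value = first.partition("=")
        if key == name:
            return value, {a.split("=")[0].lower() for a in attrs}
    return None

def diagnose(login_raw, next_raw):
    """Compare the session issued at login with the one seen on the next reply."""
    login = session_cookie(login_raw)
    nxt = session_cookie(next_raw)
    return {
        # A different value on the follow-up means the login session was not reused.
        "session_lost": bool(login and nxt and login[0] != nxt[0]),
        "missing_flags": sorted({"httponly", "secure"} - login[1]) if login else [],
        "banner": headers(login_raw).get("server", [""])[0].split(),
    }
```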
lmaurice
Starting Member
Posts: 11
Joined: Sun Jan 12, 2014 1:17 pm

Re: Visonic Powerlink2 Hacked

Post by lmaurice »

Finally, I achieved it.
You will find below a PHP script which works for arming or disarming the Powermax Pro.
You just have to change the IP address of the Powerlink2, the connection information and the action to perform (Disarm, ArmAway or ArmHome).

Best regards,
Laurent

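<?php

$ch = curl_init();

// Step 1: log in; curl stores the PowerLink session cookie in the cookie jar
curl_setopt($ch, CURLOPT_URL, "http://192.168.1.200/web/ajax/login.login.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, "user=Admin&pass=Admin");
// The cookie file must be writable by the user running the script
curl_setopt($ch, CURLOPT_COOKIEJAR, '/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/cookies.txt');

$server_output = curl_exec($ch);
if ($server_output === false) {
    die('Login request failed: ' . curl_error($ch));
}

// Step 2: same handle, so the session cookie is sent along with the command
curl_setopt($ch, CURLOPT_URL, "http://192.168.1.200/web/ajax/security. ... s.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, "set=Disarm"); // ArmAway, ArmHome or Disarm

$server_output = curl_exec($ch);
if ($server_output === false) {
    echo 'Command request failed: ' . curl_error($ch);
}

curl_close($ch);

?>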