Visonic Powerlink RS232 Hack
Moderators: Rene, Willem4ever
Re: Visonic Powerlink RS232 Hack
I added a lot of information to the wiki. One remark: the byte numbering is a bit odd. I would start numbering at the byte containing the command (0xA5, 0xA7), starting with 0.
Rene.
Re: Visonic Powerlink RS232 Hack
agree with Rene, now it can be confusing 

Re: Visonic Powerlink RS232 Hack
Bwired wrote: agree with Rene, now it can be confusing
I don't mind. If you all prefer counting that way we can change. It's a wiki, so if anyone finds time just change...
Re: Visonic Powerlink RS232 Hack
Wow guys I've just come back from 2 weeks holiday and found you have moved things on very nicely. Well done and thanks for all the efforts.
I have a Powermax Complete panel and the newer powerlink module so I'm hoping that I can hook into this - when things have settled down at home I will see if this works with my Complete panel and provide input.
I was just wondering if the protocol is already exposed from the previous root account logon hacking attempt?
Re: Visonic Powerlink RS232 Hack
The story continues, there is a lot of information in the Visonic.
I found some other messages which can be used to retrieve information from the powermax like:
- Which Zones you have
- Keyfobs
- Passwords
- Panelsettings
- Comm settings
- Eventlist (log)
- Full download
- x10 etc
To retrieve this you need to log in first; after that the info can be fetched.
Looks like it can be combined with the other messages like 05 and 07; the login does not interrupt, so it seems. Still needs testing.
The output needs to be translated, so who helps on this?
Code:
Login, need to do first
0D 24 00 00 AA AA 00 00 00 00 00 00 86 0A
after login you can send the below requests
** Request Pincode
0D 3E FA 01 10 00 B0 34 00 00 00 00 D0 0A
Answer: (pincode 2025 and 1234)
0D 02 FD 0A 0D 3F FA 01 10 20 05 12 34 00 00 00 00 00 00 00 00 00 00 00 00 09 0A
** Request Zones
0D 3E 00 09 78 00 B0 04 14 90 73 06 6D 0A
** Request last 250 Events (log) very handy, all actions like arm, disarm etc are in there
0D 02 FD 0A 0D 3E DF 04 28 03 B0 03 01 04 02 27 D0 0A
** Request Keyfobs
0D 02 FD 0A 0D 3E 78 09 40 00 B0 00 20 21 15 00 F8 0A
** logout, not needed I guess
0D 0F F0 0A
http://www.bwired.nl Online Home, Domotica, Home Automation. Weblog. http://blog.bwired.nl
- Willem4ever
- Global Moderator
- Posts: 805
- Joined: Mon Oct 30, 2006 3:48 pm
- Location: Uithoorn / Netherlands
Re: Visonic Powerlink RS232 Hack
Not 02 messages; actually you have 2 messages here: the first one is an ack, the second is the last events?? I guess you are snooping the remote programmer
0D 02 FD 0A
0D 3E DF 04 28 03 B0 03 01 04 02 27 D0 0A

Re: Visonic Powerlink RS232 Hack
yep, very easy to get 
changed the topic, you were right

Re: Visonic Powerlink RS232 Hack
Found a lot today, now the time to document 
Request log messages:
Code:
0xA0 0x00 0x00 0x00 <pin> <pin> 0x00 0x00 0x00 0x00 0x00 0x43
Response:
Code:
0xA0 0xFB 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x03 0x00 0x43
     |    |
     |    Row
     Total number of rows
0xA0 0xFB 0x02 0x07 0x38 0x16 0x06 0x08 0x0B 0x4D 0x33 0x43
     |    |    |    |    |    |    |    |    |    |
     |    |    |    |    |    |    |    |    |    Telephone line failure
     |    |    |    |    |    |    |    |    ?
     |    |    |    |    |    |    |    Year
     |    |    |    |    |    |    Month
     |    |    |    |    |    Day
     |    |    |    |    Hour
     |    |    |    Minute
     |    |    ?
     |    Row
     Total number of rows
.
.
0xA0 0xFB 0xFB .............
          |
          Row (So the last row)
Rene.
Re: Visonic Powerlink RS232 Hack
The system state flags (byte 4) in a 0xA5 command with byte 2 = 0x04:
byte 4 & 0x01 = 0x01 -> Ready
byte 4 & 0x01 = 0x00 -> Not Ready
byte 4 & 0x02 = 0x02 -> Alerts in memory
byte 4 & 0x02 = 0x00 -> No alerts in memory
byte 4 & 0x04 = 0x04 -> Trouble
byte 4 & 0x04 = 0x00 -> No trouble
byte 4 & 0x08 = 0x08 -> Bypass on
byte 4 & 0x08 = 0x00 -> Bypass off
byte 4 & 0x10 = 0x10 -> Last 10 seconds (in entry or exit delay)
Rene.
Re: Visonic Powerlink RS232 Hack
I do not know what it is doing but I see the Powerlink send the following request regularly:
Code:
0xAB 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
The response is (also when sent from your own code):
Code:
0xA5 0x09 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x43
     |    |
     |    Row
     Total number of rows
0xA5 0x09 0x02 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
0xA5 0x09 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
0xA5 0x09 0x04 0x00 0x06 0x00 0x00 0x00 0x01 0x00 0x00 0x43
0xA5 0x09 0x05 0x00 0x00 0x00 0x07 0x00 0x00 0x12 0x34 0x43
0xA5 0x09 0x06 0xFF 0xFF 0x01 0x00 0x00 0x00 0x00 0x00 0x43
0xA5 0x09 0x07 0x00 0x00 0x00 0x00 0x00 0x01 0x10 0x00 0x43
0xA5 0x09 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
0xA5 0x09 0x09 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
And from then on the Powermax sends every 30 seconds the following message:
Code:
0xAB 0x03 0x00 0x1E 0x00 0x34 0x36 0x30 0x36 0x00 0x00 0x43
and every 20 seconds:
Code:
0xAB 0x05 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x43
Rene.
Re: Visonic Powerlink RS232 Hack
Arm home instant:
Code:
0xA1 0x00 0x00 0x14 <pin> <pin> 0x00 0x00 0x00 0x00 0x00 0x43
Rene.
Re: Visonic Powerlink RS232 Hack
BTW I had problems with the checksum again so I modified the calculation as follows (in Python):
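Code:
checksum = 0
# message is the string of raw message bytes to be summed
for char in message:
    checksum += ord(char)
# reduce modulo 255; invert the result unless it is zero
checksum = checksum % 255
if checksum % 255 != 0:
    checksum = checksum ^ 0xFF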
Rene.
Re: Visonic Powerlink RS232 Hack
Nice progress. Arming/Disarming works for me now too. Does anyone know if there is a way to figure out the current state of the panel? For example, if you have to reboot your home automation server and you need to find out what state the panel is in?
Re: Visonic Powerlink RS232 Hack
I am working on that. When monitoring the traffic between Powermax and Powerlink I periodically notice a complete dump of the Powermax (it seems). I already decoded lots of this: the definition of the zones, keyfobs, pin codes etc. However, I still do not know how to trigger this dump.
This morning I was playing a bit and noticed you don't have to issue any command when you make the serial connection to trigger the Powermax sending messages. I also figured out that the Powermax sends a message when you try to install a Powerlink from the menu. When you respond to this message, your code is enrolled as a Powerlink and some behaviour of the Powermax changes.
Rene.
- Willem4ever
Re: Visonic Powerlink RS232 Hack
This is how to get the status from the powermax !!! Issue a 0xA2 message and the status is returned to you - yeah it is that simple ....
Code:
2011-08-07 12:34:05.157518 0d a2 00 00 00 00 00 00 00 00 00 00 43 1a 0a - OUT
2011-08-07 12:34:05.726058 0d 02 43 ba 0a - C_OK - IN - DUP
2011-08-07 12:34:05.745951 0d a5 09 01 00 00 00 00 00 00 00 00 43 0d 0a - C_OK - IN
2011-08-07 12:34:05.746029 0d 02 fd 0a - OUT
2011-08-07 12:34:05.816539 0d a5 09 02 03 24 00 00 00 00 00 00 43 e4 0a - C_OK - IN
2011-08-07 12:34:05.816574 0d 02 fd 0a - OUT
2011-08-07 12:34:05.885910 0d a5 09 03 00 00 00 00 00 00 00 00 43 0b 0a - C_OK - IN
2011-08-07 12:34:05.885945 0d 02 fd 0a - OUT
2011-08-07 12:34:05.955915 0d a5 09 04 00 60 04 05 00 04 00 00 43 9c 0a - C_OK - IN
2011-08-07 12:34:05.955992 0d 02 fd 0a - OUT
2011-08-07 12:34:06.015953 0d a5 09 05 00 00 00 07 00 00 12 34 43 bb 0a - C_OK - IN
2011-08-07 12:34:06.015992 0d 02 fd 0a - OUT
2011-08-07 12:34:06.086038 0d a5 09 06 ff 3f 00 00 00 00 00 00 43 c8 0a - C_OK - IN
2011-08-07 12:34:06.086081 0d 02 fd 0a - OUT
2011-08-07 12:34:06.155936 0d a5 09 07 00 00 00 00 00 11 00 00 43 f5 0a - C_OK - IN
2011-08-07 12:34:06.155970 0d 02 fd 0a - OUT
2011-08-07 12:34:06.226056 0d a5 09 08 00 00 00 00 00 00 00 00 43 06 0a - C_OK - IN
2011-08-07 12:34:06.226122 0d 02 fd 0a - OUT
2011-08-07 12:34:06.295948 0d a5 09 09 00 00 00 00 00 00 00 00 43 05 0a - C_OK - IN
2011-08-07 12:34:06.295985 0d 02 fd 0a - OUT
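
Added example, not code from any of the posters: Python 3 code that checks the 0x0D ... 0x0A framing and the checksum of frames copied from the capture above, and decodes the five system state flags Rene listed for an 0xA5 message with byte 2 = 0x04. It assumes bytes are numbered from the command byte as 0, as proposed earlier in the thread; all function and constant names are illustrative.

```python
PREAMBLE, POSTAMBLE = 0x0D, 0x0A

# Frames copied from the 0xA2 capture in the thread; the last line is constructed.
CAPTURE = [
    "0d a2 00 00 00 00 00 00 00 00 00 00 43 1a 0a",
    "0d 02 43 ba 0a",
    "0d a5 09 04 00 60 04 05 00 04 00 00 43 9c 0a",
    "0d a5 09 04 00 60 04 05 00 04 00 00 43 9d 0a",  # constructed: corrupted checksum
]
# Row 4 of Rene's 0xA5 response, as posted (no preamble, checksum or terminator).
RENE_ROW4 = bytes.fromhex("a5 09 04 00 06 00 00 00 01 00 00 43")

# Masks for byte 4 of an 0xA5 message whose byte 2 is 0x04 (from the thread).
FLAGS = {0x01: "ready", 0x02: "alerts_in_memory", 0x04: "trouble",
         0x08: "bypass", 0x10: "last_10_seconds"}


def checksum(body: bytes) -> int:
    """Sum the body bytes modulo 255, then invert unless the result is 0."""
    total = sum(body) % 255
    return total ^ 0xFF if total != 0 else 0


def parse_frame(hex_line: str) -> bytes:
    """Return the body (command byte first); raise ValueError on a bad frame."""
    raw = bytes.fromhex(hex_line)
    if len(raw) < 4 or raw[0] != PREAMBLE or raw[-1] != POSTAMBLE:
        raise ValueError("bad framing")
    body, received = raw[1:-2], raw[-2]
    if checksum(body) != received:
        raise ValueError("checksum mismatch: got %02x, expected %02x"
                         % (received, checksum(body)))
    return body


def decode_status_flags(body: bytes) -> dict:
    """Decode the flag byte, counting bytes from the command byte as 0."""
    if len(body) < 5 or body[0] != 0xA5 or body[2] != 0x04:
        raise ValueError("not an 0xA5 message with byte 2 = 0x04")
    return {name: bool(body[4] & mask) for mask, name in FLAGS.items()}


if __name__ == "__main__":
    for line in CAPTURE:
        try:
            print(line, "->", parse_frame(line).hex(" "))
        except ValueError as err:
            print(line, "-> rejected:", err)
    print(decode_status_flags(RENE_ROW4))
```

Rejecting frames with a bad checksum before decoding keeps line noise on the serial link from being read as a panel state change.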