Visonic Powerlink2 Hacked

Forum about Visonic products like Powermax Plus and Powermax Pro

Moderators: Rene, Willem4ever

Re: Visonic Powerlink2 Hacked

Postby mhn » Tue Jun 21, 2011 7:32 am

Thanks.

It sounds like the Powermax is quite a mess. :-|
mhn
Member
Posts: 399
Joined: July 2009
Location: Denmark

Re: Visonic Powerlink2 Hacked

Postby Odin » Fri Jul 22, 2011 6:42 am

Utz, I am willing to help you with this as I wish to open up the powerlink module myself and there may be complementary gains to be had here.

How do I get the root password for the powerlink module? If we know this then I can logon and have a root around. A port scan reveals tcp ports 22,23 and 6310 are open.

Alternatively, how do I look at the log file on the powermax?

If necessary I am willing to try the RS232 method - I assume this is also powering the powerlink module from the powermax unit?

If you are on Skype maybe you can private msg me your id and we can talk that way and ultimately share our knowledge later.
Odin
Starting Member
Posts: 27
Joined: July 2011

Re: Visonic Powerlink2 Hacked

Postby Odin » Mon Aug 08, 2011 5:02 pm

I am getting the following HTTP request being sent to Visonic every minute or so -

GET /scripts/update.php?serial=03cegc&id=03cegc&account=001234&ver_hw=123&ver_sw=6.1.11&ver_var=6000&upgrade_status=0&configuration_status=0 HTTP/1.1

This gets the following response:

status =0&ka_time =120&allow =0&

Does anyone know what the response would be if the powerlink was registered?
Odin
Starting Member
Posts: 27
Joined: July 2011

Re: Visonic Powerlink2 Hacked

Postby rl40 » Sun Sep 25, 2011 11:56 pm

I have been wondering the same thing. I do know you do not want to change the allow=0 to allow=1 in the response. I echoed this from my own server (by setting the C.S. reporting IP address to my server). This will disable access to the web interface. Changing it back does restore access. I did panic when I first changed the status and I couldn't access the PowerLink until I remembered I changed it.
Thanks.
rl40
Starting Member
Posts: 6
Joined: September 2011
Location: Rochester, NY

Re: Visonic Powerlink2 Hacked

Postby Tozz » Tue Nov 01, 2011 4:21 pm

I just received my Powerlink2, and hacked some PHP together to (dis)arm my system. All working fine ;)

While running WireShark on my network I discovered the PowerLink2 is sending data back to (I assume) Visonic. It also includes the login username. I can't see any reason they would need to know when I log in to my own system, so I firewalled their subnet. You might want to do the same.
Tozz
Member
Posts: 95
Joined: October 2007
Location: Netherlands
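
A way to audit this outbound traffic from your own logs, as an added example that is not part of the original posts: it finds the update.php request quoted earlier in the thread in an egress log, lists which query fields leave the network and how often, and parses the loosely formatted reply. The log layout, timestamps, source addresses and function names are constructed assumptions.

```python
# Added example, not code from the thread. Log layout and timestamps are constructed.
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

BEACON = ("GET /scripts/update.php?serial=03cegc&id=03cegc&account=001234"
          "&ver_hw=123&ver_sw=6.1.11&ver_var=6000&upgrade_status=0"
          "&configuration_status=0 HTTP/1.1")  # request line quoted in the thread
# Constructed egress log: "<ISO time> <source IP> <request line>"
SAMPLE_LOG = [
    f"2011-08-08T17:00:05 192.168.1.200 {BEACON}",
    "2011-08-08T17:00:40 192.168.1.50 GET /index.html HTTP/1.1",
    f"2011-08-08T17:01:05 192.168.1.200 {BEACON}",
    f"2011-08-08T17:02:06 192.168.1.200 {BEACON}",
]

def parse_reply(body):
    """Parse the server reply, tolerating the stray spaces before '='."""
    pairs = (item.split("=", 1) for item in body.split("&") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}

def find_beacons(lines, path="/scripts/update.php"):
    """Return (time, source, query fields) for each GET to the update script."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "GET":
            continue  # not a well-formed GET entry in this log layout
        url = urlsplit(parts[3])
        if url.path == path:
            fields = {k: v[0] for k, v in parse_qs(url.query).items()}
            hits.append((datetime.fromisoformat(parts[0]), parts[1], fields))
    return hits

def summarise(hits):
    """Per source: fields disclosed, request count and mean interval in seconds."""
    times, report = {}, {}
    for stamp, src, fields in hits:
        times.setdefault(src, []).append(stamp)
        report.setdefault(src, {"fields": sorted(fields)})
    for src, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[src]["count"] = len(stamps)
        report[src]["mean_gap_s"] = sum(gaps) / len(gaps) if gaps else None
    return report

if __name__ == "__main__":
    print(summarise(find_beacons(SAMPLE_LOG)))
    print(parse_reply("status =0&ka_time =120&allow =0&"))
```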

Re: Visonic Powerlink2 Hacked

Postby manno » Sun Nov 06, 2011 12:34 am

Hi Tozz, I am curious as to what you have seen as far as the data being sent back to Visonic. Did you have their IP addresses listed in any of the IP RCVR options in the PowerMax? I ask because I have also set up an alerting system via local php but had to use my internal IP server address in the IP RCVR. Also running tcpdump on my router to catch anything sent to/from my powerlink device and have not seen anything sent or received to Visonic as of yet. Was also wondering if you would be kind enough to send me the subnet that you firewalled so that I can do the same. Agree, no one should know the status of my system other than me. This whole system kind of really irritates me since it's expensive and doesn't allow a whole lot of user control.
manno
Starting Member
Posts: 16
Joined: September 2011

Re: Visonic Powerlink2 Hacked

Postby MrGrape » Fri Mar 09, 2012 10:04 am

Hey all,

My first post, I've been reading a lot on this board and I'm impressed by all expertise around here! I've been playing around with my PowerMax Pro and Powerlink2 over the last few evenings, and managed to get a php script running to (dis)arm my alarm panel and read the sensor information and all. I can post it later if somebody is interested.

My question is about the application of the last part, reading the sensor information. What is a practical way to use this sensor information in a home automation environment? Suppose you would want something to happen when the front door opens. Would you poll for a status update of the sensor every 1 second or so? It doesn't seem very economical to poll the sensors 86400 times a day to catch maybe 10 changes of state. Wouldn't it put a big strain on the server, the network, and on the CPU of the PowerMax itself? Or isn't this the way to go, and I'd better use a receiver like RFXCOM instead to get my sensor updates?

Thanks!
MrGrape
Starting Member
Posts: 3
Joined: September 2011

Re: Visonic Powerlink2 Hacked

Postby Bwired » Fri Mar 09, 2012 10:48 am

That is not a good option to poll every 1 second, agree.
We all have been down this road and most of them switched to the RS232 connection to the Visonic.
viewtopic.php?f=68&t=6581
This one is event driven, so the powermax triggers your app when something changes.

It's also possible to receive all the Visonic detectors with Rfxcom or the Alphatronics receiver.
The advantage of the Rfxcom is that you can receive a lot of other devices as well.
Bwired
Administrator
Posts: 5304
Joined: March 2006
Location: Netherlands

Re: Visonic Powerlink2 Hacked

Postby MrGrape » Fri Mar 09, 2012 5:00 pm

Thanks, I didn't realize the RS232 option was event driven, I'll look into that for sure! My main concern was (and still is...) running yet another cable from my PC to my alarmpanel (big house, different floors, uncooperative wife :lol:). I might try and see if I can find some nice "RS232-over-LAN" solution for that!

Maybe the Rfxcom with a 868MHz extension or a similar device isn't such a bad idea after all...
MrGrape
Starting Member
Posts: 3
Joined: September 2011

Re: Visonic Powerlink2 Hacked

Postby Digit » Fri Mar 09, 2012 9:40 pm

(RS232, 485, USB, 1-Wire, etc) over Ethernet is the best solution IMO. It may cost a bit more, but it's very flexible and reliable.
Digit
Global Moderator
Posts: 3388
Joined: March 2006
Location: Netherlands

Re: Visonic Powerlink2 Hacked

Postby asd09fj2d » Wed Aug 22, 2012 8:46 pm

Can anyone post their PHP scripts? I am just trying to set my system up to set status Arm/Away/Home.
asd09fj2d
Starting Member
Posts: 1
Joined: August 2012

Re: Visonic Powerlink2 Hacked

Postby lmaurice » Sat Jan 18, 2014 6:53 pm

I'm also interested in PHP scripts just for arming or disarming.
If anyone has it....

Best regards,
Laurent
lmaurice
Starting Member
Posts: 11
Joined: January 2014

Re: Visonic Powerlink2 Hacked

Postby lmaurice » Sat Jan 18, 2014 8:23 pm

For the moment, I tried something like that.
<?php

echo 'Hello ';

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,"http://192.168.1.200/web/ajax/login.login.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS,
"user=Admin&pass=Admin");

// in real life you should use something like:
// curl_setopt($ch, CURLOPT_POSTFIELDS,
// http_build_query(array('postvar1' => 'value1')));

// receive server response ...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$server_output = curl_exec ($ch);

echo $server_output;

curl_close ($ch);


$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,"http://192.168.1.200/web/ajax/security.main.status.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);


curl_setopt($ch, CURLOPT_POSTFIELDS,
"set=ArmAway");


// receive server response ...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$server_output = curl_exec ($ch);

echo $server_output;

curl_close ($ch);

echo "end";
?>


I received an OK from the connection part, but nothing from the Arm one.

Best regards,
Laurent
lmaurice
Starting Member
Posts: 11
Joined: January 2014

Re: Visonic Powerlink2 Hacked

Postby lmaurice » Sun Jan 19, 2014 11:24 am

Hello everybody,

When playing the PHP script, I receive from the Powerlink2 server:

For the connection:

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2000 08:18:27 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Set-Cookie: PowerLink=0ca39037aa045d091773570af5387066; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=1200, pre-check=1200
Last-Modified: Thu, 20 Oct 2011 10:26:17 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

OK1

For the arming request:

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2000 08:18:28 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Cache-Control: private, max-age=1200, pre-check=1200
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Thu, 20 Oct 2011 10:26:17 GMT
Pragma: no-cache
Set-Cookie: PowerLink=108ea8c259cd6f02dbda59dc2e90774d; path=/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

But nothing happens on the alarm itself.
Maybe, I have something to do with the Cookies numbers provided.
I don't know.
If someone can help me, it would be very kind.

Thank you in advance,
Laurent
lmaurice
Starting Member
Posts: 11
Joined: January 2014

Re: Visonic Powerlink2 Hacked

Postby lmaurice » Sun Jan 19, 2014 1:22 pm

Finally, I achieved it.
You will find below a PHP script which works for arming or disarming the Powermax Pro.
You just have to change the IP address of the Powerlink2, the connection information and the action to perform (Disarm, ArmAway or ArmHome).

Best regards,
Laurent

<?php

// Step 1: log in. The cookie options make cURL keep the PowerLink session
// cookie returned by the login page so that the next request sends it back.
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,"http://192.168.1.200/web/ajax/login.login.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS,"user=Admin&pass=Admin");
curl_setopt($ch, CURLOPT_COOKIEJAR, '/cookies.txt');  // cookies are written here when the handle is closed
curl_setopt($ch, CURLOPT_COOKIEFILE, '/cookies.txt'); // enables cookie handling and reads saved cookies

$server_output = curl_exec ($ch);

// Step 2: reuse the same handle, and with it the session cookie,
// for the arm/disarm request.
curl_setopt($ch, CURLOPT_URL,"http://192.168.1.200/web/ajax/security.main.status.ajax.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS,"set=Disarm"); // ArmAway, ArmHome or Disarm

$server_output = curl_exec ($ch);

curl_close ($ch);

?>
lmaurice
Starting Member
Posts: 11
Joined: January 2014
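
A diagnostic for the two responses posted above, as an added example that is not part of the original posts: it compares the PowerLink cookie set by the login response with the one set by the arming response. It assumes the usual PHP session behaviour, where Set-Cookie is sent only when a new session is started; the function names are hypothetical and the header dumps are abridged from the thread.

```python
# Added example, not code from the thread: did the follow-up request
# reuse the session that the login response created?
from http.cookies import SimpleCookie

# Abridged from the two responses quoted in the thread.
LOGIN_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: PowerLink=0ca39037aa045d091773570af5387066; path=/
Content-Type: text/html

OK1"""
ARM_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: PowerLink=108ea8c259cd6f02dbda59dc2e90774d; path=/
Content-Type: text/html

"""

def parse_response(raw):
    """Split a raw HTTP response into (status code, header list, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    headers = [tuple(part.strip() for part in line.split(":", 1))
               for line in header_lines if ":" in line]
    return int(status_line.split()[1]), headers, body

def session_cookie(headers, name="PowerLink"):
    """Return the value of the named cookie set by the response, or None."""
    for key, value in headers:
        if key.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if name in jar:
                return jar[name].value
    return None

def diagnose(login_raw, followup_raw, name="PowerLink"):
    """Classify the follow-up by the session cookie the server sent back."""
    issued = session_cookie(parse_response(login_raw)[1], name)
    reissued = session_cookie(parse_response(followup_raw)[1], name)
    if issued is None:
        return "login response set no session cookie"
    if reissued is not None and reissued != issued:
        # Assumption: a fresh id means the request arrived without the login cookie.
        return "new session issued: follow-up did not carry the login cookie"
    return "session reused"

if __name__ == "__main__":
    print(diagnose(LOGIN_RESPONSE, ARM_RESPONSE))
```

The first script used a fresh cURL handle with no cookie options for the arming request, which matches the "new session issued" result; the later script keeps one handle with CURLOPT_COOKIEJAR and CURLOPT_COOKIEFILE set.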
