Visonic Powerlink RS232 Hack

Forum about Visonic products like Powermax Plus and Powermax Pro

Moderators: Rene, Willem4ever

Visonic Powerlink RS232 Hack

Postby utz » Tue Jul 19, 2011 7:40 am

I am trying to mimic the functionality of a powerlink with my own piece of software/hardware. Basically, my aim is to control my powermax+ alarm panel directly via RS232 using my home automation system. Thus, I need to reverse engineer the RS232 protocol of the powermax+. So far, I am able to establish communication with the powermax and receive events from the panel (sensors such as movement/door; arming/disarming/... events). What I now need to figure out is what the commands sent to the panel look like. However, as I do not have a powerlink it is hard for me to figure this out. I thought maybe someone here that owns a powerlink could send a few commands from his powerlink to the powermax (such as arming/disarming/...) and sniff the RS232 communication.... (Some more discussion can be found here: http://forum.micasaverde.com/index.php?topic=6884.0)

The protocol elements that I figured out so far are:
Messages To Panel:
AB Message (15Byte): 0D AB 0A 00 01 00 00 00 00 00 00 00 43 06 0A
Sent to start panel reporting

02 Message (4Byte): 0D 02 FD 0A
Must be sent to panel to acknowledge messages

Messages From Panel:
02 Message (5Byte): 0D 02 43 BA 0A
Acknowledge AB message sent to panel

A5 Message (15 Byte): 0D A5 XX <TYPE> <ARM> <DEVICE> <ZONE> <EVENT> XX XX XX XX XX XX 0A
General event indication
TYPE, byte 4:
   0x04 - event (for type see byte 6)
ARM, byte 5:
   0x00 - disarmed 
   0x01 - arming home
   0x02 - arming away
   0x03 - follow mode
   0x04 - alarm activated home
   0x05 - alarm activated away
DEVICE, byte 6:
   0x0X - alarm event (alarm activated)
   0x2X - sensor event (evaluate byte 8 to determine type of event)
      the lower 4 bit of byte 6 indicate
      bit 1 - 0:not ready to arm
         1:ready to arm
      bit 2 - 0:no alarm in memory
         1:alarm in memory
      bit 3 - 0:no tamper
         1:system tamper
   0x4X - arming event (evaluate byte 5 to determine type of arming)
      the lower 4 bit of byte 6 indicate
      bit 1 - 0:not ready to arm
         1:ready to arm
      bit 2 - 0:no alarm in memory
         1:alarm in memory
   0x6x - same as 0x2X but while arming (exit delay)
ZONE, byte 7
   the zone id
EVENT, byte 8
   0x01 - tamper open
   0x02 - tamper close
   0x03 - open
   0x04 - close
   0x05 - movement
   (I expect others will be: flood, fire, ...)

A7 Message (15 Byte): 0D A7 XX XX XX <TYPE> XX XX XX XX XX XX XX XX 0A
General panel status indication
TYPE, byte 6:
   0x0X - alarm
      0x06 tamper alarm on (sensor)
      0x07 tamper alarm on (panel)
   0x1X - alarm off
      0x13 low battery alarm off
      0x16 tamper alarm off (sensor)
      0x17 tamper alarm off (panel)   
   0x21 - low battery alarm
   0x51 - armed home
   0x52 - armed away
   0x55 - disarmed
   0x60 - admin login on panel
   0x61 - admin logout on panel


Example A5 messages
Window Zone 07 open
0D A5 00 04 00 20 07 03 00 03 AF 0F 43 27 0A
Window Zone 07 close
0D A5 00 04 00 21 07 04 00 03 AF 0F 43 25 0A
Movement Zone 11
0D A5 00 04 00 21 0B 05 00 03 AF 0F 43 20 0A
Movement in Zone 11 with tamper alarm in memory
0D A5 00 04 00 23 0B 05 00 03 AF 0F 43 1E 0A
Door Open in Zone 01 while arming away (exit delay)
0D A5 00 04 02 60 01 03 00 03 00 00 43 A9 0A
Door Close in Zone 01 while arming away (exit delay)
0D A5 00 04 02 61 01 04 00 03 00 00 43 A7 0A
Arming Away
0D A5 00 04 02 41 00 00 00 03 AF 0F 43 0E 0A
Arming Home
0D A5 00 04 01 41 00 00 00 03 AF 0F 43 0F 0A
Disarming
0D A5 00 04 00 41 00 00 00 03 AF 0F 43 10 0A
Not ready to arm
0D A5 00 04 00 40 00 00 00 03 AF 0F 43 11 0A

Example A7 Messages
Disarmed
0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DC 0A
Armed Home
0D A7 01 00 20 51 00 00 00 03 AF 0F 43 E0 0A
Armed Away
0D A7 01 00 21 52 00 00 00 03 00 00 43 9D 0A
Tamper With Panel
0D A7 01 00 00 07 00 00 40 03 AF 0F 43 0B 0A
Tamper Restore On Panel
0D A7 01 00 00 17 00 00 00 03 AF 0F 43 3B 0A
Tamper With Sensor
0D A7 01 00 0F 06 0F 01 00 03 AF 0F 43 2D 0A
Tamper Restore With Sensor
0D A7 01 00 0F 16 0F 02 00 03 AF 0F 43 1C 0A
utz
Starting Member
Posts: 31
Joined: July 2011
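As an added example (not code from the thread), a decoder for the A5 event messages described in this post. Byte numbering follows the post (byte 1 = 0x0D); the labels for the DEVICE nibble and the field names are assumptions of this example.

```python
ARM_STATES = {0x00: "disarmed", 0x01: "arming home", 0x02: "arming away",
              0x03: "follow mode", 0x04: "alarm activated home", 0x05: "alarm activated away"}
EVENTS = {0x01: "tamper open", 0x02: "tamper close", 0x03: "open", 0x04: "close", 0x05: "movement"}
DEVICE_KINDS = {0x0: "alarm", 0x2: "sensor", 0x4: "arming", 0x6: "sensor during exit delay"}

def parse_hex(text):
    """'0D A5 00 ...' -> list of ints."""
    return [int(tok, 16) for tok in text.split()]

def decode_a5(msg):
    """Decode one 15-byte A5 event message; byte numbering as in the post (byte 1 = 0x0D).
    Only TYPE 0x04 (event) is described, so anything else raises ValueError."""
    if len(msg) != 15 or msg[0] != 0x0D or msg[1] != 0xA5 or msg[-1] != 0x0A:
        raise ValueError("not a framed 15-byte A5 message")
    if msg[3] != 0x04:                                          # byte 4 = TYPE
        raise ValueError("unhandled A5 TYPE 0x%02X" % msg[3])
    device = msg[5]                                             # byte 6 = DEVICE
    if device >> 4 not in DEVICE_KINDS:
        raise ValueError("unknown DEVICE nibble 0x%X" % (device >> 4))
    return {
        "kind": DEVICE_KINDS[device >> 4],
        "arm": ARM_STATES.get(msg[4], "unknown 0x%02X" % msg[4]),            # byte 5
        "zone": msg[6],                                                     # byte 7
        "event": EVENTS.get(msg[7], "unknown 0x%02X" % msg[7]) if msg[7] else None,  # byte 8
        # lower nibble of byte 6 (the post numbers these bits 1, 2 and 3)
        "ready": bool(device & 0x01),
        "alarm_in_memory": bool(device & 0x02),
        "tamper": bool(device & 0x04),
    }

SAMPLES = {   # three of the post's own example messages
    "Movement in Zone 11 with tamper alarm in memory": "0D A5 00 04 00 23 0B 05 00 03 AF 0F 43 1E 0A",
    "Door Open in Zone 01 while arming away": "0D A5 00 04 02 60 01 03 00 03 00 00 43 A9 0A",
    "Not ready to arm": "0D A5 00 04 00 40 00 00 00 03 AF 0F 43 11 0A",
}

if __name__ == "__main__":
    for label, hexline in SAMPLES.items():
        print("%s -> %s" % (label, decode_a5(parse_hex(hexline))))
```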

Re: Visonic Powerlink2 Hacked

Postby Rene » Wed Jul 20, 2011 9:56 pm

Very interesting!
Rene.
Rene
Global Moderator
Posts: 1689
Joined: October 2008
Location: Netherlands

Re: Visonic Powerlink2 Hacked

Postby Odin » Thu Jul 21, 2011 5:00 pm

Another new user here - I bought powerlink 2 also and am interested in seeing how far we get with 'opening' it to enhance my automation ideas.

That said, I can't even get the thing to email me alerts/alarms etc.!
Odin
Starting Member
Posts: 27
Joined: July 2011

Re: Visonic Powerlink2 Hacked

Postby utz » Thu Jul 21, 2011 5:58 pm

My goal is to replace the powerlink completely by a PC (or home automation system). So far I managed to get the powermax reporting to a PC (so I can now use the powermax similar to what an rfxcomm receiver is doing). What I need to do is to figure out what to send the other way (from PC to powermax). Maybe someone that is the proud owner of a powerlink can have a look at the communication between powerlink and powermax (for example using http://www.lammertbies.nl/comm/cable/RS ... nitor.html)?

Alternatively, if you can hack into the powermax it may be possible to do this without a sniffer cable. The powermax is a unix and there is software to look at the communication there (/dev/tty).

Maybe even simpler, maybe there is a logfile on the powermax which reveals the data sent over serial.

Anyone able to help?

I just do not want to buy a powerlink myself just to analyze the communication and then throw the thing in the bin (a bit of an expensive procedure).
utz
Starting Member
Posts: 31
Joined: July 2011

Re: Visonic Powerlink2 Hacked

Postby utz » Fri Jul 22, 2011 4:39 pm

Thanks Odin.

Some description (including password) on how to get into the powerlink can be found here: http://voksenlia.net/powerlink/

I assume you have an external powerlink that is connected via a serial cable to the powermax (I am asking as there are as well internal powerlink modules that are installed within a powermax and then it is harder to get to the communication link).

You can't look at a logfile on the powermax (it is an embedded system and does not have a filesystem as such; there are log messages in memory but they are not useful).

The rs232 cable is just for communication, it does not power any of the units (as far as I know but I will check).

If it is needed to sniff the RS232 link (as we can't get to it via the powerlink) I can see if I can produce a sniffer cable and then post it to you (that would take a bit of time as I have to get the pieces, solder it together and in particular test it).
utz
Starting Member
Posts: 31
Joined: July 2011

Re: Visonic Powerlink RS232 Hack

Postby Rene » Mon Jul 25, 2011 10:15 pm

I quickly wrote a HouseAgent plugin that emulates the Powerlink as described above and started analyzing the messages coming in.

I have an update of the information provided so far.
The 0x0D byte is clearly the preamble and the 0x0A byte the postamble. The byte before the postamble is the checksum, which is calculated as follows:
1. Sum all bytes except for the preamble, postamble and, of course, the checksum itself.
2. Divide this sum by 255.
3. Take the one's complement of the remainder.

In Python this looks as follows (where message contains only the bytes that need to be added to the sum):
def checksum(message):
    """message: the bytes to sum, as a str of raw characters (no preamble, postamble or checksum byte)."""
    checksum = 0
    for char in message:
        checksum += ord(char)
    return (checksum % 255) ^ 0xFF


Some more values for the different bytes I found in the messages (The first byte of the message is byte 1, as used in the previous post (I would have used 0 instead)):

For a 0xA5 message (byte 2 of the message):
BYTE 4:
      0x01 = Initiate arming home or away (no further information)
      0x02 = Keep Alive
      0x04 -> Information??
      0x07 -> During arming home and away

BYTE 5 when BYTE 4 = 0x04:
      0x00 = DISARMED
      0x01 = ARMING HOME (EXIT DELAY)
      0x02 = ARMING AWAY (EXIT DELAY)
      0x03 = ARMED AWAY (ENTRY DELAY)
      0x04 = ARMED HOME
      0x05 = ARMED AWAY

BYTE 6 when BYTE 4 = 0x04:
      0x01 -> during arming away and just after armed away, status panel = Ready
      0x11 -> Rate of beeps during exit delay increased (last 10 seconds)
      0x20 -> Status not ready
      0x21 -> Status ready
      0x40 -> Arm or disarm event and status panel = Not Ready (just before A7 goes to disarmed)
      0x41 -> Arm or disarm event and status panel = Ready
      0xA0 -> Just after disarm event and status panel = Not Ready
      0xA1 -> Just after disarm event and status panel = Ready
      0xE0 -> During entry delay while beeps are sounding

BYTE 9 when BYTE 4 = 0x04:
      0x01 -> for every sensor event

BYTE 10 when BYTE 4 = 0x04:
      0x22 -> During exit delay and entry delay
      0x30 -> For every sensor event
      0x32 -> During exit delay and entry delay
      0x34 -> During exit delay and when keyfob AUX is pressed
      0x36 -> During exit delay and when keyfob AUX is pressed


For a 0xA7 message:
BYTE 2:
      0x01 -> A status change of the panel initiated by an event (can also be a keyfob!)
BYTE 4:   
      0x00 -> Panel event?
      0x1F = Keyfob N1 event
      0x21 = Keyfob N3 event
      0x27 -> ?

BYTE 5:
      0x51 -> Armed Home via Keyfob
      0x52 -> Armed Away via Keyfob
      0x53 -> Armed Home via Panel
      0x55 -> Disarmed via Keyfob/panel

BYTE 6:   Zone number (sometimes)
Rene.
Rene
Global Moderator
Posts: 1689
Joined: October 2008
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Postby Digit » Mon Jul 25, 2011 10:23 pm

This is becoming very interesting, I was about to buy a Powerlink :lol:
Digit
Global Moderator
Posts: 3388
Joined: March 2006
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Postby Rene » Mon Jul 25, 2011 10:29 pm

It is, so help us ;-)

The thing I am most curious about, but which cannot be found without a Powerlink, are the commands used to arm and disarm the panel from the Powerlink interface.
Rene.
Rene
Global Moderator
Posts: 1689
Joined: October 2008
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Postby Digit » Mon Jul 25, 2011 11:48 pm

I will :D
There are some options, which I will have a look at asap...
Digit
Global Moderator
Posts: 3388
Joined: March 2006
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Postby utz » Tue Jul 26, 2011 9:56 am

@Rene
Thanks for decoding the checksum part. I tried a variety of CRC algorithms and XOR approaches but could not get it.

I wrote a plugin for my home automation system and it has been up and running for over a week. So, I think the communication link can be considered stable.

We should maybe think about a place to document the protocol (maybe a wiki or something).
utz
Starting Member
Posts: 31
Joined: July 2011

Re: Visonic Powerlink RS232 Hack

Postby Willem4ever » Wed Jul 27, 2011 2:18 pm

When byte 4 = 2 (status / idle message), bytes 5, 6, 7 and 8 show the zones which are open.

0D A5 00 02 02 20 00 00 00 00 00 00 43 F2 0A
In the example zone 2 and zone 14 are open.
Willem4ever
Global Moderator
Posts: 804
Joined: October 2006
Location: Uithoorn / Netherlands

Re: Visonic Powerlink RS232 Hack

Postby Rene » Wed Jul 27, 2011 6:43 pm

Confirmed: In the keep alive message (Byte 4 = 0x02), bytes 5, 6, 7 and 8 indicate which zones are open. Each bit corresponds with a zone. Bit 0 of byte 5 corresponds to zone 1, bit 1 with zone 2, bit 1 of byte 6 with zone 9 etc.

Byte 9 and 10 when byte 4 = 0x04 have something to do with X10 and PGM outputs. But I cannot figure out what they exactly mean.
Rene.
Rene
Global Moderator
Posts: 1689
Joined: October 2008
Location: Netherlands

Re: Visonic Powerlink RS232 Hack

Postby utz » Wed Jul 27, 2011 9:18 pm

I created a wiki page here: http://powermax.wikia.com/wiki/Powermax_Wiki

The idea is to use this place to collaboratively come up with the protocol specification.

Please edit if you find out more about the protocol.

If it does not work let me know (I never used this wiki before, so I do not know if it works out)
utz
Starting Member
Posts: 31
Joined: July 2011

Re: Visonic Powerlink RS232 Hack

Postby Willem4ever » Thu Jul 28, 2011 8:51 am

I found that the below calculation doesn't always work correctly

def checksum(message):
    """message: the bytes to sum, as a str of raw characters (no preamble, postamble or checksum byte)."""
    checksum = 0
    for char in message:
        checksum += ord(char)
    return (checksum % 255) ^ 0xFF

Now, taking the data streams below and ONLY adding up all the bytes (incl. the checksum itself) in the stream, with the exception of the pre-amble and the post-amble:

0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DC 0A
Checksum = 2fd
0D A5 00 04 00 20 07 03 00 03 AF 0F 43 27 0A
Checksum = 1fe
0D A7 01 00 12 4E 00 00 00 03 00 00 43 B0 0A
Checksum = 1fe
0D 02 FD 0A
Checksum = ff

-----

Now, taking the Perl example below results in the following output ($hd contains the full message, incl. pre-amble and post-amble; $z contains the length):

my $chk = 0;
for (my $x = 1; $x < $z - 1; $x++) {    # skip the pre-amble $hd[0] and the post-amble $hd[$z-1]
    $chk += $hd[$x];                     # the checksum byte itself is included in the sum
}
# fold the carry byte back onto the low byte (integer division); a valid message gives 0xFF
$chk = int($chk / 0x100) + ($chk % 0x100);


0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DC 0A
Checksum = ff
0D A5 00 04 00 20 07 03 00 03 AF 0F 43 27 0A
Checksum = ff
0D A7 01 00 12 4E 00 00 00 03 00 00 43 B0 0A
Checksum = ff
0D 02 FD 0A
Checksum = ff

Now the proof of the pudding, by altering the stream:
0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DB 0A
Checksum = fe
0D A7 01 00 20 55 00 00 00 03 AF 0F 43 DD 0A
Checksum = 100
0D 02 FE 0A
Checksum = 1
Willem4ever
Global Moderator
Posts: 804
Joined: October 2006
Location: Uithoorn / Netherlands

Re: Visonic Powerlink RS232 Hack

Postby utz » Thu Jul 28, 2011 9:50 am

How to read messages?

Currently we do not know the full set of messages that may come out of the powermax. Messages can have any length and they can have 0D and 0A in the message body. So we cannot just simply read until we get 0A. Would it be a good idea to read until we have some 0A and the checksum between the last 0D and 0A works out?

My implementation currently ignores unknown messages and I only read the ones I know (A5, A7, ...) as I know their length upfront.

Any suggestion?
utz
Starting Member
Posts: 31
Joined: July 2011
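As an added example (not any poster's own code), the pieces discussed in this thread put together: Rene's checksum, Willem4ever's fold check, a frame scanner for utz's question about bodies that contain 0x0D or 0x0A, and the keep-alive zone bitmap from Willem4ever's and Rene's posts. The zone numbering assumes bit 0 of byte 6 is zone 9 (which is what Willem4ever's sample, zones 2 and 14, requires), and the sample stream is constructed here.

```python
PREAMBLE, POSTAMBLE = 0x0D, 0x0A

def checksum(payload):
    """Rene's formula over the bytes between the ambles, checksum byte excluded."""
    return (sum(payload) % 255) ^ 0xFF

def fold_check(inner):
    """Willem4ever's check over payload + checksum byte: fold the carry onto the low byte.
    A valid message gives 0xFF."""
    total = sum(inner)
    return (total // 0x100) + (total % 0x100)

def open_zones(payload):
    """Keep-alive A5 message (byte 4 = 0x02): bytes 5-8 form a zone bitmap.
    Assumed: bit 0 of byte 5 = zone 1, ..., bit 0 of byte 6 = zone 9, and so on."""
    if payload[0] != 0xA5 or payload[2] != 0x02:
        return None
    return [8 * i + b + 1 for i, byte in enumerate(payload[3:7])
            for b in range(8) if byte >> b & 1]

def scan_frames(stream):
    """Yield (start offset, payload) for every 0x0D .. checksum 0x0A span that validates.
    A 0x0A whose checksum does not work out is skipped, so a 0x0A inside a body does
    not end the frame early; message types the caller does not know are still returned."""
    i = 0
    while i < len(stream):
        if stream[i] == PREAMBLE:
            for j in range(i + 3, len(stream)):         # shortest frame is 4 bytes
                if stream[j] != POSTAMBLE:
                    continue
                inner = stream[i + 1:j]                 # payload + checksum byte
                if checksum(inner[:-1]) == inner[-1]:
                    yield i, bytes(inner[:-1])
                    i = j                               # resume after this frame
                    break
        i += 1

# Constructed sample stream: a stray byte, Willem4ever's keep-alive (zones 2 and 14),
# the 02 acknowledge, and a made-up keep-alive whose body contains both 0x0A and 0x0D.
STREAM = bytes.fromhex(
    "FF"
    "0D A5 00 02 02 20 00 00 00 00 00 00 43 F2 0A"
    "0D 02 FD 0A"
    "0D A5 00 02 0A 0D 00 00 00 00 00 00 43 FD 0A")

def decode_stream(stream=STREAM):
    """[(offset, message type, open zones or None), ...] for every valid frame."""
    return [(start, payload[0], open_zones(payload))
            for start, payload in scan_frames(stream)]

if __name__ == "__main__":
    for start, mtype, zones in decode_stream():
        print("offset %2d: type 0x%02X, open zones %s" % (start, mtype, zones))
```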
