Using Visonic PowerMax C.S. Reporting to my own server.

Forum about Visonic products like Powermax Plus and Powermax Pro

Moderators: Rene, Willem4ever

Using Visonic PowerMax C.S. Reporting to my own server.

Postby rl40 » Fri Sep 23, 2011 1:03 am

Hello,
I am new to this forum so I hope people here find this information useful. I know it is long and I am sorry about that.

I recently purchased a PowerMax Pro with a PowerLink 2 and in doing web searching I found some of the hacking efforts that are going on. It is all great work but what I did not find was anybody looking into the C.S. Reporting stuff in the PowerMax Pro. I decided to try to get the C.S. reporting working to my own server (that I would write). Looking at the specs for Visonic's IPMP server (http://www.visonic.com/Products/Wireles ... t-platform) I noticed that it spoke SIA protocol and supported 128bit AES encryption and needed port 443 open (more on this later). I could be shot down before I even started if it did use encryption. I decided to try anyway. Online I found the spec for the SIA protocol (http://www.mobile-download.net/tools/As ... 070319.pdf) and it seemed fairly easy to understand so I proceeded. It does say that an SIA server should listen on UDP and TCP but that UDP was preferred. The first thing I did was to set up Apache on my laptop. I fired up WireShark and then on the PowerMax Pro I set the C.S. Reporting IP address to my laptop.

In WireShark I found that the Powerlink 2 sends an HTTP GET to port 8080 of the server.
"GET /scripts/update.php?serial=XXXXXX&id=ID&account=001234&ver_sw=6.3.2&ver_hw=123&ver_var=6000&upgrade_status=0&configuration_status=0"

where XXXXXX is my serial number and the account is the default. I went into the LAN diagnostics of the PowerMax and it failed. I figured that if the GET is not acked back properly C.S. reporting does not work, so on my local web server I added an <htdocs>/scripts/update.php file, but I didn't know what it should return, so in a web browser I sent the above GET to MyHome.visonic.com.

"http://MyHome.Visonic.com:8080/scripts/update.php?serial=XXXXXX&id=HouseAlarm&account=001234&ver_sw=6.3.2&ver_hw=123&ver_var=6000&upgrade_status=0&configuration_status=0"

(with my serial number) and it returned 
"status =4&ka_time =5&allow =0&id =XXXXXX&"
(again XXXXXX is the serial number I sent in the GET). I don't know what it would respond if I was actually registered with MyHome.visonic.com but I will worry about that later. I can mimic that so in the update.php I just echoed "status =4&ka_time =5&allow =0&id =XXXXX&".

With that I could go into the panel and run the LAN diagnostics and it passed.

Next I started to play with the values in the echo. One thing I found: don't set the status to 1 and leave it there. If you do, you will not be able to log into the web interface of the Powerlink 2. Also somewhere along the way I changed the status to different values. More on that later...

Now, after acking the GET, I brought up WireShark again and noticed that the Powerlink was trying to connect to my server on port 5001 through TCP. The Visonic server uses TCP and not UDP. That makes it easier, so I wrote a small server that would listen on port 5001/TCP and dump whatever it received to a binary file. I also made a class that would parse the message received (if it had the SIA preamble, which they did). I needed to parse the message because SIA dictates that every message received needs to send an ACK back and the ACK needs info from the original message.

Once I got the ack working correctly I noticed that I would receive 2 different types of SIA messages. There may be more types but so far I have only received 2. Of course these are Visonic proprietary and the message bodies do not follow the spec exactly but... drum roll please, they are NOT encrypted! The first type of message I received had an id of (SIA IDs are ASCII) "VIS-CMD" and its message body was all ASCII. You can tell it is not encrypted (other than it is readable) because the SIA protocol says that an encrypted message will have an ID that starts with an * so if this message was encrypted its ID would be "*VIS-CMD". Anyway, here is the body of the message.

[hw_version="123" sw_version="6.3.2" variant="6000" config_update="0" sw_upgrade="0" layout="large"]

As I was playing with the status that I mentioned above the "sw_upgrade" changed to "3" and then to "255". I don't know why?

The second type of message I received is the interesting one; its ID is "VIS-BBA", again not encrypted. Its message body was not ASCII but 16 bytes of data. I would also get one of these every time someone would open a door or something would happen on the Powermax panel. Hmm, what could that be? This is what it looked like.

[0D A5 00 04 00 01 00 00 00 00 05 00 00 43 0D 0A]

Where have I seen this before? Maybe right here
viewtopic.php?f=22&t=6517
and
viewtopic.php?f=68&t=6581
and
http://forum.micasaverde.com/index.php?topic=6884.0

Yes it is true that the C.S. reporting is using the protocol described in this forum on the pages above. What about the AES encryption that the Visonic Server says it supports? That is where the open port 443 comes in; it (Visonic's IPMP server) must be using https to send stuff back and get more information from/to the Powerlink since that is the only port on the local network required to be open to the outside world.

My test C.S. server is far from ready to be made available but I will when I get it further along. It is currently in a proof of concept stage. I just wanted to see if the C.S. reporting used encryption and if not could I decipher it. I am writing it in C++ on OS X so it should be usable elsewhere. Now a little about how it all works. The server is a multi threaded server that listens on port 5001. Every time a client (the PowerLink) connects it sends that socket to a new thread to handle the connection. The Powerlink connects, sends the packet, waits for an ack, and disconnects.

Something else I have been playing with is the iPhone and Android app MyVisonic. How do I get them to work without registering at Visonic? Once again it is time for Wireshark (or Fiddler). Start it up and then start the iPhone app (on a wifi iPad since I don't have an iPhone). Enter my Powerlink username/password; in the Powerlink ID spot I did not know what to put so I entered "ZZZZZ" and in the server spot I entered my web server address. When I hit connect it failed but Wireshark showed me it was trying to get to https://<my server address>/ZZZZZ. I then went to my server and added a folder named ZZZZZ and in there created an index.php that redirected the URL to the https address on the Powerlink. This time when I hit connect it actually connected. This same trick did not work on the Android version of the MyVisonic app but it does work on the iPhone app on a wifi iPad.
Thanks.
rl40
Starting Member
Posts: 6
Joined: September 2011
Location: Rochester, NY
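The registration check described in the post above (the GET to /scripts/update.php on port 8080 and the status/ka_time/allow/id answer), written up as a small stand-in server. This is an added example, not code from the original post or from Visonic. It reflects the serial from the request into the id field, as the MyHome.visonic.com reply in the post does, and rejects serials that are not plain alphanumerics so nothing arbitrary is echoed back. The status/ka_time/allow values are the ones captured in the post; the port and path are from the post as well; everything else is an assumption.

```python
"""Stand-in for Visonic's /scripts/update.php registration endpoint (port 8080).

Added example, not the original poster's code. Values of STATUS, KA_TIME and
ALLOW are the ones the post saw MyHome.visonic.com return; the thread does
not establish what other status values mean (status 1 locked the poster out
of the PowerLink web UI), so keep 4 unless you are experimenting.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

STATUS, KA_TIME, ALLOW = 4, 5, 0          # captured from MyHome.visonic.com
UPDATE_PATH = "/scripts/update.php"       # path the PowerLink 2 requests


def update_response(request_path: str):
    """Body for GET /scripts/update.php?serial=...; None if not that request."""
    parts = urlsplit(request_path)
    if parts.path != UPDATE_PATH:
        return None
    serial = parse_qs(parts.query).get("serial", [""])[0]
    if not serial.isalnum():              # only reflect a plain serial back
        return None
    # Exact shape of the captured reply, spaces before '=' included.
    return ("status =%d&ka_time =%d&allow =%d&id =%s&"
            % (STATUS, KA_TIME, ALLOW, serial)).encode("ascii")


class UpdateHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = update_response(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), UpdateHandler).serve_forever()
```

Run it on the machine whose address you entered as the C.S. Reporting IP, then run the panel's LAN diagnostics; the GET shown in the post should arrive and get the reply above.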

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby Bwired » Fri Sep 23, 2011 8:03 am

Thanks for the good information!
I used CS reporting on my powermax pro with powerlink 2.
I thought that would be the ultimate solution, but it was very unstable for me.
The powermax got into error mode every time, so was there something wrong with my LAN or IP number in CS reporting? But there wasn't; a reboot or just doing a LAN check within the Visonic got it running for a while again.
Also sometimes I got the output, but after a while it just stopped.
I have enough RS232 to IP available so I went on with the RS232 option, which is the most stable one for me.
Bwired
Administrator
Posts: 5301
Joined: March 2006
Location: Netherlands

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby rl40 » Fri Sep 23, 2011 1:00 pm

So far it does seem to be reliable. The trick was that it connects to the socket, sends the message, MUST receive the ack, and then it disconnects. Handling the constant connect and disconnect caused me a little problem. We shall see how reliable it is, as I have only had the PowerMax Pro/Powerlink2 for 2 weeks so I have not done a whole lot of reliability testing.
Thanks.
rl40
Starting Member
Posts: 6
Joined: September 2011
Location: Rochester, NY

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby Bwired » Fri Sep 23, 2011 2:00 pm

Depends on firmware also; you have a rather new one I guess. If you have not got any problems till now it will stay working.
Lots of users from this forum could not get the powerlink2 to work at all.
Bwired
Administrator
Posts: 5301
Joined: March 2006
Location: Netherlands

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby rl40 » Fri Sep 23, 2011 4:04 pm

That's true. I am coming to this whole Powermax/Powerlink thing late so my firmware is rather new.
Thanks.
rl40
Starting Member
Posts: 6
Joined: September 2011
Location: Rochester, NY

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby manno » Wed Sep 28, 2011 5:45 am

What did you do to get the return ACK working properly on port 5001?

Have you found out anything more about what the status codes are in the return from the GET request on port 8080? Mine was set at 4 and it seemed that the GET requests were happening almost every second. When changing it to 3, the GET requests slowed to about every 5 secs. Why so many requests?
manno
Starting Member
Posts: 16
Joined: September 2011

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby rl40 » Thu Sep 29, 2011 12:39 am

The server that I wrote that listens on port 5001 builds the ack from the SIA message that it received. It then sends the ack back and the Powerlink disconnects until it connects again to send another message.

I have not done much else with any of it as work has gotten in the way of play. My status with the GET was originally 4 also so I changed it to 0. I tried different values and somewhere along the way the VIS-CMD SIA message I received on port 5001 had the sw_upgrade value set to 255. I don't have a clue what that means. I have not timed the requests but I will when I get a chance.
Thanks.
rl40
Starting Member
Posts: 6
Joined: September 2011
Location: Rochester, NY

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby manno » Fri Sep 30, 2011 7:10 am

What does the ACK format look like? I see the SIA messages coming in like this:

¥î0081"VIS-CMD"0001R0L001234#xxxxxx[hw_version="123" sw_version="6.3.2" variant="1111" config_update="0" sw_upgrade="0" layout="large"]

but not quite sure how to format a reply back.

Thanks for your help!
manno
Starting Member
Posts: 16
Joined: September 2011

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby rl40 » Fri Sep 30, 2011 4:12 pm

The SIA message that comes in (described in section 5.5.1 of the SIA protocol spec linked to above) looks like

<LF><crc><0LLL>
<"id"><seq><Rrcvr><Lpref><#acct>[<pad>|...data...][x…data…]<timestamp>
<CR>

There is no padding after the account number and the <timestamp> is not in the messages coming from the Visonic Panel so it looks more like

<LF><crc><0LLL>
<"id"><seq><Rrcvr><Lpref><#acct>[...data...]
<CR>

The <"id"> for this command is "VIS-CMD" (including the quotes), The <crc> is CRC-16 and is from the first quote of the id to the ] char just before the <CR> at the end.

The <crc> is binary data and the rest is ASCII data (if I remember correctly).
The Ack from this looks like

<LF><CRC><0LLL>
<"ACK"><seq><Rrcvr><Lpref><#acct>[]
<CR>

from section 5.5.3 of the SIA Protocol spec. The <seq><Rrcvr><Lpref><#acct> sections of the message need to be the same as the original message. This is what I meant by having to build the ack from the message.

The ack for your message would look like

<LF><CRC><0LLL>
"ACK"0001R0L001234#xxxxxx[]
<CR>

where the CRC is the CRC-16 of the ack message and the 0LLL is the ascii representation of the length of the ack from the first quote to the "]" char.
Thanks.
rl40
Starting Member
Posts: 6
Joined: September 2011
Location: Rochester, NY
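The port 5001 exchange rl40 describes (first post: connect, send, wait for ACK, disconnect; the post above: the <LF><crc><0LLL>...<CR> layout and how the ACK is built from the incoming message), as an added example in Python. It is not the C++ server from the original post and not Visonic's code. Two things are assumptions the thread does not confirm: that the CRC is the SIA DC-09 CRC-16 (reflected polynomial 0xA001, initial value 0, no final XOR, i.e. CRC-16/ARC) transmitted high byte first, and that 0LLL is the body length in hex. The hex reading is supported by the captured frame: the body behind the "0081" in manno's and j666gak's messages is 129 bytes long. The sample VIS-CMD and VIS-BBA bodies in the usage below are taken from the thread with XXXXXX as the serial placeholder. One point of practice the example makes: the VIS-BBA body is a raw PowerMax frame that itself contains 0x0D 0x0A, so frames have to be read by their length field, not by scanning for the trailing <CR>.

```python
"""SIA-over-TCP receiver for PowerLink 2 C.S. reporting (port 5001).

Frame layout as described in this thread:
    <LF><crc: 2 raw bytes><0LLL><"id"><seq>R<rcvr>L<pref>#<acct>[data]<CR>
Assumptions not confirmed by the thread: CRC-16/ARC (poly 0xA001 reflected,
init 0, no final XOR) sent high byte first, and 0LLL as the hex body length.
"""
import io
import re
import socketserver


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC: reflected polynomial 0xA001, initial value 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(msg_id: str, seq: bytes, rcvr: bytes, pref: bytes,
                acct: bytes, data: bytes = b"") -> bytes:
    """Assemble one frame; the CRC covers the first quote through the ']'."""
    body = (b'"' + msg_id.encode("ascii") + b'"' + seq + b"R" + rcvr
            + b"L" + pref + b"#" + acct + b"[" + data + b"]")
    crc = crc16_arc(body).to_bytes(2, "big")   # byte order is an assumption
    return b"\n" + crc + b"%04X" % len(body) + body + b"\r"


_HEADER = re.compile(
    rb'^"(?P<id>[^"]+)"(?P<seq>\d{4})R(?P<rcvr>[0-9A-Fa-f]*)'
    rb"L(?P<pref>[0-9A-Fa-f]*)#(?P<acct>[^\[]*)\[")


def parse_frame(frame: bytes) -> dict:
    """Check framing, length and CRC, then split out the header fields."""
    if len(frame) < 8 or frame[0] != 0x0A or frame[-1] != 0x0D:
        raise ValueError("missing LF/CR framing")
    body = frame[7:-1]
    if len(body) != int(frame[3:7], 16):
        raise ValueError("length field does not match body")
    if crc16_arc(body) != int.from_bytes(frame[1:3], "big"):
        raise ValueError("CRC mismatch")
    m = _HEADER.match(body)
    if m is None or not body.endswith(b"]"):
        raise ValueError("malformed header")
    fields = m.groupdict()
    fields["id"] = fields["id"].decode("ascii")
    fields["data"] = body[m.end():-1]         # bytes between '[' and ']'
    return fields


def is_valid_frame(frame: bytes) -> bool:
    """True if parse_frame accepts the frame; a bad frame must not be ACKed."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def build_ack(fields: dict) -> bytes:
    """The ACK repeats <seq>, <rcvr>, <pref> and <acct> of the message answered."""
    return build_frame("ACK", fields["seq"], fields["rcvr"],
                       fields["pref"], fields["acct"])


def parse_vis_cmd(data: bytes) -> dict:
    """Split the key="value" pairs of a VIS-CMD body into a dict."""
    return {k.decode(): v.decode()
            for k, v in re.findall(rb'(\w+)="([^"]*)"', data)}


def read_frame(rfile) -> bytes:
    """Read one frame by its 0LLL length, never by scanning for <CR>:
    the VIS-BBA body is a raw PowerMax frame and contains 0x0D 0x0A itself."""
    head = rfile.read(7)                      # LF + 2 CRC bytes + 4 hex digits
    if len(head) < 7:
        return b""
    return head + rfile.read(int(head[3:7], 16) + 1)   # body plus <CR>


def split_stream(buf: bytes) -> list:
    """Split back-to-back frames, e.g. from a WireShark TCP stream dump."""
    frames, rfile = [], io.BytesIO(buf)
    while True:
        frame = read_frame(rfile)
        if not frame:
            return frames
        frames.append(frame)


class SIAHandler(socketserver.StreamRequestHandler):
    """One connection per message: read it, ACK it, let the PowerLink hang up."""

    def handle(self):
        frame = read_frame(self.rfile)
        if not frame or not is_valid_frame(frame):
            return                            # no ACK for a frame we can't trust
        fields = parse_frame(frame)
        self.wfile.write(build_ack(fields))
        if fields["id"] == "VIS-CMD":
            print("VIS-CMD", parse_vis_cmd(fields["data"]))
        elif fields["id"] == "VIS-BBA":
            print("VIS-BBA PowerMax frame:", fields["data"].hex(" "))


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 5001), SIAHandler) as s:
        s.serve_forever()
```

For the message manno posted, build_ack returns <LF><crc>001B"ACK"0001R0L001234#xxxxxx[]<CR>, which is the layout rl40 gives; if your PowerLink still does not move past the first VIS-CMD, compare the two CRC bytes of a captured frame against crc16_arc of its body, since the CRC variant and byte order are the parts of this example that the thread does not confirm.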

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby probie » Sun Jul 22, 2012 8:53 pm

Hi,

Any updates/progress on this?
I would love to see a working prototype of that c++ program.

Hope to hear from someone.

Best regard,
Mike
probie
Starting Member
Posts: 8
Joined: October 2011

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby j666gak » Tue May 07, 2013 12:17 am

Hello,

Thank you very much for this post, it has some great information

I am having problems though! I got the first ACK and then receive the following but nothing else

\x8B\xF20081"VIS-CMD"0001R0L001234#SERIAL[hw_version="123" sw_version="6.3.2" variant="6000" config_update="0" sw_upgrade="0" layout="large"]


I'm not sure what is meant to be in the 2nd ACK so that may be part of the problem?

I would really appreciate some help


Thanks
j666gak
Starting Member
Posts: 2
Joined: March 2013

Re: Using Visonic PowerMax C.S. Reporting to my own server.

Postby alanr » Sun Jan 18, 2015 10:07 pm

I know that this is a very old posting, but it would be great if the O/P would open-source the CS software rather than having to reinvent the wheel on it. Alternatively, does anyone have any open source SIA/IP software that could be used? I've already got the scripts in place to handle the update.php and notify.php requests that the PL2 sends out; just need to handle the SIA requests; even if it just ACKs every request, it would do for a start.
alanr
Starting Member
Posts: 1
Joined: January 2015

