Using Visonic PowerMax C.S. Reporting to my own server.
Posted: Fri Sep 23, 2011 2:03 am
Hello,
I am new in this forum so I hope people here find this information useful. I know it is long and I am sorry about that.
I recently purchased a PowerMax Pro with a PowerLink 2 and in doing web searching I found some of the hacking efforts that are going on. It is all great work but what I did not find was anybody looking into the C.S. Reporting stuff in the PowerMax Pro. I decided to try to get the C.S. reporting working to my own server (that I would write). Looking at the specs for Visonic's IPMP server (http://www.visonic.com/Products/Wireles ... t-platform) I noticed that it spoke SIA protocol and supported 128-bit AES encryption and needed port 443 open (more on this later). I could be shot down before I even started if it did use encryption. I decided to try anyway. Online I found the spec for the SIA protocol (http://www.mobile-download.net/tools/As ... 070319.pdf) and it seemed fairly easy to understand so I proceeded. It does say that an SIA server should listen on UDP and TCP but that UDP was preferred. The first thing I did was to set up Apache on my laptop. I fired up Wireshark and then on the PowerMax Pro I set the C.S. Reporting IP address to my laptop.
In Wireshark I found that the Powerlink 2 sends an HTTP GET to port 8080 of the server.
"GET /scripts/update.php?serial=XXXXXX&id=ID&account=001234&ver_sw=6.3.2&ver_hw=123&ver_var=6000&upgrade_status=0&configuration_status=0"
where XXXXXX is the serial number of my and the account is the default. I went into the LAN diagnostics of the PowerMax and it failed. I figured that if the GET is not acked back properly C.S. reporting does not work, so on my local web server I added an <htdocs>/scripts/update.php file but I didn't know what it should return, so in a web browser I sent the above GET to MyHome.visonic.com.
"http://MyHome.Visonic.com:8080/scripts/ ... n_status=0"
(with my serial number) and it returned
"status =4&ka_time =5&allow =0&id =XXXXXX&"
(again XXXXXX is the serial number I sent in the GET). I don't know what it would respond if I was actually registered with MyHome.visonic.com but I will worry about that later. I can mimic that so in the update.php I just echoed "status =4&ka_time =5&allow =0&id =XXXXX&".
With that I could go into the panel and run the LAN diagnostics and it passed.
Next I started to play with the values in the echo. One thing I found is: don't set the status to 1 and leave it there. If you do you will not be able to log into the web interface of the Powerlink 2. Also somewhere along the way I changed the status to different values. More on that later...
Now after acking the GET I brought up Wireshark again and noticed that the Powerlink was trying to connect to my server on port 5001 through TCP. The Visonic server uses TCP and not UDP. That makes it easier, so I wrote a small server that would listen on port 5001/TCP and dump whatever it received to a binary file. I also made a class that would parse the message received (if it had the SIA preamble, which they did). I needed to parse the message because SIA dictates that every message received needs to send an ACK back and the ACK needs info from the original message.
Once I got the ack working correctly I noticed that I would receive 2 different types of SIA messages. There may be more types but so far I have only received 2. Of course these are Visonic proprietary and the message bodies do not follow the spec exactly but... drum roll please, they are NOT encrypted! The first type of message I received had an ID of (SIA IDs are ASCII) "VIS-CMD" and its message body was all ASCII. You can tell it is not encrypted (other than it is readable) because the SIA protocol says that an encrypted message will have an ID that starts with an * so if this message was encrypted its ID would be "*VIS-CMD". Anyway, here is the body of the message.
[hw_version="123" sw_version="6.3.2" variant="6000" config_update="0" sw_upgrade="0" layout="large"]
As I was playing with the status that I mentioned above the "sw_upgrade" changed to "3" and then to "255". I don't know why?
The second type of message I received is the interesting one; its ID is "VIS-BBA", again not encrypted. Its message body was not ASCII but 16 bytes of data. I would also get one of these every time someone would open a door or something would happen on the Powermax panel. Hmm, what could that be? This is what it looked like.
[0D A5 00 04 00 01 00 00 00 00 05 00 00 43 0D 0A]
Where have I seen this before? Maybe right here
http://www.domoticaforum.eu/viewtopic.php?f=22&t=6517
and
http://www.domoticaforum.eu/viewtopic.php?f=68&t=6581
and
http://forum.micasaverde.com/index.php?topic=6884.0
Yes it is true that the C.S. reporting is using the protocol described in this forum on the pages above. What about the AES encryption that the Visonic server says it supports? That is where the open port 443 comes in: it (Visonic's IPMP server) must be using HTTPS to send stuff back and get more information from/to the Powerlink, since that is the only port on the local network required to be open to the outside world.
My test C.S. server is far from ready to be made available but I will when I get it further along. It is currently in a proof of concept stage. I just wanted to see if the C.S. reporting used encryption and if not could I decipher it. I am writing it in C++ on OS X so it should be usable elsewhere. Now a little about how it all works. The server is a multithreaded server that listens on port 5001. Every time a client (the PowerLink) connects it sends that socket to a new thread to handle the connection. The Powerlink connects, sends the packet, waits for an ack, and disconnects.
Something else I have been playing with is the iPhone and Android app MyVisonic. How do I get them to work without registering at Visonic? Once again it is time for Wireshark (or Fiddler). Start it up and then start the iPhone app (on a wifi iPad since I don't have an iPhone). Enter my Powerlink username/password; in the Powerlink ID spot I did not know what to put so I entered "ZZZZZ" and in the server spot I entered my web server address. When I hit connect it failed but Wireshark showed me it was trying to get to https://<my server address>/ZZZZZ. I then went to my server and added a folder named ZZZZZ and in there created an index.php that redirected the URL to the https address on the Powerlink. This time when I hit connect it actually connected. This same trick did not work on the Android version of the MyVisonic app but it does work on the iPhone app on a wifi iPad.
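An added example (not the poster's C++ server) that puts the formats described in the post into runnable Python: the update.php GET and its reply, the '*' encryption marker on SIA IDs, the ASCII VIS-CMD body, and the 16-byte VIS-BBA frame. The function names and the serial value are assumptions; the inner VIS-BBA bytes are deliberately not decoded because that is the PowerMax protocol from the linked threads, not this post.

```python
import re
from urllib.parse import urlsplit, parse_qs

UPDATE_PATH = "/scripts/update.php"  # path the PowerLink 2 requests on port 8080


def parse_update_request(request_line):
    """Parse the GET line the PowerLink sends and return its query fields."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        raise ValueError("expected an HTTP GET request line")
    url = urlsplit(parts[1])
    if url.path != UPDATE_PATH:
        raise ValueError("unexpected path %r" % url.path)
    # keep_blank_values so a field such as upgrade_status=0 is never dropped
    return {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}


def build_update_reply(fields, status=4, ka_time=5, allow=0):
    """Reproduce the reply MyHome.visonic.com returned, echoing the serial as id.
    The spaces before '=' are copied from the captured reply on purpose.
    The post warns that leaving status at 1 locks you out of the PowerLink web UI."""
    return "status =%d&ka_time =%d&allow =%d&id =%s&" % (
        status, ka_time, allow, fields["serial"])


def sia_id_is_encrypted(sia_id):
    """Per the SIA spec quoted in the post, an encrypted block's ID starts with '*'."""
    return sia_id.startswith("*")


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_vis_cmd_body(body):
    """Parse the ASCII VIS-CMD body, [key="value" key="value" ...], into a dict."""
    body = body.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("VIS-CMD body must be enclosed in []")
    return dict(_KV.findall(body[1:-1]))


def vis_bba_payload(body):
    """Check the 16-byte VIS-BBA frame (0x0D ... 0x0D 0x0A) and return the inner bytes.
    Interpreting those bytes is the PowerMax panel protocol, which this does not decode."""
    if len(body) != 16 or body[0] != 0x0D or body[-2:] != b"\r\n":
        raise ValueError("not a 16-byte VIS-BBA frame")
    return body[1:-2]
```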