EVL 4, DSC and lost installer code - hacking my own system

Information and support for EnvisaLink modules.

Moderators: EyezOnRich, GrandWizard

mikep
Posts: 138
Joined: Wed May 30, 2012 1:49 pm
Contact:

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by mikep »

WPA2 is hackable, but not causally and the hacker needs to be local... personally I'm not a high value target so I don't loose much sleep over it - seems like a criminal with that skill would have bigger fish to fry.

Folks that port forward 4025 that need to be very cautious - I received a few requests for my DscKeypad app to remove the warning I have (which I refused), so I know some are doing it. A glance at my network logs tells me how constantly overseas hackers are trying to break in to my (and I'm sure everyone else's) router - an open port is a juicy target and a password isn't that much protection.

Password and lockouts are good things but what folks miss (because they're so used to it being otherwise) is that the envisalink is NOT using SSL/TLS - communication over the API is NOT encrypted. So the PINs and passwords are wide open to anything sniffing the network. Ok at home on WPA2 or using a VPN, but checking on the system from a coffee shop is asking for trouble...
DscServer for android/linux/windows: https://sites.google.com/site/mppsuite/dscserver
Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Smith »

mikep wrote:WPA2 is hackable, but not causally and the hacker needs to be local... personally I'm not a high value target so I don't loose much sleep over it - seems like a criminal with that skill would have bigger fish to fry.

Folks that port forward 4025 that need to be very cautious - I received a few requests for my DscKeypad app to remove the warning I have (which I refused), so I know some are doing it. A glance at my network logs tells me how constantly overseas hackers are trying to break in to my (and I'm sure everyone else's) router - an open port is a juicy target and a password isn't that much protection.

Password and lockouts are good things but what folks miss (because they're so used to it being otherwise) is that the envisalink is NOT using SSL/TLS - communication over the API is NOT encrypted. So the PINs and passwords are wide open to anything sniffing the network. Ok at home on WPA2 or using a VPN, but checking on the system from a coffee shop is asking for trouble...
I would imagine you should not expose anything to the internet. Many routers have built in VPN options.

Most router admin/config pages are not SSL/TLS either. I guess if someone manages to get in ..... then they're in.

I'm wondering if the communication between the cloud service and the EVL is encrypted. But OTOH maybe it doesn't matter, because I don't think there normally are any passwords flying over the wires in this traffic?
mikep
Posts: 138
Joined: Wed May 30, 2012 1:49 pm
Contact:

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by mikep »

Agree, the best choice is nothing exposed, especially not the admin panel (even though is SSL capable I still use a VPN to get in). Right, outgoing is a big concern too. Most cloud devices are encrypted and I believe this includes envisalink, but I sure worry about the ownership and protection of the servers where those new, very inexpensive cameras and switches connect.
DscServer for android/linux/windows: https://sites.google.com/site/mppsuite/dscserver
GrandWizard
Posts: 2263
Joined: Tue Nov 16, 2010 4:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by GrandWizard »

Smith wrote: I'm wondering if the communication between the cloud service and the EVL is encrypted. But OTOH maybe it doesn't matter, because I don't think there normally are any passwords flying over the wires in this traffic?
Yes the entire service is encrypted end-to-end. As MikeP points out, the local TPI was never intended to be used outside of the LAN because the Envisalink lacks TLS capability on the TPI.

Envisacor's new cloud API, due out shortly, is fully SSL with OAUTH2 authorization so I assume the need for the TPI in most applications will diminish.

Going back to the OP's original topic, I'm really surprised that DSC doesn't have a keypad lockout on the installers code like they do on regular users codes. I wonder if that is the same on newer panels.
Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Smith »

GrandWizard wrote: Yes the entire service is encrypted end-to-end. As MikeP points out, the local TPI was never intended to be used outside of the LAN because the Envisalink lacks TLS capability on the TPI. Envisacor's new cloud API, due out shortly, is fully SSL with OAUTH2 authorization so I assume the need for the TPI in most applications will diminish.
Hopefully the TPI does not get deprecated though, because I can see how it very well fits a need when bridging an existing home alarm system to other things in home automation. (Also for people who set up some more hack-ish solutions like me)
GrandWizard wrote: Going back to the OP's original topic, I'm really surprised that DSC doesn't have a keypad lockout on the installers code like they do on regular users codes. I wonder if that is the same on newer panels.
It's a good question. It's an old PC5015 panel as i wrote before (probably 20+ years old, also the firmware v1.05 is a lot earlier than the latest firmware googlable for the model, which seems to be v2.2).

What I am able to tell you, is that when I could finally see how the panel was configured, I found out that "invalid codes before lockout" was set to 001 and "keypad lockout duration" was set to 000. Perhaps these settings also affects installer's code attempts, not sure.

One way to find out is probably by trying wrong installer's codes on a throwaway panel, just to see what happens.
tcor26@aol.com
Posts: 1
Joined: Wed Mar 13, 2019 5:37 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by tcor26@aol.com »

The attached 40-pin circuit board installer code discovery procedure worked for me on a DSC 1555MX panel with a PC5508Z Keypad to display the Installer Code.
Attachments
DSC Panel Reset Procedure-Installer Lockout On.pdf
(696.55 KiB) Downloaded 9854 times
syntxerr
Posts: 2
Joined: Mon Sep 02, 2019 8:15 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by syntxerr »

Anyone have luck with the code? Mine seems to be crawling so slowly!

Panel is a PC1832 w/ expander, extra PSU PC5200 and wireless module 3G2060R

Also, not sure if this matters but when I run this, the keypad doesn't beep either?
lyha
Posts: 2
Joined: Tue Sep 10, 2019 12:34 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by lyha »

First of all I want to say thanks for posting the perl code.

I've been running the script on a PC1832 and it has been going slow for me as well. About 30 seconds per attempt, and no beeping at the keypad. I've been through 4000-9999 with no success, except for at 6666 (dummy installer code). I'll keep trying and report if I manage to crack it.
lyha
Posts: 2
Joined: Tue Sep 10, 2019 12:34 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by lyha »

SUCCESS!

I was on my last 2000 numbers and was losing faith but to my surprise I came home to the 'success' message! Huge thanks to Smith for starting this thread and the script. I was able to turn off the dialer and stop the communication error messages.
ffxiv
Posts: 1
Joined: Tue Oct 15, 2019 5:18 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by ffxiv »

Similar situation, I don't have the installer code for my Vista20p and it's preventing me from switching monitoring services. My current keypad is a Tuxedo Touch so I can't push * and # at the same time during bootup to get into programming mode (touch screen only allows 1 button press at a time).

Can this perl script be modified to run on a Honeywell panel? Hopefully there isn't a lockout after X number of attempts as well.
Post Reply