Page 1 of 7

EVL 4, DSC and lost installer code - hacking my own system

Posted: Thu Jan 03, 2019 7:34 pm
by Smith
Installer code for my system lost, probably many years ago (installed early 90s). Company which installed it is long bankrupt.

I assume none of the owners of the building thru all these years knew it, they just used the arming codes.

I feel I don't have hairy knuckles enough to reset and reprogram the entire system unless I really have to. So, my plan for the moment is to try to "hack" my own system to obtain the installer code. Is there any obvious gotchas before I try it? I can obviously power cycle the system in case something locks up. If I fuck it up I'm in no worse position than I would be if I had to redo everything from scratch.

But before I waste the time and listen to 10000 "beeps" for 4-5h from the physical pad it might be good with some feedback..

I am perhaps foolishly making the assumption that the EVL4 does not respond to a "001 please send status report" command if the system is in programming mode. (Maybe there is some other, or better, way to check this?)

So the idea would be to go thru all the 10000 codes (that is .. send "*80000" to "*89999" keystrokes), ask for a status report, and then send "#" to go out of programming mode in case it was entered for that code.

The point where the system is unavailable should theoretically be when I had input the installer code keystrokes.

Hit or shit ?

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Fri Jan 04, 2019 10:47 am
by K-Man
No, that won't work, or at least that would be the hard way. You need to do something like...

1) Send *8 via 071
2) Wait for 922 status prompt
3) Issue installers code
4) If it wasn't correct you will get a 670, sleep 1
If is was correct you will get a 680
5) Goto 2

BUT, if your panel is from the early 90s it wouldn't be a power series panel and none of this would work. The Envisalink only works with V2 power panels which first came out in the mid 90's .

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Fri Jan 04, 2019 11:51 am
by Smith
K-Man wrote:No, that won't work, or at least that would be the hard way. You need to do something like...

1) Send *8 via 071
2) Wait for 922 status prompt
3) Issue installers code
4) If it wasn't correct you will get a 670, sleep 1
If is was correct you will get a 680
5) Goto 2

BUT, if your panel is from the early 90s it wouldn't be a power series panel and none of this would work. The Envisalink only works with V2 power panels which first came out in the mid 90's .
Ah, this is most excellent advice! Thank you!

I think it is a "power series" because I already have a Envisalink and they're communicating :)

I just also found out that its "installer lockout" is enabled.

(What I'm also wondering in my situation here is if there might be some wrong attempt count with regards to the installer code .. )

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Fri Jan 04, 2019 12:35 pm
by mikep
There is a way to recover the installer code using a serial port and the DSC software, asking on one of the DSC installer security forums might uncover it if you can find an old guy there to respond.

IIRC the installer lockout prevents using the hardware system reset (you won't hear the relay clicks).

Hard to say if trying all of the codes will work, you may run into keypad lockouts which means it'll take longer than you hoped - you'll want to watch for any unexpected response to see if that happens.

At some point it might be easier just to buy a new DSC panel to swap for the old one - then you'll have everything you need except for the hairy knuckles to program it :).

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Fri Jan 04, 2019 1:20 pm
by GrandWizard
mikep wrote:There is a way to recover the installer code using a serial port and the DSC software, asking on one of the DSC installer security forums might uncover it if you can find an old guy there to respond.
You are talking about PC-LINK DLS and that has its own secret code as well. You could attempt a downloading session but if the installer went to the bother of completely locking out the panel I doubt he would have left the DLS code as default.

Oh yeah, on older DSC panels you can only start a PC-LINK DLS session from installers mode so you're snookered.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Sat Jan 05, 2019 6:59 am
by Smith
GrandWizard wrote:
mikep wrote:There is a way to recover the installer code using a serial port and the DSC software, asking on one of the DSC installer security forums might uncover it if you can find an old guy there to respond.
You are talking about PC-LINK DLS and that has its own secret code as well. You could attempt a downloading session but if the installer went to the bother of completely locking out the panel I doubt he would have left the DLS code as default.

Oh yeah, on older DSC panels you can only start a PC-LINK DLS session from installers mode so you're snookered.
This is all super good advice, thank you!

The manual mentions "keypad lockout" in regards to incorrect access code entries, but not installer code entries. I guess I am about to find out about that!

I know this is not the DSC Power forum, but I wonder two things anyway in the "thinking aloud" category..

1) if I can just read / write the contents of the eeprom

2) if something like this would easily slot in to replace the panel in case i screw it up completely :D (after not shaving my knuckles for a few days I might be able to set it up )

https://www.ebay.com/itm/DSC-HS2128PCBN ... 2992842914

Anyway I will post any success, progress, insights of failures here. This seems to be a quite common issue. I hate this idea that someone else has locked a piece of equipment that I actually own. It offends the senses of what "owning" something means. In this case it means I can't modify the setup of my own system as i see fit.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Sat Jan 05, 2019 7:40 am
by Smith
K-Man wrote:No, that won't work, or at least that would be the hard way. You need to do something like...

1) Send *8 via 071
2) Wait for 922 status prompt
3) Issue installers code
4) If it wasn't correct you will get a 670, sleep 1
If is was correct you will get a 680
5) Goto 2
This seems to work when i test it, but the only difference is that I get a "650 system ready", instead of a "670 invalid access code". I wonder if this is significant. It's the same thing at the keypad, there is no real feedback with regards to "wrong installer's code", it just reverts back to the outmost menu when you type *8 and a random code.

I also get some "510" messages indicating the LED state changes, I assume this is that the Ready LED state goes off, and then on again.

Now.. last question, if I do manage to enter Installers mode after hours of beeping, sending "##" to the partition should back out of this mode, right? And "##" at the outmost menu does nothing.

Code: Select all

1) Send *8 via 071 
2) Wait for 922 status prompt
3) Issue installers code
4) If it wasn't correct you will get a 650
    If is was correct you will get a 680 -- record somehow what the correct installer's code was
5) sleep 1
6) Send "##" via 071, to back out of installers menu if entered, or basically "no op" if the response was 650 above
7) Advance to a new installers code to try. 
8) Goto 1

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Sat Jan 05, 2019 10:50 am
by K-Man
Smith wrote: This seems to work when i test it, but the only difference is that I get a "650 system ready", instead of a "670 invalid access code".

Now.. last question, if I do manage to enter Installers mode after hours of beeping, sending "##" to the partition should back out of this mode, right? And "##" at the outmost menu does nothing.
It must have something to do with the age of the panel, My 5020 goes right back to asking for the installers code.
Anyhow, yes, once in installers mode you just hit a bunch of "#" to get out.

Also, there shouldn't be any beeping on your other keypads. They should be silent.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Sat Jan 05, 2019 10:58 am
by K-Man
Smith wrote: 1) if I can just read / write the contents of the eeprom

2) if something like this would easily slot in to replace the panel in case i screw it up completely :D (after not shaving my knuckles for a few days I might be able to set it up )

https://www.ebay.com/itm/DSC-HS2128PCBN ... 2992842914
1) Yes, if you're an electrical engineer you should be able to unsolder the EEPROM and create a jig to read back the contents via I2C. But then what? You'd be looking for an unknown set of 2-4 bytes in a 64K haystack.

2) All DSC panels fit in the same footprint within the "can". But you can't buy that one, it is a NEO and not supported. You need a Power panel like the PC1832.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Sat Jan 05, 2019 12:59 pm
by mikep
It was a long time ago so I don't recall the exact sequence, but the old guy taught me something about rebooting the system while DLS was running on the PC and connected to the DSC connected over the serial port. The programming contents downloaded at boot and the installer code was revealed there. I was able to get into it and do everything, and at least as far as I could tell it was an installer provided system and locked down when I started. IIRC the "easy" reset didn't work (no relay clicks) - but as I said, a very long time ago...

I don't think I'd bother next time, programming isn't that hard and some is necessary anyway so the panel doesn't call the old security company numbers every time anything happens. Even easier if you can get DLS to work. DSC 1616's are only $20-$50 and 1832's < $100 on ebay and all of the existing wires and hardware should be a direct swap.