Hacking the Visonic Powerlink 2

Yesterday a friend of mine, Pieter Knuvers, paid us a visit. We have a lot in common of which passion for Domotica is one, and we also think alike on a lot of other related subjects and on how to deal with them. We discussed several projects we’re (both) working on and what we can do do to make the best of it all nearly the whole afternoon.

He also brought his Visonic PowerMax Pro with him. Inside this Powermax there’s a Powerlink2 module, with which it’s possible to Ethernet-enable the Visonic Powermax Pro. Now wouldn’t it be great if we could find a way to control this Powermax from our Domotica systems? Of course! I see a lot of benefits to this, total integration of an alarm system into a Home Automation solution. In a secure way of course. Pieters idea to let his Domotica system decide when his alarm system can be disarmed is a very logical step, especially when you’ve already let your Domotica system know who you are by means of another secure subsystem…

And since we both created our own Domotica systems from scratch ourselves, it would just be a matter of finding out how, and integration would just be a matter of adding some extra code to our systems and we would be good to go! On the other hand, I also thought about the implications of being able to control an alarm system by its web interface; it would actually be a good thing if this wasn’t too easy…  Nevertheless, let’s see if we can get this alarm system to obey our commands 😉

OK, here we go. We plugged in a UTP cable, started a browser and entered the IP address of the Visonic Powerlink2: x.x.x.200. The Powerlink module automatically assigns itself the .200 address of your local subnet. We started with our good friend Wireshark again to do some research, but later that evening I switched to Fiddler, cause while going through the Wireshark output, I had the feeling that Fiddler would be a better choice this time. I logged in on the Powerlink2 web interface and pushed the DISARM button. This resulted in the following HTTP request:

GET .../mobile/dam/arm/mode/disarm_state?JsHttpRequest=129823770199311-xml HTTP/1.1
Host: xxx.xxx.xxx.200
Connection: keep-alive
Referer:
Content-Type: application/octet-stream
Accept: */*
User-Agent: blabla
Accept-Encoding: gzip,deflate,sdch
Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PowerLink=85a0bab15d60db242cc73c717aa46f7c; mobile=636f92fd8f357d0b10a2f70a845e2305

Hmm, that shouldn’t be too hard… first thing I looked at was that big number in the GET. It wasn’t random, cause with every GET it only seemed to get higher. Some time related number perhaps? OK, let’s look inside a /web/js/powerlink.js file I downloaded from the Visonic Powerlink2. Well what do we have here (sometimes 1 line of code is enough to ‘know’ what’s going on, I wouldn’t try to try to understand the complete script):

JsHttpRequest.extend(<blabla>, id:(new Date().getTime())+""+JsHttpRequest.COUNT++,hash:_a,span:null});

Ahhh.. getTime() returns the number of milliseconds since midnight of January 1, 1970, aka Unix epoch. That’s not hard to reproduce. The rest of this HTTP request should not be too hard to create either. Now let’s focus on the login process. I thought this would be much more complex. Let’s have a look at what Fiddler is showing me when I enter username & password and hit the LOGIN button:

POST .../mobile/login/index/?JsHttpRequest=12982287732070-xml HTTP/1.1
Accept: */*
Accept-Language: nl
Referer:
Content-Type: application/octet-stream
Accept-Encoding: gzip, deflate
User-Agent: blabla
Host: xxx.xxx.xxx.200
Content-Length: 42
Connection: Keep-Alive
Pragma: no-cache
Cookie: PowerLink=077d58c208ef9aaef1fe8d464015d929; mobile=e6efb2eae139ca6fe327b603d6c23e76
login=admin&password=admin&time=1298228773

Actually, I didn’t like what I saw.. do I really see my username and password being sent, unencrypted? Oh no… come on, Visonic..  But that’s an issue for another blog post; let’s stay focused 🙂 The response was:

HTTP/1.1 200 OK
Date: Sat, 01 Jan 2000 16:47:48 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=1200, pre-check=1200
Last-Modified: Thu, 10 Jun 2010 02:27:30 GMT
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from xxx.xxx.xxx.200
Connection: close
Transfer-Encoding: chunked

40
{ "id": "12982287732070", "js": { "result": "ok" }, "text": "" }
0
OK, this tells me that the result is ok, and I get that big number returned in the response… high level of rocket-science involved here…
I had seen enough, it was time to mimic this conversation from a small app, starting with performing a successful login. Done … Now the first difference I saw was that the response from the Visonic contained the following header:
Set-Cookie: mobile=353bbda17768c82ba9aa5331efc7157a; path=/
Yeah, right.  My app is not a browser so there’s no cookie, so my app is asked to set one. OK, I will simulate that. I extracted the bold part from this header and used it in the next HTTP call, in which I wanted to disarm the alarm:
GET .../mobile/dam/arm/mode/disarm_state?JsHttpRequest=12982439146581-xml HTTP/1.1
Cookie: mobile=353bbda17768c82ba9aa5331efc7157a Host: xxx.xxx.xxx.200

Yeeha! Some female voice said to me: “Disarm. Ready to arm”. Was I dreaming? Again. “Disarm. Ready to arm”. Hmm, that’s not bad… I’m getting all excited just by listening to a female “computer voice” !?

OK; now let’s arm this thing:

GET .../mobile/dam/arm/mode/away_state?JsHttpRequest=12982439148311-xml HTTP/1.1

“Arming away. Please exit now.'” I did it !?! Actually, I can’t believe I did…it’s too easy !!! But it works, time after time after time… I know Ethernet enabled thermostats and DSL modems that do a better job here…

Proliphix Plugin finished

Today I finished the Homeseer Proliphix Plugin I wrote about before. In short, the updated Plugin has been enhanced with the following features:

  • Celsius support;
  • Support for the IMT series thermostats;
  • Support for the IMT series Humidity sensor.

Although I received the code only for adding Celsius support, I’m sure the Homeseer guys won’t mind I added those other 2 items as well 🙂

I was fortunate to have a IMT350 here, sent to me by a Domoticaforum member who found out that the IMT350 wasn’t supported by the current version of the Plugin and asked me to have a look at it. So I did, and in the process I added support for the IMT350 to the Plugin.

Together with another Homeseer user who volunteered as beta tester for the Plugin, we accomplished the 3rd item in the list, support for the Humidity sensor. While I was writing the code for the IMT350, I realized that the first thing that would be missing, was support for the humidity sensor and I just couldn’t leave it like that; it felt like delivering an unfinished product, so I decided to throw in some extra lines of code to make the Humidity sensor readings accessible as well. After some ‘research’ (I’m not a Homeseer user, you know) I found out how to do this, and also found a way to get Humidity readings into HSTouch (with the help of that same beta volunteer who tested my findings). Below a HSTouch screenshot, including the humidity:

Another project finished, still dozens to go!