Hacking the Visonic Powerlink 2

Yesterday a friend of mine, Pieter Knuvers, paid us a visit. We have a lot in common, of which a passion for Domotica is one, and we also think alike on a lot of related subjects and on how to deal with them. We spent nearly the whole afternoon discussing several projects we’re (both) working on and what we can do to make the best of them.

He also brought his Visonic PowerMax Pro with him. Inside this PowerMax there’s a Powerlink2 module, which Ethernet-enables the Visonic PowerMax Pro. Now wouldn’t it be great if we could find a way to control this PowerMax from our Domotica systems? Of course! I see a lot of benefits in this: total integration of an alarm system into a Home Automation solution, in a secure way of course. Pieter’s idea to let his Domotica system decide when his alarm system can be disarmed is a very logical step, especially when you’ve already let your Domotica system know who you are by means of another secure subsystem…

And since we both created our own Domotica systems from scratch, it would just be a matter of finding out how; integration would then be a matter of adding some extra code to our systems and we would be good to go! On the other hand, I also thought about the implications of being able to control an alarm system through its web interface; it would actually be a good thing if this wasn’t too easy… Nevertheless, let’s see if we can get this alarm system to obey our commands 😉

OK, here we go. We plugged in a UTP cable, started a browser and entered the IP address of the Visonic Powerlink2: x.x.x.200. The Powerlink module automatically assigns itself the .200 address of your local subnet. We started with our good friend Wireshark again to do some research, but later that evening I switched to Fiddler, because while going through the Wireshark output I had the feeling that Fiddler would be a better choice this time. I logged in on the Powerlink2 web interface and pushed the DISARM button. This resulted in the following HTTP request:

GET .../mobile/dam/arm/mode/disarm_state?JsHttpRequest=129823770199311-xml HTTP/1.1
Host: xxx.xxx.xxx.200
Connection: keep-alive
Content-Type: application/octet-stream
Accept: */*
User-Agent: blabla
Accept-Encoding: gzip,deflate,sdch
Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PowerLink=85a0bab15d60db242cc73c717aa46f7c; mobile=636f92fd8f357d0b10a2f70a845e2305

Hmm, that shouldn’t be too hard… the first thing I looked at was that big number in the GET. It wasn’t random, because with every GET it only seemed to get higher. Some time related number perhaps? OK, let’s look inside the /web/js/powerlink.js file I downloaded from the Visonic Powerlink2. Well, what do we have here (sometimes 1 line of code is enough to ‘know’ what’s going on; I wouldn’t try to understand the complete script):

JsHttpRequest.extend(<blabla>, id:(new Date().getTime())+""+JsHttpRequest.COUNT++,hash:_a,span:null});

Ahhh.. getTime() returns the number of milliseconds since midnight of January 1, 1970 UTC, aka the Unix epoch, and JsHttpRequest.COUNT, which gets appended to it, is just a counter that goes up with every request. That’s not hard to reproduce. The rest of this HTTP request should not be too hard to create either. Now let’s focus on the login process. I thought this would be much more complex. Let’s have a look at what Fiddler is showing me when I enter username & password and hit the LOGIN button:

POST .../mobile/login/index/?JsHttpRequest=12982287732070-xml HTTP/1.1
Accept: */*
Accept-Language: nl
Content-Type: application/octet-stream
Accept-Encoding: gzip, deflate
User-Agent: blabla
Host: xxx.xxx.xxx.200
Content-Length: 42
Connection: Keep-Alive
Pragma: no-cache
Cookie: PowerLink=077d58c208ef9aaef1fe8d464015d929; mobile=e6efb2eae139ca6fe327b603d6c23e76

Actually, I didn’t like what I saw: do I really see my username and password being sent, unencrypted? Oh no… come on, Visonic.. But that’s an issue for another blog post; let’s stay focused 🙂 The response was:

HTTP/1.1 200 OK
Date: Sat, 01 Jan 2000 16:47:48 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=1200, pre-check=1200
Last-Modified: Thu, 10 Jun 2010 02:27:30 GMT
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from xxx.xxx.xxx.200
Connection: close
Transfer-Encoding: chunked

{ "id": "12982287732070", "js": { "result": "ok" }, "text": "" }
OK, this tells me that the result is ok, and I get that big number returned in the response… a high level of rocket science involved here…

I had seen enough; it was time to mimic this conversation from a small app, starting with performing a successful login. Done… Now the first difference I saw was that the response from the Visonic contained the following header:

Set-Cookie: mobile=353bbda17768c82ba9aa5331efc7157a; path=/

Yeah, right. My app is not a browser so there’s no cookie, so my app is asked to set one. OK, I will simulate that. I extracted the cookie value (mobile=353bbda17768c82ba9aa5331efc7157a) from this header and used it in the next HTTP call, in which I wanted to disarm the alarm:

GET .../mobile/dam/arm/mode/disarm_state?JsHttpRequest=12982439146581-xml HTTP/1.1
Cookie: mobile=353bbda17768c82ba9aa5331efc7157a
Host: xxx.xxx.xxx.200

Yeeha! Some female voice said to me: “Disarm. Ready to arm”. Was I dreaming? Again. “Disarm. Ready to arm”. Hmm, that’s not bad… I’m getting all excited just by listening to a female “computer voice” !?

OK; now let’s arm this thing:

GET .../mobile/dam/arm/mode/away_state?JsHttpRequest=12982439148311-xml HTTP/1.1

“Arming away. Please exit now.” I did it!?! Actually, I can’t believe I did… it’s too easy!!! But it works, time after time after time… I know Ethernet-enabled thermostats and DSL modems that do a better job here…
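The whole conversation above, replayed as an added example (this is not the author’s app and not Visonic code): a small client does the POST login, keeps the mobile cookie from the Set-Cookie header, and then drives disarm_state and away_state with JsHttpRequest ids built the way powerlink.js builds them. So that it runs offline, a mock of the panel listens on 127.0.0.1 instead of x.x.x.200 and behaves exactly as observed in the post: any login is answered with result ok plus a fresh 32-hex-character mobile cookie, and the arm endpoints check nothing beyond that cookie. The login form field names, the mock’s 403 answer to a cookie-less call, and the Content-Type on the GET are assumptions; the post only shows a Content-Length of 42 for the login body.

```python
"""Added example (not the author's app, not Visonic code): replay the
Powerlink2 login / disarm / arm exchange against a local mock of the panel.
Paths and the JsHttpRequest id scheme are from the post; the rest is assumed."""
import http.cookiejar, itertools, json, secrets, threading, time
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlsplit
from urllib.request import HTTPCookieProcessor, ProxyHandler, Request, build_opener

LOGIN_PATH = "/mobile/login/index/"          # captured POST
ARM_PATH = "/mobile/dam/arm/mode/{state}"    # disarm_state / away_state
_count = itertools.count()                   # stands in for JsHttpRequest.COUNT


def js_http_request_id(now_ms=None):
    """powerlink.js recipe: epoch milliseconds + running counter, e.g. '12982287732070'."""
    return f"{int(time.time() * 1000) if now_ms is None else now_ms}{next(_count)}"


def strip_xml_suffix(value):
    """'12982287732070-xml' -> '12982287732070', the id the panel echoes in its JSON."""
    return value[:-4] if value.endswith("-xml") else value


class PanelMock(BaseHTTPRequestHandler):
    """What the post observed: any login -> result ok + fresh 'mobile' cookie;
    arm/disarm endpoints check nothing beyond that cookie.  The 403 for a
    cookie-less call is an assumption (the post never tried one)."""
    sessions, state = set(), "unknown"

    def _reply(self, status, result, cookie=None):
        rid = strip_xml_suffix(parse_qs(urlsplit(self.path).query).get("JsHttpRequest", [""])[0])
        body = json.dumps({"id": rid, "js": {"result": result}, "text": ""}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        if cookie:
            self.send_header("Set-Cookie", f"mobile={cookie}; path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):                       # login: credentials arrive in clear text
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        token = secrets.token_hex(16)        # 32 hex chars, like the capture
        PanelMock.sessions.add(token)
        self._reply(200, "ok", cookie=token)

    def do_GET(self):                        # /mobile/dam/arm/mode/<state>
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        token = cookies["mobile"].value if "mobile" in cookies else None
        path = urlsplit(self.path).path
        if token not in PanelMock.sessions or not path.startswith("/mobile/dam/arm/mode/"):
            return self._reply(403, "fail")
        PanelMock.state = path.rsplit("/", 1)[1]
        self._reply(200, "ok")

    def log_message(self, *args):            # keep the demo quiet
        pass


class PowerlinkClient:
    """The browser's conversation, minus the browser: POST login, keep the
    Set-Cookie, then GET the arm-mode endpoint with that cookie."""

    def __init__(self, host):
        self.base, self.jar = f"http://{host}", http.cookiejar.CookieJar()
        self.opener = build_opener(ProxyHandler({}), HTTPCookieProcessor(self.jar))

    def _call(self, path, body=None):
        rid = js_http_request_id()
        req = Request(f"{self.base}{path}?JsHttpRequest={rid}-xml", data=body,
                      headers={"Content-Type": "application/octet-stream"})
        try:
            with self.opener.open(req, timeout=5) as resp:
                raw = resp.read()
        except HTTPError as err:             # non-2xx replies still carry the JSON body
            raw = err.read()
        payload = json.loads(raw)
        if payload.get("id") != rid:         # JsHttpRequest matches replies to requests by id
            raise RuntimeError("response id mismatch")
        return payload["js"]["result"]

    def login(self, user, password):         # field names assumed; post shows only Content-Length: 42
        return self._call(LOGIN_PATH, f"user={user}&pass={password}".encode())

    def set_mode(self, state):
        return self._call(ARM_PATH.format(state=state))

    def mobile_cookie(self):
        return next((c.value for c in self.jar if c.name == "mobile"), None)


def run_demo():
    """Cookie-less call is refused; after login, disarm and arm-away succeed."""
    srv = HTTPServer(("127.0.0.1", 0), PanelMock)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        c = PowerlinkClient(f"127.0.0.1:{srv.server_port}")
        return {"no_cookie": c.set_mode("disarm_state"),
                "login": c.login("user", "pass"),
                "disarm": c.set_mode("disarm_state"),
                "away": c.set_mode("away_state"),
                "cookie": c.mobile_cookie(),
                "panel_state": PanelMock.state}
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(run_demo())
```

Run it and the dict shows the same story as the post: the first disarm call, sent without a cookie, comes back "fail"; after one plaintext login the same call and the away_state call both come back "ok" and the mock’s state ends up at away_state. The only thing standing between any host on the LAN and the panel’s arm state is that one cookie, obtained with credentials sent in the clear, which is exactly why an integration like Pieter’s should gate the disarm decision in the Domotica system rather than trust the Powerlink2 to do it.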


10 Responses to Hacking the Visonic Powerlink 2

  1. Koen says:

    I am using Powerlink2 with Powermax Pro and I can connect to the Powerlink via ethernet but cannot login using the passwords flying around on the internet.

    When asking some local shops they indicate there is a problem I am also suffering from: the Powerlink2 is not able to communicate with the Powermax Pro (when installing it from the Powermax Pro menu it gives an error back).

    Does this sound familiar? Any clue why in my case it is not working?

  2. Robbie Raas says:

    Did you ever find a way to reflash a PowerMax Pro? I mean, buy a UK version and reflash it to NL?


  3. Robbie Raas says:

    I wonder if that’s possible; I tried to exchange the voice chip but the UK version with the NL voice ain’t working properly.
    So I was wondering, if Visonic has different speech and menus for different countries, do they flash them separately or do they have a trick to make it UK or SP or NL… I wonder

  4. Robbie,
    I really don’t know… maybe try a Visonic related forum like http://www.diysecurityforum.com/index.php?board=4.0 ?

  5. Koen says:

    Maybe the fact that changing the voice chip does not work indicates that the UK and NL versions are different in more areas which could be the reason that the Powerlink2 is working in ‘some’ Powermax Pro systems and in others it does not work…

  6. Pingback: More Powerlink2 stuff

  7. max says:

    Could you share your app to control powerlink?


    • Sorry, no. First because the information in this post didn’t lead to an app, this was just a small “exercise”. The app I do use is based on code made by a friend of mine so I don’t share that – his code is based on the protocol documentation linked to in this post and later this post.
