Hacking the Visonic Powerlink 2

Yesterday a friend of mine, Pieter Knuvers, paid us a visit. We have a lot in common of which passion for Domotica is one, and we also think alike on a lot of other related subjects and on how to deal with them. We discussed several projects we’re (both) working on and what we can do do to make the best of it all nearly the whole afternoon.

He also brought his Visonic PowerMax Pro with him. Inside this Powermax there’s a Powerlink2 module, with which it’s possible to Ethernet-enable the Visonic Powermax Pro. Now wouldn’t it be great if we could find a way to control this Powermax from our Domotica systems? Of course! I see a lot of benefits to this, total integration of an alarm system into a Home Automation solution. In a secure way of course. Pieters idea to let his Domotica system decide when his alarm system can be disarmed is a very logical step, especially when you’ve already let your Domotica system know who you are by means of another secure subsystem…

And since we both created our own Domotica systems from scratch ourselves, it would just be a matter of finding out how, and integration would just be a matter of adding some extra code to our systems and we would be good to go! On the other hand, I also thought about the implications of being able to control an alarm system by its web interface; it would actually be a good thing if this wasn’t too easy…  Nevertheless, let’s see if we can get this alarm system to obey our commands

OK, here we go. We plugged in a UTP cable, started a browser and entered the IP address of the Visonic Powerlink2: x.x.x.200. The Powerlink module automatically assigns itself the .200 address of your local subnet. We started with our good friend Wireshark again to do some research, but later that evening I switched to Fiddler, cause while going through the Wireshark output, I had the feeling that Fiddler would be a better choice this time. I logged in on the Powerlink2 web interface and pushed the DISARM button. This resulted in the following HTTP request:

GET .../mobile/dam/arm/mode/disarm_state?JsHttpRequest=129823770199311-xml HTTP/1.1
Host: xxx.xxx.xxx.200
Connection: keep-alive
Referer: http://xxx.xxx.xxx.200/mobile
Content-Type: application/octet-stream
Accept: */*
User-Agent: blabla
Accept-Encoding: gzip,deflate,sdch
Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PowerLink=85a0bab15d60db242cc73c717aa46f7c; mobile=636f92fd8f357d0b10a2f70a845e2305

Hmm, that shouldn’t be too hard… first thing I looked at was that big number in the GET. It wasn’t random, cause with every GET it only seemed to get higher. Some time related number perhaps? OK, let’s look inside a /web/js/powerlink.js file I downloaded from the Visonic Powerlink2. Well what do we have here (sometimes 1 line of code is enough to ‘know’ what’s going on, I wouldn’t try to try to understand the complete script):

JsHttpRequest.extend(<blabla>, id:(new Date().getTime())+""+JsHttpRequest.COUNT++,hash:_a,span:null});

Ahhh.. getTime() returns the number of milliseconds since midnight of January 1, 1970, aka Unix epoch. That’s not hard to reproduce. The rest of this HTTP request should not be too hard to create either. Now let’s focus on the login process. I thought this would be much more complex. Let’s have a look at what Fiddler is showing me when I enter username & password and hit the LOGIN button:

POST .../mobile/login/index/?JsHttpRequest=12982287732070-xml HTTP/1.1
Accept: */*
Accept-Language: nl
Referer: http://xxx.xxx.xxx.200/mobile/login/index/
Content-Type: application/octet-stream
Accept-Encoding: gzip, deflate
User-Agent: blabla
Host: xxx.xxx.xxx.200
Content-Length: 42
Connection: Keep-Alive
Pragma: no-cache
Cookie: PowerLink=077d58c208ef9aaef1fe8d464015d929; mobile=e6efb2eae139ca6fe327b603d6c23e76
login=admin&password=admin&time=1298228773

Actually, I didn’t like what I saw.. do I really see my username and password being sent, unencrypted? Oh no… come on, Visonic..  But that’s an issue for another blog post; let’s stay focused The response was:

HTTP/1.1 200 OK
Date: Sat, 01 Jan 2000 16:47:48 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=1200, pre-check=1200
Last-Modified: Thu, 10 Jun 2010 02:27:30 GMT
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from xxx.xxx.xxx.200
Connection: close
Transfer-Encoding: chunked

40
{ "id": "12982287732070", "js": { "result": "ok" }, "text": "" }
0

Set-Cookie: mobile=353bbda17768c82ba9aa5331efc7157a; path=/

GET .../mobile/dam/arm/mode/disarm_state?JsHttpRequest=12982439146581-xml HTTP/1.1
Cookie: mobile=353bbda17768c82ba9aa5331efc7157a Host: xxx.xxx.xxx.200

Yeeha! Some female voice said to me: “Disarm. Ready to arm”. Was I dreaming? Again. ”Disarm. Ready to arm”. Hmm, that’s not bad… I’m getting all excited just by listening to a female “computer voice” !?

OK; now let’s arm this thing:

GET .../mobile/dam/arm/mode/away_state?JsHttpRequest=12982439148311-xml HTTP/1.1

“Arming away. Please exit now.’” I did it !?! Actually, I can’t believe I did…it’s too easy !!! But it works, time after time after time… I know Ethernet enabled thermostats and DSL modems that do a better job here…