More Powerlink2 stuff

Another “HowStuffWorks” post ūüėČ

Changing the alarm state of a Visonic Powermax Pro with the Powerlink2 was fun, but there’s more. The Powerlink web interface also shows the Control Panel status:

Visonic Control Panel status

And, if there are any sensors that prevent the alarm from being armed they’re shown here too. Wouldn’t it be nice to obtain that information in a usable form, so it can be used in our own apps?¬†(everything is called an “app” these days, right) ¬†Stuff like the current status, sensor information and such? Gotta have it! Here we go…

I started a browser, Fiddler and logged in on the Powerlink 2 mobile interface and saw these periodic calls being made:

GET  HTTP/1.1 Accept: */* Accept-Language: nl
Referer:
Content-Type: application/octet-stream
Accept-Encoding: gzip, deflate
User-Agent: blabla
Host: xx.xx.xx.200
Connection: Keep-Alive
Cookie: PowerLink=43e66dc8f6485151c9179d40b0e1831f; mobile=802fece964ec8e77ca2e533d479cc93f

Quite easy to mimic. So I did and logged the responses:

{ "id": "1", "js": { "reply": { "index": "24", "configuration": { "sensors": [ { "name": "Sensor", "index": "1", "type": "Delay 1", "location": "Front Door" }, { "name": "Sensor", "index": "2", "type": "Perimeter-Follow" , "location": "Hall" } ], "system": { "name": "Control Panel", "disarm": [  ], "status": "Ready", "arm": "0", "latchkey_enable": "Latchkey Enable", "ip_mode": "dynamic", "ip": "xx.xx.xx.200", "subnet": "255.255.255.0", "gateway": "xx.xx.xx.60", "dns1": "xx.xx.xx.1" } }, "alarms": [  ], "alarmframetimes": [  ] } }, "text": "" }

This is the ‘initial’ response, as in the first response we get to the request shown above. Here we see the sensors, their index number (needed later on), type and location and we also see the Control Panel status: Ready. OK; lets see what the response is made of when we repeat the same request a few times:

{ "id": "1", "js": { "reply": [  ] }, "text": "" }

Few seconds later another request, response is still the same:

{ "id": "1", "js": { "reply": [  ] }, "text": "" }

Nothing changes. Let’s open the Hall sensor (no, not this one, but a regular MCT-302) :

{ "id": "1", "js": { "reply": { "index": "25", "update": { "sensors": [ { "index": "1" }, { "index": "2", "status": "Open" } ], "system": { "not_ready": [  ], "disarm": [  ], "status": "Not Ready", "arm": "0" } } } }, "text": "" }

Aha! The sensor with index 2 changed to status “Open” and the Control Panel Status changed to “Not ready”. On the Powermax LCD display I see: HALL OPEN. Yep, the Control Panel is showing the right text; it’s working ūüėČ

Next response, with the Hall sensor still open:

{ "id": "1", "js": { "reply": [  ] }, "text": "" }

And again…

{ "id": "1", "js": { "reply": [  ] }, "text": "" }

Time to close the sensor again, now I get this:

{ "id": "1", "js": { "reply": { "index": "26", "update": { "sensors": [ { "index": "1" }, { "index": "2" } ], "system": { "disarm": [  ], "status": "Ready", "arm": "0" } } } }, "text": "" }

No more “problem sensors” and the Control Panel is back to “Ready”. Also notice this index number increasing with every change (24, 25, 26…). Track this one in your software and use it in the subsequent requests you do. If you don’t, you’re gonna miss all the information you want…

And as expected, the next responses are:

{ "id": "1", "js": { "reply": [  ] }, "text": "" }
{ "id": "1", "js": { "reply": [  ] }, "text": "" }

With this information it should be relatively easy to create a driver for it and use the provided information for whatever you want.

I also added the quick&dirty example code I used while playing with the Powerlink 2. Now I’m gonna find me a large firm cardboard box, put the Powermax Pro in it and send it back to Pieter. I’m sure he’ll want to start using it by now!

Next!

Hacking the Visonic Powerlink 2

Yesterday a friend of mine,¬†Pieter Knuvers, paid us a visit. We have a lot in common of which passion for Domotica is one, and we also think alike on a lot of other related subjects and on how to deal with them. We discussed several projects we’re (both) working on and what we can do do to make the best of it all nearly the whole afternoon.

He also brought his Visonic PowerMax Pro with him. Inside this Powermax there’s a Powerlink2 module, with which it’s possible to Ethernet-enable the Visonic Powermax Pro. Now wouldn’t it be great if we could find a way to control this Powermax from our Domotica systems? Of course! I see a lot of benefits to this, total integration of an alarm system into a Home Automation solution. In a secure way of course. Pieters idea to let his Domotica system decide when his alarm system can be disarmed is a very logical step, especially when you’ve already let your Domotica system know who you are by means of another secure subsystem…

And since we both created our own Domotica systems from scratch ourselves, it would just be a matter of finding out how, and integration would just be a matter of adding some extra code to our systems and we would be good to go! On the other hand, I also thought about the implications of being able to control an alarm system by its web interface; it would actually be a good thing if this wasn’t too easy… ¬†Nevertheless, let’s see if we can get this alarm system to obey our commands ūüėČ

OK, here we go. We plugged in a UTP cable, started a browser and entered the IP address of the Visonic Powerlink2: x.x.x.200. The Powerlink module automatically assigns itself the .200 address of your local subnet. We started with our good friend Wireshark again to do some research, but later that evening I switched to Fiddler, cause while going through the Wireshark output, I had the feeling that Fiddler would be a better choice this time. I logged in on the Powerlink2 web interface and pushed the DISARM button. This resulted in the following HTTP request:

GET .../mobile/dam/arm/mode/disarm_state?JsHttpRequest=129823770199311-xml HTTP/1.1
Host: xxx.xxx.xxx.200
Connection: keep-alive
Referer:
Content-Type: application/octet-stream
Accept: */*
User-Agent: blabla
Accept-Encoding: gzip,deflate,sdch
Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PowerLink=85a0bab15d60db242cc73c717aa46f7c; mobile=636f92fd8f357d0b10a2f70a845e2305

Hmm, that shouldn’t be too hard… first thing I looked at was that big number in the GET. It wasn’t random, cause with every GET it only seemed to get higher. Some time related number perhaps? OK, let’s look inside a /web/js/powerlink.js file I downloaded from the Visonic Powerlink2. Well what do we have here (sometimes 1 line of code is enough to ‘know’ what’s going on, I wouldn’t try to try to understand the complete script):

JsHttpRequest.extend(<blabla>, id:(new Date().getTime())+""+JsHttpRequest.COUNT++,hash:_a,span:null});

Ahhh.. getTime() returns the number of milliseconds since midnight of January 1, 1970, aka Unix epoch. That’s not hard to reproduce. The rest of this HTTP request should not be too hard to create either. Now let’s focus on the login process. I thought this would be much more complex. Let’s have a look at what Fiddler is showing me when I enter username & password and hit the LOGIN button:

POST .../mobile/login/index/?JsHttpRequest=12982287732070-xml HTTP/1.1
Accept: */*
Accept-Language: nl
Referer:
Content-Type: application/octet-stream
Accept-Encoding: gzip, deflate
User-Agent: blabla
Host: xxx.xxx.xxx.200
Content-Length: 42
Connection: Keep-Alive
Pragma: no-cache
Cookie: PowerLink=077d58c208ef9aaef1fe8d464015d929; mobile=e6efb2eae139ca6fe327b603d6c23e76
login=admin&password=admin&time=1298228773

Actually, I didn’t like what I saw.. do I really see my username and password being sent, unencrypted? Oh no… come on, Visonic.. ¬†But that’s an issue for another blog post; let’s stay focused ūüôā The response was:

HTTP/1.1 200 OK
Date: Sat, 01 Jan 2000 16:47:48 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=1200, pre-check=1200
Last-Modified: Thu, 10 Jun 2010 02:27:30 GMT
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from xxx.xxx.xxx.200
Connection: close
Transfer-Encoding: chunked

40
{ "id": "12982287732070", "js": { "result": "ok" }, "text": "" }
0
OK, this tells me that the result is ok, and I get that big number returned in the response… high level of rocket-science involved here…
I had seen enough, it was time to mimic this conversation from a small app, starting with performing a¬†successful¬†login. Done … Now the first difference I saw was that the response from the Visonic contained the following header:
Set-Cookie: mobile=353bbda17768c82ba9aa5331efc7157a; path=/
Yeah, right. ¬†My app is not a browser so there’s no cookie, so my app is asked to set one. OK, I will simulate that. I extracted the bold part from this header and used it in the next HTTP call, in which I wanted to disarm the alarm:
GET .../mobile/dam/arm/mode/disarm_state?JsHttpRequest=12982439146581-xml HTTP/1.1
Cookie: mobile=353bbda17768c82ba9aa5331efc7157a Host: xxx.xxx.xxx.200

Yeeha! Some female voice said to me: “Disarm. Ready to arm”. Was I dreaming? Again.¬†“Disarm. Ready to arm”. Hmm, that’s not bad… I’m getting all excited just by listening to a female “computer voice” !?

OK; now let’s arm this thing:

GET .../mobile/dam/arm/mode/away_state?JsHttpRequest=12982439148311-xml HTTP/1.1

“Arming away. Please exit now.'”¬†I did it !?!¬†Actually, I can’t believe I did…it’s too easy !!! But it works, time after time after time… I know Ethernet enabled thermostats and DSL modems that do a better job here…