I’m not sure I can ‘disclose’ the alarm system manufacturer’s name but they sell their products all over the world (according to their website), by the way I can see them everywhere I go 🙂 A few months ago I decided to open the burglar alarm control panel at my parents’ house. I then see that, once again, security is not where I would expect 🙂 My parents wanted to make some minor modification regarding the arming rule (e.g.
Dsc Pc1616 Keypad
Arming garage and kitchen but not bathroom anymore during the night). They told me that the installer guy asks each time 150 € (200 $), even for minor (and quick) modifications. I’m quite sure the guy doesn’t know he’s just changing a few bytes when he uses the user interface software from the alarm manufacturer. Anyway, he knows that the operation takes only a few minutes at most, and me too 🙂 Please note that I don’t discuss the fact that the guy has to earn his life but maybe I’m going to think of selling/installing burglar alarms So I opened the control panel to look for a model reference inside. Ouch the first bad surprise was that removing the cover fired the alarm instantly Fortunately we could stop the alarm bell by entering the (known) user code at the keypad. The second surprise, pretty much worse, was that it was not possible to arm the alarm anymore 😦 Well, the installer code is needed to clear the fault It seems that this anti-tamper system is also another way for the installer to get 150 bucks more. From that moment it was even more important to get access to the system, I was urged to make it working again, hum.
The good news was that there was a connector which looks familiar (it’s always better than proprietary interfaces). So I went on the manufacturer website, thinking of downloading some software As you can see, access to this part of the website is for authorized ressellers and installers only Too bad but hey, guess what, you can register 🙂 I first thought that I would have to wait a few days in order to let them verify my identity and so on. Working in electronic & IT, I was really thinking I could convince them to let my access the software download but surprise, they trust you straight away, just fill the boring form and you’re done. I thought of injecting some html to get “Other”, “End user” or even “Hacker” choice in the above listbox but no time for that 🙂 I then installed and ran the freshly downloaded user-friendly awful ancient-delphi-style software, connected computer to the electronic board through classic RS-232. I could read a lot of things out of the alarm memory/configuration but surprise surprise I cannot modify anything without providing some ‘installer code’.
My parents asked the guy but no way to get it I’m not sure he can legally keep it from us but I then understood there was (?) another reason The ‘exciting’ part began and I noticed a few interesting things:. The input password box is max 6 characters length.
It seems that I can try as many times as I want (as I need). The software reacts very very quickly (for its age:)) when I try passwords, it let me think that the lock was software only and not embedded in the alarm electronic, I could have been wrong but I had this feeling:-). Given the fact that the code can also entered using the physical keypad it’s numeric only (confirmed in the manual). Regarding the alarm manual (also downloaded from the website) the installer code must be at least 4 characters long. The software seems to continue working after I disconnected the computer from the RS-232 electronic board. Given all these observations, I thought of a “brute-force” attack. Nowadays it’s rarely useful (because of the usually large used) but here, it could take less than one day.
Anyway, there were other more elegant possibilities:. Sniffing communication between computer and electronic unit. Sniffing data on the PCB side. Playing with OllyDbg to either grab the code from memory, or inverting some conditional tests to make the software accept any code. Being an electronic guy, I also thought of reading the eeprom/micro-controller. I had a quick look with OlyDbg (and some other delphi dedicated diasemblers) but too painful for me (I did some crackmes a long time ago but I don’t know much about “cracking”). So I went for the brute-force attack and the sniffing at the same time 🙂 I quickly wrote a piece of code sending incremented numeric codes, clicking the validate button while reacting to the invalid code messagebox.
I let the brute-forcer app running and, after lunch, picked another computer to sniff data, I didn’t know that software sniffer for RS-232 would exists so I first went on using two RS-232 ports but while googling I found “free device monitoring studio”, never thought that this kind of software would exist but it makes sense! I confirmed the fact that the software does not exchange data with electronic unit when checking entered codes So the software would exchange the code when it “connects” to the board the first time. There were only a few bytes and some of them immediately caught my eyes wait these numbers sounds familiarmaybe this is a coincidence but they are the same that my postal code! Would the installer guy use the area postal code as it’s installer code?
Dsc Pc1616 Installer Lockout
And would the box exchange the code with the software in plain text? It seems so, at least for my parents’ alarm 🙂 In the meantime, the brute-forcer app, stopped counting at my postal code, too.
Surprise surprise no more invalid password messagebox when trying to unlock with the local area postal code anymore 🙂 I have now full access to modify whatever I want! I do not blame the alarm manufacturer, because if the thief is able to remove the cover to connect some PC, this thief is certainly already inside your house (and either the alarm bell is already ringing, or he already took care of that).
What scares me is the installer guy who supposedly uses the same (logic) code everywhere (I guess it’s another one for the other local areas but I should be able do guess it:-)) Knowing that there is a logic behind the installer code, bad people could break any surrounding house and gently disarming the alarm system Windows are labeled with “protected by the guycompanyname”, I think the purpose is to ‘scare’ stupid thieves (or maybe to appeal the other ones:-)). There is also a communication module (in option) which allows the end user to remotely (modem over phone line) arm/disarm the system, the problem is that this module also allows installer guy to make some changes remotely (still costing 150 bucks:-)?). A ‘more malicious’ attacker might try to remotely connect to random houses (the ones wearing the ‘protected stickers) using the phone book At least the installer guy won’t be able to do anything locally/remotely as I changed the installer code (hi thieves, I’m now using the house number haha:-)).
Hi, I have a DSC 1550 security system and previous owner didn't leave us a code therefore I'm not able to arm the system. I read some posts in these forums and attempted to perform hardware reset to find out if the system was locked by the installer.
(I read that if you hear 10 short clicks after powering system back up - while shorting eprom pins- that would indicate that installer lockout is turned on and the system is basically useless without installer code.) Well, after connecting AC power back up I did hear several clicks but they were so fast I couldn't tell how many. At that point siren turned on and all the lights on the keypad started blinking. Once I connected battery siren stopped.
Ready and trouble light were on. I checked trouble code and it was 6. I was able to resolve the trouble code but it does seem that the panel is locked out. I tried.81550 and.81500 but that did nothing. None of the default codes worked either. I also tried software reset to no avail.
Is it safe to assume the panel is locked out? The only thing that confuses me is that after the hardware reset it appears that all of the zones are still functioning (wouldn't I have to reprogram it if it is reset to factory settings?). I basically want to confirm that I've tried everything (and have done it correctly) before I replace control panel. I found second hand DSC 1550 panel online that's reset to factory setting with no lockout I was going to go with that. Not planning to have my system monitored (just to be able to arm it), looking for cheapest option. Btw, company that installed system is no longer in business so no way of finding out what the codes are.
Thanks for any feedback you may provide. First, realize that this is a long (10+ years) discontinued model. If you did the hardware default (you could have determined the lockout status without using the eeprom short), the system reverted to the default zone configuration, which might be close enough to how your zones are actually wired that they appear to be functional. Installer manual: In the alarm forum FAQ sticky at the top of the forum topic list, there is a procedure that will override the installer lockout on some PC 1550 models.
Hi, I'm back again. I got second hand 1550 control panel that's been reset to factory settings and has default installer code. I replaced my existing panel and wired the new one with exact same configuration. When I turned power on initially trouble light was lit and all zones were lit and alarm would sound every 2min.
I found out that EOL resistor requirement will keep all zones lit so I went into programming option via.8 1500 12 5 to change it to N.C. That turned all the zone lights off except zone 6. Zone 6 is still lit along with the trouble light. Trouble code is 1, indicating low battery.
I'm not able to figure out from installers manual how to turn off/program zone 6. I know it's a fire zone and it can't be bypassed. Any idea on how to do this? All other zones seem to be operational (on entry/exit doors, etc). Getting closer but still need some help. Thanks a lot for all the input.