Security Installer Community


Posted

I appreciate the insight still. It just highlights the unquestioning way industry accepts statements and that we ought to be questioning them where established third party certification has not been carried out.

I do agree, 3rd party certification of product should be mandatory for 3rd party certificated companies.

I wonder if our own insurance we carry would have a lower premium based on approval level and all products in use carrying a 3rd party approved cert?


Posted

I still don't see how you can get the mapping from only one complete pair.

Have you looked into any other popular ones? Tunstall or Texe for example.

Tunstall are someone who Menvier took over who Cooper took over?

If you can point me towards a program to generate them...

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Posted (edited)

Great blog btw, it's really got my attention. Correct me if I'm wrong but I'd like to run a few things by you:

 

a) We need access to the panel keypad in the first place, thus triggering the alarm. We need the code to unset the alarm and to be presented with an anti-code, all within a time limit.

Ah the issue of customers resetting panels without the need for an ARC. Now I see the issue.

 

b) Would the method of producing these products (the algorithm) be stored within the firmware of an alarm system? If not, how does the alarm know that you have entered the right anti-code?

Edited by SoupDragon
Posted

Great blog btw, it's really got my attention. Correct me if I'm wrong but I'd like to run a few things by you:

 

a) We need access to the panel keypad in the first place, thus triggering the alarm. We need the code to unset the alarm and to be presented with an anti-code, all within a time limit.

Ah the issue of customers resetting panels without the need for an ARC. Now I see the issue.

 

b) Would the method of producing these products (the algorithm) be stored within the firmware of an alarm system? If not, how does the alarm know that you have entered the right anti-code?

 

Thanks.

 

With a) it seems that the main issue is that customers could reset the panel when the ARC doesn't want them to.

 

b) I suspect exactly the same algorithm is used in the panel as in the program. I think the algorithm was written for whatever 8-bit processor was used in those days.

 

Might as well show the algorithm used, the only bit of it that needs to be secret is the vector at the top which I have changed. I don't know if you know any programming or Python, but it's really simple.

# Taken from the data in the exe (256 entries, one for every possible byte offset)
vector = [3,3,5,5,8,1,3,9,8,0,5,9,3,9,4,1,1,0,9,4,3,0,2,2,8,4,3,2,8,4,9,4,1,3,3,3,3,8,5,3,0,2,4,3,2,1,8,9,0,5,4,3,9,5,8,3,9,9,1,0,0,9,9,3,3,8,2,
          1,4,9,1,4,9,2,9,0,9,5,3,9,5,3,3,5,9,1,0,2,9,3,2,1,2,9,8,0,4,9,4,2,3,9,4,0,1,8,5,3,3,9,9,1,0,5,9,3,8,9,4,8,4,2,3,1,0,3,9,4,8,2,0,4,3,3,
          1,0,5,2,8,3,3,5,2,8,3,2,9,5,2,1,2,4,4,3,0,4,2,3,4,1,8,2,9,1,0,5,1,8,2,4,3,5,1,0,3,8,5,3,2,1,1,3,9,3,2,3,5,8,3,9,0,3,2,3,5,3,8,4,0,3,9,
          1,9,3,0,2,9,3,8,1,4,2,8,4,0,1,9,1,0,1,2,1,3,5,3,3,9,0,2,1,4,1,2,3,4,3,4,9,5,3,5,9,3,1,3,9,4,0,3,2,3,3,4,4,2,1]


def generate_reset(quote, version):
    # quote:   the five digits the panel shows, as a list of ints
    # version: the one-byte value that selects the mapping
    i = 0
    tens = 0        # keeps counting up by 10 across all 25 look-ups
    reset = []

    while i <= 4:
        j = 0
        result = 0

        while j <= 4:
            # the offset wraps at 256, exactly as an 8-bit register would
            offset = (version + tens + quote[j]) % 256
            result = result + vector[offset]
            tens = tens + 10
            j = j + 1

        # only the last digit of each running sum becomes a reset digit
        reset.append(result % 10)
        i = i + 1

    return reset


print(generate_reset(quote=[0, 0, 0, 0, 2], version=131))

Notice that there is no multiplication, division, or anything fancy. The % symbol means "modulus" which most people know as "remainder". So "% 256" means "divide by 256 and give me the remainder". You normally get this for free in a microcontroller - an 8-bit number is limited to 256 values, so it just wraps round anyway.

 

Panel firmware would contain it - in fact, now that I know certain panels have it, I can find the long string of characters called "vector" in some of them. The problem with panel firmware is that it is very hard for me to work out what is data and what is code. In x86 exes, there are normally a lot more hints available to me. I can also easily run an x86 exe and step through the running code to see how it works. With a microcontroller in an alarm, I can't easily do this.

  • Upvote 1

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Posted (edited)

Thanks for sharing the code, looks to me like some sort of checksum style algorithm but without strong crypto (military grade, HA).

 

Adding 1 to version and -11111 to quote results in the same result from what I can see, not where the key has 0 in it though. It's weak, have you found anything else?

Edited by SoupDragon
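The following is an added example, not code from either poster. It re-implements the generator cybergibbons posted above, using a constructed stand-in table (256 made-up digits, not the values from the exe or any panel) so that it runs on its own, and then checks the property SoupDragon points out: adding k to the version while lowering every quote digit by k gives an identical reset code, so long as no digit would go below 0. The offset is computed from (version + tens + digit) mod 256, so the two changes cancel exactly, whatever the table contains; this is why the effective key space is even smaller than the 256 values a one-byte version allows. Function and variable names are my own.

```python
# Added example (not from the thread). Re-implements the posted algorithm with a
# constructed table and checks the version/quote shift equivalence noted in the
# thread. Names (VECTOR, generate_reset, shifted_equivalents, check_equivalence)
# are assumptions for this example only.

# Constructed stand-in for the secret table: 256 digits that are clearly not
# the real values from the exe or a panel.
VECTOR = [(17 * i + 5) % 10 for i in range(256)]


def generate_reset(quote, version, table=VECTOR):
    """Same arithmetic as the posted code: 25 table look-ups, summed in
    groups of five, keeping only the last digit of each group's sum."""
    reset = []
    tens = 0
    for _ in range(5):
        result = 0
        for digit in quote:
            # (version + tens + digit) wraps at 256 like an 8-bit register
            result += table[(version + tens + digit) % 256]
            tens += 10
        reset.append(result % 10)
    return reset


def shifted_equivalents(quote, version):
    """Every (version', quote') pair the generator cannot tell apart from
    (version, quote): version raised by k and each quote digit lowered by k,
    for k from 1 up to the smallest digit (digits cannot go below 0)."""
    pairs = []
    for k in range(1, min(quote) + 1):
        pairs.append(((version + k) % 256, [d - k for d in quote]))
    return pairs


def check_equivalence(quote, version):
    """True if every shifted pair yields exactly the same reset code."""
    expected = generate_reset(quote, version)
    return all(generate_reset(q, v) == expected
               for v, q in shifted_equivalents(quote, version))


if __name__ == "__main__":
    quote = [3, 4, 7, 5, 2]   # constructed sample quote
    version = 131             # the version value used in the thread's example
    print("reset for", quote, "version", version, "->", generate_reset(quote, version))
    for v, q in shifted_equivalents(quote, version):
        print("version", v, "quote", q, "->", generate_reset(q, v))
    print("all shifted pairs equivalent:", check_equivalence(quote, version))
```

The check holds for any table because the table index is the only place version and quote digits meet, and they are simply added. A quote such as 00002 has no shifted equivalents (a 0 cannot be lowered), which is the exception SoupDragon mentions.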
Posted

Panel firmware would contain it - in fact, now that I know certain panels have it, I can find the long string of characters called "vector" in some of them. The problem with panel firmware is that it is very hard for me to work out what is data and what is code. In x86 exes, there are normally a lot more hints available to me. I can also easily run an x86 exe and step through the running code to see how it works. With a microcontroller in an alarm, I can't easily do this.

 

Pretty much what I've seen when looking at security device firmware. No obfuscation or encryption of any constant vectors used. Especially easy to find them when you have an accompanying exe with the same sequence. Pretty sure I could pattern match the executable against a technistore panel binary and have that vector in a couple of minutes.

Posted

The same is true for encryption in some wireless systems. The receiver in the panel doesn't have the overhead to deal with a key per detector, so it just uses a single system wide key. That means all detectors, ever, use the same key...

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Posted

Thanks for sharing the code, looks to me like some sort of checksum style algorithm but without strong crypto (military grade, HA).

 

Adding 1 to version and -11111 to quote results in the same result from what I can see, not where the key has 0 in it though. It's weak, have you found anything else?

 

The biggest problem by far is the small key compared to the code size, so I've kind of stopped looking into this one. 

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 
