cybergibbons (Author) - Posted May 22, 2013

Precisely Joe. This is just an easy target to show that.

--
I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/
james.wilson - Posted May 22, 2013

I appreciate the insight still. It just highlights the unquestioning way industry accepts statements and that we ought to be questioning them where established third party certification has not been carried out. I do agree, 3rd party certification of product should be mandatory for 3rd party certificated companies. I wonder if our own insurance we carry would have a lower premium based on approval level and all products in use carrying a 3rd party approved cert?

--
securitywarehouse: Security Supplies from Security Warehouse. Trade Members please contact us for your TSI vetted trade discount.
cybergibbons (Author) - Posted May 22, 2013

I still don't see how you can get the mapping from only one complete pair. Have you looked into any other popular ones? Tunstall or Texe for example. Tunstall are someone who Menvier took over who Cooper took over? If you can point me towards a program to generate them...
sixwheeledbeast - Posted May 22, 2013

> Tunstall are someone who Menvier took over who Cooper took over?

Correct. Tunstall is the name of the anti-code on most Cooper stuff.
SoupDragon - Posted May 27, 2013 (edited May 27, 2013 by SoupDragon)

Great blog btw, it's really got my attention. Correct me if I'm wrong but I'd like to run a few things by you:

a) We need access to the panel keypad in the first place, thus triggering the alarm. We need the code to unset the alarm and to be presented with an anti-code, all within a time limit. Ah, the issue of customers resetting panels without the need for an ARC. Now I see the issue.

b) Would the method of producing these products (the algorithm) be stored within the firmware of an alarm system? If not, how does the alarm know that you have entered the right anti-code?
cybergibbons (Author) - Posted May 27, 2013

> Great blog btw, it's really got my attention. Correct me if I'm wrong but I'd like to run a few things by you:
> a) We need access to the panel keypad in the first place, thus triggering the alarm. We need the code to unset the alarm and to be presented with an anti-code, all within a time limit. Ah, the issue of customers resetting panels without the need for an ARC. Now I see the issue.
> b) Would the method of producing these products (the algorithm) be stored within the firmware of an alarm system? If not, how does the alarm know that you have entered the right anti-code?

Thanks. With a) it seems that the main issue is that customers could reset the panel when the ARC doesn't want them to.

b) I suspect exactly the same algorithm is used in the panel as in the program. I think the algorithm was written for whatever 8-bit processor was used in those days. Might as well show the algorithm used; the only bit of it that needs to be secret is the vector at the top, which I have changed. I don't know if you know any programming or Python, but it's really simple.
    # Taken from the data in the exe (256 entries; the real values have been changed, see above)
    vector = [3,3,5,5,8,1,3,9,8,0,5,9,3,9,4,1,1,0,9,4,3,0,2,2,8,4,3,2,8,4,9,4,1,3,3,3,3,8,5,3,0,2,4,3,2,1,8,9,0,5,4,3,9,5,8,3,9,9,1,0,0,9,9,3,3,8,2,
              1,4,9,1,4,9,2,9,0,9,5,3,9,5,3,3,5,9,1,0,2,9,3,2,1,2,9,8,0,4,9,4,2,3,9,4,0,1,8,5,3,3,9,9,1,0,5,9,3,8,9,4,8,4,2,3,1,0,3,9,4,8,2,0,4,3,3,
              1,0,5,2,8,3,3,5,2,8,3,2,9,5,2,1,2,4,4,3,0,4,2,3,4,1,8,2,9,1,0,5,1,8,2,4,3,5,1,0,3,8,5,3,2,1,1,3,9,3,2,3,5,8,3,9,0,3,2,3,5,3,8,4,0,3,9,
              1,9,3,0,2,9,3,8,1,4,2,8,4,0,1,9,1,0,1,2,1,3,5,3,3,9,0,2,1,4,1,2,3,4,3,4,9,5,3,5,9,3,1,3,9,4,0,3,2,3,3,4,4,2,1]

    def generate_reset(quote, version):
        # quote: the five digits the panel displays; version: the panel's version number
        i = 0
        tens = 0
        reset = []
        while i <= 4:                   # five digits of reset code
            j = 0
            result = 0
            while j <= 4:               # five table lookups per digit
                # index into the 256-entry table; "% 256" is the 8-bit wrap-around
                offset = (version + tens + quote[j]) % 256
                result = result + vector[offset]
                tens = tens + 10        # keeps counting across all 25 lookups, never reset
                j = j + 1
            reset.append(result % 10)   # keep only the last digit of the sum
            i = i + 1
        return reset

    print(generate_reset(quote=[0,0,0,0,2], version=131))

Notice that there is no multiplication, division, or anything fancy. The % symbol means "modulus", which most people know as "remainder". So "% 256" means "divide by 256 and give me the remainder". You normally get this for free in a microcontroller - an 8-bit number is limited to 256 values, so it just wraps round anyway.

Panel firmware would contain it - in fact, now that I know certain panels have it, I can find the long string of characters called "vector" in some of them. The problem with panel firmware is that it is very hard for me to work out what is data and what is code. In x86 exes, there are normally a lot more hints available to me. I can also easily run an x86 exe and step through the running code to see how it works. With a microcontroller in an alarm, I can't easily do this.
SoupDragon - Posted May 27, 2013 (edited May 27, 2013 by SoupDragon)

Thanks for sharing the code. Looks to me like some sort of checksum-style algorithm but without strong crypto (military grade, HA). Adding 1 to version and -11111 to quote results in the same result from what I can see, not where the key has 0 in it though. It's weak. Have you found anything else?
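The observation in the post above (add 1 to version, subtract 1 from every quote digit, same reset code) follows directly from the structure of the posted algorithm, and the following added example checks it. This is not code from the thread: it re-implements the posted arithmetic over a constructed, deterministic 256-entry table (the real table is panel specific and cybergibbons changed his anyway), and the property being tested does not depend on the table's contents. The helper names (offsets_used, shifted_pair, collides_after_shift) are this example's own.

```python
# Added example, not code from the thread. Every table read in the posted
# algorithm uses the index (version + tens + quote[j]) % 256, so the reset
# code depends only on the five sums version + quote[j], never on version
# and quote separately. Moving a constant from the quote digits onto the
# version therefore leaves all 25 reads, and hence the output, unchanged.

# Constructed stand-in for the real 256-entry table; digits 0-9 like the real one.
VECTOR = [(i * 7 + 3) % 10 for i in range(256)]


def offsets_used(quote, version):
    """The 25 table indices the posted algorithm reads, in read order."""
    offsets = []
    tens = 0
    for _ in range(5):            # five output digits
        for j in range(5):        # five table reads per digit
            offsets.append((version + tens + quote[j]) % 256)
            tens += 10            # never reset between digits, as in the original
    return offsets


def generate_reset(quote, version, vector=VECTOR):
    """Same arithmetic as the posted generate_reset: each output digit is the
    sum of five table reads, reduced mod 10."""
    offsets = offsets_used(quote, version)
    reset = []
    for i in range(5):
        block = offsets[5 * i:5 * i + 5]
        reset.append(sum(vector[o] for o in block) % 10)
    return reset


def shifted_pair(quote, version, delta):
    """Move delta from every quote digit onto the version.

    Returns (shifted_quote, shifted_version), or None when a shifted digit
    would leave the keypad range 0-9. That is the "0 in the key" case
    SoupDragon noticed: a 0 digit cannot absorb a subtraction, so no valid
    shifted input exists for that quote.
    """
    shifted = [d - delta for d in quote]
    if any(d < 0 or d > 9 for d in shifted):
        return None
    return shifted, version + delta


def collides_after_shift(quote, version, delta):
    """True when the shifted input exists, reads exactly the same 25 table
    entries and therefore yields an identical reset code."""
    pair = shifted_pair(quote, version, delta)
    if pair is None:
        return False
    shifted_quote, shifted_version = pair
    same_reads = offsets_used(quote, version) == offsets_used(shifted_quote, shifted_version)
    same_reset = generate_reset(quote, version) == generate_reset(shifted_quote, shifted_version)
    return same_reads and same_reset


if __name__ == "__main__":
    print(generate_reset([1, 2, 3, 4, 5], 131))
    print(collides_after_shift([1, 2, 3, 4, 5], 131, 1))  # True: identical reads
    print(shifted_pair([0, 0, 0, 0, 2], 131, 1))           # None: a 0 digit blocks the shift
```

Because the check compares the index sequences as well as the outputs, it shows that the collision is structural (the same table entries are read) rather than a coincidence of a particular table, which is why swapping in a constructed table does not change the conclusion.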
GalaxyGuy - Posted May 27, 2013

> Panel firmware would contain it - in fact, now that I know certain panels have it, I can find the long string of characters called "vector" in some of them. The problem with panel firmware is that it is very hard for me to work out what is data and what is code. In x86 exes, there are normally a lot more hints available to me. I can also easily run an x86 exe and step through the running code to see how it works. With a microcontroller in an alarm, I can't easily do this.

Pretty much what I've seen when looking at security device firmware. No obfuscation or encryption of any constant vectors used. Especially easy to find them when you have an accompanying exe with the same sequence. Pretty sure I could pattern match the executable against a technistore panel binary and have that vector in a couple of minutes.
cybergibbons (Author) - Posted May 27, 2013

The same is true for encryption in some wireless systems. The receiver in the panel doesn't have the overhead to deal with a key per detector, so it just uses a single system-wide key. That means all detectors, ever, use the same key...
cybergibbons (Author) - Posted May 28, 2013

> Thanks for sharing the code. Looks to me like some sort of checksum-style algorithm but without strong crypto (military grade, HA). Adding 1 to version and -11111 to quote results in the same result from what I can see, not where the key has 0 in it though. It's weak. Have you found anything else?

The biggest problem by far is the small key compared to the code size, so I've kind of stopped looking into this one.