Resetting Powermax Installer Code Alarm

 admin



Resetting powermax installer code alarm download

I’m not sure I can ‘disclose’ the alarm system manufacturer’s name but they sell their products all over the world (according to their website), by the way I can see them everywhere I go 🙂

Resetting Powermax Installer Code Alarm

D-303145 3 MESSAGE TO THE INSTALLER The PowerMaster-10 control panel is supplied with 2 instruction manuals: Installer's Guide (this manual) – for use of system installer during system installation and configuration. As others have stated, the answer to this question will depend on which actual system the ADT installer put in your property. However, the vast majority of systems that ADT puts in are just branded Honeywell systems. MESSAGE TO THE INSTALLER The PowerMax Pro control panel is supplied with 2 instruction manuals: Installer Guide (this manual - for your exclusive use) User’s Guide (for your use during installation only - Must be handed over to the master user after testing the system). Appendices A.1 and A.2 will help you prepare an installation plan. Mar 21, 2007 Hi all I have just received a new Powermax Plus control panel, the default installer code works fine and I went through the process of setting the system up before I realised the default user code does not work (.). Can you help, this is my first Powermax Plus system and after I had realised t.

A few months ago I decided to open the burglar alarm control panel at my parents’ house.

I then see that, once again, security is not where I would expect 🙂

My parents wanted to make some minor modification regarding the arming rule (e.g. arming garage and kitchen but not bathroom anymore during the night).

They told me that the installer guy asks each time 150 € (~200 $), even for minor (and quick) modifications. I’m quite sure the guy doesn’t know he’s just changing a few bytes when he uses the user interface software from the alarm manufacturer. Anyway, he knows that the operation takes only a few minutes at most, and me too 🙂
Please note that I don’t discuss the fact that the guy has to earn his life but maybe I’m going to think of selling/installing burglar alarms…

So I opened the control panel to look for a model reference inside.
Ouch… the first bad surprise was that removing the cover fired the alarm instantly…
Fortunately we could stop the alarm bell by entering the (known) user code at the keypad.

The second surprise, pretty much worse, was that it was not possible to arm the alarm anymore 😦
Well, the installer code is needed to clear the fault… It seems that this anti-tamper system is also another way for the installer to get 150 bucks more.

From that moment it was even more important to get access to the system, I was urged to make it working again, hum. The good news was that there was a connector which looks familiar (it’s always better than proprietary interfaces…).

So I went on the manufacturer website, thinking of downloading some software…

As you can see, access to this part of the website is for authorized ressellers and installers only…
Too bad but… hey, guess what, you can register… 🙂
I first thought that I would have to wait a few days in order to let them verify my identity and so on. Working in electronic & IT, I was really thinking I could convince them to let my access the software download but… surprise, they trust you straight away, just fill the boring form and you’re done.

I thought of injecting some html to get “Other”, “End user” or even “Hacker” choice in the above listbox but no time for that 🙂

I then installed and ran the freshly downloaded user-friendly awful ancient-delphi-style software, connected computer to the electronic board through classic RS-232.

I could read a lot of things out of the alarm memory/configuration but surprise surprise I cannot modify anything without providing some ‘installer code’. My parents asked the guy but no way to get it… I’m not sure he can legally keep it from us but I then understood there was (?) another reason…

The ‘exciting’ part began and I noticed a few interesting things:

  • The input password box is max 6 characters length.
  • It seems that I can try as many times as I want (as I need).
  • The software reacts very very quickly (for its age :)) when I try passwords, it let me think that the lock was software only and not embedded in the alarm electronic, I could have been wrong but I had this feeling :-).
  • Given the fact that the code can also entered using the physical keypad it’s numeric only (confirmed in the manual).
  • Regarding the alarm manual (also downloaded from the website) the installer code must be at least 4 characters long.
  • The software seems to continue working after I disconnected the computer from the RS-232 electronic board.
Powermax

Given all these observations, I thought of a “brute-force” attack. Nowadays it’s rarely useful (because of the usually large key space used) but here, it could take less than one day. Anyway, there were other more elegant possibilities:

  • Sniffing communication between computer and electronic unit.
  • Sniffing data on the PCB side.
  • Playing with OllyDbg to either grab the code from memory, or inverting some conditional tests to make the software accept any code.
  • Being an electronic guy, I also thought of reading the eeprom/micro-controller.

I had a quick look with OlyDbg (and some other delphi dedicated diasemblers) but too painful for me (I did some crackmes a long time ago but I don’t know much about “cracking”).

So I went for the brute-force attack and the sniffing at the same time 🙂 I quickly wrote a piece of code sending incremented numeric codes, clicking the validate button while reacting to the invalid code messagebox.

I let the brute-forcer app running and, after lunch, picked another computer to sniff data, I didn’t know that software sniffer for RS-232 would exists so I first went on using two RS-232 ports but while googling I found “free device monitoring studio”, never thought that this kind of software would exist but it makes sense!

I confirmed the fact that the software does not exchange data with electronic unit when checking entered codes… So the software would exchange the code when it “connects” to the board the first time.

There were only a few bytes and some of them immediately caught my eyes… wait… these numbers sounds familiar…maybe this is a coincidence but they are the same that my postal code! Would the installer guy use the area postal code as it’s installer code…? And would the box exchange the code with the software in plain text? It seems so, at least for my parents’ alarm 🙂

In the meantime, the brute-forcer app, stopped counting at my postal code, too.

Surprise surprise no more invalid password messagebox when trying to unlock with the local area postal code anymore 🙂 I have now full access to modify whatever I want!

I do not blame the alarm manufacturer, because if the thief is able to remove the cover to connect some PC, this thief is certainly already inside your house (and either the alarm bell is already ringing, or he already took care of that).

Alarm

What scares me is the installer guy who supposedly uses the same (logic) code everywhere (I guess it’s another one for the other local areas but I should be able do guess it :-))

Knowing that there is a logic behind the installer code, bad people could break any surrounding house and gently disarming the alarm system…
Windows are labeled with “protected by [the guy_company_name]”, I think the purpose is to ‘scare’ stupid thieves (or maybe to appeal the other ones :-)).

There is also a communication module (in option) which allows the end user to remotely (modem over phone line) arm/disarm the system, the problem is that this module also allows installer guy to make some changes remotely (still costing 150 bucks :-)?). A ‘more malicious’ attacker might try to remotely connect to random houses (the ones wearing the ‘protected stickers) using the phone book…

At least the installer guy won’t be able to do anything locally/remotely as I changed the installer code (hi thieves, I’m now using the house number haha :-)).

Resetting Powermax Installer Code Alarm Download

cambrioleur

Master Codes and Installer Codes both have different functions. The Installer Code on a panel is used for entering installer programming mode. In this mode, various changes to the function of the system can be made. Meanwhile, the Master Code is used primarily for arming and disarming.


When the Installer Code is entered on a panel, the user will be taken to a different menu than if they enter their Master Code. This menu allows users to add and program new devices, change system settings, and change delay times. The Installer Code can also change the Master Code, but it cannot assign any other user codes. Additionally, the Installer Code can never be used to disarm a system, unless it was the code used to arm the system in the first place.

The Master Code is the primary code for the alarm system. In addition to arming and disarming the alarm system, the Master Code provides access to a user menu. From there, you can add, edit and delete user codes, change the master code, view the event log, set the system clock, program keypad macros, set scheduled events and activate output devices like triggers and relays. The Master Code can always disarm the system, even if it was not armed using that code.

In addition to Master and Installer codes, there are also User Codes. These codes can perform basic arming and disarming functions, as well as zone bypassing, and they are a good way to allow a person to reliably arm and disarm the panel, without having to provide them with the Master Code.

It should be noted that the Installer Code and the Master Code on a panel can never be the same. Each needs to have its own unique four-digit number. Every alarm system brand has a standard default Installer Code and Master Code. Knowing these codes can be helpful for accessing a panel after it has reset to factory default. Below are some of the default codes:

  • Honeywell: Master - 1234 ; Installer - 4112
  • 2GIG: Master - 1111 ; Installer - 1561
  • Qolsys: Master - 1234 ; Installer - 1111

Did you find this answer useful?

We offer alarm monitoring as low as $10 / month

Click Here to Learn More
Here is an FAQ reviewing how to delete zones: https://www.alarmgrid.com/faq/how-do-you-delete-a-honeywell-wireless-device
How can i disable zone on a vista 128?
Thanks Julia! I have being reading through your FAQs here at AG and am learning so much about the system that we bought--much appreciated!
No, reporting of program entry/exit is not a programmable option on that panel. It will not report it.
Well mine is an L7000--is there an option somewhere that I can check to see if it is enabled or disabled?
Entry to, and exit from, programming are not reported on most residential burglary panels. If there were an option to report it, we would not enable it.
I'm wondering about what uses of the Installer code get sent to AlarmNet and the Central Station? It seems clearly that if the Installer code is used to arm or disarm that would get sent, but does its use to enter Programming Mode also get sent to AlarmNet and then to CS? If yes, what use might either or both make of that record?
Great.....Thanks for the info
No, accessing the panel's programming using the 'backdoor' method will not wipe out the existing panel programming.
On a Vista 20P if I reset the panel using the power up option to change the Installer code, does that erase the zones that are currently programmed into the panel? I don't know the current code.

Related Products

LYNX Touch Wireless Security System with 4-1/3 inch Screen
Alarm
Our Price:$221.99

Resetting Powermax Installer Code Alarm Systems

LYNX Touch Wireless Home Security System and Alarm Control Panel
Wireless Home Security System w/ 7-inch Screen
Our Price:$314.99
DIY Wireless Security System w/ 7-inch Screen
Go!Control Wireless Security System

Resetting Powermax Installer Code Alarm System

Related Categories

Resetting Powermax Installer Code Alarm Free

Answered