It swings both ways, especially for RF comms
In a few of the previous posts, I’ve discussed some principles used in the radio communications in alarms. I’ve mentioned that some features are harder to implement well using one-way radios. What is...
Why am I hacking your alarm?
Since I’ve started posting about alarm systems, a number of people have questioned my motives. I can understand why – these are security products and I can see how many people would think poking around...
Tomographic motion detection
Typical alarms use PIR (passive infrared), microwave or ultrasound detectors for motion detection. PIR are by far the most common type of detector – they work by detecting changes in infrared emitted...
What’s inside a WebWayOne SPT?
I managed to find a reasonable resolution image of a WebWayOne SPT (supervised premises transceiver, the device that communicates with the ARC (alarm receiving centre)). Just some quick notes about...
Reversing an anti-code
A contact in the alarm industry recently asked if I could take a look at a quick reverse engineering job. I’m trying to gain some credibility with these guys, so I naturally accepted the challenge....
We need an antidote to the anti-code
In the last post, I briefly went over the process of reverse engineering the algorithm behind an anti-code generator for an alarm system. It turned out that the algorithm was very simple indeed. For a...
Programming a Texecom Premier Elite 12-W using an FTDI cable
The Texecom Premier Elite series of alarms can be programmed using Windows software called Wintex. This makes setting up these alarms far easier than using the keypad menus – they have hundreds of...
Wireless alarm recommendations
Several times I have been asked which wireless alarm system I would recommend, so I thought I would write a quick blog post. I’ll start with some simple points: Wired is always going to be more secure...
Why have I removed all the CSL Dualcom posts?
As part of my reverse engineering of the CSL Dualcom alarm signalling boards, I have uncovered some issues that I would classify as vulnerabilities. I have recently informed CSL Dualcom about one of the...
iSmartAlarm – quick “teardown”
I noticed this post on the alarm forum at DIYnot. It mentions the iSmartAlarm – an alarm I’ve heard nothing about before. Smart tends to mean “connected to the Internet” which tends to mean “massive...
Reverse engineering a CSL Dualcom GPRS part 10 – analysing the logic trace 2
Last post, we looked at the comms between the board and the GPRS modem. There was a long, interesting, string sent to a remote server: LjS1WQjg8FHqR1a4P4DVsjO8eUITXY6ifHPlaFhkZ2SJ. When we look out to the...
Reverse engineering a CSL Dualcom GPRS part 11 – disassembling firmware
I find reverse engineering is about building up a broad picture instead of working in-depth on any one aspect of the system. Dip into one bit, check what you are seeing is reliable and makes sense, dip...
Reverse engineering a CSL Dualcom GPRS part 12 – board buzz out
We’ve now got the code disassembled. The disassembler has no concept of what is connected to the microcontroller though, so we need to work out which ports/pins/peripherals are used by which parts of...
Reverse engineering a CSL Dualcom GPRS part 13 – checking the SIM card
The ICCID is written on the outside of the Dualcom GPRS, stored in the EEPROM, read in from the GPRS modem, and read in from EEPROM immediately before a long, random looking, string is sent to a remote...
Reverse engineering a CSL Dualcom GPRS part 14 – interpreting disassembly
A few posts ago, we managed to disassemble the firmware from the CSL Dualcom site. The entire listing is available here as a zip. There is a lot of blank space in the file which needs to be trimmed...
Reverse engineering a CSL Dualcom GPRS part 15 – interpreting disassembly 2
In addition to finding the most frequently called functions, we should go through the memory map and identify important parts of it. One part of this that is very important to how the device operates...
Reverse engineering a CSL Dualcom GPRS part 16 – SMS remote commands
Sorry for the slow-down in posts – I stored up a load of posts, then posted them too quickly. Since the last post, I have identified a lot of functionality in the code, including: TX/RX subs for all...
CSL Dualcom CS2300-R signalling unit vulnerabilities
Today, CERT/CC will be disclosing a series of vulnerabilities I have discovered in one particular alarm signalling product made by CSL Dualcom – the CS2300-R. These are: CWE-287: Improper...
Questions for CSL Dualcom
When CSL made their statement last Friday, it was noticeable that they didn’t actually claim that any of my report was false. To me, that implies that the content of the report is true. CSL should be...
Multiple serious vulnerabilities in RSI Videofied’s alarm protocol
RSI Videofied are a French company that produce a series of alarm panels that are fairly unique in the market. They are designed to be battery powered and send videos from the detectors if the alarm is...