Paradox alarm with IP150 interface integration

Hi,

I’ve moved into a house with a Paradox MG5050 panel and brought my Vera with me. It would be great to integrate the panel, as the motion sensors are all over already. I bought the IP150 for the Paradox, since the PRT3 is not an option on this panel. So obviously I’d like to tie the 2 together.

I know that supposedly the IP150 hasn’t been cracked for integrating with, but I have bought an app for iOS called House Alarm which acts in the same way as the iParadox app. The panel sees it as Winload, the programming software, so it seems the guy has either reverse engineered the protocol or got hold of the protocol from Paradox.

The IP150 can also be run without SSL, so it should be able to be read, and it also has a HTML interface, which could be scraped.

So, anyone willing to help create a plugin for the IP150?

Hi,

Perhaps someone could help me decipher the protocol using wireshark?

The API is available, but only under NDA to Paradox. That was when I stopped reading anything about going that route…

Would that mean that any plugin wouldn’t be able to be shared with Vera community? i.e. the info would need to be obfuscated or encrypted?

So I spoke to the fellow who developed the other iOS app for Paradox and he said he reverse engineered the protocol. So I’ve done a little digging.

First, when you load the webpage from the IP150, the status area loads a table in the header that defines the partitions and names of each zone. e.g.

tbl_areanam = new Array("Area 1","Area 2");
tbl_zone = new Array(1,"Garage PIR",1,"Lounge PIR",1,"arm disarm p1",1,"arm disarm p1",2,"arm /disarm",1,"2nd Bedroom PIR",1,"Main Bedroom PIR",2,"garage flat",1,"TV room upstairs",2,"flat lounge",1,"Passage PIR",1,"Office PIR",2,"Panics",0," ",2,"room flat",1,"Front Door Beam",1,"Side Beam",2,"Flat Entry Beam",0," ",0," ",0," ",0," ",0," ",0," ",0," ",0," ",0," ",0," ",0," ",0," ",0," ",0," ");

So 1,“Garage PIR” = Partition 1, first zone is Garage PIR. The table allows for 32 zones.

Second, the system uses AJAX to request the status every second, and gets a page back with each zones status. e.g.

tbl_statuszone = new Array(0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);

So in this example, all zones are closed except for zone 2. Again, all 32 zones are accounted for.

So, other than handling login, it should be super easy to get the status of zones on a Paradox using the IP150. Any one want to guide me through putting this in a plugin?

I’ve been attempting the same reverse engineering on and off for a while now. Today I actually sat down to see what I could figure out.

When you reach the login_page.html for the module, the one thing to note is that there is a ses value generated and returned to the page. You need this, and this is the only location I’ve found where you get a new one.

You can get a few javascript files that have most of the useful funtions. commun.js and agaxRequest.js.

I’ve also been capturing packets from the aforementioned ipad app. There are multiple html pages that the ip150 feeds up, but the only other one that seems to provide the status of the system is statuslive.html. It’s also the page that you send request to for arming/disarming etc.

I’m going to be trying to do some work to see if I can get a .Net module working. Personally I will be working on a smartthings app, but this is the only place I’ve come across others attempting or at least wanting to do something with the ip150.

Aah, good to find a fellow IP150 hacker. :wink:

I don’t really have any programming skills, just good at copying and pasting etc. I fear I might need to try and access everything with some kind of in-between app which can then feed Vera info. I am also busy setting up Openhab, so maybe a feeder app might be best so it can be applied to multiple software/hubs.

I have noticed that the subsequent page seems to have a random code attached to the url, so perhaps this could be included in a html get command? If I am logged into the unit, I am able to request status live.html from another tab, and I get it back. Obviously nothing to see in the browser, but all the info is in the source.

Yes, some sort of in between module/web service will be needed to keep things simple. For now though I’m just working on trying to get something working in .net code.

Here’s what I’ve figured out today…

I can request the login_page.html and parse the session value it provides. Using this I can compute the two hashes required to “login”. The first is a standard md5 against your password with the session value appended to the end. The second is a slightly custom rc4 hash of the panel code. This is considered the “username”. I’ve tested and verified that the functions I’ve created in .net match and provide the same results as the javascript code.

Now, the next part is where things are going to get difficult. The next call needs to be to the default.html page, passing the two hashes generates (this is the u= & p= you see in the url). The problem
I have now is that this requires javascript to be run, otherwise the page returns an error. Thus, calling the page from code with standard WebClient doesn’t work.

The only option I know of here (and currently trying) is using PhantomJS headless browser via selenium. This obviously complicates things. I’m assuming that the developer of the ios app is just using safari classes in the background to do the requests.

If this works, I should be able to get the information about the alarm (zones etc). My current assumption is that this then logs you into the alarm webserver and allows other pages to be called. I’ve not found any “cookies” that would make me think otherwise.

Following that page, you need to request waitlive.html, not sure why yet or what it does. After it’s been called just repeat calls to statuslive.html.

Of coarse these require parsing to obtain the information we need. But that’s the easy part.

For arming/disarming etc, it’s simply a call to statuslive.html passing additional parameters. I’ve not played with that yet.

Anyway, that’s as much as I have figured out right now. Hopefully this phantomjs will work, otherwise it’s going to get even more painful to do I think.

Wow, good progress.

I see the DSC alarm also has an IP interface with access codes. I wonder if that code might help us figure out this one, it is in Java though. Here is a link to the Openhab connector and here is the Vera one.

Well, good news is I’ve managed to be able to control the alarm via code. It’s just basic testing right now, but I can also pull all information about zones etc (just need to write parsing functions). This information can then be presented however necessary.

Here’s the other info (good or bad depending on how you look at it). The only way (I’m able) to do this is via the selenium webdriver using phantomJS headless browser. This means though it could be controlled via several languages with similar code. java, c#, php. I’m using c#. It also means that it will only run on an os that can run phantomJS. But, windows,mac osX, linux are all options. I’d like to see if I can run it on a rpi. Using this approach is actually pretty easy, just I always dislike having to use major external options like this - but if it works it works.

The other thing to note is that it does require “state” to be active and available. As a result, creating something clean like a restful api isn’t really possible unless you want to connect/disconnect for every api call. For arming etc this might be ok, but it wouldn’t be feasible to keep live status.

So, I’m thinking that some sort of long running process (daemon or windows service) would need to be running all the time to push status changes to either the vera or other. I’ve been working with servicestack as of late, and might possibly try combining the two approaches. If I create a servicestack self contained service that also serves up a restful api, I could possibly keep state of the alarm connection within. Anyway, many options exist there I think.

Long story short, I’m happy to say this is big enough progress to know it’s going to be possible to have a way to control the alarm and get it’s status.

Hopefully I have time over the weekend to get some more useful things done. I will keep you updated.

That is awesome!

I did a little research and it seems phantomJS should run an rPI, but may take a looong while to compile. But the guy has got a binary available. I believe Paradox does have an API, but it required an NDA, but then there should actually be some hooks somewhere. I’ve been searching for the firmware to perhaps decompile to try find what the API calls might be.

Hmm, my last post the other day doesn’t exist.

Anyway, I have a version of the firmware here somewhere if you want. It’s a PUF file. 1.23.001 I think is the version. A bit older than the version I’m running. I’m not able to try and sniff anything out as the “official” alarm app won’t work with my version of the evo, which is rather stupid. I would suspect that using either jMeter or wireshare you could sniff out the endpoints it’s reaching for the official api. That would make things a hell of a lot better.

That being said, I’ve made good progress this weekend in my limited time. I can fully control the system as well as get all information about state/status. That being said, it’s difficult to fully test what the values represent - I don’t want to go setting off my system all day while testing. The neighbors would not be happy. I think I’ve managed to get a lot from the javascript though - just not fully tested.

The one thing I’m trying to find the best approach for is constant polling of status. My want/need for this is to be able to generate real-time door open/close events and motion sensor events that can be passed on to another application.

The other cool thing I’ve put together is a simple “push notification” model. I’ve got a very simple tcp listener setup that’s acting as a smtp endpoint. THus, if you setup the ipmodule to send emails via this listener (on same local network) I can get notifications of alarms and troubles without being logged in to the system. I then parse the emails and send events with their results. Simple but effective.

I can sniff if you’d like, I’ve got Wireshark ready. I’ve used the official app, the web interface and [url=http://www.housealarm.io]House Alarm[/].

On House Alarm, i’ve noticed that unit thinks it is being logged into with Winload, the programming software, and it does monitor zones, so you can watch if a zone gets tripped or not. It also provides Push notifications, using the email function, but that is full iOS notifications.

I’m also looking for the real time status, as I want that to be a motion detector for Vera, so hopefully monitor presence with it. I’m sure OpenHAB would be able to tie into it. I’ll try do some sniffing and see what I can find.

I’ve attached the firmware file. Just remove the .txt

Yeah, I have the house alarm app and used jmeter to sniff around what it was doing. I think it’s basically doing what I’m doing - but probably using a hidden web window behind the app. The way they do push is where I got the idea for the same but via local setup. You do get status updates on zones, but only if the app is open and running. It logs out of the site when you close the app.

If you can run the official Paradox alarm app on ios device and track it’s traffic that would be super helpful. Might be able to get some api calls that we could use. I’ve only had luck using jmeter for recording data from my ipad. I’ve not bother to setup a dev environment for it to trace it with other methods.

Ok, I’ve done a quick capture, file is attached, (remove .txt). It seems Paradox has crippled the lite version since I last used it, you can’t arm/disarm/bypass now without upgrading. I used to Arm with it.

Anyway, the capture should show log in, and viewing live zone information at least.

Ok great. I’ll see if I can figure anything out. Been a while since I’ve really dug into a pcap trace. :S

Well, unfortunately I wasn’t able to get enough useful information from that trace. It doesn’t seem to include any of the url endpoints it (should) be hitting. I’m not terribly great at deciphering network packets either. Any chance you know how to use jmeter recording functionality? I know for certain it captures url endpoints in a much easier format.

Progress update…

I now have a self-hosted restful API that runs as a windows service. (although so far only tested as a console application). I use servicestack, selenium webdriver and phantomJS to basically connected to and query the IP150 self-hosted web portal for the alarm.

I only have a few simple things hooked up right now.

  • login to the alarm web portal. This keeps an open connection as long as the service is running or you hit the logout.html page manually in a browser
  • fetch your current alarm information and attempt to parse into Device objects
  • manually call status updates
  • start a threaded loop asking for status updates every 1.5 seconds. These updates produce two events. First a general update event with all the information contained in the status page, second I produce individual device events where the current status differs from the previous.
  • ability to shutdown and stop the process.

It’s far from perfect and still a lot needs to be done. Events for troubles and alarms, connecting up webhooks to the events etc. Also want to work on simple push notifications (same updates you can get via emails from the web portal) so that you don’t have to always have the system “logged in” if you use the phone app or otherwise.

If you’re interested in testing out a compiled console app version PM me and i’ll let you know how to test it.

Hi guys, I’m trying to write a plugin for the HomeSeer HA platform and have been watching this thread with interest. If I look at the iParadox app, I get some other useful information like troubles and most importantly the ability to bypass zones (something that the web interface does not support - which is bizarre). I can’t believe the iParadox app is using Safari in the background is it? There must be a more elegant API than that (how does BabyWar for WinLoad communicate for instance?).

Are we really reduced to the overly complex reliance on a JS-running headless web browser to make this work?

@beerygaz Well, unless we can reverse engineer the API via the “software port” then yes we are reduced to this method. The iParadox app isn’t using safari in the background, it’s using the official API. However, no one has yet fessed up to being able to use it. There is an NDA required. I’ve even tried legitimately to get access with no luck.

I’m limited in what I can figure out at this point due to my system not being supported with the official app. I’m guessing due to low level calls that can be made via API vs the web interface. The second I can get API info I’d switch to using it. Until then, this is what I have got working.