EEVblog Electronics Community Forum

Electronics => Projects, Designs, and Technical Stuff => Topic started by: evzone on October 01, 2019, 08:47:36 pm

Title: Checksum calculation for an old alarm intrusion panel
Post by: evzone on October 01, 2019, 08:47:36 pm
I am in the process of decoding the serial communication protocol of an old alarm intrusion panel in order to interface it with an IoT device (ESP8266 based) over an IP network. Although I managed to find a couple of functions and commands I cannot understand how the checksum is calculated at the end of the frame. The main issue I see is that the checksum remains the same even though some of the bytes are different in two sequential frames. It looks really hard to identify any pattern.

For those who are interested in decoding or have any experience with this topic, here is a bunch of frames. The bytes are in hex and the last byte of each frame is the checksum.

If needed I can provide more frames and information about them. Thanks in advance for any tips...

Code:
01 68 00 00 00 00 00 00 00 00 71                   .h........q
01 68 01 00 00 00 00 00 00 00 71                   .h........q
01 68 02 00 00 00 00 00 00 00 72                   .h........r
01 68 03 00 00 00 00 00 00 00 74                   .h........t
01 68 04 00 00 00 00 00 00 00 74                   .h........t
01 68 05 00 00 00 00 00 00 00 76                   .h........v
01 68 06 00 00 00 00 00 00 00 77                   .h........w
01 68 07 00 00 00 00 00 00 00 77                   .h........w
01 68 08 00 00 00 00 00 00 00 78                   .h........x
01 68 09 00 00 00 00 00 00 00 7A                   .h........z
01 68 08 08 00 00 00 00 00 00 7F                   .h.........
01 68 10 00 00 00 00 00 00 00 80                   .h........€
01 68 08 09 00 00 00 00 00 00 81                   .h.........
01 68 11 00 00 00 00 00 00 00 82                   .h........‚
01 68 09 09 00 00 00 00 00 00 83                   .h........ƒ
01 68 12 00 00 00 00 00 00 00 83                   .h........ƒ
01 68 13 00 00 00 00 00 00 00 83                   .h........ƒ
01 68 14 00 00 00 00 00 00 00 85                   .h........…
01 68 15 00 00 00 00 00 00 00 85                   .h........…
01 68 16 00 00 00 00 00 00 00 86                   .h........†
01 68 17 00 00 00 00 00 00 00 88                   .h........ˆ
01 68 18 00 00 00 00 00 00 00 89                   .h........‰
01 68 19 00 00 00 00 00 00 00 89                   .h........‰
Title: Re: Checksum calculation for an old alarm intrusion panel
Post by: teksturi on October 02, 2019, 05:01:34 am
I checked this a little bit, but couldn't find anything. If you have more frames, that would of course help, because there is not that much data yet. How can you be sure that these frames are correct? Do you test randomly or do you monitor data? Also, it would be awesome if you took some known frame and tested it with every checksum. Sometimes the algorithm can mean that there is not only one correct checksum.

Also, sometimes it is not relevant that you even know how to calculate the checksum. If you know every command that you want to use, and if there is a value that can be changed, you just brute force those and be happy. Of course it would be fun to know how these are calculated.

Edit: It would also be awesome if you told us what you are hacking :P If someone else is then thinking the same, they can find this thread with Google.
Title: Re: Checksum calculation for an old alarm intrusion panel
Post by: ledtester on October 02, 2019, 05:16:36 am
Can you tell when you've got the wrong checksum? That is, does the system respond differently when the correct checksum is present vs when it isn't?
Title: Re: Checksum calculation for an old alarm intrusion panel
Post by: evzone on October 02, 2019, 04:56:29 pm
Good to see some replies, thank you!  :-+

Some background information about the communication protocol decoding:

Below there are some more frames captured. TX is ALINK and RX is CC408. The frames starting with 04 68 report the zones status and the time just before the checksum.

Code:
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 32 bb             .h`........2.
TX  0e 08 00 00 00 00 00 00 00 00 1e                   ...........
RX  08 68 00 13 45 8e 32 00 00 00 8d                   .h..E.2....
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 32 bb             .h`........2.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 32 bb             .h`........2.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 32 bb             .h`........2.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 32 bb             .h`........2.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 32 bb             .h`........2.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  0e 08 00 00 00 00 00 00 00 00 1e                   ...........
RX  08 68 00 13 45 8e 33 00 00 00 8f                   .h..E.3....
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 33 bd             .h`........3.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  0e 08 00 00 00 00 00 00 00 00 1e                   ...........
RX  08 68 00 13 45 8e 34 00 00 00 8f                   .h..E.4....
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  0c 1b 00 00 00 00 00 00 00 01 31                   ..........1
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  0c 1b 00 00 00 00 00 00 00 01 31                   ..........1
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  0c 07 00 00 00 00 00 00 00 01 1c                   ...........
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 00 00 00 00 00 14 34 bd             .h`........4.
TX  0c 1b 00 00 00 00 00 00 00 01 31                   ..........1
RX  04 68 60 a0 00 40 00 00 00 00 14 34 fc             .h`..@.....4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 34 fc             .h`..@.....4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 34 fc             .h`..@.....4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 34 fc             .h`..@.....4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 34 fc             .h`..@.....4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 34 fc             .h`..@.....4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 34 fc             .h`..@.....4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 34 fc             .h`..@.....4.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  0c 1a 00 00 00 00 00 00 00 01 2f                   ........../
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  0e 08 00 00 00 00 00 00 00 00 1e                   ...........
RX  08 68 00 13 45 8e 35 00 00 00 91                   .h..E.5....
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 35 fe             .h`..@.....5.
TX  0e 08 00 00 00 00 00 00 00 00 1e                   ...........
RX  08 68 00 13 45 8e 35 00 00 00 91                   .h..E.5....
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 36 ff             .h`..@.....6.
TX  01 00 10 00 60 51 00 00 00 00 c9                   ....`Q.....
RX  04 68 60 a0 00 40 00 00 00 00 14 36 ff             .h`..@.....6.
Title: Re: Checksum calculation for an old alarm intrusion panel
Post by: evzone on March 15, 2022, 09:57:31 pm
Bringing this topic up again for any brilliant mind to find out the checksum algorithm.
Title: Re: Checksum calculation for an old alarm intrusion panel
Post by: free_electron on March 15, 2022, 10:48:48 pm
show the data in binary. count zeroes. count using an 8 bit integer or a 16 bit integer and see what you get. it's not the actual value but the number of bits that are zero in the value

0 = 0000_0000 -> 8
1 = 0000_0001 -> 7
2 = 0000_0010 -> 7
3 = 0000_0011 -> 6
4 = 0000_0100 -> 7

that's why you see clusters of repeating checksums even though the actual data is only one decimal or hexadecimal value different.

you have to search along those lines.
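
Added example, not part of any post in this thread: a small harness that scores candidate checksum algorithms against frames copied from the captures posted above. All candidates are hypotheses; the "even-parity bytes" variant (8-bit sum plus one for every byte with an even number of set bits) is an assumption tested here along the bit-counting lines suggested above, not something the thread confirms.

```python
from functools import reduce

# Frames copied from the captures posted in this thread; last byte is the checksum.
FRAMES = """
01 68 00 00 00 00 00 00 00 00 71
01 68 03 00 00 00 00 00 00 00 74
01 68 08 09 00 00 00 00 00 00 81
01 68 13 00 00 00 00 00 00 00 83
01 00 10 00 60 51 00 00 00 00 c9
04 68 60 a0 00 00 00 00 00 00 14 32 bb
04 68 60 a0 00 00 00 00 00 00 14 33 bd
04 68 60 a0 00 40 00 00 00 00 14 36 ff
08 68 00 13 45 8e 35 00 00 00 91
0c 1b 00 00 00 00 00 00 00 01 31
"""

def parse(text):
    """Split each hex line into (payload bytes, checksum byte)."""
    frames = [bytes.fromhex(line) for line in text.strip().splitlines()]
    return [(f[:-1], f[-1]) for f in frames]

def ones(b):
    """Number of set bits in one byte."""
    return bin(b).count("1")

# Candidate algorithms (all hypotheses, none confirmed by the thread).
CANDIDATES = {
    "sum8": lambda p: sum(p) & 0xFF,
    "xor8": lambda p: reduce(lambda a, b: a ^ b, p, 0),
    # Literal reading of the zero-counting hint: add every zero bit to the sum.
    "sum8 + zero bits": lambda p: (sum(p) + sum(8 - ones(b) for b in p)) & 0xFF,
    # Variant: add 1 for each byte whose count of set bits is even.
    "sum8 + even-parity bytes":
        lambda p: (sum(p) + sum(ones(b) % 2 == 0 for b in p)) & 0xFF,
}

def score(frames):
    """Count how many frames each candidate reproduces."""
    return {n: sum(f(p) == c for p, c in frames) for n, f in CANDIDATES.items()}

def build(payload):
    """Append the checksum from the best-fitting candidate to a payload."""
    return bytes(payload) + bytes([CANDIDATES["sum8 + even-parity bytes"](payload)])

if __name__ == "__main__":
    frames = parse(FRAMES)
    for name, hits in score(frames).items():
        print(f"{name:26} {hits}/{len(frames)}")
```

On these ten frames only the last candidate reproduces every checksum. A checksum of this kind catches line noise only and does not authenticate the sender, so an IP bridge placed in front of the panel needs its own access control.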
Title: Re: Checksum calculation for an old alarm intrusion panel
Post by: evzone on March 24, 2022, 05:03:11 am
Thanks for your direction, I will give it a try   ;)