Topic: How to Recover the Dealer & Installer Codes from a GE Interlogix Concord 4 Alarm

Offline latentsemantics

  • Newbie
  • Posts: 2
  • Country: us
Here’s how to recover the Installer & Dealer Codes from a GE/Interlogix Concord 4 Alarm

Full system access to a Concord 4 alarm requires entering the proper security passcodes. But even if those codes are unknown, you can still retrieve them directly from the alarm itself using the method described here. All that’s required are a few inexpensive parts, a PC and the ability to upload a short Java program.

The Master, Installer and Dealer 4-digit codes for the Concord 4 are stored as pairs of 2-digit hexadecimal integers at known consecutive addresses within a 24C256L EEPROM chip. This memory chip sits in a socket located on the alarm panel circuit board where shown (1st image below). It’s easy to pull out the chip and then read the codes from it using an Arduino clone microcontroller board that runs a simple “sketch” (Java program) uploaded from a PC. And the cost is low: the Arduino software is a free download and all the microcontroller components are available on eBay for less than $10 total. Here’s everything you’ll need:

Hardware:
  • Arduino UNO R3 Compatible ATmega328P CH340 USB Microcontroller Board (these start at below $4, but pay more as needed to get a clone board that comes pre-installed with the Arduino bootloader software)
  • AT24C256 Serial I2C EEPROM Arduino Data Storage Module (complete with a memory chip for under $2)
  • 4 Male-to-Female DuPont connector wires ($1 for 40 wires)
  • USB Male-A to Male-B cable (you probably already have one of these)
Recommended tool:
  • Chip extractor tweezers ($1) (2nd image below)
Software:
  • Arduino Software (IDE) installed on a Windows PC (IDE is also offered for MacOS, Linux, Android & iOS) (free)
  • CH340G USB-to-serial chip driver (should load automatically the first time you connect the UNO R3 clone to your Windows computer, but the driver can also be downloaded and installed manually; a driver for MacOS is available as well; no driver needed for Linux) (free)
Assembling the hardware
First, remove the memory chip pre-installed on the EEPROM module (with extractor tweezers if you have them) and put it aside. Set the module device address to 50 hex by using the included jumpers to short pins A0, A1 & A2 to GND (right-most jumper positions). Write-protect the module by connecting pin WP to VCC (left-most jumper position). (This will prevent a software mistake or other glitch from accidentally overwriting the alarm memory chip.) Then connect the Uno R3 to the EEPROM board using 4 DuPont wires as follows: UNO GND -> EEPROM GND, UNO 5V -> EEPROM VCC, UNO Analog 4 -> EEPROM SDA, UNO Analog 5 -> EEPROM SCL.

Now make sure the Concord 4 panel is turned off (disconnect both AC & battery) and carefully pull the 24C256L memory chip from its socket, taking note of the chip’s orientation (half-moon indent points toward top of panel). Insert the properly-oriented chip into the socket on the EEPROM module and connect the UNO R3 to your computer with the USB A/B cable. Open the Arduino IDE on the computer and verify that it can see the attached UNO R3. I've included a photo of the hardware setup with the alarm chip seated and the computer connected (3rd image below).

Software for reading the Concord 4 EEPROM
You can find several online tutorials and videos that demonstrate how to interface the UNO R3 microcontroller to an I2C EEPROM chip. Inspired by the Java code in those demos, here’s a simple sketch for the microcontroller that reads and displays the contents of any selected memory location in the Concord 4 EEPROM:

//--------------- Begin Sketch ---------------
/*
   EEPROM I2C Byte Reader (Latent Semantics 10/16/2017)
   What it does:
   - Receives byte decimal address from Serial Monitor
   - Displays decimal address, byte hex value
   - Repeats
*/

#include <Wire.h> // for I2C access

#define ChipAddress 0x50 // EEPROM device address

String AddressString;
int ByteAddress;
byte ByteValue;

void setup()
{
  Serial.begin(9600);
  Wire.begin(); 
  Serial.println("< EEPROM I2C Byte Reader is running. >");
  Serial.println("Type decimal address in box above and press Enter or click Send...");
  Serial.println("[DEC ADR][HEX VAL]"); 
  Serial.println();
}

void loop()
{
  if (Serial.available() > 0)
  {
    AddressString = Serial.readString();
    ByteAddress = AddressString.toInt();
    // set the pointer position:
    Wire.beginTransmission(ChipAddress);
    Wire.write((int)(ByteAddress >> 8 )); // MSB
    Wire.write((int)(ByteAddress & 0xFF)); // LSB
    Wire.endTransmission();

    Serial.print(ByteAddress);
    Serial.print("        ");
    Wire.requestFrom(ChipAddress,1); // get the byte of data
    if (Wire.available())
    {
      ByteValue = Wire.read(); // assign the byte of data
      if (ByteValue < 0x10) Serial.print("0"); // keep the leading zero of a 2-digit hex value
      Serial.print(ByteValue, HEX);
    }
    else
    {
      Serial.print("read failed"); // no byte returned, so do not print a stale value
    }
    Serial.println(); // end the print line
  }
}
//--------------- End Sketch ---------------


Copy this sketch into the Arduino IDE window, compile and upload it to the UNO R3, and then open the IDE Serial Monitor window. The running sketch will first print a header in the monitor window, following which you can repeatedly type and send decimal addresses to the UNO R3 to receive and view each EEPROM byte of interest.

Viewing the passcodes
To illustrate, I show here the Serial Monitor output with the code addresses and values from my “dealer locked” Concord 4 EEPROM (4th image below). Bytes 994 & 995 are the System Master Code (“1234”, the factory default), bytes 997 & 998 are the Installer Code (“1926”) and bytes 5874 & 5875 are the Dealer Code (“2399”).

You should examine these same addresses in your own Concord 4 EEPROM chip to learn the passcodes to your system. Then unplug the UNO R3 from your PC, remove the chip and re-install it in the alarm panel. Power up the panel and use an attached alphanumeric keypad to enter the Installer/Dealer codes you just found. You’ll gain full access to system programming, including stored phone numbers, and you can of course reset all the passcodes as desired (see the Concord 4 Installation Manual for details). Now you’re in control!




« Last Edit: November 27, 2017, 03:06:03 pm by latentsemantics »
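
Added example, not part of the original post and not the poster's code: a host-side C++ check that decodes the three code pairs from a saved EEPROM image at the addresses given in the post, keeps leading zeros, and flags a System Master Code still at the factory default "1234". The image contents are constructed sample data, and treating any nibble above 9 as unreadable is an assumption (codes are taken to use decimal digits only).

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Decimal byte offsets of the first byte of each code, as given in the post.
struct CodeSlot { const char* name; uint16_t addr; };
static const CodeSlot kSlots[] = {
    {"System Master", 994}, {"Installer", 997}, {"Dealer", 5874}};

// Factory-default System Master Code named in the post.
static const char* kDefaultMaster = "1234";

// Decode two consecutive bytes into a 4-digit code, one digit per nibble,
// keeping leading zeros. Returns "" when the pair is out of range or any
// nibble is above 9 (assumption: valid codes use decimal digits only, so an
// erased 0xFF byte is reported as unreadable).
std::string decode_code(const std::vector<uint8_t>& img, uint16_t addr) {
    if (addr + 1u >= img.size()) return "";
    std::string out;
    for (unsigned i = 0; i < 2; ++i) {
        uint8_t hi = img[addr + i] >> 4, lo = img[addr + i] & 0x0F;
        if (hi > 9 || lo > 9) return "";
        out += static_cast<char>('0' + hi);
        out += static_cast<char>('0' + lo);
    }
    return out;
}

// True when the System Master Code is still the factory default.
bool master_is_default(const std::vector<uint8_t>& img) {
    return decode_code(img, kSlots[0].addr) == kDefaultMaster;
}

// Constructed sample image: 32 KiB of 0xFF holding the post's example values.
std::vector<uint8_t> sample_image() {
    std::vector<uint8_t> img(32768, 0xFF);
    img[994] = 0x12;  img[995] = 0x34;
    img[997] = 0x19;  img[998] = 0x26;
    img[5874] = 0x23; img[5875] = 0x99;
    return img;
}

int main() {
    std::vector<uint8_t> img = sample_image();
    for (const CodeSlot& s : kSlots) {
        std::string c = decode_code(img, s.addr);
        std::printf("%-13s @%5u: %s\n", s.name, (unsigned)s.addr,
                    c.empty() ? "unreadable" : c.c_str());
    }
    std::printf("master code is factory default: %s\n",
                master_is_default(img) ? "yes" : "no");
    return 0;
}
```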
 

Offline master916

  • Newbie
  • Posts: 1
  • Country: us
I was trying to see if I could find my project just like this one on Google and could only find this post here, so I re-posted it on GitHub since Pastebin doesn't seem to allow it to be searchable. I figured I would share what mine was since it adds some simple ease of use to it if you only want it for recovering codes, but could combine what you used for hardware to make it smaller and cleaner looking.

https://github.com/master916/Concord-4-code-readouts-using-Arduino/blob/master/Concord%204%20Back%20Door
 

Offline latentsemantics

  • Newbie
  • Posts: 2
  • Country: us
Thanks Master916 for posting the link to your handy Arduino sketch for recovering the passcodes from the Concord 4 EEPROM.

Coincidentally, a bit before my original post, Deron Grzetich detailed still a different technique for reading the EEPROM at the Malos Ojos Security Blog:

http://www.malos-ojos.com/?p=823

 

