Tertiush / ParadoxIP150v2

Python-based IP150 'middle-ware' that uses the IP module's software port for monitoring and control of the alarm via an MQTT Broker.
Eclipse Public License 1.0

MG5000 fw 4.76 with IP150 v 4.10 - Problem logging in #22

Open renzorlive opened 6 years ago

renzorlive commented 6 years ago

Hello Tertius, First of all, thank you for your work and developing this software. After managing to configure the MQTT server this is what I am getting when trying to connect to my control panel.

```
2017-10-01 02:09:53,599 INFO logging complete
2017-10-01 02:09:53,601 ERROR test
2017-10-01 02:09:53,607 INFO Setting loglevel to debug
2017-10-01 02:09:53,618 DEBUG Logging Set to debug
2017-10-01 02:09:53,627 INFO logging set to debug
2017-10-01 02:09:53,635 INFO config.ini file read successfully: 2
2017-10-01 02:09:53,644 INFO State01:Attempting connection to MQTT Broker: 127.0.0.1:1883
2017-10-01 02:09:53,658 INFO Connected to MQTT broker with result code 0
2017-10-01 02:09:53,658 INFO State01:MQTT client subscribed to control messages on topic: Paradox/C/#
2017-10-01 02:09:53,674 INFO State02:Connecting to IP Module
2017-10-01 02:09:53,684 INFO Connecting to 192.168.1.19
2017-10-01 02:09:53,697 INFO Logging into alarm system...
2017-10-01 02:09:53,736 DEBUG 32->   0xaa 0x8 0x0 0x3 0x8 0xf0 0x0 0xa 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0x70 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee
2017-10-01 02:09:55,993 ERROR State02:Error attempting connection to IP module (3): string index out of range
```

rogercrespo commented 4 years ago

So I have:

Nothing happens in CMD; in the txt file I only get START. After a while I get an error:

[screenshot of the error]

Any idea what might be causing this?

clau-bucur commented 4 years ago

I've managed to downgrade to 1.32 and now I can't access it in iParadox, and I get "Unknown result code" upon connection (Babyware works). Does anyone have any clues? Could it be that 1.32 is not compatible with the latest iParadox?

clau-bucur commented 4 years ago

> So I have:
>
> * disable firewall in computer and router
> * redirect domains upgrade.insightgoldatpmh.com and upgr.insightgoldatpmh.com to my computer IP
> * login to IP150 and perform (...)reset.html
> * execute CMD in admin mode with command: TVPfwd.exe 192.168.0.129 10000 3.95.136.210 10000 IP150_V1_32_001_ENG_downgrade_from_v4.xx.PuF
> * execute in-field version 5.0.11 and use Internet tab and connect with success and start transfer
>
> ....... Any idea what might be causing this?

Mine worked, with 4.40.004 and the latest (4.42.002 it was, I think). I forwarded these domains: upgrade.insightgoldatpmh.com, upgr.insightgoldatpmh.com, softwareupdate.paradox.com, insightgoldatpmh.com, dp-gw-na.amazon.com, paradox.com

Then I powered on the IP150 while holding the reset button pressed, until IO2 started to blink. Actually I followed the instructions here: https://github.com/Tertiush/ParadoxIP150v2/issues/22#issuecomment-412213729

russianro commented 4 years ago

Quick one... I tried to upgrade to the last version as I have a Swan fee, but ended up with an error as I didn't have the forwarding correctly configured.... Now the IP150 module is not working anymore... ping responsive with no port opened, unknown version as firmware and IO2 blinking always... any help that might help. Bootloader Ver 2.13.001... tried all versions with InField but without any success. Thanks, A

clau-bucur commented 4 years ago

@nezmogus

> If anybody is interested in a more detailed firmware file structure or communication protocol with the Paradox upgrade server, let me know. I will write what I know.

Hi! Nice job on the firmware, I successfully could downgrade the IP150 from 4.4 to 1.39. I'd like to make a tool with more features, to make other versions able to run on new IP150 modules. Please share with me how you decrypted and then rebuilt the PUF file; I'd make a tool that will do that automatically with all versions. Thank you!

@resetcoder can you please share the 1.39 PUF you downgraded with? I tried to make my own PUF based on @nezmogus's instructions from here, but it won't work. It loads all the 448 packets but then restarts and tries to upgrade again...

rjuch commented 4 years ago

Hi Guys & @nezmogus

Can someone confirm if we no longer have to downgrade the IP150 for ParadoxIP150v2 to work. Does v4.4 work?

Struggling to connect to my IP150 from the InField software; I don't know what my PanelID is supposed to be or where I find this?

[screenshot]

bgbaker commented 4 years ago

> Hi Guys & @nezmogus
>
> Can someone confirm if we no longer have to downgrade the IP150 for ParadoxIP150v2 to work. Does v4.4 work?
>
> Struggling to connect to my IP150 from the InField software; I don't know what my PanelID is supposed to be or where I find this?

I could connect by leaving the Panel ID blank

bgbaker commented 4 years ago

Hi everyone

I hope nobody minds me posting this here. Not sure where else would be of assistance. I was using Tertius's code with Home Assistant but was lacking some features like bypassing zones etc. when the iParadox app stopped working. I decided to upgrade the firmware on my IP150 so that I could use the Swan/Insite Gold setup. I was over-eager and impatient and used the InField software to go to v4.40 from v1.26 with bootloader 2.12 (over IP). The whole process ran fine until it got to the "Initiate" phase where it says it timed out. I thought this might be expected, but since then there is no IP connectivity - not even ping. The status on the device is flashing "Link" as if it is connected but no "Internet". I then read that there was some different process to go to 4.40 with the 2.12 boot loader. Have I bricked this thing? Anybody have any ideas? Maybe USB to serial interface flashing? Really hoping there is some kind of solution.

nezmogus commented 4 years ago

IMPORTANT: before downgrading, set the IP150 network configuration to DHCP! When IP settings are left incorrect, the IP150 cannot connect to Paradox's recovery server and stays bricked if the downgrade process fails. How I know: if the IP150 is bricked, you cannot change IP settings anymore.

I can't comment anything about downgrade process from v4.4 and above, because i don't have spare IP150 to play with. Sorry

yusufk commented 4 years ago

I accidentally upgraded as well. Version 4.42 allows local connectivity, but something has changed with login. There is no longer a username, so the login fails. Uses the same user panel code though. Any idea what needs to be changed to fix login?

yusufk commented 4 years ago

Found this: https://github.com/ParadoxAlarmInterface/pai/wiki And it works like a charm!

FigJam23 commented 4 years ago

Does this downgrade still work or is there an updated way? I've been trying to do it via my ddwrt router but have had no luck. As it's quite an old thread I was hoping there's another way to downgrade. Like many I made the mistake of upgrading to version 4.0 and now I can't even upgrade as it spits errors and reverts back to version 4.0. The website upgrade.insightgoldatpmh.com returns failed results if pasted into a browser, as if it's a dead link. Has that link been updated or changed? Please help as this is driving me nuts 😂

tekand commented 3 years ago

Does anybody know any source for 150S? Or for a v4 150? Seems like everybody moved on to 150+. :(

yozik04 commented 3 years ago

> Does anybody know any source for 150S? Or for a v4 150? Seems like everybody moved on to 150+. :(

Let it auto upgrade

tekand commented 3 years ago

Hi @yozik04, I was given to understand based on this thread that local management only works up to 4.40 (but best with 1.x, which comes with model 150S). Sadly the ones I found online for purchase were only the 150+ model with firmware v5. As far as I know they removed the local web interface from the 150+ and it is only usable with SWAN. I prefer not to expose my alarm system to the internet, but would like to connect it to my local Home Assistant. Do I understand it correctly? I have very limited knowledge on the topic.

yozik04 commented 3 years ago

v5 works perfectly fine for people. All versions above 4.40+ including 5.x allow local connection.

plouis7 commented 3 years ago

^^ v4xx (don't know about 5.x) doesn't allow the IP150 default password to be changed. The latest InsiteGold allows remote static IP connection. Tested with the module downgraded here some time ago. But I had to default the module's password to "paradox"... so that InsiteGold could log in. So... if you want to access the module from the WAN... the pass is... only 4 numbers, 9999 combinations... because "paradox" is fixed.

I don't know exactly how it works... I assume that PAI and ParadoxIP150v2 require additional hardware inside the LAN to run... I use Alarmin.

However, last night I performed a downgrade on an IP150 module with factory fw 4.42, boot 2.14 (Nov 2019). In a previous downgrade done some time ago I used a ddwrt router to do the DNS IP redirect. Today that router is inside a box (changed provider), so I performed the other method:

- changed the DNS entry in the router's DHCP server to point to a static IP... a LAN Windows PC; perhaps it is possible to do this only for the IP150 inside the DHCP settings page.
- installed Dual DHCP DNS Server on that desktop PC... and made the DualServer.ini:

  ```
  [SERVICES]
  DNS
  [LISTEN_ON]
  192.168.1.2
  [DNS_ALLOWED_HOSTS]
  192.168.1.1-192.168.255.254
  [DNS_HOSTS]
  upgrade.insightgoldatpmh.com=192.168.1.2
  ;upgr.insightgoldatpmh.com=192.168.1.2
  [FORWARDING_SERVERS]
  192.168.1.1
  ```

- ping the Paradox upgrade server upgrade.insightgoldatpmh.com to see if it redirects to the LAN (IP changed to LAN); this could require a router restart, PC restart etc.
- start the proxy server provided by nezmogus... following his instructions;
- perform a firmware reset with a needle inside the pinhole, 5s + a final push (Alarmin configures the PUSH service... and I experienced nasty calls to SMTP during a firmware downgrade... when I forgot to do the reset); for this to work... you must first disconnect the module from the router;
- start the upgrade process with InField... select any firmware there... it doesn't matter which... it only matters that the process starts, then watch the TVPfwd console to see if it works.
- here I encountered a (the) problem; the process stopped after receiving a few/more than a few packets; if you unplug the IP module's serial cable... and plug it in again... the process will resume... from packet 1... as you can see in the console.
- I succeeded after 20-30 retries... (plug-unplug serial cable)... of which only 2 times the module finished receiving the whole payload; why it does that... I couldn't find out; had the same issues with the previously downgraded module; perhaps it's a communication problem... related to the transfer speed... baud rates etc.
- once during these operations I restored the DNS inside the router... and let the module access its upgrade server; a few minutes later the module was functional with a 4.40 version (not factory 4.42); so keep in mind that the module upgrades itself... without the need of InField. InField is needed only to start the procedure... and force the module to upgrade.
- at the end I did a reset and the firmware "glued". A strange thing is that it doesn't appear anymore when searching with ParadoxIP_Locate V1.6, so... it's missing something.
- also a strange thing is that InField (latest... UPX-ed), after the downgrade... doesn't show that firmware selection box prefilled with some fw names without the button to perform a search. So I assume the controls (that button... the label with the firmware's "what's new") are shown or hidden depending on the firmware the IP150 has, when selecting it in that listbox.

I'm curious what's new in 5.x fw.

Oh... Alarmin didn't work fine with 4.42 fw. It could log in... retrieve info... but refuses to communicate... arm etc. That's why I did the downgrade.

Later edit: if the IP module requests the server to upgrade and shows a lower boot version, i.e. 2.12..2.13... then the server builds a firmware called IP150_BU_2_14.PUF. I believe that it's a fw file which also contains the boot sector to be updated to 1.14. Then we can compare with the latest fw made by the server for the latest boot version 2.14 -> IP150_LATEST.PUF (this doesn't update the boot since it's up to date) and see where the boot region lies inside the puf file. Then search old firmware for that region where old boots (i.e. 2.12) may lie. For a boot downgrade I believe that we need a puf file which also contains the boot sector. The puf used to downgrade in this thread surely doesn't contain the boot files... but we may try the others :)

Take a look here... pufs to update the boot loader... where to find them for downgrade, but why downgrade? :) IP150_v4.1_Upgrade_Procedure-1.pdf

Later edit 2: tried to downgrade/upgrade the downgraded version... with different versions of InField... none worked but the last version 5.2.3... it let me do a downgrade to 1.2 firmware (a puf selected at random by me). At restart, guess what... I didn't unplug the net to do a reset myself... and the bootloader updated to the latest fw :) Now the same InField which had the Find button... looks like this:

[screenshot]

I'll try to downgrade again tomorrow... to see if it works from this version. Later edit: yeah, it worked. One cause of these errors could be a bad serial connection header... the little one which enters the IP150. Tried to unplug it and the wires came out without the header. Clamped the pins a little... inserted it back and things changed for the better (connection not dying after a few packets... but not working 100% either)... managed to finish the "upgrade". [screenshot] So downgraded from the last fw 5.2 w/ bl 2.14. I would have tried other lower versions but someone didn't share the decrypt/encrypt code... and I won't bother finding it... perhaps in hextopuf or whatever it is called. Didn't test the advice of inserting the last 48-byte footer from higher fws... that's where the fw version field is...

plouis7 commented 3 years ago

Hmm... discovered that Alarmin (IP150 downgraded to 1.32) doesn't work with PGMs... while InsiteGold does.

The latest IP150 fw 5.2:

> The new firmware 5.2.19 comes with the following features and improvements:
> - Fixes unsuccessful internet ping generating "IP No Service" trouble
> - Implemented module reboot if Swan polling/internet ping/reporting/DHCP lease fail twice (within approximately 15 minutes)

IP150 v5.2.19 Upgrading Procedure.pdf

I made an IP150 fw decryptor.

plouis7 commented 3 years ago

If you want to downgrade to other versions than the 1.32 which nezmogus prepared, use this: pufc.zip to make a file supported by TVPfwd.exe. It won't downgrade the bootloader, but keep in mind that you have to choose a good fw... by looking at it (decrypt) and seeing that it's in fact fw, not bootloader, as you may see below.

[screenshot]

If we look at IP150 v5.2.19.zip we see that most of the file is empty... but about 4k of it is... Intel HEX file format:

```
:020000040800F2
:100000004822002079E80008E9E5000845E80008F2
:10001000EDE50008EFE50008F1E50008000000004C
:10002000000000000000000000000000F3E50008F0
:10003000F5E5000800000000F7E50008F9E5000814
:1000400069E9000
```

So I assume that it's a boot loader update; even the description says that the update has only a few minor features... which could be (in my opinion) only inside the bootloader... the reset stuff should be coded inside the bootloader. The file version inside the .puf is 4.0.20... which doesn't match the description.

Dumped the BL as an Intel HEX file (the latest, as in the firmware above) and loaded it inside hextopuf. If I select IP150... the structure base is at 0x807FFE0; if I change to "IP150 v3.2 and later", so that's the time with bootloaders > 2.12... the structure base is located at 0x807FFD0. "Located" by the hextopuf programmer to serve the new bootloader's desire. The structure base is a 16-byte structure... just before FOOTER.

```
struct FWBase {
    BYTE  btDevId;
    BYTE  btFamId;
    BYTE  btProdId;
    BYTE  btVerMaj;
    BYTE  btVerMin;
    BYTE  btBuild;
    DWORD dwFwStart; // application start address; here the firmware is mapped, 0x70000 bytes long
    DWORD dwFwEnd;   // end address
    WORD  w??;
};
```

I believe this struct is essential and tells the bootloader where to write the firmware; starting with bootloader 2.13... the position in the .puf file (as seen in hextopuf) has changed to 16 bytes above the first one, so that the old firmwares won't be seen as good by the new bootloader. In fact hextopuf (a utility inside the latest Babyware installation) populates its internals during hex file loading... it searches for the base address... the FWBase struct. The problem with the bootloader loaded in hextopuf is that no .hex bytes map inside the start-end address range (0x08010000-0x0807FFFF)... except the struct base bytes... start & stop markers... so it produces a blank .puf file. Looking inside the .hex file (Notepad++ opens it well) we see that the bootloader maps at other addresses... 0x08000000... so that's why we can't have a standard puf... and the Cortex-M4 will load the bootloader as a hex file. upgrade.insight$oldatpmh.com sends this file to the IP module :) ... the... EIP equivalent, where the program starts... for this bootloader it's :040000050800E90DF9 (before the last line in the file). If we convert the .hex to bin (http://hex2bin.sourceforge.net/)... we can look at what's inside the bootloader... //HEADER_ETHBOOT ... FOOTER_ETHBOOT// and those 2 domains "upgrade." and "upgr." @ insight$oldatpmh.com, the bootloader version at 0x3c04... aka 2.14, and something which looks like a date, 4/06/2018. BootLoaderIP150_2.14.zip

nice hex viewer

Bootloaders after (?) 2.13 automatically repair the firmware by downloading a new one. Who wants to do tests for downgrading the bootloader knowing that in case of mistakes... no one will repair the module? :)

Later edit: I didn't find any fw file containing bootloaders lower than 2.14. For 2.12 we need to dump it from EEPROM I guess... from a module with bootloader 2.12. For that, a program which connects to the IP module and issues an EEPROM read must be written. But why? :) What's the benefit...? We lose instant recovery in case of firmware crash. Then we can change old fws but only between 1.x, directly from InField.

Look, I forgot to test if fw > 4.x kept the change password.html page for web access. They offer WAN static IP connect from the latest InsiteGold but no module password entry/change... wtf!
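The FWBase descriptor plouis7 describes in the comment above, worked through as an added example (written for this note; not code from ParadoxIP150v2, hextopuf, pufc or any Paradox tool). It parses the 16-byte structure at both candidate addresses (0x0807FFE0 for the old bootloader profile, 0x0807FFD0 for "v3.2 and later") and reports which generation an application image targets, with the sanity check a flasher would want: the start/end window must fall inside 0x08010000..0x0807FFFF. Assumptions not confirmed by the thread: the fields are little-endian in the file; the buffer handed to `Locate` covers exactly the application region; the sample image, its IDs (0xA9 as family, 0x6C as product, from the "0x6C ^ 0xA9" remark) and version numbers are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Flash map quoted in the thread: bootloader from 0x08000000, application
// image in 0x08010000..0x0807FFFF (0x70000 bytes), FWBase descriptor 16 bytes
// before the footer. The descriptor's address depends on the bootloader
// generation (both offsets were read off hextopuf in the thread).
const (
	AppStart      = 0x08010000
	AppEnd        = 0x0807FFFF
	AppSize       = AppEnd - AppStart + 1
	FWBaseAddrOld = 0x0807FFE0 // hextopuf profile "IP150" (bootloader 2.12)
	FWBaseAddrNew = 0x0807FFD0 // profile "IP150 v3.2 and later" (bootloader >= 2.13)
	fwBaseLen     = 16
)

// FWBase mirrors the struct posted in the thread. Little-endian layout is an
// assumption (the STM32 core is little-endian; the file layout was not confirmed).
type FWBase struct {
	DevID, FamID, ProdID      byte
	VerMajor, VerMinor, Build byte
	FwStart, FwEnd            uint32
	Trailer                   uint16 // the "WORD w??" field; meaning unknown
}

// Version renders the three version bytes the way Paradox names files (1.32.001).
func (f FWBase) Version() string {
	return fmt.Sprintf("%d.%02d.%03d", f.VerMajor, f.VerMinor, f.Build)
}

// Valid rejects descriptors whose write window leaves the application region,
// which is also what erased (0xFF) or zeroed flash decodes to.
func (f FWBase) Valid() bool {
	return f.FwStart >= AppStart && f.FwEnd <= AppEnd && f.FwStart < f.FwEnd
}

// ParseFWBase decodes one 16-byte descriptor.
func ParseFWBase(b []byte) (FWBase, error) {
	if len(b) < fwBaseLen {
		return FWBase{}, errors.New("fwbase: need 16 bytes")
	}
	return FWBase{
		DevID: b[0], FamID: b[1], ProdID: b[2],
		VerMajor: b[3], VerMinor: b[4], Build: b[5],
		FwStart: binary.LittleEndian.Uint32(b[6:10]),
		FwEnd:   binary.LittleEndian.Uint32(b[10:14]),
		Trailer: binary.LittleEndian.Uint16(b[14:16]),
	}, nil
}

// EncodeFWBase is the inverse; used here only to build a constructed sample image.
func EncodeFWBase(f FWBase) []byte {
	b := make([]byte, fwBaseLen)
	b[0], b[1], b[2] = f.DevID, f.FamID, f.ProdID
	b[3], b[4], b[5] = f.VerMajor, f.VerMinor, f.Build
	binary.LittleEndian.PutUint32(b[6:10], f.FwStart)
	binary.LittleEndian.PutUint32(b[10:14], f.FwEnd)
	binary.LittleEndian.PutUint16(b[14:16], f.Trailer)
	return b
}

// Locate checks both descriptor slots of an application image (AppSize bytes,
// first byte at AppStart) and returns the descriptor plus the address it was
// found at. An image that only passes at the old slot is what a 2.13+
// bootloader refuses; neither slot passing means no usable descriptor.
func Locate(app []byte) (FWBase, uint32, error) {
	if len(app) != AppSize {
		return FWBase{}, 0, fmt.Errorf("fwbase: image is %d bytes, want %d", len(app), AppSize)
	}
	for _, addr := range []uint32{FWBaseAddrNew, FWBaseAddrOld} {
		off := addr - AppStart
		f, err := ParseFWBase(app[off : off+fwBaseLen])
		if err == nil && f.Valid() {
			return f, addr, nil
		}
	}
	return FWBase{}, 0, errors.New("fwbase: no valid descriptor at either slot")
}

// SampleImage builds a constructed image (0xFF-filled like erased flash) with a
// descriptor at the requested slot. IDs and versions are assumed values.
func SampleImage(addr uint32, maj, min, build byte) []byte {
	app := make([]byte, AppSize)
	for i := range app {
		app[i] = 0xFF
	}
	desc := EncodeFWBase(FWBase{DevID: 0x01, FamID: 0xA9, ProdID: 0x6C,
		VerMajor: maj, VerMinor: min, Build: build,
		FwStart: AppStart, FwEnd: AppEnd})
	copy(app[addr-AppStart:], desc)
	return app
}

func main() {
	for _, slot := range []uint32{FWBaseAddrOld, FWBaseAddrNew} {
		f, at, err := Locate(SampleImage(slot, 1, 32, 1))
		fmt.Printf("descriptor at 0x%08X -> found at 0x%08X, fw %s, err=%v\n", slot, at, f.Version(), err)
	}
}
```

Running it shows the 1.x-style image being accepted only at the old slot and the 4.x-style image at the new one; pointing `Locate` at a real decrypted application region would tell you, before flashing, whether the bootloader on the module will even look at the descriptor.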

deonvdw commented 3 years ago

.puf file parsing utility - something I put together the last week or two. Looks like plouis7 has been doing a lot of the same stuff with pufc... SNAP.

nezmogus commented 3 years ago

What kind of problems do you have while parsing puf files? If my memory does not lie to me, I have to guess only two bytes, so I brute-force all variants and choose the right ones...

On Fri, Jan 8, 2021, 21:55 deonvdw wrote:

> .puf file parsing utility https://github.com/deonvdw/pufparse - something I put together the last week or two. Looks like plouis7 has been doing a lot of the same stuff with pufc... SNAP.

plouis7 commented 3 years ago

The extended version: XOR, XOR, when we know the input and the result. Since the ex key is missing I assume that it is also stored in the .hex file used to build the puf. A puf is in fact a container. The IP150 has only one thing to program, size 0x700000... but other devices require multiple blocks, all stored inside the same puf. The IP150 MPU is labeled and public... mine... STM32F417, so we could find info about RAM, EEPROM, SPI etc.

I've searched for fw 3.2; they say it's the first with the modified bootloader 2.13. Found none. Wanted to compare it with the available 2.14.

[screenshots] https://www.pentestpartners.com/security-blog/how-to-do-firmware-analysis-tools-tips-and-tricks/ The bootloader and the firmware are stored in flash starting from 0x08000000.

deonvdw commented 3 years ago

> What kind of problems do you have while parsing puf files? If my memory does not lie to me, I have to guess only two bytes, so I brute-force all variants and choose the right ones...

@nezmogus: I'm trying to write a more general parser for puf files and not just focus on the IP150. Here are some of the problems I ran into:

You asked :)

@plouis7: No need to brute force two bytes - ( (x xor A) xor B) is the same as (x xor (A xor B)). We are just flipping bits here, the order of the xor operation can be swapped. And of course A xor B is a constant if A and B are constants.

deonvdw commented 3 years ago

> I've searched for fw 3.2; they say it's the first with the modified bootloader 2.13. Found none. Wanted to compare it with the available 2.14.

@plouis7: You can find bootloader 2.13 in firmware IP150_V4.20.008.puf. Should also be in IP150 V5.02.009.puf.

I don't think we'll find bootloader 2.12 in any puf file... that was probably the baseline firmware IP150s were manufactured with.

xmm42 commented 3 years ago

The extended encryption of an area in the .PUF file is actually pretty simple:

```go
package puf

// Tables recovered from the disassembly. lookup[j] is the mask for bit j;
// key holds seven rows of eight entries, each row a permutation of the bit
// positions 0..7; key2 is a 19-byte XOR pad that repeats across the area.
var (
    lookup = []byte{0x1, 0x2, 0x4, 0x8, 0x10, 0x20, 0x40, 0x80}
    key    = []byte{0x6, 0x1, 0x2, 0x4, 0x0, 0x3, 0x5, 0x7, 0x1, 0x5, 0x6, 0x0, 0x3, 0x7, 0x4, 0x2, 0x2, 0x4, 0x1, 0x3, 0x5, 0x6, 0x7, 0x0, 0x6, 0x2, 0x5, 0x7, 0x1, 0x3, 0x0, 0x4, 0x3, 0x2, 0x6, 0x1, 0x00, 0x4, 0x7, 0x5, 0x4, 0x6, 0x1, 0x7, 0x2, 0x0, 0x5, 0x3, 0x2, 0x7, 0x4, 0x5, 0x0, 0x3, 0x1, 0x6}
    key2   = []byte{0x77, 0x12, 0xAF, 0x71, 0x5C, 0x2F, 0xCD, 0x69, 0xE3, 0x90, 0x26, 0xBD, 0x2C, 0x66, 0xBE, 0x72, 0x7F, 0x5D, 0x18}
)

// DecryptPEFEx decrypts an "extended" encrypted area. For each input byte, bit j
// is moved to position key[j+k*8] (k selects the permutation row and cycles
// 0..6), the result is XORed with the pad byte key2[l] (l cycles 0..18) and
// then with the product and family IDs of the target device.
func DecryptPEFEx(data []byte, familyID byte, productID byte) []byte {
    if len(data) == 0 {
        return nil
    }

    dest := make([]byte, len(data))

    k := 0 // permutation row, 0..6
    l := 0 // pad index, 0..18
    for i := 0; i < len(data); i++ {
        b := byte(0)

        // Apply this row's bit permutation to the input byte.
        for j := 0; j < 8; j++ {
            if lookup[j]&data[i] != 0 {
                b |= lookup[key[j+k*8]]
            }
        }

        k++
        if k > 6 {
            k = 0
        }

        c := key2[l]
        l++
        if l > 0x12 {
            l = 0
        }

        dest[i] = c ^ b ^ productID ^ familyID
    }

    return dest
}
```

This code can largely be optimized/cleaned up (I just monkey-typed what I could see in the disassembler). But anyway, cheers. I'm planning to release the work I've done on .PUF files; I have pretty much the whole file structure reverse engineered.

plouis7 commented 3 years ago

So 0xC5 = 0x6C ^ 0xA9 was in fact prodID ^ familyID for the IP150.
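An added worked example covering xmm42's routine and the two observations that follow it (this is example code written for this note, not xmm42's post, pufc or pufparse): it restates the decryption with the same tables, adds the inverse that the thread discusses but never shows (every 8-entry row of the table is a permutation of the bit positions 0..7, so it can be undone bit for bit, and the XOR pad is its own inverse), and demonstrates deonvdw's point that `productID ^ familyID` folds into one constant, so decrypting with (0xA9, 0x6C) and with (0xC5, 0x00) gives identical output. The sample bytes are constructed; which of 0xA9 and 0x6C is the family ID and which the product ID is an assumption.

```go
package main

import (
	"bytes"
	"fmt"
)

// Tables as recovered in the thread. perm is seven rows of eight bit positions
// (each row a permutation of 0..7); stream is the 19-byte repeating XOR pad.
var (
	perm = [...]byte{
		6, 1, 2, 4, 0, 3, 5, 7,
		1, 5, 6, 0, 3, 7, 4, 2,
		2, 4, 1, 3, 5, 6, 7, 0,
		6, 2, 5, 7, 1, 3, 0, 4,
		3, 2, 6, 1, 0, 4, 7, 5,
		4, 6, 1, 7, 2, 0, 5, 3,
		2, 7, 4, 5, 0, 3, 1, 6,
	}
	stream = [...]byte{0x77, 0x12, 0xAF, 0x71, 0x5C, 0x2F, 0xCD, 0x69, 0xE3, 0x90,
		0x26, 0xBD, 0x2C, 0x66, 0xBE, 0x72, 0x7F, 0x5D, 0x18}
)

// permute moves input bit j to output bit perm[row*8+j] (what DecryptPEFEx does).
func permute(x byte, row int) byte {
	var y byte
	for j := 0; j < 8; j++ {
		if x&(1<<j) != 0 {
			y |= 1 << perm[row*8+j]
		}
	}
	return y
}

// unpermute is the exact inverse: output bit perm[row*8+j] came from input bit j.
func unpermute(y byte, row int) byte {
	var x byte
	for j := 0; j < 8; j++ {
		if y&(1<<perm[row*8+j]) != 0 {
			x |= 1 << j
		}
	}
	return x
}

// idMask folds the two per-device constants into one: (x ^ A) ^ B == x ^ (A ^ B).
func idMask(familyID, productID byte) byte { return familyID ^ productID }

// Decrypt is DecryptPEFEx restated: byte i uses permutation row i%7 and pad byte i%19.
func Decrypt(data []byte, familyID, productID byte) []byte {
	out := make([]byte, len(data))
	m := idMask(familyID, productID)
	for i, c := range data {
		out[i] = stream[i%len(stream)] ^ permute(c, i%7) ^ m
	}
	return out
}

// Encrypt undoes Decrypt: strip the XOR layer first, then invert the bit permutation.
// This is what a tool rebuilding a .puf area (as pufc does) has to apply.
func Encrypt(plain []byte, familyID, productID byte) []byte {
	out := make([]byte, len(plain))
	m := idMask(familyID, productID)
	for i, p := range plain {
		out[i] = unpermute(p^stream[i%len(stream)]^m, i%7)
	}
	return out
}

func main() {
	sample := []byte("constructed sample bytes, not a real PUF area") // constructed input
	enc := Encrypt(sample, 0xA9, 0x6C)
	fmt.Printf("round trip ok: %v\n", bytes.Equal(Decrypt(enc, 0xA9, 0x6C), sample))
	fmt.Printf("folded mask 0xC5 gives the same plaintext: %v\n",
		bytes.Equal(Decrypt(enc, 0xC5, 0x00), Decrypt(enc, 0xA9, 0x6C)))
}
```

Because the only per-device secret is the one-byte mask, an unknown product/family pair costs at most 256 trial decryptions of a short known-plaintext region, which is the brute force nezmogus describes, reduced to a single byte.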

deonvdw commented 3 years ago

> The IP150 MPU is labeled and public... mine... STM32F417, so we could find info about RAM, EEPROM, SPI etc.

@plouis7 I'm curious... did you open your IP150 to find the part number or did you get a pcb photo somewhere?

> For 2.12 we need to dump it from EEPROM I guess... from a module with bootloader 2.12. For that, a program which connects to the IP module and issues an EEPROM read must be written.

Yeah. I was thinking about this. Maybe there is a "read flash" command as part of the InField<->IP150 protocol (unlikely? look at the exports for UpdateLibrary.dll) Otherwise we would have to write dummy firmware which implements a REST API or similar to read/write memory bytes, hextopuf it, and flash it to an IP150. It is an open question if you can recover from this... whether firmware upgrade is implemented in the bootloader code (my guess) or within the firmware itself.

Or maybe crack open an IP150 and search for JTAG or SWD pins...

plouis7 commented 3 years ago

I opened the case (a 2-second maneuver). As I mentioned earlier... I had a communication problem (stops during downgrade)... checked the soldered mini header for damage. There are no other pins but those you can see from outside the case :)

btw... https://www.cybersecurity-help.cz/vdb/SB2020111814

https://threatpost.com/ics-vendors-warn-critical-bugs/161333/

> ICS Security System Paradox
>
> Security device maker Paradox also announced a critical bug (CVE-2020-25189) impacting its IP150 Internet Module that created conditions ripe for a stack-based buffer overflow attack.
>
> "Successful exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code, which may result in the termination of the physical security system," wrote the Cybersecurity Infrastructure Security Agency (CISA) in a bulletin posted on Tuesday.
>
> According to Paradox, the impacted IP150 Internet Module is a "LAN based communication module that enables you to control and monitor your Paradox security system over a LAN or the internet through any web browser."
>
> A second high-severity bug, tracked as CVE-2020-25185 with a CVSS rating of 8.8, opens the IP150 Internet Module to "five post-authentication buffer overflows, which may allow a logged in user to remotely execute arbitrary code."
>
> While Paradox indicated that there are no known public exploits targeting the vulnerabilities, the company also did not offer any specific patches for either bug.
>
> Inquiries to Paradox were not returned.
>
> In lieu of patches Paradox offered a number of mitigation recommendations including ensuring the least-privilege user principle is adhered to and "minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet."

xmm42 commented 3 years ago

@deonvdw If you disassemble the HexToPuf program, you can check the RTTI information of the original Delphi classes (Or use IDR). From there, I have found that every single Paradox product is described as a class and the best thing is that they also have some type information about the microcontrollers they use inside the products. For example you'll see that TIP150 inherits from TProduct and has relations to TSTM32F.... The same goes for a lot of products. I'm also working on some tools to help RE of TurboPascal/Delphi programs and I think I could extract a ton of info for the community out there.

@plouis7 that CVE looks interesting. I have HD78F cameras and I've been scratching my head to get some of the data there. As I have RE'd the protocol used between the Insight Gold app and them, I could try some of the techniques on the camera API if we ever find some public data related to this exploit.

Because unfortunately I've not been able to find SWD/JTAG pins (or at least they're not obvious) in these cameras either. The next thing will be to check for the test points I've found around the two flash (one parallel and one SPI). If I could dump them, I could find the algorithm used to encrypt the newest generation of PUF files (They're plain binary data, maybe they are just a single encrypted area/partition?).

yozik04 commented 3 years ago

@xmm42 That all will be really interesting for our ParadoxAlarmInterface project. 👍

deonvdw commented 3 years ago

Thanks plouis7 for the tip :) Took me about 10 seconds... Here is a photo of the PCB: [IP150 PCB photo]

There are a number of test points on the PCB, including these 5 I believe to be a JTAG interface (used during production for programming?):

[IP150 JTAG pins photo]

EDIT: Updated image above to correctly reflect the test point functions after tracing the hidden connections with a multimeter. I am not sure if there is test point for NRST, which may mean you would have to connect via JTAG rather than SWD. Open question whether the STM32 flash is locked (read protection turned on). EDIT2: Tried to connect to the IP150 with SWD using OpenOCD and an ST-Link v2 clone. Pulling BOOT0 high does not help either - my only conclusion is the STM32 is set to read protection (RDP) level 2, which is quite reasonable for a production device. That leaves a custom/modded firmware as the only way to read out the bootloader from a specific IP150.

nezmogus commented 3 years ago

> I've searched for fw 3.2; they say it's the first with the modified bootloader 2.13. Found none. Wanted to compare it with the available 2.14.
>
> @plouis7: You can find bootloader 2.13 in firmware IP150_V4.20.008.puf. Should also be in IP150 V5.02.009.puf.
>
> I don't think we'll find bootloader 2.12 in any puf file... that was probably the baseline firmware IP150s were manufactured with.

Maybe these old firmwares may help... IP150_ENG_firmwares.ZIP

deonvdw commented 3 years ago

> Maybe these old firmwares may help... IP150_ENG_firmwares.ZIP

Thanks. I've been through these firmware files - they all look like the main application code. I think it is only from fw 4.x (or maybe 3.x, which I don't have) that they started to include a bootloader in the firmware.

plouis7 commented 3 years ago

Who has the time and knowledge to play RE? I've set up a project in IDA 7.3... set the bootloader's Main() function in the project. It loads fine. See https://rdomanski.github.io/Reverse-engineering-of-ARM-Microcontrollers/ BootLoaderIP150_2.14.bin.zip The bootloader.hex Intel file comes with the vector table also... mapped at 0x08000000, so... the BL lies in flash. To rewrite itself during a boot update it should somehow run from another location; since it accepts... an Intel HEX file to update itself... I bet the code should have a small hex parser... decode -> writeToFlashMem... and where there is a write... there should be a read also. Adding the rest of the firmware at 0x8010000... someone could find those buffer overruns... perhaps it's the same combination of ARM opcodes in many places... and then use this on old firmwares... to read the 2.12 bootloader :)... but I ask myself again... why... why?!

The secret... what it does when you push the button for 5s... then again one time... should be here :)

xmm42 commented 3 years ago

So I've checked into the firmware you've linked and I found something :)

The RESET button is linked to port PB8 on the STM32F4. At address 0x800e520 there's a function which checks port PB8 for a 5 second long press: [disassembly screenshot]

The function at 0x800c212, from what I've checked around, seemingly sends information on port SPI3: [disassembly screenshot]

I have labelled the calls SendSPIData because I've tracked which registers the program was writing to. SendSPIData looks like this: [disassembly screenshot]

As you can see the GPIO port PA4 is written to as chip select (that's supposed to be port 29). Unfortunately all my attempts at tracking where the SPI bus pins connect to have been unsuccessful (with the PCB image from @deonvdw). I might have made a mistake somewhere but it's pretty late and I don't feel like retracing everything :)

Also, the SPI ports seem to be configured on PC10-12 (pins 78 - 80). I have RE'd the port initialization function: [disassembly screenshot]

That's it for tonight.

plouis7 commented 3 years ago

"Checks the port PB8 for a 5 second"... then another check on PB8 is made... it requires 1 click the next second after releasing the button. Then it "glues" the uploaded fw, which won't trigger a fw update again on power on.

Interesting should be where it communicates with the InsiteGold upgrade server, sending & receiving those 448 packets.

https://github.com/alatarum/stmflasher

dm00589815-usb-dfuusart-protocols-used-in-stm32mp1-series-bootloaders-stmicroelectronics.pdf

The STM32 has a built-in bootloader which can be accessed by setting the BOOT1 and BOOT0 pins. "Main Flash Memory" is where your program typically resides. "System Memory" is where the STM32's built-in bootloaders reside.

https://developer.aliyun.com/mirror/npm/package/pi-stm32-uart-bootloader

deonvdw commented 3 years ago

> Also, the SPI ports seem to be configured on PC10-12 (pins 78 - 80).

@xmm42: Pins 78 and 80 are pretty easy to trace out, going to pins 6 and 5 respectively of a device marked "518D 8704" (or is that "S18D 8704"?). I've not been able to find the proper part number for this device but it looks like a generic SPI flash part. It would make sense that reset/defaults would erase this flash. Probably used to store password and network config.

[IP150 PCB photo]

You could probably trace out most of the other pins if you wanted to but I'm not sure it will add much.

Different thought - I wonder how hard it would be to create a MAME/MESS style emulator for the IP150 bootloader+firmware. Pretty sure MAME/MESS would already have ARM32 M4 cores, then just define whatever peripherals the IP150 has. Simple in theory :) You would probably end up with a Raspberry PI emulating an IP150. Paradox might not like that much at all.

Genik67 commented 3 years ago

https://github.com/Tertiush/ParadoxIP150v2/issues/22#issuecomment-753478634

So downgraded from the last fw 5.2 w bl 2.14.

Help me please. Two years ago I already did this downgrade and everything worked out for me successfully. But a week ago the electricity went out and after that I can't go back to the old firmware. I studied all the news and instructions again, I have been trying to make a downgrade for three days, but apparently my TVPfwd server does not work. Specifically returned to Windows 7. What am I doing wrong?

[screenshots: paradox, mikrotik]

plouis7 commented 3 years ago

Cmd: ping upgrade.blabla.com to test the DNS hook. You should see a reply from your PC IP. From the pics it seems that the IP150 is connected to insitegold... in which case the tvpfwd doesn't start.

pliusas1 commented 3 years ago

Hi,

Some offtopic. As I see you are making custom firmware for downgrading the fw in IP150 modules. I have a little bit different problem: by mistake I ordered the wrong keyboard (K641lx instead of K32lx) and the seller doesn't accept a return because it was unpacked and connected once to the alarm system, as I noticed that it was the wrong keyboard only when connected to my alarm system. So now I have a keyboard which doesn't work with my alarm system, because the K641lx works with Evo systems, but I need a keyboard which is compatible with Spectra systems. As I have another K32lx keyboard I've compared them and I see that the keyboards have identical hardware (same microprocessor, same eeprom chip, same RF module, same pcb layout, same bootloader version). I've tried to upgrade the K641lx keyboard with K32lx firmware using the Paradox InField software. But at first InField doesn't accept it when I was choosing the K32lx fw for the K641lx keyboard. Then I tried changing the fw puf file by changing the product id from 5B to 5F and the family id from A1 to A5; then InField was accepting the fw puf file, but when it started transferring the firmware, the InField program freezes (maybe there are some checksums in the puf file headers?). So any ideas how to transfer the K32lx firmware to the K641lx keyboard? [screenshots: k32lx_k641lx, k32lx_k641lx_bootloader]

Vandiliz3r commented 3 years ago

Hi Guys,

Please help :( I am trying to downgrade my IP150 from V4.30.000 to V1.32.000. I have followed the instructions above; see below for the steps followed:

  1. Downloaded the TVPfwd.exe app
  2. Created a shortcut with parameters "TVPfwd.exe 192.168.1.5 10000 54.165.77.37 10000 IP150_V1_32_001_ENG.PuF" (pinging upgrade.insightgoldatpmh.com gives [3.95.136.210]). Did the upgrade IP change from InsightGold?
  3. Inserted a DNS entry for upgrade.insightgoldatpmh.com to point to the PC "192.168.1.5" running TVPfwd.exe
  4. Started TVPfwd.exe with the above parameters
  5. Opened Babyware (Babyware does not want to connect through to swan services)

This is where I got to before I noticed that I cannot connect to the IP150 via InsightGold or IP. I can however access the web interface. Any help will be appreciated.

nezmogus commented 3 years ago

Today I got a few IP modules to play with, so I have some results to share.

IP150 (don't remember the FW version, but at least 4.00) - downgraded. IP150S with FW 5.02 - downgraded. Seems like the IP150+ uses the same hardware as the IP150 and IP150S, but the firmware headers have the IP160 string instead of IP150. Not sure about a smooth downgrade. If tomorrow the owner of the IP150+ module gives me permission to vandalize it, I will let you know the results :)

IMPORTANT: before the downgrade, reset the IP150 to factory defaults to clear custom gateway and DNS server settings (press and hold the reset button until the IO LEDs start blinking, then release and press the reset button again). Check using BabyWare or InField whether DHCP is on on the IP150.

You should change DNS entries for: upgrade.insightgoldatpmh.com and for upgr.insightgoldatpmh.com (at least FW 5.02 uses this DNS record for the firmware update).

Check the IP address for upgrade.insightgoldatpmh.com and upgr.insightgoldatpmh.com and use one of them on the TVPfwd command line (I believe both IP addresses should always be the same).

Now upgrade.insightgoldatpmh.com and upgr.insightgoldatpmh.com have the IP address 3.95.136.210. It means the TVPfwd command line should be:

TVPfwd.exe 192.168.1.5 10000 3.95.136.210 10000 IP150_V1_32_001_ENG.PuF

IMPORTANT: with some bootloaders the downgrade process can be started by powering on the IP150 module while the reset button is pressed. Also use this method to update the IP150 back to the latest firmware (remove the DNS entries from your router before the update).

I saw some interesting DNS queries sent directly to public DNS servers, like 4.2.2.2, 4.2.2.1, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6, 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220. It means that sometimes the downgrade process can avoid TVPfwd. Temporarily block these IPs (just an idea, not tested yet) or set these IPs as your router IP (of course, only if your router can have multiple IPs. Mikrotik routers can. Thank you Mikrotik for that! ;) )
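The post above describes two things a network owner can observe on the gateway: the module resolving the two insightgoldatpmh.com update hosts, and the module sending DNS queries straight to public resolvers, which sidesteps any local DNS entry. The following script is an added example (not code from the thread or from the ParadoxIP150v2 project) that audits constructed, gateway-style DNS log lines for exactly those two behaviours. The `src=... dst=... dport=... qname=... answer=...` record layout, the sample addresses and the `Finding` type are assumptions made for this example.

```python
"""Audit gateway DNS logs for an alarm IP module's firmware-update lookups.

Added example for this thread; it is not code from the ParadoxIP150v2 project.
The log line format below is an assumption made for this example (one
constructed record per line), not a real router or device format.
"""
import re
from dataclasses import dataclass

# Update hosts named in the thread; the module resolves these before flashing.
UPDATE_HOSTS = {"upgrade.insightgoldatpmh.com", "upgr.insightgoldatpmh.com"}

# Public resolvers the thread reports the module querying directly.
PUBLIC_RESOLVERS = {
    "4.2.2.1", "4.2.2.2", "4.2.2.3", "4.2.2.4", "4.2.2.5", "4.2.2.6",
    "8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220",
}

# Assumed record layout: key=value pairs; 'answer' is present when the
# gateway logged the A record returned to the client.
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+qname=(?P<qname>\S+)(?:\s+answer=(?P<answer>\S+))?"
)


@dataclass
class Finding:
    src: str     # client that issued the query
    kind: str    # update-lookup | update-host-override | public-resolver | foreign-resolver
    detail: str


def parse_line(line: str):
    """Return the captured fields as a dict, or None for lines that do not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def audit(lines, local_resolver: str, expected_update_ip: str):
    """Classify each DNS record (dport 53) and return the findings in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != "53":
            continue  # not a DNS query record
        qname = rec["qname"].rstrip(".").lower()
        if rec["dst"] != local_resolver:
            # The client bypassed the LAN resolver, so a local DNS entry would not apply to it.
            kind = "public-resolver" if rec["dst"] in PUBLIC_RESOLVERS else "foreign-resolver"
            findings.append(Finding(rec["src"], kind, f"{qname} sent to {rec['dst']}"))
        if qname in UPDATE_HOSTS:
            answer = rec.get("answer")
            if answer and answer != expected_update_ip:
                # The update host resolved to something other than the vendor address,
                # i.e. an override is in effect for this client.
                findings.append(Finding(rec["src"], "update-host-override",
                                        f"{qname} -> {answer} (expected {expected_update_ip})"))
            else:
                findings.append(Finding(rec["src"], "update-lookup", f"{qname} -> {answer or '?'}"))
    return findings


# Constructed sample log: 192.168.1.19 is the IP module, 192.168.1.1 the LAN resolver.
SAMPLE_LOG = [
    "2021-05-16T20:45:01Z proto=udp src=192.168.1.19 dst=192.168.1.1 dport=53 qname=upgrade.insightgoldatpmh.com answer=3.95.136.210",
    "2021-05-16T20:45:02Z proto=udp src=192.168.1.19 dst=8.8.8.8 dport=53 qname=upgr.insightgoldatpmh.com answer=3.95.136.210",
    "2021-05-16T20:45:03Z proto=udp src=192.168.1.19 dst=192.168.1.1 dport=53 qname=upgr.insightgoldatpmh.com answer=192.168.1.5",
    "2021-05-16T20:45:04Z proto=udp src=192.168.1.50 dst=192.168.1.1 dport=123 qname=- answer=-",
    "2021-05-16T20:45:05Z proto=udp src=192.168.1.19 dst=192.168.1.1 dport=53 qname=pool.ntp.org answer=203.0.113.10",
]


def summarize(findings):
    """Count findings per kind, for a quick report or assertion."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, "192.168.1.1", "3.95.136.210"):
        print(f"{f.src:15} {f.kind:22} {f.detail}")
```

On the sample log the second record is flagged twice: once because the query went to 8.8.8.8 rather than the LAN resolver, and once as an ordinary update-host lookup. The third record is the one to watch when verifying that a router DNS entry is gone again before re-updating: the update host answered with a LAN address instead of the vendor's.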

mustafaavcilar63 commented 3 years ago

Hello dear friends, I have an IP150; it gave an error during the firmware upload and now it seems there is no firmware in it. I would be glad if you could help, thanks. [7 attached screenshots]

nezmogus commented 3 years ago

Hello,

Please take the time to read all the instructions provided by the members of this forum.

Hello dear friends, I have an IP150; it gave an error during the firmware upload and now it seems there is no firmware in it. I would be glad if you could help, thanks. 0 1 2 ...

hoebanx commented 3 years ago

Yep, it was a big mistake buying this module. My goal is DIY home automation for fun and to learn new things. I have this Paradox MG5000 from 2009, it cost a lot back then. I recently made some restorations to my house and I thought I should upgrade my alarm system with a new one, but I saw on forums that I can add this wonderful IP150 module and even have integrations with other software. Cool! I bought it, thought this would be easy: connect the module, set the IP, upgrade the firmware of the control panel because it has the original fw from 2009, add it to some HA hub and move on to another project. NOT! Paradox information is not really easily available on the internet, the manuals are outdated, and on top of all, when I asked them by email to share some information because my IP150 is nothing like the manuals they supplied (I was not even aware at that moment that this 4.10 fw is the problem) they responded with the following text.

Unfortunately, due to an agreement with our distributor network, the Paradox distributor support will only assist distributors with issues. We do not support end users or installers when they encounter difficulties with their alarm system.

The assistance you need would be better provided to you by a qualified alarm technician who would be able to determine your requirement.

I suggest that you contact your local installer in your area; if you don't have a local installer, I am including a link to our distributor network. Simply contact the distributor nearest you, and ask them to refer an alarm company to you who is familiar with Paradox products.

Are you kidding me? I paid a lot for their alarm system, I even bought another 100$ module and planned to buy others, and they are sending me off to the distributors/installers which charge a lot and have no clue about the IP150.

I've spent a lot of time figuring out what is happening: I can't do anything from the web interface, I can upgrade the control panel fw with the In-Field software and panel serial number, but from Babyware I can't connect locally via serial number or IP, only if I use their DNS account which I have to pay for in the Insite Gold app... so no chance for integration with anything yet; all solutions available were based on the old IP150 web interface which is now gone. TL;DR Anyway I am writing this on all threads that I find to make others aware of this issue. If you are buying the new IP150 you are paying 100$ + a monthly/yearly fee to have a remote on your phone and only on the phone. An outdated ugly remote actually, when people like Tertius made another app better than this one and he gets nothing, and we can't even use his app anymore. I tried to downgrade the IP150 firmware with various tricks I found on the web, like trying to flash it after a reset of the control panel, a reset of the module itself etc., and all I got is another trouble on the control panel which I can't get rid of: IP Unregistered.

Hello, I just bought a new ip150 and get the V4.4 version. As I read all this I'm fucked and my HA routines as well. Would you agree to help me? Best scenario is that I send you my module and I cover the costs to downgrade and send back. I have no chance to follow your setup. Thanks in advance, Ludovic

nezmogus commented 3 years ago

@hoebanx what is your email?

mustafaavcilar63 commented 3 years ago

mustafaavcilar@gmail.com

@hoebanx what is your email?

hoebanx commented 3 years ago

Hello, Thanks for your reply. It is @.*** Have a nice day, L.

On Sun, 16 May 2021 at 22:45, nezmogus @.***> wrote:

@hoebanx https://github.com/hoebanx what is your email?


nezmogus commented 3 years ago

https://www.blackhat.com/asia-21/briefings/schedule/#alarmdisarm---remotely-exploiting-and-disarming-popular-physical-security-system-from-public-internet-22329

http://i.blackhat.com/asia-21/Thursday-Handouts/as-21-Bassat-Alarm-Disarm-Remotely-Exploiting-and-Disarming-Popular-Physical-Security-System.pdf

Thanks Omri!

plouis7 commented 3 years ago

All Your IP150 Are Belong to Us...stack overflow :)

nezmogus it seems we need a patch to your older prepared fw