BT Homesafe Wireless Burglar Alarm System.

[linuxnewbie]

Hi,
Does anyone know how to go about resetting the default password on a BT Homesafe Wireless Burglar Alarm System please?

The manuals say that the default password can only be changed whilst logged onto your BT Homesafe account online (this service used to be provided by Intamac but is no longer offered by them). It's possible to connect to the panel directly via web-browser but unfortunately there are no options at all to reset the default password.

The panel is made by Climax.com.tw as are the sensors etc. at a guess. Emailed Intamac and they're unable to help. Emailed Climax.com.tw also but whether they're able to offer assistance I'm really not sure.

Without being able to reset the default password the alarm system is not really useable which is a shame really as the kit seems to be reasonably well made.

Would be great should there be a possibility to telnet into the panel to determine what .htm pages reside on the device. Surely there must be .htm pages with a whole set of configuration parameters on there.

Any help would be much appreciated.

Thank you.

 

[ekmdgrf]

Interesting sounding device. So some kind of cloud based alarm? My guess is that you won't be able to telnet onto it. Though I would start with a nmap of its IP and see what services are listening. Next step would be to have a look at the board. My guess is that the magic will happen in software and the hardware will be some kind of ARM based system with some off the shelf peripherals soldered to a custom board arrangement. That all depends on what sort of peripherals you have. Be nice to have some kind of debug device like a serial port. You might find that you have the tracks on the PCB but no header in place. My guess is that the software will run on a Linux kernel and the roof fs will be stored on a flash chip and be unzipped to ram on boot. So really you need to find a way to read the flash chip. For starters, go look at the PCB and see what you can see.

 

[linuxnewbie]

Interesting sounding device. So some kind of cloud based alarm? My guess is that you won't be able to telnet onto it. Though I would start with a nmap of its IP and see what services are listening. Next step would be to have a look at the board. My guess is that the magic will happen in software and the hardware will be some kind of ARM based system with some off the shelf peripherals soldered to a custom board arrangement. That all depends on what sort of peripherals you have. Be nice to have some kind of debug device like a serial port. You might find that you have the tracks on the PCB but no header in place. My guess is that the software will run on a Linux kernel and the roof fs will be stored on a flash chip and be unzipped to ram on boot. So really you need to find a way to read the flash chip. For starters, go look at the PCB and see what you can see.

Hi, Thank you for your reply. Yes I'm of the impression these are interesting devices. They seem to be very well made in all fairness but I'm extremely reluctant to install a home alarm system that has a default password that cannot be changed. Am convinced that it is possible to change the default password however despite the monitoring services that were offered by Intamac having had the plug pulled on them (basically a third-party monitoring service operating on behalf of BT).

I'd hoped that it'd be possible to use something like PuTTy to telnet into the panel but at a guess there really needs to be a telnet server running (could be wrong though as don't really know much about this. Can recall using PuTTy to telnet into an NSLU2 but other than that I'm clutching straws really).

I've no idea how to go about checking what ports are open on the alarm panel. Can you advise how you'd go about checking this please?
Convinced the alarm panel is running some form of Linux and Apache web-server (or similar) as all the pages that are visible seem to be in the form of .htm pages. What is available is extremely limited unfortunately. No doubt there are other .htm pages running in the background that offer increased functionality for adding sensors, removing sensors and ultimately allowing for the default password to be changed.

Details of the alarm panel are as follows:

Brand Climax Technology
Model Code CTC-1200
Series CTC Series
Control Panels & Accessories Yes
Remote Keypad LCD
Wireless Yes
No Event Logs 30
No of Zones 20
Keypad Operated Yes
Backlit/ illuminated Yes
Physical Specifications Dimensions mm: 245 x 180 x 46
Environmental Specifications Operating Temp oC: -10 ~ 45
Model Info
Alarm reporting: IP based and/or PSTN Contact ID &nbsp
Reporting to Central Monitoring Station: 1 IP address, 2 phone numberswith seperate Account Numbers of 4 or 6 digits)
A 20-zone full-featured wireless IP Panel with built-in webpage
IP Address: DHCP or Static IP programmable
UPnP basic device
Automatic configuration for router setting that offers easier access to Web

A document giving more details on this alarm panel can be found here:
http://www.gardsman.co.il/uploads/1/0/0/5/10055021/ctc-1200__1208.doc

Edit:
Downloaded and ran NMap and as fas as I'm aware only port 80 is open all other ports scanned are closed.

Any help on getting this up and running would be much appreciated.
Thank you.

 

[ekmdgrf]

I doubt you'll get much mileage trying to connect over the network. There might well be a telnet service running but it will almost certainly ask for authetnicatio (ie the password that you know not). You might find some other custom services listening too.

From your userID, I'd suspect you have a Linux box, so if you know the IP address of the panel, run:

nmap -p 1:65535 <ip>

You might have to install nmap with yum install nmap or whatever.

I would again say that they only way to stand a chance of resetting the password is to be able to see the firmware and for that you need to look at the PCB to see what your options are. Generally, it's almost certainly possible one way or another, you just have to find it.

If you know the model of the device, you can do some Googling to see if anyone has done this before you.

It's probably not running Apache, more likely some kind of lightweight web server package. If you can use CURL to get the HTTP headers, you can usually see what server it's running (I can't remember off the top of my head the syntax for this. Actually, you can just telnet to port 80 and type:

GET / HTTP/1.1
Host: 127.0.0.1

Finish with a return, return. Job done.

 

[linuxnewbie]

I doubt you'll get much mileage trying to connect over the network. There might well be a telnet service running but it will almost certainly ask for authetnicatio (ie the password that you know not). You might find some other custom services listening too.

From your userID, I'd suspect you have a Linux box, so if you know the IP address of the panel, run:

nmap -p 1:65535 <ip>

You might have to install nmap with yum install nmap or whatever.

I would again say that they only way to stand a chance of resetting the password is to be able to see the firmware and for that you need to look at the PCB to see what your options are. Generally, it's almost certainly possible one way or another, you just have to find it.

If you know the model of the device, you can do some Googling to see if anyone has done this before you.

It's probably not running Apache, more likely some kind of lightweight web server package. If you can use CURL to get the HTTP headers, you can usually see what server it's running (I can't remember off the top of my head the syntax for this. Actually, you can just telnet to port 80 and type:

GET / HTTP/1.1
Host: 127.0.0.1

Finish with a return, return. Job done.

Hi, Thank you for your further reply. I'm a complete newbie to Linux (literally) with extremely limited knowledge therefore would not have much of an idea of how to install NMap on a Linux box. Tried NMap under Win-7 and can post results on here should you think they'd be of any use but from what I'd gathered only port-80 was open all other ports were closed.

Think you're correct in concluding that the best way forward is to open up the panel but what that will achieve I'm not 100% certain. Can post findings on here though. Agree that the panel is more than likely running Apache failing that something similar. It's a shame it's seemingly not possible to determine what other .htm configuration pages reside in the panel as no doubt they do and it's just the BT branded .htm pages that are making no reference to them.

Surely even with the Intamac service switched-off it's still possible to change the password locally on a panel.

Emailed the manufacturers again and hope they will reply and be able to help. Expensive kit otherwise that is extremely limited in its capabilities and not of a lot of use at all as a burglar alarm with the password being very easy to guess and unchangeable.

Thank you again for your comments.

 

[koalaukboy]

Hi ,

I also have the same alarm kit and so far I got this information,

You can actually login to the admin panel via UI from your browser,

First find out ip address for the alarm panel from your router and click to login

user #; admin
pass: admin1234

this will log you in but again you have limited options to change things in there,

however on the main control panel

you can login to panel by # or * # login is mentioned on the user manual
but * login has the same user id but 6 digit password.
If we can find out the 6 digit password yiou can do all the config via main control panel.

I am also trying to find a solution to all this as it is a fantastic well made kit.

let us know

regards

 

[koalaukboy]

http://192.168.1.2/advSetting.htm, line 9, col 1

 

[koalaukboy]

can you check your fw level and post it please.

CTC1200 1.0.17 I1200E31A 0x008b

 

[linuxnewbie]

Hi ,

I also have the same alarm kit and so far I got this information,

You can actually login to the admin panel via UI from your browser,

First find out ip address for the alarm panel from your router and click to login

user #; admin
pass: admin1234

this will log you in but again you have limited options to change things in there,

however on the main control panel

you can login to panel by # or * # login is mentioned on the user manual
but * login has the same user id but 6 digit password.
If we can find out the 6 digit password yiou can do all the config via main control panel.

I am also trying to find a solution to all this as it is a fantastic well made kit.

let us know

regards

Hi, Thank you for your reply. Apologies for not posting back here as hadn't realised there were replies. Agreed this seems to be well-made kit despite having been advised bought a turkey on another forum. Convinced that the BT branding can be stripped via a Firmware upgrade should this be possible but other than that the web-interface is extremely limited. Thank you for trying to find a solution too.

 

[linuxnewbie]

can you check your fw level and post it please.

CTC1200 1.0.17 I1200E31A 0x008b

Hi,
The firmware is identical from what's been gathered.
CTC1200 1.0.17 I1200E31A 0x008b
Kindest Regards.

 

[koalaukboy]

We need the stock firmware

I now managed to get in to installer menu but very limited and searching to find if it is possible to get climax stock fw after that we ll have all the installation web interface and menus on the panel

 

[linuxnewbie]

We need the stock firmware

I now managed to get in to installer menu but very limited and searching to find if it is possible to get climax stock fw after that we ll have all the installation web interface and menus on the panel

Hi, How did you get into the installer menu please? Was this via the panel or via the web-interface? At a guess there are many, many other configuration and sensor status pages hidden / unavailable with the BT branding however guessing what the .htm filenames are is probably extremely difficult. Please post back here on how you're getting on with delving into this further. Thank you. Agreed we need stock firmware. Best Regards.

 

[koalaukboy]

Logged in to installer menu via main operating panel, I used link crawler and didnt find anyother links other then simple user htm files. If you manage to get more info let us know. I sent an email requesting stock base fw from climax but I dont count on it. It is still a basic alarm only to be used with keyfob for security purposes. I am using the main panel inside a sexure ccupboard where my main proper alarm is installed and only using the keyfob to gain access to the garage. So it is safe to use for me.

but I would still like to use all of the features.


Keep us updated

 

[koalaukboy]

Remote config is done via cgi or xml, I now located cgi and on port 804 but trying to gain access to cgi directory as it is protected..

 

[koalaukboy]

Unable to find user name and password for cgi commands,

linux box says cgi on port 801

run HTTrack and there are no other pages on the webserver on the device,

Hopefully they will respond to various emails I sent tonight with regards to base fw.

Alternative would be running a CID CAMS sw and configuring it remotely ?