Qolsys IQ Panel 2 and 3rd party integration

A few weeks ago, ADT replaced my legacy DSC panel with a new Qolsys IQ Panel 2, which I was not too thrilled about as I had built an ESP8266 to interface to the keybus using https://github.com/taligentx/dscKeybusInterface. I knew that I would lose my integration but hoped to find a way to integrate in the future with Home Assistant.

While reading through the Qolsys installation manual, I came across a page talking about 3rd party connections.

When you enable this option, it gives you a token and opens TCP port 12345, which seems to be an HTTPS server. I was wondering if we could leverage this port somehow to get the status of the panel. Does anyone else have one of these panels and know about this?

I ran a testssl against it:

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       offered (NOT ok)
 Triple DES Ciphers / IDEA                     not offered
 Obsolete CBC ciphers (AES, ARIA etc.)         offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256
                              ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1
 DH group offered:            Unknown DH group (1024 bits)

 Testing server preferences

 Has server cipher order?     no (NOT ok)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-RC4-SHA, 256 bit ECDH (P-256) -- inconclusive test, matching cipher in list missing, better see below
 Negotiated cipher per proto  (matching cipher in list missing)
     ECDHE-RSA-AES256-SHA:          SSLv3, TLSv1, TLSv1.1
     ECDHE-RSA-AES256-GCM-SHA384:   TLSv1.2
 No further cipher order check has been done as order is determined by the client


 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: yes
 TLS clock skew               Random values, no fingerprinting possible
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits
 Server key usage             --
 Server extended key usage    --
 Serial / Fingerprints        58E4C8DE / SHA1 69855C20F32895AF72FD3A0ACF02DDD1470AC4E8
                              SHA256 A3285F61F7CC5F7795600C59AB108D5744AE2D957C9E75462E265CFDE0199150
 Common Name (CN)             qolsys
 subjectAltName (SAN)         missing -- no SAN is deprecated
 Issuer                       qolsys
 Trust (hostname)             certificate does not match supplied URI
 Chain of trust               NOT ok (self signed)
 EV cert (experimental)       no
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   expired (2017-04-05 06:37 --> 2018-04-05 06:37)
 # of certificates provided   1
 Certificate Revocation List  --
 OCSP URI                     --
                              NOT ok -- neither CRL nor OCSP URI provided
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     N/A


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  --   (applicable only for HTTPS)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), potential DoS threat
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=A3285F61F7CC5F7795600C59AB108D5744AE2D957C9E75462E265CFDE0199150 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers
                                           But: Unknown DH group (1024 bits)
 BEAST (CVE-2011-3389)                     SSL3: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES128-SHA
                                           TLS1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES128-SHA
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA


Hi mzac,
Any luck on the integration?
I am also looking into getting the qolsys iq panel 2+. From what I found on the qolsys site, the integration is so far only for control4 controllers. I haven’t yet purchased it as I want to make sure it can be integrated with HA without using alarmdotcom integration. A direct link is always better than a remote one but as of now alarmdotcom is the only way that I can find without having the iq panel 2+.
Here is the link on their FAQ
https://qolsys.com/support/#reamaze#0#/kb/faqs-for-iqp2/how-to-integrate-your-iq-system-with-control-4

Hi HAman, no luck here. I also saw there is a way to integrate with alarm.com with https://wrapapi.com/ however when you set up 2FA on alarm.com, I don’t think it would work. If only alarm.com would have a publicly accessible API it would make this much easier.

Found another thread similar to this…

Hey there Mzac,
Have you tried browsing to the IP/Url that is assigned to the qolsys panel in your local network? Maybe it has a Web GUI where the user can access? If so, there might be a possibility to access it and integrate hopefully in HA.

No, there is no web page returned on port 12345. If you use a browser or curl all you get is a blank page. Maybe it could be a websocket?

Oh my! Just as I was trying, I left a curl connection open and it does look like we have something good here!!!

It is a web socket and spits out json data!! woohoo!!! Now to figure out how to use this in HASS

[email protected]:~ # curl -k https://192.168.200.20:12345
{"event":"ZONE_EVENT","zone_event_type":"ZONE_ACTIVE","version":1,"zone":{"status":"Closed","zone_id":8},"requestID":"679a9ef3-143b-415f-8228-344033e4eaca"}
{"event":"ZONE_EVENT","zone_event_type":"ZONE_ACTIVE","version":1,"zone":{"status":"Closed","zone_id":8},"requestID":"fcefac8a-4f47-4c7e-bfa5-02c6ecd646c7"}
{"event":"ZONE_EVENT","zone_event_type":"ZONE_UPDATE","zone":{"id":"82AF30","type":"Motion","name":"Upstairs Motion Detector","group":"awayinstantmotion","status":"Closed","state":"0","zone_id":8,"zone_physical_type":2,"zone_alarm_type":3,"zone_type":2,"partition_id":0},"version":1,"requestID":"ab003b1a-b61a-4356-b436-5d9c891c2874"}
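Added example (not code from the thread or from Qolsys): instead of `curl -k`, pin the SHA-256 fingerprint that testssl reported for the panel's expired self-signed certificate, refuse the SSLv3/RC4/CBC options it also offers, and fold the JSON lines into a per-zone table. The function names and the one-JSON-object-per-line framing are assumptions drawn from the curl output; how requests are framed on port 12345 is not known from the thread, so `open_pinned` only returns the verified socket.

```python
import hashlib
import json
import socket
import ssl
from functools import reduce

# From the thread: the fingerprint testssl reported, and two lines curl printed.
PINNED_SHA256 = "A3285F61F7CC5F7795600C59AB108D5744AE2D957C9E75462E265CFDE0199150"
SAMPLE_LINES = [
    '{"event":"ZONE_EVENT","zone_event_type":"ZONE_ACTIVE","version":1,"zone":{"status":"Closed","zone_id":8},"requestID":"679a9ef3-143b-415f-8228-344033e4eaca"}',
    '{"event":"ZONE_EVENT","zone_event_type":"ZONE_UPDATE","zone":{"id":"82AF30","type":"Motion","name":"Upstairs Motion Detector","group":"awayinstantmotion","status":"Closed","state":"0","zone_id":8,"zone_physical_type":2,"zone_alarm_type":3,"zone_type":2,"partition_id":0},"version":1,"requestID":"ab003b1a-b61a-4356-b436-5d9c891c2874"}',
]

def fingerprint_matches(der_cert, pinned_hex):
    """True if the SHA-256 of the DER certificate equals the pinned hex value."""
    return hashlib.sha256(der_cert).hexdigest() == pinned_hex.replace(":", "").lower()

def open_pinned(host, port, pinned_hex=PINNED_SHA256):
    """TLS 1.2+, AEAD-only connection that trusts exactly one certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers("ECDHE+AESGCM")               # no RC4 or CBC suites
    ctx.check_hostname = False                    # CN "qolsys" never matches the IP
    ctx.verify_mode = ssl.CERT_NONE               # expired, self-signed: the pin is the check
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10))
    if not fingerprint_matches(sock.getpeercert(binary_form=True), pinned_hex):
        sock.close()
        raise ConnectionError("panel certificate does not match the pinned fingerprint")
    return sock

def apply_event(zones, line):
    """Fold one JSON line into {zone_id: fields}; ignore anything unexpected."""
    try:
        msg = json.loads(line)
    except ValueError:
        return zones
    if not isinstance(msg, dict) or msg.get("event") != "ZONE_EVENT":
        return zones
    zone = msg.get("zone")
    if not isinstance(zone, dict) or not isinstance(zone.get("zone_id"), int):
        return zones
    entry = zones.setdefault(zone["zone_id"], {})
    for key in ("status", "name", "type", "group"):  # copy known string fields only
        if isinstance(zone.get(key), str):
            entry[key] = zone[key]
    return zones

def replay(lines):
    return reduce(apply_event, lines, {})
```

`replay(SAMPLE_LINES)` runs offline; `open_pinned` is only useful against a panel whose certificate you have fingerprinted yourself.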

@frenck do you know of any way to use a remote web socket that is spitting out json and use it as a sensor in Home Assistant?

We have been trying to figure out a way to get these new Qolsys alarm panels that ADT is starting to install into HASS and it seems that they listen on port 12345 and spit out json whenever alarm events are triggered.

If there is no integration that we could already use, could you point us in a good direction? Would a new integration need to be built? See my comment above.

Thanks!

Mzac, that is great news! Hopefully something can become of this! :slight_smile: If there are possibilities, I’ll upgrade to the iq panel 2 plus also!

I’m sending an email to the Qolsys tech support to see if they can help out:

Hi, I am writing you to find out if there is any developer documentation available for the Qolsys IQ2+ panel in relation to the 3rd party developer option.

I am a member of the Home Assistant community (https://www.home-assistant.io/), an open source home automation project that supports 1700+ integrations and growing with support for many different platforms.

Here are some alarm systems that already have integrations:

Since ADT upgraded my system from a legacy DSC panel to a Qolsys IQ2+ panel, I have lost visibility from my Home Assistant install.

However, perusing the install guide I found the option for the 3rd party connections and enabled it to find that the panel listens on TCP port 12345. When connecting to this port, it appears to be a web socket that sends out information when zone changes occur.

What I would be looking for is whether there are any commands that can be sent to the panel through this connection to give an overview of the system, and also to know all the formats of JSON that can be presented back to the client.

If this is possible, I would be willing to work on writing an integration for Home Assistant to work with your panels.

I understand that a lot of companies are not willing to work with open source communities as they prefer to sell their products, but I can tell you from experience that if you are able to provide this information it could open a whole new customer base to your products. I was personally reluctant to switch to this panel knowing I was going to lose my integration with my DSC panel in hopes that I would find a way to integrate with my home automation system in the future.

Thank you for your time and consideration.

Oh lovely tagline in the automated email back from them…

If you are an end-user of Qolsys products and need technical support, contact your authorized Qolsys dealer, monitoring company, or security service provider for assistance. Our team is dedicated to providing excellent technical support for authorized dealers, installers, and distributors.

Looks like we’re going to have to reverse engineer it…

I found a copy of the latest firmware update for qolsys and, digging around, it looks like it may be using MQTT. I’ll keep digging :slight_smile:

Hey there Mzac
Did a little digging around, either qolsys contacted them to develop the Android application on the “tablet” or they copied it from him.
Check this out:

Look familiar? lol

Yep it does! Found the github page but I have a feeling that Qolsys has made changes in the backend.

I found a copy of the latest Qolsys firmware so started digging around in there, there is a lot to look at so we’ll have to dig around to find what we’re looking for.

I just found a mosquitto.conf that shows it is listening on port 8883! Funny, my port scans didn’t pick it up. It is using TLS so now to figure that part out…


I have nothing to add to this, other than I’m watching :). I had this panel installed in our new home (no choice) and want to be able to make use of the sensors. Otherwise I need to switch it out with something useful…

Looks like their mqtt is cert based so would need a valid key to connect … :frowning:

Where did you find 3rd party connections in the menus? I can’t seem to find it on mine.

Do you have the installer code? It is in the wifi menu

I don’t think qolsys would provide the key/cert, but I guess it would be worth a try. Maybe if you say you have the device and that you would like the key. Or if it’s in the device and you just have to find it in the menus…