Smanos w100 alarm panel

I’ve been using a closed-source alarm panel from a Chinese OEM called smanos.
It looks like it is just a rebranded Chuango for the western markets.
The panel is the W100 and provides no API.
I came upon a security CVE about this panel that makes it vulnerable to an attacker on the same network.
I managed to make use of that CVE to get the payload for arming, disarming and setting to home mode.
This is enough data to automate the panel with a bash script using netcat.
It’s a 2018 panel, so if anyone is left with one this might be helpful.

You’ll need your device id.
Save poc.py from the lodi-g/CVE-2019-13361 GitHub repository (at commit 75712ea4d6308d2c2d5bc3693b27170da6869cc9) as a .py file.

usage: a [-h] [-p PORT]
ip wifi_ssid wifi_password

e.g. script.py 192.168.1.1 mywifi 123456

It will return:

set_wifi: receiving:    b'CGWPSC030000deviceid**\r'
set_wifi: device_id:    b'xxxxxx**'
disarm: sending:        b'CGWPCS53xxxxxxxxxx**2'
disarm: receiving:      b'CGWPSC53xxxxxxxxxxxxx**1001\r'

Your payload is what the device returned as "disarm: sending: "

The number after ** is the mode: 0/1/2 = Disarm/Arm/Home

Knowing the payload, you can use it in any script to change the panel’s mode.

I created 3 scripts under config/shell_scripts/

w100_arm.sh
w100_disarm.sh
w100_home.sh

And made them executable with chmod +x.

They are identical; only the last number of the payload changes.

#!/bin/bash
ip="192.168.1.1"
ssid="mywifi"   # not used by this script
pswd="123456"   # not used by this script
port=60003
payload="CGWPCS53xxxxxxxxxxxxxxc**0"

# Send the payload in the background (nc -w 10 gives up after 10 seconds),
# then stop the background job after 1 second
send_payload() {
    { echo -n "$payload" | nc -w 10 "$ip" "$port"; } > /dev/null 2>&1 &
    sleep 1
    kill "$!" 2>/dev/null
}

# Main
send_payload

And added them to configuration.yaml:

shell_command:
  w100_home: /config/shell_scripts/w100_home.sh
  w100_disarm: /config/shell_scripts/w100_disarm.sh
  w100_arm: /config/shell_scripts/w100_arm.sh

Restart Home Assistant.

You can use the scripts as actions in automation.

My example with voice assistant

alias: W100 arm
description: ""
trigger:
  - platform: conversation
    command:
      - alarm on
      - Turn on alarm
      - Turn-on alarm
      - Turnon alarm
      - Turn on the alarm
condition: []
action:
  - service: shell_command.w100_arm
    data: {}
mode: single

Afterthoughts:

  1. I’m totally new with Home Assistant and not an advanced user at all. Scripts and integration may not be polished.
  2. Thanks to @tetele and @Tinkerer on the Discord server that helped me out

Todo:
Decompiled the Android app.
Uploaded the relevant Java class containing the payload info: W100 - Pastebin.com
It may contain additional info for further use cases.

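An added example, not part of the original post: the post shows the panel accepting a mode payload from a host on the same network, so this code parses payloads of the form shown above and flags mode changes sent by any host other than the Home Assistant machine. The record format (source IP plus payload seen on TCP port 60003), the IP addresses and the device id are constructed, and treating `CGWPCS53` as the mode-command prefix is an assumption drawn from the output above.

```python
import re

# Frame layout as it appears in the post's output: "CGWPCS53" + device id +
# "**" + mode digit. Treating "CGWPCS53" as the command prefix is an assumption.
FRAME_RE = re.compile(rb"^CGWPCS53(?P<device_id>.+?)\*\*(?P<mode>[012])\r?$")
MODES = {b"0": "disarm", b"1": "arm", b"2": "home"}  # mapping given in the post


def parse_mode_command(frame: bytes):
    """Return (device_id, mode_name) for a mode-change frame, else None."""
    m = FRAME_RE.match(frame)
    if m is None:
        return None
    return m.group("device_id").decode("ascii", "replace"), MODES[m.group("mode")]


def flag_unexpected_senders(records, allowed_sources):
    """Return one alert per mode-change frame sent by a host not on the allowlist."""
    alerts = []
    for src_ip, frame in records:
        parsed = parse_mode_command(frame)
        if parsed is None:
            continue  # replies and unrelated traffic are ignored
        device_id, mode = parsed
        if src_ip not in allowed_sources:
            alerts.append({"source": src_ip, "device_id": device_id, "mode": mode})
    return alerts


# Constructed sample: (source IP, payload seen going to the panel on TCP 60003).
SAMPLE = [
    ("192.168.1.10", b"CGWPCS53DEVICEID01**1"),       # Home Assistant host arming
    ("192.168.1.77", b"CGWPCS53DEVICEID01**0"),       # unknown host disarming
    ("192.168.1.77", b"CGWPSC53DEVICEID01**1001\r"),  # reply-style frame, not a command
    ("192.168.1.10", b"not a panel frame"),
]

if __name__ == "__main__":
    for alert in flag_unexpected_senders(SAMPLE, {"192.168.1.10"}):
        print("unexpected {mode} command for {device_id} from {source}".format(**alert))
```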