Didier Stevens

Thursday 30 June 2011

Integrating My CCTV DVR And Alarm System

Filed under: Hacking,Hardware — Didier Stevens @ 20:49

I’ve designed and installed my own home automation system: it allows me to control lights and appliances, and monitor activity and environmental parameters at home.

I also have a CCTV DVR with a couple of cameras around the house.

Until now, these 2 systems were not linked. If a PIR sensor detected movement in the garden and later I wanted to see what caused the movement, I had to write down the timestamp and then rewind the DVR around the time the movement was detected. Not anymore. My CCTV DVR has an external IO connector, and now events detected by my alarm system are logged on my DVR. I just have to click on an event on my DVR and the video starts to play.

The problem I faced to achieve this integration, was the lack of documentation. There was no pinout of the external IO connector, not in the manual and not online. So I had to reverse engineer it.

My CCTV DVR is a DVR4L5 sold by Velleman, and is actually produced by AVTECH in Taiwan. The external IO connector is a 9 pin DSUB connector. I can use it to send 4 different alarms to the DVR. But for this to work, the alarm has first to be configured on the DVR:

Set the channel for which you want the alarm to register to N.C. This means Normally Closed, which is counter-intuitive, because I’m using a Normally Open alarm. When I now close the circuit between pin 1 and pin 5 of the external IO connector, an alarm event gets logged and the DVR’s buzzer alerts me. Since I don’t need that buzzer to alert me, I disable it:

Here is an example of alarm events logged by the CCTV DVR:

The DVR can also send alerts to the alarm system. It does this by closing the circuit between pins 6 and 7. For example when it detects movement filmed by one of the cameras. But from experience I know you get a lot of false positives from this motion detection. For example when a cloud moves in front of the sun, the sudden shadow can trigger the simple motion detection algorithm of the DVR. A more useful alert to send to the alarm system is the loss of video signal. The DVR can be configured to sound the alarm when it loses a video signal from one of the cameras. For example when someone tampers with your camera.

Some weeks after I reversed the pinout, I received a reply from AVTECH that confirmed my findings. I’m including it here:






Connect ALARM INPUT (PIN1 – 4) and GND (PIN5) connector with wires. Once an alarm is triggered, the DVR will start recording and the buzzer will be on.

PIN Alarm Corresponding video channel
PIN 1 1 CH1
PIN 2 2 CH2
PIN 3 3 CH3
PIN 4 4 CH4





EXTERNAL ALARM COM Under the normal operation, COM disconnects with NO. But when any alarm is triggered, COM connects with NO.
Attention: The voltage restriction is under DC24V 1A.


EXTERNAL ALARM NO Under the normal operation, COM disconnects with NO. But when any alarm is triggered, COM connects with NO.
Attention: The voltage restriction is under DC24V 1A.







Wednesday 22 June 2011

Quickpost: Need a PoC to Test Your Security Setup? Not Necessarily…

Filed under: Quickpost,Vulnerabilities — Didier Stevens @ 13:30

People regularly ask me for a PoC (PDF or other type) to test their security setup. For example, they sandboxed Adobe Reader and now they want to test that Adobe Reader can’t write to sensitive Windows directories like system32.

Well, you don’t need a PoC to test your setup in this way. Just develop and compile a DLL that writes to system32, and inject it in the target process.

The problem however, is that not everybody has the skills to develop and compile such a DLL. But almost everybody can write a VBScript that accomplishes the same. Here’s a one-liner that creates test.txt in system32:


But how do you get the target process to execute this script? That is something I worked out 2 years ago: bpmtk: Injecting VBScript. In a nutshell: I developed a DLL that once injected into a process, instantiates a VBScript engine and executes the provided script.

Monday 13 June 2011

EMET Article

Filed under: Vulnerabilities — Didier Stevens @ 0:00

(IN)SECURE Magazine published my article on Microsoft’s Enhanced Mitigation Experience Toolkit.

It contains many details I’ve yet to discuss on this blog.


Monday 6 June 2011

Update: vs.py

Filed under: Hardware,My Software — Didier Stevens @ 18:46

I’ve updated my Python program to take surveillance pictures from IP-cameras. This updated version is multi-threaded. For each picture to retrieve, you can specify a thread.

Each line in vs.config requires a 4th parameter now, the name of the thread:

Hall.jpg    -    Thread1

This name can be anything. If you use the same name for different pictures, then these pictures will be retrieved sequentially by this thread.

vs_v0_4.zip (https)

MD5: A2AFAD9E581798F1D986A0AE9DF64577

SHA256: C3AC4892A71DF79E3BA87714CB6323D157C7E74C838EDE81013C96DD4EAD0238

Blog at WordPress.com.