TUCoPS :: Network Appliances :: ifyoucnt.txt

If You Can't Stand the Heat, Hack the Computers!  Understanding OAS Heat
Computers

by The Philosopher

        It is a rare technology indeed that continues to be accessed by
dial-up modem in addition to DSL and other venues, drops one to a
command prompt immediately upon connection, and yet carries a great deal
of significance in the aspect of life it administers.  Such systems do
exist, although they are usually discovered by the oldest and, in the
opinion of some, most primitive of processes; the few systems with so
little security and so much importance are thus often overlooked and
underrated in a hacker culture increasingly geared towards discovery of
the cutting edge.  It is simply astonishing what wardialing is still
capable of revealing, for instance, a technique that has unfortunately
lost most of its popularity in the underground, surviving now primarily
as a pastime for casual phreaks, who more often than not do it by hand
in search of nothing so glamorous or useful as modem carriers to
computer systems, a practice usually called 'hand scanning' or simply
'scanning'.  Heaters and monitoring/building automation systems of all
types comprise one of the few remaining classifications of machines that
may still be accessible via phone lines, and one of the still scarcer
categories of those that do not immediately require a password.  As
might be expected, these attributes, when exploited clandestinely,
provide the potential for some extremely outlandish hijinx, some of the
only things possible remotely that even begin to compare with the pranks
portrayed in the film "Hackers" (with regard to physical manipulation of
buildings remotely).  From these computers the temperature of water in
the boiler, the cutoff temperatures at which the OAS will cease to heat
the building, burner attributes and more may be controlled; these
systems are designed to manipulate and monitor the entire scope of
processes involved in space heating.  Brief, minimal explanations of
boiler operation and water heating are necessitated by the subject
matter of this paper and will be provided in due course.  Still,
interested readers are urged to research boiler operation and water
heating more extensively.  In this article the extent of this author's
knowledge regarding said systems shall be detailed only with respect to
specific models of OAS heat computers; however, the similarities of
their operation would suggest that other brands and versions function in
a similar fashion, so the information within this article should remain
useful should one encounter a unit other than those specified here.

        As was mentioned previously, the OAS Heat Computer (version
6310, in the following captures) is an attractive target for exploration
as it is accessible remotely over a modem (and, in the case of later
models, DSL over a static IP) connection, provides a plethora of
information regarding the boilers under its control to anyone who calls
without supplying security credentials (although a password is necessary
for programming) and makes possible remotely tasks that formerly
required access to a thermostat or boiler room.  Said modem connection
to the OAS requires 1200 baud and 7E1 terminal settings (7 data bits,
even parity, one stop bit).  Upon connection a banner similar to the
following will be displayed:

CONNECT 1200

OAS Heat Computer
124-5 & 328-12 WEST 12    12:49A Tue Jun 24, 2008

MODE:

This identifies the address and the time and date at the location of
the unit, concluding with a "MODE:" prompt.  Note that this is a street
address in the format 124 West 12th St. (this unit has moved since this
was set during the installation period, though, and the address is
obviously fictitious, changed to preserve the identity of this
particular system); this is the format for New York City, at least.
Units in other locations may display it differently.  "MODE:" prompts
the user to enter a command.  Typing a question mark will result in the
following helpful explanation providing a list of commands and keys that
will be used during the session:


MODE: ?
COMMANDS:
R = CURRENT REPORT
S = SET POINTS
P = PROGRAMMING (ALSO P1,P2,P3,P4)
T1,T2,T3 = HOURLY TEMPERATURE RECORDS
E = EVENTS
H = DAILY HISTORY (HA,HB = THE TWO PARTS SEPARATELY)
W1,W2,W3 = WATER RECORDS
D1,D2,D3 = T1,T2,T3 + E + H + W1,W2,W3
XD1,XD2,XD3 = MORE HOURLY RECORDS
L = LOGON MESSAGE (ADDRESS AND DATE)
V = VERSION (MODEL NUMBER, DATE AND NOTES)


SPECIAL KEYS:
<?> = HELP
<CTRL-C>, <ESC> = ABORT CURRENT MODE
<CTRL-S> = PAUSE TRANSMISSION
<CTRL-Q> = RESUME TRANSMISSION
<BACKSPACE> = DELETE LINE

Current Report

The descriptions of commands are fairly cryptic, as the OAS assumes that
one is familiar with its administration.  I shall elaborate: "R",
Current Report, will print a report of the temperatures of water in
various sections of the boiler as well as their status, as seen below
(note that commands must be entered in all caps):

MODE: r

MODE: R
__TIME_245A_245B_245C_245D_285A_285B_285C_285D____9___10__OUT__AQS__DHW_CHW_STK
 12:49A  77   80   82   78   80   74   82   83   <5*  <5*| 68  194  117 >>> 136

 OFF(B) AUT(K) WINTER

_BURNER__HEAT___BYP___MAL___BAT__HI__LO_
   0:03  0:00  0:00  0:00  0:00  71  68
0
__H-A__H-W__L-W__H-S_____WTR_
  198  128  113  656       0


TIME is self-explanatory: the time of access.  245A through 285D signify
the eight thermistor sensor inputs of the computer, with the values
underneath them denoting the temperature at each corresponding location.
(A thermistor is a thermal resistor, a resistor whose electrical
resistance varies with temperature.  Thermistors were invented by Samuel
Ruben in 1930, although they were not developed for practical commercial
use until the latter half of the 1950s by Bell Telephone Laboratories.
This information is included in case one wonders how temperature data is
converted into electrical signals decipherable by the computer.)  OAS
claims that these may span three locations; perhaps the 245 and 285
sensors are located in two separate places.  _9 and _10 are two
additional sensors that report apartment or outside temperatures.  A
"<5*" indicates an electrical break/open connection or indeed a
temperature below 5 degrees F.  Obviously the former is true in the case
of this building, since it was accessed in June, and the other reported
temperature values are nowhere near 5 degrees or less.  OUT is the
sensor input for outside air; 68 is the temperature outside at the time
of access.  AQS stands for aquastat; this value represents the
temperature of the water in the boiler.  "DHW" and "CHW" are acronyms
for domestic hot water and coil hot water, respectively, representing
the temperature of hot water when "called" domestically and in the coil.
To make this distinction, the term "domestic hot water" or DHW refers to
potable water used for functions other than space heating; i.e., water
of sufficient quality for human consumption (regardless of actual usage)
that is not used to heat a building.  ("Potable" water is tap water,
water deemed suitable for drinking.)  Examples include tap water used
for showering/bathing, drinking, cooking, cleaning, etc.  The latter
value, CHW, is necessary to monitor since debris may collect on the
outer coil and absorb heat, thereby lowering the temperature of the
water as it travels through the boiler and wasting fuel, as more is
required to achieve the requested temperature.  The arrows seen
underneath CHW signify a "probable electrical open" according to the
electronic manual for the OAS Heat Computer 1000 (which is packaged with
software that will be discussed in the latter half of this article).
Usually, though, a numerical temperature value will be displayed here.
Following CHW, STK represents the temperature of the stack (also
commonly referred to as the chimney) of the boiler.

        Notice that the burner is in winter mode, an unusual condition
for a system accessed in June.  Summer and winter modes differ in that
the heat computer will cease to actively provide heat when it is set to
the former, although domestic hot water will still be provided, whereas
in winter mode the computer will provide heat and function ordinarily.
Altering the mode from winter to summer and vice versa is one of the
programmable set points of the system, as will be seen anon.  "OFF(B)"
reports the status of the burner as off, and "AUT(K)" the status of the
key switch as in the automatic position.  This key switch serves as a
venue to control the most fundamental functions of the heat computer
manually and locally: if in the ON position, it activates the burner in
a manual bypass; that is, in the absence of a heat call.  "Heat call" is
simply the term for a request for heat, either automatic/digital (the
temperature may drop below the programmed threshold, necessitating heat)
or manual.  Calls may also occur for domestic hot water.  If in the OFF
position, the burner will be switched off and remain unresponsive to
heat calls.  In the automatic position, the burner will
activate/deactivate appropriately depending upon the presence of system
heat calls.  Also on this line may commonly be printed an indication of
a domestic hot water call; it could alternately be seen as:

 OFF(B) AUT(K) WINTER DHWTR

Furthermore, all of the dial-out alarm conditions described below may
appear on this line of the report, in addition to OVRD (programmed
override) and BAT, which indicates that the system is currently
operating on battery backup.  Hydronic systems may exhibit "ON(C)" or
"OFF(C)", which report the status of the circulator pump as on or off.
The differentiation between hydronic and steam boilers will be made
throughout the current report analysis as the OAS Heat Computer handles
each respective type of system slightly differently.  Hydronic boilers
heat fluid, usually water, to a specific temperature and heat a space
through the circulation of that hot water or fluid.  The circulation
pump serves the specific function of returning water to the boiler once
its heat has been largely dissipated.

        The next line reports the burner run time, heat time, bypass,
malfunction, and high/low outside temperatures for the past 14 days.  As
can be concluded from a brief analysis, the burner has been running for
three minutes at the time of access, and no malfunctions or bypasses
have occurred.  It appears as if the current outside temperature is the
lowest in two weeks.  High aquastat temperature (H-A), high/low domestic
hot water temperature (H-W, L-W), highest stack temperature (H-S) and
boiler water consumption (WTR) are daily reports as opposed to the
current ones seen above.  HEAT, or heat time, displays the burner run
time during heat calls (an instance of heat being turned off or on is
referred to as a heat call, as noted above; the redundancy here is
simply to facilitate quick reference to this particular section of the
report analysis).  Underneath BYP, system bypass, is placed the burner
run time during a period in which the burner is active yet no heat or
DHW calls are present.  Bypasses will trigger the bypass alarm (see
below), and may occur when the key switch has been manually set to the
ON position, or if the burner has been physically controlled from the
burner panel located on the heat computer system itself.  In order to
understand the significance of the time value, if one is present under
MAL, one must understand the method by which the heat computer defines
and manages 'malfunctions'.  In order to properly operate the burner as
corresponds to heat calls, the OAS Heat Computer temporarily records
through its circuitry the burner status.  The "flame failure" circuit is
that which will be interrupted if flame is not produced when called for.
The malfunction alarm is connected to this circuit and "listens" for
flame failure.  If a delay in excess of 45 minutes is reported between a
call for heat or DHW and the activation of the burner, when the key
switch is in the automatic position, a "timed malfunction" occurs; its
duration is printed here and it is logged as an event in the records
viewable by the 'E' command.  Timed and hardware malfunctions differ in
that the latter is a failure of flame even when the burner has attempted
to produce it, as opposed to timed malfunctions, which are failures of
the burner to activate at all; logging of this is an instant process.
BAT reports the amount of time that the heat computer has been operating
on battery backup.
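To make the report layout concrete, here is an added example, written for this article and not the OAS unit's own software or anything supplied by OAS, that parses a captured 'R' screen in Python and lists the conditions an operator reviewing their own unit would want flagged: open sensors, a key switch out of AUTO, override or battery operation, and any bypass or malfunction time in the 14-day timers.  The sample report is constructed from the one shown above; the idea that the dial-out alarm names may be echoed on the status line, and the list of those names, are assumptions.  The same underscore-padded header/value layout is used by the hourly records ('T1') and daily history ('H') modes, so the header splitting applies there too.

```python
"""Parse a captured OAS Heat Computer 'R' (current report) screen and list
the conditions an operator would want flagged.  Added example for this
article, not the unit's own software.  Field names come from the report
headers in the article; the set of alarm names that may be echoed on the
status line is an assumption."""
import re

# Constructed sample, modelled on the report shown in the article.
SAMPLE_REPORT = """\
MODE: R
__TIME_245A_245B_245C_245D_285A_285B_285C_285D____9___10__OUT__AQS__DHW_CHW_STK
 12:49A  77   80   82   78   80   74   82   83   <5*  <5*| 68  194  117 >>> 136

 OFF(B) AUT(K) WINTER

_BURNER__HEAT___BYP___MAL___BAT__HI__LO_
   0:03  0:00  0:00  0:00  0:00  71  68
0
__H-A__H-W__L-W__H-S_____WTR_
  198  128  113  656       0
"""

# Assumed: the dial-out alarm names from the 'S' screen, if echoed on the status line.
ALARM_TOKENS = {"MAL", "AQS", "DHW", "BYP", "APT", "ADC", "A7", "A8"}

def split_header(line):
    """'__TIME_245A____9_' -> ['TIME', '245A', '9']: headers are '_'-padded."""
    return [f for f in re.split(r"_+", line.strip()) if f]

def parse_reading(token):
    """One report cell -> (value, note).  '<5*' is an open connection or a
    reading below 5 F, '>>>' a probable electrical open, '>90' an off-scale
    high reading; anything else is a plain integer."""
    if token == "<5*":
        return None, "open connection or below 5 F"
    if token == ">>>":
        return None, "probable electrical open"
    if token.startswith(">"):
        return int(token[1:]), "off-scale high"
    return int(token), ""

def hhmm_to_minutes(token):
    """'0:03' -> 3; the 14-day timers are printed as H:MM."""
    hours, minutes = token.split(":")
    return int(hours) * 60 + int(minutes)

def parse_report(text):
    """Return the time, sensor readings (None where the cell is not a number),
    notes on such cells, the status tokens, the 14-day timers in minutes
    and the daily extremes."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    report = {"time": None, "readings": {}, "notes": {}, "status": [],
              "timers": {}, "daily": {}}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("_") and i + 1 < len(lines):
            # A header is followed by its value line; the '|' before OUT is decoration.
            fields = split_header(line)
            values = lines[i + 1].replace("|", " ").split()
            if len(values) != len(fields):
                raise ValueError(f"field/value mismatch under {fields[0]}")
            if fields[0] == "TIME":
                report["time"] = values[0]
                for name, tok in zip(fields[1:], values[1:]):
                    value, note = parse_reading(tok)
                    report["readings"][name] = value
                    if note:
                        report["notes"][name] = note
            elif fields[0] == "BURNER":
                for name, tok in zip(fields, values):
                    report["timers"][name] = (hhmm_to_minutes(tok)
                                              if ":" in tok else int(tok))
            else:
                for name, tok in zip(fields, values):
                    report["daily"][name] = parse_reading(tok)[0]
            i += 2
        elif "(K)" in line:      # burner / key switch / season status line
            report["status"] = line.split()
            i += 1
        else:                    # 'MODE: R' echo, stray lines
            i += 1
    return report

def findings(report):
    """Open sensors, a key switch out of AUTO, override or battery operation,
    alarm names on the status line, and bypass/malfunction time in 14 days."""
    out = [f"sensor {name}: {note}" for name, note in report["notes"].items()]
    status = set(report["status"])
    if "AUT(K)" not in status:
        out.append("key switch is not in AUTO")
    for tok in ("OVRD", "BAT"):
        if tok in status:
            out.append(f"status flag {tok} present")
    for tok in sorted(status & ALARM_TOKENS):
        out.append(f"alarm condition {tok} reported")
    for name in ("BYP", "MAL"):
        minutes = report["timers"].get(name, 0)
        if minutes:
            out.append(f"{name} time in last 14 days: {minutes} min")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_report(SAMPLE_REPORT))))
```

Run against the constructed sample it reports only the three non-numeric cells (sensors 9 and 10 open, CHW probable electrical open), which matches the reading of the report above; a capture with the key switch in ON, OVRD on the status line or a non-zero BYP timer would add an entry for each.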


ASCII Diagrams

        To enhance reader understanding of boiler operation, two ASCII
        diagrams are included.  Two main classifications of steam
        boilers exist: shell and coil type.  Differences in structure are
        evident in the diagrams, and marginal explanations are written
        in.


                                                                 Safety vent
                                                                 |
                                                                 |   (  )
                                                                 v   |  | <--Stack/Chimney
     Steam travels in this direction through this valve<===_    ||   |  |
                                                   Dome-->| |   ||   |  |
                                       ___________________|_|___||___|__|_______
                                       (                   | |   ||              )
                                       (   ________________|_|___||______        )
              Water line --> =========(--(______________________________)       )
                                       (  (______________________________)       )
                         ........      (  (______________________________)<------)--------"Aquastat" temp.
                         .        .____(  (______________________________)       )         would refer to
                         . Burner .  | (___***      Shell Type Boiler            )         the temp. of
                         .        .__|_(___***___________________________________)         water in these
                         ..........         ^                                              pipes.
                                            |
                                           ASCII approximation of flames



                                                          Burner
                          ____                              |
                        <|____|                             |
                           | |                        . . . v. . .
                           | |                       .     _v__    .
             Steam line--> | |                     .  ||  |____|     .
             Steam travels | |        Safety vent-.-->||  |____|      .
             through this  | |                     ...||..|....|.......
             valve into a   \ \__________________||       |____|       ||
             separator.      \                   || ______|v|v|_______ ||
                              \__________________||(_____ |v|v|<Ascii approximation of flames
                                                 || ______|v|v|_______ ||
                   'Coil' lining the inner shell-->(______|v|v|_______)||
                  'Coil hot water' refers to the || ______|v|v|_______ ||
                  temperature of the water in    ||(_____ |v|v|_______)||
                  this coil.                     || ______|v|v|_______ ||     ( )
                                                 ||(______|v|v|_______)||     | |
                                                 || ______|v|v|_______ ||     | |
                                                 ||(______|v|v|_______)||     | |  <--Stack/chimney
                                                 || ______|v|v|_______ ||     | |
                                                 ||(______|v|v|_______)||    / /
                                                 || ______|v|v|_______ ||---/ /
                                                 ||(______|v|v|_______)|-----
                                                 || ______|v|v|_______ ||
                                                 ||(______|v|v|_______)||
                                                 || ______|v|v|_______ ||
                                                 ||(______|v|v|_______)||
                                                 ||                    ||
                                                 ||  Coil Type Boiler  ||
                                                 ||                    ||
                                                 ||                    ||

Set Points

        True to the OAS advertisement pitch of "Be A Control Freak",
several attributes (henceforth referred to as 'set points') of the heat
computer may be remotely programmed; this is the venue through which the
title of this article may be literally applied.  Set points are as
follows:

MODE: S
TIME SET POINTS                 DIAL OUT
  DAY           5:30A             ALARMS___MAL_AQS_DHW_BYP_APT_ADC__A7__A8_
  EVENING       6:00P             ENABLED:  N   N   N   N   N   N   N   N
  NIGHT        10:00P
                                  AQS  120            A7.
TEMPERATURE SET POINTS            DHW   90            A8.
  INSIDE
    DAY      69                   1. 1917XXXXXXX
    EVENING  69                   2. 1800XXXXXXX
    NIGHT    65                   3. 191XXXXXXXX
    ATH       0                   4.
  OUTSIDE                         *. XXXXXXXXXXX
    DAY      55
    NIGHT    40
SUMMER/WINTER  W

AQUASTAT
  DAY     190
  NIGHT   190
  DIF      10

Time set points define 'day', 'evening' and 'night' for the system by
their starting hour.  Thus, the period from 5:30 a.m. to 6:00 p.m. is
considered 'day', from 6:00 p.m. to 10:00 p.m. is 'evening', and so
forth.  The importance of establishing and defining these categories
lies in the fact that the OAS determines cutoff temperatures by the time
of day; this individual system will cease to heat the building actively
if the inside temperature during the period defined as day reaches 69
degrees, the temperature set point for this particular system.  If the
heat computer is administering an apartment building, heat will be
provided if a majority of Outside cutoff temperatures are logically
opposite the inside as the system is incapable of heating the area
outside a building; therefore, 55 and 40 degrees, as seen here, are the
temperatures at which, when sensed by thermistors, the boiler will
initiate procedures to actively heat the building.  The precise purpose
and effect of summer/winter mode is unknown and absent from the
technical specifications of other versions, including the 3500.  A
reasonable assumption, however, is that summer operation tolerates lower
maximum aquastat and cutoff temperatures without activating an alarm by
default, since the outside temperatures are obviously expected to be
higher.  Under "aquastat" are the temperature settings, with a permitted
differential of ten.  Dial-out and alarm conditions follow: the computer
will generate an alarm message in the instance of a burner malfunction,
an aquastat temperature below the specified minimum (120 degrees, here),
an excessively low domestic hot water temperature, a system bypass, a
disconnected area sensor, and/or an analog-to-digital converter error.
A7 and A8 are additional generic alarms that may be connected to
external devices.  Alarms MAL through BYP will dial out after five
minutes of the persisting condition, APT after ten, and ADC after forty.
This is only logical, as analog-to-digital converter and apartment
sensor errors are far more likely to be resolved automatically with
system resets and other automatic measures, and it is not absolutely
vital that the building manager be made aware of them immediately, as
they concern the machine and not, directly, the actual heat or hot water
in the building.  Despite what may be believed to the contrary, the
terse list of phone numbers is NOT a directory of dialups to other units
(the number following the asterisk is the dialup for the unit to which
the user is connected), nor is it a log of the last four numbers to dial
in.  Instead, the OAS will dial the numbers listed and leave an
automated message, an emergency page (if a beeper/pager number is
specified) or an electronic message (if sent to a modem), with the alarm
time and status.  Often these numbers will seem rather random and
unrelated when called.  Remember that the purpose of this feature is to
notify those in charge of the building, who are most likely responsible
for remote programming of the system as well, of alarm conditions; it
would do little good to have the computer call the main number(s) of the
building itself to report problems.  These numbers, then, could merely
be those of people or other places that the owner of the computer has
contact with and access to, possibly including personal numbers.  In
fact, the author of this article knew that the number of this particular
unit was registered to a certain establishment, here called "Jones
Financial".  Upon calling one of the numbers listed, an answering
machine picked up with the greeting, "You've reached the Joneses".  Case
in point.
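The 'S' screen above shows every dial-out alarm disabled, which means a bypass or malfunction on this unit would never be reported to anyone.  The following Python is an added example, not OAS software, that parses a captured 'S' screen and audits that configuration: it reads the ALARMS/ENABLED rows, the AQS and DHW low-temperature thresholds and the programmed dial-out slots, then reports which critical alarms are off and whether enabled alarms have a number to dial.  The weak sample is modelled on the screen above with the digits masked as in the article; the hardened variant, the delays attributed to each alarm (taken from the paragraph above, with none given for A7/A8) and the choice of which alarms count as critical are assumptions.

```python
"""Audit the dial-out alarm configuration on a captured OAS Heat Computer
'S' (set points) screen.  Added example for this article, not the unit's
own software.  The alarm names, the ENABLED row and the dial-out delays
(MAL through BYP after 5 minutes, APT after 10, ADC after 40) come from the
article; it gives no delay for A7/A8, so those are None, and which alarms
count as critical is an assumption."""
import re

# Constructed sample, modelled on the 'S' screen in the article (digits masked as there).
WEAK_SETPOINTS = """\
MODE: S
TIME SET POINTS                 DIAL OUT
  DAY           5:30A             ALARMS___MAL_AQS_DHW_BYP_APT_ADC__A7__A8_
  EVENING       6:00P             ENABLED:  N   N   N   N   N   N   N   N
  NIGHT        10:00P
                                  AQS  120            A7.
TEMPERATURE SET POINTS            DHW   90            A8.
  INSIDE
    DAY      69                   1. 1917XXXXXXX
    EVENING  69                   2. 1800XXXXXXX
    NIGHT    65                   3. 191XXXXXXXX
    ATH       0                   4.
  OUTSIDE                         *. XXXXXXXXXXX
    DAY      55
    NIGHT    40
SUMMER/WINTER  W

AQUASTAT
  DAY     190
  NIGHT   190
  DIF      10
"""

# The same screen with the four burner/water alarms switched on (constructed).
HARDENED_SETPOINTS = WEAK_SETPOINTS.replace(
    "ENABLED:  N   N   N   N   N   N   N   N",
    "ENABLED:  Y   Y   Y   Y   N   N   N   N")

DIAL_OUT_DELAY_MIN = {"MAL": 5, "AQS": 5, "DHW": 5, "BYP": 5,
                      "APT": 10, "ADC": 40, "A7": None, "A8": None}
CRITICAL = ("MAL", "AQS", "DHW", "BYP")   # assumption: what a manager must hear about

def parse_setpoints(text):
    """Return the alarm enable flags, the AQS/DHW low-temperature thresholds
    and the dial-out numbers in slots 1-4 (the '*.' slot is the unit's own
    number, not a dial-out target)."""
    lines = text.splitlines()
    cfg = {"alarms": {}, "thresholds": {}, "numbers": {}}
    for i, line in enumerate(lines):
        if "ALARMS_" in line:           # header row; the Y/N row is directly below it
            names = [n for n in re.split(r"_+", line.split("ALARMS", 1)[1]) if n]
            states = lines[i + 1].split("ENABLED:", 1)[1].split()
            cfg["alarms"] = dict(zip(names, states))
        m = re.search(r"\b(AQS|DHW)\s+(\d+)\b", line)
        if m:
            cfg["thresholds"][m.group(1)] = int(m.group(2))
        m = re.search(r"\b([1-4])\. (\S+)", line)   # an empty slot ('4.') does not match
        if m:
            cfg["numbers"][int(m.group(1))] = m.group(2)
    return cfg

def audit(cfg):
    """Which critical conditions would never dial out, and whether enabled
    alarms have a number to call."""
    out = []
    for name in CRITICAL:
        if cfg["alarms"].get(name) != "Y":
            delay = DIAL_OUT_DELAY_MIN[name]
            out.append(f"{name} alarm disabled: a {name} condition persisting "
                       f"{delay} min would not dial out")
    if "Y" in cfg["alarms"].values() and not cfg["numbers"]:
        out.append("alarms are enabled but no dial-out numbers are programmed")
    return out

if __name__ == "__main__":
    for label, screen in (("weak", WEAK_SETPOINTS), ("hardened", HARDENED_SETPOINTS)):
        print(label, audit(parse_setpoints(screen)))
```

On the weak screen the audit lists all four critical alarms as disabled; on the hardened variant it is silent, and it complains again if the dial-out slots are emptied while alarms stay enabled, since an alarm with nowhere to dial is no better than one that is off.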

Programming the System

        The next option in the menu of commands is perhaps the most
exciting, as it increases the potential to learn about the system by way
of practical application.  Pressing 'P' at the prompt will result in the
following sub-prompt for a password:

PASSWORD:

If an invalid password is entered twice, the OAS will output the
directive, "redial" to the screen, spew a line of garbage text, and
disconnect the user:

PASSWORD: INVALID
REDIAL
4_QKvhbhC\v5(ij%Tudy%!#`&X WJd,U'MOu@,D+LS
NO CARRIER


        Defaults for this are unknown, although it is likely that they
exist and are given to customers at the brief seminars that all new OAS
owners are recommended to attend.  If one is truly determined to know
the password, I would recommend that the interested hacker also visit
the seminar.  No features that log invalid password attempts are
documented.  Passwords do not echo to the terminal.  The programming
option is used to set every consequential element of the system, from
time set points to hardware handling.  Passwords are at most ten
characters in length, an attribute revealed by the audible bell
(Control-G character) heard when an eleventh character is entered; this
bell will also sound at the MODE: prompt when input in excess of the
expected length is entered.  When a correct password is entered a main
menu of four options will appear.  The four main options are as follows:


1. CLOCK, DATE
2. SET POINTS
3. MISCELLANEOUS
4. DIALOUT

Selection of any one of these will open a sub-menu of options followed
by a question mark.  For example, the following options may be displayed
in the miscellaneous sub-menu 3:

OVERIDE/NORMAL?

SENSORS?

SENSOR LABELS?

METERS?

METER LABELS?

STEAM/HYDRONIC?

BURNER SIGNAL?

VERSION NOTES?

PASSWORD?

In order to program any of the options in any sub-menu, input the
desired value followed by a carriage return <CR>.  If a <CR> is pressed
without an alteration in value, the next option in the sub-menu will be
displayed; to navigate through the sub-menus without programming, simply
press ENTER at the option prompts.  As is the case with the main 'MODE:'
menu, typing a question mark will display all of the potential values
for a programmable option, ESC is used to exit from programming mode
altogether (upon which a password need not be supplied to re-enter
during the session), and BACKSPACE cancels an entire line of input.  If
an invalid value is entered, "INVALID ?=HELP" will be printed.

Sub-menu Notes

        Sub-menus 1, 2, and 4 are straightforward: programming of the
clock, date, set points as seen in the 'S' mode, and dial-out
numbers/alarm conditions is accomplished here.  The 'MISCELLANEOUS'
sub-menu, however, requires some explanation.  The first option,
OVERIDE/NORMAL, will set the system in a heat call for one hour if the
override value is entered; it may be interrupted at any time during the
cycle and turned off, returning the system to 'normal' operation.  At
'SENSORS?' one may manipulate the privileges of the apartment
temperature sensors (priority) and turn the outside temperature and
aquastat sensors on and off.  Sensor and meter labels refer to the
headings that denote the thermistors and water meter in the current
report 'R'.  'METERS?' provides the options to turn the water meters on
and off, combine the pulse inputs into a single, double-headed meter,
specify a scale factor for the flow rate, and turn the water records on
and off.  'STEAM/HYDRONIC?' is only useful on the model of heat computer
that may be used for steam or hydronic systems, and controls reporting
options.  'BURNER SIGNAL?' does not control the burner control signal,
which activates the burner; it only permits the user to switch the
monitoring of the burner-on and malfunction signals on or off.  One may
write "version notes" with the second-to-last option; these will be
seen with the "V" command and typically pertain to any idiosyncrasies
of the boiler to which the computer is attached.  The final option in
this sub-menu enables the user to change the programming password, an
action not advisable as the legitimate operator of the unit will
undoubtedly notice the presence of an intruder upon discovering that
the password last used is no longer valid; still, little recourse
exists for this.  Interestingly, it seems as if the password storage
capability of certain models is more extensive than a single
programming password, as some oil companies have been known to possess
passwords in addition to building managers.


Controlling the Heat

        For reasons of sheer practicality and to remain true to the
title, here is a quick step-by-step tutorial regarding the actual
setting of heat.  At the 'MODE:' menu, press 'P' to enter programming
mode and enter the password.  Select sub-menu 2, set points, and
navigate to the option to set the maximum temperatures under 'day',
'evening' and 'night'.  Note the current definitions of all three times
of day and select the appropriate point.  To increase the heat, increase
the maximum temperature permitted value as described above; to decrease
heat, decrease this value.  Alternately, one could input a manual
override at the miscellaneous sub-menu to actuate a one hour heat call.

Other Modes

        A few of the following modes are mere alternate manifestations
or continuations of the data displayed in the report and are explained
satisfactorily by the help command.  T1, T2, and T3 are indeed nothing
more than hourly temperature records in the following format, edited
here for brevity:

MODE: T1
__TIME_245A_245B_245C_245D_285A_285B_285C_285D____9___10__OUT__AQS__DHW_CHW_STK
 12:00M  77   83   82   81   80   74   82   83   <5*  <5*| 68  189  116 >>> 120
 11:00P  76   82   82   80   81   76   82   83   <5*  <5*| 69  181  116 >>> 120
 10:00P  75   82   82   80   81   76   82   83   <5*  <5*| 68  194  119 >>> 272
  9:00P  75   82   82   78   81   76   81   83   <5*  <5*| 68  189  117 >>> 128
  8:00P  76   79   82   78   82   76   81   83   <5*  <5*| 70  181  116 >>> 120
  7:00P  76   82   82   81   81   76   82   83   <5*  <5*| 71  198  119 >>> 152
  6:00P  77   81   81   80   81   75   81   83   <5*  <5*| 69  184  117 >>> 120
  5:00P  77   81   81   80   81   73   81   82   <5*  <5*| 70  191  117 >>> 128
  4:00P  77   80   81   80   81   73   81   81   <5*  <5*| 70  197  119 >>> 144
  3:00P  77   80   81   79   80   74   80   81   <5*  <5*| 70  188  116 >>> 116
  2:00P  77   80   80   78   80   74   80   81   <5*  <5*| 66  194  119 >>> 128
  1:00P  76   79   80   78   79   74   80   80   <5*  <5*| 63  186  118 >>> 124
 12:00N  76   79   80   78   79   75   80   80   <5*  <5*| 66  180  119 >>> 120

The only moderately important distinctions here are that "12:00M" and
"12:00N" represent midnight and noon, in that order, and that these
tables conclude with 11:00 p.m.  T2 and T3 are identical, differing only
in the 24-hour day that they contain data for; T3 contains three-day-old
information, etc.  Similarly, "H" will provide the daily history of the
data in the next lines of the report.  This should appear familiar:

MODE: H
_DATE_BURNER__HEAT___BYP___MAL___BAT__HI__LO_
Jun 23  0:45  0:00  0:00  0:00  0:00  73  62
Jun 22  0:46  0:00  0:00  0:00  0:00  73  61
Jun 21  0:42  0:00  0:00  0:00  0:00  80  60
Jun 20  0:46  0:00  0:00  0:00  0:00  79  61
Jun 19  0:49  0:00  0:00  0:00  0:00  78  57
Jun 18  0:50  0:00  0:00  0:00  0:00  69  56
Jun 17  0:48  0:00  0:00  0:00  0:00  76  63
Jun 16  0:49  0:00  0:00  0:00  0:00  78  61
Jun 15  0:45  0:00  0:00  0:00  0:00  75  65
Jun 14  0:38  0:00  0:00  0:00  0:00 >90  69
Jun 13  0:46  0:00  0:00  0:00  0:00  89  74
Jun 12  0:46  0:00  0:00  0:00  0:00 >90  76
Jun 11  0:48  0:00  0:00  0:00  0:00 >90  75
Jun 10  0:51  0:00  0:00  0:00  0:00 >90  73

_DATE___H-A__H-W__L-W__H-S_____WTR_
Jun 23  198  127  106  664       0
Jun 22  200  125  109  668       4
Jun 21  200  125  107  668       0

etc...

This unit displayed this for every date up to June 10.  XD1-3, or "more
hourly records", were not seen on this system at all and are probably
boiler-specific, perhaps containing records such as the supply and
return temperatures that are only required on hydronic systems.  Since
some of the systems that one may hack might control hydronic boilers, it
is important to retain a knowledge of their workings, information
universal to all types of heat computers that manage such boilers.
Recall the operation of hydronic boilers, specifically the process of
water circulation.  Quite simply, supply temperature refers to the
temperature of water as it exits the boiler to circulate around the
space that it is heating, and return temperature to that of the water as
it returns to the boiler.  Water records were also absent from this log,
strongly suggesting that this is a steam system.  Events, accessed by
the command "E", are entirely separate from the initial report, although
some events may be recorded there without the time of their occurrence:

MODE: E
  8:27P OFF          12:16P  ON DHW      11:56P  ON DHW       2:51P OFF
  8:21P  ON DHW      11:47A OFF          11:00P OFF           2:47P  ON DHW
  7:50P OFF          11:42A  ON DHW      10:55P  ON DHW       1:52P OFF
  7:46P  ON DHW      11:10A OFF          10:05P OFF           1:47P  ON DHW
  7:04P OFF          11:05A  ON DHW      10:00P  ON DHW       1:00P OFF
  6:59P  ON DHW       9:15A OFF           9:20P OFF          12:55P  ON DHW
  6:05P OFF           9:15A HEAT OFF      9:16P  ON DHW      12:04P OFF
  6:01P  ON DHW       8:20A  ON           8:09P OFF          12:00N  ON DHW
  5:35P OFF           8:19A HEAT CALL     8:04P  ON DHW      11:17A OFF
  5:30P  ON DHW       7:06A OFF           7:22P OFF          11:12A  ON DHW
  4:49P OFF           7:06A HEAT OFF      7:16P  ON DHW       9:56A OFF
  4:44P  ON DHW       5:31A  ON           6:38P OFF           9:56A HEAT OFF
  4:00P OFF           5:30A HEAT CALL     6:33P  ON DHW       9:00A  ON
  3:56P  ON DHW       4:34A OFF           5:59P OFF           8:59A HEAT CALL
  2:54P OFF           4:29A  ON DHW       5:54P  ON DHW       7:50A OFF
  2:49P  ON DHW       3:04A OFF           5:03P OFF           7:50A HEAT OFF
  2:15P OFF           2:59A  ON DHW       4:58P  ON DHW       5:31A  ON
  2:10P  ON DHW       1:15A OFF           4:18P OFF           5:30A HEAT CALL
  1:29P OFF           1:10A  ON DHW       4:13P  ON DHW       5:07A OFF
  1:24P  ON DHW      12:00M OFF           3:23P OFF           5:03A  ON DHW
 12:21P OFF          12:00M -----         3:18P  ON DHW       3:39A OFF

This is a record of every burner on/off cycle for the past 84 events. Only ordinary heat and domestic hot water calls are seen above, but flame failures, overrides, bypasses and power failures may also be logged here depending upon the version.
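The two reports above are regular enough to be parsed mechanically, which is what anyone monitoring such a unit (or checking a capture for tampering) would want.  The following Python is an added example, not part of the original article and not OAS code.  It parses the daily history from "H" and the 84-event log from "E" into structured records, reconstructs the chronological order of the event log, sums burner runtime per day from the ON/OFF pairs, and flags days whose burner time departs sharply from the period's median.  The reading order of the event log (each column newest-first, columns left to right, so the whole listing is reverse chronological) is inferred from the timestamps in the capture; the meanings of the BYP, MAL and BAT columns, and the reading of ">90" as a sensor above the display range, are assumptions.  The anomalous history row used by the flagging check is constructed, not from the unit.

```python
import re
from statistics import median

# Excerpt of the daily history ("MODE: H") exactly as the unit printed it.
H_REPORT = """\
_DATE_BURNER__HEAT___BYP___MAL___BAT__HI__LO_
Jun 23  0:45  0:00  0:00  0:00  0:00  73  62
Jun 22  0:46  0:00  0:00  0:00  0:00  73  61
Jun 14  0:38  0:00  0:00  0:00  0:00 >90  69
Jun 12  0:46  0:00  0:00  0:00  0:00 >90  76
"""
# Constructed row (not from any unit): a long burner day plus bypass time.
SYNTHETIC_ROW = "Jun  9  2:10  0:00  0:15  0:00  0:00  88  70\n"

# The 84-event log ("MODE: E") as printed: four columns, each newest-first.
EVENT_LOG = """\
  8:27P OFF          12:16P  ON DHW      11:56P  ON DHW       2:51P OFF
  8:21P  ON DHW      11:47A OFF          11:00P OFF           2:47P  ON DHW
  7:50P OFF          11:42A  ON DHW      10:55P  ON DHW       1:52P OFF
  7:46P  ON DHW      11:10A OFF          10:05P OFF           1:47P  ON DHW
  7:04P OFF          11:05A  ON DHW      10:00P  ON DHW       1:00P OFF
  6:59P  ON DHW       9:15A OFF           9:20P OFF          12:55P  ON DHW
  6:05P OFF           9:15A HEAT OFF      9:16P  ON DHW      12:04P OFF
  6:01P  ON DHW       8:20A  ON           8:09P OFF          12:00N  ON DHW
  5:35P OFF           8:19A HEAT CALL     8:04P  ON DHW      11:17A OFF
  5:30P  ON DHW       7:06A OFF           7:22P OFF          11:12A  ON DHW
  4:49P OFF           7:06A HEAT OFF      7:16P  ON DHW       9:56A OFF
  4:44P  ON DHW       5:31A  ON           6:38P OFF           9:56A HEAT OFF
  4:00P OFF           5:30A HEAT CALL     6:33P  ON DHW       9:00A  ON
  3:56P  ON DHW       4:34A OFF           5:59P OFF           8:59A HEAT CALL
  2:54P OFF           4:29A  ON DHW       5:54P  ON DHW       7:50A OFF
  2:49P  ON DHW       3:04A OFF           5:03P OFF           7:50A HEAT OFF
  2:15P OFF           2:59A  ON DHW       4:58P  ON DHW       5:31A  ON
  2:10P  ON DHW       1:15A OFF           4:18P OFF           5:30A HEAT CALL
  1:29P OFF           1:10A  ON DHW       4:13P  ON DHW       5:07A OFF
  1:24P  ON DHW      12:00M OFF           3:23P OFF           5:03A  ON DHW
 12:21P OFF          12:00M -----         3:18P  ON DHW       3:39A OFF
"""

DAY = 24 * 60
# One event: a 12-hour time (N = noon, M = midnight) followed by its label.
EVENT_RE = re.compile(r"(\d{1,2}):(\d{2})([APNM])\s+(-----|[A-Z]+(?: [A-Z]+)?)")
# One MODE: H row: date, five H:MM columns, then the HI and LO readings.
H_ROW_RE = re.compile(r"([A-Z][a-z]{2} +\d{1,2})((?: +\d+:\d{2}){5}) +(>?\d+) +(>?\d+)")

def minute_of_day(hh, mm, suffix):
    """12-hour clock to minutes after midnight; 12:00N -> 720, 12:00M -> 0."""
    return (int(hh) % 12 + (12 if suffix in "PN" else 0)) * 60 + int(mm)

def parse_events(text):
    """Events oldest-first as (absolute_minute, label): columns read top to
    bottom, left to right, then reversed; the day advances at each rollover."""
    columns = [[] for _ in range(4)]
    for line in text.splitlines():
        for col, (hh, mm, sfx, label) in enumerate(EVENT_RE.findall(line)):
            columns[col].append((minute_of_day(hh, mm, sfx), label))
    events, day = [], 0
    for minute, label in reversed([ev for col in columns for ev in col]):
        if label == "-----":          # the 12:00M rollover marker
            day += 1
        events.append((day * DAY + minute, label))
    return events

def burner_minutes_by_day(events):
    """Sum ON -> OFF burner intervals per day, splitting any that crosses
    midnight. HEAT CALL / HEAT OFF only record demand and are ignored."""
    per_day, on_since = {}, None
    for t, label in events:
        if label in ("ON", "ON DHW"):
            on_since = t
        elif label == "OFF" and on_since is not None:
            while on_since // DAY < t // DAY:   # credit the part before midnight
                boundary = (on_since // DAY + 1) * DAY
                per_day[on_since // DAY] = per_day.get(on_since // DAY, 0) + boundary - on_since
                on_since = boundary
            per_day[t // DAY] = per_day.get(t // DAY, 0) + t - on_since
            on_since = None
    return per_day

def parse_history(text):
    """MODE: H rows as dicts with H:MM columns in minutes. A leading '>' (as
    in '>90') is taken to mean the sensor read above the display range."""
    rows = []
    for m in H_ROW_RE.finditer(text):
        mins = [int(h) * 60 + int(mm) for h, mm in re.findall(r"(\d+):(\d{2})", m.group(2))]
        hi, lo = m.group(3), m.group(4)
        rows.append({"date": m.group(1), "burner": mins[0], "heat": mins[1],
                     "byp": mins[2], "mal": mins[3], "bat": mins[4],
                     "hi": int(hi.lstrip(">")), "lo": int(lo.lstrip(">")),
                     "clamped": hi.startswith(">") or lo.startswith(">")})
    return rows

def suspicious_days(rows, ratio=1.5):
    """Dates whose burner runtime exceeds ratio x the period median, or with
    nonzero BYP/MAL/BAT (assumed bypass, malfunction and battery time)."""
    base = median(r["burner"] for r in rows)
    return [r["date"] for r in rows
            if r["burner"] > ratio * base or r["byp"] or r["mal"] or r["bat"]]

if __name__ == "__main__":
    print(burner_minutes_by_day(parse_events(EVENT_LOG)))            # {0: 276, 1: 228}
    print(suspicious_days(parse_history(H_REPORT + SYNTHETIC_ROW)))  # ['Jun  9']
```

On the capture above the reconstruction yields 276 burner minutes for the earlier day and 228 for the later one, with day 0's last DHW call (11:56P) credited up to midnight and the 12:00M OFF adding nothing to day 1; the flagging check passes the unit's own rows and flags only the constructed row.  Note that these totals do not match the 0:45-ish BURNER figures in the H excerpt, which is expected: the two captures are evidently from different days (the event log shows morning heat calls, the history is from late June), so the two reports should be baselined separately.  A quiet setpoint change by an intruder shows up in a burner-minute baseline long before it shows up on a fuel bill.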

        As is evident from the redundancy among several of the options,
the entire system is designed to allow great selectivity in what one
views during a particular session.  The only practical reason for
offering all of the records as individual segments is specificity in
monitoring.  If one wishes to view a complete list of all of the records
for a particular day within the past three days with a single command,
D1, D2 and D3 are available.  To conclude the descriptions of the
commands, "L" will redisplay the message first seen in the banner
immediately upon connection to the system, and "V" for Version will
print a message similar to the following, with the version, the date
installed/configured, the type of system and the number of sensors:

MODE: V
V 6310 - 10 NOV 1995
On/Off System
8 SENSOR UNITAT

This agrees with the earlier suggestion that this is a steam system.
Strictly, "On/Off" (like "HI/LO fire") describes how the burner is
controlled rather than the type of boiler, so the absence of water
records above remains the stronger evidence.

Footprinting the System-A Review/Additional Tips on Obtaining the
Password

        Several avenues exist through which information pertaining to
the system may be acquired, information potentially useful both in
obtaining the password and in programming the settings.  Commands such
as "Version", "Water Records" and "More Hourly Records" should reveal
the general specifications of the OAS with ease.  This information,
coupled with the CNAM data of the dialup (backspoofing, anyone?), the
address, and the dial-out phone numbers, will likely prove extremely
useful either in social engineering the programming password out of
someone or in guessing it, in order to further one's exploration of the
heat computer.  One aspiring to program the OAS could also attempt the
age-old callback ruse: phoning the legitimate operator at a number
listed under 'Set points' (Mode S) and leaving a message with a
voicemail number whose greeting identifies it as belonging to 'Optimum
Applied Systems, Incorporated', accompanied by a statement to the effect
that "Your heat computer has reached its ___ year point, and as such we
need to perform diagnostic tests on the system as part of your
warranty..." and so forth.  Do note, however, that the dialup or IP of a
given unit might be particularly difficult to obtain, as the actual
operator of the system would logically be the only individual in
possession of that information, which renders impersonation of him or
her useless for that purpose.  Creative ways to get the dialup may be
devised, but the best method so far seems to be a simple matter of
wardialing the exchange controlled by the company that owns the OAS (in
the case of large corporations with their own PBXes) or dialing around
the phone numbers of the building in which it is likely to be located
(with small businesses).  Wardialing metropolitan prefixes is also bound
to turn up heat computers, possibly of the OAS brand.  Although version
6310 does not support this, other versions may permit simultaneous
logins and command execution in a single 'session', enabling one to
"eavesdrop" on and/or interfere with the session of the legitimate
user.  The programming password is not echoed to the terminal or
screen; remember, however, that it is unnecessary to enter the
programming menu once the password has been entered at the initial
prompt.  Also, while it may contain special characters, it is doubtful
that it will be greatly protected: a password of at most ten characters
is likely to be vulnerable to a dictionary attack using words of ten
characters or fewer, especially since no evidence or mention of any
logging of failed attempts is available anywhere.  As a side note, the
author of this article has heard a few rumors of the use of the OAS and
similar heat computers by landlords to deny tenants heat in a
quasi-extortive context, and of misuse resulting in the active heating
of a building in the summer or when the temperature outside is
otherwise high.  Wherever advanced technology exists there will,
unfortunately, be people who are either ignorant or abusive of it.
Although such incidents are certainly rare, OAS skills would be
infinitely useful in the face of their occurrence, proving once again
that knowledge of any technology that controls one's life is of use to
nearly anyone with any motives.  Remember, if you can't stand the heat,
get out of the kitchen and into the OAS!

The Software-An Addition

        All of the above is merely the beginning.  While connecting to
the OAS heat computer via a terminal client and manually entering all of
the commands might satisfy some, OAS also offers software to automate
and enhance the process of heat computer maintenance (whether it is
authorized or not).  This is an incredibly useful addition to the
pursuit of hacking OAS Heat Computers, as it reveals a few aspects
otherwise hidden, and it has several useful utilities clearly intended
for administration.  This software, available for all to download from
the OAS website at http://www.oas-inc.com, is called 'Master95' and is
reputedly something of a kludge just to install, as OAS does not seem
particularly disposed toward the idea of amateur experimenters logging
into heat computers and running commands.  Master95 may only be used
for the access/administration of heat computers and other OAS systems
over a (true) modem connection; unfortunately, it does not appear to
support et connections, although interestingly

        If the reader will forgive the sudden launch into a linear,
redundant expository style and the informal shift into the second
person, the following will explain the installation process.  The
download comes as a self-extracting CAB archive (a format that WinRAR
labels only as an 'SFX CAB Archive') packaged as a .exe file,
"STUB.EXE".  If you attempt to run it as you would any other Windows
.exe file, by double-clicking on the icon, you will receive a window
prompting you for a case-sensitive password of enormous maximum length.
We do not desire that, now do we?  Ignore that for the moment and open
the archive in the archive management software of your choice; the
author personally recommends WinRAR.  A list of 16 files should appear,
beginning with 'data1.cab' and ending with '_INST32I.EX_'.  Extract and
copy all of these files to the desktop or another location where the
entire installation process will take place.  (The desktop is
recommended for the sake of convenience.)  Run SETUP.EXE (it should be
the eighth file in the list; does the text in the background of the
window with the copyright and version appear at all familiar?) and
proceed through all of the prompts: agree to the license, etc.
Instruct the software to place an icon for Master95 on the desktop when
prompted to do so.  Upon reaching the end of the InstallShield Wizard
(the application that guides you through the setup process) click
'Finish' and run the software by double-clicking on the desktop icon.
The full version of Master95 Master Dial Program Version 1.96 is now
installed.

        Behind that password prompt lies the self-extractor for
Master95, easily bypassed by opening the archive directly.  The OAS
website also declares that the software, while downloadable, must be
registered over the phone before use (presumably to confirm one's
status as a customer), lending credence to the notion that OAS does not
intend for the public to have unhindered access to Master95 and that
the password protection is a feeble form of security.  If so, this is
simply another instance of security through obscurity: it assumes that
no one will attempt to open the file with archive software, an absurd
assumption, as the file clearly identifies itself as an archive under
"Properties", and the archive itself carries no password.  Another
possible purpose of the password prompt is to keep the InstallShield
setup from being run, although it runs regardless once Master95 is
installed from the extracted files.  In any case, all of the files in
the archive may be freely copied, and the software should operate
without any difficulty as long as all of them are located in the same
directory.
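Because the gate is on the self-extractor rather than on the cabinet it wraps, the payload can be located without running STUB.EXE at all.  The following Python is an added example, not OAS code and not from the original article; it assumes the stub is a plain Microsoft cabinet (MSCF) appended to the executable.  It scans for the cabinet signature, validates the header's own size field rather than trusting the wrapper, skips any stray "MSCF" string in the stub's code, and carves the cabinet out for a normal extractor (cabextract on Unix, expand on Windows).  The STUB.EXE stand-in it runs against is constructed inline.

```python
import struct

CAB_MAGIC = b"MSCF"
# CFHEADER from the Microsoft Cabinet format: signature, reserved1, cbCabinet
# (total cabinet size in bytes), reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet.
# Little-endian, 36 bytes.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def find_cabinets(blob):
    """Return (offset, size, file_count) for each cabinet embedded in blob.
    A hit must carry a plausible header (size fits in the blob, at least
    one folder), so a stray 'MSCF' text string in the stub code is skipped."""
    found, pos = [], 0
    while (pos := blob.find(CAB_MAGIC, pos)) != -1:
        if pos + CFHEADER.size <= len(blob):
            hdr = CFHEADER.unpack_from(blob, pos)
            size, folders, files = hdr[2], hdr[8], hdr[9]
            if 0 < size <= len(blob) - pos and folders > 0:
                found.append((pos, size, files))
                pos += size          # skip past this cabinet, not into it
                continue
        pos += 1
    return found


def carve_cabinets(blob):
    """The raw cabinet bytes, ready to be written to a .cab and extracted."""
    return [blob[off:off + size] for off, size, _ in find_cabinets(blob)]


def build_stub_fixture():
    """Constructed stand-in for STUB.EXE (not the real file): an MZ header,
    filler where the password-prompting stub code would be, a decoy 'MSCF'
    text string, then one appended cabinet with an honest cbCabinet."""
    payload = b"data1.cab contents would be here"
    size = CFHEADER.size + len(payload)
    cab = CFHEADER.pack(CAB_MAGIC, 0, size, 0, CFHEADER.size, 0,
                        3, 1,            # cabinet format version 1.3
                        1, 16,           # one folder, sixteen files
                        0, 0x1234, 0) + payload
    return b"MZ" + b"\x90" * 32 + b"MSCF is not here\x00" + b"\x90" * 16 + cab


if __name__ == "__main__":
    for off, size, files in find_cabinets(build_stub_fixture()):
        print(f"cabinet at offset {off}: {size} bytes, {files} files")
```

Write each carved blob to a .cab file and list it with `cabextract -l`; if the assumption about the stub holds, the listing is the same sixteen files that WinRAR shows, obtained without ever answering the password prompt.  The check on cbCabinet matters: a self-extractor's own code can legitimately contain the four bytes "MSCF", and a carver that trusts the first hit will hand back garbage.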

        Although at first glance the Master95 software appears to be
merely an alternate way to access and administer heat computers through
a GUI and menu system, it does reveal a few interesting things.  Of
foremost interest to the reader may be the commands help file, which
presents in a succinct format descriptions of the current report, event
log, etc., although it completely lacks the explanation useful to an
outsider (unauthorized user, i.e., hacker), such as the ultimate
application to heat and descriptions of boiler operation, as it assumes
that the software's user will be trained in such matters.  Observing
the window, one will notice that under the "direct dial" option, when
"building list" is selected, other OAS products controllable over modem
are listed, a mildly interesting bit of information.  Perhaps it would
be worthwhile to watch wardial logs for anything mentioning a "tank
computer" or a "fire eye".  The following banner demonstrates the
general format and appearance of tank computers, which are used to
monitor liquid, such as oil, inside tanks:


OAS Tank Gauge 145 ATLANTIC STREET 4:30P Sat Dec 17, 1993 TANK CAPACITY:5000 GALLONS


These connect at 8,N,1; the serial settings evidently differ from the
heat computer's, as its output does not display properly when a heat
computer is dialed with either of those unit types selected.  Tank
computers are a subject for another article.  Upon establishing a
connection to a heat computer through the software (calling cards may
even be used for long-distance dialups) one may enter commands manually
in the blue terminal window in which all output is viewed, or use the
drop-down menu system if one prefers a GUI.  Notice the command "Real
Time Display" under "Commands", sent by the keyboard shortcut Alt+R.
Selecting it during a session pulls up a "Command Select" box listing
four commands that accomplish this: R, RA, RB, and XR.  RA and RB will
not work on this particular model of heat computer at all, and may
produce erratic results on other models.  XR, however, displays the
report and updates it in real time.  This is a hidden command on the
Heat Computer 6310, not documented in the list produced by "?"; the
lesson is that the "?" listing is not the unit's complete command set,
and the Master95 menus are one way of learning the rest.  While in most
cases the two reports will be identical, a slight discrepancy may be
seen between them: a display of the constantly fluctuating temperature
of the area surrounding the thermistors.

        Master95 also serves as an effective organizational tool for
heat computer management, incorporating among its utilities a building
list in which heat computers (and the other types of systems) may be
sorted by address, an assigned ID, and dialup.  Editing the properties
of a particular building in this list entails assigning an ID and
setting the type of unit (Heat, Oil Tank, Heat 7000, or Fire Eye), the
baud rate at which it connects, and the "port switch".  Building lists
may also be imported from older, DOS versions of the Master software
with the File option "Import Old List".  "Tools" for building lists
include daily and single collection, summer/winter programming, and
clock programming.  The latter two are simply an automation of the
set-point programming process for the summer/winter option and the
time.  The password box accepts only ten characters, which is how the
aforementioned limit of ten characters on passwords was established.
Daily/single collection is a slightly more complex automation, in which
the user may program the software to dial selected buildings in the
list at a specified time and day, execute commands, and store the
output in a file with the extension .sum, for "collection summary".  To
configure these parameters, select "Setup Parameters" under the "Tools"
menu.  Note that a workstation running Master95 thereby concentrates the
dialups, addresses and collected reports of every unit it manages, and
deserves protection accordingly.

	Web Interface and Internet Connectivity

        As noted in the introduction, certain newer models of OAS Heat
Computers, notably the 3700, include the option of a web interface,
which provides convenient remote access to and management of heat
computers with Internet connectivity.  One may log in through the
following websites in order to connect to and administer a heat
computer unit online:

http://hcdbs.oasincorp.com
http://www.oasincorp.com

A MySQL database is used to this end: TCP port 3306, the MySQL server
port, is open on hcdbs.oasincorp.com.  A database listener reachable
from the Internet is a significant exposure in its own right, quite
apart from any weakness in the web application in front of it.

	Conclusion-Thoughts on Security

        While in some regards OAS can hardly be blamed for the
attributes of heat computers that render them so predisposed to control
by outsiders (remote accessibility over phone lines, un-passworded
execution of seemingly harmless commands, and so forth), leaving
systems that control the heat of an entire building lying about on the
PSTN, and recently the Internet, is frankly unwise.  OAS is extremely
zealous in advertising, providing the technical specifications of the
models it sells in numerous public releases.  The security problem here
is primarily that a very limited amount of seemingly innocuous
information can lead to extremely specific information useful in
penetrating and taking complete control of particular units; for
instance, the dialup of a heat computer can lead to the address of the
unit and to possible numbers at which the owners/operators may be
contacted.  One could even carry a social-engineering scheme so far as
to call up the building owner/manager about an actual problem visible
in the report, a difficulty only repairable by remote programming, and
proceed to correct it upon learning the password!  A simple
understanding of human nature suggests that people will be much more
susceptible to social engineering, that is, much more willing to give
out the programming password, when faced with a potential disaster such
as the complete cutoff of heat in the dead of winter, or even something
minor such as a small water leak or a dirty coil.  And, while I most
certainly do not condone exaggeration of the problem, all of this is
definitely something to ponder as these systems begin to make their way
onto the Internet.  While manufacturers of some equipment have realized
the folly of unnecessary remote access, heat and building automation
systems are likely to become even more accessible in the future, for
evident reasons of expediency.  From an explorer's standpoint, heat
computers of all types provide a relatively safe venue through which a
fairly extensive assortment of technologies may be studied; boilers are
nearly as complex and interesting as phone systems or any of the other
self-contained networks of mechanical and electronic parts that make up
the modern world.  Still, the thought that an individual in a remote
location could with relative ease direct the equipment that supplies
heat and water to a large building is slightly disturbing (here it is
important to remember that while OAS Heat Computers may be uncommon,
other heat computers and building maintenance systems exist in
abundance, especially in large cities).  If, by any stroke of fortune,
the curious hacker reading this article should happen to find an OAS
Heat Computer, I advise him or her to align subsequent actions with the
Hacker Ethic and to refrain, as a matter of course, from causing any
permanent or immediately serious problems with the system, whether
unintentionally (as preposterous as that may sound) or intentionally.
	
A grayscale photograph of an OAS Heat Computer unit is available at the
time of this writing on
http://www.homeenergy.org/archive/hem.dis.anl.gov/eehem/picts/97054101.gif,
and other pictures of the front panel are available on
http://www.oas-inc.com.

        Shoutouts to rev, whitehorse, ThoughtPhreaker, Substance,
DCFlux, bomberman2525, radio_phreak, everyone in #telephony, Binrev and
the DDP, the broad class of people who ever wrote anything that has
contributed to my technological knowledge base, underground or
otherwise, the anonymous person who posted the logs that initially
brought heat computers to my attention, and OAS for manufacturing such
interesting, useful, and vulnerable products.  If I have forgotten or
omitted anyone else, please forgive me with the assurance that your
contributions and the general benefits of our interactions do not go
unnoticed and underemphasized.  I may be contacted on IRC on 2600net in
#2600, #telephreak, and #telephony, on the Telephreak BBS at
telnet://bbs.telephreak.org, or at my email address:
philosopher2600@gmail.com with any questions or input. If anyone should
happen to possess a superior command of such systems as were discussed
in this article, I would like to hear from you; to this end I encourage
contact via one of the above channels to further knowledge upon this
topic.  Although it was extensively researched, I authored this paper
strictly from the perspective of an outside explorer experimenting with
the system-a good deal of information presented here was garnered from
experimentation and observation, and as such is not all-inclusive by any
means, although conjecture and speculation are labeled as such.
Redundancy here (presentation of details present in the help file of the
Master95 software and so forth) exists in order to provide readers with
a reference that may be used both as a quick guide to heat computers
without the help file or the official manuals, as well as an explanation
of, in the true spirit of hacking, potential unintended uses for the
various options therein. Additional details are available in the help
file of Master95 and elsewhere that are not mentioned here-obtain the
software!
