
GE Concord 4 Home Security System – Resetting the Installer Code
| 2. November, 2017

Somewhat off the infosec path, but I recently found a need to break into a GE Concord 4 home security system – yes, the commercial/home alarm system with door, glass break, and motion sensors that calls the company monitoring your system when the alarm is tripped.  While my home alarm system has since been replaced with a newer model, the GE Concord 4 system was installed when I purchased my home, and I thought a consolidated set of instructions and details may help someone who also needs this information.  My main goal was to gain access to mess around with this system and at some point sell it to someone who needs a replacement board.  To be honest, the Concord 4 is overkill for single family homes as it supports 96 zones total (wired plus RF – comes with 8 zones on the standard board), 6 partitions, and 230 user codes…more than anyone could possibly need.

One thing you’ll notice when home security systems are installed is that the original installer, or the dealer, sets the install codes on your system.  You’ll need these codes should you need to change system-wide settings such as the central station (CS) number (the phone number your alarm system calls when tripped) and the system ID that lets the monitoring center know which system is calling with an alarm.  These aren’t the same as user codes or the master code – which are used to arm and disarm the system on a daily basis – but the codes required to really program the system.  If you’re lucky enough to have a new system installed while you’re around, always ask for the installer codes and store them someplace safe.  One other caveat, as you’ll see below, is that not all alarm keypads can program a system, and that applies to the Concord 4 as well.

The Basics:

  • The system we are dealing with is a GE Concord 4 – GE Home Security was purchased by Interlogix – previously there was a Concord 3 and Concord Express, and while there isn’t much difference in these models I can’t guarantee these instructions will work for other models.
  • You’ll also need a keypad that is capable of programming the Concord 4.  I was lucky in that I have the keypad models (SuperBus 2000 2×16 LCD) that can program this board.  In some cases, installers may only install touchpad models that can’t program the board throughout your house, and in that case you’ll also need to head over to eBay and find a new touchpad as well.  As an alternative, and if you’re simply attempting to switch monitoring companies, the installer may have one of the required programming keypads, although you’ll still need the installer codes (which is the point of this post) to gain access to reprogram the system.
  • You’re also going to need a copy of the installer manual – not the user manual you get that describes daily operation of the system – the installer manual can be found here

The eeprom:

These boards have a removable eeprom that holds the codes and settings for the board.  To get the installer codes you have a few options.  You could:

  1. Attempt to use the default codes – usual suspects here are 4321 (default), 1234, 1111, 4112, 6321 (that’s one ADT was known to use), and 0602 (SCM monitoring used this as a default)
  2. Buy a new board with an eeprom configured with a default installer code (4321), or a known installer code (verify with the seller)
  3. Use the methods below to read the installer codes from the eeprom and then reconfigure your board – this post assumes you’re going with option 3…

Finding and removing the eeprom:

The board and eeprom (shown in the pictures below) are where we’ll start.  The eeprom on the Concord 4 should be a Microchip 24LC256.

Power the system down by removing the AC connection from the wall (or remove the power leads from the screw terminals on the leftmost side of the board, GND and Positive for the 16.5V AC transformer), and then remove the power leads from the battery or board (red and black connection in the picture below) to remove battery backup power to the board.  Use a chip puller to extract the eeprom from the socket, being careful not to bend any pins.  Note the orientation of the chip, with the notch towards the “top” of the board and away from the screw terminals used to connect sensors, power, and other items to the board.  You’ll replace it in that same orientation prior to reconnecting power.

Reading the eeprom:

To read the eeprom you’re going to need an eeprom reader.  I used this one – from Amazon, ~$10 –  (see image below)

The issue you’ll find with this reader is that it does NOT come with any software and only works with Windows 7 as the operating system.  Luckily I had an older laptop that I could use for this task.  If you don’t, you could try a Windows 7 VM, but I’m not sure the USB translation between host and guest will work for our needs here.  Assuming you have this device and a Windows 7 system, here are the steps to get the reader software working:

  1. Download the USB device driver and eeprom reader/writer software
  2. Unzip into a directory of your choosing – create a new folder in the directory called Languages and move the english.ini file into the Languages folder
  3. Plug in the eeprom reader – without the eeprom chip inserted – cancel the autodriver install
  4. Run the driver-24cxx25xx.exe driver installer, choose install, and your system should now recognize the eeprom reader
  5. Run the eeprom software with the USB reader/writer inserted (again, without the eeprom from the board inserted) – it is called CH341A.exe
  6. In the lower left corner of the application window it should say “connected”

Now it is time to take the eeprom from our board and insert it into the USB reader/writer.  This is the most confusing part, as the diagram in the application, as well as other reader/writer tutorials, show various orientations of the chip.  What DOES work with the reader is putting the eeprom in the socket closest to the USB connection, with the notch (or dot) facing the USB connection.  If you reverse this you’ll burn up the eeprom chip – or your fingers.  If you use the socket furthest away from the USB connection the chip can’t be read.

Unplug the USB reader/writer from your system.  Using the correct orientation, place the chip in the socket and move the lever at the end opposite the USB connection down to make contact with the 8 eeprom pins.  With the CH341A application running, plug the USB reader/writer back into your system.  Once it shows as connected, make sure you choose 24 eeprom as the type, Microchip as the manufacturer, and MI24LC256 as the name.  Hit the READ button – not erase, program, or anything else, as we are not modifying the contents of the eeprom, only reading the values we need.  If your output is all FF’s you’ve done something wrong, as those are empty (blank) hex values.  If you see different hex values (besides FF’s) as you scroll the output then you’ve likely read the chip correctly.

The values we need are in the following locations:

  • Main code – used to arm/disarm the system is at 0x03E2-3 (in my shot below it was reset to 9999)
  • Installer code – what we are after, is at 0x03E5-6 (in my case it was set to 0602 by the installer)
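
The same lookup can be done on a saved dump instead of scrolling the hex view. This is an added example, not part of the original post or the reader software: it assumes the read contents were saved to a raw binary file, and that each code is stored as two bytes whose hex digits are the code itself (as 0602 and 9999 appear above).

```python
# Added example: sanity-check a 24LC256 dump and decode the two codes.
EEPROM_SIZE = 32 * 1024          # 24LC256 = 256 Kbit = 32,768 bytes
MAIN_CODE_OFFSET = 0x03E2        # from the post: main code at 0x03E2-3
INSTALLER_CODE_OFFSET = 0x03E5   # from the post: installer code at 0x03E5-6


def decode_code(dump: bytes, offset: int) -> str:
    """Return the 4-digit code stored in the two bytes at `offset`.

    Assumption: each byte holds two decimal digits, one per nibble,
    which is how 0602 and 9999 appear in the post's hex view.
    """
    pair = dump[offset:offset + 2]
    digits = pair.hex()
    if len(pair) != 2 or not digits.isdigit():
        raise ValueError(f"bytes at {offset:#06x} are not a 4-digit code: {digits!r}")
    return digits


def check_dump(dump: bytes) -> None:
    """Reject reads that are obviously bad before trusting any offset."""
    if len(dump) != EEPROM_SIZE:
        raise ValueError(f"expected {EEPROM_SIZE} bytes, got {len(dump)}")
    if all(b == 0xFF for b in dump):
        raise ValueError("dump is all FF: chip not read (check socket and orientation)")


def read_codes(dump: bytes) -> dict:
    check_dump(dump)
    return {
        "main": decode_code(dump, MAIN_CODE_OFFSET),
        "installer": decode_code(dump, INSTALLER_CODE_OFFSET),
    }


def make_sample_dump() -> bytes:
    """Constructed sample, not a real board image: filler plus the post's values."""
    buf = bytearray(b"\x00" * EEPROM_SIZE)
    buf[MAIN_CODE_OFFSET:MAIN_CODE_OFFSET + 2] = bytes.fromhex("9999")
    buf[INSTALLER_CODE_OFFSET:INSTALLER_CODE_OFFSET + 2] = bytes.fromhex("0602")
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_dump()
    print(read_codes(data))
```

A size mismatch or an all-FF dump is rejected before any offset is trusted, which catches the wrong-socket and wrong-chip-type mistakes described above.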

Resetting the installer code/or programming the system:

With the installer code in hand, we can use our keypad to enter SYSTEM PROGRAMMING.  You’ll need to reinsert the eeprom (notch up), reapply the battery power and reconnect AC power to the board.  After system power up, you will do the following:

On the keypad, enter 8 + installer code (0602 in my example) and then 0 + 0 – the keypad should say SYSTEM PROGRAMMING (see below)

If you get two quick beeps and a return to the time/date screen then either your installer code is not correct, or your keypad is not capable of programming the system (see above).  Assuming you made it this far, you can either continue using the known installer code, or reset it.  Use the installer manual, starting at page 33; the instructions are pretty clear – under System -> Security we can view and change the installer codes as necessary.  Reminder, the default on these boards is 4321 for the installer and a blank dealer code.

Hope that helps!  Please note – I’m not actively monitoring this post for questions or comments.
