Learning about HammerSpace's Andover Controls Systems

Written 2011-06-20

Tags: Control Systems, HVAC, Cingular, SNMP, TCP, RS-485, RS-232, Andover Controls, serial

The best I can tell, Andover Controls is a company that made facility automation systems. Connect multiple buildings together, and control access, security, fire alarms and controls, power system, HVAC, and more from a central location. The system installed at HammerSpace controlled at least access, power, and HVAC. They used a mixture of RS-485 and Ethernet to control the system. Since HammerSpace used to be a network trunk center for Cingular, the system is far overspec'd for the current purpose. We'd like to control the network, but do not have any software belonging to it. Thus the saga begins.

First, the Andover Controls systems installation is modular, and consists of the following components: 

Two units provide I/O, a DX 800i and an LCX810. The 800i is an input-only device, although there are relay solder points. The LCX810 has 8 inputs and 8 outputs for controlling HVAC systems.

An ACX780 provides access control interfaces to prox readers. I assume a clocked serial like most prox and card readers.

i2 867 units are the most complicated thermostats I've ever seen. Dave ended up putting a thermometer on one since it doesn't have a display.

A CX9200 provides an Ethernet management interface to the rest of the system, or at least it used to. It also has four serial ports, and one of them is attached to a touch-screen controller with a broken display. Because we lacked the needed 25-pin serial connector, we went for Ethernet first (I left my serial adapters at home, as I didn't know I'd be fiddling around with anything fun). After rebooting the system, it sent out some diagnostic packets and an ARP request.


So of course, I set my laptop to appear as that IP address...


Hey look, SNMP traffic. I've peppered out the community string, but at least now we're getting somewhere. Next we Nmapped the IP address to find two open TCP ports: 33440 and 33456. 33440 appears to have a simple ASCII text client, but everything I've entered emits the same error message and closes the connection. 33456 emits some binary data and closes the connection. I need to look for a MIB to explain the SNMP trap.
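Why the community string shows up at all, as an added example (not code from the original post): an SNMPv1 trap carries its community string unencrypted, so whichever host answers for the trap destination can read it out of the UDP payload with a minimal BER decoder. The sample packet, the community `example`, enterprise number 99999 and address 192.0.2.10 are constructed, and SNMPv1 is an assumption, since the post does not say which version the CX9200 sends.

```python
# Minimal BER decoder for an SNMPv1 Trap; SAMPLE_TRAP is constructed, not captured from the CX9200.
SAMPLE_TRAP = bytes.fromhex(
    "3029" "020100" "04076578616d706c65"   # SEQUENCE, version 0, community "example"
    "a41b" "06082b06010401868d1f"           # Trap-PDU, enterprise OID
    "4004c000020a" "020100" "020100"        # agent-addr, generic-trap, specific-trap
    "430100" "3000")                        # time-stamp, empty variable-bindings

GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode a BER OBJECT IDENTIFIER body into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_v1_trap(packet):
    """Extract the fields a passive listener can read from an SNMPv1 trap."""
    tag, body, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if tag != 0x30 or version != b"\x00" or pdu_tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    _, enterprise, pos = read_tlv(pdu, 0)
    _, agent, pos = read_tlv(pdu, pos)
    _, generic, pos = read_tlv(pdu, pos)
    return {"community": community.decode("ascii", "replace"),
            "enterprise": decode_oid(enterprise),
            "agent_addr": ".".join(map(str, agent)),
            "generic_trap": GENERIC_TRAPS[int.from_bytes(generic, "big")]}

if __name__ == "__main__":
    print(parse_v1_trap(SAMPLE_TRAP))
```

The enterprise OID in a real trap identifies the vendor subtree, which narrows down which MIB to look for.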

Next to investigate are the serial ports. There's one designated to be attached to a modem, and another attached to a touch screen. Hopefully the modem port has a text-UI we can use. That is, after finding the serial port settings.

Also, I've posted a few datasheets here: http://rsaxvc.net/datasheets/hammerspace/