#100 Monitoring A Line UPS Remotely

Modernizing the old UPSilon 2000 application was a daunting task my first thought was to read the serial output but unfortunately the UPS is listed as a HID device and not a simple COM port. So I went down the rabbit hole of trying to communicate with hid devices which have strict security to combat keyloggers. I tried to use kernel32 and the create file read and write file methods but I got access denied. Looking closer I could read some of the inputs of the ups hid device but it was going to take too long to figure out direct communication to the ups without an SDK or a good example app using USB HID to communicate with a UPS.

Computer Management Hid UPS

Some details of my ups hid were:
VID = 0001 PID = 0000 Path = \?\hid#vid_0001&pid_0000#6&7efa158&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030} SerialNumber = Manufacturer = MEC Product: MEC0003

Communication over USB

So after wasting 2 days I went back to the drawing board this time instead of using Wireshark to catch the USB packets I decided to take a closer look at the upsilon 2000 application. unfortunately the .dll's don’t show any useful functions in dependency viewer so I can’t call C++ functions from them in C#. So next I switched Wireshark to local monitoring and I found some very useful traffic.

tcp.port == 2570 connect as a client and get data
tcp.port == 8652 read the data from the sms server
udp.port == 11541 udp data

Port 8652 allows me to read alerts sent to the SMS server but instead I re-direct them to my C# application.

GET /smssend_hide.cgi?$sms_recptmobile=0123456789&$sms_content=DESKTOP-294DAYV: This is a test message!&$sms_code=1 HTTP/1.1
User-Agent: RUPS2K SMS
Connection: Keep-Alive

Port 2570 allows me to TCP connect as a client with no auth and now I get all the stat report strings every 1 second.

(238.7 238.7 238.7 007 50.1 27.4 --.- 00001000

The UDP port 11541 always receives upsXXXcnt001 for constant monitoring and I haven’t observed any other use besides this.

ups000cnt001 – connected ups
upsdiscnt001 – not connected

The exe files communicating between themselves are
Monw32.exe 11541 udp listner
RupsMon.exe 2570 tcp listner
UPSilon.exe connects as client

So after finding this info I was able to build a C# app that works in conjunction with UPSilon 2000 but the C# app offers more flexibility such as remote messaging via Telegram or forwarding the stats to a webserver for remote viewing.

The application checks the cd key every time it starts it connects to an IP in Taiwan on port 80 however is you go to port 8080 you get a webpage cd key checking form.

Reporting serial key and NTFS to home via:

The only thing I couldn’t do was send commands directly to the ups because that communication link is done within the upsilon app itself however I am happy with the overall outcome.

Source code of my application can be found on GitHub

Leave a Reply

Your email address will not be published. Required fields are marked *