4100U reverse engineering effort: Panel crash - bad CFIG version, how to recover?

Hi guys,

I came across a Simplex 4100U on eBay for a ridiculously low price a few months ago and picked it up. (It was even cheaper than most other panels I’d be able to get at the time). I wasn’t really looking for a panel, but I couldn’t pass this up. I also obtained the serial programming cable.

As I had said in a prior post, I’m not a collector or technician, but I am interested in fire alarm systems. However, what I am is a software and cybersecurity engineer. My goal with this panel is to discover a way to program it with free to obtain software (the Autocall ES Programmer), without needing a dongle. It turns out that this is actually possible with some minor tweaks to the Autocall software and the .SDB4100U file that is used to contain the job information before it’s built into a CFIG for the panel. I plan to make another, larger post about this effort sometime soon, but in short, I’ve made much more significant progress than I had expected to. (Ironically enough, by my research, it would be easier to program a 4100ES because of its Ethernet port and USB/Ethernet file transfer, as well as its mass storage device. I may pick up a 4100ES in the future to play around with.)

However, I have run into a bit of an issue which I’m trying to work on, but am not sure I can solve without some help. I put together a CFIG with 10 or so addressable points enabled with some dummy labels so I could see if the panel took my CFIG. It took some effort to convince the software, but the node tree in the programmer contained all valid devices/cards according to what was actually in the panel (it is a very basic panel, with only a DACT (which I disconnected) and CPU card with built-in IDNet loop). I first backed up the CFIG using the 4100U Transfer Utility. I then used the “Bootloader” option to download the latest system revision. I then downloaded my new CFIG. The panel rebooted…and crash code 34 came on the screen.

According to this site, crash code 34 is an invalid CFIG format error:

INDICATES THAT THE CFIG FORMAT NUMBER IS INCOMPATIBLE WITH THE VERSION OF EXECUTIVE SOFTWARE (SYSTEM PROM). CHECK PROGRAMMER DISK REV NUMBER AGAINST REV NUMBER ON THE LABEL OF THE SYSTEM PROM. UPDATE SYSTEM PROM TO REV OF CURRENT SOFTWARE BY BURNING A NEW SYSTEM EXECUTIVE PROM.
See FSB-252R for compatible system exec and programmer revisions

The panel won’t do anything in this state, and I can’t even get it to accept a new CFIG since it reboots every 10 seconds (stuck in a bootloop). Here are the courses of action I’m looking at:

1 - Try to contact someone at Simplex to burn a new PROM chip. I could send in my old chip providing I can locate it off the panel. If someone on this forum works for or has a contact with Simplex, I would be willing to pay a decent amount for this chip to be flashed to the correct version.

2 - Try to flash the chip myself. I have a decent amount of electronics knowledge as well as an Arduino and Raspberry Pi. My brother and I have used an Arduino before to flash a new firmware to a 3D printer. However, I have no earthly idea where I’d obtain the correct software that needs to be flashed to the chip.

3 - Patch the Job Builder application or the CFIG itself to contain a different rev number. Will require a good bit of effort. This may work, but due to upgrades in the CFIG format, may still cause the panel to crash unexpectedly.

4 - Try to get the old CFIG back on the panel to at least get it functioning, then try to use the Job Builder to “unbuild” the old CFIG for modification. I tried the route of modifying the existing CFIG first, since the 4100U Programming Manual mentions that I can use the Job Builder to decompile a CFIG file. Unfortunately this function seems to be missing from the Autocall suite of tools. I’m trying to track down the Simplex 4100U programmer, but am not having luck.

If anyone has any suggestions, let me know. If I can build a fully working 4100U without needing to involve Simplex at all, I will be sharing the entire process with all of you, and likely making videos of how to do this to your own 4100Us for those of you that own one. Of course, if this works, it will be HIGHLY experimental and should under no circumstances be used in an active life safety system. Consider it the fire alarm version of an iOS jailbreak - I’m just jailbreaking a 4100U. I can upload proof as needed.

1 Like

While I don’t understand a lot of what you outline (as I’m not familiar at all with advanced computing), this seems like a neat project to me, especially as all the higher-end Simplex panels (4100, 4100U, 4020, etc.) have been essentially off-limits to enthusiasts due to the unobtainable software needed to program them. However, if your efforts & experiments go well, you may finally open the doors to them for us. Best of luck!

1 Like

What’s happening here is that you attempted to use a 4100ES CFIG file with a 4100U.
The 4100ES and 4100U are very similar, but are not identical.

The Autocall brand, in its current incarnation, did not exist in the 4100U era.

This makes sense and is one of the first things I thought of. However:

  • The Autocall software is actually very similar to the Simplex software; I think they just added a few panel types and cards. I tricked the programmer into thinking I’m programming a 4100U, and it appears to believe me every step of the way.
  • There is actually a different crash code for using the wrong CFIG in the panel:

INVALID SYSTEM CFIG
· The information in the Cfig Prom indicated that the program is installed in the wrong type of panel.
example: A UT program installed in a 4020.
· Can also occur if a prom bank size exceeds a value of 16385 (greater than 100% full) and spills over into the next bank.
-Used wrong size CFIG chip. Used 1 Meg when 2 Meg required or used 2 Meg when 1 Meg required.

I actually might see if I can test this by sending the panel a 4007ES/4100ES CFIG file.

I am inclined to think that a mere number inside the CFIG is set to something that doesn’t match the panel, and the panel doesn’t like that.

1 Like

So from my understanding, you got ES software to kind of work and give you a U config file. Although I am not surprised it did not work. I have the Simplex branded 4100U programmer. The only problem is, I can’t start the software because I don’t have the security key/dongle/software. I was thinking that you might be able to get past that with your experience in cybersecurity.

1 Like

You mentioned that you “may pick up a 4100ES in the future to play around with”.
I’d probably recommend doing that as a starting point, as you have a greater chance of success with a 4100ES.

1 Like

PM me what you want in your config file and I will generate you one for the proper system revision. Also, you will need to reflash the bin files to match the config.

Hi, I have the same problem with 4007 ES panel. Any help, please?

1 Like

Hi Ahmed, can you elaborate on what you need? Thanks

@steph You may want to try getting ahold of the Simplex software (which @Fire-Alert has said they are willing to give you) and seeing if it’s possible to get around the dongle requirement (which might be easy, as the UL listing and warranties are a major deterrent to prevent anyone else from using/playing around with the software, so Simplex isn’t playing a cat-and-mouse game the way Adobe does).

You may also want to try some older, 1990s-era panels (e.g. original 4100, or even something from another manufacturer e.g. Siemens MXL), as their programming software is likely far more primitive and rudimentary and would therefore be easier to play around with.

The main difference between Adobe software and Simplex software is that there are way more people that want to use Adobe stuff for free. Fire alarm panel programmers are extremely niche and most people don’t want to deal with the liability that would come with modifying the software/bypassing the license checks, as you would be able to tell in the programming changes history afterwards. If you can find someone on the internet willing to modify an existing program/generate one from scratch, you could transfer it to (and from) the panel without a license, but whoever programmed it would take the liability.

I also have the problem

The necessary files were posted to this site recently; just check the latest tab.

I didn’t see them. Where are they?

Not sure, but look under the recent tab of the main page of this site.

What are you looking for exactly? The only Simplex programmers that you can open without a license are the small panel programmer, the 4007ES programmer and the Simplex foundation programmer. Most older panels, including the 4010 and 4100U, and newer panels like the 4010ES and 4100ES, all require a license to open and modify. With all programmers you usually can extract and flash, but not much more than that.

When/if you modify the Simplex 4100U software, could I PLEASE have a copy of the modded software? (I am about to get a 4100U from an old school that is upgrading to a Notifier NFS2-3030 with DVC, and I would like to use the panel as a demo system.)

There might be liability/legal issues with doing such, so I don’t know if you’ll get what you seek.

Oh, well, if still possible, PLEASE can I have a copy of the software?

I cannot do such a thing, unfortunately, but I can tell you that Google helps if you are willing to take the extra lengths of searching.