MonoBLOC controller bruteforce hack

A project log for DIY Wastewater Treatment Controller

Project goal is to build a controller for home wastewater treatment plant.

leszek-wojcikleszek-wojcik 08/14/2018 at 19:180 Comments

One of primary motivation behind this project creation is malfunction of my MonoBLOC controller. This controller was manufactured by polish company ASC and was bundled with Marseplast Green Flow home waste water treatment tanks. MonoBLOC controller has integrated valve and heating system that allows controller to operate outdoors. Controller was delivered inside electric cabinet along with air pump and red light on top for alarm status signaling.

Issue with this product was extremely poor serviceability. When I wanted to perform air pump filter cleaning procedure I had to unscrew the pump, controller and the bulb. I had to access screws without seeing them. So much troubles for simplest maintenance procedure... and doing it I violated my warranty as I damaged controller case by accident.

From my point of view there are multiple issues with this product and I don't recommend to buy one of these. Mine had issue with power cable, valve and RTC on top of serviceability issue I've mentioned above. Moreover I think cabinet wasn't carefully designed by having air pump on highest shelf. That lead to constant issue of having too much noise caused by air pump vibration. Not sure who to blame for all of that... Anyway googling for alternative product resulted in finding products with high price tags. When thinking about what controller does I figured out that these products are highly overpriced so I decided to build my own controller.

Finding service password for MonoBLOC Controller

In order to recreate same logic inside my controller I had to learn what MonoBLOC controller does in details. In user manual I found that "vendor does not share controller settings". I need to find that by myself. So I opened case and I found that controller consist of two major elements. One is power supply (20V, 5V, 3.3V) which integrated relay blocks, AC outlet, RTC. Second was a controller main board with Liquid Crystal Display. Apparently LCD covers  micro controller so I don't have a clue what architecture were used. Controller main board is universal meaning that it can be used to run multiple relays, switches and so on. Seems like vendor was trying to create universal wastewater controller board or maybe he did.

Here is how it looks like:

Anyhow main controller board was equipped with 7 push buttons with easy access. Firstly I hooked up Arduino to controller power supply and confirmed I can run it without issues on 20 V power line. Secondly I solder wires to every push button on controller and connected with Arduino. After while I was able to to freely navigate over MonoBloc menu using my Arduino sketch. At this point I were able to perform brute force attack on the device.

Everything I had to do was to write a simple application that were trying to log in using combination of digits. Password consists of 4 digit number so I had only 10 000 combinations to try. Second thing I had to do was to detect whether attempt was successful or not. For this particular case I soldered one more cable to onboard buzzer and hooked it up with Arduino.

From this moment it was matter of time to find service password and ... I did: