I’m trying to read the
Can someone help me?

Did anyone find a solution?

I know this thread is old, but did you see this option:
GitHub - lkn94/Lupusec-Connector: Connector for the Lupusec XT1 Plus

(I am looking into security systems at the moment as well :-D)

Finally I am able to read the sensor state and trigger a motion from Lupus to OH.
But I still did not figure out how to change the Mode of the XT1 Plus (Arm/Disarm/Home)

According to the python connector this should work (where 1=Arm and 0=Disarm):

def setstate(stateid):
    session = requests.Session()
    session.get("http://{}/action/panelCondGet".format(lupusIp), verify=False, auth=HTTPBasicAuth(username, password))
    response ="https://{}/action/panelCondPost".format(lupusIp), headers={"content-type": "application/x-www-form-urlencoded", "x-token": xtoken}, data={"area": 1, "mode": stateid}, verify=False, auth=HTTPBasicAuth(username, password))
    return "{}".format(response.text)

The browser development view shows this while activating the Lupus XT1 Plus:

Method: POST
and the payload:


I tried this without success:

curl -X POST -d '{"area": 1, "mode": 1}' 'admin:pwd@'


curl -X POST -v 'admin:pwd@'

Maybe it’s obvious for more experienced people…
Any suggestion would be greatly appreciated.

This one returns: HTTP/1.1 401 Unauthorized

curl -v -X POST -d 'area=1&mode=1' -u 'admin:pwd' ''

In this case is seems I get: HTTP/1.1 302 Moved Temporarily

curl -v -X POST -d 'area=1&mode=1' 'admin:pwd@'

Using https (automatic redirection to encrypted port on XT1 Plus) and ignoring the SSL errors with “-k”:

curl -v -X POST -k -d 'area=1&mode=1' -u 'admin:pwd' ''

leads to:

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=DE; ST=RP; O=LUPUS Electronics GmbH;
*  start date: Oct  8 08:25:27 2019 GMT
*  expire date: Oct  5 08:25:27 2029 GMT
*  issuer: C=DE; ST=RP; O=LUPUS Electronics GmbH;
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Server auth using Basic with user 'admin'
> POST /action/panelCondPost HTTP/1.1
> Host:
> Authorization: Basic xxx
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 13
> Content-Type: application/x-www-form-urlencoded
* upload completely sent off: 13 out of 13 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Transfer-Encoding: chunked
< Location: /

This seems to work to a certain extend (following redirects):

 curl -v -k -X POST -d 'area=1&mode=1' -u 'admin:pwd' -L ''

<!DOCTYPE html><html><head><title>Welcome</title><script type="text/javascript">document.location="/action/login"</script></head><body><noscript>JavaScript must be enabled.<br>However, it seems JavaScript is either disabled or not supported by your browser.</noscript></body></html>

but how to deal with the JAVASCRIPT requirement?

I am lost, especially because this stuff works to get the alarm systems state flawlessly:

curl -v 'admin:pwd@'