Decrypt your first .pca file
By the end of this tutorial you’ll have decrypted a .pca file, extracted
the panel’s network address and AES-128 ControllerKey, and confirmed the
key isn’t wrong by spot-checking the embedded customer-name field.
You don’t need a panel for this. The .pca file already contains
everything.
What you need
- A .pca file from PC Access. These come from the Account → Save As menu in PC Access 3, or you’ll find one in Documents/HAI/PC Access/ on any machine PC Access has been installed on.
- Python 3.14 or newer.
- 5 minutes.
If you don’t have a .pca file of your own and just want to see the
mechanics, you can synthesize one with the mock panel — but the headline
moment of this tutorial is seeing your actual panel’s hostname pop out
of the bytes, so go find a real one if you can.
Step 1 — install the CLI
    uvx --from omni-pca omni-pca version

This pulls the omni-pca package into a temporary venv and runs the
version subcommand. If that prints omni-pca 2026.5.10 (or newer),
you’re done with install.
If you’d rather install permanently:
    uv tool install omni-pca
    omni-pca version

Step 2 — extract the ControllerKey

    uvx --from omni-pca omni-pca decode-pca '/path/to/Your House.pca' \
      --field controller_key

You should see 32 hex characters and nothing else. Something like:

    6ba7b4e9b4656de3cd7edd4c650cdb09

That’s your panel’s AES-128 session-derivation key. Hold onto it — it’s the credential the HA integration (and any other Omni-Link client) needs.
The same command takes other field names if you need them:
    omni-pca decode-pca '/path/to/Your.pca' --field host   # 192.168.1.x
    omni-pca decode-pca '/path/to/Your.pca' --field port   # 4369

Step 3 — confirm the key is right

The CLI defaults to redacting account fields (name, address, phone) so
you don’t accidentally leak PII into a log. To sanity-check that the
decryption worked rather than landed on noise, pass --include-pii:

    omni-pca decode-pca '/path/to/Your.pca' --include-pii | head -10

You should see your real customer-info fields in plaintext. If those match what you set up in PC Access, the decryption is correct. If they look like random bytes, the file is corrupted or the wrong key was selected — file an issue with the byte length and a hexdump of the first 16 bytes.
What just happened
The .pca file is not AES-encrypted, despite PC Access shipping AES
code for the wire protocol. It’s a Borland-Pascal LCG keystream XORed
byte-by-byte. The CLI tried two known cipher keys (KEY_PC01 and
KEY_EXPORT), picked the one whose decrypted first bytes match the
expected PCA03 magic header, then walked the resulting plaintext to
find the Connection.NetworkAddress, Connection.NetworkPort, and
Connection.ControllerKey fields.
The full byte-level format is on the file format reference page if you want to see what’s in there.
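The key-selection step described above, as an added Python sketch that is not omni-pca's own code. The LCG recurrence is the standard Borland/Delphi one; the seed values, the one-byte-per-Random(256) keystream and the magic stored as the ASCII bytes PCA03 at offset 0 are assumptions, and the sample file is constructed.

```python
"""Added illustration: LCG-keystream XOR with key selection by magic header.

Assumptions (not from omni-pca): the seed values, one keystream byte per
Random(256) call, and the magic being the ASCII bytes b"PCA03" at offset 0.
"""

MAGIC = b"PCA03"  # assumed on-disk form of the magic header

# Constructed placeholder seeds; the real KEY_PC01 / KEY_EXPORT values differ.
CANDIDATE_KEYS = {"KEY_PC01": 0x11111111, "KEY_EXPORT": 0x22222222}


def keystream(seed: int):
    """Yield bytes from the Borland/Delphi LCG (state*0x08088405 + 1 mod 2^32)."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 0x08088405 + 1) & 0xFFFFFFFF
        yield (state * 256) >> 32  # Random(256): top byte of the state


def xor_stream(data: bytes, seed: int) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed)))


def select_key(blob: bytes) -> tuple[str, bytes]:
    """Return (key name, plaintext) for the candidate that yields MAGIC."""
    for name, seed in CANDIDATE_KEYS.items():
        # Decrypt only the header first; a wrong key yields noise here.
        if xor_stream(blob[: len(MAGIC)], seed) == MAGIC:
            return name, xor_stream(blob, seed)
    raise ValueError("no candidate key yields the PCA03 magic")


# Constructed sample "file": magic plus a made-up body, encrypted with one key.
SAMPLE_PLAIN = MAGIC + b"\x00host=192.0.2.10;port=4369"
SAMPLE_BLOB = xor_stream(SAMPLE_PLAIN, CANDIDATE_KEYS["KEY_EXPORT"])

if __name__ == "__main__":
    name, plain = select_key(SAMPLE_BLOB)
    print(name, plain)
```

Because the cipher is a plain XOR stream, the magic check only confirms the first five bytes. That is why Step 3 spot-checks fields deeper in the file.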
Where next
- Tutorial: spin up a mock panel and try it — no hardware, just docker. Confirms your ControllerKey works end-to-end.
- Tutorial: write your first omni_pca script — use the key + host you just extracted to actually talk to the panel.
- How-to: find your ControllerKey by other means — if you don’t have a .pca file handy.