Author Topic: Reverse Engineering central heating wireless thermostat - help needed!  (Read 19594 times)


Offline picitupTopic starter

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Hi All

I'd like to control my central heating from the Internet.  The current setup is a wireless stat in the hall and a wireless receiver in the airing cupboard, next to the boiler.  I did consider removing the wireless receiver, and fitting a Photon board and controlling it that way, but I don't want to mod the system such that a new occupant can't use it if we sell the house.

I did some searching and found this excellent page:

http://www.stevenhale.co.uk/main/2013/08/home-automation-reverse-engineering-a-worcester-bosch-dt10rf-wireless-thermostat/

This guy didn't own a storage scope, but managed to work out the protocol using a sound card and Audacity (sound recorder) to display the waveform.

In his example, the protocol is very simple; it sends a series of 1s and 0s as a training sequence, then a couple of bits at the end signify boiler on or off.  His system used a 433 MHz transmitter/receiver and compatible hardware is available from eBay for less than £2.00.

Flush with the promise of a simple and cheap solution, I bought a transmitter and receiver.  Then I checked my stat and it's quite different to his.

Mine works at 868.3 MHz and has a couple of chips in it:

The Atmel XMEGA128B1 which is the microcontroller and is here:

http://www.atmel.com/images/atmel-8330-8-and-16-bit-avr-microcontroller-xmega-b-atxmega64b1-atxmega128b1_datasheet.pdf

The second chip is an ATRF212 which is the wireless chip.  It's essentially an SPI-to-wireless transceiver chip and is here:

http://www.atmel.com/images/doc8168.pdf


Now for the bit where I'm stuck.  I don't have much radio experience and want to buy a suitable receiver for it, then I can decode the transmission and work out the on and off codes.  However, the ATRF212 supports a range of transmission standards and I have no idea which one it uses.  I have a scope, but that's only 100MHz and a frequency counter that goes up to 1.3GHz but I don't think either are much help in this situation.

Interestingly, the ATRF212 is around £2.00, the XMEGA128B1 is around £3.70 and the stat costs £109.99.  I think the manufacturer is making a killing with these...

You may think I've bitten off more than I can chew, and you may be right, but I was wondering if anyone could point me in the right direction?

I've attached some piccies of the stat for reference.

Thanks for reading.....

Steve
If you know what you're doing, then you're not learning anything.
 

Offline rickey1990

  • Regular Contributor
  • *
  • Posts: 74
  • Country: gb
    • Beambuilder - robotics blog
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #1 on: December 02, 2015, 03:04:31 pm »
Reverse engineering :D my favourite topic - Well I've seen people turning an LED on and off from a webpage, http://www.instructables.com/id/ESP8266-Web-Server-Without-Arduino/ . It uses an ESP8266, it's a wifi module with a built-in microcontroller. The ones shown in the previous links can be picked up from AliExpress for about £1.50, but I'd recommend spending an extra pound and getting the "NodeMcu Lua" from AliExpress as it has header pins.



Then all you have to do is buy a cheap radio transmitter module and try to get it to communicate wirelessly with the receiver in the thermostat.

Well that's my idea, hope it helps,

Kind regards,
Rickey
 

Offline LaserSteve

  • Super Contributor
  • ***
  • Posts: 1281
  • Country: us
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #2 on: December 02, 2015, 03:24:26 pm »
Post canceled, it's O-QPSK modulation, my diode detector idea would not work, never mind..
OP needs to sniff the SPI bus. I don't suggest hacking furnace controllers, it's a safety of life issue if something goes wrong. As each TX chip has a MAC address the thermostat is probably a matched pair, anyway...

Steve
« Last Edit: December 02, 2015, 03:32:49 pm by LaserSteve »
"What the devil kind of Engineer are thou, that canst not slay a hedgehog with your naked arse?"
 

Offline picitupTopic starter

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #3 on: December 02, 2015, 04:03:37 pm »
@rickey1990 Thanks for your reply.  The ESP8266 looks really cool - a tiny web server for almost nothing  :D

I didn't explain my own setup fully, I have a Photon (previously Spark Core) which you can communicate with over the Internet via their cloud which I guess is quite similar to the NodeMCU you suggested.

I could fit this in a box and get it to power a relay to offer the volt-free contacts in a proper central heating receiver, but I don't want to modify the existing system as I'll have to put it all back together if we sell the house.

@LaserSteve how do you know it's O_QPSK?  I'm interested to find out.  I think you're right about the MAC address, but the user guide shows you how to pair the transmitter/receiver if, for example you have to replace one of them, so hopefully it's still possible in theory.

Thanks

Steve
 
If you know what you're doing, then you're not learning anything.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #4 on: December 02, 2015, 04:14:55 pm »
The problem with reverse engineering this thing is that you will need equipment and software that will total much more than the price of 10 units.

You can do it on the cheap, of course, but then you will be paying with your time.

There is no point in looking at transmissions over the air with the scope, that's a complete waste of time and you won't see anything because of complex modulations.

You will need to get any ZigBee sniffer hardware/software that is capable of working in a sub-GHz bands. The cheap option is Atmel Wireshark interface and ZigBit-based USB stick (~$50). Expensive options start at ~$2500, so I guess they are out of the question.

Another thing you can do is sniff SPI bus and record significant amounts of traffic, so you will need some equipment for that as well.

Alex
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #5 on: December 02, 2015, 04:18:22 pm »
Also, when replacing things that interact with the real world, think about the consequences. Thermostats control heaters, improper control may result in very serious consequences starting from damaging your heating equipment and ending up with a fire. Do you really want to risk it?
Alex
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #6 on: December 02, 2015, 04:19:35 pm »
Also, they may be using some secret encryption keys, and then you're completely out of luck.
Alex
 

Offline senso

  • Frequent Contributor
  • **
  • Posts: 951
  • Country: pt
    • My AVR tutorials
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #7 on: December 02, 2015, 04:21:38 pm »
Those radios support encryption in hardware; on the software side it is as simple as a define in the sample code from Atmel..
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #8 on: December 02, 2015, 04:32:14 pm »
> Those radios support encryption in hardware; on the software side it is as simple as a define in the sample code from Atmel..
1. What makes you think they use code from Atmel?
2. Encryption in hardware is typically used for session keys, but master keys are typically kept internal, since it is super easy to sniff the bus and get the keys. That is if security is done right.
Alex
 

Offline senso

  • Frequent Contributor
  • **
  • Posts: 951
  • Country: pt
    • My AVR tutorials
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #9 on: December 02, 2015, 04:57:42 pm »
Was just implying that using the encryption is dead easy, so I would doubt they are not using it.
 

Offline picitupTopic starter

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #10 on: December 02, 2015, 05:28:03 pm »
Hi again

Thanks for your replies.  It sounds like I've bitten off more than I can chew.  It would probably be less work to fit a Photon in a box with a relay.

I'm not worried about controlling the heating myself as I worked as a BMS engineer for a few years.  The control of the boiler on my system is done through a timer in series with the wireless receiver, which is a box external to the boiler so any volt free contact would work in the same way.  So in practice, the wireless stat/receiver is no different to an old mechanical stat with a microswitch.

I appreciate it would need a 'dead zone' so the boiler, for example, turns off at setpoint +1 degree and on at setpoint -1 degree to stop any rapid cycling of the boiler.

Also the Photon would work locally without any need for an Internet connection, just the ability to change the setpoint over the net.  So hopefully then we won't get cold if the Internet goes down!

I'd still like to get this going, tell me I'm bonkers if you like and you may well be right.

Thanks for reading...

Steve

If you know what you're doing, then you're not learning anything.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #11 on: December 02, 2015, 05:42:13 pm »
> I'd still like to get this going, tell me I'm bonkers if you like and you may well be right.

Well, you can certainly do that, but it will take more effort to reverse engineer this stuff than to recreate the software from scratch. Just erase the Xmega and write your own software. You will have to do it on both sides, of course.

Trying to reverse engineer the protocols will require a lot of time, luck and equipment.
Alex
 

Offline picitupTopic starter

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #12 on: December 02, 2015, 05:45:11 pm »
Well I appreciate your feedback, thanks.

I'll continue to wrangle with this until I come up with a solution or slip into a sulk  :)

If I come up with anything, I'll post it up.

Cheers

Steve
If you know what you're doing, then you're not learning anything.
 

Offline philpem

  • Frequent Contributor
  • **
  • Posts: 335
  • Country: gb
  • That Sneaky British Bloke
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #13 on: December 02, 2015, 06:52:55 pm »
> I'd still like to get this going, tell me I'm bonkers if you like and you may well be right.

> Well, you can certainly do that, but it will take more effort to reverse engineer this stuff than to recreate the software from scratch. Just erase the Xmega and write your own software. You will have to do it on both sides, of course.
>
> Trying to reverse engineer the protocols will require a lot of time, luck and equipment.

Not really. A Saleae Logic (or anything supported by Sigrok really) sat on the SPI lines of the RF chip and an hour with the Atmel datasheet should do it.

Make the thermostat turn the boiler on. See what it sends to the RF chip. Repeat for boiler off.

This is literally what I did for the Worcester-Bosch MT10RF, but I did it with an Agilent mixed-signal scope, a Python script, and a couple of wires and a broken Worcester-Bosch MT10RF I found on eBay. Then I found a TI USB FET (MSP430 Flash programmer) and hooked it up to the JTAG pins on the main micro... which helpfully wasn't JTAG-locked!  >:D

Ten minutes later, I had a complete flash ROM dump, and about an hour after that, I'd single-stepped their code and knew what the I/O pins did, why the temperature sensing was so shockingly bad (they're using a digital pin to sense a thermistor using an R/C, and the capacitor drifts like a mother with both time and temperature...) and what the RF protocol was "as they envisioned it". Curiously it can signal low-battery status back to the boiler, but the boiler doesn't have any way of saying "uh, the battery's low, fix pls?" -- nor does the thermostat. First you find out about that is when your heating doesn't come on...

So it's not impossible. In fact, on an SPI chip it's probably easier than the WoBo -- I was dealing with TX_EN and FSK_DATA on some Infineon chip. SPI should be easier because once you know what the registers are (should be in the datasheet), you can figure out what it's actually doing. I'd be legitimately stunned if this thing uses encryption, and if it does, the keys probably go over the SPI bus in the clear. This is only meant to protect against passive eavesdropping and noise, really, most manufacturers consider "a guy with a Saleae Logic" to be a "well-funded attacker"...

Cheers,
Phil.
Phil / M0OFX -- Electronics/Software Engineer
"Why do I have a room full of test gear? Why, it saves on the heating bill!"
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #14 on: December 02, 2015, 06:58:06 pm »
> Make the thermostat turn the boiler on. See what it sends to the RF chip. Repeat for boiler off.

Properly designed protocols will use sequence numbers for duplicate detection and replay attacks (which is what you are trying to do here).

I work at Atmel and support those chips. I know what I'm talking about. The only way reverse-engineering will be simple is if you are in luck and the protocol used is some custom simple protocol.  Even if they went with basic IEEE 802.15.4 MAC, then sniffing the SPI and replaying the results will achieve absolutely nothing.

> which helpfully wasn't JTAG-locked!  >:D

Again, you need a lot of luck for this to happen.
Alex
 

Offline mark03

  • Frequent Contributor
  • **
  • Posts: 711
  • Country: us
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #15 on: December 02, 2015, 07:10:17 pm »
You could reverse-engineer the air interface on the cheap using an RTL-SDR type of dongle and [free] GNU Radio software.  But it may not be worth the investment of time.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #16 on: December 02, 2015, 07:12:37 pm »
> You could reverse-engineer the air interface on the cheap using an RTL-SDR type of dongle and [free] GNU Radio software.

Why would you want to do that? The radio is a standard IEEE 802.15.4 transceiver, there are proper sniffers for this already in existence. But if OTA communication is properly encrypted, sniffing it makes no difference.
Alex
 

Offline philpem

  • Frequent Contributor
  • **
  • Posts: 335
  • Country: gb
  • That Sneaky British Bloke
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #17 on: December 02, 2015, 07:19:11 pm »
> Make the thermostat turn the boiler on. See what it sends to the RF chip. Repeat for boiler off.

> Properly designed protocols will use sequence numbers for duplicate detection and replay attacks (which is what you are trying to do here).
>
> I work at Atmel and support those chips. I know what I'm talking about. The only way reverse-engineering will be simple is if you are in luck and the protocol used is some custom simple protocol.  Even if they went with basic IEEE 802.15.4 MAC, then sniffing the SPI and replaying the results will achieve absolutely nothing.

> which helpfully wasn't JTAG-locked!  >:D

> Again, you need a lot of luck for this to happen.

I think you're overestimating the average consumer electronics company manager. Quoting one of these beasts from some time ago...

"Who's going to hack a <x>? It's not like it's a military radio or... or a Patriot missile or... something like that! Stop wasting time on that, just make it work, as quickly as possible! We need to get a product out the door faster than <competitor>!"

I would be legitimately stunned if that thermostat -- almost an entry-level wireless 'stat -- is running a full Zigbee stack. They want a short development cycle and a cheap product. This is hardly a Nest. At best they'll have grabbed some Atmel sample code and used that.

The most they'll want is "on" and "off", anti-collision (CSMA-CA or CSMA-CD) and an ID/pairing to make sure multiple nearby transmitters can't be misidentified.

But really, all the OP wants to do is get the key and MAC for his thermostat and the packet format.
Looking at the AT86RF212 datasheet, the key is set with an SRAM write. So that's volatile -- the MCU will have to write it on every power-up. Same goes for the transmit buffer.
Transmit frequency, modulation settings, keys, MAC address, etc. can all be determined from SPI writes.

As for sequence IDs -- look at a dozen or so packets. I think the MT10RF has a mod-3 counter or something like that. Sequence IDs usually follow a fairly obvious sequence. Humans (like engineers, no matter how much we deny it!) like obvious sequences, they're easy to remember and easy to test.

Cheers,
Phil.
« Last Edit: December 02, 2015, 07:21:18 pm by philpem »
Phil / M0OFX -- Electronics/Software Engineer
"Why do I have a room full of test gear? Why, it saves on the heating bill!"
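As an added illustration (not code from this thread, from Atmel or from any thermostat firmware), here is a Python decoder for the kind of capture philpem describes: a list of the MOSI bytes sent in each chip-select transaction on the AT86RF212 SPI bus. The command-byte encoding is the one in the AT86RF212 datasheet; the AES-engine SRAM address (0x83) is assumed from the datasheet's SRAM map, and the capture contents are constructed. It shows why the key load and the sequence-number pattern that ataradov and philpem discuss are visible on the bus, which is the risk ataradov's "master keys kept internal" remark is about.

```python
import struct

# AT86RF212 SPI command byte: the top bits of the first MOSI byte select
# register access (6-bit address), frame buffer access, or SRAM access.
REG_WRITE, REG_READ = 0xC0, 0x80      # 11aaaaaa / 10aaaaaa
FB_WRITE, FB_READ = 0x60, 0x20        # frame buffer: PHR byte, then PSDU
SRAM_WRITE, SRAM_READ = 0x40, 0x00    # SRAM: address byte, then data bytes

# AES engine lives in SRAM (assumed layout: AES_CTRL at 0x83, key follows).
AES_CTRL_ADDR = 0x83
AES_MODE_KEY = 0x10                   # AES_CTRL.AES_MODE = 001 -> key write
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-cmd"}


def decode_transaction(mosi):
    """Classify one /SEL-framed MOSI byte string into a dict."""
    cmd = mosi[0]
    if cmd & 0xC0 == REG_WRITE:
        return {"kind": "reg_write", "addr": cmd & 0x3F, "value": mosi[1]}
    if cmd & 0xC0 == REG_READ:
        return {"kind": "reg_read", "addr": cmd & 0x3F}
    if cmd & 0xE0 == FB_WRITE:
        return {"kind": "fb_write", "phr": mosi[1], "psdu": bytes(mosi[2:])}
    if cmd & 0xE0 == SRAM_WRITE:
        return {"kind": "sram_write", "addr": mosi[1], "data": bytes(mosi[2:])}
    return {"kind": "other", "cmd": cmd}


def parse_mhr(psdu):
    """Pull the 802.15.4 MAC header fields that matter for replay and crypto."""
    fcf, seq = struct.unpack_from("<HB", psdu, 0)
    return {"type": FRAME_TYPES.get(fcf & 0x7, "reserved"), "seq": seq,
            "security": bool(fcf & 0x0008),      # Security Enabled bit
            "dst_mode": (fcf >> 10) & 3, "src_mode": (fcf >> 14) & 3}


def analyse(capture):
    """Walk a capture; report key loads, unsecured frames and the seq pattern."""
    report = {"key_written": False, "seqs": [], "unsecured_frames": 0}
    for mosi in capture:
        tx = decode_transaction(mosi)
        if (tx["kind"] == "sram_write" and tx["addr"] == AES_CTRL_ADDR
                and tx["data"][0] & 0x70 == AES_MODE_KEY and len(tx["data"]) >= 17):
            report["key_written"] = True       # 16 key bytes crossed the bus in clear
        elif tx["kind"] == "fb_write" and tx["phr"] >= 3:
            mhr = parse_mhr(tx["psdu"])
            report["seqs"].append(mhr["seq"])
            if not mhr["security"]:
                report["unsecured_frames"] += 1
    s = report["seqs"]
    # A bare incrementing counter is trivially predictable by an observer.
    report["plain_counter"] = len(s) > 1 and all(
        (b - a) % 256 == 1 for a, b in zip(s, s[1:]))
    return report


def build_frame(seq, payload):
    """Constructed data frame: FCF 0x8841 (data, PAN compression, short addrs),
    seq, dst PAN, dst addr, src addr, payload; FCS is appended by the radio."""
    psdu = struct.pack("<HBHHH", 0x8841, seq, 0x1234, 0x0001, 0x0002) + payload
    return bytes([FB_WRITE, len(psdu) + 2]) + psdu


# Constructed capture: a plausible power-up sequence followed by three frames.
CAPTURE = [
    bytes([REG_WRITE | 0x02, 0x08]),   # TRX_STATE <- TRX_OFF
    bytes([REG_WRITE | 0x08, 0x00]),   # PHY_CC_CCA: channel 0 (868.3 MHz)
    bytes([SRAM_WRITE, AES_CTRL_ADDR, AES_MODE_KEY]) + bytes(range(16)),
    build_frame(5, b"\x01"), build_frame(6, b"\x00"), build_frame(7, b"\x01"),
]

if __name__ == "__main__":
    print(analyse(CAPTURE))
```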
 

Offline mark03

  • Frequent Contributor
  • **
  • Posts: 711
  • Country: us
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #18 on: December 02, 2015, 08:14:30 pm »
> You could reverse-engineer the air interface on the cheap using an RTL-SDR type of dongle and [free] GNU Radio software.

> Why would you want to do that? The radio is a standard IEEE 802.15.4 transceiver, there are proper sniffers for this already in existence. But if OTA communication is properly encrypted, sniffing it makes no difference.
I'm assuming a "proper sniffer" costs well over the $20 one those dongles will set you back.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #19 on: December 02, 2015, 08:45:44 pm »
> I'm assuming a "proper sniffer" costs well over the $20 one those dongles will set you back.

$50 at least. Do you have a link to a $20 SDR receiver?
Alex
 

Offline picitupTopic starter

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #20 on: December 02, 2015, 09:19:28 pm »
Well this has sparked some interesting debate! I'm learning loads!

@philpem that's a very impressive piece of reverse engineering.  Unfortunately I only have a budget scope and look at mixed signal scopes and drool.  I don't have a Saleae sniffer either, but it's nearly xmas....

You can buy 833MHz receivers from fleabay for a couple of quid so I may well buy one and just see if it works.

I'd still like to pursue this and the idea of reverse engineering it sounds like fun, I think I could learn a lot from that.  Can I ask which Saleae sniffer you have philpem?

Cheers

Steve



« Last Edit: December 02, 2015, 09:21:50 pm by picitup »
If you know what you're doing, then you're not learning anything.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #21 on: December 02, 2015, 09:26:25 pm »
> You can buy 833MHz receivers from fleabay for a couple of quid so I may well buy one and just see if it works.

I can guarantee you, it won't.
Alex
 

Offline senso

  • Frequent Contributor
  • **
  • Posts: 951
  • Country: pt
    • My AVR tutorials
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #22 on: December 02, 2015, 09:49:31 pm »
You can also buy a cheap RTL-SDR, or even use an equal atmega128rfa/rfr and use Wireshark.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11236
  • Country: us
    • Personal site
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #23 on: December 02, 2015, 10:00:31 pm »
> You can also buy a cheap RTL-SDR
Which one and what is your definition of cheap?

> , or even use an equal atmega128rfa/rfr and use Wireshark.
No, you can't. RF212 is a sub-GHz device. megaRF are only available in 2.4 GHz band.

You can use this USB stick http://www.atmel.com/tools/atzb-x-rf212b-usb.aspx with Wireshark. But it is $55 before taxes and shipping.
Alex
 

Offline mark03

  • Frequent Contributor
  • **
  • Posts: 711
  • Country: us
Re: Reverse Engineering central heating wireless thermostat - help needed!
« Reply #24 on: December 03, 2015, 12:21:40 am »
> I'm assuming a "proper sniffer" costs well over the $20 one those dongles will set you back.

> $50 at least. Do you have a link to a $20 SDR receiver?
$12.75 + shipping: http://www.amazon.com/RTL-SDR-DVB-T-Stick-RTL2832U-R820T/dp/B00C37AZXK
The RTL-SDR dongles (all based on the same digital TV tuner chip and its clones, I believe) are even cheaper now than I remember.  I'm not saying this is necessarily the right tool.  Because the radio is separate from the MCU it sounds as though sniffing the SPI bus would be just as useful, or just as useless (depending on encryption as you say).  But these very simple tuners have allowed folks to do things like reverse-engineer the transmissions from the tire-pressure monitoring systems in their car, and other fun stuff.
 
