Reverse Engineering central heating wireless thermostat - help needed!
picitup:
Hi again
Thanks for your replies. It sounds like I've bitten off more than I can chew. It would probably be less work to fit a photon in a box with a relay.
I'm not worried about controlling the heating myself as I worked as a BMS engineer for a few years. The control of the boiler on my system is done through a timer in series with the wireless receiver, which is a box external to the boiler so any volt free contact would work in the same way. So in practice, the wireless stat/receiver is no different to an old mechanical stat with a microswitch.
I appreciate it would need a 'dead zone' so the boiler, for example, turns off at setpoint +1 degree and on at setpoint -1 degree to stop any rapid cycling of the boiler.
Also the Photon would work locally without any need for an Internet connection, just the ability to change the setpoint over the net. So hopefully then we won't get cold if the Internet goes down!
I'd still like to get this going, tell me I'm bonkers if you like and you may well be right.
Thanks for reading...
Steve
ataradov:
--- Quote from: picitup on December 02, 2015, 05:28:03 pm ---I'd still like to get this going, tell me I'm bonkers if you like and you may well be right.
--- End quote ---
Well, you can certainly do that, but it will take more effort to reverse engineer this stuff than to recreate the software from scratch. Just erase the Xmega and write your own software. You will have to do it on both sides, of course.
Trying to reverse engineer the protocols will require a lot of time, luck and equipment.
picitup:
Well I appreciate your feedback, thanks.
I'll continue to wrangle with this until I come up with a solution or slip into a sulk :)
If I come up with anything, I'll post it up.
Cheers
Steve
philpem:
--- Quote from: ataradov on December 02, 2015, 05:42:13 pm ---
--- Quote from: picitup on December 02, 2015, 05:28:03 pm ---I'd still like to get this going, tell me I'm bonkers if you like and you may well be right.
--- End quote ---
Well, you can certainly do that, but it will take more effort to reverse engineer this stuff than to recreate the software from scratch. Just erase the Xmega and write your own software. You will have to do it on both sides, of course.
Trying to reverse engineer the protocols will require a lot of time, luck and equipment.
--- End quote ---
Not really. A Saleae Logic (or anything supported by Sigrok really) sat on the SPI lines of the RF chip and an hour with the Atmel datasheet should do it.
Make the thermostat turn the boiler on. See what it sends to the RF chip. Repeat for boiler off.
This is literally what I did for the Worcester-Bosch MT10RF, but I did it with an Agilent mixed-signal scope, a Python script, and a couple of wires and a broken Worcester-Bosch MT10RF I found on Ebay. Then I found a TI USB FET (MSP430 Flash programmer) and hooked it up to the JTAG pins on the main micro... which helpfully wasn't JTAG-locked! >:D
Ten minutes later, I had a complete flash ROM dump, and about an hour after that, I'd single-stepped their code and knew what the I/O pins did, why the temperature sensing was so shockingly bad (they're using a digital pin to sense a thermistor using an R/C, and the capacitor drifts like a mother with both time and temperature...) and what the RF protocol was "as they envisioned it". Curiously it can signal low-battery status back to the boiler, but the boiler doesn't have any way of saying "uh, the battery's low, fix pls?" -- nor does the thermostat. The first you find out about that is when your heating doesn't come on...
So it's not impossible. In fact, on an SPI chip it's probably easier than the WoBo -- I was dealing with TX_EN and FSK_DATA on some Infineon chip. SPI should be easier because once you know what the registers are (should be in the datasheet), you can figure out what it's actually doing. I'd be legitimately stunned if this thing uses encryption, and if it does, the keys probably go over the SPI bus in the clear. This is only meant to protect against passive eavesdropping and noise, really; most manufacturers consider "a guy with a Saleae Logic" to be a "well-funded attacker"...
Cheers,
Phil.
ataradov:
--- Quote from: philpem on December 02, 2015, 06:52:55 pm ---Make the thermostat turn the boiler on. See what it sends to the RF chip. Repeat for boiler off.
--- End quote ---
Properly designed protocols will use sequence numbers for duplicate detection and replay attacks (which is what you are trying to do here).
I work at Atmel and support those chips. I know what I'm talking about. The only way reverse-engineering will be simple is if you are in luck and the protocol used is some custom simple protocol. Even if they went with basic IEEE 802.15.4 MAC, then sniffing the SPI and replaying the results will achieve absolutely nothing.
--- Quote from: philpem on December 02, 2015, 06:52:55 pm --- which helpfully wasn't JTAG-locked! >:D
--- End quote ---
Again, you need a lot of luck for this to happen.
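To make the point about sequence numbers and replays concrete, here is an added example (not code from either poster or from any real thermostat firmware) of a boiler-side receiver that only acts on a "boiler on/off" frame if the frame authenticates and its sequence number has advanced past the last accepted one. The frame layout, the 16-bit counter, the shared key and the truncated HMAC tag are all constructed for this demo; the thread only mentions sequence numbers, so the authentication tag is an assumption added to show why a captured frame cannot simply be resent or modified.

```python
import hmac
import hashlib
import struct

# Constructed shared key for the demo; a real device would provision its own.
KEY = b"constructed-demo-key-not-real"
TAG_LEN = 8  # truncated tag length, an assumption for this example


def build_frame(seq: int, command: int, key: bytes = KEY) -> bytes:
    """Thermostat side: 2-byte big-endian sequence number, 1-byte command, HMAC tag.

    command 1 = boiler on, 0 = boiler off (constructed encoding).
    """
    body = struct.pack(">HB", seq, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Boiler side: accept a frame only if the tag verifies and the sequence advances."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1      # highest sequence number accepted so far
        self.state = "off"      # relay state driven by accepted commands
        self.log = []           # human-readable trail of accept/reject decisions

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 3 + TAG_LEN:
            self.log.append("reject: bad length")
            return False
        body, tag = frame[:3], frame[3:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag, expected):
            self.log.append("reject: bad tag")
            return False
        seq, command = struct.unpack(">HB", body)
        # A resent copy of an earlier frame carries an old sequence number.
        # (A 16-bit counter wraps; a real design needs a window or a wider counter.)
        if seq <= self.last_seq:
            self.log.append(f"reject: replayed or duplicate seq {seq}")
            return False
        self.last_seq = seq
        self.state = "on" if command == 1 else "off"
        self.log.append(f"accept: seq {seq} -> {self.state}")
        return True


def replay_demo():
    """Send on, then off, then resend the captured 'on' frame, then a forged frame."""
    rx = Receiver()
    on_frame = build_frame(1, 1)
    off_frame = build_frame(2, 0)
    first = rx.accept(on_frame)                       # fresh: accepted
    second = rx.accept(off_frame)                     # fresh: accepted
    replayed = rx.accept(on_frame)                    # same bytes again: rejected
    forged = rx.accept(build_frame(3, 1, key=b"wrong"))  # new seq, bad tag: rejected
    return first, second, replayed, forged, rx.state


if __name__ == "__main__":
    results = replay_demo()
    print(results)
```

Run as a script and the receiver ends in the "off" state: the captured "on" frame is refused because its sequence number is stale, and a frame built without the key is refused by the tag check. Note that the sequence check alone (no tag) would still let an attacker who understands the layout bump the counter, which is why ataradov's point about 802.15.4-style security layers matters.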