Reverse Engineering Zigbee Communication (AlertMe / IRIS)

Added by ltickett about 6 years ago

I’m curious whether anyone has attempted to "reverse engineer" zigbee communication?

I have just discovered the AlertMe products, specifically the SmartPlug (just what I’ve been looking for). While they work nicely and have quite a nice web interface etc, I would like to integrate them into my unified home automation software.

I picked up the TI USB Zigbee device and have had a play with Ubiqua Protocol Analyzer:

It appears to have sniffed the network key and decrypted the packets successfully, but I’m not quite sure what my next step is (i.e. how to actually decode the payload data into consumption and switch on/off instructions).

I have had a pretty good google but not really come up with much (plenty about the initial sniffing, but nothing about what’s next…)

L


Replies (66)

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by draythomp about 5 years ago

Thanks for catching me reversing the fields (went back and fixed them). This is so complex that mistakes like that are too easy to make. You’re right, it’s a one byte signed field, and on my device, it follows pretty well the RSSI I see with an XBee. But, that only means that its actual worth is a little more than nothing at all. RSSI depends on the last hop and in a network like mine, that can change from one hop to the next depending on routing since it only represents the last device something heard from.

It is extremely good though to tell you if you have a path at all. I used the heck out of it getting data from a distance that took either one hop or two depending on weird factors like the placement of a tractor. I didn’t care about signal level as much as I cared about signal at all.

Nope, mine is cluster id 0x00f0, cluster cmd 0xfa, and databytes 0x01, 0x01 for the RSSI; I haven’t even messed with cluster id 0x000f (yet). There are definitely several options to this: There seem to be 4 of them with various features. Here’s a list of them and what they do. I’m only talking about the first of the data bytes here, not the whole thing; maybe that will keep me from messing up a field or two.

first data byte 0x00 - resets the switch back to normal operation. Remember this because it’s how you get out of the next modes.
0x01 - kicks it into RSSI mode like we already discussed; remote and local control work, but they cancel the double blink
0x02 - Lock mode (my name). This locks the switch such that the button on the front does nothing; remote control still works; periodic reporting is turned off (power, and accumulators); RSSI is reported, but infrequently
0x03 - Silent mode (my name) Remote and local control work, but the periodic reporting is stopped; you do see the RSSI, but infrequently
Any higher number in the first data byte acts exactly like 0x03 above.

While experimenting with this though I found that turning the switch on and off was affected in some weird fashion such that even making the switch rejoin (the multiple button press thing) I still couldn’t cause the switch to change states remotely. That led to some more experiments that caused me to change the switch on - switch off commands. After changing them, the switch works every single time regardless of how I mistreat the various cluster commands. All I did was substitute the ‘get status’ command for the one you used originally to allow the switch to change. So the sequence to turn it on is:

dest endpoint 0x02, cluster id 0x00ee, profile id 0xc216, cluster cmd 0x01, databyte 0x01
dest endpoint 0x02, cluster id 0x00ee, profile id 0xc216, cluster cmd 0x02, databytes 0x01, 0x01

If I didn’t muck up the numbers again…

Meanwhile, I’m beginning to think the accumulators can’t be reset. I’ve been through the clusters we know about with every cluster command and a variety of databytes several times (yes, I automated it somewhat). However, that may be just fine since values can be saved and compared with reading at a later time. After all, we can’t reset the power meter on the house (sadly), but we can derive data from it over time. It would be nice to find a command that makes it report the totals as desired though. That way we could silence the switch (silent mode above) and only talk to it when we wanted data. Same with the instantaneous power; that would be useful on demand occasionally.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by CapnBry about 5 years ago

Ha HA! Speaking of mucking up the numbers, I meant to type ClusterId 0x00f0 for the “RSSI mode” command. I too have never used ClusterId 0x000f.

How big of a Zigbee network do you have? Sounds like you’ve got a pretty good mesh. I only have 3 plugs and 1 thermostat all within 20 feet of the coordinator. I also have 2 non-Zigbee Xbees I purchased originally thinking Xbee == Zigbee that are just sitting in a drawer now.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by draythomp about 5 years ago

I have about a dozen of them deployed right now. The west side of the house has one that controls the swimming pool, monitors the septic tank and controls an acid pump; the east side has one to control some water and another that measures outside temperature; the garage has one to control garage doors and hot water heater; there’s one hooked into the mains panel to measure power usage for the entire house; there’s one that displays various status mounted on the wall; one in the attic that has a GPS chip hooked to it to supply satellite based time for the entire house; one hooked to a Raspberry Pi that serves as monitor and control for the house (web interface), the rest monitor voltage on lead acid batteries on vehicles and a couple that forward for others because of the distance.

It sort of got out of hand once I realized the kinds of things I could do with them. Most have associated processors, but a few do whatever job totally on their own. Now I’m thinking about another entire network to support Iris devices scattered around the house. I won’t even mention the three Wemo switches and a couple of X10 devices I haven’t quite replaced yet. Most of the devices are described on my blog; I actually use the blog as a record of my many attempts to do something around the house … miserable failures and all. I keep the failures up so folk won’t follow the same path I did.

Sell the series 1 XBees on ebay; there are lots of folk that love those things (chumps).

edit: I forgot to mention that Alertme responded to my request for the API to the devices. They said ‘No’. Oh well, now that they denied me the API, I don’t have to worry about meeting an NDA, and since it’s legal to hack devices I own, I can play to my heart’s content and publish the results on my blog (for non commercial, hobby applications) … tee hee. So much for industrial secrecy; I did the same thing to the Goldline swimming pool protocol and a ton of people took off and mimicked the work for their own pool. Once it’s on the internet, it’s always on the internet.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by ltickett about 5 years ago

Loving following this thread. I’d love to know how you find the time! That’s where I’m struggling; I have 10s… probably closer to 100 projects I’ve started and then neglected :/

I try and blame it on the fact that there are too many choices and disparate systems / languages… Ending up with stuff running on a whole host of hardware, platforms and languages can make it a real PITA to integrate and maintain.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by CapnBry about 5 years ago

That’s a great little network you’ve got going there with a variety of applications. I found the Zigbee modules to be too expensive to deploy in all my projects although the mesh system is pretty cool. Are they still like $25 each (checks) oh I guess they’re a little cheaper now. I ended up using RFM12B modules for all my non-wifi RF stuff just because you can get them for like $5 each. I have 5 or 6 doing temperature monitoring and control for my beer brewing and BBQ stuff, 1 that I built into a Jee-A-Watt, 1 hooked into my home alarm panel, and a few receivers. I might change that alarm one into a Zigbee node though because my Zigbee monitoring is a little easier to build on with the MQTT system and web UI.

It didn’t even occur to me that I could dump off these XBees on eBay. I kept thinking I’d use them for something, but I prefer the full Zigbee stack if I’m going to deploy a node. I guess the regular kind are ok for people who want to throw together a pseudo-serial sort of interface quick and easy. That sort of thing is great for just one device but when you add a second it starts getting too messy. I used to have some X10 stuff too, that protocol has been around forever!

ltickett: I know the 100 project problem too. The worst is when you run out of breadboards because you have too many projects on breadboard that you’re waiting to make the solder equivalents. I actually spent 5 hours last night working on another project where I have too much noise getting into my analog section so I’m slicing up the PCB to try and isolate it. Tonight I have to pasteurize and add the kumquats to my kumquat wheat beer, build a stronger connector to a thermocouple board, 3D print a new case for a device, research the best way to do a variable current limit on a USB connected device…

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by draythomp about 5 years ago

I have my stash of projects that got started, then wound up stuffed in a ziplock bag for later as well. However, some of the projects were to fill a real need and that means they got finished. For example, the thermostats, mine predate the NEST and the other ones that are wifi enabled or whatever; I needed them because my power bills were getting ridiculous. One time I came home and the garage door was open and the garage was full of squirrels and cactus wrens; I have the garage doors on the web now. All of the projects had a real purpose that fulfilled a need.

Some of them took months of research to get enough information to do. The interface to my Goldline pool controller was a painfully long process that never totally completed because I got far enough to use it and quit looking and started doing. There are other people that took that work and carried it to a conclusion. Teach them to hide their protocol. Measuring the mains power to the house was a matter of keeping the power company legal. I actually got several people’s meters replaced on that one. But, like I said before, about half of the projects failed many, many times before they worked.

I have a light switch that holds a processor, XBee, current sensor, voltage sensor, and latching DPDT relay that will fit in a wall switch box. That project was going to replace most of the switches in the house. When I looked at how much it was going to cost me to build each one, suddenly hacking into one of the commercial devices looked reasonable. That’s one of the projects that is bagged and in a box.

As for having the time, it’s amazing how much time you have when there’s no wife, the kids moved out, and you don’t have a race car.

Now that we’ve gotten enough out of the switch to use it pretty darn well, I think I’ll get one of the GE ZigBee wall switches and see what I can find. Right after I post everything found so far as a form of revenge for not publishing the API.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by epros almost 5 years ago

I am working on reverse engineering and documenting the Iris protocol and this thread has been a great help. I have set up a wiki using information from here and also from packet capture/analysis that I have done. My goal is to document as many Iris devices as possible. I currently have a SmartPlug, Window/door sensor, motion sensor and alarm keypad. I have about 2 weeks left on the free Ubiqua license so I plan on spending as much time capturing/analyzing as possible. I plan on creating python classes for the different iris modules to make them easy to integrate into a home automation system.

You can take a look at http://epros.com/projectwiki/doku.php?id=wiki:iris_packet_decode. It would be great to get others to contribute to the wiki. If you would like access to edit the pages, you can register and I will give permission.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by sorphin over 4 years ago

FYI, that post you quoted was me. :-) I’ve gotten my stuff working (well, the wireless door/window sensor and the smartplug), thanks to @draythomp’s python script (modified). I still have plenty of logs from hacking on the Iris hub (I was mainly trying to commandeer the camera at the time). I’ve noticed that the temperature doesn’t tend to move though. Except for some times where it jumps to an impossible number.

CapnBry wrote:
> I had thought those two bytes were signed just because my values started with FF, but you’re right they could be unsigned. Your numbers actually look like acceptable temperatures but mine do not. I’ve never seen my 0xFF digit be anything but 0xFF.
>
> I see what you’re saying about the LED status now though, mine behave the exact same way. I was wondering why some of them had LEDs on and some had them off. Now I get it!
>
> Looks like field “DD” in that string is actually two fields. Here’s a “devlist” from the Iris app that I found posted on the AlertMe forums. http://forum.alertme.org.uk/viewtopic.php?f=4&t=97&start=20
> […]
>
> Note that “Volt” is 324A. Not really sure what that tells us though, because 324A is 12874. 128.74V? Seems high. If it were reporting non-RMS voltage that would be too low (should be around 155). Looks like Temp is in there too but shows up one byte and it is 00. Power is probably watts, proto (protocol) is probably AM for AlertMe.
>
> I think I’ll crack my Iris hub open tonight and see if I can’t get more information from it.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by epros over 4 years ago

sorphin - Would you mind sharing your modified python code? I am working on documenting the Iris protocol and reviewing working code would help speed the process.
Thanks!

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by zarnce over 4 years ago

I am trying to get communication working with an IRIS Door/Window Sensor. I have been following the advice and data from the previous posts but to no avail. The announce cycle just repeats. Any help would be greatly appreciated.

XBEE setup:

ZS - ZigBee Stack Profile = 2
EE - Encryption Enable = 1
EO - Encryption Options = 1
AP - API Enable = 2
AO - Api Output Mode = 3
SP - Cycle Sleep Period = AF0

Messages:

Received Device Announce Message (0x0013)
>> 7e 00 1e 91 00 0d 6f 00 03 40 d0 d4 49 00 00 00 00 13 00 00 42 81 00 49 d4 d0 40 03 00 6f 0d 00 80 c0

Sending Active Endpoint Request (0x0005)
<< 7e 00 15 7d 31 01 00 0d 6f 00 03 40 d0 d4 49 00 00 00 00 05 00 00 00 00 49 f3

Received Match Descriptor Request (0x0006)
>> 7e 00 1b 91 00 0d 6f 00 03 40 d0 d4 49 00 00 00 00 06 00 00 42 01 fd ff 16 c2 00 01 f0 00 b4

Sending Match Descriptor Response (0x8006)
<< 7e 00 18 7d 31 02 00 0d 6f 00 03 40 d0 d4 49 00 00 00 80 06 00 00 00 00 00 00 01 02 b7

Sending 0x00F6
<< 7e 00 17 7d 31 03 00 0d 6f 00 03 40 d0 d4 49 00 00 02 00 f6 c2 16 00 00 7d 31 01 01 5c

Sending 0x00F0
<< 7e 00 19 7d 31 04 00 0d 6f 00 03 40 d0 d4 49 00 00 02 00 f0 c2 16 00 00 19 01 fa 00 01 5f

Received Active Endpoint Response (0x8005)
>> 7e 00 16 91 00 0d 6f 00 03 40 d0 d4 49 00 00 00 80 05 00 00 41 49 80 dd 00 56

Received Transmit Status
>> 7e 00 07 8b 01 49 00 00 00 40 ea

Thanks
Brian
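The XBee frames in zarnce's dump above follow the XBee API "explicit addressing" layout (0x11 to send, 0x91 on receive, API mode 2 escaping, one-byte checksum), and the ZDO payloads inside them (Device Announce, Match Descriptor Request) are little-endian. The Python below is an added example, not code from any poster in this thread or from AlertMe: it builds and escapes 0x11 frames, reproduces draythomp's two-step 0x00ee "switch on" sequence, and parses/verifies 0x91 frames. The function names are mine, and the AlertMe payload layout assumed in `alertme_payload` (a leading 0x11 frame-control byte, a sequence byte, the cluster command, then data bytes) is inferred from zarnce's dump rather than taken from any documentation.

```python
"""XBee API-mode-2 frame helpers for the AlertMe/Iris traffic quoted in this thread.

Added example, not code from any poster or from AlertMe.  Assumes an XBee Series 2 with
AP=2 (escaped API frames) as in zarnce's setup.  The AlertMe payload layout used below
(frame-control byte, sequence, cluster command, data) is inferred from zarnce's dump and
draythomp's command descriptions; it is an assumption, not vendor documentation.
"""
import struct

TX_EXPLICIT = 0x11                   # XBee "Explicit Addressing ZigBee Command" frame type
RX_EXPLICIT = 0x91                   # XBee "Explicit Rx Indicator" frame type
ESCAPED = {0x7E, 0x7D, 0x11, 0x13}   # bytes API mode 2 escapes after the 0x7E delimiter
ALERTME_PROFILE = 0xC216
ALERTME_ENDPOINT = 0x02
ZDO_DEVICE_ANNOUNCE = 0x0013
ZDO_MATCH_DESC_REQ = 0x0006

def checksum(body):
    """0xFF minus the low byte of the sum of every byte between the length field and the checksum."""
    return 0xFF - (sum(body) & 0xFF)

def escape(raw):
    """API mode 2: each special byte after the delimiter becomes 0x7D followed by byte XOR 0x20."""
    out = bytearray(raw[:1])
    for b in raw[1:]:
        out += bytes([0x7D, b ^ 0x20]) if b in ESCAPED else bytes([b])
    return bytes(out)

def unescape(frame):
    """Inverse of escape(); a frame that was never escaped passes through unchanged."""
    out, it = bytearray(), iter(frame)
    for b in it:
        out.append(next(it) ^ 0x20 if b == 0x7D else b)
    return bytes(out)

def build_explicit_tx(frame_id, dest64, dest16, dest_ep, cluster, payload,
                      profile=ALERTME_PROFILE, src_ep=0x00):
    """Wrap an APS payload in an escaped 0x11 frame (broadcast radius 0, options 0)."""
    body = struct.pack(">BBQHBBHHBB", TX_EXPLICIT, frame_id, dest64, dest16,
                       src_ep, dest_ep, cluster, profile, 0, 0) + bytes(payload)
    raw = b"\x7e" + struct.pack(">H", len(body)) + body + bytes([checksum(body)])
    return escape(raw)

def alertme_payload(seq, cmd, data=()):
    """Assumed AlertMe payload: frame control 0x11, sequence, cluster command, data bytes."""
    return bytes([0x11, seq, cmd, *data])

def switch_on_frames(dest64, dest16, first_frame_id=1):
    """draythomp's two-step switch-on on cluster 0x00ee: cmd 0x01/0x01, then cmd 0x02/0x01,0x01."""
    return [
        build_explicit_tx(first_frame_id, dest64, dest16, ALERTME_ENDPOINT, 0x00EE,
                          alertme_payload(1, 0x01, [0x01])),
        build_explicit_tx(first_frame_id + 1, dest64, dest16, ALERTME_ENDPOINT, 0x00EE,
                          alertme_payload(2, 0x02, [0x01, 0x01])),
    ]

def parse_rx_explicit(frame):
    """Unescape and checksum-verify a 0x91 frame; return its addressing fields and APS data."""
    raw = unescape(frame)
    length = struct.unpack(">H", raw[1:3])[0]
    body, cs = raw[3:3 + length], raw[3 + length]
    if raw[0] != 0x7E or checksum(body) != cs or body[0] != RX_EXPLICIT:
        raise ValueError("not a valid 0x91 frame")
    src64, src16, src_ep, dst_ep, cluster, profile, opts = struct.unpack(">QHBBHHB", body[1:18])
    return {"src64": src64, "src16": src16, "src_ep": src_ep, "dst_ep": dst_ep,
            "cluster": cluster, "profile": profile, "options": opts, "data": body[18:]}

def decode_zdo(cluster, data):
    """ZDO payloads are little-endian, unlike the big-endian XBee header around them."""
    if cluster == ZDO_DEVICE_ANNOUNCE:          # seq, NWK addr, IEEE addr, capability
        seq, nwk, ieee, cap = struct.unpack("<BHQB", data[:12])
        return {"seq": seq, "nwk": nwk, "ieee": ieee, "capability": cap}
    if cluster == ZDO_MATCH_DESC_REQ:           # seq, NWK addr, profile, in list, out list
        seq, nwk, profile, n_in = struct.unpack("<BHHB", data[:6])
        in_clusters = list(struct.unpack("<%dH" % n_in, data[6:6 + 2 * n_in]))
        p = 6 + 2 * n_in
        n_out = data[p]
        out_clusters = list(struct.unpack("<%dH" % n_out, data[p + 1:p + 1 + 2 * n_out]))
        return {"seq": seq, "nwk": nwk, "profile": profile,
                "in_clusters": in_clusters, "out_clusters": out_clusters}
    raise ValueError("unhandled ZDO cluster 0x%04x" % cluster)

if __name__ == "__main__":
    # Constructed input: the Device Announce frame from zarnce's dump.
    announce = bytes.fromhex("7e 00 1e 91 00 0d 6f 00 03 40 d0 d4 49 00 00 00 00 13 00 00 42"
                             " 81 00 49 d4 d0 40 03 00 6f 0d 00 80 c0")
    rx = parse_rx_explicit(announce)
    zdo = decode_zdo(rx["cluster"], rx["data"])
    print("device 0x%016x at 0x%04x announced" % (zdo["ieee"], zdo["nwk"]))
    for f in switch_on_frames(zdo["ieee"], zdo["nwk"]):
        print(f.hex(" "))
```

Fed the Device Announce from the dump, `parse_rx_explicit` confirms the checksum and `decode_zdo` returns the same 64-bit address (0x000D6F000340D0D4) and 16-bit address (0x4900) that the XBee header carries, which is a cheap sanity check that the byte order is right before sending anything. `build_explicit_tx` with frame id 3, cluster 0x00f6 and payload `11 01 01` reproduces zarnce's "Sending 0x00F6" line byte for byte, including the `7d 31` escapes and the trailing `5c`.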

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by zarnce over 4 years ago

sorphin would it be possible for you to post your code so everyone can get it?

Thanks

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by sorphin over 4 years ago

zarnce it's on the menu. Just been trying to sort through some issues. I'll post it soon. FYI, it's a severe mutation of draythomp’s (desert-home) code. He’s what got me started again.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by zarnce over 4 years ago

sorphin, have you made any progress on this?

Thanks

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by sorphin over 4 years ago

zarnce Hi. Sorry, been swamped with life/work/trying to get these things to work with the new Almond+. I’ll post what I have either today or tomorrow.

RE: Reverse Engineering Zigbee Communication (AlertMe / IRIS) - Added by sorphin over 4 years ago

sorphin wrote:
> zarnce Hi. Sorry, been swamped with life/work/trying to get these things to work with the new Almond+. I’ll post what I have either today or tomorrow.

Ok..

http://pastebin.com/LMxjAsGt is the modified just Monitor.

http://pastebin.com/45tNmy1P is the monitor with the command(s) code added.

and

http://pastebin.com/z6EPWGEs has no visible output, but it logs to the sqlite3, to which I have some AJAX doing some query work and pulling me the info from the database for a simple web page.

The Schema for the sqlite3 DB is: CREATE TABLE smartswitch(name varchar(30), longaddress unsigned big int, shortaddress tinyint, status int, watts int, twatts int, utime int, devtype varchar(30), mfgdate varchar(11), vendor varchar(40));

All of these started from the base code from @draythomp’s python script.
