TransWikia.com

reverse engineering bluetooth smart thermostat payload

Reverse Engineering Asked by Richard Zilahi on November 29, 2020

I am trying to reverse engineer an ENSTO "smart" Bluetooth thermostat, which I just got installed in the house. The thermostat, due to some technical and electrical challenges, sometimes got placed at weird positions, so I thought I would give this a try and see how far I can get.

In their official app, I was playing around to generate some logs, so I managed to sniff the Bluetooth packages, then, using Wireshark, noticed some patterns, but I am having a hard time actually understanding them:


The first 01 or 00 definitely indicates whether we are increasing or decreasing, but what could the rest be?

Any tips, ideas, and suggestions are welcome!

I am a fullstack engineer, and pretty new to all these IoT and smart home things, but trying my best.


ACTION                      PAYLOAD
INCREASE_BY_5_IN_ONE_HOUR   Value: 01f401143c003c00
DECREASE_BY_5_IN_ONE_HOUR   Value: 00f401143c003c00

INCREASE_BY_3_IN_ONE_HOUR   Value: 012c010a3c003c00
DECREASE_BY_3_IN_ONE_HOUR   Value: 002c010a3c003c00

INCREASE_BY_1_IN_3_HOURS    Value: 01640014b400b400
DECREASE_BY_1_IN_3_HOURS    Value: 00640014b400b400

Thank you!

One Answer

Some elements of an answer:
INCREASE_BY_5_IN_ONE_HOUR Value: 01f401143c003c00
01 = increase
f401 = 0x1f4 = 500, times 1/100 of a degree (little-endian)
14 = 0x14 = 20, could be a step? (other case: 0x0a = 10)
3c00 = 0x3c = 60 minutes
(2 times, to check the validity of the frame?)

More data would be needed to go further.

Correct answer by Gordon Freeman on November 29, 2020
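
The layout guessed in the answer above can be checked against all six captured payloads. This is an added example, not code from the question or the answer; the field names and the `Frame`, `decode`, `matches_label` and `unknown_by_action` helpers are hypothetical, and byte 3 is kept as an unexplained value.

```python
import struct
from typing import NamedTuple

# Payloads copied from the table in the question.
SAMPLES = {
    "INCREASE_BY_5_IN_ONE_HOUR": "01f401143c003c00",
    "DECREASE_BY_5_IN_ONE_HOUR": "00f401143c003c00",
    "INCREASE_BY_3_IN_ONE_HOUR": "012c010a3c003c00",
    "DECREASE_BY_3_IN_ONE_HOUR": "002c010a3c003c00",
    "INCREASE_BY_1_IN_3_HOURS": "01640014b400b400",
    "DECREASE_BY_1_IN_3_HOURS": "00640014b400b400",
}

class Frame(NamedTuple):  # hypothetical field names, following the answer's guesses
    increase: bool
    delta_deg: float
    unknown: int
    minutes: int
    minutes_repeat: int

def decode(hex_payload: str) -> Frame:
    raw = bytes.fromhex(hex_payload)
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    # "<" = little-endian, no padding: u8, u16, u8, u16, u16
    direction, centi, unknown, mins, mins2 = struct.unpack("<BHBHH", raw)
    if direction not in (0, 1):
        raise ValueError(f"unexpected direction byte {direction:#04x}")
    return Frame(direction == 1, centi / 100, unknown, mins, mins2)

def matches_label(label: str, frame: Frame) -> bool:
    # Labels look like INCREASE_BY_<deg>_IN_<ONE|n>_HOUR[S]
    verb, _, deg, _, hours, _ = label.split("_")
    expected_min = 60 * (1 if hours == "ONE" else int(hours))
    return (frame.increase == (verb == "INCREASE")
            and frame.delta_deg == float(deg)
            and frame.minutes == frame.minutes_repeat == expected_min)

def unknown_by_action() -> dict:
    # Tabulate the unexplained byte 3 per action to look for a pattern
    return {label: decode(p).unknown for label, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        f = decode(payload)
        print(f"{label:28} {f} ok={matches_label(label, f)}")
```

On these six samples, byte 3 is 0x14 for the 5-degree and 1-degree actions and 0x0a for the 3-degree ones, so it does not simply track the temperature change; more captures are needed before naming it.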
