Compatibility with Solution 3000 board

[brendon]

Hi there, I was wondering what you thought about the possibility of this software working with the Bosch Solution 3000 panel?

I think it might work quite similarly to the B and G series boards. TCP/SSL on port 7700. There is a Vera integration already written (apparently by Bosch): https://boschsecurityaustralia.freshdesk.com/support/solutions/articles/35000135521-solution-2000-3000-configuration-guide-for-vera-controller

I've tried to reverse engineer that but while I'm able to connect to the board via something like openssl s_client -connect 192.168.1.134:7700 and also via Ruby, I can't seem to get any output. The byte sequences seem fairly arcane and the Lua code doesn't help as I'm not familiar with that language! :D

I can use A-Link to connect to the panel via local TCP/SSL so I know the interface is working in principle. I just lack the magic incantations :D

I'd be happy to test your software out on my panel if you think it's close enough to work :D

[EHylands]

Hi, Solution Series panels with firmware version 4.06 and higher support Bosch Intrusion Integration Protocol mode 2 on which this plugin is based.

Is there a way to set "Automation Device" to "Mode 2" and an "Automation passcode" with A-Link software ?

If you can get pass initial connection with your automation passcode, Points(zones) sensors and Output accessories should be working properly because they share the same common protocol instructions.

Area arming instruction codes are slightly different and would need some code modifications.

Let me know if you can get pass initial connection !

[EHylands]

Deleted your last comment because you posted private encryption key and password in your pictures.

1- Could not find firmware 4.06 stated in IIP Mode 2 specification either. Wrote an email to Bosch support to find out if Solution 2000/3000 panels support IIP Mode 2 or not. Awaiting reply.

2- Wich TLS version is your panel using ? Before upgrading my firmware, Node.js could not establish a secure connection with the panel running on TLSv1.0 . Newest firmware upgraded panel to TLSv1.2 and allowed secure connections. From mac terminal or linux, run the following command to find out your panel TLS version: "openssl s_client -connect HOST:7700" (Replace HOST with your panel ip address)

Mode2WhatareYou command format 0x01 is supported by all panels and is taking place before any authentification. We should get pass that call.

[brendon]

Thanks @EHylands, I must have missed the key when I was checking through the images.

I was able to openssl to the panel last night. It just failed to verify the certificate. I'll try again tonight to see what the output is.

I did notice that there is probably a firmware upgrade for the ethernet board and found some instructions on how to access that on another IP address to initiate the firmware upgrade.

[EHylands]

Are you using the B426-M module for ethernet network connection ?

In this module newest documentation iI found the following configuration option:

Web and Automation Security

This setting also enables TLS security for Automation.

Is your B426 up to firmware 3.05 ?

On Feb 28, 2022, at 17:43, Brendon Muir @.***> wrote:  Thanks @EHylands, I must have missed the key when I was checking through the images.

I was able to openssl to the panel last night. It just failed to verify the certificate. I'll try again tonight to see what the output is.

I did notice that there is probably a firmware upgrade for the ethernet board and found some instructions on how to access that on another IP address to initiate the firmware upgrade.

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.

[brendon]

Yes that's what I have. Is that configuration option in the card's private web interface? If so, I'll have a go at accessing it tonight. I remember accessing it when I was setting it up for the Bosch Cloud RSC+ service. I'd assume it's already enabled but it might be in a mode that's only concerned with the Bosch integration.

[brendon]

After a direct connect reprogram the unit no longer boots at all (even without the ethernet module installed). I've tried a factory reset but unfortunately no dice. I've left it unplugged overnight to see if it comes right in the morning. Perhaps the system was partially failing the whole time?

[brendon]

Yep, it's definitely dead. Do you know if there's a low level serial recovery mode for these units to re-flash them in the case that their eeprom's get corrupted?

[EHylands]

https://resources-boschsecurity-cdn.azureedge.net/public/documents/Bosch_B450_IOG_Installation_Manual_enUS_9007212492304267.pdf

Check page 41 of that guide. Any hearthbeat error code on your module ?

[brendon]

Oh it's worse than that :D It's the actual Solution 3000 board that's dead. I did just find a video on re-flashing it from the DLA module (which has a built in copy of the firmware). I'll load the latest firmware on to the DLA and try re-flashing it tonight.

[brendon]

Crisis over. Turns out I accidentally half-flashed it by leaving the DLA plugged in when it booted. I've upgraded the Solution 3000 board to the latest firmware 2.0.5.0 as part of the fixing process. Will continue to try and gain access to the web interface for the card, though from what I understand programming from A-Link is supposed to supersede this.

[sanjay900]

I did a bit of reading on the lua code, and it appears that after sending the passcode, you also have to send a pincode. If i add the a function for doing this, and change it so that it calls this after setting the passcode, i am able to successfully talk to the device. Note that the pincode is your pincode when you use the RSC+ app.

However, it seems that ReadMode2SetSubscriptions fails, and i'm not really sure why this is. One thing i did notice is that it says my protocol version is 5.200 while ReadMode2SetSubscriptions is only supported for 5.207?

I am however able to poll for points manually, but it would be good for subscriptions to work

private SendMode2PinCode(){
      this.CurrentControllerState = BGControllerState.GetPanelMode2Pincode;
      const Protocol = new Uint8Array([0x01]);
      const Command = new Uint8Array([0x3E]);
      const CommandFormat = new Uint8Array([]);

      if(this.Pincode.length !== 4){
        this.emit('ControllerError', BGControllerError.PasscodeLengthError, 'Invalid Passcode Length');
        return;
      }
      const PincodeInt = parseInt(this.Pincode, 16);
      this.SecureSocket.write(this.FormatCommand(Protocol, Command, CommandFormat, Uint8Array.from([PincodeInt >> 8, PincodeInt & 0xff])));
    }

[brendon]

That's interesting @sanjay900 :) Sadly I never even got that far. What model ethernet card do you have, and are you using the Solution 3000? I have a B426-M but I'm starting to suspect these are only designed to talk to the Bosch cloud servers. Since updating the firmware on mine it doesn't even function as a cloud card either though. I've got some troubleshooting info from Bosch that I will try today to see if I can get it working again at least with RSC+.

[sanjay900]

That's the exact module I have!

[sanjay900]

Are you able to talk to it over the network from alink?

[brendon]

I used to be able to but no longer. I'm going to go in there now and restore the backup I took before I started messing around (I have a DLA fortunately). If that brings up the cloud interface again then I'm half-way there by the sounds of it :)

[sanjay900]

The only issue is we would need to implement a polling based implementation as subscribing to events does not seem to work, but for example if i send out a signal to poll point 5, and then walk infront that PIR sensor i do see that result

@EHylands Would you have any ideas? Attempting to call SendMode2SetSubscriptions() results in a response from the panel of <Buffer 02 fd 00> on the solution 3000

[brendon]

Do you have the latest firmware on the panel? I have 2.0.5.0 that I can email you.

[EHylands]

Thank you for providing help with Solution 2000 and 3000 panels.

Unfortunately, Bosch US can't provide any support on those panels since not available in our area.

Automation passcode are only available on B and G panels. Thank you for providing a function to use pin code on other panels.

As per protocol documentation, subscription notifications (push) are only available with protocol version 5.207 and higher. Pooling can easily be added with Mode2ReqFaultedPoints function as a fail over mechanism for other panels. Will test it out to access how instantaneous HomeKit notifications would be with pooling rather than push notifications.

Area arming instructions are also different for Solutions 2000 and 3000 panels. Slight changes have to be done at that level also for Home Security HomeKit accessory to be fully functional.

Lot of fun work to do in the next fews days ! Will keep you posted.

[sanjay900]

Interestingly enough, you have to use both an automation passcode and a pin code on the 3000. The automation passcode can be set via A-Link

[brendon]

Thank you both :) I was unable to bring my board back to life yet but I'm working with Bosch Australia to try and fix it.

@EHylands, I'm not sure if it helps, but the support email I'm using for Bosch Australia is technical.support@au.bosch.com. Perhaps they'd be able to help you with what you were looking for?

[sanjay900]

@EHylands There was one other thing, whenever i was reading text, the code would just fail and i presume its because all the text is empty on my panel i ended up having to change to the following, or variations of the following for all the functions that read text essentially, DataLength was coming through as 2, so it would just never continue as it would read the point number and then do nothing

const DataLength = Data[0];

      // No more data to be read, all point text has been received from panel
      if(DataLength <= 1){
        this.SendMode2ReqConfiguredOutputs();
        return;
      }

      let i = 1;
      while(i < DataLength){
        const PointNumber = (Data[++i] << 8) + Data[++i];
        let PointText = '';

        if (i > DataLength) {
          this.SendMode2ReqConfiguredOutputs();
          return;
        }

        while(i < DataLength){
          const Read = Data[++i];
          if(Read !== 0){
            PointText += String.fromCharCode(Read);
          } else{

            // read a zero: done reading text
            const Point = this.GetPoint(PointNumber);
            if(Point){
              Point.PointText = PointText;
            }

            if(i === DataLength){
              this.SendMode2ReqPointText(PointNumber);
              return;
            }
            break;
          }
        }
      }

[sanjay900]

Do you have the latest firmware on the panel? I have 2.0.5.0 that I can email you.

unfortunately I think im just running 2.0.0, and I do not have a DLA to do the update either

[brendon]

That's unfortunate. I see you're in NZ. I could post you mine if you wanted to borrow it for the update?

[brendon]

Though I don't think the update would add any functionality as from memory it was just bug fixes.

[sanjay900]

Yeah I didn't see any new functionally and I don't want to accidentally brick my one haha

[brendon]

Touché, you don't want to end up my boat. I think my B426-M is bricked in a way.

Out of interest, does the Vera controller Lua script poll the Solution 3000 for state or does it perhaps subscribe to events in another way unique to the Solution series?

[EHylands]

@brendon If it can make you feel better, I blew fuses on my first B Panel and B520 auxiliary power unit .... Had to buy brand new components!

[sanjay900]

@brendon it polls, I was able to whip up something that used it's method of polling and if I waved my hand in front of the sensor in my room I saw that reflected in the output. I'm probably going to be porting this all to home assistant as I'm using that and not home ridge myself

[sanjay900]

@EHylands heh I blew the fuse on my gate controller once, luckily I had a spare fuse and it still worked but I was worried for a bit haha

[brendon]

Haha! Sounds like we've all had our fair share of misadventure! :D Polling it is then! :)

[sanjay900]

Oh something else crossed my mind, it turns out that the WhatAreYou packet is actually different for the solutions 3000.... its just [1.1.1] not [1.2.1.1]

[EHylands]

@sanjay900 Funny, as per protocol, both should be supported for Mode2WhatareYou Command Format #1 (Protocol Version 1.14)

[ Protocol 0x01, Length 0x01 , Command 0x01]

or

[ Protocol 0x01, Length 0x02 , Command 0x01 , Command Format 0x01]

You event get A-Link protocol information with: [ Protocol 0x01, Length 0x02 , Command 0x01 , Command Format 0x03]

[sanjay900]

Must just not be something supported on the 3000, as it just returns <Buffer 02 fd 00> if i use 1,2,1,1

[sanjay900]

do you have the documentation for the protocol handy? It would be nice to look at

[EHylands]

@sanjay900 0x02: response packet length 0xFD: Negative Acknowledgement (NAK) (Command error) 0x00: Non-specific error

Just changed my code for [1,1,1] as it works perfectly too.

Documentation is a 240 pages long pdf document Amazing complete protocol. Fun reading !

Need to write to Integrated.Solutions@us.bosch.com and ask for Intrusion Integration Protocol (Mode2) documentation. They were quick to reply !

[EHylands]

@sanjay900 I checked on my Panel by removing all output text and everything works well without any modifications.

Are there any major differences in protocol implemenation between BG Panels and Solutions 2000-3000 Panels ?

For Mode2ReqOutputText function: The shortest response you can get for output #1 without text is 0x04 [0x04, 0xFE,0x00,0x01,0x00] (DataLength, 0xFE, Output Number MSB, Output Number LSB, 0x00 for empty text)

When no more output text is available you get: [0x01,0xFE]

Data length could then be 0x04 or 0x01, but not 0x02 ...

Same applies to AreaText and PointText

It would be nice to check with Bosch Australia if proper protocol implementation for Solution 2000-3000 has been documented.

@EHylands There was one other thing, whenever i was reading text, the code would just fail and i presume its because all the text is empty on my panel i ended up having to change to the following, or variations of the following for all the functions that read text essentially, DataLength was coming through as 2, so it would just never continue as it would read the point number and then do nothing

const DataLength = Data[0];

      // No more data to be read, all point text has been received from panel
      if(DataLength <= 1){
        this.SendMode2ReqConfiguredOutputs();
        return;
      }

      let i = 1;
      while(i < DataLength){
        const PointNumber = (Data[++i] << 8) + Data[++i];
        let PointText = '';

        if (i > DataLength) {
          this.SendMode2ReqConfiguredOutputs();
          return;
        }

        while(i < DataLength){
          const Read = Data[++i];
          if(Read !== 0){
            PointText += String.fromCharCode(Read);
          } else{

            // read a zero: done reading text
            const Point = this.GetPoint(PointNumber);
            if(Point){
              Point.PointText = PointText;
            }

            if(i === DataLength){
              this.SendMode2ReqPointText(PointNumber);
              return;
            }
            break;
          }
        }
      }

[sanjay900]

Ive sent a message to bosch australia, i will see if i get a response or not. I guess we can assume that the 3000 handles text differently?

[sanjay900]

Ah, so it appears that the solution 3000 does in fact treat text differently. It does not include the number at all, the text just immediately follows the length of the packet.

[sanjay900]

Not sure if this will help, but here is my rewrite of that lua code in python: https://github.com/sanjay900/solutions3000-home-assistant/blob/main/solutions3000.py I don't have doors or outputs so i have no idea if that functionality works but i presume it would do

[sanjay900]

My code seems to work okay with home assistant now, which was really all I was after.

[brendon]

Hey nice work! Can’t wait to get a working board so I can try this myself :)

[sanjay900]

Interestingly, I did ask Australia for documentation on mode 2, but they said I would have to sign an NDA for it, which wouldn't help us much being that this is open source.

Interestingly though they are working on a new firmware for home automation appearently , not really sure about any info on that though

[brendon]

That is super interesting isn’t it given the overall basics of the protocol are already out there. Nice that they responded to you as they just ignored me :) I think the pressure is probably on to make these products work with home automation frameworks so good to see them working on it. Thanks for the update :)

[sanjay900]

Funnily enough it was the product manager of the solutions 3000 that got back to me which is not what i was expecting

[sanjay900]

[EHylands]

@sanjay900 Great job !

Went through your python code. Only reason I didn't use await/promise in my code is you never know when you will get a push notification from the panel (protocol 0x02) while issuing a 0x01 protocol command at the same time.

Hope you can get subscriptions working on your panel !

[sanjay900]

@sanjay900 Great job !

Went through your python code. Only reason I didn't use await/promise in my code is you never know when you will get a push notification from the panel (protocol 0x02) while issuing a 0x01 protocol command at the same time.

Hope you can get subscriptions working on your panel !

Yeah i think my plan will be to just wait for them to release their new protocol for home automation. I've asked them if they plan on implementing something for home assistant themselves. Polling while ugly works quite well, and home assistant handles that all for me so im not to worried about polling for info.

The only real reason i went the async/await method was because it was needed for home assistant as it expects things to be async

[EHylands]

Well, it looks like your own Home Assistant implementation will be completed in no time !!

[sanjay900]

hopefully that helps enough for getting this working too!

[sanjay900]

@EHylands Do you have a copy of the documentation you based this code on? Also, is there a command for getting the type for a point? im trying to work out if something is a smoke detector or a motion sensor