Open CrNMGuy opened 10 months ago
Here is the complete welcome conversation : Difficulty should be with the token calculation
$login token\r\n
$B9A8DXXX\r\n
$login key 1360131XXXXXXXXXXXXXXXX6ECD\r\n
zclient login (182)\r\n
$ack\r\n
$apiversion\r\n
$1.0.0\r\n
$setkomm\r\n
$2109716 ack\r\n
$asnr get\r\n
$Unknown Command\r\n
$igw set 0022771\r\n
$ack\r\n
$daq stop\r\n
$logging disable\r\n
$daq stopped\r\n
$logging disabled\r\n
$daq desc\r\n
$<<<DAQPRJ><ANALOG><CHANNEL id='0' name='ZK' unit=''/><CHANNEL id='1' name='O2' unit='%'/><CHANNEL id='2' name='O2soll' unit='%'/><CHANNEL id='3' name='TK' unit='�C'/><CHANNEL id='4' name='TKsoll' unit='�C'/><CHANNEL
[...]
$daq start\r\n
$logging enable\r\n
$daq started\r\n
$logging enabled\r\n
$bootversion\r\n
$V2.18\r\n
$info\r\n
$KT: 'Nano.2(.3) 12'\r\n
$SWV: 'V14.0m4'\r\n
$FWV I/O: 'V1.2.0'\r\n
$SN I/O: '2000000'\r\n
$SN BCE: '1900000'\r\n
$uptime\r\n
$179954\r\n
$erract\r\n
$no errors\r\n
You cannot do it this way, because you cannot mimick the login token / login key handshake. The nano pk will not recognize you as a valid igw.
They also initiate the conversation on UDP port 35601 ==> HargaWebApp v6.4.1 SN:0039808 ==> get services
<== HSV/CL 9-60KW V14.0n3HSV1P par.cgi daqdesc.cgi daqdata.cgi token.cgi events/quit.cgi events/clear.cgi events/list.cgi trykey.cgi 4FBBB70C
Someone did manage one day to extract or get the firmware ? I could try to reverse how the token calculation is done from it. And also could you try via telnet to send the token request multiple times ? If the response is static, it whould be way easyier. I should ask my vendor to come update my unit and i could have this new feature to try ;)
I in no way intend to do something like that: this would infringe the intellectual property of Hargassner and expose you to lawsuit. see https://news.ycombinator.com/item?id=37874220 for an example in the automotive industry
anyway, the response is not static so it’s not trivial
i have a working script that sits in between the igw and the boiler ; when i have enough time i will expose the boiler through mqtt using the ha-discovery protocol.
I worked on communication with NanoPk and just listen Telnet conversation between Hargassner Internet connector and Nano PK
Here is what is interessant : I played with temperature adjustement (-3 to +3°) from the app Commands are super explicite and not firmware dependant like the "pm" report
Read value :
Write value
Whole transmission