Jahislove / Hargassner

Website for real-time visualization of a Hargassner Nano PK boiler
GNU General Public License v2.0

New way to control a Nano PK via Telnet #21

Open CrNMGuy opened 10 months ago

CrNMGuy commented 10 months ago

I worked on communication with the Nano PK and just listened to the Telnet conversation between the Hargassner Internet connector and the Nano PK.

Here is what is interesting: I played with the temperature adjustment (-3 to +3°) from the app. Commands are super explicit and not firmware dependent like the "pm" report.

Read value:

    Data: $par get A6d\r\n
    Data: $A6d;3;0.000;-6.000;6.000;0.500;°C;0.000;0;0;0;Zone 1 Corr.Amb. Télécommande; 0;\r\n

Write value

    Data: $par set "A6d;3;1.00"\r\n
    Data: zPa A: A6d = 0.0\r\n
    Data: zPa N: A6d = 1.0\r\n

Whole transmission

    Data [truncated]: pm 1 1.2 7.5 58.7 0 61.2 0 0 0 0 13 2 0 0 0 4.3 5.1 61.2 -20 120 -20 50.5 61 62.2 35 29 112.7 86.5 84 74 0 0 45 0 0 3670 0 0 -4 50 2 0 81 100 17 0 2725 5590 1 0 -20 0 20 20 0 1 42.0 42 20 19 1 1 140 0 20 20 0 1 -20 0 20 2
    Data: 0 \r\n

    Data: $par get A6d\r\n
    Data: $A6d;3;0.000;-6.000;6.000;0.500;°C;0.000;0;0;0;Zone 1 Corr.Amb. Télécommande; 0;\r\n

    Data: $par set "A6d;3;1.00"\r\n
    Data: zPa A: A6d = 0.0\r\n
    Data: zPa N: A6d = 1.0\r\n

    Data: $ack\r\n
    Data: zFr 1 Set RT 1.0 (2)\r\n
    Data [truncated]: pm 1 1.2 7.5 58.7 0 61.1 0 0 0 0 13 4 0 0 0 4.3 5.1 61.2 -20 120 -20 50.5 61 62.2 35 29 107.1 86.5 84 74 0 0 45 0 0 3670 0 0 -4 50 2 0 81 100 17 0 2725 5590 1 0 -20 0 20 20 0 1 42.0 42 20 19 1 1 140 0 20 20 0 1 -20 0 20 2
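
For anyone monitoring this Telnet channel passively, the following is an added example (not part of the original post and not the project's code) that audits a capture for `$par set` writes and pairs each with the `zPa A:`/`zPa N:` lines the boiler logs. The meaning of those two tags and of the numeric fields in the `$par get` reply are assumptions inferred from the capture above; `audit_writes` is a hypothetical name.

```python
import re

# Lines taken from the capture in the post above ("Data: " prefix and \r\n removed),
# plus one constructed out-of-range write at the end for illustration.
CAPTURE = [
    "$par get A6d",
    "$A6d;3;0.000;-6.000;6.000;0.500;°C;0.000;0;0;0;Zone 1 Corr.Amb. Télécommande; 0;",
    '$par set "A6d;3;1.00"',
    "zPa A: A6d = 0.0",
    "zPa N: A6d = 1.0",
    "$ack",
    '$par set "A6d;3;9.00"',  # constructed, not from the capture
]

NUM = r"(-?\d+(?:\.\d+)?)"
SET_RE = re.compile(r'^\$par set "(\w+);[^;"]*;' + NUM + r'"$')
ZPA_RE = re.compile(r"^zPa ([AN]): (\w+) = " + NUM + r"$")
# Assumption: in a `$par get` reply, fields 3-5 are current value, lower and upper limit.
GET_RE = re.compile(r"^\$(\w+);[^;]*;" + NUM + ";" + NUM + ";" + NUM + ";")

def audit_writes(lines):
    """Return one record per `$par set`, with the old/new values the boiler logged."""
    limits, writes = {}, []
    for raw in lines:
        line = raw.strip()
        if m := SET_RE.match(line):
            name, requested = m.group(1), float(m.group(2))
            lo, hi = limits.get(name, (None, None))
            writes.append({
                "param": name, "requested": requested, "old": None, "new": None,
                # None means no `$par get` reply was seen, so the range is unknown.
                "in_range": None if lo is None else lo <= requested <= hi,
            })
        elif m := ZPA_RE.match(line):
            # Assumption: "A" carries the previous value and "N" the new one.
            key = "old" if m.group(1) == "A" else "new"
            for rec in reversed(writes):
                if rec["param"] == m.group(2):
                    rec[key] = float(m.group(3))
                    break
        elif m := GET_RE.match(line):
            limits[m.group(1)] = (float(m.group(3)), float(m.group(4)))
    return writes

if __name__ == "__main__":
    for rec in audit_writes(CAPTURE):
        print(rec)
```
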

CrNMGuy commented 10 months ago

Here is the complete welcome conversation. The difficulty should be with the token calculation.

    $login token\r\n
      $B9A8DXXX\r\n

    $login key 1360131XXXXXXXXXXXXXXXX6ECD\r\n
      zclient login (182)\r\n
      $ack\r\n

    $apiversion\r\n
      $1.0.0\r\n

    $setkomm\r\n
      $2109716 ack\r\n

    $asnr get\r\n
      $Unknown Command\r\n

    $igw set 0022771\r\n
      $ack\r\n

    $daq stop\r\n
    $logging disable\r\n
      $daq stopped\r\n
      $logging disabled\r\n

    $daq desc\r\n
      $<<<DAQPRJ><ANALOG><CHANNEL id='0' name='ZK' unit=''/><CHANNEL id='1' name='O2' unit='%'/><CHANNEL id='2' name='O2soll' unit='%'/><CHANNEL id='3' name='TK' unit='°C'/><CHANNEL id='4' name='TKsoll' unit='°C'/><CHANNEL 
      [...]

    $daq start\r\n
    $logging enable\r\n
      $daq started\r\n
      $logging enabled\r\n

    $bootversion\r\n
      $V2.18\r\n

    $info\r\n
      $KT: 'Nano.2(.3) 12'\r\n
      $SWV: 'V14.0m4'\r\n
      $FWV I/O: 'V1.2.0'\r\n
      $SN I/O: '2000000'\r\n
      $SN BCE: '1900000'\r\n

    $uptime\r\n
      $179954\r\n

    $erract\r\n
      $no errors\r\n

hlehoux2021 commented 9 months ago

You cannot do it this way, because you cannot mimic the login token / login key handshake. The Nano PK will not recognize you as a valid IGW.

hlehoux2021 commented 9 months ago

They also initiate the conversation on UDP port 35601:

    ==> HargaWebApp v6.4.1 SN:0039808
    ==> get services
    <== HSV/CL 9-60KW V14.0n3HSV1P par.cgi daqdesc.cgi daqdata.cgi token.cgi events/quit.cgi events/clear.cgi events/list.cgi trykey.cgi 4FBBB70C

KiLMaN commented 9 months ago

Did someone manage one day to extract or get the firmware? I could try to reverse how the token calculation is done from it. And also, could you try via Telnet to send the token request multiple times? If the response is static, it would be way easier. I should ask my vendor to come update my unit and I could have this new feature to try ;)

hlehoux2021 commented 9 months ago

I in no way intend to do something like that: this would infringe the intellectual property of Hargassner and expose you to a lawsuit. See https://news.ycombinator.com/item?id=37874220 for an example in the automotive industry.

Anyway, the response is not static, so it's not trivial.

I have a working script that sits in between the IGW and the boiler; when I have enough time I will expose the boiler through MQTT using the ha-discovery protocol.