Tranewreck is a collection of ruby scripts meant to connect with and exploit vulnerable thermostats running ComfortLink II based firmware, specifically the Trane ComfortLink II XL850. Use these tools only on devices you own or have consent to test.
There are three tools included in this repository:
These tools are witten in Ruby and you should have a recent version od Ruby installed. If you do not you must install ruby on your system. The package comes with a gem file. To ensure you have everything you need in addition to ruby run:
$ cd Tranewreck/
$ bundle installtranewreck.rb is intended to obtain available information from vulnerable thermostats. It uses default credentials and exploits the plain-text protocol controlling the device. After authenticating with the device commands are issued to obtain the following information:
Usage:
Usage: tranewreck.rb -t [TARGET] [options]
options
-h, --help help
-t, --target IP where?
-s, --stay fire subscribe and stay connectedDerailer is meant to change heating and cooling points as well as establish and delete trusted server connections. Here be dragons. Using this script my permanently update the settings of the targeted thermostat.
Useage:
Usage: derailer.rb -t [TARGET] [OPTIONS]
Options
-h, --help help
-t, --target=n where?
-H, --set_heat=n set heat int
-C, --set_cold=n set cold int
-d, --derail=n makes new trusted connection to host:port
-r, --rerail=n remove a given server from trusted connections.tranewreck_single.rb allows for a basic subscribe command which will dump all evData to the socket connection. The sec_probe can also be easily altered to acheive other commands.
These tools are a work in progress.