Improve support for Aqara / Xiaomi Curtain Drivers

[kiler129]

I had some time to sniff the traffic between https://www.zigbee2mqtt.io/devices/ZNCLBL01LM.html and M2 hub. There's a lot of things missing from the current integration so I tried to cover all. However, I don't even know where to begin modifying the current converter set, as the Dev Console in Z2M doesn't even allow me to send arbitrary Write Attributes. So I decided to dump my materials here and maybe we can work something out together. I was inspired to do this work after seeing https://github.com/Koenkk/zigbee2mqtt/issues/12639 and @keith-kl asking for captures ;)

All payloads: new pairing after hub reset.zip Keys for all payloads:

• 5a6967426565416c6c69616e63653039
• 78b478d6819198a527703a68ee94c29c

Actions which seem to be covered already

• Pause current movement
  • 3. pause button few times.pcapng
  • 8. open and click pause after few seconds.pcapng
• Open curtains
  • 4. open single time with auto stop due to overload at the end.pcapng
  • This one is special as device seems to report overload by beeping and presumably it's one of the last messages in Zigbee too
• Identify device: 9. identify twice.pcapng

Actions which are implemented incorrectly

• Inverted mode
  • it seems like inverted mode doesn't properly work in the current converter, as after calibration the 0-100% values are inverted correctly but the OPEN/CLOSE status is not
  • this normally is a part of manual calibration (see "calibration data" in the section below)

Actions which are NOT implemented

• Change "Pull to open/close" mode
  • Enable: 10. enable pull to close or open.pcapng
  • Disable: 11. disable pull top open or close.pcapng
  • Enable again: 12. reenable pull to open or close.pcapng
• Mounting/dismounting
  • The app allows removal and installation on the rail (e.g. for battery charging)
  • 19. release from rail.pcapng
  • 20. lock onto rail.pcapng
• Ambient light linkage
  • This one I'm not sure as to how is handled. Logically it should be reporting light levels.
  • In the Aqara app the UI looks like this:
  • I made some observations regarding this
    • The UI does NOT send any Zigbee data when things are changed. Changes are made only when "Save" button is pressed on the screen above.
    • Changing "Valid Period" settings doesn't alter device configuration (so it's probably "cloud-smart")
    • The "Valid Period" screen has a separate "Save" button which does nothing in terms of Zigbee comm :)
  • Relevant captures
    • 13. enabled ambient light linkage with default setting of curtain state off and every day 10am to 4pm.pcapng
    • 14. disable ambient light linkage with default settings as in 13.pcapng
    • 15. enable ambient with position at 69 percent.pcapng
    • 16. enable ambient with 69 percent and 11am-4pm period.pcapng
    • 17. enable ambient with 69 percent and 12-4p period.pcapng
    • 21. shine light for 340s and remove light after that till the end.pcapng <= this may contain light sensor value
• Calibration data
  • This seems to a rather complex but very important part
  • When calibration was already performed it is indicated in one of the attributes as the app displays a warning about that: 18. try auto calibration 3x without starting it (it shows a warning at this stage).pcapng
  • Calibration data can be erased with as single command: 23. clear calibration.pcapng
  • The app offers manual and "intelligent" calibration
    • The automatic one was recorded in dumps 24 & 25
    • I have a (untested) suspicion that the automatic one is no different than manual except that it automatically presses buttons :D
    • I recorded the flow of the manual one trying to sync the video (RPReplay_Final1668319415.MP4) and PCAP (22. see video recorded at 2359 on noveber 12.pcapng) while also making long pauses between commands

Appendix: sniffing Aqara hub

Normally Aqara M2 has additional security (?) built-in which prevents sniffing. Transport Key is never exchanged during pairing, so it's most likely static for every new product or possibly product+firmware combo. However, there's a way to go around that since Aqara devices work without the hub + hub supports legacy devices.

To get the keys you need some active non-Aqara device like a switch, I used an Ikea rotary knob:

1. Start "add new device" flow on the hub, which counts from 60s to 0
2. Put a non-aquara dummy device (e.g. IKEA switch) in a pairing mode next to the hub quickly
3. wait a few seconds
4. Put Aqara device you want to sniff (e.g. curtain driver) in pairing mode
5. Viola, the device pairs. If it doesn't or it times out observe Wireshark if the key is exchanged in 2.; sometimes 4. fails too for no reason.
6. Wireshark shows that the hub reuses the Transport Key which was requested by the IKEA switch to pair the curtain driver and that key allows for decryption of the Device Announcement which has the key to decrypt hub<>curtain driver communication
7. Profit 😄

[keith-kl]

Hi,

Sorry that I'm not familar with reading the message from the network packages, that might need others help. However, what I did was following the guide in https://www.zigbee2mqtt.io/advanced/support-new-devices/01_support_new_devices.html#_3-adding-converter-s-for-your-device, enable the debug log and check the difference in the json messages. (as in my PR https://github.com/Koenkk/zigbee-herdsman-converters/pull/4307

Have you enabled the debug log in Z2M? it may be helpful to compare the messages.

A great way to begin is the mounting / dismounting function as I remember it should be quite straight forward. I didn't implement it because I wanted to make my curtain motor works ASAP at that time. :)

[kiler129]

Sorry that I'm not familar with reading the message from the network packages, that might need others help.

In essence, these are dumps which can be opened in Wireshark. They list all packets in both directions between the device and the hub.

However, what I did was following the guide in https://www.zigbee2mqtt.io/advanced/support-new-devices/01_support_new_devices.html#_3-adding-converter-s-for-your-device, enable the debug log and check the difference in the json messages. (as in my PR https://github.com/Koenkk/zigbee-herdsman-converters/pull/4307

I saw that instruction. However, my main problem is how to SEND packets and not just passively observe. The Dev Console tab doesn't seem to allow that and still tries to validate against a list of allowed ones per device.

A great way to begin is the mounting / dismounting function as I remember it should be quite straight forward. I didn't implement it because I wanted to make my curtain motor works ASAP at that time. :)

This is exactly where I started: it's literally just one Write Attribute.

[mandrean]

Thanks for the wireshark captures @kiler129

I used them to add some new features:

• Calibrating limits (start, end, reset)
• Opening/closing hooks
• Enabling/disabling "pull to open/close"

See: https://github.com/Koenkk/zigbee-herdsman-converters/pull/5104

[keith-kl]

Thank you @kiler129 and @mandrean. Sorry that I'm stuck with my work recently and so I can no longer help to contribute to the enhancements for the time being. I hope when I get more time I can improve it!

[kiler129]

Thanks for the wireshark captures @kiler129

I used them to add some new features:

• Calibrating limits (start, end, reset)
• Opening/closing hooks
• Enabling/disabling "pull to open/close"

See: #5104

Thank you! Let me know if you need any more recordings. There are still some unimplemented functions and I didn't have time to dig into how converters are written ;)

[mandrean]

@kiler129: There are still some unimplemented functions

Could you list the missing features you know of?

I guess there's some auto-calibration and ambience light-level stuff still missing?

[buhito81]

I guess "ambience light-level stuff" would be missing, indeed

[github-actions[bot]]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days

[buhito81]

-unstale

[github-actions[bot]]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days

[buhito81]

-unstale

[github-actions[bot]]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days

[greenfrogs]

@kiler129 and @mandrean, I am looking to try and add the slow opening/closing of the Aqara E1 Curtain driver to Zigbee Herdsman. Was wondering if you might have had any recent success with sniffing for any packets related to that?

I have tested with: https://github.com/Koenkk/zigbee-herdsman-converters/pull/7109 but it appears to be different.