Open kdschlosser opened 5 years ago
@cowwoc Specs still seem to be available here, download quickly before gone.
https://drive.google.com/drive/folders/0BykrlXHrfSg0Z3AyTjRhWUJVM00
They are 'open' in this version but this is a funny industry.
I'm currently researching what brand of HVAC system would be best to install that would enable local monitoring and control, and it sounds like they're all basically ClimateTalk-ish at heart. How far is this project from being capable of at least monitoring status information from a real system? Are there any particular brands that are closer to being supported than others?
@cowwoc Specs still seem to be available here, download quickly before gone.
https://drive.google.com/drive/folders/0BykrlXHrfSg0Z3AyTjRhWUJVM00
They are 'open' in this version but this is a funny industry.
Did you ever end up getting a communicating thermostat to test controlling the thermostat locally with?
I'm moving into a house with a Rheem Econet thermostat and econet electric hot water heater and it would be great to control both locally.
@cowwoc Specs still seem to be available here, download quickly before gone. https://drive.google.com/drive/folders/0BykrlXHrfSg0Z3AyTjRhWUJVM00 They are 'open' in this version but this is a funny industry.
Did you ever end up getting a communicating thermostat to test controlling the thermostat locally with?
Yes, I have a communicating thermostat and I am able to read its state but I need got around to controlling it remotely. Work got in the way.
I'm moving into a house with a Rheem Econet thermostat and econet electric hot water heater and it would be great to control both locally.
I plan to do the same, one day... :)
PS: Rheem's Econet water heater software is garbage, in the sense that any bugs you report never get fixed. I doubt they even reach the developers. The most annoying bug they've got is the scheduler stops working 3-4 times a year. It seems to be a timezone-related problem. The water heater seems to be interpreting the time in terms of UTC instead of the timezone you selected.
One of the benefits of writing our own software would be to fix all these stupid bugs.
@cowwoc Specs still seem to be available here, download quickly before gone. https://drive.google.com/drive/folders/0BykrlXHrfSg0Z3AyTjRhWUJVM00 They are 'open' in this version but this is a funny industry.
Did you ever end up getting a communicating thermostat to test controlling the thermostat locally with?
Yes, I have a communicating thermostat and I am able to read its state but I need got around to controlling it remotely. Work got in the way.
I'm moving into a house with a Rheem Econet thermostat and econet electric hot water heater and it would be great to control both locally.
I plan to do the same, one day... :)
PS: Rheem's Econet water heater software is garbage, in the sense that any bugs you report never get fixed. I doubt they even reach the developers. The most annoying bug they've got is the scheduler stops working 3-4 times a year. It seems to be a timezone-related problem. The water heater seems to be interpreting the time in terms of UTC instead of the timezone you selected.
One of the benefits of writing our own software would be to fix all these stupid bugs.
Do you also have a Rheem econet thermostat? If yes can you share how you're reading it?
Yes, I have a communicating thermostat and I am able to read its state but I need got around to controlling it remotely. Work got in the way.
Do you mind sharing how you're able to read it state or if you had the chance to control it yet?
Do you mind sharing how you're able to read it state or if you had the chance to control it yet?
I didn't try interacting with the Rheem water heater. I was referring to my HVAC thermostat. You can read more about that here: https://community.home-assistant.io/t/new-daikinone-thermostat-integration/131647/1
DaikinOne is NOT Rheem Econet and it will not talk to a Rheem furnace that has EcoNet It will not even talk to a Rheem firnace that uses Climatetalk. Daikin has butchered up the protocol and is now their own version of it. It no longer conform to the climatetalk API. There are going to be things that do follow the original API but there is going to be a heap load of things that does not.
DaikinOne is NOT Rheem Econet and it will not talk to a Rheem furnace that has EcoNet It will not even talk to a Rheem firnace that uses Climatetalk. Daikin has butchered up the protocol and is now their own version of it. It no longer conform to the climatetalk API. There are going to be things that do follow the original API but there is going to be a heap load of things that does not.
Glad to finally get a response from you I have been hoping you were still around as I saw this went dead years ago.
Do you have the micropython esp32 script still for this https://github.com/kdschlosser/ClimateTalk
Is it functional that I could use that as a starting point to attempt to reverse engineer econet? How would I do that using your code? Is there a way to observe what's happening?
IDK what I did with the ESP script but it would not be too hard to write it again. It is actually a pretty simple script. You would need an ESP32 and an RS485 transceiver. The transceivers take care of the hardware level protocol and from there it is simply watching the bits that are being sent.
I didn't go further with it because I didn't want to shell out the 600+ bucks for a POS thermostat that would work with my furnaces. after months of looking for one used and not locating one I kind of gave up on it. I had also spoken with one of the original authors of the ClimateTalk specification and what he had told me is that the companies that have used it and the ones that still do use it have perverted the API so much that an application would have to be coded for specific devices.
IDK what I did with the ESP script but it would not be too hard to write it again. It is actually a pretty simple script. You would need an ESP32 and an RS485 transceiver. The transceivers take care of the hardware level protocol and from there it is simply watching the bits that are being sent.
I didn't go further with it because I didn't want to shell out the 600+ bucks for a POS thermostat that would work with my furnaces. after months of looking for one used and not locating one I kind of gave up on it. I had also spoken with one of the original authors of the ClimateTalk specification and what he had told me is that the companies that have used it and the ones that still do use it have perverted the API so much that an application would have to be coded for specific devices.
I'm wondering if it's time better spent to hack the wifi module and replicate what it sends to the cloud/receives from the cloud in an attempt to replicate that with a local server. My system has a dedicated wifi module on the bus with the hot water heater, HVAC and thermostat.
no need to reinvent the wheel.
no need to reinvent the wheel.
I'm trying to avoid relying on the cloud. This is useful for understanding what's sent to the server but not what the wifi module receives and sends?
the issue is with furnaces not having access to the lower API levels means the operation of the unit remains within the boundaries of the web API. I can tell you that the web API sucks with econet. I am sure you already know this tho.
Here is an example for you. I have 3 furnaces in my house. each of the is 60,000 BTU they all have modulating gas valves and variable speed brushless DC blower motors. What this means is the furnaces support having the heat output adjusted. anywhere from 20% output to 100%. Communicating thermostats are complete garbage because they do not give you access to be able to adjust the output beyond one of the 4 "stages" that are hard coded into the thermostats.
My furnaces operate in the exact same manner they would if spent 600 bucks a pop on 3 thermostats. they would work no differently than the conventional thermostats I have now. When the thermostat calls for heat the furnace turns on it slowly ramps up to 100% output over a couple of minutes.
A good runtime for a furnace is 8 to 10 minutes and the norm is 3-4 times per hour So that means the furnace is running for about 30 minutes each hour. This is the part that is going to twist your whiskers. My furnaces are 98.7% efficient. so lets call them 100% to make the numbers easier. so a single furnace outputs 60,000 BTU. That measurement is a per hour measurement. so if the furnace is running for 30 minutes out of an hour that means I have consumed 30,000 BTU.
Now if you use natural gas to heat your home you more then likely pay by the therm. My gas bill has gone up 283% since this same time last year. So I am paying a colossal $0.73 per therm. That may not sound like a lot of money but it adds up pretty fast. 30,000 BTU is equal to 0.30 therm. so it costs me 25 cents for each half hour each of the furnaces run.
If I could turn the furnaces on at 20% and leave them there and they never shut off for the entire winter guess what? I am saving money. Not only am I saving money the house is going to be a lot more comfortable because I am not going to have the typical 4° bounce in temperature caused by the on/off cycle of a thermostat. It is also going to be a whole lot quieter too. There is one last HUGE benefit to it as well. When do electronics break? when you go to turn them on. so it is a pretty safe making the statement of "if you don't turn it off it's not going to break" I have a 10 year old flat screen TV that has never been shut off since the day I got it.
It is actually easier on the components if it doesn't have to power cycle and the furnaces will last a lot longer and have less repairs needing to be done.
This is how it has been done since the 1970's in large commercial buildings.
the issue is with furnaces not having access to the lower API levels means the operation of the unit remains within the boundaries of the web API. I can tell you that the web API sucks with econet. I am sure you already know this tho.
Here is an example for you. I have 3 furnaces in my house. each of the is 60,000 BTU they all have modulating gas valves and variable speed brushless DC blower motors. What this means is the furnaces support having the heat output adjusted. anywhere from 20% output to 100%. Communicating thermostats are complete garbage because they do not give you access to be able to adjust the output beyond one of the 4 "stages" that are hard coded into the thermostats.
My furnaces operate in the exact same manner they would if spent 600 bucks a pop on 3 thermostats. they would work no differently than the conventional thermostats I have now. When the thermostat calls for heat the furnace turns on it slowly ramps up to 100% output over a couple of minutes.
A good runtime for a furnace is 8 to 10 minutes and the norm is 3-4 times per hour So that means the furnace is running for about 30 minutes each hour. This is the part that is going to twist your whiskers. My furnaces are 98.7% efficient. so lets call them 100% to make the numbers easier. so a single furnace outputs 60,000 BTU. That measurement is a per hour measurement. so if the furnace is running for 30 minutes out of an hour that means I have consumed 30,000 BTU.
Now if you use natural gas to heat your home you more then likely pay by the therm. My gas bill has gone up 283% since this same time last year. So I am paying a colossal $0.73 per therm. That may not sound like a lot of money but it adds up pretty fast. 30,000 BTU is equal to 0.30 therm. so it costs me 25 cents for each half hour each of the furnaces run.
If I could turn the furnaces on at 20% and leave them there and they never shut off for the entire winter guess what? I am saving money. Not only am I saving money the house is going to be a lot more comfortable because I am not going to have the typical 4° bounce in temperature caused by the on/off cycle of a thermostat. It is also going to be a whole lot quieter too. There is one last HUGE benefit to it as well. When do electronics break? when you go to turn them on. so it is a pretty safe making the statement of "if you don't turn it off it's not going to break" I have a 10 year old flat screen TV that has never been shut off since the day I got it.
It is actually easier on the components if it doesn't have to power cycle and the furnaces will last a lot longer and have less repairs needing to be done.
This is how it has been done since the 1970's in large commercial buildings.
I have an electric inverter heat pump. I know it would be great to have more control than what the web API allows but because it seems as if it may be very difficult to get the local rs485 API going I am wondering if it's easier to at least have a local web API and at least have the ability to locally know if it's on/off and set temperatures. It would be better than nothing.
I ended up going toe to toe with my gas company over a 400 dollar per furnace rebate that they said I do not qualify for because I do not have communicating thermostats. The only benefit the communicating thermostats give you is diagnostics on the screen of the thermostat. Funny thing is my furnaces have a digital readout on the boards of them which displays the same information that would be seen on the thermostat. The reason why they were trying to get out of paying it is because they made a boo boo in the rebate. They never defined the number of furnaces that could be claimed on a single rebate. they only stated one rebate per house. I pushed back at every reason they could come up with to try and deny me the rebate and in the end I said you can either give me the 1200 bucks now or you can hand it to my attorney along with the 500 per hour fee he is going to charge you when I win the case.
I ended up going toe to toe with my gas company over a 400 dollar per furnace rebate that they said I do not qualify for because I do not have communicating thermostats. The only benefit the communicating thermostats give you is diagnostics on the screen of the thermostat. Funny thing is my furnaces have a digital readout on the boards of them which displays the same information that would be seen on the thermostat. The reason why they were trying to get out of paying it is because they made a boo boo in the rebate. They never defined the number of furnaces that could be claimed on a single rebate. they only stated one rebate per house. I pushed back at every reason they could come up with to try and deny me the rebate and in the end I said you can either give me the 1200 bucks now or you can hand it to my attorney along with the 500 per hour fee he is going to charge you when I win the case.
Wow at least you avoided a protected legal battle.
In regards to the wifi Module any ideas on where to start? To see if a local web server can be setup to replicate the cloud server?
I hate cloud APIs. If the company decides to no longer support your device you are shit out of luck. Samsung did this to me with a washing machine and a dryer. 2 years after I bought it. It's encrypted communications and they didn't even unlock the damned things and release the API for them so that the functionality could still be used if someone wanted to write the program to do it,.
Ohhh it pissed me off something bad. I had a Vera ZWave controller that I was not able to access the admin section of it if the internet wasn't working. It actually would not boot fully if there was no internet. Needless to say my home automation works without needing the internet.
The only way you are going to be able to do anything with the WiFi piece is you are going to have to set up a MITM (Man In The Middle) sniffing scenario.
How you go about doing that is you would use a computer that has a WiFi card in it and you set that card to act as an access point. Have the EcoNet WiFi connect to that. You will need a second network interface that you connect to the internet. You then set up routing on the computer so it will pass information back and forth properly. Then you can use wireshark to sniff the data that is being passed.
Writing a program in respond to the EcoNet WiFi is easy to do once you know the requests and responses. If you do that you would be be able to completely remove the need to have it connected to the internet. This would be done by setting up a dns server on your network and when the WiFi from the EcoNet goes to connect your DNS server will hand it the IP address if one of your local computers where you would have the program running to handle the requests from the WiFi EcoNet.
I hate cloud APIs. If the company decides to no longer support your device you are shit out of luck. Samsung did this to me with a washing machine and a dryer. 2 years after I bought it. It's encrypted communications and they didn't even unlock the damned things and release the API for them so that the functionality could still be used if someone wanted to write the program to do it,.
Ohhh it pissed me off something bad. I had a Vera ZWave controller that I was not able to access the admin section of it if the internet wasn't working. It actually would not boot fully if there was no internet. Needless to say my home automation works without needing the internet.
The only way you are going to be able to do anything with the WiFi piece is you are going to have to set up a MITM (Man In The Middle) sniffing scenario.
How you go about doing that is you would use a computer that has a WiFi card in it and you set that card to act as an access point. Have the EcoNet WiFi connect to that. You will need a second network interface that you connect to the internet. You then set up routing on the computer so it will pass information back and forth properly. Then you can use wireshark to sniff the data that is being passed.
Writing a program in respond to the EcoNet WiFi is easy to do once you know the requests and responses. If you do that you would be be able to completely remove the need to have it connected to the internet. This would be done by setting up a dns server on your network and when the WiFi from the EcoNet goes to connect your DNS server will hand it the IP address if one of your local computers where you would have the program running to handle the requests from the WiFi EcoNet.
Yep I use home assistant for fully local automation. Sounds like a job for a raspberry pi. To setup an access point and then point econet to it and run Wireshark. Although I wonder if I could just do a dns rewrite from the beginning? And not need to setup an access point. Only set up Wireshark? Or some other software that allows inspecting the packet and sending the packet.
How you go about doing that is you would use a computer that has a WiFi card in it and you set that card to act as an access point. Have the EcoNet WiFi connect to that. You will need a second network interface that you connect to the internet. You then set up routing on the computer so it will pass information back and forth properly. Then you can use wireshark to sniff the data that is being passed.
I'm pretty sure this would not work. All recent firmware versions (of my HVAC thermostat at least) use HTTPS to communicate with their server. I'd be surprised if Rheem EcoNet does not do the same.
The only thing you can sniff for HTTPS requests is the destination hostname. You can't even examine the URL path, not to mention the headers or payload. Unless you find a way to break their HTTPS certificate (highly unlikely) then you can't do anything meaningful.
How you go about doing that is you would use a computer that has a WiFi card in it and you set that card to act as an access point. Have the EcoNet WiFi connect to that. You will need a second network interface that you connect to the internet. You then set up routing on the computer so it will pass information back and forth properly. Then you can use wireshark to sniff the data that is being passed.
I'm pretty sure this would not work. All recent firmware versions (of my HVAC thermostat at least) use HTTPS to communicate with their server. I'd be surprised if Rheem EcoNet does not do the same.
The only thing you can sniff for HTTPS requests is the destination hostname. You can't even examine the URL path, not to mention the headers or payload. Unless you find a way to break their HTTPS certificate (highly unlikely) then you can't do anything meaningful.
Could this be useful?
Could this be useful?
I don't think so, but I suggest asking the authors just to be sure.
The way I see it, their HTTP client is probably behaving like a browser. It wants to hit company-server.com so it asks the DNS for the associated IP address. It connects to the website and asks for their SSL certificate. It then asks a trusted Certificate Authority whether the SSL certificate is valid for that website.
I'm not a security expert so take what I'm about to say with a large grain of salt: I think the only way you could become a MITM is to trick their client into talking to a fake Certificate Authority that will confirm your fake SSL certificate is valid. But you cannot spoof the Certificate Authority because: https://security.stackexchange.com/a/215705/5002
In my experience, asking on https://security.stackexchange.com/ is the best way to answer this question. These guys know security exploits inside-out. Though, I'm not sure they will help you break an SSL client :) They mostly help people prevent their system from being broken, not the other way around.
Let us know if you find anything.
Could this be useful? https://hackmd.io/@rogerlin/S1UeTQocO
I don't think so, but I suggest asking the authors just to be sure.
The way I see it, their HTTP client is probably behaving like a browser. It wants to hit company-server.com so it asks the DNS for the associated IP address. It connects to the website and asks for their SSL certificate. It then asks a trusted Certificate Authority whether the SSL certificate is valid for that website.
I'm not a security expert so take what I'm about to say with a large grain of salt: I think the only way you could become a MITM is to trick their client into talking to a fake Certificate Authority that will confirm your fake SSL certificate is valid. But you cannot spoof the Certificate Authority because: https://security.stackexchange.com/a/215705/5002
In my experience, asking on https://security.stackexchange.com/ is the best way to answer this question. These guys know security exploits inside-out. Though, I'm not sure they will help you break an SSL client :) They mostly help people prevent their system from being broken, not the other way around.
Let us know if you find anything.
Yep I'll start digging and post here what I find.
Hmm, this might be of interest: https://www.grc.com/fingerprints.htm section "How is this elegant system subverted?"
The approach doesn't make sense to me (why would the client trust an unknown CA?) but maybe there is something there.
Hmm, this might be of interest: https://www.grc.com/fingerprints.htm section "How is this elegant system subverted?"
The approach doesn't make sense to me (why would the client trust an unknown CA?) but maybe there is something there.
I read someone did something similar for a dog feeder and it did trust self signed certs.
It all depends on how Rheem has set up the data transfer. It may or may not be HTTPS. it could be using Websockets. another thing you have to remember is what the WiFi part is. it is going to be designed as cheap as possible, it's not going to be able to do any heavy lifting in terms of processing power so the encryption is not going to be super strong. Chances are it's using a public key private key encryption method using certificates.
Chances are they are not doing a client validation using the certificates because after all this would got money to do. in increases server load and would cause them to have to shell out more money for more servers which I can tell you from experience, most companies wallets pucker up tighter than a frogs asshole when it comes to buying more IT related gear. especially when it's not going to make them a single dime. All they care about is the data being encrypted in which case the public key from the certificate is what is needed to encrypt the data being sent to the device. so a self signed certificate in this case would do the trick.
I got a suggestion from the maker of pyeconet to simply do the following. I will attempt that.
In theory it should work because it does use mqtt to communicate to the cloud. The question is will it accept a self signed certificate on the local broker I set up.
First thing I’d try to figure out is what URL it’s trying to hit to connect. That shouldn’t be to difficult if you have your own DNS like pinhole running
Then maybe try to update your DNS to redirect that URL to your MQTT server and see if it connects? Might have to get Wireshark running to see what port it’s trying to connect on.
I wouldn’t be surprised if they are using certificates on the clients/broker though.
That is basically what I have said to do. using the DNS as a redirect can work if they are not using a hard coded IP address. that is where you can run into issues using a DNS redirect. You also need to know the port it is attempting to connect on. This is where all the MITM stuff makes it a whole lot easier to do because you do not have to worry about trying to set up some kind of forwarder.
Most laptops come with WiFi and also Ethernet so it's nothing that is abnormal to have. Plug the Ethernet into your router and set the WiFi card up as an access point. in Windows it only takes a couple of clicks of the mouse to set up routing between the 2 network interfaces and then you can run wireshark and you will be able to see the information being sent and also received,
The certificates will be sent as plain text so they are going to be easy to capture. Chances are the EcoNet device is not going to validate the certificate. What I mean by that is it isn't going to check to make sure that the server it is connecting to is the actual server it is supposed to connect to. However on the server side of things it is probably going to check the certificate received from the EcoNet device. This would be the mechanism they use that dictates support for devices. so if a specific model is EOL and is no longer supported they will remove it from being a valid certificate on the server.
The hard part is you are not going to know what the private keys are so you will not be able to decode the data transfer once it becomes encrypted. If the EcoNet device doesn't care about the certificate it receives that will be fine because you will be able to decode messages you receive from the device and you will be able to encrypt message to the device. The problem is you are not going to know what is being sent to the device because you are not going to have the private key from the device to be able to decode the messages.
also is it known that MQTT is what is being used as a protocol? If it is known then who is the person that has reverse engineered it? That would be the person to speak to.
OK so the mini split thing is a kind of good idea.. I bought 4 Rheem 96%EF modulating furnaces with EC blowers (DC Variable speed) 60K BTU output each furnace. and a 20 seer Rheem 2 Ton modulating Condenser (variable from 20% output to 100% in 1% steps) and a set of High Efficiency coils with housing included for 4000.00 USD delivered. the AC was 1000 and the coils were 200 600 for each furnace.. so at 1200 that's pretty darn cheap for a 20 seer AC. the mini split probably cost ya a little bit more then that.
I wanted to throw something at ya that I built. I used a simple Arduino Uno and 6 thermisters and an ethernet shield for the Arduino I used 2 thermisters for each of my 3 furnaces. I put one into the intake plenum before the filter. and the second went in the output plenum about 12" from the exchanger but out of direct view of it. wired them up to the Arduino. I collect input and output temperature readings. get the difference between the 2 (delta-t rise). If you look on the label inside the door on your furnace it will tell you what the max delta-t rise is for the furnace. I plug this number into the program.. and presto I now have notifications of when my filters need to be changed. This is a real world thing and not based on a length of time. It all depends on how much dust and dirt if floating around in the house.. so say if I am doing some construction work I would have to change my filter more often. This tells me exactly when it needs to be replaced.
I have mine set up to send me an sms text message to my phone to change the filter.
The reason why this works is because when the filter gets clogged up the air moving through it slows down. and this slow moving air takes longer to cross the heat exchanger providing more time for the air to collect heat. if that temperature gets to high the furnace will short cycle.
One of the things I want to be able to do when i finally get around to going full tilt into writing the software to interface with ClimateTalk is I am going to add an outdoor air temp sensor. I am then going to code in a learning routine so it will know how long the temperature is going to take to drop in my house. I want to design the thing so the furnaces never turn off. I want them to stay running all of the time.
you may think that is bonkers.. So take this math.
a good furnace cycling time is 4-5 times an hour and it should run for 7-10 minutes each time. so call it 4 times an hour at 8 minutes runtime.
some rounding and that's 30 minutes out of every single hour the furnace is going to run for, 100K btu furnace. this is going to consume 50K btu's of heat energy per hour. so if i run a furnace at 50% for the whole hour there is no additional cost.
benefits are 1/2 as loud. no fluctuation in the temperature in the house less wear and tear on the furnace.
It's funny how the math actually works. because when a conventional furnace turns on it is running at 100%. it has to heat the house by usually 4 degrees. when you set the thermostat to a temperature it will not turn a furnace on until it is 1 - 2 degrees below that set temperature. there is also a "warmup time" for the furnace.. so lets make the number an event 2.. well the same thing applies when it turns off. it somewhere between 1 and 2 degrees above the set temperature..
If the furnace is running all of the time you are not making 4 degree swings in the temperature. so if the furnace is running all of the time you would need to set it to output a lot less then 50%. this is where that outside temperature helps in the calculations. that outside temp is what is going to dictate the btu output. You can do it without also by sampling the temperature in the house measuring the time it takes for the temperature to change and make adjustments according to that. I would use a combination of both.
also EC motors become more efficient the slower the speed they are at.. so you have electricity savings as well..
I had to install 3 furnaces because they do not make a high efficiency furnace that outputs over 120K BTUs unless you go commercial. plus my house is 3 stories tall and i got tired of having 3 different climates in my house. the original furnace was to small for the home and the ductwork was completely wrong. They had a single return for the furnace and 7 registers 4 of the 7 registers were 3" ducts and the rest was 6". my house is almost 3000 sqft poor insulation (r7 walls, r19 roof no attic). now I have 24 registers 19 of them have 6" ducts. and the rest are 4" they are all insulated rigid ducts. I also have 9 returns one in each bedroom and the rest scattered about the house. my gas consumption dropped by 50% from the old furnace which was a 120K btu. where as I am at 180K now. now my furnaces actually turn off when it's -20F (-29C) outside.