Feature request: Support classic fw

[FliegenKLATSCH]

A write command on the ble "wire" to turn the device on looks like:

0200 43A2 9600 0203 0254 FF

The first 6 bytes contain the magic (the first bits seem to be constant 02 and the last 00) so 4 magic/unknown bytes. Byte 7 starts with a counter, then probably opcode (or unit id) and length followed by the arguments, 54 FF which are the brightness and the temperature.

Other examples:

02D4 1712 FF00 0303 0200 FF # off, same connection as above

02BC 2754 2E00 0203 0254 FF #on (brigtness = 54), another connection
02B6 4C70 6C00 0303 0200 FF #off

The first message from the luminaire looks like this:

25AA 335E 507E AD73 03A2 4D05 00

or

5E62 CE74 5AFC 8793 03A2 4D05 00

8 unknown bytes followed by the state of the luminaire, I would guess. Any ideas on how to continue, figure out how to compute the magic?

[lkempf]

Did you already look at https://github.com/lkempf/casambi-bt-hass/issues/6#issuecomment-1368019222? That's my current state but I'm too busy to continue this until probably august due to my master thesis.

But that seems to confirm that there is no encryption (but still some kind of signature I think) which would make analysis a lot easier.

Edit: If you want to continue this I can try to give you some prompts but be warned that it is a lot of work. It would be easiest to contact me via email in that case.

[FliegenKLATSCH]

No, I did not :) Email is out.

[FliegenKLATSCH]

0200 43A2 9600 0203 0254 FF

• First byte is the auth level (02 for visitor)
• The following 4 bytes are the first 4 bytes of the cmac with the network visitor key based on the connection hash + payload including the counter (<8 bytes connection hash> 00 0203 0254 FF)

I am not sure in how far the opcodes match to the evolution firmware, looks different to me..

[sMauldaeschle]

Based on my analysis of the write commands I can conclude: 0215db43c40004040200b3

• First byte is also 02 when using admin credentials
• Following 4 bytes 15db43c4: I have no idea how this is calculated
• Byte 6 00 is always 00
• Byte 7 04 is the counter
• Byte 8 04 is the unit id (no opcode in my eyes)
• Byte 9 02 is the length of parameters
• Byte 10 00 is the dimmer value
• Byte 11 b3 can be the temperature value (e.g. Mito soffito) or the vertical value (e.g. Sento with up/down fading)

@lkempf I sent you some frida and bluetooth hci logs that have been recorded at the same time.

[krangchen]

Highly appreciate your efforts here! I have 40+ classic devices and cannot afford to upgrade. Tried to mitm the API/Gateway but it seems to be blocked when SSL certificate is exchanged so I was fearing some encryption... Would it be another approach to mimic the Casambi Gateway into a (Rest)Api controllable from HA and have the gateway's casambi traffic routed to the API? I'm not a programmer but let me know if I can contribute in any way. I have the gateway running on a rooted S3 with Lineage 14 and tried to use mitm so far...

[ElvezPelvez]

Hi guys! Any progress on this and anyway I could help?