tofurky / kidde_cc1101

Experiments with Kidde / Wink 433MHz wireless protocol
The Unlicense

Wink software #1

Closed funroompc closed 4 years ago

funroompc commented 4 years ago

Hi there,

This is really great work. I’m working on trying to sniff the serial port in the wink hub so that I can send it to home assistant.

Thanks for the great work. Are you planning on continuing this work?

tofurky commented 4 years ago

hi @funroompc,

thanks :)

i wasn't planning on looking into the UART output of the PIC16F883 on the wink hub. my goal was to talk to the kidde smoke alarm independently of the wink hub using a cc1101 module. if you're interested in how all that works, maybe extract https://hub-updates.winkapp.com/wink-hub/4.3.60-0-g4d2358550e-hub-app-aa0cb25f-9230-f596-5ca2-ab36bb4cf91d/app-rootfs.ubi with binwalk and open up /mfgtests/sdk/tools/kiddetest or /usr/sbin/aprond in something like ghidra or ida. or just continue with sniffing the serial port - it's probably a lot simpler than the SPI protocol.

i am working on a much more polished arduino (atmega this time, not stm32) firmware that will listen for packets from a cc1101 module and output json over a serial port (so home assistant can easily parse the output).

i've made a lot of progress over the last few days and might have something up tonight or in the next couple of days.

fyi i got one of these https://www.ebay.com/itm/433Mhz-CC1101-USB-Wireless-RF-Transceiver-Module-10mW-USB-UART-MAX232-RS232/311565600262 but realized the atmega48 on it had re-programming disabled (SPIEN fuse). i desoldered the atmega48pa and put an atmega328p in its place only to realize that the original atmega48 appeared to be bit-banging SPI 😬

anyhow, i added some jumper wires and am making it work: https://imgur.com/a/ixWAovH

but, i think if someone were to want to use the upcoming firmware they would be better off using something like an arduino nano with a separate cc1101 module. or maybe better (but $$) http://wiki.in-circuit.de/index.php5?title=SIGNALduino_Stick

tofurky commented 4 years ago

here's a rough draft of the atmega328p firmware which outputs json: https://github.com/tofurky/kidde_cc1101/blob/atmega328p/arduino/kidde.ino

i'm going to try to hook it into my home assistant installation using the serial integration (https://www.home-assistant.io/integrations/serial/)

btw, it uses "MiniCore" (https://github.com/MCUdude/MiniCore)

funroompc commented 4 years ago

Great work and thanks for the tip! I will look into it and will update you if I’m successful.

Out of curiosity, why build a new system to do what the wink already does? I mean it has 5 radios, 3 of which are already available. Plus it runs Linux and makes a great gateway.

Not trying to put you off what you’re doing, cos I see great value in that for those who don’t own a wink hub.

tofurky commented 4 years ago

i moved away from the wink hub several months ago and have been using an HUSBZB-1 zigbee and zwave stick. i wanted to see if i could get the kidde smoke alarm i'd been using with wink working with home assistant, which motivated me to look into the protocol.

i don't really like the idea of bolting stuff on to the closed-source base of the wink hub (e.g. using aprontest). neither the wink hub 1 nor 2 has enough ram/flash/cpu to run anything like home assistant. i suppose some parts of the zigpy/bellows and openzwave stack could run on the hub and talk to HA over mqtt.

i agree that it is a nice piece of hardware. sadly the more powerful wink hub 2 is quite locked down from what i understand.

funroompc commented 4 years ago

Very interesting. I have some avrs and I guess it will be my backup plan if I am unable to get the wink to work. I’ve been trying to sniff on ttySP3 using socat and I am unable to read anything. I read something when kiddetest runs, but I don’t get anything from the PIC. Not sure what to try next.

Also, how do the DIP switches work? I see in your code you use it as binary. Does 0 correspond to OFF or ON?

Btw, I can’t seem to get my hands on a HUSBZB. They are too expensive.

I’m planning on cutting out aprontest and aprond, but it all depends on if I can get the kidde to work, or else I’ll have to follow your route

tofurky commented 4 years ago

the dip switches are pretty much a 1:1 representation of the address in binary format. it may help to think of it like: 0b11110000. for that value, the left 4 switches would be set to 'on' and the right 4 set to 'off'.

do you not read anything even after pressing 'test' on the detector? iirc kiddetest can set the address that the radio listens on. it has to match what the detector is configured for otherwise it won't send anything to the serial port.

i think kiddetest works like: ./kiddetest -s F0. F0 = 0b11110000. might just try running ./kiddetest -s 00 and set the detector to 0b00000000 (all "off") to confirm things are synchronized. it's been a few years since i tried running kiddetest so i could be off the mark.

also, if you're trying to read the serial port with socat at the same time aprond is running, aprond might gobble up the bytes before socat can see them.
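An added example (not code from either participant or from the kidde_cc1101 repository) for the contention problem described in the comment above: a shell function that lists every process holding a device node open by walking `/proc`, so it needs neither `lsof` nor `fuser`. The `/dev/ttySP3` path in the usage comment is an assumption based on the port name mentioned in this thread.

```shell
#!/bin/sh
# tty_holders DEVICE
# Print "PID NAME" for every process that has DEVICE open.
# Only readlink, cat and sort are needed, which a BusyBox userland provides.
# Run as root: the fd directories of other users' processes are not
# readable otherwise and are silently skipped.
tty_holders() {
    # Resolve symlinks once so the comparison is against the real node.
    target=$(readlink -f "$1") || return 2
    for fd in /proc/[0-9]*/fd/*; do
        # Each fd entry is a symlink to the file the process has open.
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# Usage on the hub (device path is an assumption):
#   tty_holders /dev/ttySP3
# Any line of output means another reader is competing for the bytes.
```

If a daemon such as aprond shows up in the output, a second reader on the same port will only see whatever bytes the daemon did not consume first.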

tofurky commented 4 years ago

btw. to clarify - and i'd just mixed this up myself. there are 2 rows on the dip switches, up labeled A, and down labeled B. A = 0, B = 1.

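An added example (not from the thread's participants or the repository) that converts between DIP switch rows and the hex address passed to `kiddetest -s`, using the mapping given in the two comments above: row A = 0, row B = 1, leftmost switch as the most significant bit. The function names and the 8-character `A`/`B` input format are assumptions made for illustration.

```shell
#!/bin/sh
# dip_to_hex POSITIONS  e.g. BBBBAAAA -> F0
# POSITIONS is 8 letters, left to right as seen on the detector.
dip_to_hex() {
    s=$1
    [ ${#s} -eq 8 ] || { echo "need 8 switch positions" >&2; return 1; }
    val=0
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first character
        c=${s%"$rest"}       # the first character itself
        case $c in
            A|a) bit=0 ;;
            B|b) bit=1 ;;
            *) echo "bad position '$c' (use A or B)" >&2; return 1 ;;
        esac
        val=$(( val * 2 + bit ))
        s=$rest
    done
    printf '%02X\n' "$val"
}

# hex_to_dip ADDRESS  e.g. F0 or 0xF0 -> BBBBAAAA
hex_to_dip() {
    h=${1#0x}
    case $h in
        [0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) echo "need two hex digits" >&2; return 1 ;;
    esac
    val=$(( 0x$h ))
    out=
    mask=128
    while [ "$mask" -gt 0 ]; do
        if [ $(( val & mask )) -ne 0 ]; then out=${out}B; else out=${out}A; fi
        mask=$(( mask / 2 ))
    done
    echo "$out"
}
```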

funroompc commented 4 years ago

Annnnnd apparently so did I!!!

Thanks for the clarification and it turns out that my hex code was wrong.

The pic outputs 0x80 on the serial port when the test button is pressed. I have to simulate a fire alarm now with smoke to verify the output (I’m guessing 82 or 83)

Thanks for your help

funroompc commented 4 years ago

Thank you for this project. I’ll be closely following it