I think I may’ve just had that eureka moment!

As part of the almighty home automation project I have been seeking a mains plug/socket which both meters the power consumption of attached devices AND allows remote switching. I struggled to find anything that fit the bill (and was reasonably priced and/or "open") but ended up taking the plunge and buying a few AlertMe (aka IRIS) Smart Plugs (£25/each).

Knowing that the AlertMe products communicate using Zigbee, if I want them to talk to anything more than themselves I would need to do a little packet sniffing in an attempt to document the packet format.

I first found some software that looked up to the job: Ubiqua by Ubilogix (http://www.ubilogix.com/products/ubiqua; although I’m just using the trial version, I doubt I can afford the hefty $999 license fee!) and then found a compatible USB dongle: the Texas Instruments CC2531EMK Zigbee USB dongle (http://uk.farnell.com/jsp/search/productdetail.jsp?SKU=1855261, £46.68).

A few days later, everything’s delivered and I fire it up (I use a Mac with VirtualBox to run Windows virtual machines; I couldn’t get the driver working in Windows 7, so settled for XP).

There is a ton of traffic and I have very little idea what any of it is!

My next thought was: maybe I can figure out which device is which through the online portal / web interface (maybe the MAC addresses will be listed). They weren’t listed directly, but after clicking on "manage" and viewing the page source they were there for the taking:

Ubiqua uses a short notation but you can easily find it:

So, what next? Well, this is where I got a little stuck and found myself examining random packets and not really figuring anything out. Applying a filter to only see traffic from the current clamp / meter reader seemed sensible, but I believe that because of the mesh-like nature of the Zigbee protocol each message was being relayed by each device, causing a lot of duplication. I removed the SmartPlugs, leaving just the hub and meter reader (the SmartPlugs have battery backup so I think it takes a while for them to stop transmitting; I held the power button, which I think drained them quickly, as the orange light was no longer appearing).

So now we’ve isolated some traffic we’re interested in from a lot of "noise", but we’re still pretty clueless. Brainwave… let’s monitor a short period with normal consumption, then a short period with high consumption (I put the oven on), then a short period with 0 consumption (I removed the current clamp from the mains cable). I made a note of the packet count in Ubiqua at each change so I could be sure to pick a packet from each of the phases.

The incoming packets still don’t seem consistent, so maybe there are more conversations taking place than simply "here’s my power consumption", but I found a fairly regular packet structure 116 bytes in length and decided to filter my packets to just those. I then took the ZCL payload data from one of the "normal", "high" and "zero" samples:

Normal:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

01 DC 01 DC 01 DC 01 DD 01 DB 01 DD 01 DD 01 DD 01 DD 01 DA 01 DC 01 D4 01 D2 01 D5 01 D2

00 03 A8 FA

High Use:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

0E EE 0E FA 0E F4 0E F9 0E F7 0E F9 0E FB 0E FC 0F 13 0E E3 0E E9 0E E7 0E EA 0E 36 0B 33

00 03 A9 27

Zero Use:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 03 A9 AE

You can see I chopped the payload into three logical sections. Now my hex isn’t great, but I could quickly see that 2 hex digits (8 bits or 1 byte) didn’t really mean anything, but when paired and converted to decimal the numbers started to look very much like my estimated power consumption (repeated a number of times; at a guess there are 15 samples in each packet?). Taking the first reading from each packet you end up with:

01 DC = 476 W
0E EE = 3822 W
00 00 = 0 W

Whilst this seemed very likely I wanted to try and confirm the value… So I did another capture and checked the "power now" value on the portal: bingo, spot on!
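To make the decoding above repeatable, here is a small parser I added (example code, not from the original post or from AlertMe): it splits the 68-byte ZCL payload into the three sections shown, decodes the middle section as 15 big-endian 16-bit watt readings, and is fed the three captures quoted above as constructed input. The fixed layout, the watt unit and the treatment of the trailing 4 bytes as one unsigned integer are assumptions on my part.

```python
import struct
from typing import Dict, List, NamedTuple

# Layout of the ZCL payload as worked out in the post (assumed fixed here):
# 34 bytes of 0xFF padding, 15 big-endian uint16 power samples in watts, then
# a 4-byte trailing field the post does not identify (it increases across captures).
PAD_LEN = 34
SAMPLE_COUNT = 15
TRAILER_LEN = 4
PAYLOAD_LEN = PAD_LEN + 2 * SAMPLE_COUNT + TRAILER_LEN  # 68 bytes


class MeterPayload(NamedTuple):
    samples_w: List[int]  # the 15 readings, in packet order
    trailer: int          # unknown trailing field, read as big-endian uint32


def parse_meter_payload(payload: bytes) -> MeterPayload:
    """Split one ZCL payload into its three sections and decode the samples."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError(f"expected {PAYLOAD_LEN} bytes, got {len(payload)}")
    if payload[:PAD_LEN] != b"\xff" * PAD_LEN:
        raise ValueError("leading padding is not all 0xFF; not a meter packet")
    body = payload[PAD_LEN:PAD_LEN + 2 * SAMPLE_COUNT]
    samples = list(struct.unpack(f">{SAMPLE_COUNT}H", body))  # big-endian uint16
    (trailer,) = struct.unpack(">I", payload[PAD_LEN + 2 * SAMPLE_COUNT:])
    return MeterPayload(samples, trailer)


# The three payloads quoted in the post, re-typed as hex (constructed test input).
CAPTURES: Dict[str, bytes] = {
    "normal": bytes.fromhex("FF" * PAD_LEN
        + "01DC01DC01DC01DD01DB01DD01DD01DD01DD01DA01DC01D401D201D501D2"
        + "0003A8FA"),
    "high": bytes.fromhex("FF" * PAD_LEN
        + "0EEE0EFA0EF40EF90EF70EF90EFB0EFC0F130EE30EE90EE70EEA0E360B33"
        + "0003A927"),
    "zero": bytes.fromhex("FF" * PAD_LEN + "00" * (2 * SAMPLE_COUNT) + "0003A9AE"),
}


def first_reading_w(name: str) -> int:
    """First power sample of a named capture, in watts."""
    return parse_meter_payload(CAPTURES[name]).samples_w[0]


def mean_reading_w(name: str) -> float:
    """Mean of the 15 samples, steadier than any single reading."""
    s = parse_meter_payload(CAPTURES[name]).samples_w
    return sum(s) / len(s)
```

Running `first_reading_w` over the three captures reproduces the 476 W / 3822 W / 0 W readings above, and the length and padding checks reject any of the other 116-byte packets that do not follow this layout.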

I still have a lot of work to do to try and determine:

  • What the other packets are?
  • How to decode the consumption packets from the SmartPlugs?
  • How to decode the on/off switching instructions to the SmartPlugs?

And then potentially attempt to build a little Arduino circuit / sketch to facilitate communication. Meanwhile I will no doubt be having a poke around inside the devices :)

I didn’t previously mention that the Zigbee packets are actually encrypted. I’m not quite sure where it came from, but there was already a key in Ubiqua which was able to successfully decrypt the AlertMe / IRIS packets: AD:38:19:32:6F:D5:C8:F9:F2:8D:78:F0:82:66:AE:57. I don’t know if this is unique to my devices or the same for everyone.
