

As consumers we read the manual of our brand new HomeMatic devices. There they promise: You will find all technical documentation at our website. We went there but only found advertising stuff.

As we wanted to know if those devices are worth the money and safe to use, we were forced to check on our own, as eQ-3 is not giving any technical information... now we know why. Read below:


HomeMatic uses the home-brew protocol BidCos ®, based on TI CC1100 transceivers (3 Euro) that are normally driven by an ATMEL processor (1..4 Euro). The transmit and receive part of messages (868,3MHz / 2-FSK modulation) is handled completely by the well-documented TI chip (output power set to its maximum of 10dBm - see CC11xx registers 4 BidCos). So no magic there ...

If you're happy with FS20, stick to it and wait until this HomeMatic stuff is fairly priced. Bidirectional FM modulation@10dBm are good reasons to change, but the same security issues known from FS20 will remain (BidCos ® is also not record and replay safe).

Especially with TI's next generation CC1110, which contains an MCU, devices must become available for not more than 20 EUR. Everything else is a big ripoff.

® - Yes! we honor that ...

Payload "encryption"

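void bidcos_decode(const unsigned char *enc, unsigned char *dec, int n)
{
    int l;
    dec[0] = enc[0];                 /* byte 0 is copied unchanged */
    dec[1] = (~enc[1]) ^ 0x89;
    for (l = 2; l < n-3; l++) dec[l] = (enc[l-1] + 0xdc) ^ enc[l];
    dec[l] = enc[l] ^ dec[2];        /* l == n-3 after the loop */
}

(ignoring the CC1100 status bytes)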


The payload is partly described in XML files located in the "/firmware" directory of CCU images.

HM-RC4 (4ch handheld transmitter) payload

All data is shown after the de-XORing posted above.
(Some of the naming is taken from the debug (syslog) output of the CCU.)
byte 0: packet length
byte 1: message counter
byte 2: always 0x84 for me
byte 3: message type (0x40)
byte 4+5+6 (4 = MSB) form 1 long number. the device address? mine is 0x100383
byte 7+8+9 also 1 long number, with unknown meaning. 0x000000 for me
byte 10: data
byte 10: bit 7: Low batt (0 = no, 1 = yes)
byte 10: bit 6: long press (0 = no, 1 = yes)
byte 10: lower bits: button number (1 - 4)
byte 11: button-toggle-counter. byte 1 DOES increment when you keep a button pressed, byte 11 does NOT
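
Added example (not from the original page, eQ-3 or culfw): the de-obfuscation above and the HM-RC4 byte list combined into one C parser, run on a constructed frame. It assumes `n` counts the whole received buffer including the two CC1100 status bytes; the struct, function and sample names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout follows the page's HM-RC4 byte list; all names here are
   assumptions of this example, not taken from eQ-3 or the CCU firmware. */
struct hm_rc4 {
    uint8_t  len, counter, byte2, type;
    uint32_t addr;       /* bytes 4..6, byte 4 is the MSB */
    uint32_t unknown;    /* bytes 7..9, meaning unknown per the page */
    uint8_t  low_batt, long_press, button, toggle;
};

/* Constructed sample: 12 obfuscated frame bytes plus two dummy CC1100
   status bytes, so n = 14 and the page's loop bound n-3 is 11. */
static const uint8_t SAMPLE[14] = {
    0x0B, 0x5C, 0xBC, 0xD8, 0xA4, 0x83, 0xDC,
    0xB8, 0x94, 0x70, 0x0E, 0x81, 0x00, 0x00
};

/* Returns 0 on success, -1 if the buffer cannot be an HM-RC4 type 0x40 frame. */
static int hm_rc4_parse(const uint8_t *enc, size_t n, struct hm_rc4 *m)
{
    uint8_t dec[64];
    size_t l;
    if (n < 14 || n - 2 > sizeof dec)        /* need decoded bytes 0..11 */
        return -1;
    dec[0] = enc[0];
    dec[1] = (uint8_t)(~enc[1] ^ 0x89);
    for (l = 2; l < n - 3; l++)
        dec[l] = (uint8_t)((enc[l - 1] + 0xdc) ^ enc[l]);
    dec[l] = (uint8_t)(enc[l] ^ dec[2]);     /* l == n-3: byte before the status bytes */
    if (dec[3] != 0x40) return -1;           /* message type from the byte list */
    m->len = dec[0];  m->counter = dec[1];  m->byte2 = dec[2];  m->type = dec[3];
    m->addr    = (uint32_t)dec[4] << 16 | (uint32_t)dec[5] << 8 | dec[6];
    m->unknown = (uint32_t)dec[7] << 16 | (uint32_t)dec[8] << 8 | dec[9];
    m->low_batt   = dec[10] >> 7;
    m->long_press = (dec[10] >> 6) & 1;
    m->button     = dec[10] & 0x3F;          /* "lower bits" per the page */
    m->toggle     = dec[11];
    return 0;
}

int main(void)
{
    struct hm_rc4 m;
    if (hm_rc4_parse(SAMPLE, sizeof SAMPLE, &m) != 0) return 1;
    printf("ctr=%02X addr=%06lX btn=%u long=%u toggle=%u\n", m.counter, (unsigned long)m.addr, m.button, m.long_press, m.toggle);
    return 0;
}
```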


To receive and send messages you may use culfw.

On/Off switching a wall socket:

Press Ctrl-D to stop.
01:19:39 nr: 8F cc: A4 ty: 40 s: 119123 d: 105123 pl: 03 2B .+
01:19:39 nr: 8F cc: 80 ty: 02 s: 105123 d: 119123 pl: 01 01 00 00 2E .....
01:19:54 nr: 90 cc: A4 ty: 40 s: 119123 d: 105123 pl: 02 59 .Y
01:19:54 nr: 90 cc: 80 ty: 02 s: 105123 d: 119123 pl: 01 01 C8 00 39 ....9

Created by: avrfreak last modification: Tuesday 18 of May, 2010 [02:27:10 UTC] by avrfreak
