Xiaomi temperature and humidity sensor protocol analysis

The blogger likes to play with smart-home gear, and a smart home really does make life at home more convenient.
The weather is hot, and the blogger wants one automation: when the room is occupied and the temperature is above 33 degrees, turn on the air conditioner. The blogger already has a smart-home system of his own, with a gateway, a passive-infrared occupancy sensor and an infrared blaster; only a temperature sensor is missing. So the blogger looked up Lumi Lianchuang's temperature and humidity sensor on Xiaomi's official website. It looks as follows:

Hardware disassembly: http://www.geekifix.com/wp/archives/390.html

The temperature and humidity sensor uses the Zigbee protocol, and so does the gateway I am currently using, so the communication with the gateway can be worked out by capturing and analysing the traffic.

After receiving the sensor, the blogger follows the instructions and opens permit-join on the host (gateway) from the mobile client. The join process can be observed in the host log; roughly it goes like this:
1. The sensor sends a Beacon Request, asking to join the network
2. The host replies with a Beacon, announcing that it can be joined
3. The sensor sends an Association Request, the host sends an Association Response, and a Transport Key delivers the network key
4. Joining is complete
5. The sensor sends a ZDO Device Announce, reporting that it has joined
6. The sensor then sends ZCL attribute reports on its own initiative:

  1. cls_id:0x0000, attr_id:0x0005 (ModelIdentifier), dt:0x42, "lumi.sensor_ht": "I am a Lumi temperature and humidity sensor"
  2. cls_id:0x0000, attr_id:0x0001 (ApplicationVersion), dt:0x20, 2: "my application firmware version is 2"

From these two reports the device can be recognised as a temperature and humidity sensor.
This does not follow the Zigbee standard. The standard way of identifying a newly joined device is more involved, and Xiaomi simply skips it: as soon as its device joins, it announces at the door what kind of device it is. Straight to the point. It does no harm either, since your own gateway can support this method as well.
Next, the Xiaomi sensor sent a report of a private attribute:
cls_id:0x0000, attr_id:0xff01, dt:0x42, [1f 01 21 ef 08 04 21 a8 01 05 21 18 00 06 24 01 00 00 00 00 64 29 33 0c 65 21 cd 19 0a 21 00 00]
The two reports above are still standard HA 1.2 attribute reports, but this attribute is manufacturer-specific.
The blogger wonders why Xiaomi reports this. Does the host need to reply with matching data to confirm that it is a Xiaomi gateway, opening a back door to Xiaomi's own gateway? Set that aside for now and look at the temperature and humidity the device reports:
cls_id:0x0402, attr_id:0x0000, dt:0x29, [bb 0b]: the temperature is reported as 0x0bbb, decimal 3003; divided by 100 that is 30.03 degrees Celsius
cls_id:0x0405, attr_id:0x0000, dt:0x21, [04 1e]: the humidity is reported as 0x1e04, decimal 7684; divided by 100 that is 76.84%

By modifying the host configuration, the blogger added the Xiaomi temperature and humidity sensor to the Zhijia 365 system.

But its operation does not seem stable.
Analysing the data, the blogger found that for a long time it has reported no temperature or humidity values, no heartbeat and no battery report. It only sends the cls_id:0x0000, attr_id:0xff01 attribute report from time to time, with subtle differences each time:

[1f 01 21 ef 08 04 21 a8 01 05 21 18 00 06 24 01 00 00 00 00 64 29 33 0c 65 21 cd 19 0a 21 00 00]
[1f 01 21 bd 0b 04 21 a8 13 05 21 2a 00 06 24 00 00 00 00 00 64 29 27 0b 65 21 26 26 0a 21 00 00]
[1f 01 21 bd 0b 04 21 a8 13 05 21 2a 00 06 24 00 00 00 00 00 64 29 ef 0a 65 21 e4 20 0a 21 00 00]
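As an added example (not code from the original post or from Xiaomi), here is a decoder for the 0xff01 payload that applies the tag/type/value layout open-source Zigbee integrations have documented for lumi.sensor_ht and runs it over the three captures above, so it becomes explicit which fields actually vary between reports. The tag meanings (0x01 battery voltage in mV, 0x64 temperature and 0x65 humidity, both scaled by 100 like the standard clusters) are an assumption; the data-type sizes are standard ZCL, and a payload whose length prefix or value sizes do not add up is rejected, which is the minimum check a gateway should apply before acting on an undocumented attribute.

```python
"""Decoder for the Lumi/Xiaomi private attribute 0xff01 (Basic cluster 0x0000).
The value is a ZCL character string (dt 0x42): one length byte, then a run of
(tag, ZCL data type, little-endian value) entries.  Tag meanings are those documented
by open-source Zigbee integrations for lumi.sensor_ht and are an assumption here."""

# ZCL integer data types -> (length in bytes, signed); 0x21, 0x24 and 0x29 occur above.
ZCL_INT_TYPES = {
    0x20: (1, False), 0x21: (2, False), 0x22: (3, False), 0x23: (4, False),
    0x24: (5, False), 0x25: (6, False),
    0x28: (1, True), 0x29: (2, True), 0x2A: (3, True), 0x2B: (4, True),
}
TAG_BATTERY_MV, TAG_TEMPERATURE, TAG_HUMIDITY = 0x01, 0x64, 0x65  # assumed meanings

def parse_ff01(payload: bytes) -> dict:
    """Return {tag: int} for one 0xff01 payload; malformed input raises ValueError."""
    if not payload or len(payload) - 1 < payload[0]:
        raise ValueError("length prefix does not match payload")
    body, pos, fields = payload[1:1 + payload[0]], 0, {}
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("dangling tag without data type")
        tag, dtype = body[pos], body[pos + 1]
        if dtype not in ZCL_INT_TYPES:
            raise ValueError(f"unsupported data type 0x{dtype:02x} for tag 0x{tag:02x}")
        size, signed = ZCL_INT_TYPES[dtype]
        if pos + 2 + size > len(body):
            raise ValueError(f"value of tag 0x{tag:02x} is truncated")
        fields[tag] = int.from_bytes(body[pos + 2:pos + 2 + size], "little", signed=signed)
        pos += 2 + size
    return fields

def decode_readings(payload: bytes) -> dict:
    """Scale the assumed sensor fields the way the standard 0x0402/0x0405 values are (/100)."""
    fields = parse_ff01(payload)
    return {"battery_mv": fields.get(TAG_BATTERY_MV),
            "temperature_c": fields[TAG_TEMPERATURE] / 100,
            "humidity_pct": fields[TAG_HUMIDITY] / 100}

# The three captures quoted in the post, copied from its [..] notation.
CAPTURES = [
    "1f 01 21 ef 08 04 21 a8 01 05 21 18 00 06 24 01 00 00 00 00 64 29 33 0c 65 21 cd 19 0a 21 00 00",
    "1f 01 21 bd 0b 04 21 a8 13 05 21 2a 00 06 24 00 00 00 00 00 64 29 27 0b 65 21 26 26 0a 21 00 00",
    "1f 01 21 bd 0b 04 21 a8 13 05 21 2a 00 06 24 00 00 00 00 00 64 29 ef 0a 65 21 e4 20 0a 21 00 00",
]

if __name__ == "__main__":
    for hexdump in CAPTURES:  # shows which fields actually change between the three reports
        print(decode_readings(bytes.fromhex(hexdump)))
```

Under these assumptions the bytes that differ between the three captures sit in the battery, temperature and humidity fields, so the report is worth decoding rather than just counting.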

The blogger suspects this must be a back door built in by Xiaomi: with a non-Xiaomi gateway it works erratically, sometimes not at all, while with Xiaomi's own gateway it works fine. It seems Xiaomi has kept a card up its sleeve.

Some other day the blogger will buy a Xiaomi gateway and run the two together, to see what the Xiaomi gateway replies when it receives 0xff01.
