Homematic Control Software

A few weeks ago I bought the home automation system HomeMatic. Up until now all the systems I knew either required cables or did not work properly, so I waited until radio-controlled devices were on the market. I decided to buy HomeMatic because the devices are not too expensive and they communicate bidirectionally. The communication protocol is called “BidCoS” – short for “Bidirectional Communication Service”. This way you always know whether a packet was received or not.

And I must say, the HomeMatic devices work perfectly! I didn’t buy the official HomeMatic central but only the LAN configuration tool (which can be used to control the devices, too) and as controlling software I’m currently using IP-Symcon.

Most of the things I want to do, I can do with this combination. But there are a few things I don’t like. First of all, it is impossible to control the valve state of the valve drives directly. It is only possible to send the desired temperature to the room thermostat (or to the valve drives with the HM-CC-RT-DN). This makes it really hard to implement heating control algorithms. The second thing I don’t like: I have to pair remote controls and remote switches directly to actors for the transmitted signals to be encrypted. That is really annoying. I want the remote control to send a signal to IP-Symcon and decide there what to do. If I only want to switch the alarm system on or off, there is no physical actor to switch – only a variable to set. And especially for remote controlling the alarm system, encryption is kind of a nice feature.

That is why I decided to write my own control software. I started by analyzing the packets sent and received by a valve drive with a logic analyzer on the Serial Peripheral Interface Bus. Later on I bought a CUL and step by step analyzed the other devices with help from the fhem source code and the XML files which come with the software for the LAN configuration tool (I opened a Wiki for my findings: http://sathya.de/HMCWiki).

Until now my control software can’t do much. It took some time to write the underlying control code and now I’m starting to add devices. I’m already able to fully simulate a valve drive. There is no practical use to that, but it helped me understand the BidCoS protocol.

Here is a screenshot of my virtual valve drive in the “HomeMatic Konfigurator”:

And a screenshot of the pairing process in my control software:

I hope I can control the valve drives directly soon. I will keep you up to date.

Sathya

7 thoughts on “Homematic Control Software”

  1. Hi Sathya,

    thanks for sharing the project with us. Am I understanding correctly that you are talking to the Home-Matic Valves through their BidCos protocol? Could you share how exactly?

    Btw great talk at the 30C3!

    Best,
    Valentin

  2. Hi sathya,
    I am doing a project to analyze packets received from a bidcos switch. I am using a cc125em module with a trex board. I am receiving data packets from the bidcos switch in the PC software smart rf radio. Now I want to decrypt what I am receiving. I have seen your last post to Valentin, where you shared a link about bidcos packet information:
    https://www.homegear.eu/index.php/BidCoS_Packet_-_General_Information#Timing
    In this link there is a description of decoding with a program. I did not understand how it is decoding. If you have any idea, could you please explain it to me? Thanks.

    Regards,
    adam

  3. Hello,
    Thanks for the reply. Below are the raw packets which I received in smart rf studio. I have received 13 packets. 7 ok and 13 nok.
    14:46:23.194 | 61948 | 64 cd c7 46 7c 17 0e fd b0 06 a3 38 ca d6 c6 01 7f d7 f7 7f ff ff d7 ff fb db ff e9 fe fb fd ff ff ff 7f fd bf ef 3f ef ff ef f7 f7 dd ff fe 97 6f ef fb fb ff fe fe fb 5f | 0

    14:46:33.946 | 61946 | 6a cb d9 50 52 01 00 fb 8e 00 65 66 c8 c1 97 80 8f fb 7f df fe 7f 7d df ff d7 fd 9b cf f6 ff ff fb dc ff fb fe af ff bf ff 3f bf 55 fe 5f f7 fd 3f df ff ef ff 93 f7 79 ff | 0

    14:46:44.948 | 61944 | 68 c9 db 52 50 03 02 f9 8c 02 af 2c f6 13 d7 c1 d7 fe d7 f4 3e 4c fe 9d 2b df 53 c6 fe 5f e6 a5 de ee d9 bb fe bd f7 eb c2 fd f7 e6 f2 77 ff 3d bf 13 ef f7 a7 7b dc b6 67 | 0

    14:47:03.450 | 61926 | 7e a7 ed 9c 16 3d f4 c7 4a 4c 21 ba fe 6b e6 00 ed ef ef 7f fb f7 dd ef 7f 6b da bf df e7 c6 b7 bf fd ff 5f 6f b7 f7 bb fe 9d 9f 3b fb bf fe ff d7 df db fb fe ee ed ef 4b | 0

    14:47:19.948 | 61924 | 7c a5 ef 9e 14 3f f6 c5 48 4e eb e0 fa 59 39 c0 5f bc fe d5 bf d7 f7 fc eb 47 75 ee ff 16 3b e3 fb df 9d bf 96 d7 5f ff b6 7c b7 3a b7 df fb fd fb 78 ff cf ea 9b bf d7 ff | 0

    14:47:30.201 | 61922 | 42 a3 e1 a8 ea 89 88 03 86 08 7d 7e ee 04 6c 00 a8 ff f7 37 f6 df a2 ef 09 fd ea fd fd ae 7e ef d5 fd fb f7 ff 5b ae ef 5f ff ed df ef 75 ff e2 ae 3d ff f7 b7 e7 e7 df ff | 0

    14:47:37.754 | 62435 | 63 81 02 a5 88 84 ba a1 64 11 d0 c6 00 41 ff ff bb ff ff ff f3 fa ff ff fe 7f ff ff 7f ff df fe fb be 7f f7 ff ff fa f7 7f ff f1 ff ff ff ff 9e ff fe fd f7 ff fc 7e ff ff | 0
    14:47:38.256 | 62432 | 60 82 01 a6 8b a9 46 22 e7 93 18 e8 d0 47 ff ff ff bd 7e ff fe fb ee ff af df ff ef cf f7 ff df ef 7f ff ef fb ff ff ff fe df ef fd bf ff ef ff ff ff fd ff f6 ef bf ff df | 0
    14:47:38.381 | 61920 | 40 a1 e3 aa e8 8b 8a 01 84 0a b7 34 fd d6 c2 00 7a fb 4f 6f e5 ff f7 7b fb ae 7f ff d7 7e 7b 7f ff 6f b7 cd ff ff fd 9f 7f f6 ff 7d fe f6 f3 fe be ff b7 3f 7f f9 ae 2f dd | 0
    14:47:38.504 | 62433 | 61 83 00 a7 8a 86 b8 a3 66 12 18 d2 d3 c5 ff 7f 7e bf db fb f5 df ff ef ff ff fd fd ff f3 7f 6f ff fb ff ef ff fb bf bf ff ff 79 ff 7e ff ff 76 fd 75 ff ff ff ff df ff ff | 0
    14:47:38.999 | 62433 | 61 83 00 a7 8a 86 b8 a3 66 12 18 d2 d3 c0 de f9 fb bb 9f ff ef bf fe bd 67 ff be ff db d5 ff ff 74 ee 7f bf ea bb ff ef dc 7d ff d9 ff d7 fb ff bb ff fd bf ff ff f7 cb bf | 0
    14:47:41.971 | 62433 | 61 83 00 a7 8a 86 b8 a3 66 12 18 d2 d3 c1 ff df ed fb df ff ff ff eb ff ef ff ff ff ef ff df ff ff af 7d ff ff ff ff 77 f7 ff ff ff be ef 7f ff 7f ff f6 ff f7 bf ff ff ff | 0
    14:47:45.935 | 62433 | 61 83 00 a7 8a 86 b8 a3 66 12 18 d2 d3 83 5d ff ff f7 bf b7 ef fb fb df eb ff ed ff bd bf fb bd bf 77 fe ff fe 6f ff bd f6 bd fc fb 6d ef ff fb cf 7f fd ff db d9 7f fb e7 | 0

    • Those are not HomeMatic BidCoS packets. The first byte is the packet length. Your packets are all too large and the length doesn’t match the first byte. Also there are too many “ff” and “7f” there. Your register settings are probably wrong. Here are mine:

      if(_settings->oscillatorFrequency == 26000000)
      {
      _config = //Read from HM-CC-VD
      {
      (_settings->interruptPin == 2) ? (uint8_t)0x46 : (uint8_t)0x5B, //00: IOCFG2 (GDO2_CFG)
      0x2E, //01: IOCFG1 (GDO1_CFG to High impedance (3-state))
      (_settings->interruptPin == 0) ? (uint8_t)0x46 : (uint8_t)0x5B, //02: IOCFG0 (GDO0_CFG)
      0x07, //03: FIFOTHR (FIFO threshold to 33 (TX) and 32 (RX))
      0xE9, //04: SYNC1
      0xCA, //05: SYNC0
      0xFF, //06: PKTLEN (Maximum packet length)
      0x0C, //07: PKTCTRL1: CRC_AUTOFLUSH | APPEND_STATUS | NO_ADDR_CHECK
      0x45, //08: PKTCTRL0
      0x00, //09: ADDR
      0x00, //0A: CHANNR
      0x06, //0B: FSCTRL1
      0x00, //0C: FSCTRL0
      0x21, //0D: FREQ2
      0x65, //0E: FREQ1
      0x6A, //0F: FREQ0
      0xC8, //10: MDMCFG4
      0x93, //11: MDMCFG3
      0x03, //12: MDMCFG2
      0x22, //13: MDMCFG1
      0xF8, //14: MDMCFG0
      0x34, //15: DEVIATN
      0x07, //16: MCSM2
      0x30, //17: MCSM1: IDLE when packet has been received, RX after sending
      0x18, //18: MCSM0
      0x16, //19: FOCCFG
      0x6C, //1A: BSCFG
      0x03, //1B: AGCCTRL2
      0x40, //1C: AGCCTRL1
      0x91, //1D: AGCCTRL0
      0x87, //1E: WOREVT1
      0x6B, //1F: WOREVT0
      0xF8, //20: WORCTRL
      0x56, //21: FREND1
      0x10, //22: FREND0
      0xE9, //23: FSCAL3
      0x2A, //24: FSCAL2
      0x00, //25: FSCAL1
      0x1F, //26: FSCAL0
      0x41, //27: RCCTRL1
      0x00, //28: RCCTRL0
      };
      }
      else if(_settings->oscillatorFrequency == 27000000)
      {
      _config =
      {
      (_settings->interruptPin == 2) ? (uint8_t)0x46 : (uint8_t)0x5B, //00: IOCFG2 (GDO2_CFG: GDO2 connected to RPi interrupt pin, asserts when packet sent/received, active low)
      0x2E, //01: IOCFG1 (GDO1_CFG to High impedance (3-state))
      (_settings->interruptPin == 0) ? (uint8_t)0x46 : (uint8_t)0x5B, //02: IOCFG0 (GDO0_CFG, GDO0 (optionally) connected to CC1190 PA_EN, PA_PD, active low(?!))
      0x07, //03: FIFOTHR (FIFO threshold to 33 (TX) and 32 (RX))
      0xE9, //04: SYNC1
      0xCA, //05: SYNC0
      0xFF, //06: PKTLEN (Maximum packet length)
      0x0C, //07: PKTCTRL1 (CRC_AUTOFLUSH | APPEND_STATUS | NO_ADDR_CHECK)
      0x45, //08: PKTCTRL0 (WHITE_DATA = on, PKT_FORMAT = normal mode, CRC_EN = on, LENGTH_CONFIG = “Variable packet length mode. Packet length configured by the first byte after sync word”)
      0x00, //09: ADDR
      0x00, //0A: CHANNR
      0x06, //0B: FSCTRL1 (0x06 gives f_IF=152.34375kHz@26.0MHz XTAL, 158.203125kHz@f_XOSC=27.0MHz; default value is 0x0F which gives f_IF=381kHz@f_XOSC=26MHz; formula is f_IF=(f_XOSC/2^10)*FSCTRL1[5:0])
      0x00, //0C: FSCTRL0
      0x20, //0D: FREQ2 (base freq f_carrier=(f_XOSC/2^16)*FREQ[23:0]; register value FREQ[23:0]=(2^16/f_XOSC)*f_carrier; 0x21656A gives f_carrier=868.299866MHz@f_XOSC=26.0MHz, 0x2028C5 gives f_carrier=868.299911MHz@f_XOSC=27.0MHz)
      0x28, //0E: FREQ1
      0xC5, //0F: FREQ0
      0xC8, //10: MDMCFG4 (CHANBW_E = 3, CHANBW_M = 0, gives BW_channel=f_XOSC/(8*(4+CHANBW_M)*2^CHANBW_E)=102kHz@f_XOSC=26MHz, 105kHz@f_XOSC=27MHz)
      // 0x93, //11: MDMCFG3 (26MHz: DRATE_E = 0x8, DRATE_M = 0x93, gives R_DATA=((256+DRATE_M)*2^DRATE_E/2^28)*f_XOSC=9993Baud)
      0x84, //11: MDMCFG3 (27MHz: DRATE_M=(R_DATA*2^28)/(f_XOSC*2^DRATE_E)-256 ==> DRATE_E = 0x8, DRATE_M = 132=0x84, gives R_DATA=((256+DRATE_M)*2^DRATE_E/2^28)*f_XOSC=9991Baud)
      0x03, //12: MDMCFG2 (DEM_DCFILT_OFF = 0, MOD_FORMAT = 0 (2-FSK), MANCHESTER_EN = 0, SYNC_MODE = 3 = 30/32 sync word bits detected)
      0x22, //13: MDMCFG1 (FEC_EN = 0, NUM_PREAMBLE = 2 = 4 preamble bytes, CHANSPC_E = 2)
      // 0xF8, //14: MDMCFG0 (CHANSPC_M = 248 = 0xF8, Delta f_channel=(f_XOSC/2^18)*(256+CHANSPC_M)*2^CHANSPC_E=199.951kHz@f_XOSC=26MHz)
      0xE5, //14: MDMCFG0 (CHANSPC_M=(Delta_F_channel*2^18/(f_XOSC*2^CHANSPC_E)-256 ==> CHANSPC_M = 229 = 0xE5, Delta_f_channel=(f_XOSC/2^18)*(256+CHANSPC_M)*2^CHANSPC_E=199.814kHz@f_XOSC=27MHz)
      0x34, //15: DEVIATN (DEVIATION_E = 3, DEVIATION_M = 4, gives f_dev=(f_XOSC/2^17)*(8+DEVIATION_M)*2^DEVIATION_E=19.043kHz@f_XOSC=26MHz, =19.775kHz@f_XOSC=27MHz)
      0x07, //16: MCSM2 (RX_TIME_RSSI = 0, RX_TIME_QUAL = 0, RX_TIME = 7)
      0x30, //17: MCSM1 (CCA_MODE = 0b00 = “Always”, RXOFF_MODE = 0 = IDLE, TXOFF_MODE = 0 = IDLE)
      0x18, //18: MCSM0 (FS_AUTOCAL = 0b01 = cal@IDLE->RX/TX, PO_TIMEOUT = 0b10 = 149µs@27MHz, PIN_CTRL_EN = 0, XOSC_FORCE_ON = 0)
      0x16, //19: FOCCFG (FOD_BS_CS_GATE = 0, FOC_PRE_K = 0b10 = 3K, FOC_POST_K = 1 = K/2, FOC_LIMIT = 0b10)
      0x6C, //1A: BSCFG
      0x03, //1B: AGCCTRL2
      0x40, //1C: AGCCTRL1
      0x91, //1D: AGCCTRL0
      0x87, //1E: WOREVT1
      0x6B, //1F: WOREVT0
      0xF8, //20: WORCTRL
      0x56, //21: FREND1
      0x10, //22: FREND0
      0xE9, //23: FSCAL3
      0x2A, //24: FSCAL2
      0x00, //25: FSCAL1
      0x1F, //26: FSCAL0
      0x41, //27: RCCTRL1
      0x00, //28: RCCTRL0
      };
      }
      and

      writeRegister(Registers::Enum::FSTEST, 0x59, true);
      writeRegister(Registers::Enum::TEST2, 0x81, true); //Determined by SmartRF Studio
      writeRegister(Registers::Enum::TEST1, 0x35, true); //Determined by SmartRF Studio
      writeRegister(Registers::Enum::PATABLE, _settings->txPowerSetting, true);

      Then wait for the interrupt on GDO0 or GDO2. Read the first FIFO byte. This is the length of the packet. After that read the packet plus one byte (the RSSI).

      Cheers,

      Sathya
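
The register comments in the reply above quote the CC1101 formulas for carrier, data rate, channel spacing and deviation. The following added example (not code from the post or from Sathya's software) applies them to the crystal-dependent registers of both tables and shows how far off the carrier lands when the 26 MHz table is loaded on a 27 MHz crystal. The names `RfRegisters`, `decode` and `tunedTo`, the 868.3 MHz target and the 1 kHz tolerance are assumptions made for the example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// The crystal-dependent CC1101 registers, named as in the register tables above.
struct RfRegisters {
    std::uint8_t fsctrl1, freq2, freq1, freq0, mdmcfg4, mdmcfg3, mdmcfg1, mdmcfg0, deviatn;
};

// Values copied from the two tables in the reply (26 MHz and 27 MHz crystal).
const RfRegisters kConfig26MHz = {0x06, 0x21, 0x65, 0x6A, 0xC8, 0x93, 0x22, 0xF8, 0x34};
const RfRegisters kConfig27MHz = {0x06, 0x20, 0x28, 0xC5, 0xC8, 0x84, 0x22, 0xE5, 0x34};

// Radio parameters a register set produces on a given crystal (Hz; baud for dataRate).
struct RfParams {
    double carrier, intermediate, channelBw, dataRate, channelSpacing, deviation;
};

// Applies the formulas quoted in the register comments; fXosc is the crystal frequency in Hz.
RfParams decode(const RfRegisters& r, double fXosc) {
    const std::uint32_t freq =
        (std::uint32_t(r.freq2) << 16) | (std::uint32_t(r.freq1) << 8) | r.freq0;
    const unsigned chanbwE = (r.mdmcfg4 >> 6) & 0x3, chanbwM = (r.mdmcfg4 >> 4) & 0x3;
    const unsigned drateE = r.mdmcfg4 & 0xF, chanspcE = r.mdmcfg1 & 0x3;
    const unsigned devE = (r.deviatn >> 4) & 0x7, devM = r.deviatn & 0x7;
    RfParams p;
    p.carrier = fXosc / 65536.0 * freq;                       // f_XOSC / 2^16 * FREQ
    p.intermediate = fXosc / 1024.0 * (r.fsctrl1 & 0x1F);     // f_XOSC / 2^10 * FREQ_IF
    p.channelBw = fXosc / (8.0 * (4 + chanbwM) * (1u << chanbwE));
    p.dataRate = (256.0 + r.mdmcfg3) * (1u << drateE) / 268435456.0 * fXosc;     // 2^28
    p.channelSpacing = fXosc / 262144.0 * (256 + r.mdmcfg0) * (1u << chanspcE);  // 2^18
    p.deviation = fXosc / 131072.0 * (8 + devM) * (1u << devE);                  // 2^17
    return p;
}

// True when the register set tunes the radio within toleranceHz of wantedHz (both assumed).
bool tunedTo(const RfRegisters& r, double fXosc, double wantedHz, double toleranceHz) {
    return std::fabs(decode(r, fXosc).carrier - wantedHz) <= toleranceHz;
}

int main() {
    const double crystals[] = {26e6, 27e6};
    for (double fXosc : crystals) {  // second pass: 26 MHz table on the wrong crystal
        const RfParams p = decode(kConfig26MHz, fXosc);
        std::printf("26 MHz table @ %.0f MHz crystal: carrier %.6f MHz, %.0f baud, tuned=%d\n",
                    fXosc / 1e6, p.carrier / 1e6, p.dataRate,
                    tunedTo(kConfig26MHz, fXosc, 868.3e6, 1e3));
    }
    return 0;
}
```

A receiver tuned tens of MHz away from the transmitter still fills its FIFO with noise, which is one way to end up with captures whose first byte does not match the frame length.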

  4. Hi
    I am using the transceiver cc1125, which works on a 40khz OSC. Actually I want to decrypt the packets which I am receiving in smart rf studio. Can you give me an idea how to decrypt the bidcos packet, and if you have a config for the cc125, could you provide it? Thanks

    Regards,
    adam
