Zigbee sniffer - wireless thermostats

[readiescards]

I've got 9 John Guest wireless thermostat/hot water controllers. While neat little units it is a bit tedious to program so many - plus I want to monitor them.

I think they are Zigbee based.

 

If I get a Zigbee PC sniffer will that help me see what the stats are broadcasting so I can at least look for relevant packets or will it be encrypted ?

 

(I've asked John Guest direct but am waiting an answer)

[Jeremy Harris]

The quick way to check might be to just look at the board inside.  I very much doubt they use the Zigbee protocol, as there is no network connection-type requirement.  Our wireless thermostats use a standard 868 MHz RF module, with what looks like a proprietary 28 bit protocol.  Sniffing it was easy enough with an 868 MHz receiver hooked up to a microcontroller serial port, and storing a snapshot of the Manchester encoded bit sequence, but decoding it was beyond me.

 

I have managed to decode and remotely operate the Byron/HomeEasy 32 bit 433 MHz protocol, but only with a great deal of help from others.  I successfully managed to build both receivers and transmitters that would work with the Byron/HomeEasy home automation units, but never got so far as to emulate the learning mode these things had, so had to sniff every transmitter/receiver pair to determine the actual initial address sequence.

 

Most of the data transmitted by these devices is aimed at reducing interference, because there is only a very limited amount of bandwidth available and there is also a great deal of other stuff working on the two bands that this type of device works on.  Once you've got hold of the protocol used, and the address format, getting controls to switch on or off is easy, just a single bit change in the 32 bit command sequence in the case of the Byron/HomeEasy units.  I suspect other systems use something very similar.

 

 

Edited September 29, 2017 by JSHarris

[readiescards]

The manual states 'The wiring centre and system receivers will automatically join the Zigbee network when powered up and the Wireless Coordinator is in pair mode.'

 

But yes could be tricky decoding I guess, was just wondering if anyone had done it 

[readiescards]

Called them up - there is a JG Hub2: 

http://www.johnguest.com/speedfit/product/jg-aura-wireless-range/jg-hub-and-user-licence/

 

But at £150 not sure I want to spend that today

[Jeremy Harris]

Interesting that it does use Zigbee networking.  Sadly there's virtually no chance you'll be able to sniff it and make any sense of the data, as it uses 128 bit encryption, so is pretty secure.

 

 

[Lesgrandepotato]

If its Zigbee, then something like a Vera controller may well be able to talk to it?