Plugwise Protocol Analysis, Part 3
Adding a Module
Found that a Circle module that is not part of the network advertises itself by periodically broadcasting its MAC with an associated CmdID of “0006”.
The Source software responds with a “0007” message, accepting or rejecting the module. This could be a way to detect unconfigured plugs in your network.
Example (about every 75 seconds):
RECV 0006 002A 000D6F0000B1A240
SEND 0007 00 000D6F0000B1A240
RECV 0000 007C 00C1
A random ‘sequence number’ (002A) is used in the 0006 command, and the reply 0007 command has a regular sequence number (007C). The 0007 00 means that the module is rejected, but if 0007 01 is sent back, the module is added to the network, which is confirmed with a 0061 message from the module.
Here are some samples from the analysed capture where a new module is accepted into the network:
RECV 0006 002B 000D6F0000D3595D
SEND 0007 01 000D6F0000D3595D
RECV 0000 00B0 00C1
Some time (and many unrelated messages) later:
RECV 0061 FFFD 000D6F0000D3595D
Seems the module is in the network. Some time (and again many unrelated messages) later, the module is already queried for usage data:
SEND 0023 000D6F0000D3595D
RECV 0000 00D3 00C1
RECV 0024 00D3 000D6F0000D3595D 0B051B43 00044D90 01 85 653907014023 4CCEC0C2 02
I have the impression that at the end of the current scan loop, the restart command 0008 01 is sent to finish this adding, but I am not sure if that is related to this Module Add.
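As an added example (not from the original post or the Plugwise software), the Python code below tracks the 0006/0007/0061 exchange per MAC over formatted log lines like the ones above and lists the modules that advertised without being accepted. The field layout (direction, CmdID, sequence number or flag, MAC), the state names and the function names are assumptions made for this example.

```python
import re

JOIN_CMDS = {("RECV", "0006"), ("SEND", "0007"), ("RECV", "0061")}
MAC_RE = re.compile(r"[0-9A-F]{16}")

# Constructed sample: the exchanges quoted in the post, in capture order.
SAMPLE_LOG = """\
RECV 0006 002A 000D6F0000B1A240
SEND 0007 00 000D6F0000B1A240
RECV 0000 007C 00C1
RECV 0006 002B 000D6F0000D3595D
SEND 0007 01 000D6F0000D3595D
RECV 0000 00B0 00C1
RECV 0061 FFFD 000D6F0000D3595D
SEND 0023 000D6F0000D3595D
RECV 0024 00D3 000D6F0000D3595D 0B051B43 00044D90 01 85 653907014023 4CCEC0C2 02
"""


def track_joins(log_text):
    """Return {mac: {"state": str, "adverts": int}} for the join exchange."""
    modules = {}
    for line in log_text.splitlines():
        fields = line.split()
        # Assumed layout: direction, CmdID, sequence number or flag, MAC.
        if len(fields) != 4 or (fields[0], fields[1]) not in JOIN_CMDS:
            continue
        direction, cmd, arg, mac = fields
        if not MAC_RE.fullmatch(mac):
            continue  # malformed or truncated line
        entry = modules.setdefault(mac, {"state": None, "adverts": 0})
        if cmd == "0006":    # module says it is not part of a network
            entry["adverts"] += 1
            entry["state"] = "advertising"
        elif cmd == "0007":  # arg is the flag: 01 accepts, anything else rejects
            entry["state"] = "accepted" if arg == "01" else "rejected"
        else:                # 0061: module confirms it was added
            entry["state"] = "joined"
    return modules


def unconfigured(modules):
    """MACs seen advertising that were not accepted into the network."""
    return sorted(mac for mac, e in modules.items()
                  if e["state"] in ("advertising", "rejected"))


if __name__ == "__main__":
    for mac, entry in track_joins(SAMPLE_LOG).items():
        print(mac, entry["state"], entry["adverts"])
    print("unconfigured:", unconfigured(track_joins(SAMPLE_LOG)))
```

A MAC that stays in the "accepted" state never sent the 0061 confirmation within the analysed log.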
Still have to analyse more of the data I gathered while joining those plugs and what happens when you (re)configure the network. I already know that the commands 0001 to 0005 are used to create the network and associate the Stick to a Circle+, but that is for a later post.
To help analyse the capture logs I created with portmon, I wrote an (initially) small script in VBS to filter and format the request and reply messages I got. The data between <5><5><3><3> and <cr><lf> is now nicely organized, the rest is disposed of. Now I’m adding formatting for the commands I know the structure of.
NB.
I see this kind of ‘reset’ in my logs, but I am still unsure why it happens and what it does. Just documenting for now.
SEND 0008 01
RECV 0000 020F 00C1
RECV 0000 020F 00D9 000D6F0000B1B64B
I’ll ignore those until I see a pattern.
In the plugwise source folder, there is a diag util. Nice to see what happens in your network, and see how the plugwise developers named some of the data.
Hello Roheve. I am writing a Java driver for Plugwise and I loved your blog. For now I can get power consumption, energy consumption and I can switch on/off the Circles. My big problem is that I want to detect circles automatically instead of writing their MAC address in a properties file.
Trying to understand the protocol more, I have found some interesting things about the commands, like
000800 I call it ALLOW_NODES_TO_JOIN because it gives back an ack
00DD HN_ALLOWNEWNODESTOJOIN_ACK_0
and for 000801 I have
00D9 HN_ALLOWNEWNODESTOJOIN_ACK_1
I have a list of ACK with their meaning, so if anyone needs them, just send me an e-mail.
I’ll list some commands here for anyone that needs them:
(the names below are based on their ack response)
0028/0000 RTC_SET_REQUEST
004A/0000 SET_BROADCAST_INTERVAL
0029/003A RTC_GET_REQUEST
003E/003F SET_RELAIS_POSITION_ON
0018/0019 DEVICE_DISCOVER
004E/0000 SET_HANDLE_REQUEST
If I find other interesting things, I’ll let anyone know
Best regards
Adrian
I made a little mistake
003E/003F is for getting the clock, I noticed it just now.
Hi, currently trying to understand the protocol, I don’t get any 006 message on my network. Reading your comment I suspect that a 0080 needs to be sent on the network to allow new circle appliances to advertise and then allow them to join the network. Did you publish any information on joining new circle appliances and code 0800? Thx