Archive for May, 2011

Plugwise Protocol Analysis, Part 4 (Create Network)

15 May 2011

I experimented with my PW network to find out how to create a network and add modules to it. So first I removed one module completely from my network using Source and did a full reset of that Plug. Then, a bit later, I discovered the PW diag util, and looked at it a bit. BTW, Diag does not find your COM port by itself; you have to click on the … button, then everything is easy.

I also tried resetting a Circle using Diag and, by accident, did that with my Circle+ too. OK, network gone. I wanted to test that anyway, but it was a bit unplanned for now. OK, a great opportunity to reconfigure my whole network. I made captures of most of this, some still pending more detailed analysis. I soon had my Circle+ and another Circle in my network, but did not see my other plugs. I decided to reset them too with a hard reset. They became visible again, and I added them back into the network.

Now I had a working system again, and also captures of what happened. No real analysis of what happened during network creation, but the logging is below. I do not yet know why so many attempts are registered. The second Network PAN ID offer is accepted, though I cannot see why the first few failed; maybe just ‘timing’.

Note that 000D6F0000B835CB is the Stick and 000D6F0000B1B64B is the Circle+

Anyway, here is what I logged:

SEND 000A
RECV 0000 000C 00C1
RECV 0011 000C 000D6F0000B835CB 01 00
SEND 0023 000D6F0000B835CB
RECV 0000 000D 00C1
RECV 0024 000D 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00
SEND 004E 0000000000000000
RECV 0000 000E 00C1
SEND 000A
RECV 0000 000F 00C1
RECV 0011 000F 000D6F0000B835CB 01 00
SEND 0023 000D6F0000B835CB
RECV 0000 0010 00C1
RECV 0024 0010 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00
SEND 0023 000D6F0000B835CB
RECV 0000 0011 00C1
RECV 0024 0011 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00
SEND 0023 000D6F0000B835CB
RECV 0000 0012 00C1
RECV 0024 0012 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00

*** -=-Pair-=- *** (no offer made)
SEND 0001
RECV 0000 0013 00C1
RECV 0003 0013 00CE
SEND 000A
RECV 0000 0014 00C1
RECV 0011 0014 000D6F0000B835CB 01 00
SEND 0023 000D6F0000B835CB
RECV 0000 0015 00C1
RECV 0024 0015 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00

*** -=-Pair-=- *** (no offer made)
SEND 0001
RECV 0000 0016 00C1
RECV 0003 0016 00CE
SEND 000A
RECV 0000 0017 00C1
RECV 0011 0017 000D6F0000B835CB 01 00
SEND 0023 000D6F0000B835CB
RECV 0000 0018 00C1
RECV 0024 0018 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00

*** -=-Pair-=- *** (offer made, but not accepted)
SEND 0001
RECV 0000 0019 00C1
RECV 0002 0019 0F FFFFFFFFFFFFFFFF 520D6F0000B1B64B FFFFFFFFFFFFFFFF 520D6F0000B1B64B 5D52 01
RECV 0003 0019 00CE
SEND 000A
RECV 0000 001A 00C1
RECV 0011 001A 000D6F0000B835CB 01 00
SEND 0004 0000 0000000000000000 000D6F0000B1B64B
RECV 0000 001B 00C1
RECV 0061 FFFD 000D6F0000B835CB
RECV 0005 001B 0001
SEND 0023 000D6F0000B835CB
RECV 0000 0001 00C1
RECV 0024 0001 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00

*** -=-Pair-=- *** (offer made, accepted)
SEND 0001
RECV 0000 0002 00C1
RECV 0002 0002 0F FFFFFFFFFFFFFFFF 060D6F0000B1B64B FFFFFFFFFFFFFFFF 060D6F0000B1B64B 1606 01
RECV 0003 0002 00CE
SEND 000A
RECV 0000 0003 00C1
RECV 0011 0003 000D6F0000B835CB 01 00
SEND 0004 0000 0000000000000000 000D6F0000B1B64B
RECV 0000 0004 00C1
RECV 0061 FFFD 000D6F0000B835CB
RECV 0005 0004 0001

After this a full reply (0011) is received:
SEND 000A
RECV 0000 0005 00C1
RECV 0011 0005 000D6F0000B835CB 01 01 060D6F0000B1B64B 1606 FF
SEND 0023 000D6F0000B1B64B
RECV 0000 0006 00C1
RECV 0024 0006 000D6F0000B1B64B 0B051AF6 00044D78 01 85 653907007324 4CCEBFA1 01
SEND 0026 000D6F0000B1B64B
RECV 0000 0007 00C1
RECV 0027 0007 000D6F0000B1B64B 3F7FA7CC 3F7FA7CC 3CD87C2F 00000000

So in the end the new NetworkID (Long PAN) is 060D6F0000B1B64B and the short network code is 1606. Stick and Circle+ can talk, other nodes can be added.
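The pairing attempts in the capture above can be sorted mechanically. This is an added example, not code from the original post; the field positions used for the 0002 offer and the extended 0011 reply are assumptions read off the capture, and the function names are hypothetical.

```python
# Constructed sample: a subset of the SEND/RECV lines from the capture above.
CAPTURE = """\
SEND 0001
RECV 0003 0013 00CE
SEND 0001
RECV 0002 0019 0F FFFFFFFFFFFFFFFF 520D6F0000B1B64B FFFFFFFFFFFFFFFF 520D6F0000B1B64B 5D52 01
RECV 0003 0019 00CE
SEND 0001
RECV 0002 0002 0F FFFFFFFFFFFFFFFF 060D6F0000B1B64B FFFFFFFFFFFFFFFF 060D6F0000B1B64B 1606 01
RECV 0003 0002 00CE
RECV 0011 0005 000D6F0000B835CB 01 01 060D6F0000B1B64B 1606 FF
"""

def parse(capture):
    """Yield (direction, command, fields) for each SEND/RECV line."""
    for raw in capture.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] in ("SEND", "RECV"):
            yield parts[0], parts[1], parts[2:]

def pairing_attempts(capture):
    """One dict per SEND 0001; the offer comes from 0002, 0003 closes it."""
    attempts, current = [], None
    for direction, cmd, f in parse(capture):
        if (direction, cmd) == ("SEND", "0001"):
            current = {"seq": None, "offer": None}
            attempts.append(current)
        elif current and direction == "RECV" and cmd == "0002" and len(f) >= 7:
            # Positions assumed from the capture: f[3] long PAN, f[6] short PAN.
            current["offer"] = (f[3], f[6])
        elif current and direction == "RECV" and cmd == "0003" and f:
            current["seq"] = f[0]
            current = None
    return attempts

def active_network(capture):
    """Last extended 0011 reply: f[4] long PAN, f[5] short PAN (positions assumed)."""
    net = None
    for direction, cmd, f in parse(capture):
        if direction == "RECV" and cmd == "0011" and len(f) >= 6:
            net = (f[4], f[5])
    return net

def classify(capture):
    """Label each pairing attempt against the network the Stick reports later."""
    net = active_network(capture)
    return [(a["seq"], "no offer" if a["offer"] is None
             else "in use" if a["offer"] == net else "not in use")
            for a in pairing_attempts(capture)]
```

Run over a full capture, `classify` gives one line per attempt keyed by sequence number, which makes it easy to see which offered PAN ID ended up as the network ID.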


Plugwise Protocol Analysis, Part 3

15 May 2011

Adding a Module

Found that a Circle Module that is not part of the network advertises itself by periodically broadcasting its MAC with an associated CmdID of “0006”.

The Source Software responds with a “0007” message, accepting or rejecting the Module. This could be a way to detect unconfigured plugs in your network.

Example (about every 75 seconds):

RECV 0006 002A 000D6F0000B1A240
SEND 0007 00 000D6F0000B1A240
RECV 0000 007C 00C1

A random ‘sequence number’ (002A) is used in the 0006 command, and the reply 0007 command has a regular sequence number (007C). The 0007 00 means that the module is rejected, but if 0007 01 is sent back, the module is added to the network, which is confirmed with a 0061 message from the module.

Here are some samples from the analysed capture where a new module is accepted in the network:
RECV 0006 002B 000D6F0000D3595D
SEND 0007 01 000D6F0000D3595D
RECV 0000 00B0 00C1

Some time (and many unrelated messages) later:
RECV 0061 FFFD 000D6F0000D3595D

Seems the module is in the network. Some time (and again many unrelated messages) later, the module is already queried for usage data:
SEND 0023 000D6F0000D3595D
RECV 0000 00D3 00C1
RECV 0024 00D3 000D6F0000D3595D 0B051B43 00044D90 01 85 653907014023 4CCEC0C2 02
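The 0006 / 0007 / 0061 sequence described above can be tracked per MAC to list unconfigured plugs and to check joins against an inventory. This is an added example, not part of the original post; the function names, state labels and the allowlist are hypothetical.

```python
# Constructed sample: SEND/RECV lines quoted in the post above, in capture order.
CAPTURE = """\
RECV 0006 002A 000D6F0000B1A240
SEND 0007 00 000D6F0000B1A240
RECV 0000 007C 00C1
RECV 0006 002B 000D6F0000D3595D
SEND 0007 01 000D6F0000D3595D
RECV 0000 00B0 00C1
RECV 0061 FFFD 000D6F0000D3595D
SEND 0023 000D6F0000D3595D
RECV 0000 00D3 00C1
"""

def track_joins(capture):
    """Return {mac: state} for each module seen in 0006/0007/0061 traffic."""
    state = {}
    for raw in capture.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] not in ("SEND", "RECV"):
            continue  # annotations, blank lines, commands without a MAC
        direction, cmd, mac = parts[0], parts[1], parts[3]
        if direction == "RECV" and cmd == "0006":
            # RECV 0006 <seq> <mac>: a module outside the network advertises
            state.setdefault(mac, "advertising")
        elif direction == "SEND" and cmd == "0007":
            # SEND 0007 <00|01> <mac>: 01 accepts the module, 00 rejects it
            state[mac] = "accepted" if parts[2] == "01" else "rejected"
        elif direction == "RECV" and cmd == "0061":
            # RECV 0061 FFFD <mac>: the module confirms it is in the network
            ok = state.get(mac) == "accepted"
            state[mac] = "joined" if ok else "joined-no-accept-seen"
    return state

def unconfigured(state):
    """MACs that advertised but never reached a joined state."""
    return sorted(m for m, s in state.items() if not s.startswith("joined"))

def unexpected_joins(state, allowlist):
    """Joined MACs missing from the operator's inventory (assumed allowlist)."""
    return sorted(m for m, s in state.items()
                  if s.startswith("joined") and m not in allowlist)
```

A 0061 for a MAC with no preceding 0007 01 in the same capture is labelled separately so that it stands out when reviewing a log.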

I have the impression that at the end of the current scan loop, the restart command 0008 01 is sent to finish this adding, but I am not sure if that is related to this Module Add.

I still have to analyse more of the data I gathered while joining those plugs and what happens when you (re)configure the network. I already know that the commands 0001 to 0005 are used to create the network and associate the Stick to a Circle+, but that is for a later post.

To help analyse the capture logs I created with portmon, I wrote an (initially) small script in VBS to filter and format the request and reply messages I got. The data between <5><5><3><3> and <cr><lf> is now nicely organized, the rest is disposed of. Now I’m adding to it formatting for the commands I know the structure of.

NB.

I see this kind of ‘reset’ in my logs, but I am still unsure why it happens and what it does. Just documenting for now.
SEND 0008 01
RECV 0000 020F 00C1
RECV 0000 020F 00D9 000D6F0000B1B64B

I’ll ignore those until I see a pattern.

In the Plugwise Source folder, there is a diag util. It is nice for seeing what happens in your network, and for seeing how the Plugwise developers named some of the data.
