Plugwise Protocol Analysis, Part 4 (Create Network)

I experimented with my PW network to find out how to create a network and add modules to it. So first I removed one module completely from my network using Source and did a full reset of that Plug. Then, a bit later, I discovered the PW diag util, and looked at it a bit. BTW, Diag does not find your COM port by itself; you have to click on the … button, then everything is easy.

I also tried resetting a Circle using Diag and, by accident, did that too with my Circle+. OK, network gone. Wanted to test that anyway, but a bit unplanned for now. OK, great opportunity to reconfigure my whole network. I made captures of most of this, some still pending more detailed analysis. I soon had my Circle+ and another Circle in my network, but did not see my other plugs. I decided to reset them too with a hard reset. They became visible again, and I added them back into the network.

Now I had a working system again, and also captures of what happened. No real analysis of what happened during network creation, but the logging is below. I do not yet know why so many attempts are registered. The second Network PAN ID offer is accepted, though I cannot see why the first few failed, maybe just ‘timing’.

Note that 000D6F0000B835CB is the Stick and 000D6F0000B1B64B is the Circle+

Anyway, here is what I logged:

SEND 000A
RECV 0000 000C 00C1
RECV 0011 000C 000D6F0000B835CB 01 00
SEND 0023 000D6F0000B835CB
RECV 0000 000D 00C1
RECV 0024 000D 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00
SEND 004E 0000000000000000
RECV 0000 000E 00C1
SEND 000A
RECV 0000 000F 00C1
RECV 0011 000F 000D6F0000B835CB 01 00
SEND 0023 000D6F0000B835CB
RECV 0000 0010 00C1
RECV 0024 0010 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00
SEND 0023 000D6F0000B835CB
RECV 0000 0011 00C1
RECV 0024 0011 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00
SEND 0023 000D6F0000B835CB
RECV 0000 0012 00C1
RECV 0024 0012 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00

*** -=-Pair-=- *** (no offer made)
SEND 0001
RECV 0000 0013 00C1
RECV 0003 0013 00CE
SEND 000A
RECV 0000 0014 00C1
RECV 0011 0014 000D6F0000B835CB 01 00
SEND 0023 000D6F0000B835CB
RECV 0000 0015 00C1
RECV 0024 0015 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00

*** -=-Pair-=- *** (no offer made)
SEND 0001
RECV 0000 0016 00C1
RECV 0003 0016 00CE
SEND 000A
RECV 0000 0017 00C1
RECV 0011 0017 000D6F0000B835CB 01 00
SEND 0023 000D6F0000B835CB
RECV 0000 0018 00C1
RECV 0024 0018 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00

*** -=-Pair-=- *** (offer made, but not accepted)
SEND 0001
RECV 0000 0019 00C1
RECV 0002 0019 0F FFFFFFFFFFFFFFFF 520D6F0000B1B64B FFFFFFFFFFFFFFFF 520D6F0000B1B64B 5D52 01
RECV 0003 0019 00CE
SEND 000A
RECV 0000 001A 00C1
RECV 0011 001A 000D6F0000B835CB 01 00
SEND 0004 0000 0000000000000000 000D6F0000B1B64B
RECV 0000 001B 00C1
RECV 0061 FFFD 000D6F0000B835CB
RECV 0005 001B 0001
SEND 0023 000D6F0000B835CB
RECV 0000 0001 00C1
RECV 0024 0001 000D6F0000B835CB 00000000 00000000 00 80 653907008510 4CCEC22A 00

*** -=-Pair-=- *** (offer made, accepted)
SEND 0001
RECV 0000 0002 00C1
RECV 0002 0002 0F FFFFFFFFFFFFFFFF 060D6F0000B1B64B FFFFFFFFFFFFFFFF 060D6F0000B1B64B 1606 01
RECV 0003 0002 00CE
SEND 000A
RECV 0000 0003 00C1
RECV 0011 0003 000D6F0000B835CB 01 00
SEND 0004 0000 0000000000000000 000D6F0000B1B64B
RECV 0000 0004 00C1
RECV 0061 FFFD 000D6F0000B835CB
RECV 0005 0004 0001

After this a full reply (0011) is received
SEND 000A
RECV 0000 0005 00C1
RECV 0011 0005 000D6F0000B835CB 01 01 060D6F0000B1B64B 1606 FF
SEND 0023 000D6F0000B1B64B
RECV 0000 0006 00C1
RECV 0024 0006 000D6F0000B1B64B 0B051AF6 00044D78 01 85 653907007324 4CCEBFA1 01
SEND 0026 000D6F0000B1B64B
RECV 0000 0007 00C1
RECV 0027 0007 000D6F0000B1B64B 3F7FA7CC 3F7FA7CC 3CD87C2F 00000000

So in the end the new NetworkID (Long PAN) is 060D6F0000B1B64B and the short network code is 1606. Stick and Circle+ can talk, other nodes can be added.
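
As an added example (not code from the original post), this Python sketch groups a constructed excerpt of the capture above into pairing attempts and finds which 0002 offer matches the network reported by the final long 0011 reply. The field positions are assumptions read off the logged frames, and the names `analyse` and `winning_attempt` are hypothetical.

```python
# Constructed excerpt: frames copied from the capture above (one attempt of
# each kind plus the final 000A exchange); the 0000 ACK frames are left out.
CAPTURE = """\
SEND 0001
RECV 0003 0013 00CE
SEND 0001
RECV 0002 0019 0F FFFFFFFFFFFFFFFF 520D6F0000B1B64B FFFFFFFFFFFFFFFF 520D6F0000B1B64B 5D52 01
RECV 0003 0019 00CE
SEND 0004 0000 0000000000000000 000D6F0000B1B64B
RECV 0005 001B 0001
SEND 0001
RECV 0002 0002 0F FFFFFFFFFFFFFFFF 060D6F0000B1B64B FFFFFFFFFFFFFFFF 060D6F0000B1B64B 1606 01
RECV 0003 0002 00CE
SEND 0004 0000 0000000000000000 000D6F0000B1B64B
RECV 0005 0004 0001
SEND 000A
RECV 0011 0005 000D6F0000B835CB 01 01 060D6F0000B1B64B 1606 FF
"""

def analyse(capture):
    """Group frames by pairing attempt; return (attempts, joined_network)."""
    attempts, joined = [], None
    for line in capture.splitlines():
        tok = line.split()
        kind = tuple(tok[:2])
        if kind == ("SEND", "0001"):            # each 0001 starts a new attempt
            attempts.append(dict(long_pan=None, short_pan=None,
                                 circle_plus=None, status=None))
        elif kind == ("RECV", "0011") and len(tok) >= 8:
            joined = (tok[6], tok[7])           # long reply: long PAN, short code
        elif not attempts:
            continue
        elif kind == ("RECV", "0002") and len(tok) >= 10:
            attempts[-1].update(long_pan=tok[5], short_pan=tok[8])
        elif kind == ("SEND", "0004") and len(tok) >= 5:
            attempts[-1]["circle_plus"] = tok[4]  # MAC the Stick confirms to
        elif kind == ("RECV", "0005") and len(tok) >= 4:
            attempts[-1]["status"] = tok[3]
    return attempts, joined

def winning_attempt(capture):
    """Return (1-based index, attempt) whose offer matches the joined network."""
    attempts, joined = analyse(capture)
    for i, a in enumerate(attempts, 1):
        if joined and (a["long_pan"], a["short_pan"]) == joined:
            return i, a
    return None, None
```

On this excerpt both the offer that did not stick and the one that did are followed by a 0005 reply with status 0001, so only the later long 0011 reply shows which PAN took effect.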

  1. 27 June 2011 at 19:13

    Hi,

    nice work on the protocol dissection! I’m working on an xPL interface towards the Plugwise system, hence this info is very interesting 🙂

    Are you still running firmware v2.34, or did you already upgrade to v2.36 (20110513)?

    I’m unsure if it is safe to upgrade (the upgrade from v1 to v2 changed the protocol between the host and the Stick).

    Best regards,
    Lieven.

    • titioft
      28 July 2011 at 23:17

      Hey leofwine,

      I have developed (well, enhanced) an xpl-plugwise module in Perl. I started from the following Google Code source that had some fixes in it already. But with the new Plugwise firmware all the coding were moved left for 4 characters (I think they have had the sequence code which was not before)….

      xpl-plugwise:
      http://code.google.com/p/hasy/source/browse/#svn%2Ftrunk%2Fmisterhouse%2Fxplplugwise%2Fusr%2Flocal%2Fshare%2Fperl%2F5.10.0%2FxPL%2FDock

      I have updated that coding and added support for the following commands:
      – calibrate
      – settime
      – powerbuf
      – timeinfo

      I am still missing the pairing and the create network….. that is why I found this blog today!

      • 30 July 2011 at 14:43

        Also look at the hackstruct site (link in my first plugwise post) and the example code on codeplex. It contains code to ‘pair’ the stick to the Circle+ and to add additional nodes. As far as I decoded what was happening that code is right.

        For pairing it seems that a reply 0003 is some sort of status reply or an acknowledgement reply, used after different pairing and unpairing commands. As usual there are also the normal ACK reply frames after every command sent, and all replies have a sequence number.

        Command 0001 is used to erase and initialise a new network. Looks like a 000A command (init) is used to activate that. The 0001 command has both a 0003 and a 0002 response message. The 0002 message contains a suggested network address. If the software accepts the networkID (or accepts the pair command), it sends a 0004 command to confirm the suggested networkID. As a reply to the 0004 a 0005 reply is received containing a status (0001 seems to indicate ‘success’). Then another 000a (init) is sent and the network is ready.

        I have noticed that this process of building the network repeats itself a few times, but I could not find a reason why. Well, now there is a network, where stick and Circle+ are connected. More modules can be added to the network.

        The Circle+ still needs some initialisation. A 0016 command is used for that. It sets the realtime clock, and configures the buffers (instead of the usual FFFFFFFF FFFF this is replaced by 00044000 4000, which clears the buffer (I assume 00044000 is the start address and 4000 is the size, enough to hold a bit more than 80 days of data)).

        Adding other Circles is different.
        Seems that they advertise themselves and, as a reply to that, are added with a 0007 01 (macCircle) command. To remove a Circle from the network, use a 0009 (MacCircle) (flags) command. This is a normal remove-module operation that you can also perform from within the modules menu in ‘Source’.

        The firmware update also used a 000B command before reconfiguring the old network.

    • 30 July 2011 at 14:09

      Yes, it is safe to upgrade. Last week I took the ‘dive’ to just do that and the protocol did not change, as far as I could see.

  2. titioft
    3 August 2011 at 13:25

    For me the 0016 command is a settime command. Here is my code in Perl to settime:
    elsif ($command eq 'settime') {
        # settime is read as YYYYMMDDhhmmss; each field becomes two hex digits
        my $time2=$msg->settime;
        my $year=sprintf("%02X",(substr($time2,0,4)-2000));
        my $month=sprintf("%02X",(substr($time2,4,2)));
        my $day=sprintf("%02X",(substr($time2,6,2)));
        my $hour=sprintf("%02X",(substr($time2,8,2)));
        my $minute=sprintf("%02X",(substr($time2,10,2)));
        my $second=sprintf("%02X",(substr($time2,12,2)));
        # 0016 + Circle MAC + year + month + time2plughr() value + FFFFFFFF + hh mm ss + day of week
        # (time2plughr() is a helper from the same module, not shown here)
        $packet = "0016"."000D6F0000".uc($circle).$year.$month.time2plughr($msg->settime)."FFFFFFFF".$hour.$minute.$second.uc($msg->dayofweek);
    }

    Now, by default I send a FFFFFFFF so I need to check with my pairing log under windows to see if the 4400 is sent to set the first buffer log address.

    I have checked. It set “0016000D6F00007293D70B07A2B0FFFFFFFF16080B05FCE6”

    so I don’t have the 00044000 4000. Can you send me your log for your 016 command?

    -olivier
