Sounds interesting. Please explain in detail.
The older firmwares are inside the APK of older apps, and the app itself is what rejects a downgrade, not the eq3.
So I extracted the firmware binary pairs (there’s a Bluetooth chip and an STM8 micro), and made a script to flash.
Thing is, I bricked a device because I downgraded the STM8 first and the BLE chip downgrade failed, and I can’t see the 6-digit PIN anymore, so I can’t pair.
I need to make the script safer first and I’ll upload it.
Before that I need to buy more eq3 devices though; I don’t want to brick more rooms of my place.
Update: I managed to take advantage of the broken PIN security and flash the BLE chip without knowing the PIN too. I’ll also upload that.
I can consistently jump to any firmware version
I found some interesting stuff: the BLE firmware is not encrypted, so I am trying to decompile it to see if there are some extras we could expose. There is a very very slight chance the MCU sends the current temperature to the BLE chip. If it does, then there is a very slight chance one could make a new BLE firmware that exposes it.
Also potentially fully removing any kind of pairing to the newer firmware versions (although honestly, 1.20 seems to me to be fully featured and has the “just works” pairing without a pin)
I managed to modify the BLE firmware to remove pairing completely! Not even like the old versions, just no pairing at all.
Also managed to flash the ones I had bricked via UART. Hopefully nobody will need to do this since the auth removal now works reliably, but I’ll add it again.
I didn’t find any way to get the MCU to spit the measured room temperature though.
There, full guide on how to completely remove pairing from the firmware, even on the very last version!
Tested. Working. Thanks, will proceed reflashing all my 8 eq, yolo.
Just wondering, since disabling pairing completely opens the devices to “unfriendly-neighbour hacking”, is it really such a good idea, or am I being a bit paranoid? I suppose adding a per-MAC filter to bypass pairing would be a bit too much?
They’d have to download the app and connect to them when your HA isn’t connected. You can always reflash any version with/without auth anyway.
If it makes you feel worse, the unbrick script can connect with all but the last version without pairing too hehe
And yes, adding a MAC filter on the eq3 side is way too much. The hacked firmwares without pairing have just a couple of bits flipped to disable it; it is a very targeted mod.
The BLE upgrade firmware files that the Calor BT app ships aren’t full firmwares, they are sparse firmware patches.
Understood. It was a long shot but worth trying.
Side note for posterity: in case one’s eQs suddenly stop working, even if you are on 1.20 (no PIN required), your instance may have lost the bluetoothctl pairing after an HAOS update; you just need to redo the scan/pair/trust sequence.
Don’t be like me, don’t buy another Bluetooth adapter.
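As an added example, not code from this thread or the author’s scripts: a small POSIX sh wrapper that redoes the scan/pair/trust sequence with bluetoothctl for one or more valves after the pairing has been lost. It validates the address first and stops at the first failed step, so a half-done pairing is reported rather than silently skipped. The `--timeout` flag on the scan, the `BTCTL=echo` dry-run override, and the `SCAN_SECS` default are assumptions of this example; the sample addresses in the usage comment are constructed.

```sh
# Re-pair an eQ-3 valve with bluetoothctl after the pairing got lost.
# BTCTL points at the real tool; override it (BTCTL=echo) for a dry run.
# (Assumption of this example: bluetoothctl accepts --timeout for scanning.)
BTCTL=${BTCTL:-bluetoothctl}
SCAN_SECS=${SCAN_SECS:-8}

# True if $1 looks like a Bluetooth address: six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Scan briefly, then pair, trust and connect the given address.
# Returns 2 for a malformed address, 1 if any bluetoothctl step fails.
eq3_repair() {
    mac=$1
    if ! valid_mac "$mac"; then
        echo "eq3_repair: not a Bluetooth address: '$mac'" >&2
        return 2
    fi
    # A short discovery so BlueZ knows the device before we ask to pair.
    "$BTCTL" --timeout "$SCAN_SECS" scan on >/dev/null || return 1
    for step in pair trust connect; do
        "$BTCTL" "$step" "$mac" || {
            echo "eq3_repair: '$step $mac' failed" >&2
            return 1
        }
    done
}

# Re-pair every address given on the command line; report which ones failed.
# Constructed usage:  ./eq3-repair.sh 00:1A:22:03:04:05 00:1A:22:03:04:06
eq3_repair_all() {
    failed=0
    for mac in "$@"; do
        eq3_repair "$mac" || failed=$((failed + 1))
    done
    return "$failed"
}

[ "$#" -eq 0 ] || eq3_repair_all "$@"
```

Run it with `BTCTL=echo` first to see the exact command sequence without touching the adapter; when it looks right, run it for real and the exit status tells you how many valves did not come back.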
Haha exactly. The new noauth firmwares fix that, and you can be on 1.48!