I have an underfloor heating system which connects to my wifi and is controllable by an android app.
How does one go about working out what dialogues take place between the device and the app to be able to devise an HA integration? The device is shown here: https://www.ojelectronics.com/business-areas/electric-floor-heating/products/wifi-thermostat-mwd5-prod401
If you are controlling it via an android phone, there is a good app called āPacket Captureā which is good for this kind of thing. https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture
I would start with an Nmap scan to see what ports are open on the device.
Yep, that too.
Android apps are .APK files. They are nothing more than a renamed .ZIP file.
Download the .APK file, rename it to .ZIP and unzip it to look inside.
You may find what you are looking for.
From the FAQ on their site:
It seems as though the communications between the mobile phone App and thermostat actually go via their server on the internet, except during setup.
So while you may be able to sniff what is being sent from the App to the web, you will also need to sniff what is being sent from the web to the thermostat. There is a probability that most of the āSmartsā are in their server, not the device. Although they do say the thermostat will function without internet, I would imagine the settings and control logic is via their server.
To sniff connection which do not have an end on the device you are sniffing from can be tricky. Wireshark or tcpdump have the ability to switch your ethernet card into what is called āpromiscuous modeā so they ask to receive all traffic from the switch (or wifi router). This is not 100% effective 100% of the time, but itās worth trying. If you can work out the IP addresses of the devices you can filter and just watch traffic for those IPs. Wireshark has protocol analysers and if it recognises a protocol it will attempt to decode the contents.
As Wifi routers, firewalls and ISPs have a tendency to sometimes filter or limit traffic it is not uncommon for these protocols to work over HTTP as itās a commonly allowed protocol, so you might get lucky in capturing and decoding their communications. It doesnāt mean what is actually being sent is intuiative and easy to understand and then fake.
There is also the high probability that the communications are secured. Either fully encrypted over HTTPS or have authentication tokens to sniff, capture and fake to effectively āhackā the communications.
A small word of caution. If the attempt at hacking involves bypassing anything which could be considered circumventing software licensing or digital rights management it is potentially illegal in the UK. I donāt want this to sound alarmist as itās highly unlikely you will fall foul if it, unless you are trying to hack a video or music on demand service or get access to a pay-for service you didnāt buy, but it is worth considering.
It is hard to know what is meant by this
The robust system design means that users will retain full control of the heating even if their Internet access in interrupted.
Users can always access all programming options and functions via the built-in displayā¦
This could mean either
-
The app doesnāt require the internet, or more likely
-
If the app doesnāt work because the internet is down, then you can always use the display to control things.
Anyway decoding the appāserver communication will give you control, even if it is via their server, undesirable as that is.
@ianadd how did you go with this?
I have the same thermostat, and elec floor heating from coldbusters, and itās been installed for nearly 9 months now. However only just now is my house switchboard getting upgraded to connect it.
Did you make any headway with it?
No, ive ordered a couple of bht-002 from ali express. The first is installed and works via Smartlife rather that their intended app. I use tuya integration to control but not happy as it only delivers room thermal sensor data not floor. The second one is somewhere in a covid cloud atm. When it arrives i plan to hack it to tasmota and use mqtt.
I initially looked at other thermostats that were already integrated with HA, however I have reservations of using cheap units that could potentially cause a fire.
Hopefully today I get power connect to the bathroom (if the sparky shows up) and I can finally power this thing up and start working it out.
Let me know how you go with those BHT-002 units.
Ta
Hi Ian;
Powered up the OJ Electronics thermostat today - itās a POS. Canāt actually turn the system off, and refuses to pair with the app - as if there is no āuser accountā but no where to set one up.
How far down the road have you got with your BHT-002?
ta
thereās other threads about this product here. to cut to the end the best solution is local control.
you can flash it with tuya convert and the working bin is here
@matticas, still waiting for one from China/Singapore ā¦
The one I received back in March is installed in covid riddled UK and works with Smartlife and HA using tuya cloud but not as I would want. I canāt tasmota it as I am the other side of the world. Got to wait for the next one, maybe another few weeks I fear.
Thanks Juan; this is a good read.
I ended up ordering a BHT002 - given the one key feature missing from the unit I have: no soft off button. So if you want to turn it off to the next schedule, there is no way to do this without re-writing the schedule etc. pretty crappy I reckon
@ianadd, there is another post in this community with a solution for the OJ WiFi devices, but itās still going through the cloud. So what @paulcam mentioned remains.
Link to other post:
Anyone had more luck integrating the MWD5?
Also putting in underfloor heating soon, and most of the local (Australia) suppliers seem to sell some branded version of the MWD5 as a standard offering.
For support reasons it makes sense to go with it, but some Home Assistant integration would be nice!
Has anyone managed to integrate the MWD5? I guess for the most part the thermostat just does itās thing, but I am conditioned to try and integrate anything new that gets installed now!
I just installed underfloor heating in a bathroom and decided to go with the HWSMWiFi thermostat. I integrated it using the new Tuya integration, and it appears to be mostly working: I can see the temperature reading from the underfloor sensor, and I can change the target temperature, but I cannot change the mode (smart/anti-frozen/manual).
Before installing the thermostat I opened it up and can confirm it has a TYWE3S chip (ESP8266) built in. However, I did not try to flash it with the likes of ESPHome or Tasmota due to a lack of information to give me confidence that I would work out.
Somebody at OpenHab made an integration for the OJ Electronics MWD5. It appears to be incomplete/abandoned but it shows itās possible and the code may be a useful reference.
Sadly itās cloud based rather than local, and it seems you need to obtain your distributors API Key in order to access the API.
Also, it seems nuheat also rebrands the OJ Electronics devices, and publishes a very detailed reference guide. It may be useful:
https://api.mynuheat.com/
If I end up with one of these, I may have a go at creating an integration for HA.
still no luck on a integration on this?
Best wishes