Tongou DIN electricity monitors (WiFi model TO-Q-SY1-JWT)

Since my home is already using Z-Wave not ZigBee, I went for the Wifi version of these devices, the TO-Q-SY1-JWT: Remote Control Smart Metering WiFi Switch 1 - 63A - Tongou

It uses a “Smart Life” app, The app discovers the device via Bluetooth and configures the WiFi SSID/password (and perhaps does a firmware update).

Then the device joins the WiFi. Sadly it’s Legacy IP only, no IPv6. It makes a TLS connection to an external server using a PreShared Key (no certificates).

I haven’t worked out how to obtain the data from their server yet, but I can see it in the app.

I coudl work that out, but this is obviously not how HA stuff should work. I shouldn’t be transporting data from one part of the house to another via an external Internet link and someone else’s servers; that’s just insanely bad design.

I strongly suspect that if I can work out the Bluetooth configuration protocol, I can tell it to connect to a different server, with a different PSK. And that server can be within my own network.

I sniffed the Bluetooth traffic from my phone to it, but can’t make much sense of it. Has anyone looked at this or anything similar, and got and clues, please?

I have a capture at http://david.woodhou.se/tongou.cap

It goes something like…

Bluetooth L2CAP Protocol
    Length: 5
    CID: Attribute Protocol (0x0004)
Bluetooth Attribute Protocol
    Opcode: Write Request (0x12)
        0... .... = Authentication Signature: False
        .0.. .... = Command: False
        ..01 0010 = Method: Write Request (0x12)
    Handle: 0x0015 (Unknown)
    Value: 0100

Then we write twice to handle 0x0012:

00212001196b39321c6be47af779042b7f1210d1
01814f604a838f41c0deaf1d083a629093

And receive from handle 0x0014:

Bluetooth Attribute Protocol
    Opcode: Handle Value Notification (0x1b)
        0... .... = Authentication Signature: False
        .0.. .... = Command: False
        ..01 1011 = Method: Handle Value Notification (0x1b)
    Handle: 0x0014 (Unknown)

these values:

0081013001be3efa8db643bef8fc51875890ccb6
01690912472b3ed1c433ec1b35aabce3b9913c5b
02a7008ba125d12126ef40a57fd05799cecb9203
03a2d8418a952506f3f2d9fb3d8e3e0e7cc1d640
0440b5743272b6616393b16345869b39be0ddf83
0530ed4b12b015e0b63e98f33c3da997303a4b34
060afbb1698792d8a4c9eb6cdfad295446944f

We write to 0x0012:

005120026d56815666568cf9e3e7bed7ce6fa4ed
013d24549231c6114feec1005db3b97661bd89e8
023041d956cf731681a60b08f29dde33ef4e4dfb
03aee8fd1866c67568e8aca6d5fba091d2d1aa24
04c449f9d422a146

Receive from 0x0014:

002131029606c86d80ab9b8438ccadeb793701cb
01bc19113a056a5a393e1be127de07eeab

Write to 0x0012:

006120026b48510efd9a33d45a163db720a30806
01c4583994b363a08be6b93c2716bd2998e114d8
0218b02f030ad0630a257a0482db30bb39587c49
039b5d9d6182c9866aef7d9e12d46f29cb335b4a
04e92070bacf15121b1d138c9c2b454dd55bdc65
0533a660bf

Receive from 0x0014:

002132023cb46901f93dabc160cd24fedf033d7e
01dec0028589b5e792fbc57704cc5ea017

At this point the device joins the wifi. Then we receive on 0x0014:

0021330537126f739c5832df959da29cdf0b4fbd
0165c8c30c70c06d8d87c110d89c8a2686

Five seconds later the device does DHCP and is given a Legacy IP address. A couple of seconds after that, we receive on 0x0014 again:

00213405e75397db6b3cd1f2b5c327dc09602c5d
01e1c9b3c6826b1beba4bb9cb7ea876b47

00213502a62b4829c8693ea74715b777331731cc
0160f7d59b94fcaf4551948bd3ecf7079d

Then we send to 0x0012:

002120029238c76b93951e0a2601f892422488b7
01225f56dc9d686f0222e71557e1136e3a

Receive from 0x0014:

003136054c8ff9f54f657a6eb9fd77729ca5a68c
010143cac8b63b92bf47dc5fe1356484a7388d72
02ab375e8de9429b07c52d028d78

004137053952f565a6e11e93cdc4f2f4b9c39183
01f1ecfaac5af9e5141b9e5f6cd870388144aa12
02d669fc78bf9fe0956efd775820037ac7ccf194
03e653fb9ae392df606ee2

0031380513c6d4d46c404aa236f9816eb3d84eb1
01381de5788ad9a3d65a22ad29f4820203cc5e9b
021610fb39b89ac73af11bd15d26

003139057ee26002ab86d1dd79d3900a1c70e3b5
01f98eadf2e1f44db344b9df39a21734d3c028d7
02b01d61f8f393333fdebe48122c

00313a0577aa8495b3078bfb423b5d763af12b67
017ed9e45a4cd0e15392e2f4d268cab2285e28bd
021860168e65c4296d768bc9b307

00313b0587a3cfc7e7e919975f49280cacba4099
01a3b55151ff1902e434855f33e4e399851c49ee
02bd79b89dbf840e7952c00d2338

00213c022b2ecec562c3e3c3f36d8c4a904e5986
012c07649c5e64ebdd1652c92977653a9b

Finally we send to 0x0012:

0021200254600b273994eef8e780b8197933dcd1
0164486e55d1aed30044ef4fde94cb5908

and receive on 0x0014:

00213d057f5123aa7167f9cbed01f8bc20d88b1c
012c658d69709155b299e19b0c2fa9d188

And we’re done. Any clues on working this protocol out would be much appreciated…

1 Like

Ah, it turns out this is a Tuya device, and I can get data out of it with TuyAPI.

2 Likes

In HACS you will find custom integrations : Local Tuya and Tuya Local.

Thanks. I’m actually using Domoticz; I’d quite like to switch to HA but it still doesn’t have local communication for the Honeywell Evohome systems. So for the power monitors I’m playing with tuya-mqtt instead for now.

Ordered one from AE tonight. Hope to be able to integrate it into HA. Maybe it can even be flashed with Tasmota or ESPHome?

https://openbekeniot.github.io/webapp/devicesList.html

1 Like

It’s taken a while, but I’ve finally worked out how to get these working nicely with ESPHome, preserving the factory calibration: Tongou TO-Q-SY1-JWT DIN Rail Switch and Meter | devices.esphome.io

1 Like