Reverse engineering the Essent E-thermostaat

Bypassing the internet

The device consists of two parts: the base station and the thermostat itself. The base station connects to the internet via an Ethernet cable and wirelessly connects to the thermostat. You have to mount the thermostat to your existing two-wire thermostat mount on the wall.

The first obvious step in my journey to make the device independent of the manufacturer’s services is the connection between the base station and the thermostat. It immediately crossed my mind that this could be a simple 433 MHz connection, as used in many remote-controlled devices such as garage doors, key fobs, remote lighting, etc. Some research in the datasheet quickly taught me that this is instead an 868 MHz connection using a proprietary protocol by ICY, which is used in many of their products. This fact, combined with my lack of knowledge and tools to analyze this signal, led me to find another way.

Captured TLSv1.1 handshake between base station and ICY’s servers

So unless we can successfully reverse engineer this protocol, there is no way to remotely control the device without the base station. The next step was to see how well protected the connections to the ICY webservice are and whether we can try a man-in-the-middle attack there. Sniffing all the traffic between the base station and the internet showed me this was actually well executed, better than I expected for such an old device. All the traffic between the station and the server was encrypted with TLSv1.1 using both client and server certificate verification. I still tried some DNS attacks to see if the certificate was actually verified on the device, but the device kept sending DNS requests as soon as I pointed it to somewhere other than ICY’s servers. So I assumed the server’s certificate was indeed verified.
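The following is an added example, not code from the original post: one way to confirm from a captured handshake that both sides present certificates, by walking the plaintext handshake messages of each direction up to ChangeCipherSpec. The function names and the sample byte streams are constructed for illustration and are not taken from the capture shown above.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20
SERVER_HELLO, CERTIFICATE, CERT_REQUEST, CERT_VERIFY = 2, 11, 13, 15
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def handshake_messages(stream):
    """Return [(msg_type, body)] for the plaintext handshake of one direction."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _maj, _min, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype == CHANGE_CIPHER_SPEC:
            break  # records after this point are encrypted
        if pos + 5 + length > len(stream):
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            buf += stream[pos + 5:pos + 5 + length]  # messages may span records
        pos += 5 + length
    msgs, i = [], 0
    while i + 4 <= len(buf):
        mlen = int.from_bytes(buf[i + 1:i + 4], "big")
        msgs.append((buf[i], buf[i + 4:i + 4 + mlen]))
        i += 4 + mlen
    return msgs

def summarize(client_stream, server_stream):
    client, server = handshake_messages(client_stream), handshake_messages(server_stream)
    hello = next(body for t, body in server if t == SERVER_HELLO)
    client_cert = next((body for t, body in client if t == CERTIFICATE), b"")
    return {
        "version": VERSIONS.get((hello[0], hello[1]), "unknown"),  # negotiated version
        "server_cert": any(t == CERTIFICATE for t, _ in server),
        "client_cert_requested": any(t == CERT_REQUEST for t, _ in server),
        "client_cert_sent": int.from_bytes(client_cert[:3], "big") > 0,  # 0 = declined
        "client_cert_verify": any(t == CERT_VERIFY for t, _ in client),
    }

# Constructed sample bytes (not taken from the capture on this page)
def rec(ctype, payload, ver=(3, 2)):
    return struct.pack("!BBBH", ctype, *ver, len(payload)) + payload
def msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

CERT = b"\x00\x00\x05\x00\x00\x02\xaa\xbb"  # placeholder, not a real certificate
TAIL = rec(20, b"\x01") + rec(22, b"\x99" * 40)  # ChangeCipherSpec, encrypted Finished
SERVER = (rec(22, msg(2, b"\x03\x02" + bytes(32) + b"\x00\x00\x2f\x00"))
          + rec(22, msg(11, CERT) + msg(13, b"\x01\x01\x00\x00") + msg(14, b"")) + TAIL)
CLIENT = (rec(22, msg(1, b"\x03\x02" + bytes(32)), ver=(3, 1))
          + rec(22, msg(11, CERT) + msg(16, b"\x00" * 8) + msg(15, b"\x00" * 8)) + TAIL)
```

Calling `summarize(CLIENT, SERVER)` on the constructed streams reports TLSv1.1 with a server certificate, a CertificateRequest, a non-empty client certificate and a CertificateVerify, which is the message pattern of mutual authentication.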

4 Replies to “Reverse engineering the Essent E-thermostaat”

  1. Enjoyed reading your article, too bad you didn’t succeed.
    I will check back later to see if any progress has been made.
    In the worst case, I have disposed of my e-thermostaat and help is too late for me.

    1. Thanks for your response. For now I paid the 24 Euros so I can use the thermostat for at least another year. So probably no updates from my side, but if so I’ll let you know.

  2. Maybe it is possible to read the thermostat thermometer and rig the + and – button so you can control it with an Arduino or Pi Zero? Or even a step further, connect said Arduino or Pi to read the data that is going to the LCD?

    1. That’s probably feasible, however I doubt if that would be much less work than designing my own thermostat and letting my home automation system control it. If you already go the extra mile to get an additional device such as Arduino or Pi to read the pins, switching a relay and reading a temperature sensor is not that much work either though.
