
Reverse engineering the Essent E-thermostaat


Bypassing the internet

The device consists of two parts: the base station and the thermostat itself. The base station connects to the internet via an Ethernet cable and wirelessly connects to the thermostat. You have to mount the thermostat to your existing two-wire thermostat mount on the wall.

The first obvious step in my journey to make the device independent of the manufacturer’s services is the connection between the base station and the thermostat. It immediately crossed my mind that this could be a simple 433 MHz connection used in many remote-controlled devices like remote garage doors, key fobs, remote lighting, etc. Some research in the datasheet quickly taught me this is instead an 868 MHz connection using a proprietary protocol by ICY, which is used in many of their products. This fact, combined with my lack of knowledge and tools to analyze this signal, led me to find another way.

Captured TLSv1.1 handshake between base station and ICY's servers

So unless we can successfully reverse engineer this protocol, there is no way to remotely control the device without the base station. The next step was to see how well protected the connections to the ICY web service are and see if we can try a man-in-the-middle attack there. Sniffing all the traffic between the base station and the internet showed me this was actually well executed, better than I expected for such an old device. All the traffic between the station and the server was encrypted with TLSv1.1 using both client and server certificate verification. I still tried some DNS attacks to see if the certificate was actually verified on the device, but the device kept sending DNS requests as soon as I pointed it to somewhere other than ICY’s servers. So I assumed the server’s certificate was indeed verified.
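How a capture like the one above reveals the TLS version and the use of client certificates, as an added example that is not code from the original post: in TLS 1.1 the handshake messages up to ChangeCipherSpec travel in cleartext, so the server's side of the stream can be parsed directly. The function names and the `SAMPLE` bytes are constructed for illustration and are not taken from the real device.

```python
import struct

# Handshake message types and versions from RFC 4346 (TLS 1.1) and siblings.
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone"}
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def handshake_messages(stream):
    """Yield (type, body) for each cleartext handshake message in a byte stream."""
    pos, buf = 0, b""
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if ctype == 20 or len(payload) < length:
            break  # ChangeCipherSpec (rest is encrypted) or truncated capture
        pos += 5 + length
        if ctype != 22:
            continue  # alerts and other record types carry no handshake data
        buf += payload
        while len(buf) >= 4:
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break  # message continues in the next record
            yield buf[0], buf[4:4 + mlen]
            buf = buf[4 + mlen:]

def summarize(server_stream):
    """Report negotiated version and whether a client certificate is requested."""
    names, version = [], None
    for mtype, body in handshake_messages(server_stream):
        names.append(HANDSHAKE.get(mtype, "type %d" % mtype))
        if mtype == 2 and len(body) >= 2:  # ServerHello begins with the version
            version = VERSIONS.get(int.from_bytes(body[:2], "big"), "unknown")
    return {"version": version, "messages": names,
            "client_cert_requested": "CertificateRequest" in names}

def hs_msg(mtype, body):  # helper to build the constructed sample data
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def tls_record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0302, len(payload)) + payload

# Constructed sample (not from the real device): server flight, then encrypted data.
SAMPLE = (tls_record(22, hs_msg(2, b"\x03\x02" + bytes(32) + b"\x00\x00\x2f\x00"))
          + tls_record(22, hs_msg(11, b"\x00\x00\x00")
                       + hs_msg(13, b"\x01\x01\x00\x00") + hs_msg(14, b""))
          + tls_record(20, b"\x01") + tls_record(22, bytes(40)))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A CertificateRequest in the server's flight shows that the server asks the client for a certificate; it says nothing about whether the device validates the server's certificate, which is what the DNS redirection test probes.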


9 thoughts on “Reverse engineering the Essent E-thermostaat”

  1. Enjoyed reading your article, too bad you didn’t succeed.
    I will check back later to see if any progress has been made.
    In the worst case, I have disposed of my e-thermostaat and help is too late for me.

    1. Thanks for your response. For now I paid the 24 Euros so I can use the thermostat for at least another year. So probably no updates from my side, but if so I’ll let you know.

  2. Maybe it is possible to read the thermostat thermometer and rig the + and – button so you can control it with an Arduino or Pi Zero? Or even a step further, connect said Arduino or Pi to read the data that is going to the LCD?

    1. That’s probably feasible, however I doubt if that would be much less work than designing my own thermostat and letting my home automation system control it. If you already go the extra mile to get an additional device such as Arduino or Pi to read the pins, switching a relay and reading a temperature sensor is not that much work either though.

  3. I wonder if you were able to make any progress. The next year (for prolonging the subscription) is coming.
    I’m asking myself if it couldn’t be better to design an open source thermostat. But I also agree that another €23,40 shouldn’t be the problem.

    1. In the end I did design a very simple ESP8266 thermostat which communicates via SSL to my MQTT server. I can control it with my Home Assistant installation. It’s been working okay but because it sometimes crashes and I have to manually repower it, I haven’t released it yet. It’s designed to always fail safely so the heating turns off so it’s no big deal but it’s not ready to release.

      At the moment I am also considering flashing Tasmota, which I use for some of my lights. I think that is a better option.

      So to answer your question: no progress with this project and I probably never will. The thermostat was never perfect in the first place.

  4. Hi, thanks for this read! It’s a few years later now, and I was wondering if you ever did an attempt to try things out with the base station?

    1. Hi Robert, no I did not. This Essent E-thermostaat ship has sailed for me. I have moved in the meantime and am running a heat pump system now, so I have little need to control my thermostat remotely anymore.

  5. Last week I tried to dump the firmware of the device using a PicKit2 programmer. After connecting successfully and giving the “read” command, the software says “Code protect”. So indeed the PIC is read-protected 🙁
