Skip to content

Reverse engineering the Essent E-thermostaat

[extoc Title=”Table of Contents”]

Decompiling the software

To discover if the software has something useful, I used the software ILSpy, “an open-source .NET assembly browser and decompiler”. One can immediately see this software did an excellent job at decompiling the software. Even though I had very limited experience disassembling programs, I was able to understand the working of the thermostat software almost immediately.

ILSpy software

Once I browsed through the software, I stumbled accross a datatype with Bootloader commands as shown below. Comparing these bootloader commands with the captured USB traffic, I could see how every command was used to interact with the device. By browsing the code even further I got an idea how every command is used. This list of bootloader commands was also the only list with commands. So anything not in here was not used in the software. There are commands for writing and reading some user data, getting bootloader and software versions, writing and reading the EEPROM and for writing new firmware. Unfortunately there was no way to read the existing firmware. Maybe there is a command in the bootloader which does this but is currently not used in the software. However firing unknown commands at the device could easily wipe and (as there is at the moment no way to reflash the firmware) therefore nuke the device.

public enum BootLoaderCommands
{
	UNLOCK_CONFIG = 3,
	PROGRAM_DEVICE = 5,
	WRITE_FLASH = 5,
	WRITE_DATA = 6,
	GET_DATA = 7,
	GET_BLID = 9,
	GET_BLID0 = 0x10,
	GET_BLID1 = 17,
	GET_BLID2 = 18,
	GET_BLID3 = 19,
	GET_BLID4 = 20,
	WRITE_EEPROM = 0x20,
	GET_EEPROM = 33,
	GET_ENCRYPTED_FF = 0xFF
}

Using USB-HID-Tool, “a command line tool for accessing USB HID devices”, I was able to succesfully send some commands to the device and capture the proper responses with USBPcap. Cool to see this work out, but relatively pointless for now.

Pages: 1 2 3 4 5 6 7

9 thoughts on “Reverse engineering the Essent E-thermostaat”

  1. Enjoyed reading your article, too bad you didn’t succeed.
    I will check back later to see if you see if any progress has been made.
    In the worst case,. I have disposed of my e-thermostaat and help is too late for me

    1. Thanks for your response. For now I paid the 24 Euros so I can use the thermostat for at least another year. So probably no updates from my side, but if so I’ll let you know.

  2. Maybe it is possible to read the thermostat thermometer and rig the + and – button so you can control it with an Arduino or Pi Zero? Or even a step further, connect said Arduino or Pi to read the data that is going to the LCD?

    1. That’s probably feasible, however I doubt if that would be much less work than designing my own thermostat and letting my home automation system control it. If you already go the extra mile to get an additional device such as Arduino or Pi to read the pins, switching a relay and reading a temperature sensor is not that much work either though.

  3. I wonder if you were able to make any progress. The next year (for prolongate the subscription) is coming.
    I’m asking myself if it couldn’t be better to design an open source thermostat. But I also agree that another €23,40 shouldn’t be the problem.

    1. In the end I did design a very simple ESP8266 thermostat which communicates via SSL to my MQTT server. I can control it with my Home Assistant installation. It’s been working okay but because it sometimes crashes and I have to manually repower it, I haven’t released it yet. It’s designed to always fail safely so the heating turns off so it’s no big deal but it’s not ready to release.

      At the moment I am also considering flashing Tasmota, which I use for some of my lights. I think that is a better option.

      So to answer your question: no progress with this project and I probably never will. The thermostat was never perfect in the first place.

  4. Hi, thanks for this read! It’s a few years later now, and I was wondering if you ever did an attempt to try things out with the base station?

    1. Hi Robert, no I did not. This Essent E-thermostaat ship has sailed for me. I have moved in the meantime and am running a heat pump system now, so I have little need to control my thermostat remote anymore.

  5. Last week I tried to dump the firmware of the device using a PicKit2 programmer. After connecting succesfully, and giving the “read” command, the software says “Code protect”. So indead the PIC is read-protected 🙁

Leave a Reply

Your email address will not be published. Required fields are marked *