Reverse engineering the Essent E-thermostaat

Decompiling the software

To find out whether the software contained anything useful, I used ILSpy, “an open-source .NET assembly browser and decompiler”. It is immediately apparent that ILSpy did an excellent job of decompiling the program. Even though I had very limited experience disassembling programs, I was able to understand the workings of the thermostat software almost immediately.

ILSpy software

While browsing through the software, I stumbled across a datatype with bootloader commands, shown below. Comparing these bootloader commands with the captured USB traffic, I could see how every command was used to interact with the device. By browsing the code further, I got an idea of how every command is used. This was also the only list of commands in the software, so anything not in it is not used by the software. There are commands for writing and reading some user data, getting bootloader and software versions, writing and reading the EEPROM, and writing new firmware. Unfortunately there was no way to read the existing firmware. Maybe the bootloader has a command that does this but is currently not used in the software. However, firing unknown commands at the device could easily wipe it and, as there is at the moment no way to reflash the firmware, thereby nuke the device.

public enum BootLoaderCommands
{
	UNLOCK_CONFIG = 3,
	PROGRAM_DEVICE = 5,
	WRITE_FLASH = 5,
	WRITE_DATA = 6,
	GET_DATA = 7,
	GET_BLID = 9,
	GET_BLID0 = 0x10,
	GET_BLID1 = 17,
	GET_BLID2 = 18,
	GET_BLID3 = 19,
	GET_BLID4 = 20,
	WRITE_EEPROM = 0x20,
	GET_EEPROM = 33,
	GET_ENCRYPTED_FF = 0xFF
}

Using USB-HID-Tool, “a command line tool for accessing USB HID devices”, I was able to successfully send some commands to the device and capture the proper responses with USBPcap. Cool to see this work out, but relatively pointless for now.
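As an added example (not from the original post or the vendor software), the sketch below labels HID report payloads with the decompiled command names and refuses to pass on any opcode that is not in the enum, which is the risk described above. It assumes the opcode is the first payload byte and that GET_* commands only read; neither is stated on this page, and the sample payloads are constructed.

```python
from enum import IntEnum

class BootLoaderCommand(IntEnum):
    # Values copied from the decompiled enum on this page.
    UNLOCK_CONFIG = 3
    PROGRAM_DEVICE = 5
    WRITE_FLASH = 5          # same value: Python treats it as an alias
    WRITE_DATA = 6
    GET_DATA = 7
    GET_BLID = 9
    GET_BLID0 = 0x10
    GET_BLID1 = 17
    GET_BLID2 = 18
    GET_BLID3 = 19
    GET_BLID4 = 20
    WRITE_EEPROM = 0x20
    GET_EEPROM = 33
    GET_ENCRYPTED_FF = 0xFF

CMD_OFFSET = 0  # ASSUMPTION: opcode is the first payload byte; verify in your capture

def classify(payload, offset=CMD_OFFSET):
    """Return (name, kind) with kind in {'read', 'write', 'unknown'}."""
    if len(payload) <= offset:
        return ("<empty>", "unknown")
    try:
        cmd = BootLoaderCommand(payload[offset])
    except ValueError:
        return (f"0x{payload[offset]:02X}", "unknown")
    # ASSUMPTION: GET_* only reads; everything else may change device state.
    return (cmd.name, "read" if cmd.name.startswith("GET_") else "write")

def check_before_send(payload, allow_write=False):
    """Refuse opcodes absent from the enum, and writes unless explicitly allowed."""
    name, kind = classify(payload)
    if kind == "unknown":
        raise ValueError(f"opcode {name} is not in the decompiled enum; not sending")
    if kind == "write" and not allow_write:
        raise PermissionError(f"{name} modifies the device; pass allow_write=True")
    return payload

# Constructed sample payloads (not real captures from the thermostat).
SAMPLE_REPORTS = [bytes([0x09, 0, 0]), bytes([0x21, 0x10, 0x04]),
                  bytes([0x05, 0xAA]), bytes([0x42]), b""]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print(report.hex() or "(empty)", *classify(report))
```

Running every payload through check_before_send before handing it to the HID tool keeps experiments inside the command set the vendor software itself uses.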

4 Replies to “Reverse engineering the Essent E-thermostaat”

  1. Enjoyed reading your article, too bad you didn’t succeed.
    I will check back later to see if any progress has been made.
    In the worst case, I have disposed of my e-thermostaat and help is too late for me.

    1. Thanks for your response. For now I paid the 24 Euros so I can use the thermostat for at least another year. So probably no updates from my side, but if so I’ll let you know.

  2. Maybe it is possible to read the thermostat thermometer and rig the + and – button so you can control it with an Arduino or Pi Zero? Or even a step further, connect said Arduino or Pi to read the data that is going to the LCD?

    1. That’s probably feasible, however I doubt if that would be much less work than designing my own thermostat and letting my home automation system control it. If you already go the extra mile to get an additional device such as Arduino or Pi to read the pins, switching a relay and reading a temperature sensor is not that much work either though.
