Reverse engineering the Essent E-thermostaat

Looking at the guts


The next step was to disassemble the thermostat itself and see what is actually powering it. Maybe there is a way to read the flash chip without powering the device? So after disassembling the device, I immediately noticed a PIC microcontroller. In this case the PIC18F4550. Also I noticed a lot of testing points on the main board which is always nice to see. This makes my life a lot easier. What particularly raised my interest were 5 test points/holes adjacent to the PIC microcontroller. Pulling up the datasheet and probing around the board with a multimeter, I noticed these were probe points for In-Circuit Serial Programming, i.e. ICSP. As the name implies, this is used to program the chip without lifting it off the board. So even after manufacturing, it is possible to upload new firmware to the chip, debug it and so on.

Thermostat back with ICSP connections
Thermostat back with soldered ICSP headers

The PIC microcontroller has built-in flash memory where the program is stored, so there is no (easy) way to read the flash without powering the controller. Keeping my hopes up, I built a high voltage ICSP using an Arduino and an external 12V power supply. I also soldered headers to the board to easily connect and disconnect wires. Using an existing Arduino ICSP sketch by Kirill Kulakov and verifying the workings of these sketches with the programming specification provided by Microchip (the manufacturer of PIC microcontrollers), I was able to successfully put the chip in ‘programming mode’ and play around with some commands.

Visual schematic of my improvised ICSP programmer using an Arduino

I verified everything was working by reading the configuration registers of the chip and got some valid responses. So far so good. In my mind I was almost close to dumping the firmware. I tried reading some addresses from the chip in the region where the program must be stored. The response was nothing but zeros. Could be just valid data right? Not every section of the chip has to contain data. So I wrote some quick code in the Arduino sketch to dump the whole flash memory over the serial console, and ran the code. And the response was… all zeros again. That was a bummer. Was my code wrong? No it wasn’t, because using the same code I was able to read the registers and get valid responses. Was the flash memory actually empty? No it wasn’t, because the device still worked fine and there were no other flash chips on the board so the program must be stored there. What was going wrong?

4 Replies to “Reverse engineering the Essent E-thermostaat”

  1. Enjoyed reading your article, too bad you didn’t succeed.
    I will check back later to see if any progress has been made.
    In the worst case, I have disposed of my e-thermostaat and help is too late for me.

    1. Thanks for your response. For now I paid the 24 Euros so I can use the thermostat for at least another year. So probably no updates from my side, but if so I’ll let you know.

  2. Maybe it is possible to read the thermostat thermometer and rig the + and – button so you can control it with an Arduino or Pi Zero? Or even a step further, connect said Arduino or Pi to read the data that is going to the LCD?

    1. That’s probably feasible, however I doubt if that would be much less work than designing my own thermostat and letting my home automation system control it. If you already go the extra mile to get an additional device such as Arduino or Pi to read the pins, switching a relay and reading a temperature sensor is not that much work either though.
