Building a Custom Receiver for Kinetic Switches - Kinetic2MQTT

  • Published: 14 May 2024
  • In this video, we take a look at how I was able to build a custom receiver to bridge my Quinetic wireless kinetic switches to MQTT to control my smart lighting system instead of using proprietary relay and dimmer modules. We will also take a look at the process I went through using an SDR (Software Defined Radio) to capture and reverse engineer the completely undocumented radio protocol!
    Buy parts used on Amazon UK (Affiliate):
    - E07-M1101D-SMA Radio Module: amzn.to/3MJorR9
    - Nooelec NESDR SMArt: amzn.to/3UAfTya
    Buy parts used on Amazon US (Affiliate):
    - E07-M1101D-SMA Radio Module: amzn.to/3zZYtBG
    - Nooelec NESDR SMArt: amzn.to/43ze1cP
    Find my code on GitHub: github.com/camerongray1515/Ki...
    Resources used:
    - secfault-security.com/blog/ki...
    - github.com/merbanan/rtl_433/i...
    / camerongray1515
    www.camerongray.me/
    Chapters:
    00:00 - Introduction
    05:18 - Custom Receiver Hardware
    09:28 - What about transmitting?
    11:22 - Demonstration
    14:34 - Looking at my code
    17:47 - An introduction to SDRs
    26:13 - Reverse engineering radio protocols
    41:37 - Completed hardware
    46:10 - Installing the system
    48:33 - Conclusion
    AFFILIATE LINKS NOTICE:
    Product links under this video marked “(Affiliate)” are affiliate links where I may receive a small commission on qualifying sales. Affiliate programs that I am a member of include, but are not limited to: Amazon Associates, eBay Partner Network and AliExpress Affiliates.
    As an Amazon Associate I earn from qualifying purchases.
    Purchasing through these affiliate links will not cost you any more money, however the commission earned significantly helps fund the production of videos on my channel.
  • Science

Comments • 30

  • @JoeRKsChannel 1 year ago +4

    “One of those hobbies that I spent too much money on and never had the time to do” made me chuckle…very relatable…

  • @emcguinn2601 1 year ago +3

    Good job, ESPs are ultra flexible. You've come a long way since Linux on the PS2!

  • @rogerramjet8395 1 year ago +1

    Oh, also, I'd love to see more stuff on SDR. 👍

  • @KennethLavrsen 1 year ago +1

    Fantastic piece of work

  • @rogerramjet8395 1 year ago

    Fabulous stuff Cameron. Thanks! I was literally looking into reverse engineering the radio signal of my thermostat (a snazzily named ESI Controls ESRTERFW) a couple of days ago … and boom, you saved me a few weeks! 😀 Thank you so much! 👍

  • @amcluesent 1 year ago

    Very kewl. I followed 80%; feeling pretty proud of myself!

  • @thomasfrazer2994 4 months ago

    Hi Cameron, thanks for this video. I myself was playing with my SDR and looking at these switches and other wireless devices. This was just over a year ago and I had managed to decode the bits. I could see the preamble and knew the ID was somewhere at the start of the packet. I gave up before I was able to work out the whole protocol; I was thinking it may have been encrypted. So thanks very much for this. I was inspired to go back over what I had and used your info above to create a GNU Radio Companion flow chart and custom Python decode block that can receive and decode the ID and Status. It also does the CRC check so you only see valid data. Let me know if you are interested and I will see if I can upload to GitHub or something.

  • @perfectpicture 1 year ago

    Hi Cameron,
    It was great to see you onboard the train this evening. I hope you found it to be a pleasant and comfortable journey, at least as far as Carlisle.
    Thanks for all your wonderful content, always so very comprehensive. I’ve learnt a great deal from your videos.
    It was a delight meeting you; hopefully our paths will cross again.
    Take care and continued success in everything you do.
    All the best, Steve 🚂

    • @camerongray1515 1 year ago +1

      Was so great to meet you too, honestly made my day! I'm up and down to Manchester on that route pretty regularly so I'm sure we'll see each other again! 😊

  • @tragicvision775 1 year ago +2

    I feel you have to design your own custom PCB to combine the radio board with the ESP!

    • @camerongray1515 1 year ago +2

      This did cross my mind, it may be something I look into in the future once I get past my fear of ordering boards and waiting for them to arrive only to find that I've messed something up!

    • @rogerramjet8395 1 year ago +1

      @camerongray1515 yeah … measure twice, cut once! My first order I checked and checked over and over again! Same reason! 😀 (No errors/faults! 👏)

  • @tramcrazy 1 year ago +1

    This is such a cool idea! I imagine having these kinetic switches instead of the Sonoff ones on the smart home controls will take out a few failure points? They seem much less complex than the WiFi-based ones. Would be interesting to see a teardown of what the radio transmitter actually looks like.

    • @camerongray1515 1 year ago +1

      Long term reliability will be interesting to see. The Sonoff WiFi solution did have a mains power supply and more components although these should all be pretty reliable. The 433MHz signals from these kinetic switches are also likely not as reliable as WiFi would be and I don't really know much around the reliability of the kinetic mechanism since this will have a mechanical element. However, the kinetic solution is definitely much easier to install, takes up much less space in the back box and would work for situations where there isn't a neutral wire present.

  • @DigisDen 1 year ago +1

    Cameron, what antenna are you using there please? You have an Amazon link?

  • @relativenormality 2 months ago

    I wonder if the Quinetic engineers sat round in a group watching this video and said to each other - "he's a clever little sh!t"

  • @threeMetreJim 1 year ago

    Next video: I turned a whole posh neighbourhood into a disco... Kind of thing I used to do with car alarms around 30 years ago when they didn't use rolling code encryption. It might be a good idea to also make a criminal curfew tag tracker, they also run on 433MHz (It wasn't one I was wearing).

  • @lhamil64 1 year ago

    Really interesting video! I have an SDR dongle connected to my home server to read my outdoor thermometer into MQTT and it works very well. You sort of touched on it in the video, but I'm curious why you went this route instead of using an SDR. Is the protocol supported by rtl-433? I guess it is nice that it's a standalone receiver that doesn't require a ton of CPU power to decode the signal.
    I really enjoyed seeing your reverse engineering process! That must have been a really satisfying project to see working.

    • @camerongray1515 1 year ago

      I was going to mention this in the video but completely forgot! I was able to get it working using rtl_433 using the config file linked in the description. However, due to the high bitrate of the signals, you'd need to turn up the sample rate that rtl_433 is running at which significantly increases the CPU load. To get it to work I found it was essentially maxing out a single core of a Pi 3B+. Most 433MHz devices transmit at a much slower data rate and for those rtl_433 is perfect!

  • @AminosYTC 1 year ago +1

    Great break out. Thanks for sharing this. I am slightly worried about the security side of this, though: what's stopping a third party from listening and replaying those signals as there is no encryption or signing involved. Even passively listening and linking those signals to a human being presence could be a privacy issue. Maybe I am too paranoid 😅

    • @JessicaFEREM 1 year ago +2

      I don't really see how it could be used to invade privacy, at least not any more than a smart bulb could.
      To me a light switch like this is just another form of TV remote, which 99.9% don't have any protection against replay attacks.

    • @camerongray1515 1 year ago +4

      This is definitely a valid concern and of course it applies to kinetic switches in general rather than just this receiver (unless I'm missing something when looking at the protocol). Realistically it comes down to what you deem to be an acceptable risk. With my setup, the worst someone could do is mess about and turn lights on and off which is realistically a similar level of annoyance to them replaying signals to trigger a wireless doorbell which are usually similarly insecure. However it maybe wouldn't be the best idea to use these to control something security critical (such as for opening a door) or something that would be bad if it was turned on unexpectedly (such as a high power heater which could cost a fortune if turned on while left unattended). Likewise you maybe wouldn't want to use this somewhere where it is likely to be a target of deliberate attacks, but controlling some lights in a domestic environment is a low enough risk for me to be happy using them.
      Privacy wise, this doesn't really concern me - I probably only trigger these switches a few times a day. If someone wanted to tell if I was at home they'd have many more obvious clues such as seeing lights/movement through windows. Even from a radio perspective there are likely many other signals that could be used - even though it's encrypted you could probably spot the presence of certain amounts of WiFi traffic or look out for "casting destinations" that many TVs and speakers will broadcast over WiFi or Bluetooth whenever they're powered on.

    • @sven33r 1 year ago +1

      @camerongray1515 I also thought about the security side. I also use a kinetic switch. The receiver has two relays included which I don't use but I flashed Tasmota on that receiver with a horrible solder job. It's amazing it still works. But yeah I only use those for lights. I guess the garage doors in my neighborhood are so old that they don't have rolling codes yet, so I guess they would be a more likely target.

  • @stuartgilbertson 1 year ago

    This is absolutely fantastic! I maybe missed it, but how were you then forwarding the command to the bulb to turn off/on?

    • @camerongray1515 1 year ago

      I use Zigbee2MQTT with a Sonoff Zigbee USB dongle to bridge my Zigbee smart bulbs over to MQTT. Then I have Node-RED sitting in between both of them that passes the messages between the switches and the bulbs.

  • @sberry25 1 year ago

    Thank you for sharing another great video. They are always really interesting. I’ve ordered the board from Amazon to give this a go.
    I was thinking the data after the ‘push/release’ might be a switch ID for the multi gang paddle switches.
    I’ve got a 3 gang paddle ordered so will let you know. Would you be happy to have a pull request on GitHub if I updated the code? 33:50

    • @camerongray1515 1 year ago

      Pull requests are more than welcome! Would definitely be interesting to see how multi-gang switches interact - I'd just assumed they'd each have their own ID since you need to pair each "gang" separately when using Quinetic receivers but I haven't yet been able to test one.

    • @thomasfrazer2994 4 months ago

      Hi, I think you may be correct on the bits after the push/release. I characterised a few of my switches and have found the following in the 8 bit data section.
      Single Paddle switches PRESS data = 0x01 (All have unique 16 bit IDs)
      Double Paddle switches PRESS data = 0x01 for paddle 1, data = 0x02 for 2nd paddle (All switches in the multi paddle have the same ID)
      Grid type switches PRESS data = 0x04 (All have unique 16 bit IDs)
      I don't have any Triple paddles to try but I assume they will most likely have data = 0x03 for the third paddle. So it seems the multi paddle switches use the same ID for each switch within the same unit and only identify the individual switches with a number in the data section.
      All switches have the same data for the RELEASE 0xC0
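
Added example (not part of the comments above, and not code from the Kinetic2MQTT project): a receiver-side gate built on the data values reported in this thread, which drops frames from unpaired IDs and raises an alert on sequences a real switch would not produce. It assumes each frame has already been demodulated, CRC-checked and split into a 16-bit ID and an 8-bit data byte; `FrameGate`, the sample IDs and the 0.25 s press gap are hypothetical.

```python
RELEASE = 0xC0   # RELEASE value reported for every switch type
# PRESS values reported in the thread; 0x03 (triple paddle) was only a guess there, so it is left out
PRESS = {0x01: "paddle 1", 0x02: "paddle 2", 0x04: "grid"}

class FrameGate:
    """Hypothetical filter between the radio decoder and the MQTT publisher.
    It cannot detect a replayed press/release pair from a paired ID (the frames
    carry no counter or signature); it limits what other injected frames can do."""

    def __init__(self, paired_ids, min_press_gap=0.25):
        self.paired = set(paired_ids)
        self.min_press_gap = min_press_gap  # seconds, assumed tuning value
        self.last_press = {}                # (id, data) -> time of last accepted press
        self.pending = {}                   # id -> presses still awaiting a release

    def handle(self, ts, switch_id, data):
        """Return (verdict, detail); verdict is 'publish', 'drop' or 'alert'."""
        if not (0 <= switch_id <= 0xFFFF and 0 <= data <= 0xFF):
            return ("drop", "malformed field")
        if switch_id not in self.paired:
            return ("drop", "unpaired id 0x%04X" % switch_id)
        if data == RELEASE:
            if self.pending.get(switch_id, 0) == 0:
                return ("alert", "release without press")
            self.pending[switch_id] -= 1
            return ("publish", "release")
        if data not in PRESS:
            return ("alert", "unknown data 0x%02X" % data)
        last = self.last_press.get((switch_id, data))
        if last is not None and ts - last < self.min_press_gap:
            return ("alert", "press rate exceeded")
        self.last_press[(switch_id, data)] = ts
        self.pending[switch_id] = self.pending.get(switch_id, 0) + 1
        return ("publish", "press " + PRESS[data])

# Constructed sample frames: (seconds, 16-bit id, 8-bit data); the IDs are made up.
SAMPLE = [(0.0, 0x1A2B, 0x01), (0.3, 0x1A2B, 0xC0), (1.0, 0x1A2B, 0xC0),
          (2.0, 0x9999, 0x01), (3.0, 0x1A2B, 0x02), (3.1, 0x1A2B, 0x02),
          (4.0, 0x1A2B, 0x7F)]

def run_sample():
    gate = FrameGate(paired_ids={0x1A2B})
    return [gate.handle(*frame) for frame in SAMPLE]

if __name__ == "__main__":
    for frame, result in zip(SAMPLE, run_sample()):
        print(frame, "->", result)
```

Only `publish` results would be forwarded to MQTT; `alert` results are worth logging, since on a lossy 433MHz link an occasional "release without press" can also be a missed press frame.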