Forum Datorer och system Smarta hem Tråd Inlägg

Tellstick ZNet Lite V2 teardown/reverse engineering

1
Skriv svar
Permalänk
Medlem

Tellstick ZNet Lite V2 teardown/reverse engineering

(In english if someone outside of sweden finds this post usefull)

So I'm getting into trying to automate my home a bit with home assistant, and happend to stumble apon a second hand tellstick, which sounded good with booth 433Mhz and z-wave support.
It seems like the local api for home assistant by telldus has been depricated so you now have to use their cloud service to coontrol things.
So I thought i migth do a teardown and a bit of reverse engineering to se if its hackable in any way.

the inside of the Tellstick ZNet Lite V2:

The board part:

There is a debug 3 pin "debug" port next to the z-vawe module that is a TTL 115200 8N1 serial port staright into the tellstick openwrt console without password.

there is a python firmware update script cyclic running with a 86400 second interval
also a python tellstick-znet script
dropbear as ssh-server
udhcp for dhcp
ntpd for time
msdns for bonjour edtection.

Senast redigerat
Redigera
Citera flera Citera
Permalänk
Medlem

a bit of digging in the pythonscripts gave the firmware URL for telldus:
http://fw.telldus.com/versions.xml
http://fw.telldus.com/tellstick-znet-lite-v2/tellstick-znet-l...

it seems the python script tellstick-znet.py is the telldus client

Redigera
Citera flera Citera
Permalänk
Medlem

all the python files regarding telldus are bytecompiled .pyc files, possible to decompile with uncompyle6 though.

ports listened to on the tellstick:

root@OpenWrt:/# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1743/dropbear
tcp 0 0 10.0.2.22:59759 16.170.51.134:45000 ESTABLISHED 995/python
tcp 0 0 :::80 :::* LISTEN 995/python
tcp 0 0 :::22 :::* LISTEN 1743/dropbear
tcp 0 0 ::ffff:10.0.3.22:80 ::ffff:10.0.2.37:58554 ESTABLISHED 995/python
udp 0 0 0.0.0.0:42314 0.0.0.0:* 995/python
udp 0 0 0.0.0.0:30303 0.0.0.0:* 995/python
udp 0 0 0.0.0.0:56282 0.0.0.0:* 984/mdnsd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 984/mdnsd
udp 0 0 :::546 :::* 1651/odhcp6c
udp 0 0 :::59699 :::* 984/mdnsd
udp 0 0 :::5353 :::* 984/mdnsd
raw 0 0 ::%1:58 ::%4438220:* 58 1651/odhcp6c
raw 0 0 ::%1:58 ::%4438220:* 58 913/odhcpd
raw 0 0 ::%1:58 ::%4438220:* 58 913/odhcpd

killing dropbear and starting it with
/usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
instead makes login in as root possible with:
ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa -oHostkeyAlgorithms=+ssh-rsa root@<tellstick ip-adress>

Senast redigerat
Redigera
Citera flera Citera
Permalänk
Medlem
Skrivet av sulfurwinter75:

So I'm getting into trying to automate my home a bit with home assistant, and happend to stumble apon a second hand tellstick, which sounded good with booth 433Mhz and z-wave support.
It seems like the local api for home assistant by telldus has been depricated so you now have to use their cloud service to coontrol things.

Gå till inlägget

How's your quest progressing?
I'm mainly interested in 2-way 433 mhz with the wider support for devices that's in the rtl433-project rather than what is supported by Telldus.

I've been running this the last 5 - 7 years but from what I gather it might be a bit tricky getting it on there nowadays.
https://github.com/quazzie/tellstick-plugin-mqtt-hass

Would definitely like an alternative if you need testers.

Visa signatur

🛜🫀: HP 290 PRO G9, i3 14100, 8GB DDR4, Intel X520-DA2
🐳🐧: AMD R5 3600 | Google Coral.ai | ASRock X570D4U-2L2T | Silverstone CS381 | 80GB DDR4 | 8 HDD BTRFS RAID1
⌨️🎮#1: R7 5700X3D | RTX 4070 | Acer XF270HUA | 96GB @ 3600 | MSI X570 MPG GAMING EDGE
⌨️🎮#2: i5 12400F | RTX 2080 LC | Huawei GT 27 | 16GB @ 3600 | MSI B760M-P DDR4 | CORSAIR C70
🎞🎶: LG OLED55C8 | Epson TW3200 | Onkyo TX-NR646 | Infinity Reference 61/51 mk2 | Shield TV V2 | minhembio.com

Redigera
Citera flera Citera
1
Skriv svar