Iris Smart Button Analysis

Hi! Took me far longer than I thought but I’ve got the necessary parts together to do some analysis of the Iris devices.

I picked up three devices - no smart hub yet, unfortunately, they were out - and I’ve got a cheap-but-effective 802.15.4 sniffer from the guide at FreakLabs.

First up: the Lowes Iris Smart Button, model #0388563 (link) - here’s an internal shot from my iPhone: http://imgur.com/xVGSVId

The large chip is an EM250 Ember SoC (link) which is the predecessor of the EM357 used by the SmartModule. Ember has their own ZigBee HA implementation that is supposedly compliant - and the UK partner of Lowes, AlertMe, is listed as being HA-compliant on ZigBee’s HA page.

The small chip is a Microchip MCP9801-M (link) temperature sensor. No mention of this is made in the Iris docs that I could find and the AlertMe docs have yet to materialize.

The switch is engaged by a rubber foot from the back cover when the cover is closed. Not entirely sure what the purpose of the switch is - at this point I’m expecting it’s intrusion prevention since AlertMe was originally designed for that - i.e. tear off the cover and the button immediately sends a message.

Next up - sniffing the device as it attempts to pair.

Unfortunately I don’t have an Iris Smart Hub (yet) so I can’t see what a full pairing looks like. Wireshark’s 802.15.4 analyzer is coming up with, well, nothing, so I’m looking at raw data. After putting in the battery and waiting for a second or two, I start seeing one 10-byte packet every second:

0A 03 08 xy FF FF FF FF 07 zz

y appears to be randomly generated at power on. It remains stable for, at least, several minutes of sniffing.

x is incremented by 1 every broadcast and overflows to 0. It appears to also start at a random number.

zz is clearly some kind of hash - the value of the first 9 bytes always matches a particular value of zz.

Here’s a full cycle - this will repeat as long as there’s power -

0A 03 08 00 FF FF FF FF 07 38
0A 03 08 10 FF FF FF FF 07 88
0A 03 08 20 FF FF FF FF 07 58
0A 03 08 30 FF FF FF FF 07 E8
0A 03 08 40 FF FF FF FF 07 E9
0A 03 08 50 FF FF FF FF 07 59
0A 03 08 60 FF FF FF FF 07 89
0A 03 08 70 FF FF FF FF 07 39
0A 03 08 80 FF FF FF FF 07 9A
0A 03 08 90 FF FF FF FF 07 2A
0A 03 08 A0 FF FF FF FF 07 FA
0A 03 08 B0 FF FF FF FF 07 4A
0A 03 08 C0 FF FF FF FF 07 4B
0A 03 08 D0 FF FF FF FF 07 FB
0A 03 08 E0 FF FF FF FF 07 2B
0A 03 08 F0 FF FF FF FF 07 9B

My current guess here is:

typedef unsigned char byte;

struct Frame {
    byte frame_size; // total length of frame - always 10 or 0xA so far
    byte frame_control[2]; // based on the ZigBee spec
    byte data_sequence_number; // Seems to make sense in context
    byte address[4]; // 0xFFFFFFFF for broadcast?
    byte payload[1]; // So far always a single character? Possibly part of FCS but probably not... (fixed at one byte: a flexible array member cannot precede another field in C)
    byte frame_check_sequence; // ZigBee calls for a 16-bit FCS. Not sure what's being used here.
};
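
The captures above can also be read as an IEEE 802.15.4 MAC frame with short destination addressing. The following is an added example, not code from the original post: it decodes the 16 listed frames that way and checks the zz byte against the 802.15.4 frame check sequence (CRC-16). The names `FRAMES`, `decode` and the dictionary keys are this example's own.

```python
import struct

# zz bytes of the 16 frames listed in the post, in order of sequence byte 0x00..0xF0.
ZZ = bytes.fromhex("38 88 58 E8 E9 59 89 39 9A 2A FA 4A 4B FB 2B 9B")
# Rebuild each captured frame: 0A 03 08 <seq> FF FF FF FF 07 <zz>
FRAMES = [bytes([0x0A, 0x03, 0x08, i << 4, 0xFF, 0xFF, 0xFF, 0xFF, 0x07, zz])
          for i, zz in enumerate(ZZ)]

def fcs_802154(data: bytes) -> int:
    """IEEE 802.15.4 FCS: CRC-16, x^16 + x^12 + x^5 + 1, bit-reflected (0x8408), init 0."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def decode(frame: bytes) -> dict:
    """Decode one 10-byte capture as length byte + MAC header + command id + zz."""
    # Little-endian: length, frame control, sequence, destination PAN, destination address
    length, fcf, seq, pan, dst = struct.unpack_from("<BHBHH", frame, 0)
    fcs = fcs_802154(frame[1:9])              # FCS covers everything after the length byte
    return {
        "phy_length": length,                 # bytes that should follow, FCS included
        "frame_type": fcf & 0x7,              # 3 = MAC command frame
        "dst_addr_mode": (fcf >> 10) & 0x3,   # 2 = 16-bit short address
        "src_addr_mode": (fcf >> 14) & 0x3,   # 0 = no source address present
        "seq": seq,
        "dst_pan": pan,                       # 0xFFFF = broadcast PAN
        "dst_addr": dst,                      # 0xFFFF = broadcast address
        "command_id": frame[8],               # 0x07 = Beacon Request
        "fcs": fcs,
        "zz_is_fcs_low_byte": frame[9] == (fcs & 0xFF),
        "bytes_short": length - (len(frame) - 1),
    }

def all_zz_match(frames=FRAMES) -> bool:
    """True when zz equals the first (low) FCS byte in every captured frame."""
    return all(decode(f)["zz_is_fcs_low_byte"] for f in frames)

if __name__ == "__main__":
    for f in FRAMES:
        d = decode(f)
        print(f.hex(" "), "seq=%02X fcs=%04X zz_ok=%s short_by=%d"
              % (d["seq"], d["fcs"], d["zz_is_fcs_low_byte"], d["bytes_short"]))
```

On these captures every zz equals the low byte of the computed CRC, and each frame is one byte shorter than its length byte announces, which is consistent with the capture omitting the second FCS byte.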

I just got an email from Lowes announcing their Iris products. They seem very similar to SmartThings. There are some nice features of the products and the prices are pretty good.

 

That seems to be a beacon that continually searches for their Smart Hub. This is interesting. When I have some free time I’m going to pick up that sniffer.

Let me know if there are any particular experiments you’d like run in the meantime - I’d also be happy to lend it to you.

Wow that’s super nice of you to offer! Such great fans! We have lab grade spectrum analyzers and all the super fancy toys our EE people use for hardcore testing, I meant pick one up for home use :stuck_out_tongue: I think it would be fun. Then again, our definition of fun seems to be different from others ha.

Jealous of your lab :slight_smile: yeah, my definition of fun is pretty cracked by general acclaim - http://github.com/aleksandyr is my personal project space and speaks louder than anything else I could say.

Bumping a very old topic.

@alexanderlash

Did you ever get this push button to work with SmartThings?

I’m fairly certain Andrew hit the nail on the head. It’s looking for its mommy.

This does sound like fun…

Following topic now.

…CP.

I LIVE. Received my SmartThings kit and I’ve been spending quite a bit of time interviewing / setting up an exit from my job. I haven’t really had time to pick this back up and play with it, unfortunately, but it seems others have - http://jeelabs.net/boards/6/topics/285 is somewhat interesting reading but isn’t an answer (yet.)

The biggest issue with my kit is that my fiancee doesn’t want to deal with pulling out her phone, so I’ve got some really good reasons to get this button working. :slight_smile:

Did anyone ever figure out if these devices will work with SmartThings?

The button in the first post will not work with ST.

That explains why it wouldn’t pair. Thanks much.