So I’ve been feeling the need to be set free lately so I stopped at Radio Shack and picked up some Schlage gear.

Z-wave is the featured technology on these devices so don’t expect any documentation on the internals... Schlage outsources your freedom to Ingersoll Rand just as a heads up. The good news is that IR is “Your choice for Security Solutions”

http://www.integratedsystems.ingersollrand.com/

We learned a bit about the Z-wave chipset that turned out to be inside in one of our previous blog posts. The confidential chip docs for said chip are available all over Google.

Although it was a newer revision the pinouts matched the documents that we had previously read. I took this information and proceeded to tap MOSI, MISO, SCK, TX and RX.

Unfortunately the programming manual for Z-wave didn’t leak alongside the chipdocs. There are luckily a few sites working toward reversing items using the Sensys chipsets.

The Saleae picked up a bit of data that we were able to quickly track back to the Z-wave API . The first frame looked like this:

These bytes 01 03 00 05 f9 can be tracked back to the following reverse engineering project.

http://wiki.linuxmce.org/index.php/ZWave_API#Capturing_your_own_sample_transactions

At this point it looks as if we are on the right track... coming soon “One packet Z-wave door unlock” haha or maybe I am being too optimistic?