Starting to reverse a Z-wave door lock kit
Monday, November 29, 2010
So I’ve been feeling the need to be set free lately so I stopped at Radio Shack and picked up some Schlage gear.
Z-wave is the featured technology on these devices, so don’t expect any documentation on the internals... As a heads up, Schlage outsources your freedom to Ingersoll Rand. The good news is that IR is “Your choice for Security Solutions”
http://www.integratedsystems.ingersollrand.com/
We learned a bit about the Z-wave chipset that turned out to be inside in one of our previous blog posts. The confidential chip docs for said chip are available all over Google.
Although it was a newer revision, the pinouts matched the documents that we had previously read. I took this information and proceeded to tap MOSI, MISO, SCK, TX and RX.
Unfortunately the programming manual for Z-wave didn’t leak alongside the chip docs. Luckily there are a few sites working toward reversing devices built on the Zensys chipsets.
The Saleae picked up a bit of data that we were able to quickly track back to the Z-wave API. The first frame looked like this:
These bytes 01 03 00 05 f9 can be tracked back to the following reverse engineering project.
http://wiki.linuxmce.org/index.php/ZWave_API#Capturing_your_own_sample_transactions
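As an added example (not code from the original post, nor from Schlage, Ingersoll Rand or the LinuxMCE project), here is a small Python decoder for the host-to-chip serial frames seen on TX/RX. It relies on the published Z-wave Serial API framing: a frame starts with SOF (0x01), then a length byte counting everything after itself up to and including the checksum, then a type byte (0x00 request, 0x01 response), a command byte, optional data, and a checksum that is the XOR of every byte between SOF and the checksum, inverted. The single bytes ACK/NAK/CAN (0x06/0x15/0x18) are not framed. The captured bytes `01 03 00 05 f9` come from the post; the trailing ACK in the sample stream is constructed for illustration.

```python
# Added example: decode and checksum-verify Z-wave Serial API frames from a
# UART capture. Not the original post's code; based on the public framing
# of the Serial API (SOF, length, type, command, data, checksum).

SOF, ACK, NAK, CAN = 0x01, 0x06, 0x15, 0x18
FRAME_TYPES = {0x00: "request", 0x01: "response"}
SINGLE_BYTES = {ACK: "ack", NAK: "nak", CAN: "can"}


def zwave_checksum(between: bytes) -> int:
    """Checksum over the bytes between SOF and the checksum byte
    (length, type, command, data): XOR them all, then invert."""
    chk = 0xFF
    for b in between:
        chk ^= b
    return chk


def parse_frame(raw: bytes) -> dict:
    """Decode one complete SOF frame. Raises ValueError when the bytes do not
    form a whole frame; a bad checksum is reported, not raised, so an analyst
    still sees the fields of a corrupted capture."""
    if len(raw) < 5 or raw[0] != SOF:
        raise ValueError("not a complete SOF frame: %s" % raw.hex())
    length = raw[1]  # counts type .. checksum inclusive
    if length < 3 or len(raw) != 2 + length:
        raise ValueError("length byte %d does not match %d bytes on the wire"
                         % (length, len(raw)))
    ftype, cmd = raw[2], raw[3]
    data, chk = raw[4:-1], raw[-1]
    return {
        "type": FRAME_TYPES.get(ftype, "unknown(0x%02x)" % ftype),
        "command": cmd,
        "data": bytes(data),
        "checksum": chk,
        "checksum_ok": chk == zwave_checksum(raw[1:-1]),
    }


def split_stream(stream: bytes) -> list:
    """Walk a captured byte stream (e.g. the UART decode exported from a logic
    analyser) and return a list of (kind, value) tuples. Unframed ACK/NAK/CAN
    bytes, complete frames, a truncated tail and stray bytes are all reported
    so that nothing in the capture is silently dropped."""
    items, i = [], 0
    while i < len(stream):
        b = stream[i]
        if b in SINGLE_BYTES:
            items.append((SINGLE_BYTES[b], None))
            i += 1
        elif b == SOF:
            if i + 1 >= len(stream):
                items.append(("truncated", stream[i:]))
                break
            end = i + 2 + stream[i + 1]
            if end > len(stream):
                items.append(("truncated", stream[i:]))
                break
            items.append(("frame", parse_frame(stream[i:end])))
            i = end
        else:
            items.append(("junk", b))
            i += 1
    return items


if __name__ == "__main__":
    # First frame from the post, followed by a constructed ACK from the other side.
    capture = bytes.fromhex("01030005f9" "06")
    for kind, value in split_stream(capture):
        print(kind, value)
```

Feeding it the five bytes from the capture gives a request frame for command 0x05 with no data and a checksum that verifies (0xFF ^ 0x03 ^ 0x00 ^ 0x05 = 0xF9), which is a quick way to confirm that the tap is on the right pins and the UART decode has the right baud rate before reading anything into the traffic.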
At this point it looks as if we are on the right track... coming soon: “One packet Z-wave door unlock”, haha, or maybe I am being too optimistic?