Starting to reverse a Z-wave door lock kit

Monday, November 29, 2010


So I’ve been feeling the need to be set free lately, so I stopped at Radio Shack and picked up some Schlage gear.




Z-wave is the featured technology on these devices, so don’t expect any documentation on the internals... Just as a heads up, Schlage outsources your freedom to Ingersoll Rand. The good news is that IR is “Your choice for Security Solutions”:


http://www.integratedsystems.ingersollrand.com/




In one of our previous blog posts we learned a bit about the Z-wave chipset that turned out to be inside this lock. The confidential chip docs for said chip are available all over Google.

Although it was a newer revision, the pinouts matched the documents that we had previously read. I took this information and proceeded to tap MOSI, MISO, SCK, TX and RX.



Unfortunately the programming manual for Z-wave didn’t leak alongside the chip docs. Luckily, there are a few sites working toward reversing items that use the Zensys chipsets.


The Saleae picked up a bit of data that we were able to quickly track back to the Z-wave API. The first frame looked like this:



These bytes, 01 03 00 05 f9, can be tracked back to the following reverse engineering project:


http://wiki.linuxmce.org/index.php/ZWave_API#Capturing_your_own_sample_transactions
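As an added example (not code from the post or from the linuxmce project), here is a small Python decoder for the Serial API framing that the captured bytes follow: SOF 0x01, a length byte, a type byte (request or response), a function id, optional parameters, and a checksum that is 0xFF XORed with every byte between the SOF and the checksum. It runs over a constructed capture containing the post's frame, an ACK, and a deliberately corrupted copy of the frame; reading function id 0x05 as ZW_GET_CONTROLLER_CAPABILITIES is my recollection of OpenZWave's defines, not something the post states.

```python
from dataclasses import dataclass
from typing import List, Optional
# Z-Wave Serial API framing on the host<->chip UART (what the TX/RX taps see):
#   SOF (0x01) | LEN | TYPE (0x00=request, 0x01=response) | FUNC | params... | CHECKSUM
# LEN counts every byte after itself, checksum included; CHECKSUM = 0xFF XOR each
# byte between SOF and the checksum. Single-byte ACK/NAK/CAN frames carry no payload.
SOF, ACK, NAK, CAN = 0x01, 0x06, 0x15, 0x18
SINGLE = {ACK: "ack", NAK: "nak", CAN: "can"}

@dataclass
class Frame:
    kind: str                         # "data", "ack", "nak" or "can"
    type_: Optional[int] = None
    func: Optional[int] = None        # 0x05 in the post's frame
    params: bytes = b""
    checksum_ok: Optional[bool] = None

def serial_api_checksum(body: bytes) -> int:
    """Checksum over LEN, TYPE, FUNC and params (everything between SOF and checksum)."""
    c = 0xFF
    for b in body:
        c ^= b
    return c

def parse_frames(stream: bytes) -> List[Frame]:
    """Split a captured UART byte stream into frames, verifying each data-frame checksum."""
    frames, i = [], 0
    while i < len(stream):
        b = stream[i]
        if b in SINGLE:
            frames.append(Frame(SINGLE[b]))
            i += 1
            continue
        if b != SOF or i + 1 >= len(stream):
            i += 1                            # noise or mid-frame sync: resync byte by byte
            continue
        length = stream[i + 1]
        end = i + 2 + length                  # index one past the checksum byte
        if length < 3:                        # too short to hold TYPE, FUNC and checksum
            i += 1
            continue
        if end > len(stream):
            break                             # truncated capture: stop rather than guess
        body = stream[i + 1:end - 1]          # LEN .. last param byte
        ok = serial_api_checksum(body) == stream[end - 1]
        frames.append(Frame("data", body[1], body[2], bytes(body[3:]), ok))
        i = end
    return frames

# Constructed capture: the post's frame 01 03 00 05 f9, the chip's ACK, then the same
# frame with its checksum corrupted to f8 so the verification has something to catch.
CAPTURE = bytes.fromhex("01 03 00 05 f9 06 01 03 00 05 f8")
```

A frame whose checksum fails (or a capture that ends mid-frame) is the first thing to look for when the analyzer's baud rate or sample rate is off.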


At this point it looks as if we are on the right track... coming soon “One packet Z-wave door unlock” haha or maybe I am being too optimistic?

