Since modern household appliances now have an MCU inside, they often have a diagnostic interface and — sometimes — more. Case in point: Miele washing machines, like the one that [Severin] recently fixed, leading to the firmware becoming unhappy and refusing to work. This fortunately turned out to be recoverable by clearing the MCU’s fault memory, but if you’re unlucky, you will have to recalibrate the machine, which requires very special and proprietary software.
Naturally, this led [Severin] down the path of investigating how exactly the Miele Diagnostic Utility (MDU) and the Program Correction (PC) interface communicate. Interestingly, the PC interface uses an infrared LED/receiver combination that’s often combined with a status LED, as indicated by a ‘PC’ symbol. This interface uses the well-known IrDA standard, but [Severin] still had to track down the serial protocol.
Research started with digging into a spare 2010-era Miele EDPW 206 controller board with the 65C02-like Mitsubishi 740 series of 8-bit MCUs. These feature a mask ROM for the firmware, so no easy firmware dumping. Fortunately, the Miele@Home ‘smart appliance’ feature uses a module that communicates via UART with the MCU, using a very similar protocol, including switching from 2400 to 9600 baud after a handshake. An enterprising German user had a go at reverse-engineering this Miele@Home serial protocol, which proved to be incredibly useful here.
What is annoying is that the PC interface requires a special unlock sequence, which was a pain to figure out. Fortunately, the SYNC pin on the MCU’s pins for (here unused) external memory was active. It provided insight in which code path was being followed, making it much easier to determine the unlock sequence. As it turned out, 11 00 00 02 13 were the magic numbers to send as the first sequence.
After this, [Severin] was able to try out new commands, including 30 which, as it turns out, can be used to dump the mask ROM. This enabled the creation of a DIY transceiver you can tape to a fully assembled washing machine, for testing. As of now, the next target is a Miele G651 I Plus-3 dishwasher, which annoyingly seems to use a different unlock key.
Of course, you can just trash the electronics and roll your own. That happens more often than you might think.
Thanks to [Daniel] for the tip.
I have a dream where all home appliances will be opensource
Agreed, som many benefits. Hacks like this is great
And replacement parts standardized…
Parts being properly documented would be a good start.
Like it used to be in 1970s and ’80s (schematics in the manuals).
About standardization.. Yes and no. The basic idea is great, but the realization?
I don’t like the low-end Philips screws that are used almost everywhere, for example.
Torx screws are much more robust and less of a pain, they last longer, too.
Now let’s image Philips screws had been a forced standard.. a nightmare come true!
Then there’s PC platform. I liked non-standard approachs by Compaq and Dell.
Some ideas weren’t bad, after all. Or let’s take Intel’s BTX motherboard form factor.
It finally corrected alignment of PCI cards.
So they would face downside with the solder side, like ISA cards did on AT and ATX motherboards.
What I prefer isn’t standardization so much but interoperability.
That there are adapters available if needed.
Or that documentation is provided for free to make homebrew solutions.
standardisation isn’t your enemy. If you look at the linux kernel they have fixed cycles and you can submit software within that period. so there’s still the option for innovation, but it has to wait for the next release so as not to break userspace.
There’s no reason why torx and philips couldn’t be interchangeable so long as the hole and thread was the same.
In principle that’s right, I think, but let’s see what standardization had done to the internet/www in the past 30 years or so.
It used to be a place of innovation and experiments, now it’s a closed, standardized world led by big tech.
Standardization clashes with indiviualism or personalisation, too, often.
Or another example. Here in Europe, the smartphones must have USB-C ports for charging.
It’s a hard requirement, rather than a recommendation.
But is USB-C really so great? Other ports/plugs might be “better” but are not being allowed anymore.
Except as an option, an additon to USB-C port, maybe.
Hi. The cross shape of the thread of Philips screws is the main problem, I think,
along with low material quality that most Philips style screws are made of.
The thread will wear out much faster than the Torx one.
Philips screws are like public women’s bathrooms.
They’re fine, until they aren’t.
Then they are Chernobyl.
Torx’s main advantage is they won’t work at all with the wrong tool.
You can get a JIS ‘Philips’ screw out with a regular Philips screwdriver.
Or a big screw, that would work fine with a #4, with a smaller screwdriver.
Or a small screw with the tip of the #4.
You’ll often screw up the screws that way.
Or the cheap screwdriver with the fancy Japanese screw.
YMWV
In addition the JIS and real Philips there is euro-Philips and a commie-Philips, IIRC.
Plus a bunch of x shaped screw heads you’ll never actually see.
Is why I have moved over to Fisher and Paykel appliances. They have parts manuals for their machines, and you can order parts from them, or third parties easily. Have gotten 2 dishwashers of theirs for free/cheap and fixed with $15 of parts.
And open hardware, too? :)
“this”
If the hardware is not open and some firmware is in blobs, then It’s not open source to me.
At least the API should be open. If everyone can flash firmware to their own devices, then certification becomes a problem. There should be safeguards in place so that if you run your own firmware warranty is voided. If they use functional safety in software then there is a risk. That would mean the user would either have to accept the risk or it should have hardware safety.
I don’t know why no-one’s done it – most appliances are pretty simple things with a few actuators and sensors and a basic control panel, and the cycles they go through are not hard to work out or reverse engineer by observation.
For the average washing machine or dishwasher or dryer (or even microwave) the designs are so similar that one sensibly designed PCB could cover a huge percentage of the market.
There should be a HaD challenge/prize for whoever creates a reliable safe well-documented open-source controller project.
What a wonderful detailed insight on what he tries and why :D
I hope that someone figures out how to make Miele@Home run local-only next. The official Miele app is just so incredibly sluggish.
Have a look at developer.miele.com, you can make your own app if you like but not without the cloud. Take care with MDU interface, some modes are for testing only so there may no safety features enabled! By the way, APP team is working hard to improve it ;-)
Yeah, the API avoids some issues like lack of HomeKit integration. But I haven’t yet gotten around to getting notifications for example.
As hard as they might be working, the overall slowness on top of constant outages over these past years really doesn’t inspire confidence.
Local-first would also be useful in other ways besides control. Like why would the appliances need to use HTTP instead of (S)NTP for time synchronisation.
There’s so much potential that’s simply not used.
Bad UI and apps you want to delete after 1 minute of use are a specialty of German companies. It’s the same with heat pumps etc.
I really don’t get how these apps ever get the “let’s give this piece of crap software into users hands” approval :(
Man, I feel the same about Suse Linux too. It’s stable but good lord it’s slow on the same hardware compared to Ubuntu etc. There’s something about German software engineers and form over function.
Agreed — and this has been done in the form of an open-source server, and been (mostly) successful. https://github.com/akappner/MieleRESTServer (I’m the author).
You have to calibrate … … a washing machine … ?
It’s an instrument of precision. :)
Great reversing work here! I have separately worked on reversing the Wi-Fi interface; the Wi-Fi communications module (“XKM” in Miele-speak) appears to be a factory implementation of the kind of interface you are building.
The serial interface appears to be more powerful than what the XKM exposes; however, on (some) Wi-Fi enabled (=newer) devices, reading/clearing the fault memory should also be possible through the Wi-Fi interface. See my project at https://github.com/akappner/MieleRESTServer