The Honeywell X2S Smart Thermostat is a Wi-Fi-enabled thermostat that is meant to integrate with your typical ‘smart home’ setup, with mobile app control available as well. Of course, just using it as-is would be extremely boring, so fortunately we have [author0] to take it apart and reverse-engineer its encrypted firmware.
Of the two brains in this thermostat, the first is a succinctly named Renesas R7FA6M4AF3CFP MCU containing a 200 MHz Cortex-M33 core with TrustZone features to theoretically keep out any firmware hackers. Handling the wireless side is a Realtek RTL8721DM Wi-Fi/BLE 5.0 SoC. There are also two Winbond Flash chips connected to these two main chips, with their contents of course encrypted.
Fortunately there are plenty of test points to connect to, for which a custom pogo-pin-equipped breakout board was created. Cracking the encryption for the Realtek turned out to be as simple as using its RSIP decrypt-on-the-fly feature. Exploring the firmware was the next step, which turned up a TLS issue pertaining to certificates that makes man-in-the-middle attacks easy, along with a seeding bug that makes recovering session keys possible.
Although the Renesas MCU firmware still has to be decrypted and the full wireless handshake reverse-engineered, these do seem to be solid steps towards fully reverse-engineering this thermostat. It also makes it very clear once again that the ‘S’ in IoT absolutely stands for ‘security’. Maybe that’s why the smart home bubble popped.

That’s a lot of computing horsepower to replace a bimetallic strip and a switch :-)
I have the older version of this thermostat, and yes, the app on my phone depends on the Resideo servers continuing to operate. Still, it doesn’t cost me anything so it’s worth the price.
Should enshittification rear its ugly head, I’ll drop it like a hot potato(e). Would be worth buying this if the wifi protocol is reverse engineered or the firmware is replaced by an open source version.
Two embedded micros for, what, 100 LCD segments and six buttons? Progress!
Is if one doesn’t want to build one themselves.
R&D cost cutting. Using a powerful platform + a quick dev toolkit is still cheaper than register-crafting optimized firmware on a minimalist platform. Especially if there is an aim at versatility (same HW base and dev framework for many products).
Please tell this to the aftermarket stereo brands that use such underpowered hardware it takes half a minute for the screen to come up and audio to start playing. Oh how far JVC has fallen!
I gave up with Smart or even programmable thermostats. More headache than savings. There are a lot of theories about why not to use programmable thermostats. I’d rather be in a comfortable room and spend time making the extra money I need to pay for heating somewhere else.
And the smart ones will eventually go dumb like Nest.
I have a Honeywell Evohome, which is a zone system (for hot water radiators, they also make it for hot water floor heating). I can control the heat in each room individually. Technically over wifi and internet, but I use that feature once a year. However, it still works without internet. I could even use it without the main module, because each room’s radiator knob can control itself when operated from the knob (it just no longer communicates with other knobs and no time program).
My house is not insulated enough / energy is expensive enough in Europe that I don’t want to heat 24/7.
So much unnecessary tech! If it has to be on the internet, even an ESP8266 would be overkill! But no, it has to have a 200 MHz Cortex-M33. More for us to tinker with when we find it at the Tibetan Center thrift store I suppose!
Honeywell makes my jaw drop in the best of ways and in the worst of ways all at once
See? That’s why security through obscurity doesn’t work.