EQ3 firmwares 1.20+ not working anymore (requires pairing?)

[robluca]

After try to set target temperature at any values it goes at 5.0 Celsius Degree. With Fw 1.10 it is still working. I bought new one and I received it with new FW.
Did you see similar issues?
Thank you

[ropperto]

Also firmware 1.20 does not work.

[Predator83]

It seems that the producer of the thermostats updated their firmware recently. According to ios and Android appstore comments even the original app of the producer (calorBT) is not able to connect anymore.

Seems like this issue is NOT a problem with the Bluetooth library in use nor the adapter, it seems like a problem with the firmware itsself.

[rytilahti]

I'm not actively maintaining this package, but if someone wants to add support for the newer versions I can try to help however I can by codereviews etc.

The first step would be to figure out the new communication protocol, quick googling brought this site which looks like a helpful starting point on how to reverse BTLE devices: https://reverse-engineering-ble-devices.readthedocs.io/en/latest/

[nakatomi845]

I don't know if this is problem with protocol. I have checked it with eq3cli and it connect and after writing date it disconnect with exception. Thermostat is now with version 1.46.

eq3cli --mac 00:1A:22:06:A7:83 --debug
DEBUG:eq3bt.eq3btsmart:Querying the device..
DEBUG:eq3bt.connection:Trying to connect to 00:1A:22:06:A7:83
DEBUG:eq3bt.connection:Connected to 00:1A:22:06:A7:83
DEBUG:eq3bt.connection:Writing b'031501040e2415' to 1041 with with_response=True
DEBUG:eq3bt.connection:Got exception from bluepy while making a request: Device disconnected
Traceback (most recent call last):
  File "/home/openhab/.local/bin/eq3cli", line 8, in <module>
    sys.exit(cli())
  File "/usr/lib/python3.9/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1236, in invoke
    return Command.invoke(self, ctx)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/click/decorators.py", line 21, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/lib/python3.9/site-packages/eq3bt/eq3cli.py", line 34, in cli
    thermostat.update()
  File "/usr/lib/python3.9/site-packages/eq3bt/eq3btsmart.py", line 205, in update
    self._conn.make_request(PROP_WRITE_HANDLE, value)
  File "/usr/lib/python3.9/site-packages/eq3bt/connection.py", line 73, in make_request
    self._conn.writeCharacteristic(handle, value, withResponse=with_response)
  File "/usr/lib/python3.9/site-packages/bluepy/btle.py", line 543, in writeCharacteristic
    return self._getResp('wr')
  File "/usr/lib/python3.9/site-packages/bluepy/btle.py", line 407, in _getResp
    resp = self._waitResp(wantType + ['ntfy', 'ind'], timeout)
  File "/usr/lib/python3.9/site-packages/bluepy/btle.py", line 362, in _waitResp
    raise BTLEDisconnectError("Device disconnected", resp)
bluepy.btle.BTLEDisconnectError: Device disconnected

With BLE Scanner on my phone when i send date to service then I received:

0x02010900042b000000001e0c2c220a it look like similar than prev version.

Problem with btle.py?

[Predator83]

Or maybe a problem with the thermostats new firmware itself, as there is quite a shitstorm on the app store‘s comment sections of the official app (CalorBT) as it cannot connect to the thermostats anymore once they were updated to the new firmware.

[nakatomi845]

From CalorBT works, also works from BLE Scanner. Problem starts when manufacturer add "pairing" then phone starts asking for pairing code.

[rytilahti]

@nakatomi845 if I understand you correctly, the vendor has fixed the security issue where it was possible to control the device without pairing (like this library does)?

[nakatomi845]

Yes, I think this is the problem. But of course I don't know if it's correct implemented on vendor side.

[Predator83]

Ok, that explains some things.

I was already wondering why I was never asked for a PIN when I was setting up the Raspi with the thermostats. In contrast, when pairing with the CalorBT app I had to enter a PIN.

[nakatomi845]

As I can see btle.py supports pair and unpair method so I think it shouldn't be complicated to implement it.

[nakatomi845]

Definitely this is problem with pairing. When I paired it manually eq3cli works well. But I don't know how to implement in on library.

[rytilahti]

What steps were necessary to pair it? Did you just use the bluepy (and the btle.py interface? so this is a standard btle passcode pairing?), or did you do something else?

[nakatomi845]

On my environment.

1. Press and hold wheel on thermostat until Pair will be displayed. Remember or write it.
2. $ sudo bluetoothctl
3. [bluetooth]# power on
4. [bluetooth]# agent on
5. [bluetooth]# default-agent
6. [bluetooth]# scan on
7. [bluetooth]# scan off
8. [bluetooth]# pair 00:1A:22:06:A7:83
9. [agent] Enter passkey (number in 0-999999): <enter pin>
9. [bluetooth]# trust 00:1A:22:06:A7:83
10. [bluetooth]# disconnect 00:1A:22:06:A7:83

Optional steps:
[bluetooth]# devices - to list all devices
[bluetooth]# info 00:1A:22:06:A7:83
Device 00:1A:22:06:A7:83 (public)
	Name: CC-RT-BLE
	Alias: CC-RT-BLE
	Paired: yes
	Trusted: yes
	Blocked: no
	Connected: no
	LegacyPairing: no
	UUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)
	UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
	UUID: Device Information        (0000180a-0000-1000-8000-00805f9b34fb)
	UUID: Vendor specific           (3e135142-654f-9090-134a-a6ff5bb77046)
	UUID: Vendor specific           (9e5d1e47-5c13-43a0-8635-82ad38a1386f)
	ManufacturerData Key: 0x0000
	ManufacturerData Value:
  00 00 00 00 00 00 00 00 00                       .........

[ropperto]

firmware 1.20 doesn't ask for pin

[bluetooth]# pair 00:1A:22:12:4B:E1
Attempting to pair with 00:1A:22:12:4B:E1
Failed to pair: org.bluez.Error.ConnectionAttemptFailed
[bluetooth]# trust 00:1A:22:12:4B:E1
Changing 00:1A:22:12:4B:E1 trust succeeded
[bluetooth]# info 00:1A:22:12:4B:E1
Device 00:1A:22:12:4B:E1 (public)
        Name: CC-RT-BLE
        Alias: CC-RT-BLE
        Paired: yes
        Trusted: yes
        Blocked: no
        Connected: no
        LegacyPairing: no
        UUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)
        UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
        UUID: Device Information        (0000180a-0000-1000-8000-00805f9b34fb)
        UUID: Vendor specific           (3e135142-654f-9090-134a-a6ff5bb77046)
        UUID: Vendor specific           (9e5d1e47-5c13-43a0-8635-82ad38a1386f)
[bluetooth]#

I wonder if it is better to upgrade or try to fix this fw version.

[nakatomi845]

What do you mean fix? I think it is better to upgrade. Because this is fix for security.

[ropperto]

I mean to get eq3bt working fine. My final goal is to have the valve again integrated in home assistant.
I know that security is important, but in my case where bt signal is not reachable outside my house the original firmware was also a good solution.

[nakatomi845]

I have 3 thermostats all were with 1.20, now they are working with 1.46 nothing change are needed except pairing.

[Predator83]

Hi nakatomi,

do I understand this correct: With the new firmware I need to pair the thermostats via bluetoothctl and then the eq3bt (and other scripts/libraries) should work as before?

[nakatomi845]

Yes.

But it will be nice to see that this library support that.

[nakatomi845]

Ok, one additional comment. Device remember paired device and only one device can be paired. So, if you pair device with pc then you can't connect with phone and vice versa.

[ropperto]

So we can say that only firmware 1.20 is not working with eq3bt, firmware 1.10 and 1.46 are fine.
At the moment I can't upgrade, hope to have time in the night.

[nakatomi845]

I think 1.20 works well without pairing. 1.46 needs be paired but also works.

[Predator83]

nakatomi, thanks for your comment above.

Then the new firmware would be actually a deal breaker for me as I use my phone AND my PC to adjust temperature. And this works pretty well currently as is.

[ropperto]

I confirm that 1.20 don't work with eq3bt, it works only with proprietary app on phone.

[Predator83]

Interesting fun fact: I found a master thesis that is analyzing the eq3 regarding its Bluetooth communication. Unfortunately it is in German.

https://www.h-brs.de/files/related/kevin_froehlich-masterthesis.pdf#page74

[rytilahti]

@nakatomi845 thanks for the pairing instructions! Do you mind creating a PR to add simplified instructions to the README file? I think that information is useful as it is, even when it cannot be done programatically for the time being. It may also be worth adding a warning about the fact that these devices can only be paired at the same time to one device => using both this library & the official app will not work on newer fws.

@Predator83 interesting, thanks for the link! Google translate can usually do a pretty good (or at least understandable) job with DE-EN translations.

[ropperto]

Well, after upgrading the valve, the library can connect again.
I had to remove the device and then the pairing again asked for the pin.
Thank you to all!

[Predator83]

Not sure which one I have but it’s not the newest one that requires the secure pairing. Also not sure where I can look up the firmware version.

[DJTechMo]

@Predator83 Restarting the thermostate by removing the battery and put it in again, then it should be displayed in the display as the first information.

[Windoofs]

Just to give an update:
With the newest Firmware 1.46 and the current master branch is paring needed and successful.
Updating the Firmware is possible with calorBT

[Ferrarista]

I have a EQ3 cc-rt-ble-eq. After updating the firmware to the 1.46, I removed the device from the calor BT app to reorganize my rooms better. Unfortunately now I can't pair it again. When I push the wheel for 3 seconds, the device just shuts down (seems to be crashing) and I have to remove the batteries to restart it. Is there a way to recover some old firmware without pairing it?

[dbuezas]

I have one that failed like that. I didn't find a way to revive it

[AleXSR700]

But you can see the device in e.g. nRF Connect? Try connecting there and see what it does.

[Ferrarista]

But you can see the device in e.g. nRF Connect? Try connecting there and see what it does.

I tried to connect via BLE Scanner, but I could do nothing from there.

[AleXSR700]

So it is advertising?
Maybe also try nRF Connect and see what it reports.

When you try to connect, no pin is shown on the display, right?
And you can control the TRV but not enter the menu?
Does the motor drive when you set the temp to max?

[Ferrarista]

So it is advertising? Maybe also try nRF Connect and see what it reports.

When you try to connect, no pin is shown on the display, right? And you can control the TRV but not enter the menu? Does the motor drive when you set the temp to max?

Ok, I will try with nRF Connect, even though I don't know what I can do. I think I would need to update the firmware again (as I have done with the other 5 modules after seeing what happened by deleting this one from the CalorBT app), but I don't see how this could be done via an app that is not the CalorBT.

Anyways I've decribed what happens: the thermostat works perfectly when controlled using the buttons, but as soon as I press the wheel for 3 seconds, the device shuts down (meaning no sign at all on the display) and stays like that until I remove the batteries.

[AleXSR700]

The idea with nRF connect was that it supports sending commands. So if you were lucky, maybe there is a command that allows the user to initiate a reset without entering the menu.

And question about motor was because I thought you maybe only tried switching around but not actually running the motor against real resistance. Just to ensure that there was not a battery issue.

So, if none of the above is the case then all I can think of is opening up the eQ-3 and checking for a reset soldering point.

[dbuezas]

Reset command: https://github.com/Heckie75/eQ-3-radiator-thermostat/blob/master/eq-3-radiator-thermostat-api.md#factory-reset

[Ferrarista]

The idea with nRF connect was that it supports sending commands. So if you were lucky, maybe there is a command that allows the user to initiate a reset without entering the menu.

And question about motor was because I thought you maybe only tried switching around but not actually running the motor against real resistance. Just to ensure that there was not a battery issue.

So, if none of the above is the case then all I can think of is opening up the eQ-3 and checking for a reset soldering point.

I managed to connect via nRF connect, but still I can't understand how I could use this to reset the device.

[dbuezas]

You can factory reset it from the wheel too, but don't put much hope into it. I had the same issue and Bluetooth never revived

[Ferrarista]

You can factory reset it from the wheel too, but don't put much hope into it. I had the same issue and Bluetooth never revived

I tried that, but this resets to the factory settings keeping the current firmware version. This does not solve the problem....

[AleXSR700]

@Ferrarista
Did you check David's link?
The app lets you send commands. So if you can connect, you might be able to send the reset command and with some luck that will fix the connection issues.

[Ferrarista]

@Ferrarista Did you check David's link? The app lets you send commands. So if you can connect, you might be able to send the reset command and with some luck that will fix the connection issues.

The app is not trivial at all. I can't really understand how I might send that command to the device.

[AleXSR700]

I am visiting family so cannot make a picture instruction but if you google how to send custom commands with nrf connect you will find instructions :-)

If not, I can check in a week when I'm back home

[Ferrarista]

I honestly gave up with that problem, but I'm experiencing another issue with all the other devices I have at home. All of them are now on 1.46 firmware and coupled to the Calor BT app. Still every time I try to change the temperature from the app, I get a notification from my phone that I sould couple that device (I'm on Android). Then after few seconds, this message disappears and I can regularly control the device. It's just really annoying having to remove the coupling notification each single time.

[AleXSR700]

I can only recommend taking the plunge and setting up a Home Automation system like Home Assistant.
So much more fun and better control of the eQ-3s.

[Ferrarista]

Could you elaborate? Thanks :)

[AleXSR700]

Well, you can control the eQ-3 from the Android app BTColor or whatever it was called. And if you have other devices like lamps or power sockets etc. you probably have one app per manufacturer.

An alternative is to set up e.g. Home Assistant (www.home-assistant.io) on a simple Raspberry Pi or any other mini computer and then control them all from there.

Essentially it is a software that allows control over all kinds of hardware, independent of manufacturer.
You can then create all kinds of automation (turn on when home, turn off when away and whatever else you can think of. You are no longer limited to the apps features.

But you will need a Raspberry Pi or similar.

[Ferrarista]

Ok, that's quite some work that I might do in the future. In the meantime it would be nice to have at least the Calor BT app working :)

[AleXSR700]

Have not used it in a long time. Not even installed. I saw it was updated recently. And ratings remain very low with lots of connection issues.

So all I can think of is uninstall the app and re-install the latest and reregister all devices. Maybe it will help. Fingers crossed :)

[xrayer]

Hi,
I got CC-RT-BLE-EQ device and installed calor BT 1.4.1 app to try. It worked fine until I tried to upgrade the BT FW. Upgrade process was finished without error but then I cannot pair with device anymore. The problem is when I press the rotary button for pairing that instead of pairing the display goes blank and it doesn't respond to any buttons like it was shutdown or in a deadlock. Only thing can be done is to remove and re-insert the batteries to restart it. It displays FW version 1.46 at power on and can be normally controlled by buttons but all attempts to pairing leads to hang. It doesn't advertise over BLE even BLE is on.
The problem was already described on a German forum here - more users meet this bug and there's no solution, but I read it too late so be warned that you may brick your device!
https://de.elv.com/forum/eqiva-bluetooth-n-kein-pairing-da-geraet-abschmiert-1.46-20210

Well as I'm naturally a bit curious I looked what's inside. Someone else before me already disassembled it and took nice photos: https://commons.wikimedia.org/wiki/Category:Disassembled_EQ-3_CC-RT-BLE-EQ
There are 2 chips, one Cypress BLE RF SoC with ARM Cortex-M3, probably dedicated for BLE functions and second 8-bit low power MCU STM8L052 with LCD muxed controller that do all the rest. I guess that FW update affect only the BLE chip. I noticed that on the PCB there are 2 programming "connectors" (rather say testpoint arrays) PRG1 and PRG2. One I figured is connected to STM8 and use one wire SWIM debun interface (+ RST#, VBAT, GND) and the PRG2 is for BLE chips, I guess some kind of SWD but as the chip has not accessible any legs I cannot figure exact pinout, it has to be determined trial-error. I think there would be possible to reflash the chip. If someone else is curious too and has proper tools he could try to connect to PRG2 and try if the chip is unlocked and can be dumped. I also found that calot BT APK contains 2 binary blobs: \res\raw\bleupdate.bin and \res\raw\bleupdate_2.bin there are also BASE64? or so update.enc and update_2.enc versions probably the same content as *.bin This may be used to flash? But the size is only 19kB so it's not a complette image with BLE stack, it would be just some application only. Maybe the BLE chip has some bootloader that can upload the image. calor BT 1.2.1 contains some older FW than 1.3.6 and 1.4.1 that may work. Anybody else here tried to play with it at low level?

[xrayer]

Well, I found that the CYW20735 BLE chip doesn't have any flash memory, it just has some internal ROM with BLE stack and RAM. The BLE application have to be loaded in RAM on every power up. It can be done via SPI or I2C from external flash/eeprom. This device doesn't have any ext.memory so it's obvious that BLE FW resides in STM8 MCU internal flashrom. It would be possible to reprogram BLE app there but...

I connected to the STM8L052C6 via SWIM with ST-LINK V2 and STVP tool told me that there's read protection so we cannot dump the flash and patch the BLE app there :( The only possibility would be to write a new firmware from a scratch, it doesn't worth...

[dbuezas]

That's a pity, i wished there would some day be a way to get the measured temperature from the valve.
Super interesting research by the way, 💪

[xrayer]

I have found a BLE debug/trace UART output at PRG2 con.pin 2, 115200 baud. There are a lot of interesting messages. I also found that my device can still advertise but due to bad FW update it happened that BLE on/off option on display menu got inverted. So when I set the BLE option to OFF it starts arvertising! And I can connect to it via nRF Connect from my phone. I tried to write 0xF0 byte for factory reset and it performed (same as if I trigger it from LCD menu) but it didn't fix anything. It seems like FW in STM8 MCU was not upgraded and new BLE FW behavior was changed and become incompatible together. If I could temporary connect BLE chip with some I2C EEPROM/SPI flashrom with old BLE FW version and boot it at power on then wiring it back to MCU pairing might work and then reflash it via old calor BT app (to get old BLE FW inside STM8 MCU)...

Here's the log of messages when I started pairing by push buttong and LCD goes blank, it's clear that something bad is happening - the unknown message indicates that new BLE FW doesn't understand old STM8 command (this repeats endlessly)...

Pack ADV Field perform
Pack ADV Field perform

GPIO-Interrupt detected
GPIO: TRUE
INTERRUPT CALLBACK handler started!
read data from UART fd
Startsign detected
read data from UART 91
Unknown MessageType
INTERRUPT CALLBACK handler started!
read data from UART 7e
read data from UART 67
GPIO-Interrupt detected
GPIO: FALSE
GPIO-Interrupt detected
GPIO: TRUE
INTERRUPT CALLBACK handler started!
read data from UART fd
Startsign detected
read data from UART 91
Unknown MessageType
INTERRUPT CALLBACK handler started!
read data from UART 7e
read data from UART 67
GPIO-Interrupt detected
GPIO: FALSE
GPIO-Interrupt detected
GPIO: TRUE
INTERRUPT CALLBACK handler started!
read data from UART fd
Startsign detected
read data from UART 91
Unknown MessageType
INTERRUPT CALLBACK handler started!
read data from UART 7e
read data from UART 67