Luxtronik firmware analysis

Motivation

I own a Alpha Innotec heatpump and wanted to integrate it into my Smart home. As a natural born tinkerer It was clear that I'm going to reverse engeneer what ever possible in order to achive my goal 🤓

Firmware updates

You can find the latest firmwar files here:

• Alpha Innotec
• Siemens Novelan
• CAT

The url is https://www.heatpump24.com/DownloadArea.php?layout=1&lang=5 and by changing the layout= GET parameterfrom 1 to 2 or 3 you get the download menu for one of the three manufacturers.

Heatpump models

See MODELS.md

Generated by heatpump_models.py

Firmware download and decompression

Can be done using luxtronik_firmware.sh. Results in an extracted firmware in the ./firmware subfolder, except for software 0 (see MODELS.md for reference).

You get this:

firmware
├── appl
├── appl.cfg
├── bootloader.lin
├── Defines.txt
├── index.html
├── lang_cz
├── lang_dan
├── lang_de
├── lang_ee
├── lang_en
├── lang_es
├── lang_fr
├── lang_hr
├── lang_it
├── lang_lt
├── lang_lv
├── lang_mag
├── lang_ned
├── lang_nor
├── lang_p
├── lang_pol
├── lang_ro
├── lang_sk
├── lang_slo
├── lang_suo
├── lang_sve
├── lang_tr
├── LWD.lin
├── LWDRev.lin
├── SWPH291.lin
├── SWPH.lin
├── SWP.lin
├── timezone
├── udhcpc.script
└── Webserver
    ├── base.css
    ├── base.jpg
    ├── index.html
    ├── jquery.js
    └── Lux.js

Or this:

firmware
├── appl
├── appl.cfg
├── ASB.bin
├── ASB_BL_Switch.bin
├── ASB_bootloader.bin
├── bootloader.lin
├── Defines.txt
├── HZIO.lin
├── index.html
├── LD2AG.lin
├── LWD45.lin
├── MSW_15.lin
├── MSW_Inverter.lin
├── RBE.bin
├── SEC.bin
├── share
│   ├── localtime
│   ├── passwd
│   └── shadow
├── timezone
├── udhcpc.script
└── Webserver
    ├── base.css
    ├── index.html
    ├── jquery.js
    ├── Lux.js
    ├── LuxSim.jpg
    └── saveIcon.png

Root password

😎 Yes, you can get the root password for your heatpump from a firmware update! I'm not sure if that's true for every firmware update but at least a couple I've tested.

1. Download and extract the firmware using luxtronik_firmware.sh
2. Run root_password.sh

SSH

The heatpumps run a fairly old version of Dropbear SSH server which does not support state of the art crypto cyphers. Therfore you have to specify a weak cipher in order to login.

Use ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc root@192.168.178.100 to get to the login prompt, be sure to replace 192.168.178.100 with the IP of your heatpump.

⚠ ATTENTION ⚠ You are logged in as root which mean that you can easily destroy your heatpump. Be careful with waht you do!

Edit April 2022:

The on my system installed OpenSSH client OpenSSH_8.9p1, OpenSSL 1.1.1n 15 Mar 2022 does no longer support the SSH protocol v.1 and therefore the command from above does no longer work. But I've added a Dockerfile together with a ssh config file and a stript to start the container and drop you in a shell within that container. From there you can ssh into the heatpump. make sure to adjust the IP address in the config file before you attempt log into your heatpump.

cd ssh
./legacy-ssh.sh

# You'll see a bash prompt saying
# bash-5.0#

ssh luxtronik

#Enter ssh passwort for root user and you're logged in 

Filetree

See FILETREE.md