Z-Wave Packets

When turning on one switch:

Mag: -30.15, Time: 2018-06-17 13:32:27 [f0d66dec2c0141060d042501ff100000..]
Mag: -23.62, Time: 2018-06-17 13:32:27 [f0d26dec2c0403060a018e00..]
Mag: -26.69, Time: 2018-06-17 13:32:27 [f0d66dec2c0441090d012503ff1d00..]
Mag: -30.11, Time: 2018-06-17 13:32:27 [f0d66dec2c0103090a048100..]

When turning off the same switch:

Mag: -30.38, Time: 2018-06-17 13:33:45 [f0d66dec2c0141070d04250100ee00..]
Mag: -21.80, Time: 2018-06-17 13:33:45 [f0d66dec2c0403070a018f00..]
Mag: -22.77, Time: 2018-06-17 13:33:45 [f0d66dec2c04410a0d01250300e100..]
Mag: -30.52, Time: 2018-06-17 13:33:45 [f0d66dec2c01030a0a04820000..]

Turning on a second time:

Mag: -30.77, Time: 2018-06-17 13:35:16 [f0d66dec2c01410a0d042501ff1c00..]
Mag: -24.04, Time: 2018-06-17 13:35:16 [f0de6dec2c04030a0a018200..]
Mag: -28.45, Time: 2018-06-17 13:35:16 [f0d66dec2c04410e0d012503ff1a00..]
Mag: -30.92, Time: 2018-06-17 13:35:16 [f0d66dec2c01030e0a04860000..]

 

Turning off a second time:

Mag: -30.88, Time: 2018-06-17 13:35:55 [f0d66dec2c01410b0d04250100e200..]
Mag: -20.82, Time: 2018-06-17 13:35:55 [f0d66dec2c04030b0a01830000..]
Mag: -23.79, Time: 2018-06-17 13:35:55 [f0d66dec2c04410f0d01250300e400]
Mag: -30.78, Time: 2018-06-17 13:35:55 [f0d66dec2c01030f0a048700..]

 

By comparing the two packets used to start a “turn on” procedure:

Mag: -30.15, Time: 2018-06-17 13:32:27 [f0d66dec2c0141060d042501ff100000..]
Mag: -30.77, Time: 2018-06-17 13:35:16 [f0d66dec2c01410a0d042501ff1c00..]

We see that the only byte changing is the 8th byte (apart from the CRC). It changes from 0x06 to 0x0a. This is then probably just a number to identify a specific request.

By comparing the “turn on” packet with the “turn off” packet:

Mag: -30.15, Time: 2018-06-17 13:32:27 [f0d66dec2c0141060d042501ff100000..]
Mag: -30.38, Time: 2018-06-17 13:33:45 [f0d66dec2c0141070d04250100ee00..]

We see that the 8th byte changes here as well, and so does the 13th byte. It is 0xff when turning on and 0x00 when turning off.

By comparing the first packet from the hub device with the receiver:

Mag: -30.15, Time: 2018-06-17 13:32:27 [f0d66dec2c0141060d042501ff100000..] 
Mag: -23.62, Time: 2018-06-17 13:32:27 [f0d26dec2c0403060a018e00..]

We see that the 6th byte changes (the device id) while the 8th byte (request ID) remains the same. The 7th byte changes from 0x41 to 0x03, which may indicate the packet type, where 0x41 is a request and 0x03 is an acknowledgement.

The end of the first packet (before the CRC) looks like 0x0d042501ff, while the second packet ends with 0x0a01. The first byte of each is decimal 13 and decimal 10 respectively, which could be the length of the packet up to and including the CRC bytes.

By comparing the first packet from the hub device with the first “request packet” from the receiver:

Mag: -30.15, Time: 2018-06-17 13:32:27 [f0d66dec2c0141060d042501ff100000..] 
Mag: -26.69, Time: 2018-06-17 13:32:27 [f0d66dec2c0441090d012503ff1d00..]

We see that the 6th byte (device id) changes, the 8th byte (request id) changes, and the end of the packet changes from 0x0d042501ff to 0x0d012503ff. The second of these bytes looks like the address of the receiver. The 7th byte remains the same.

Mag: -30.15, Time: 2018-06-17 13:32:27 [f0d66dec2c0141060d042501ff100000..] 
                                        <><------><><><><><><---<><> 
                                        a b       c d e f g h   i j
a: sync word (0xf0)
b: network id
c: device id (central hub seems to be 0x01)
d: packet type (0x41: request, 0x03: ack)
e: request id
f: length of packet
g: device id of receiver
h: unknown
i: on(0xff) / off(0x00)
j: CRC
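
The field layout above, written out as a parser and run on three of the captured lines (an added example, not code from the original post). The name `parse_frame` is hypothetical, and treating field j as a one-byte XOR checksum seeded with 0xff is an assumption the post does not make; under it, the hub's packets verify and the ack whose network id reads d26dec2c does not.

```python
import re

PACKET_TYPES = {0x41: "request", 0x03: "ack"}   # field d, as inferred above
STATES = {0xFF: "on", 0x00: "off"}              # field i
HEX_RE = re.compile(r"\[([0-9a-fA-F]+)")

def parse_frame(line):
    """Split one capture line into the fields a-j identified in the post."""
    m = HEX_RE.search(line)
    if not m:
        raise ValueError("no hex payload in line")
    raw = bytes.fromhex(m.group(1))
    if len(raw) < 11 or raw[0] != 0xF0:          # a: sync word
        raise ValueError("too short or missing 0xf0 sync word")
    length = raw[8]                              # f: network id through CRC
    if length < 10 or len(raw) < 1 + length:
        raise ValueError("length field does not fit the capture")
    frame = raw[1:1 + length]                    # drop sync word and padding
    fields = {
        "network_id": frame[0:4].hex(),          # b
        "device_id": frame[4],                   # c
        "type": PACKET_TYPES.get(frame[5], hex(frame[5])),  # d
        "request_id": frame[6],                  # e
        "length": length,                        # f
        "receiver_id": frame[8],                 # g
        "crc": frame[-1],                        # j
    }
    if length == 13:                             # layout of the on/off requests
        fields["unknown"] = frame[9:11].hex()    # h
        fields["state"] = STATES.get(frame[11], hex(frame[11]))  # i
    # Assumption, not from the post: j = 0xff XORed with every earlier byte.
    check = 0xFF
    for b in frame[:-1]:
        check ^= b
    fields["crc_ok"] = check == frame[-1]
    return fields

# Three lines copied from the captures above.
SAMPLES = [
    "Mag: -30.15, Time: 2018-06-17 13:32:27 [f0d66dec2c0141060d042501ff100000..]",
    "Mag: -23.62, Time: 2018-06-17 13:32:27 [f0d26dec2c0403060a018e00..]",
    "Mag: -30.38, Time: 2018-06-17 13:33:45 [f0d66dec2c0141070d04250100ee00..]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_frame(s))
```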

 
