The eQ-3 CC-RT-BLE is a decent electronic thermostat with bluetooth low energy support. But everyone who ever used python-eq3bt should have noticed that the devices don't need any kind of pairing. It was therefore possible to talk to them (when in range) without any kind of authorization. The pairing PIN used in the calor BT app was only verified inside the app itself - most likely as an additional check to avoid adding the wrong device.
More secure pairing update¶
This was changed with the calor BT 1.3.3 update and the integrated firmware 1.44. Instead of their pseudo-pairing, the normal pairing mechanism from the phone/tablet platform (for example Android) will be used when the user manually triggered the device firmware update. And at the same time, the length of the pairing PIN was increased to 6 digits.
The only thing the user has to do (in theory) is to:
install the app update using the App/Play store
go into each room in calor BT
go to each device in this room
select firmware update in the calor BT device settings
wait (while making sure that the phone/tablet doesn't go into standby) until the two timers for the update ended
Broken devices¶
But there are always problems in practice. So I ended up with 2/3 of my devices in a state where I was not able to talk to them anymore via bluetooth (but the other 1/3 were working fine). Reason for this seems to be a combination of two things:
calor BT 1.3.3 is not able to load (or store?) the currently configured rooms/devices/profiles/... and will therefore look like a fresh install after it was started again
the activation of the new pairing mechanism is done by calor BT and not by the firmware update itself. But the firmware itself will only display the 6 digit PIN on pairing (and not the 4 digit PIN which was displaying in the old firmware)
So what seems to have happened at my end was an unsuccesful second part of the pairing mechanism activation. And my phone's aggressive powersave decided to close the calor BT app at some point - causing a loss of the old pairing information. Adding the devices again to calor BT was also not working because it was asking for the 4 digit PIN and the device was displaying "000-" and "-255". And besides "000255" not being accepted during pairing, it actually looks to me like some kind of error code - but displayed the same way as the new 6-digit PIN.
Recovery¶
To recover such a device, various methods can be used:
figure out what the calor BT sends to the device to enable the new pairing mode
figure out how the old 4-digit PIN was calculated
Since we can be rather sure that the 4-digit PIN is only used by calor BT, I've tried to figure out how it was calculated. It just needs the serial number which can be calculated in two different ways:
Search for a sticker between the two batteries of the thermostat. It should have a string (something like "REQ0123456") and a barcode. The string is the needed serial number
Or retrieve the serial number over bluetooth. It needs various tools but is rather straight forward:
Figure out the BT-MAC of the device with a scanner like nRF connect or just hcitool (lescan) from BlueZ
Retrieve the serial number via eq3cli from python-eq3bt and the MAC address which was found in the last step:
$ eq3cli --mac 00:1A:22:00:11:22 device Firmware version: 144 Device serial: REQ0123456
The the rest of the recovery process will use the retrieved serial number.
Calculate the old style PIN using the full serial string (here using the python3 interactive shell)
serialno = "REQ0123456" pin = [] x = str((ord(serialno[3]) ^ ord(serialno[7])) % 10) pin.append(x) x = str((ord(serialno[4]) ^ ord(serialno[8])) % 10) pin.append(x) x = str((ord(serialno[5]) ^ ord(serialno[9])) % 10) pin.append(x) x = str((ord(serialno[0]) - ord('A') ^ ord(serialno[6]) - ord('0')) % 10) pin.append(x) print("".join(pin))Or use the integrated calculator: REQ0123456 ⇒ 4448
Add the device again in calor BT with the old pairing method and the calculated 4-digit PIN from the last step
go to the room view and select the re-added device
select firmware update again (calor BT will automatically skip the first phase)
wait until the timer ended
Hold the knob on the thermostat again to start a new pairing with a proper 6-digit PIN from the thermostat
If the shown PIN on the thermostat is again "000-" + "-255", remove the battery of the thermostat for a short period of time and afterwards repeat the last two steps again
Conclusion¶
I was able to recover my devices using this method. But I am still waiting to hear back from eQ-3 regarding the load (or store?) problems of the calor BT app since the 1.3.3 upgrade from 2020-12-14.