[PLUG] Evil thermostat

Russell Senior russell at personaltelco.net
Wed Jan 5 18:59:32 UTC 2022


The FCC internal photos (if I have the right device) suggest it is a
Marvell SoC. The photos have a sticker over the chip, so I can't identify
it precisely. There is a largish 8-pin SOIC chip in one corner that looks
like serial NOR flash. If you can get the part numbers of the SoC and the
flash, that would help. I don't see an obvious serial console in the
photos, but the photos are a bit blurry.

On Wed, Jan 5, 2022, 10:46 Chuck Hast <wchast at gmail.com> wrote:

> The radio is a separate module you can plug two of them
> in, a Zigbee module and a WiFi module, there are some
> other ones also. I have the Wifi module. I will see which
> one of those it is. I will see how to remove the case from
> the thermostat board and see what is in there beside the
> screen.
> I am going to start a capture again and see what the port
> is, I thought I had saved the previous capture file but when
> I went to open it, could not find it.
> It is either checking different addresses until it finds
> something alive or one of those addresses is being activated.
> If I block the address in the router the time stays what I
> have set it to.
>
>
> On Tue, Jan 4, 2022 at 9:34 PM Russell Senior <russell at personaltelco.net>
> wrote:
>
> > Maybe this? FCC ID: QO8-WIFI-M-0210
> >
> > https://fccid.io/QO8-WIFI-M-0210
> >
> > On Tue, Jan 4, 2022 at 7:16 PM Russell Senior <russell at personaltelco.net> wrote:
> > >
> > > Those addresses are all in AWS address space, according to whois. As a
> > > previous commenter suggested, it might just be NTP. Did you notice
> > > what port the communication was happening over?
> > >
> > > Have you considered popping the case and seeing if there is a serial
> > > console port on their wifi module? It's reasonably likely it is
> > > running some ancient version of Linux. Is there an FCC-ID on the case?
> > >
> > > On Tue, Jan 4, 2022 at 6:49 PM Chuck Hast <wchast at gmail.com> wrote:
> > > >
> > > > Well folks, I was able to get Wireshark on the thermostat. I found
> > > > that it is trying to contact these addresses:
> > > > 54.209.187.172
> > > > 107.21.255.187
> > > > 3.214.34.120
> > > > Right now none are reachable. I am trying to figure out why this
> > > > thermostat is trying to reach those addresses.
> > > > When I do a whois, they come up as being hosted on Amazon...
> > > > I wonder if one of them comes awake every so often and the
> > > > thermostat gets the connection and receives a TZ change... So
> > > > far I have not been able to catch it doing so.
> > > > When I bought the unit I intentionally did NOT try to use the
> > > > cloud service, I have tried to get proper communications with
> > > > Radio Thermostat but so far only idiots... And they do not have
> > > > a published telephone number.
> > > >
> > > >
> > > > On Tue, Jan 4, 2022 at 4:53 PM Chuck Hast <wchast at gmail.com> wrote:
> > > >
> > > > > More info, this was the reply I got from the manufacturer
> > > > >
> > > > > > -----------------------SoF------------------------------------------
> > > > > Radio Thermostat <radiothermostat at tstatsupport.com>
> > > > > 1:10 PM (3 hours ago)
> > > > > to Info, me
> > > > > Hi,
> > > > >
> > > > > > If you are sure you have a WiFi module in the thermostat Model - RTMV-01
> > > > > >
> > > > > > Then check out the following to see and correct the time zone so the
> > > > > > thermostat will have the correct time:
> > > > >
> > > > > How to change time zone
> > > > >
> > > > > > First go to the web portal via a browser
> > > > > > https://my.radiothermostat.com/rtcoa/login.html
> > > > >
> > > > > (Note you will need to use the desktop version of the web site)
> > > > >
> > > > > Then log in and go to the person (then select location)
> > > > >
> > > > > select the location you want and click edit
> > > > >
> > > > > Go to the pull down for time zone and select your time zone
> > > > >
> > > > > Then click save
> > > > >
> > > > >
> > > > >
> > > > > > -----------------------------------EoF---------------------------------
> > > > > This is exactly what I have tried to avoid, I never registered
> > > > > the thermostat with their cloud. I have my personal reasons
> > > > > for not wanting my devices on someone's cloud if I can avoid
> > > > > > it. In this case that is exactly what I have tried to do.
> > > > >
> > > > > Now meantime, since the thermostat IP is static, I went into
> > > > > the firewall and set up a rule to drop any packets to/from
> > > > > the thermostat. No more time change, and I did that well over
> > > > > > an hour ago. I can still control the device on my LAN just
> > > > > dropping whatever is trying to reach the thermostat.
> > > > >
> > > > > This brings up the question, of who/what is it? I never
> > > > > registered the device with their cloud, indeed I bought
> > > > > it because it was one of the thermostats that did not
> > > > > require you to use an outside network to access it, (I am
> > > > > looking at you Honeywell, Nest and all of the rest of the
> > > > > > cloud only based devices). Now to see if I can get
> > > > > > Wireshark on a part of the network that can see that device.
> > > > > Suspend the rule and try to catch the packet session.
> > > > >
> > > > >
> > > > > > On Tue, Jan 4, 2022 at 9:41 AM Chuck Hast <wchast at gmail.com> wrote:
> > > > >
> > > > > >> Sorry, should have, no, there is not. But the interesting thing
> > > > >> is that as long as it cannot contact the network there is no
> > > > >> time change. I think I am going to go into the firewall and
> > > > >> make it drop all packets to/from the device and see what
> > > > >> happens. If that takes care of it then maybe allow it to talk
> > > > >> on the LAN but drop anything going to/from it on the WAN
> > > > >> side.  I would like to see what it is talking to. So far I have
> > > > >> not been able to catch it.
> > > > >>
> > > > > >> On Mon, Jan 3, 2022 at 11:00 PM Erik Lane <eriklane at gmail.com> wrote:
> > > > >>
> > > > > >>> You don't mention this, but since it's always 2 hours, is there a time zone
> > > > > >>> setting in there that has gotten off? Maybe it's talking to an NTP server?
> > > > > >>>
> > > > > >>> On Mon, Jan 3, 2022 at 8:49 PM Chuck Hast <wchast at gmail.com> wrote:
> > > > >>>
> > > > >>> > Folks,
> > > > >>> > Not sure where to take this but figured that I would get more
> > > > >>> > info here.
> > > > >>> >
> > > > >>> > I have a RadioThermostat CT80. I have had it now for several
> > > > >>> > years. As the summer wound down. I shut down the A/C and
> > > > >>> > opened the windows in the house. Then in Nov I needed to fire
> > > > >>> > up the heating, all appeared to be well, but I noticed that the
> > > > >>> > thermostat clock was 2 hours slow. I set it and a while
> > > > >>> > later see that it has lost 2 hours again.
> > > > >>> >
> > > > >>> > I have a home automation system. I checked the logs, and
> > > > >>> > contacted the author. He has a CT50 which has fewer bells
> > > > >>> > and whistles than mine but same unit. Anyhow he gave me
> > > > >>> > some guidance, in the end I shut down the HA system and it
> > > > >>> > still would drop the 2 hours, I powered the thermostat down
> > > > >>> > and removed the WiFi radio, powered it back up, it ran about
> > > > >>> > 4 hours (about 3 hours longer) and never dropped the 2 hours.
> > > > >>> > Normally it will go between 20 minutes and an hour after I
> > > > > >>> > have set it to the correct time, then drop back to the incorrect
> > > > > >>> > time. So this appears to indicate that it is either something
> > > > >>> > on the network that is doing the time change or something in
> > > > >>> > the WiFi radio.
> > > > >>> >
> > > > >>> > I am trying to sniff the network and see if I can catch any
> > > > >>> > weird packets. But this is one I have not done before.
> > > > >>> >
> > > > >>> > My router is a Mikrotik 2011, and I have been trying to use
> > > > > >>> > the tools on it to try to monitor the IP address of the
> > > > > >>> > thermostat and try to see if it is talking to something else. So far
> > > > >>> > no joy.
> > > > >>> >
> > > > > >>> > I am wondering about getting Wireshark in there and trying
> > > > >>> > to filter those packets that way as I am not having much luck
> > > > >>> > with the Mikrotik tools
> > > > >>> >
> > > > >>> > Any recommendations?
> > > > >>> > --
> > > > >>> >
> > > > >>> > Chuck Hast  -- KP4DJT --
> > > > >>> > I can do all things through Christ which strengtheneth me.
> > > > >>> > Ph 4:13 KJV
> > > > >>> > Todo lo puedo en Cristo que me fortalece.
> > > > >>> > Fil 4:13 RVR1960
> > > > >>> >
> > > > >>>
> > > > >>
> > > > >>
> > > > >> --
> > > > >>
> > > > >> Chuck Hast  -- KP4DJT --
> > > > >> I can do all things through Christ which strengtheneth me.
> > > > >> Ph 4:13 KJV
> > > > >> Todo lo puedo en Cristo que me fortalece.
> > > > >> Fil 4:13 RVR1960
> > > > >>
> > > > >>
> > > > >
> > > > > --
> > > > >
> > > > > Chuck Hast  -- KP4DJT --
> > > > > I can do all things through Christ which strengtheneth me.
> > > > > Ph 4:13 KJV
> > > > > Todo lo puedo en Cristo que me fortalece.
> > > > > Fil 4:13 RVR1960
> > > > >
> > > > >
> > > >
> > > > --
> > > >
> > > > Chuck Hast  -- KP4DJT --
> > > > I can do all things through Christ which strengtheneth me.
> > > > Ph 4:13 KJV
> > > > Todo lo puedo en Cristo que me fortalece.
> > > > Fil 4:13 RVR1960
> >
>
>
> --
>
> Chuck Hast  -- KP4DJT --
> I can do all things through Christ which strengtheneth me.
> Ph 4:13 KJV
> Todo lo puedo en Cristo que me fortalece.
> Fil 4:13 RVR1960
>
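
Added example, not part of the original thread: one way to answer the "what port?" question from a saved capture is to tally what the thermostat itself sends, by destination, protocol and port, and separate LAN control traffic from WAN traffic. The device address, the LAN prefix and the capture built by sample_pcap() are assumptions constructed for illustration (documentation addresses, classic pcap format rather than pcapng).

```python
import ipaddress
import struct
from collections import Counter

DEVICE = "192.168.88.50"                       # assumed thermostat address
LAN = ipaddress.ip_network("192.168.88.0/24")  # assumed home LAN prefix
SERVICES = {("udp", 123): "NTP", ("udp", 53): "DNS", ("tcp", 443): "HTTPS"}

def outbound_flows(pcap, device=DEVICE):
    """Count frames sent by `device`, keyed by (dst, proto, dport, scope)."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap, Ethernet")
    flows, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4
        l4 = 14 + (frame[14] & 0x0F) * 4       # honour the IP header length
        proto = {6: "tcp", 17: "udp"}.get(frame[23])
        src = str(ipaddress.IPv4Address(frame[26:30]))
        if proto is None or src != device or len(frame) < l4 + 4:
            continue                           # inbound, other host, or truncated
        dst = ipaddress.IPv4Address(frame[30:34])
        dport, = struct.unpack_from("!H", frame, l4 + 2)
        flows[(str(dst), proto, dport, "LAN" if dst in LAN else "WAN")] += 1
    return flows

def wan_summary(flows):
    """One line per WAN destination, naming the service if the port is known."""
    return sorted(f"{d} {p}/{port} {SERVICES.get((p, port), 'unknown')} x{n}"
                  for (d, p, port, scope), n in flows.items() if scope == "WAN")

def _frame(src, dst, proto, dport):
    """Constructed Ethernet/IPv4 frame: zero MACs and checksums, no payload."""
    l4 = struct.pack("!HH", 40000, dport) + bytes(4 if proto == 17 else 16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     *(ipaddress.IPv4Address(a).packed for a in (src, dst)))
    return bytes(12) + b"\x08\x00" + ip + l4

def sample_pcap():
    """Constructed capture; WAN hosts are RFC 5737 documentation addresses."""
    frames = [_frame(DEVICE, "203.0.113.10", 6, 443)] * 2 + [
        _frame(DEVICE, "203.0.113.20", 17, 123), _frame(DEVICE, "192.168.88.1", 17, 53),
        _frame("192.168.88.20", DEVICE, 6, 80)]   # inbound LAN control, not counted
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Calling wan_summary(outbound_flows(data)) on the bytes of a real capture file gives the same per-destination view, which is enough to tell plain NTP from a vendor cloud session before deciding what the firewall rule should drop.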


