Author Topic: Trane XL950 Thermostat  (Read 42668 times)

Offline Dominic

Re: Trane XL950 Thermostat
« Reply #60 on: June 03, 2016, 01:40:34 pm »
On the thermostat main screen, hit Help then About. It'll show you there.

Offline pdisme

Re: Trane XL950 Thermostat
« Reply #61 on: June 03, 2016, 01:53:39 pm »
Looks like I'm on version 3.0

Offline micro98

Re: Trane XL950 Thermostat
« Reply #62 on: June 03, 2016, 04:20:55 pm »
I have Software versions from 2.1, 2.2.2, 3.0, 4.0, 4.0.1, 4.0.3

3.0 will need to load up again and will try it on my new test T-stat that comes tomorrow. Found it on Craigslist for 100.00. Let the FUN begin :)
4.0  SSH is open but can get raptor21 to login
4.0.1 has SSH turned off
4.0.3 has the hard-coded users removed; don't recall if SSH is open or not
« Last Edit: June 03, 2016, 04:54:13 pm by micro98 »

Offline pdisme

Re: Trane XL950 Thermostat
« Reply #63 on: June 03, 2016, 04:28:46 pm »
Have you tried nmap against it?   Maybe 4.0.2 has sshd on a non-standard port?

Offline micro98

Re: Trane XL950 Thermostat
« Reply #64 on: June 03, 2016, 04:42:22 pm »

Just got in.  It appears it is buggy in that it will not let you access SSH from a remote subnet.  I was trying from my normal home wired vlan to the vlan where the thermostats are (since I don't trust them) and was getting either connection reset or connection closed.  I ssh'd to the router and from there to the XL950 via that network's interface and was able to log in with the raptor21 account:


I was getting this error too; it uses an old KexAlgorithms key. You need to add "diffie-hellman-group1-sha1" to the OpenSSH config.

$ ssh -v raptor21@10.0.1.46
...
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
Unable to negotiate with 10.0.1.46: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
« Last Edit: June 03, 2016, 04:51:40 pm by micro98 »

Offline micro98

Re: Trane XL950 Thermostat
« Reply #65 on: June 03, 2016, 04:47:29 pm »
Have you tried nmap against it?   Maybe 4.0.2 has sshd on a non-standard port?

Anyone have 4.0.2 that I can try? But currently I can't get the password Cold,,2100RRRRR to work on 4.0
« Last Edit: June 03, 2016, 11:17:25 pm by micro98 »

Offline hjkim

Re: Trane XL950 Thermostat
« Reply #66 on: June 04, 2016, 12:52:06 am »
In 4.0.2, on my new XL950 which I just had installed yesterday, port 22/SSH is not open.  Port 9999 is open and looks like a text automation interface (accessible over telnet), and gives some sort of challenge with an encoded or encrypted string:

1::evChallenge(0,"7C86E1D1AB0C0A790F5DA8DAC9D7671CCE86254F");

Other ports also appear to be open:
9037
39605
50871

If you telnet to port 9037, it dumps out the wifi network and key in plain text.  So, not particularly secure, although I suppose you do have to be on the network with it already to obtain this information.

I'm curious about this port 9999 process and what lives on it and what it is expecting.  Is it a custom binary?  A listener to a script or Java process that can be reversed so that we can communicate with it?  Maybe tinkering in an isolated environment with the upgrade file will yield some clues.

hjk
---

Offline micro98

Re: Trane XL950 Thermostat
« Reply #67 on: June 04, 2016, 06:16:41 pm »
I have Software versions from 2.1, 2.2.2, 3.0, 4.0, 4.0.1, 4.0.3

3.0 will need to load up again and will try it on my new test T-stat that comes tomorrow. Found it on Craigslist for 100.00. Let the FUN begin :)
4.0  SSH is open but can get raptor21 to login
4.0.1 has SSH turned off
4.0.3 has the hard-coded users removed; don't recall if SSH is open or not

Just received my new T-stat; it came with version 1.0 and I have not had a chance to upgrade it yet. Password is still not working with the raptor21 account.



Offline micro98

Re: Trane XL950 Thermostat
« Reply #68 on: June 05, 2016, 11:19:58 am »
In 4.0.2, on my new XL950 which I just had installed yesterday, port 22/SSH is not open.  Port 9999 is open and looks like a text automation interface (accessible over telnet), and gives some sort of challenge with an encoded or encrypted string:

1::evChallenge(0,"7C86E1D1AB0C0A790F5DA8DAC9D7671CCE86254F");

Other ports also appear to be open:
9037
39605
50871

If you telnet to port 9037, it dumps out the wifi network and key in plain text.  So, not particularly secure, although I suppose you do have to be on the network with it already to obtain this information.

I'm curious about this port 9999 process and what lives on it and what it is expecting.  Is it a custom binary?  A listener to a script or Java process that can be reversed so that we can communicate with it?  Maybe tinkering in an isolated environment with the upgrade file will yield some clues.

hjk
---

This "1::evChallenge(0,"7C86E1D1AB0C0A790F5DA8DAC9D7671CCE86254F")" looks like the line that is at the beginning of the log file that is saved when you enable logging in the setup menu. I use that to try to get some responses from telnetting to port 9999.

Have seen some interesting responses but nothing useful, figuring out how to construct is key.
1::login(a,a,a);
1::evError(LGIN,"","login attempt failed");

1::subscribe(0,0);
1::evError(PERM,"1::subscribe(0,0);","Permission denied.");

1::subscribe(TRUE);
1::evError(XOID,"1::subscribe(TRUE);","No such object.");

1.9.1::evSalt("01/01/2010","06:27:03");
1::evError(XMTH,"1.9.1::evSalt("01/01/2010","06:27:03");","No such operation.");


Constrants.rb shows this service starting up on port 9999.
Trying to make some sense of these Ruby SMILCommanderService.rb and SMILService.rb
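
Added example (not part of the posts above, and not the thermostat's own code): a small Python parser for the port 9999 lines quoted in this reply, for anyone logging what that listener sends. The `<object id>::<method>(<args>);` grammar and the names `parse_line` and `error_summary` are assumptions inferred only from the lines shown here.

```python
import re

# Constructed sample: the challenge and error lines quoted in the post above.
SAMPLE = [
    '1::evChallenge(0,"7C86E1D1AB0C0A790F5DA8DAC9D7671CCE86254F");',
    '1::evError(LGIN,"","login attempt failed");',
    '1::evError(PERM,"1::subscribe(0,0);","Permission denied.");',
    '1::evError(XOID,"1::subscribe(TRUE);","No such object.");',
    '1::evError(XMTH,"1.9.1::evSalt("01/01/2010","06:27:03");","No such operation.");',
]

# Assumed shape: <object id>::<method>(<args>);
LINE_RE = re.compile(r'^(?P<oid>[\d.]+)::(?P<method>\w+)\((?P<args>.*)\);$')

# evError echoes the rejected command verbatim with its inner quotes unescaped,
# so a naive split on '","' breaks on the evSalt line. Treat the echo as
# everything between the error code and the final quoted message instead.
ERROR_RE = re.compile(r'^(?P<code>\w+),"(?P<echo>.*)","(?P<text>[^"]*)"$')


def parse_line(line):
    """Return a dict for one protocol line, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    msg = {"oid": m["oid"], "method": m["method"], "args": m["args"]}
    if m["method"] == "evError":
        e = ERROR_RE.match(m["args"])
        if e:
            msg.update(code=e["code"], echo=e["echo"], text=e["text"])
    return msg


def error_summary(lines):
    """Map each error code seen to its human-readable message."""
    parsed = (parse_line(l) for l in lines)
    return {p["code"]: p["text"] for p in parsed if p and "code" in p}


if __name__ == "__main__":
    for code, text in error_summary(SAMPLE).items():
        print(code, "->", text)
```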


Offline hjkim

Re: Trane XL950 Thermostat
« Reply #69 on: June 06, 2016, 12:20:06 pm »
Well, I spent some time this weekend working through the Ruby scripts as well, and see some potential places to look.  I also attempted to do some disassembly on the SCC binary, which appears to be the brain of the operation.

My main goal is to control the unit remotely, so if I can use telnet or HTTP/S to issue commands and get status, then I'm fine with that.

Another thread I may pursue is man-in-the-middle (using SSL decryption) to view the JSON or other HTTP items going back and forth, even if that means signing up for Nexia web-based management.  Just need to convince my Tomato router to forward requests to my SSL-decrypting Fiddler proxy.  :)

hjk
---

Offline micro98

Re: Trane XL950 Thermostat
« Reply #70 on: June 07, 2016, 01:45:36 am »
Looking at some logs, I noticed that at the same time that I went into settings ~> Security ~> system password ~> Change password, the following happened:
Quote
Jun  7 01:09:04  auth.info passwd: Password for raptor21 changed by root
Jun  7 01:09:04  user.notice XCC: Changing password for raptor21
Jun  7 01:09:04  user.notice XCC: Password for raptor21 changed by root
Jun  7 01:09:04  auth.info passwd: Password for root changed by root
Jun  7 01:09:04  user.notice XCC: Changing password for root
Jun  7 01:09:04  user.notice XCC: Password for root changed by root
You can go into settings ~> Security ~> system password ~> Display password to see the current password. It might say "*Default password*" and cannot be displayed.

What is displayed in this field add RRRRR for the raptor21 account or AAAAA for the root account

Mine had my wifi password in this field; I may have set it a long time ago. I just factory defaulted my T-stat and now the default password is working on 4.0. This is why I could not get it working before.

So on boot it is loading an XML config file; this is why we were all seeing it change on boot.

« Last Edit: June 07, 2016, 01:56:38 am by micro98 »
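
Added example (not part of the post above): detection logic in Python for the behaviour these log lines show, where one password change from the thermostat menu rewrites both the root and raptor21 system passwords in the same second. The function names and the watched-account list are assumptions; the sample log is the quoted excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog excerpt quoted in the post above.
LOG = """\
Jun  7 01:09:04  auth.info passwd: Password for raptor21 changed by root
Jun  7 01:09:04  user.notice XCC: Changing password for raptor21
Jun  7 01:09:04  user.notice XCC: Password for raptor21 changed by root
Jun  7 01:09:04  auth.info passwd: Password for root changed by root
Jun  7 01:09:04  user.notice XCC: Changing password for root
Jun  7 01:09:04  user.notice XCC: Password for root changed by root
"""

# timestamp, facility.level, program, then the completed-change message.
# "Changing password for ..." lines are skipped: only completed changes count.
CHANGE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+[\w.]+\s\w+:\s'
    r'Password for (?P<user>\S+) changed by (?P<actor>\S+)$'
)


def password_changes(text):
    """Return {timestamp: set of accounts whose password changed then}."""
    events = defaultdict(set)
    for line in text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            # passwd and XCC both report the same change; the set dedupes.
            events[m["ts"]].add(m["user"])
    return dict(events)


def linked_changes(text, watched=("root", "raptor21")):
    """Timestamps at which every watched account changed in the same second."""
    need = set(watched)
    return [ts for ts, users in password_changes(text).items() if need <= users]


if __name__ == "__main__":
    for ts in linked_changes(LOG):
        print("root and raptor21 passwords changed together at", ts)
```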

Offline micro98

Re: Trane XL950 Thermostat
« Reply #71 on: January 23, 2017, 08:16:59 am »
Trane is no longer providing firmware updates to the consumer; all updates now need to be done by the dealer.  ::)

Offline lwriot

Re: Trane XL950 Thermostat
« Reply #72 on: July 06, 2017, 02:58:22 am »
*Bump*

Hey folks, I've been searching for ways to interface to my "Trane" 950 thermostat (mine is actually branded "American Standard", but I understand that's just a branding thing), and stumbled across this thread, which seems to have been abandoned.

Anyone still looking into this?  I'm a software developer, and am finding myself with some time on my hands, and curiosity about this device.

Given Trane's sketchy track record on device security (hardcoded passwords, really?), I'm not going to let this thing talk to the Internet, so Nexia, and all other online services are out.

I'd like to at least be able to get current status from the device, though.

At a minimum, I would love to understand the format of the SD card log file, so I can get statistics, e.g., external temperature, internal temp setpoint and actual temp, and humidity.

If we figure out nothing but the file format, we could use a WiFi SD card, configure the thermostat to log, and have an external machine periodically pull log files off the WiFi SD card directly.  Yes, that's a crass hack, but reading back in this thread, that seems to be an option we might have to go for...  I'd want to keep a careful eye on the temperature of the WiFi SD card -- if it heats up enough, it might affect the thermostat's internal temp sensor, and would totally crank the A/C in the summer, and back off the heating in winter!

OK, if anyone is still around, post a response!

Offline Drex

Re: Trane XL950 Thermostat
« Reply #73 on: August 21, 2017, 07:19:07 pm »
https://community.smartthings.com/t/how-do-you-control-a-nexia-thermostat-with-a-smartthings-hub/34046/14


There's the code, API, etc. for SmartThings...  should be transposable to us with appropriate LUUP syntax...  if you could do this, it would be awesome!!!

Offline funkspoc

Re: Trane XL950 Thermostat
« Reply #74 on: September 20, 2017, 11:09:06 pm »
Can someone send me the update files for the 950 thermostat? I'm stuck on 1.0 and can't connect to nexia without updating to at least 2.1.