Skip to content

Latest commit

 

History

History
136 lines (110 loc) · 5.54 KB

H5086.md

File metadata and controls

136 lines (110 loc) · 5.54 KB
Raw

H5080 - Bluetooth/Wifi Smart Plug

Contributors


reydanro

Implemented Packets

  • Read state
  • Change state
  • Firmware version
  • Hardware version
  • Update timer settings
  • Update auto-on
  • Update auto-off

The H5086 is much like the H5080, but adds the ability to monitor power usage The protocol is very similar to the H5080, but there are minor differences Check the Products/H5080 folder for a set of example scripts to get you started communicating with the device.

Communication protocol

The protocol is identical to the H5080, using the same Characteristics.

Authentication

Authentication is the same as the H5086

On/Off state

You can inspect the state of the smart plug in 2 ways:

  • Connection-less
    • This is a far cheaper way to obtain the state as it does not rely on you setting up an actual bluetooth connection
    • The device will send the current on/off state as part of the advertisement data
  • Connection-based
    • Once you establish a connection, the device will stop broadcasting its advertisement data so in order to read the latest state you will need to use the command/response protocol to check this.

Connection-less From the advertisement data, inspect the manufacturer data field. The last byte in that data array will be a boolean flag describing the current state (0x00 for off, 0x01 for on).

Connection-based Send an AA01 packet and wait for an AA01 response. The first byte in the payload will be a boolean flag with the current state.

Packets

Get device on/off state (AA01)

Send: aa01 0000000000000000000000000000000000 ab
Recv: aa01 0100000000000000000000000000000000 aa (if on)
      aa01 0000000000000000000000000000000000 ab (if off)

Get device power measurement (AA00)

Send: aa00 0000000000000000000000000000000000 aa
Recv: ee19 00198b 000026 2f3d 0091 004465 64 000000 85
           ^^^^^^----------------------------- time powered on in seconds
                  ^^^^^^---------------------- accumulated power (measured in 1/10 of a Wh)
                         ^^^^----------------- Voltage (in 1/100 of a Volt)
                              ^^^^------------ Current (in 1/100 of an Amp)
                                   ^^^^^^----- Power (in 1/100 of a Watt)
                                          ^^-- Power Factor (in %)

Get device firmware version (AA06, AA20, AA21)

There seem to be multiple packet identifiers that return the firmware version. Not sure what their purpose is, maybe it's some backwards compatibility thing

Send: aa06 0000000000000000000000000000000000 ac
Recv: aa06 312e30302e323100000000000000000000 9e
            1 . 0 0 . 2 1

Get device hardware version (AA07)

Send: aa07 0300000000000000000000000000000000 ae
Recv: aa07 03312e30322e3030000000000000000000 9d
              1 . 0 2 . 0 0

Get authentication key (AAB1)

Send: aab1 0000000000000000000000000000000000 1b
Recv: 
      aab1 00 687ea542cc1d267e0000000000000000 63 (invalid key)
      aab1 01 0db6be06253334300000000000000000    (valid key)

To determine if the response has a valid or invalid key you must inspect the first byte of the payload. If it's 0x01 then the response has a valid key.

The authentication key will be in the payload and starts with the second byte in the payload. In the example above, 0db6be06253334300000000000000000 is the valid key.

Authentication current connection (33B2)

Send: 33b2 0db6be0625333430000000000000000000 97
Recv: 33b2 0000000000000000000000000000000000 81 (if key is correct)

The send message contains the authentication key in the payload section. If the key is less than the expected size of payload (17 bytes) then you should pad it with 0x00 at the end.

If the authentication key is incorrect, there will be no response received from the device.

Set the on/off state (3301)

Turn On
Send: 3301 0100000000000000000000000000000000 33
Recv: 3301 0000000000000000000000000000000000 32

Turn Off
Send: 3301 0000000000000000000000000000000000 32
Recv: 3301 0000000000000000000000000000000000 32

You must go throuogh the authentication flow before you send any of these on/off messages. Otherwise, you will not receive a response if you send a 3301 message.

Control indicator light

Send: 3316 01 00 00 17 3b 01 0000000000000000000000 09
           ^^ --------------- Disable state indicator light (1: Enabled, 0: Disabled)
              ^^ ------------ Indicator light enable start-time - Hours
                 ^^ --------- Indicator light enable start-time - Minutes
                    ^^ ------ Indicator light enable end-time - Hours
                       ^^ --- Indicator light enable end-time - Minutes
                          ^^- Use timer for indicator ligt (1: Yes, 0: No)
Recv: 3316 0000000000000000000000000000000000 25

Lock physical button

Send: 331f 0201000000000000000000000000000000 2f
             ^^ - 1: Button is locked, 0: button is unlocked
Recv: 331f 0000000000000000000000000000000000 2c

Other messages

There is more functionality of H5080 device that hasn't been mapped yet. The device is capable of maintaining its own schedule to turn on or off and it's able to have auto-on and auto-off features after a timer expires. There are probably more messages to read and write this configuration, as well as possibly synchronizing the time so that the schedule could be applied.