Skip to content

tim-hilt/standing-desk-reverse-engineering

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.vscode
.vscode
 
 
assets
assets
 
 
data
data
 
 
README.md
README.md
 
 
decoding.ipynb
decoding.ipynb
 
 

Repository files navigation

Reverse-Engineering of Veyhl SKQ standing desk

This repository includes logic-analyzer-sessions as well as exported data and exploratory code that shows the progress of reverse-engineering the data-communication of my standing-desk.

Why am I even doing this?

My goal is to perform a man-in-the-middle-attack on the data-communication and adjust the transmitted data, so that

  • I don't have to keep pressing the button for a preset, until the desk is in the correct position
    • ⚠️ This functionality is a safety-feature called a deadman-switch and is a regularity enforced by law in some countries. Removing safety features almost always is a dumb idea.
  • The correct height is displayed on the display
    • It's not centimeters, it's not inches, but rather 2.14 cm / 0.84 in per unit of measurement
  • Add remote capabilities / integration into HomeAssistant

Hardware / Software

  • Target: Veyhl SKQ standing desk
  • Logic Analyzer: Saleae Logic Pro 8
  • Logic Analyzer Software: Saleae Logic 2

Reverse Engineering Results

  • Serial Protocol: 3 Wire SPI (Also called Bidirectional SPI or Half-Duplex SPI)

SPI Settings

SPI Settings

Wiring

Color Function
Black Chip Enable
Brown MOSI/MISO
Red Clock
Orange 5V
Yellow 5V
Green GND
Blue GND
Violet 5V

Data Transfer

Data Meaning Misc
First Byte 0xA5 Data from Control Panel
First Byte 0x5A Data from Motor Controller 0xA5 is exactly the inverse of 0x5A
0xA5 0xA1 0x00 0xFE Control Panel idle
0xA5 0xA1 0x04 0xFA Button 1 pressed
0xA5 0xA1 0x08 0xF6 Button 2 pressed
0xA5 0xA1 0x10 0xEE Button 3 pressed
0xA5 0xA1 0x02 0xFC Button 4 pressed
0xA5 0xA1 0x20 0xDE Button S pressed
0xA5 0xA1 0x40 0xBE Button "UP" pressed
0xA5 0xA1 0x80 0x7E Button "DOWN" pressed
0x5A 0x10 0xXX 0xXX Motor Controller reports desk height 3rd byte: 10s, 4th byte: 1s. Ex: 0x90 0x80 -> 91
0x5A 0x10 0x10 0x10 Motor Controller goes to sleep Does this mean that the motor-controller is master?

Miscellaneous

  • Control Panel sends "button pressed" sequence cyclically until the button is released

TODO

  • Record longer trace and see if
    • "desk stop behavior" can be detected
      • No
    • "desk at low security-boundary behavior" can be detected
      • No
    • Which other 0x5A-frames are there?
      • Found one more - controller goes to sleep
    • Are there any patterns (binary or otherwise) in the button-frames?
  • Implement passthrough with TinyGo

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages