Hacking Eaton Home Heartbeat Part 2: They’re Heeeeerrrrrreeee…

I received a box chock full o’ Eaton Home Heartbeat devices today. They are nice little devices, fairly well designed (if a bit boxy). I was up and running with a basic installation in a matter of minutes – very nice. Each sensor has a little slot on top where the hardware key fits; to add a sensor to the network you need only place the key in the slot and select ‘add device’ on the key. The key itself is a little Zigbee device with a backlit LCD and a scroll/click wheel (think mouse click wheel). Devices can be edited, renamed, and even removed from the network using this little device. Device naming seems fairly limited: one can select from a pre-defined list of names to use for a given sensor. Docking the key with the base station both recharges the key and (I assume) backs up its configuration to the base station. You can also set alarm types for different events – either a local alarm (which beeps the key and makes the display backlight color change to red) or a phone-based alarm, which I’ll get to later.

Given that the Eaton Home Heartbeat online service has now gone the way of the dodo, any functionality that used these capabilities is now long gone.

So here’s what I ordered on eBay:

  • 1 Home Heartbeat starter kit (includes base station, key, and one open/close sensor)
  • 2 Motion Detectors
  • 2 Garage Door Sensors
  • 2 Power Sensors
  • 1 Water Sensor
  • 1 Attention Sensor
  • 1 Reminder Sensor

I’ll be going into more detail about the specifics of each sensor as time goes on. I picked up these devices new in box from an eBay seller for $5 each – a heck of a bargain considering the hardware involved. Once I verified basic functionality I went back and ordered a couple more motion detectors and a spare key.

I was pleasantly surprised to see that the base station came with a USB port, doubly so after I noticed that the sensors were not, as I had previously hoped, seen by my ConnectPort X2.  This is not a complete surprise – with a bit of coding I could have an XBee speaking with the devices – but the fact that Eaton provided a USB port gave me hope that I would not have to venture down that particular path.

Plugging the base station into my Mac, I saw that it uses the ubiquitous FTDI USB/Serial driver. This caused me great joy, as I rather like decoding serial protocols, and it means that at a bare minimum I can “get in the front door” of the device.

A bit more plunking and I found that the device speaks at 38400, 8 data bits, no stop bits, and 1 parity bit.

!!!!RST2-PWR:BASE-000D6F000000FC5C/PC=3795/CH=9

Once in the serial terminal, hitting enter displays:

BASE-000D6F000000FC5C

Excellent – that looks suspiciously like a PAN ID, and the fact that it responded to a carriage return probably means we’re dealing with a fairly simple serial command interface. So, I started pushing keys and monitoring results. Most keys pressed simply respond with “:?unk”; another good sign. Here’s a quick table of results that I found:

| Key | Description | Notes |
|---|---|---|
| i | System Information | (see below) |
| p | Print Device List | (see below) |
| a | Toggle Debug Logging | (see below) |
| s | Show node status | (see below) Subsequent keypresses show next sensor in list; appears to be a circular linked list, as it always returns a value |
| l | Broadcast Message | (see below) displays “multicasthello?” – TODO: check this with debug enabled |
| v | Backups and Profiles Clear | WARNING – this deletes all node information WITHOUT CONFIRMATION. |
| b | Boot Loader | (see below) |
| m | Modem Test | Initializes Modem Test (Requires Eaton service, which is now disabled) |

System Information

Sending command ‘i’ displays information like the following:

node 000D6F000000FC5C, channel [0x09], power [0xFF], app [base]
version 1.00
Total buffers: 64
Free buffers: 64

Device List

Sending command ‘p’ prints a list of all registered nodes.

BIND="
BIND=00 00      L       0A      0A      000D6F000000FB32--FFFF
BIND=01 00      L       0A      0A      000D6F000000F479--FFFF
BIND=02 00      L       0A      0A      000D6F0000095193--FFFF
BIND=03 00      L       0A      0A      000D6F0000093BCB--FFFF
BIND=04 00      L       0A      0A      000D6F0000012897--FFFF
BIND=05 00      L       0A      0A      000D6F0000012883--FFFF
BIND=06 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=07 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=08 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=09 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=10 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=11 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=12 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=13 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=14 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=15 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=16 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=17 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=18 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=19 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=20 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=21 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=22 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=23 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=24 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=25 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=26 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=27 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=28 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=29 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=30 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=31 00      M       09      09      00000000001FEEEE--FFFF"

Items with an ID of “FFFFFFFFFFFFFFFF” are merely placeholders.

Debug Logging

Sending command ‘a’ toggles debug logging on and off.  Sample output is shown below.

Sensor Detail

Sending command ‘s’ prints the details for the next registered sensor. Once the last sensor is reached, it loops back to the first sensor. TODO: determine column names.
The following list shows this looping behavior.

STATE="01,FF,0080,0010,03,06,00,00,0000,00,0000,00,00,00000000,00,,"
STATE="02,00,0040,0002,03,05,08,00,0001,05,0000,00,FF,00000000,00,000D6F000000FB32,Home Key"
STATE="03,01,0024,0003,01,45,00,09,0002,43,0000,00,FF,00000000,00,000D6F000000F479,Front Door"
STATE="04,02,00B4,0004,01,79,00,16,0000,10,0000,00,01,00000000,00,000D6F0000095193,TV"
STATE="05,03,0034,0017,02,43,01,0D,0002,58,0000,00,01,00000000,00,000D6F0000093BCB,Kitchen"
STATE="06,04,0024,0018,01,65,00,01,0002,4A,0000,00,FF,00000000,00,000D6F0000012897,Garage Left"
STATE="07,05,0024,0018,01,65,00,02,0002,45,0000,00,FF,00000000,00,000D6F0000012883,Garage Right"
STATE="00,FF,0088,0001,00,81,00,00,0302,57,0000,00,00,00000000,00,,"
STATE="01,FF,0080,0010,03,07,00,00,0000,00,0000,00,00,00000000,00,,"
STATE="02,00,0040,0002,03,07,08,00,0001,07,0000,00,FF,00000000,00,000D6F000000FB32,Home Key"
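
The ‘p’ and ‘s’ listings above can be joined on the device address. The following Python sketch is an added example, not code from the original post: it parses both outputs positionally (the labels record, slot and raw are assumed here, since the column meanings are undocumented), stops when the circular ‘s’ list wraps, and checks an observation drawn only from this page's sample, namely that the second STATE field equals the BIND slot of the same address.

```python
# Constructed sample: a subset of the 'p' and 's' output shown on this page.
BIND_SAMPLE = '''BIND="
BIND=00 00      L       0A      0A      000D6F000000FB32--FFFF
BIND=01 00      L       0A      0A      000D6F000000F479--FFFF
BIND=06 00      x       FF      FF      FFFFFFFFFFFFFFFF--FFFF
BIND=31 00      M       09      09      00000000001FEEEE--FFFF"'''
STATE_SAMPLE = '''STATE="01,FF,0080,0010,03,06,00,00,0000,00,0000,00,00,00000000,00,,"
STATE="02,00,0040,0002,03,05,08,00,0001,05,0000,00,FF,00000000,00,000D6F000000FB32,Home Key"
STATE="03,01,0024,0003,01,45,00,09,0002,43,0000,00,FF,00000000,00,000D6F000000F479,Front Door"
STATE="00,FF,0088,0001,00,81,00,00,0302,57,0000,00,00,00000000,00,,"
STATE="01,FF,0080,0010,03,07,00,00,0000,00,0000,00,00,00000000,00,,"'''

def parse_bind(text):
    """Map slot number -> address, skipping the FFFF... placeholder rows."""
    slots = {}
    for line in text.splitlines():
        parts = line.strip().strip('"').partition("BIND=")[2].split()
        if len(parts) == 6 and parts[5][:16] != "F" * 16:
            slots[int(parts[0])] = parts[5].split("--")[0]
    return slots

def parse_state(line):
    """Split one STATE record positionally; 17 fields, the last is the name."""
    f = line.strip().partition('STATE="')[2].rstrip('"').split(",", 16)
    if len(f) != 17:
        raise ValueError(f"unexpected STATE record: {line!r}")
    return {"record": f[0], "slot": f[1], "raw": f[2:15], "addr": f[15], "name": f[16]}

def walk_once(lines):
    """Keep records until the first record ID repeats (the 's' list is circular)."""
    seen, out = set(), []
    for rec in (parse_state(l) for l in lines if l.strip()):
        if rec["record"] in seen:
            break
        seen.add(rec["record"])
        out.append(rec)
    return out

def inventory(bind_text, state_text):
    """Return (name, address, slot_matches_bind) for each addressed sensor."""
    # Assumption: STATE field 2 is the BIND slot in hex (FF = none), as in the sample.
    slots = parse_bind(bind_text)
    return [(r["name"], r["addr"], slots.get(int(r["slot"], 16)) == r["addr"])
            for r in walk_once(state_text.splitlines()) if r["addr"]]

if __name__ == "__main__":
    for row in inventory(BIND_SAMPLE, STATE_SAMPLE):
        print(row)
```

A False in the third column on real hardware would mean the slot assumption does not hold for that device, which is worth knowing before relying on either field as an index.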

Multicast Broadcast

Sending command ‘l’ presumably sends a multicast broadcast.  It cryptically responds with ‘multicasthello?’.

Bootloader

Sending command ‘b’ displays basic system information along with a boot loader menu.


1002
8 MHz EM2420
Ch:9

1.program upload (.bin image)
3.run program image
7.stack and application token defaults (.ebin image)
8.application token defaults (.ebin image)
advanced mode

Looks like this allows a new OS kernel upload as well as application image upload. Might be handy to look around the Eaton website for a kernel image to see what can be learned about the device.

The EM2420 (datasheet) is an embedded 802.15.4/ZigBee solution implemented as an 8-bit CPU.

Device Status: Normal Operation

The device constantly sends binary data to the serial port while connected; my next task is decoding this packet format to see if it contains any useful information. I will also send a message to Eaton requesting the packet format, but I don’t have high hopes about them responding with anything useful. No worries, I’m pretty good at decoding this type of protocol.

Binary Data Snippet Example

This is a snippet of data received from the device over the serial port:


Device Status: Debug

Here’s a sample of the debug log. Not sure how useful this is.

STATE=NEW
D=">14,2 -0 Mu-0-53/10 ACK:21,14!_0-14 d:53 d:53 Mu-0-22/10 eICUH: i(2) f(0) >53,20 -0 >37,6 -0 _0-53 wait:37,6 Mu-0-53/10 ACK:23,37!_0-37 >37,1 -0 d:53 wait:37,1 Mu-0-53/10 ACK:24,37!_0-37 >37,20 -0 d:53 wait:37,20 d:53 d:53 Mu-0-53/10 ACK:25,37!_0-37 >37,11 -0 d:53 wait:37,11 Mu-0-53/10 ACK:26,37!_0-37 >37,20 -0 wait:37,20 Mu-0-53/10 ACK:27,37!_0-37 >37,11 -0 wait:37,11 Mu-0-53/10 ACK:28,37!_0-37 >40,11 -0 wait:40,11 Mu-0-53/10 ACK:29,40!_0-40 d:53 d:53 d:53 Mu-5-57/10
[5]state0: 01->02
>53,13 -5 >73,19 -5 wait:73,19 _5-53 Mu-5-53/10 ACK:31,73!_5-73 d:53 d:53 d:53 d:53 "

STATE=NEW
D=">14,13 -0 Mu-0-53/10 ACK:32,14!_0-14 Mu-0-22/10 eICUH: i(2) f(0) >53,2 -0 >37,10 -0 _0-53 wait:37,10 Mu-0-53/10 ACK:34,37!_0-37 >37,13 -0 d:53 wait:37,13 d:53 d:53 Mu-0-53/10 ACK:35,37!_0-37 >37,10 -0 wait:37,10 Mu-0-53/10 ACK:36,37!_0-37 >37,13 -0 wait:37,13 Mu-0-53/10 ACK:37,37!_0-37 >37,3 -0 d:53 d:53 wait:37,3 d:53 d:53 d:53 d:53 Mu-0-53/10 ACK:38,37!_0-37 >37,11 -0 wait:37,11 Mu-0-53/10 ACK:39,37!_0-37 >40,11 -0 d:53 d:53 wait:40,11 d:53 d:53 d:53 Mu-0-53/10 ACK:40,40!_0-40  Batt.
Mu-6-56/10
[6]HB
>53,11 -6 _6-53
FOB all found 5,4: 1F
== FOB RANGE LOG ==
0x1F 0x1F 0x1F 0x1F 0x1F 0x1F

Mu-8-56/10
[8]HB
>53,19 -8 >73,1 -8 _8-53 wait:73,1 Mu-8-53/10 ACK:43,73!_8-73 d:53 d:53 Mu-0-56/10
[0]HB
>53,10 -0 _0-53 Mu-0-22/10 eICUH: i(2) f(0) >53,13 -0 >37,8 -0 _0-53 wait:37,8 Mu-0-53/10 ACK:46,37!_0-37 >37,11 -0 wait:37,11 Mu-0-53/10 ACK:47,37!_0-37 >37,8 -0 wait:37,8 Mu-0-53/10 ACK:48,37!_0-37 >37,11 -0 wait:37,11 Mu-0-53/10 ACK:49,37!_0-37 >37,8 -0 wait:37,8 Mu-0-53/10 ACK:50,37!_0-37 >37,11 -0 wait:37,11 Mu-0-53/10 ACK:51,37!_0-37 >40,11 -0 wait:40,11 Mu-0-53/10 ACK:52,40!_0-40 d:53 d:53 d:53  Batt.
Mu-6-56/10
[6]HB
!p

14 thoughts on “Hacking Eaton Home Heartbeat Part 2: They’re Heeeeerrrrrreeee…”

  1. I am impressed. Hopefully you can write an application to install in house (PC) for monitoring the home system (real-time) I am sure there will be plenty of customers looking forward to buy. I know there is a company called ATTIKIS that can understand the protocol and use as a service for homeheartbeat (EATON) customer. I actually did the same thing, but I am not a coder, however I do understand something. If you decide to code something let me know thanks …

  2. Thanks Joe! Haven’t had much time to play with this recently, but it looks favorable so far. I’m more interested in making the devices behave well with my own home automation solution, but everything I write will be made available and open-sourced for others to extend and use.

  3. Great info! Thanks for posting! I just picked up a starter kit and a motion sensor. I am trying to build a security system for my home with the sensors and an Arduino w/ Xbee adapter.

    I tried connecting to the RX and TX on the Mega64 chip inside of the motion sensor to see if I can use AT commands, but no dice. I’m a novice so I’m not sure what I’m doing wrong or if this just isn’t a function available on the sensor. Any advice? My primary goal is to just use the sensors without the base station, as the sensors are much nicer and cheaper than I can build myself. Thanks!

    1. The sensors that I have are based upon an integrated MCU/RF device from Ember, not an AVR device. As they already contain a micro controller and transceiver, it seems more practical to work with what is already in place. You can pick up the base stations for under 10 bucks on eBay as well… my goal with this project was to integrate the base station and sensors with my home automation solution. I’ll get back to it eventually!

  4. Hello there! Any luck with deciphering the protocol? I’m an HS user and have been into home automation since the JDS TimeCommander was hot stuff, but I just found out about Home HeartBeat, and was considering picking up some of the gear. I’m guessing that Eaton wasn’t forthcoming with protocol information, but were you able to pick out any patterns from the packets, based on the sensors being in the “on” and “off” states?

    1. No word back from Eaton regarding protocol. There is a data stream available via the USB/serial port which does seem to vary based upon sensor and action, but I have not had the time to decode it yet.

      The equipment is actually pretty nice; high quality construction, well documented name brand components inside. I would recommend keeping an eye out on eBay for equipment. At a minimum you will need a base station and a sensor.

      I’m hoping that it is possible to work directly with the micro controller in the base station… have a lot of learning to do before I can successfully pull that off, however.

      1. I found a couple multi-hundred page spec documents (“Zigbee Wireless Networking” and “ZigBee-Specification-2006”), and use protocol specs quite often, but I wasn’t able to cross-reference any of the information you posted above. There are a handful of devices on eBay at the moment, including a water sensor module, which would be really convenient to have. But there’s an awful lot of information being produced periodically from that thing, and it would probably take either a bit of luck or a bit of effort to figure out what’s relevant and what’s mundane. Well, I guess I’ll stop looking at this gear for now. You have my email address, so if you pick it back up again, and want to drop me an email, you know where I am! Good luck!

        1. I’ve also got a ZigBee sniffer on order in case that proves to be more valuable. Unfortunately, just because the devices use Ember ZigBee radios does not guarantee that they follow the ZigBee protocols. As Eaton has been less than forthcoming about technical details (at least with me), I’ll need to wait until I get the additional hardware to make this determination.

          I still like the notion of using these devices for my home automation system, as they are small, cheap, and look pretty nice. Anything that I built myself wouldn’t be nearly as pretty. The DIY/Maker sites are full of examples of the duct-tape, bare PCB, and dangly bits variety, but little in the way of finished products. Anything I hope to install has to pass the spouse test…

          In any case, thanks for the replies!

  5. I went ahead and purchased an Eaton starter kit and range extender last night on eBay, mostly because this blog post gave me some confidence that we will be able to figure out some more serial commands.

    When it arrives I will let you know what I can get out of it. I will also send some emails off to Eaton to see if they will respond with any more details.

    I am curious if it will respond to any AT commands similar to the x10 Pro 2000 security device.

    1. That’s odd. It’s an older FTDI chip, you might need to find an older driver. I rarely use Windows these days. Ubuntu and latest Fedora core recognize it out of the box, and the latest FTDI Mac driver still supports it…

      1. Got the Windows driver working.
        Needed to edit the Windows driver .inf files to
        include the specific hardware ID of the HomeHeartbeat Base (VID_0403&PID_DE29).

        For example:
        USB\VID_0403&PID_DE29.DeviceDesc="USB Serial Converter"
