Improve support for Aqara / Xiaomi Curtain Drivers

I had some time to sniff the traffic between https://www.zigbee2mqtt.io/devices/ZNCLBL01LM.html and M2 hub. There’s a lot of things missing from the current integration so I tried to cover all. However, I don’t even know where to begin modifying the current converter set, as the Dev Console in Z2M doesn’t even allow me to send arbitrary Write Attributes. So I decided to dump my materials here and maybe we can work something out together. I was inspired to do this work after seeing https://github.com/Koenkk/zigbee2mqtt/issues/12639 and @keith-kl asking for captures 😉

All payloads: new pairing after hub reset.zip Keys for all payloads:

• 5a6967426565416c6c69616e63653039
• 78b478d6819198a527703a68ee94c29c

Actions which seem to be covered already

• Pause current movement
  • 3. pause button few times.pcapng
  • 8. open and click pause after few seconds.pcapng
• Open curtains
  • 4. open single time with auto stop due to overload at the end.pcapng
  • This one is special as device seems to report overload by beeping and presumably it’s one of the last messages in Zigbee too
• Identify device: 9. identify twice.pcapng

Actions which are implemented incorrectly

• Inverted mode
  • it seems like inverted mode doesn’t properly work in the current converter, as after calibration the 0-100% values are inverted correctly but the OPEN/CLOSE status is not
  • this normally is a part of manual calibration (see “calibration data” in the section below)

Actions which are NOT implemented

• Change “Pull to open/close” mode
  • Enable: 10. enable pull to close or open.pcapng
  • Disable: 11. disable pull top open or close.pcapng
  • Enable again: 12. reenable pull to open or close.pcapng
• Mounting/dismounting
  • The app allows removal and installation on the rail (e.g. for battery charging)
  • 19. release from rail.pcapng
  • 20. lock onto rail.pcapng
• Ambient light linkage
  • This one I’m not sure as to how is handled. Logically it should be reporting light levels.
  • In the Aqara app the UI looks like this:
  • I made some observations regarding this
    • The UI does NOT send any Zigbee data when things are changed. Changes are made only when “Save” button is pressed on the screen above.
    • Changing “Valid Period” settings doesn’t alter device configuration (so it’s probably “cloud-smart”)
    • The “Valid Period” screen has a separate “Save” button which does nothing in terms of Zigbee comm 😃
  • Relevant captures
    • 13. enabled ambient light linkage with default setting of curtain state off and every day 10am to 4pm.pcapng
    • 14. disable ambient light linkage with default settings as in 13.pcapng
    • 15. enable ambient with position at 69 percent.pcapng
    • 16. enable ambient with 69 percent and 11am-4pm period.pcapng
    • 17. enable ambient with 69 percent and 12-4p period.pcapng
    • 21. shine light for 340s and remove light after that till the end.pcapng <= this may contain light sensor value
• Calibration data
  • This seems to a rather complex but very important part
  • When calibration was already performed it is indicated in one of the attributes as the app displays a warning about that: 18. try auto calibration 3x without starting it (it shows a warning at this stage).pcapng
  • Calibration data can be erased with as single command: 23. clear calibration.pcapng
  • The app offers manual and “intelligent” calibration
    • The automatic one was recorded in dumps 24 & 25
    • I have a (untested) suspicion that the automatic one is no different than manual except that it automatically presses buttons 😄
    • I recorded the flow of the manual one trying to sync the video (RPReplay_Final1668319415.MP4) and PCAP (22. see video recorded at 2359 on noveber 12.pcapng) while also making long pauses between commands

Appendix: sniffing Aqara hub

Normally Aqara M2 has additional security (?) built-in which prevents sniffing. Transport Key is never exchanged during pairing, so it’s most likely static for every new product or possibly product+firmware combo. However, there’s a way to go around that since Aqara devices work without the hub + hub supports legacy devices.

To get the keys you need some active non-Aqara device like a switch, I used an Ikea rotary knob:

1. Start “add new device” flow on the hub, which counts from 60s to 0
2. Put a non-aquara dummy device (e.g. IKEA switch) in a pairing mode next to the hub quickly
3. wait a few seconds
4. Put Aqara device you want to sniff (e.g. curtain driver) in pairing mode
5. Viola, the device pairs. If it doesn’t or it times out observe Wireshark if the key is exchanged in 2.; sometimes 4. fails too for no reason.
6. Wireshark shows that the hub reuses the Transport Key which was requested by the IKEA switch to pair the curtain driver and that key allows for decryption of the Device Announcement which has the key to decrypt hub<>curtain driver communication
7. Profit 😄