ROTH Touchline – time to get owned!

October 8 Lars-Georg S. Paulsen 21 Comments

roth

I have JAVA, it sucks, it’s slow, it’s crashes, it’s awful, it’s ugly , I really don’t like it. So what do you do when your home is fitted with the latest super cool floor heating system from ROTH? And it got this crazy bad software, that could be useful, but really is not working as it should… let’s try and have some fun!

I’ve been in contact with ROTH and asked if there was an API I could use, so that I could develop a third-party sw to controll my system, but that was a clear no no. So I start digging. The software can be downloaded from http://www.roth-nordic.no/softwareoppdateringer.htm. So I could try reverse engineer the java, and see what was under the hood, but as I said before, I do not like JAVA…..

Let’s poke around..

HTTP/1.1 200 OK
Server: Keil-EWEB/2.1
Content-Type: text/html
Cache-Control: no-cache
Connection: close

Roth-Touchline-Wave-traadloes-romtermostat-m-display-Hvit-590027 (1)

Okey, so this is a embed web server that are handling my request…

Firing up Burp Suit, my new favourit tool, let it handle all my request.

The login is just a joke, you do not need the password of “1234”, there is no session handling, or anything.. so hurray for bad programing!

Interesting files:

ILRReadValues.cgi – This will give you all the info you ever want.
writeVal.cgi – This will write anything you want.

For ILRReadValues.cgi this are the interesting fields. They are all in the <item_list> tag.

totalNumberOfDevices  <– Gives you how many controllers you have. (I’ve got 10)
GX.RaumTemp <– Gives you the temperature for the room
GX.TempSIUnit<– Gives the unit, haven’t digged into this one, as mine is set to Celsius
GX.name <– Gives you the sensor name, if you have set on
GX.WeekProg<– What kind of program it’s running

Change out the X with the number for your sensor.

For writeVal.cgi

SollTemp=xxx (where xxxx is your desired temperature)
OPMode=1 = Night
OPMode=2 = Off / Holiday
OPmode=0 = Day
WeekProg=0 = Av
WeekProg=1 = Pro I
WeekProg=2 = Pro II
WeekProg=3 = Pro III

Let’s get some values, my roth system is running on x.y.z.k ip…

curl -s -k -X ‘POST’ \
-H ‘Content-Type: text/xml’ -H ‘User-Agent: SpiderControl/1.0 (iniNet-Solutions GmbH)’ \
–data-binary $'<body><item_list><i><n>G0.RaumTemp</n></i><i><n>G1.RaumTemp</n></i><i><n>G2.RaumTemp</n></i><i><n>G3.RaumTemp</n></i><i><n>G4.RaumTemp</n></i><i><n>G5.RaumTemp</n></i><i><n>G6.RaumTemp</n></i><i><n>G7.RaumTemp</n></i><i><n>G8.RaumTemp</n></i><i><n>G9.RaumTemp</n></i></item_list></body>’ \
‘http://x.y.z.k/cgi-bin/ILRReadValues.cgi’

This will give me

<body><item_list><i><n>G0.RaumTemp</n><v>2086</v></i><i><n>G1.RaumTemp</n><v>1903</v></i><i><n>G2.RaumTemp</n><v>1895</v></i><i><n>G3.RaumTemp</n><v>1999</v></i><i><n>G4.RaumTemp</n><v>2043</v></i><i><n>G5.RaumTemp</n><v>2188</v></i><i><n>G6.RaumTemp</n><v>2110</v></i><i><n>G7.RaumTemp</n><v>1710</v></i><i><n>G8.RaumTemp</n><v>2014</v></i><i><n>G9.RaumTemp</n><v>2012</v></i></item_list></body>

Here you can actually see my temperatures in my house… Nice and warm… 🙂

If i think G0 should be a bit warm I would set this to 24 degrees…

curl -i -s -k -X ‘GET’ \
-H ‘User-Agent: Mozilla/4.0 (Windows 8 6.2) Java/1.6.0_43’ \
‘http://x.y.z.k/cgi-bin/writeVal.cgi?G0.SollTemp=2400

Now I need to write this a php-wrapper, pull data from sensors once every X minutes, log it to database, has the option of controlling my sensors an so on..

21 Coments

  • janus30/11/2014

    I completely agree – Can anything good be said about java ? I guess the good part is that they seem to publish updates – I like that. Nothing worse than embedded systems that could be upgraded, but the manufacturer does not bother to do anything anymore.

    My favorite nuisance, is programming of the timers, when the pre-set ones doesn’t cover your households pattern. And they do not even allow that from the web-interface. Only locally from the thermostat !

    Happy hacking

    Janus

  • Daniel11/01/2015

    Great Script.

    You have write a php-wrapper file for the ROTH Tochline?

    Thank You

  • Thomas18/02/2015

    Nice work but unfortunatally I get an error message when I tried to run the curl POST request in a script on my raspberry.

    I trid to copy your approach as followed:

    curl -s -k -X ‘POST’ \
    -H ‘Content-Type: text/xml’ -H ‘User-Agent: SpiderControl/1.0 (iniNet-Solutions GmbH)’ \
    –data-binary $’G0.RaumTempG1.RaumTempG2.RaumTempG3.RaumTempG4.RaumTemp’ \
    ‘http://myIP/cgi-bin/ILRReadValues.cgi’

    The error is:

    /home/pi/bin/Roth: line 6: syntax error near unexpected token `(‘
    /home/pi/bin/Roth: line 6: `-H Content-Type: text/xml -H User-Agent: SpiderControl/1.0 (iniNet-Solutions GmbH) \’

    Could somebody please help ? (sorry I am an absolute beginner and I begin to dipair )

    Another question. My eventual goal is to integrate the “POST request” in FHEM homeautomation server. Does anybody has experiance on that?

    Thanks for help

  • Lars-Georg Paulsen20/02/2015

    Formating is making the ‘ wrong when you copy&past from my website.
    I give up trying to fix it, here is a small bash script you can test with…

    http://dev.n0ll.com/TechNet/touchline.sh

    And the POC for a php-wrapper is public as well –> http://dev.n0ll.com/2015/01/roth-touchline-poc-php-wrapper/

  • Kasper21/02/2015

    Briliant reverse engenieering, I don’t see any problem for a good programmer to integrate the Roth to a better Home Automation solution like Openhab for example. By using your scripts and description.
    First thing I will do is to save the temps in a database and make an alert if the temp drops in one of my rooms. Often when a Window is left open.

  • Matt27/11/2015

    I’ve just moved into a new apartment with a Roth Touchline.

    The software you describe is a Java applet presented through a simple webserver running on the master controller. Did you ever find the software the master controller is running? The user manual says it can be updated (to connect an old controller to a new one) but I can’t find a download for it.

    It would be interesting to see if there are further API calls which the Applet (and presumably iPhone app) don’t use.

  • Lars-Georg S. Paulsen27/11/2015

    Sw can be downloaded from roth download page –> http://www.roth-nordic.no/softwareoppdateringer.htm
    Latest software: http://www.roth-nordic.no/files/Touchline_update_august_2015.zip

    You could probably reverese engineer the iMaster, but I have not had a look at it..

    I’m still on Roth_März_2012.zip witch I got from ROTH via email

  • Kenneth Due29/11/2015

    I did a short python function that will return the temperatures

    #!/usr/bin/python
    # -*- coding: utf-8 -*-

    import re, os, rrdtool, time, urllib2, codecs
    from io import StringIO, BytesIO
    from xml.dom import minidom

    temperature = range (4)

    def read_floor():
    xmlout = “totalNumberOfDevices
    xmlout += “G0.nameG0.RaumTemp
    xmlout += “G1.nameG1.RaumTemp
    xmlout += “G2.nameG2.RaumTemp
    xmlout += “G3.nameG3.RaumTemp
    xmlout += “G4.nameG4.RaumTemp
    xmlout += “”
    #######
    # repeat with other zones
    #######

    r = urllib2.Request(“http://192.168.1.118/cgi-bin/ILRReadValues.cgi”, data=xmlout,headers={‘Content-Type’: ‘application/xml’})
    u = urllib2.urlopen(r)
    response = u.read()

    xmldoc = minidom.parseString(response)
    itemlist = xmldoc.getElementsByTagName(‘i’)
    varlist = range(25)
    ind = 0

    for node in xmldoc.getElementsByTagName(‘i’):
    varlist[ind] = str(node.toxml())
    print ind
    print varlist[ind]
    ind=ind+1

    temperature[0] = float(varlist[2][24:28])/100
    temperature[1] = float(varlist[4][24:28])/100

    #######
    # repeat with other zones
    #######
    return temperature

    print (read_floor())

  • Kenneth Due29/11/2015

    Mind the indentations !!!

  • Lars-Georg S. Paulsen30/11/2015

    See.. give somebody a way, and they will fix it! 🙂 Perfect…
    Good work

  • Kim14/01/2016

    What firmware do you have on your controller? I tried with 2.3 and it doesn’t work. I’m able to communicate with the controller, but cannot get any data. I do not have the exact error at this time.

  • Lars-Georg S. Paulsen14/01/2016

    I’m not sure, but if you need an older version, I can provide one, send me an email at lars.georg.paulsen[a]gmail.com

  • Mathias27/01/2016

    Great stuff Lars-George. I was just reverse engineering my Roth system and was halfway of getting it to work when I tried to google the cgi script name and found you post.

    I’m also interested in logging if the valves in the heating system are open or closed. I was going to put some microswitches on each regulator and log them with a Raspberry. Do you think there is a way to read if the valve for a room is open or closed through the cgi scripts?

  • Lars-Georg S. Paulsen27/01/2016

    Not as I know, since the cgi-bin script are not a part of the firmware. Looks like it’s hardcoded into the device… There might be a way in, if you upload a modfied version of the fireware, that will give you some kind of access to the system. But not sure what’s running on it…

  • david29/01/2016

    Having a problem with my roth temp stat losing signal it shows up an error. down stairs stat is wired up stairs battery I have moved it to other rooms still the same any advice why this is happening

  • Lars-Georg S. Paulsen30/01/2016

    @david: No idea, and since post is regarding hacking the touchline system, and your question is regarding connection problem between the temp sensor and toucline I would recommend to get in touch with ROTH, maybe you have a defect sensor…

  • Andre B.02/11/2016

    Mathias: Did you find a way for detecting the valve output status from the Touchline? I’m curious as this would be the next and interesting step.

  • Lars-Georg S. Paulsen03/11/2016

    I’m writing a new wrapup as we speak. The firmware has changed a little bit.

  • Andre B.04/11/2016

    @Lars-Georg: Interesting! Please let me know what you find out. 🙂

    I have an arduino pulling data from the Roth control unit every 15 seconds. I’m looking for a way to tell if the heating valves are open.

    Thank you.

  • Lars-Georg S. Paulsen08/11/2016

    As fare as I can see, there is no way to check if the valves are open or not, but you could use the RaumTemp and SollTemp variables. If RaumTemp is lower then SollTemp the valve should be open.

    The latest info on roth will be on this page; https://dev.n0ll.com/roth-touchline/

  • Andre B.09/11/2016

    Thank you,
    I’m now using the OPMode parameter, when this is 1 it means that it is in “night” or “eco” mode according to the weekly program. I’m then reducing the temperature setpoint for P-44 number of kelvins and checking wether the actual is lower than the setpoint which would give an engaged valve.

    Good luck with your project 🙂

    • Leave a Comments