Coen Stange

Software Engineer @ Tesla

I'm a software engineer with a strong passion for functional programming and a solid background in continuous integration, continuous delivery, and Kubernetes. Outside of work, I'm a proud father of two beautiful daughters.

I have been very fortunate to be able to buy a brand new house. The house was delivered with a heatpump system and floor heating. To my surprise, the heatpump installation doesn't have any display or buttons like I was used to on a central heating system. Instead, the heatpump should be connected to a Windows computer with a special service cable. The heatpump and floor heating units all have an RJ45 jack that connects to that service cable. Without knowing this it is easy to assume that the heatpump can simply be connected with an internet cable, but that isn't the case.

The service cable cost an extortionate amount; back when I was a teenager you could buy a Wii for that amount. But considering that I will use the heatpump and floor heating system for decades and I wanted to install an extra thermostat in another room, it was a price I was willing to pay. I requested the floor heating maps from the builder of the house, and I am happy to share that I installed 2 extra thermostats in 2 rooms that became more comfortable after installing them.

Luckily the service software was freely available from Itho Daalderop. With that application I could connect to the heatpump and floor heating using the service cable. The service tool has different levels; the higher the level, the more options are available in the tool. By default, on its lowest level, it only allows reading values, which is already useful to see what errors the system is giving. At the bottom of the page I shared the "level 9" highest-level service passwords that should give access to all the features of the tool. These codes are only shared by Itho Daalderop after following training with them.

I used ILSpy to decompile the binary, and to my surprise the binary wasn't obfuscated. Obfuscation can slow down reverse engineering efforts. I found that the service passwords were stored in an MS Access database. But the passwords weren't in plain text there; instead there was a hashing function that went over the password. Using different values for multiplication and modulo, this code mapped to multiple passwords with different levels of control.

I copied the decompiled hash function over into a fresh C# project and tried converting the VisualBasic code into the C# equivalent. That was a mistake that gave me wrong passwords. I just left the code as ILSpy gave it to me, imported Microsoft.VisualBasic, and it worked like a charm.

Itho Daalderop Service Software passwords
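| Name NL | Name EN | Service password |
| --- | --- | --- |
| CAS 2 ECO FAN | CAS 2 ECO FAN | 4027 |
| Luchtgordijn | Air curtain | 5871 |
| GGBB | GGBB | 7228 |
| CZB | CZB | 8697 |
| LaadBoiler | LoadBoiler | 1018 |
| HRU | HRU | 1161 |
| DemandFlow | DemandFlow | 1326 |
| Autotemp | Autotemp | 1473 |
| OLB | OLB | 1628 |
| CO2relais | CO2relay | 1789 |
| Aquamax | Aquamax | 1959 |
| BR-V | BR-V | 2116 |
| CVE | CVE | 2272 |
| BR-R | BR-R | 2440 |
| AreaFlow | AreaFlow | 2606 |
| Vert. boily | Vert. boily | 2773 |
| Bootloader | Bootloader | 2941 |
| RF_CO2 sensor | RF_CO2 sensor | 3097 |
| E_Faucet | E_Faucet | 3285 |
| E_Boiler | E_Boiler | 3460 |
| Sniffer / RF+ | Sniffer / RF+ | 3616 |
| Warmtepomp | Heatpump | 3778 |
| RF_RV | RF_RV | 3946 |
| BoostWP | BoostWP | 4857 |
| RF_VI | RF_VI | 6662 |
| HRU-250 | HRU-250 | 7875 |
| BR2_Hand | BR2_Hand | 9384 |
| BR2_Aansluitset | BR2_Aansluitset | 9623 |
| CAS 3 | CAS 3 | 1132 |
| MultiBoiler | MultiBoiler | 1245 |
| HPMI | HPMI | 1370 |
| reserve_4 | reserve_4 | 1552 |
| reserve_5 | reserve_5 | 1667 |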