The main info about the eQ3 Cube Protocol comes from these sources:
- http://www.domoticaforum.eu/viewtopic.php?f=66&t=6654
- https://github.com/bietiekay/hacs/tree/master/tools/MAXDebug
- decompiling the Original MAX Software from eQ3/ELV
- http://www.adreamerslair.nl/category/homeautomation/
But i have seen that some of the information that is provided there is not correct (at least for my cube which runs firmware verison 1.1.3). For that reason i've started to describe the protocol here, so that everybody can contibute and profit.
Feel free to send me pull request or open an issue to help me getting this right!
All information in this file are valid (or at least work for me) with cube version 1.1.3.
The cube provides the possibility to send a broadcast UDP packet to the network and as soon as it receives it, it answers and we know its IP from that packet.
This is the data (19 Byte) one must broadcast or multicast to UDP port 23272 to get an answer from the cube.
0000000000: 65 51 33 4D 61 78 2A 00 2A 2A 2A 2A 2A 2A 2A 2A eQ3Max*.********
0000000010: 2A 2A 49 **I
To find a specific cube on the network replace the * (2A) with the serial. Hence to find a specific cube send a discovery packet with the content: "eQ3Max*\0" + serialnumber + "I"
The answer (26Byte) can be received on UDP Port 23272 and looks like this:
0000000000: 65 51 33 4D 61 78 41 70 4B 45 51 30 35 32 33 38 eQ3MaxApKEQ05238
0000000010: 36 34 3E 49 00 09 7F 2C 01 13 64>I...,..
It consists of the following parts:
Description Length Example Value
=====================================================================
Name? 8 eQ3MaxAp
Serial number 10 KEQ0523864
Request ID 1 >
Request Type 1 I
RF address 3 097F2C
Firmware version 2 1.1.3
The most important info of this reply is the IP address that coumes with the UDP packet. This is a wireshark dump of the received packet:
No. Time Source Destination Protocol Length Info
679 228.941379000 192.168.178.22 192.168.178.23 UDP 68 Source port: s102 Destination port: s102
Frame 679: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0
Ethernet II, Src: Eq-3Entw_03:81:6c (00:1a:22:03:81:6c), Dst: IntelCor_52:e2:50 (24:77:03:52:e2:50)
Internet Protocol Version 4, Src: 192.168.178.22 (192.168.178.22), Dst: 192.168.178.23 (192.168.178.23)
User Datagram Protocol, Src Port: s102 (23272), Dst Port: s102 (23272)
Data (26 bytes)
You can clearly see the source IP 192.168.178.22
There are several other UDP request types
I Identify
N Get network address
h get URL information
c get network default info
The network request needs to be made for a specific device hence the request "eQ3Max*\0" + serialnumber + "N"
For a get network address message the response is the following.
Description Length Example Value
=====================================================================
Name? 8 eQ3MaxAp
Serial number 10 KEQ0523864
Request ID 1 >
Request Type 1 N
IP address 4 The 4 bytes of the ip e.g. 192.168.1.9
Gateway address 4 The 4 bytes of the gateway e.g. 192.168.1.1
Netmask address 4 The 4 bytes of the netmask e.g. 255.255.255.255
DNS server 1 4 The 4 bytes of the dns e.g. 8.8.8.8
DNS server 2 4 The 4 bytes of the dns e.g. 8.8.4.4
The URL request needs to be made for a specific device hence the request "eQ3Max*\0" + serialnumber + "h"
00000000 65 51 33 4d 61 78 41 70 4b 45 51 30 35 36 35 30 eQ3MaxAp KEQ05650
00000010 32 36 3e 68 00 50 6d 61 78 2e 65 71 2d 33 2e 64 26>h.Pma x.eq-3.d
00000020 65 2c 2f 63 75 62 65 e,/cube
For a URL request message the response is the following.
Description Length Example Value
=====================================================================
Name? 8 eQ3MaxAp
Serial number 10 KEQ0523864
Request ID 1 >
Request Type 1 h
Port 2 80
server address 4 max.eq-3.de
Separator 1 ,
address path 4 /cube
The URL request needs to be made for a specific device hence the request "eQ3Max*\0" + serialnumber + "c"
For a c request message the response is the following.
00000000 65 51 33 4d 61 78 41 70 4b 45 51 30 35 36 35 30 eQ3MaxAp KEQ05650
00000010 32 36 3e 63 c0 a8 00 de c0 a8 00 01 ff ff 00 00 26>c.... ........
00000020 c0 a8 00 01 00 00 00 00 01 01 ........ ..
Description Length Example Value
=====================================================================
Name? 8 eQ3MaxAp
Serial number 10 KEQ0523864
Request ID 1 >
Request Type 1 c
IP address 4 The 4 bytes of the ip e.g. 192.168.0.222
Gateway address 4 The 4 bytes of the gateway e.g. 192.168.0.1
Netmask address 4 The 4 bytes of the netmask e.g. 255.255.0.0
DNS server 1 4 The 4 bytes of the DNS e.g. 192.168.0.1
Unknown 6
You can connect to the cube by establishing a TCP connection with the cube's IP address on port 62910. To do so you can use telnet for a first test:
telnet 192.168.178.22 62910
The cube will immediately reply with a lot of information. The further sections will describe what this data means.
A message always (as far as i know) begins with a single character followed by a colon, H: for example.
Furthermore a message is always ended by a CR+LF \r\n. In between these two marks is the content of the message.
There are a lot of message types. I have not seen a lot of them yet, but the list is out of the decompiled source code so it seems to be valid.
INCOMING HELLO: "H:"
INCOMING NTP SERVER: "F:"
INCOMING DEVICE LIST: "L:"
INCOMING CONFIGURATION: "C:"
INCOMING METADATA: "M:"
INCOMING NEW DEVICE: "N:"
INCOMING ACKNOWLEDGE: "A:"
INCOMING ENCRYPTION: "E:"
INCOMING DECRYPTION: "D:"
INCOMING SET CREDENTIALS: "b:"
INCOMING GET CREDENTIALS: "g:"
INCOMING SET REMOTEACCESS: "j:"
INCOMING SET USER DATA: "p:"
INCOMING GET USER DATA: "o:"
INCOMING CHECK PRODUCT ACTIVATION: "v:"
INCOMING ACTIVATE PRODUCT: "w:"
INCOMING SEND DEVICE CMD: "S:"
OUTGOING URL: "u:"
OUTGOING INTERVAL: "i:"
OUTGOING SEND: "s:"
OUTGOING METADATA: "m:"
OUTGOING INCLUSION MODE: "n:"
OUTGOING CANCEL INCLUSION MODE: "x:"
OUTGOING MORE DATA: "g:"
OUTGOING QUIT: "q:"
OUTGOING ENCRYPTION: "e:"
OUTGOING DECRYPTION: "d:"
OUTGOING SET CREDENTIALS: "B:"
OUTGOING GET CREDENTIALS: "G:"
OUTGOING SET REMOTEACCESS: "J:"
OUTGOING SET USER DATA: "P:"
OUTGOING GET USER DATA: "O:"
OUTGOING CHECK PRODUCT ACTIVATION: "V:"
OUTGOING ACTIVATE PRODUCT: "W:"
OUTGOING RESET: "a:"
OUTGOING RESET ERROR: "r:"
OUTGOING DELETE DEVICES: "t:"
OUTGOING SET PUSHBUTTON CONFIG: "w:"
OUTGOING GET DEVICE LIST: "l:"
OUTGOING GET CONFIGURATION: "c:"
OUTGOING TIME CONFIG: "v:"
OUTGOING NTP SERVER: "f:"
OUTGOING SEND WAKEUP: "z:"