"Hacking" the Somfy Sonesse2 Zigbee Motors

Not my blinds...

I've been looking for some blinds to use in my refurbished office for many months now. About six months ago I heard that Somfy had launched a Zigbee line of products; I inquired at the time and was told they would be released in Europe in the middle of 2024.

Well it's now the middle of the year, and my office is complete and needs some blinds.

I did my research and found the official Zigbee certification documents. I reviewed them: according to the documents and attestations, the motors act like normal Zigbee end devices and, most importantly to me, they use the Zigbee Cluster Library Window Covering cluster.

They also take USB-C power to charge, and have an internal battery that should last for about six months, assuming one full movement up and down per day.

The standard cluster is a sticking point for me: I'm really trying to avoid Zigbee devices that don't conform to the specification. TuYa or Aqara, for example, use proprietary extensions and tend not to interoperate as well as they should.

So anyway, they were released, and I managed to find a company supplying spares that would let me buy two motors. They arrived, I excitedly powered them on, permitted joining on my coordinator... and nothing joined.

I discovered that Somfy have an app called Tahoma Pro for installers, I managed to get an account via the US website with no effort (the UK one just goes to a black hole as far as I can tell).

I managed to connect using Bluetooth Low Energy using my iPhone with their app, I could configure them, set the settings... but I couldn't find a way to make them pair.

Screenshot of inside the Tahoma Pro iOS application.

I thought maybe it was my setup, so I tried my own Zigbee stack, zigbee2mqtt and ZHA, with a Z-Stack stick and an Emby stick as coordinator. Nothing helped.

My diagnostics took days and got me nowhere. I reached out to people who claimed they'd gotten it working, or had thought about purchasing them. The one person who said it worked, I suspect, actually had the previous model, and the behaviour had changed.

I was beginning to worry that I'd screwed up by purchasing these. I did understand that Somfy aren't really a retail company, and that you're meant to buy through resellers and installers, but I was convinced it should work.

At work, I remembered the app and wondered whether they also had an Android version, since most Android apps are written for a JVM of some description. They did.

Out came a suite of tools: APK Studio, JD-GUI, etc. I dug through Smali files extracted from the DEX archives, and opened them up in IntelliJ to take advantage of its better decompilation.

I finally found a hint. There's a lot of Bluetooth Low Energy comms in the app, and most of it is understandable: configure limits, favourite positions, speeds, directions, etc.

One thing was odd though: there was a command to "LeaveNetwork", but there was no counterpart "JoinNetwork". I dug through some pretty complex, disjointed and poorly decompiled Kotlin (which had been converted to Java).

I finally found what appeared to be a step in the pairing process with the official Tahoma hub. The odd thing was that it issued that "LeaveNetwork" as part of the joining process. The step issued a "WritePinCode" and then a "LeaveNetwork", each sent to a different BLE characteristic (represented as a UUID).

The motors are well labelled: printed on a sticker are their EUI48, EUI64, Zigbee install code and PIN code, so there was hope!

I've programmed BLE before, but this time I found an iOS tool called "BT Inspector" that let me connect to the motor over BLE and interrogate it. I figured out the bytes that would need to be sent to each UUID, sent them, and the motors instantly joined ZHA in Home Assistant.

A motor that joined Home Assistant.

So how do we unlock the motors?

  1. To 0000000B-cad9-46c6-a2ea-2ca16d57b4a5 we send the PIN code from the label as a 3-byte little-endian integer.
  2. To 00020001-cad9-46c6-a2ea-2ca16d57b4a5 we simply send 0x01.
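
To make the byte layout concrete, here is an added Python example (my own illustration, not code from the Somfy app or the BT Inspector tool). It builds the two characteristic writes above, checks that the PIN fits in 3 bytes before packing it, and takes the BLE write operation as a callback so the sequence can be exercised without a radio. The `write` callback and the `1234` sample PIN are assumptions for the demonstration; the characteristic UUIDs are the two from the list above.

```python
import struct
from typing import Callable, List, Tuple

# Characteristic UUIDs taken from the pairing steps above.
PIN_CODE_CHAR = "0000000B-cad9-46c6-a2ea-2ca16d57b4a5"
LEAVE_NETWORK_CHAR = "00020001-cad9-46c6-a2ea-2ca16d57b4a5"

PIN_BYTES = 3  # the PIN is written as a 3-byte little-endian integer


def encode_pin(pin: int) -> bytes:
    """Pack the label PIN as a 3-byte little-endian unsigned integer."""
    if not 0 <= pin < (1 << (8 * PIN_BYTES)):
        raise ValueError(f"PIN {pin} does not fit in {PIN_BYTES} bytes")
    # struct has no 24-bit format, so pack 32-bit LE and drop the high byte.
    return struct.pack("<I", pin)[:PIN_BYTES]


def decode_pin(payload: bytes) -> int:
    """Inverse of encode_pin; useful for checking what the app wrote."""
    if len(payload) != PIN_BYTES:
        raise ValueError(f"expected {PIN_BYTES} bytes, got {len(payload)}")
    return struct.unpack("<I", payload + b"\x00")[0]


def unlock_sequence(pin: int) -> List[Tuple[str, bytes]]:
    """The two GATT writes, in order: WritePinCode then LeaveNetwork."""
    return [
        (PIN_CODE_CHAR, encode_pin(pin)),
        (LEAVE_NETWORK_CHAR, b"\x01"),
    ]


def run_unlock(pin: int, write: Callable[[str, bytes], None]) -> int:
    """Issue the sequence through a caller-supplied write(uuid, payload).

    `write` is an assumed hook: in practice it would wrap a BLE library's
    characteristic write. Returns the number of writes performed.
    """
    steps = unlock_sequence(pin)
    for uuid, payload in steps:
        write(uuid, payload)
    return len(steps)


if __name__ == "__main__":
    # Constructed sample PIN; a real one is read from the motor's label.
    sample_pin = 1234
    log: List[Tuple[str, bytes]] = []
    run_unlock(sample_pin, lambda uuid, data: log.append((uuid, data)))
    for uuid, data in log:
        print(f"write {uuid}: {data.hex()}")
```

Running it prints the two writes the post describes, with the PIN bytes reversed from their big-endian appearance (`1234` becomes `d20400`), which is the detail most likely to trip someone up when reproducing the sequence by hand in a BLE inspector.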

That's it... so why are they doing this? Is it to stop retail customers? Are they just trying to lock it to installers?

I don't think so. While it's annoying, and they provide no external guidance on this, they went out of their way to follow the Zigbee standard and get it certified.

What I think is actually going on is that, out of the box, the motors form their own network. Why? So that you can pair their Zigbee remotes with them without their home hub.

That was a pain in the ass, but this evening I feel much better knowing that my expensive motors will be able to get mounted to my window.