Tapped the X180T's CAN bus via CANable 2.0 at the monitor panel's terminator
port. The bus is NOT RV-C — it's Lippert's proprietary IDS-CAN (250k, 11-bit
IDs, (page<<8)|node, 1 Hz broadcasts).
Read side fully mapped from live captures:
- device classes (page-2 type byte: 0x0A tank, 0x1E switched load, 0x21 motor)
- node map for this rig (Catalina 263BHSCK): tanks 27/E2/7D/FE, lights 2A/F8,
heater 95, pump 61, awning 75 (+ direction & live motor current)
- battery voltage on 29-bit extended frames
Write side: commands are DLC-0 ext frames 0006<node><op>, but auth-gated by a
rolling challenge-response (page 42/43). Replay confirmed dead (spoofed cansend
did not actuate). Not the BLE TEA cypher. response=f(challenge) is deterministic
(no session state) so crackable offline later — seeded 42 pairs in
sniff/2A-auth-pairs.txt.
Includes raw captures (sniff/*.log, force-added past *.log ignore), a read-only
esp32_can ESPHome skeleton, and the log-can.sh sniff helper. Full writeup in
canbus/README.md.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The OneControl panel's command characteristic is a streaming (Write Without
Response) endpoint. Bleak 3.x changed write_gatt_char to default to
write-with-response when the char advertises the "write" property, so every
command (incl. switch turn_on/off) got rejected by the panel with ATT 0x0E
(Unlikely Error), surfaced as BleakGATTProtocolError. Force response=False on
the command write (matching the auth key write) to restore control.
Also commits the productionized custom_components integration (config flow,
coordinator, switch/sensor/cover entities, key-seed TEA auth, COBS codec) and
the matching src/ RE client/COBS fixes (big-endian framing, table-driven CRC8,
status-event decoding) that were developed but never tracked.
Verified live on the campsite HAOS Pi: switch.exterior_lights / interior_lights
toggle the physical panel with no GATT error.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Root cause of immediate disconnect after write: panel requires auth on
service 0010 before accepting commands on 0030. Protocol found by
decompiling Plugin.BLE.dll (BleDeviceUnlockManager.PerformKeySeedExchange).
Auth flow:
1. Read 4-byte seed from char 0012 (00000012-0200-a58e-e411-afe28044e62c)
2. Apply modified TEA with RV-specific cypher (612643285 / 0x248431D5)
3. Write 4-byte little-endian result to char 0013
4. Retries up to 3x if seed < 4 bytes (panel not yet ready)
connect() now calls perform_auth() before enabling 0034 notifications.
Also cleans up experimental auth attempts from campsite debugging session.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix scan_for_onecontrol() to use return_adv=True and adv.service_uuids
(device.metadata removed in bleak 3.x)
- Add missing _parse_get_devices_response() — was called but never defined,
would crash on first real device response
- main() now auto-connects when exactly one device is found via scan
- Remove premature turn_on/off_light(5) calls from main() — device IDs
unknown until get_devices() has been run against real hardware
- Guard send_command() and disconnect() against unconnected state
- control_awning() now takes MovementState enum instead of raw int
- Bump post-get_devices sleep from 2s to 5s for real device latency
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The decompiled code is not included in the repository (excluded via .gitignore).
Mentioning it in the README could create legal concerns and is misleading.
- Added Apache License 2.0 (full text)
- Strengthened README disclaimer with interoperability language
- Added references to DMCA 1201(f) and EU Software Directive Article 6
- Clarified what IS and IS NOT included in repo
- Added license badge to README
- Explicitly states purpose: legally purchased hardware integration
Compliance checklist:
✅ Clean room implementation (no decompiled code in repo)
✅ .gitignore excludes all binaries and extracted code
✅ Interoperability defense clearly stated
✅ Apache 2.0 license with patent grant clause
✅ Disclaimer for Lippert Components Inc.