Attacking My Landlord's Boiler

(blog.videah.net)

Comments

sokoloff 22 April 2025
> I also have it so the heating turns off when I go into town and turns back on when I'm just a few train stops away so my place is nice and toasty for me getting home!

If your goal is saving energy/money, you don’t want a system capable of going from cool to toasty in 20 minutes.

Instead, you want a system that runs (much) lower water circulation temperatures (giving lower losses in the unconditioned spaces and more even room heating). That can be done to any condensing boiler by just turning down the flow target temperature.

A second layer of optimization on top of this is the addition of outdoor reset/weather compensation which will adjust that flow temperature based on the outside temperature, giving a flow temperature that can just barely restore the building to the desired setpoint temp.

With mine properly tuned, I was targeting having the thermostat act more like a high-limit and for it to call for heat between 22 and 24 hours per day while not overheating the house. That often meant flow temps in the 110°F (warm day) to 135°F (below freezing day) range. Compared to the prior winter (at a constant 160°F flow), the house used 8-15% less gas and was wildly more comfortable. (This setup does preclude using deep setback settings, which also can save money, because recovery times are necessarily long in such a scheme, unless you have an even smarter control system that can run perfectly tuned water most times but hotter water during recovery from setbacks.)

gcanyon 22 April 2025
It's an awesome hack!

It seems like the easier hack would be to put a peltier heater/cooler under the thermostat then control that remotely to assume control over what temperature the thermostat sees.

The link to the exact model of thermostat isn't working, so I don't know how amenable its design is to this approach, but the thermostats I've used are generally wall-mounted and putting a heat/cool source under them wouldn't be too hard. You'd need to make sure that you didn't send both the heat and cool into the thermostat, but that's a simple positioning problem.

smelendez 22 April 2025
I wonder what the ideal one-size fits all thermostat looks like.

The one in my apartment has a “feature” a lot of US thermostats now have, where you set four ordered times called wake, leave, return, and sleep and the temperature you want the space in each interval. I know very few people who actually live in a household where everyone wakes, leaves, returns, and sleeps on the same schedule every day.

I work from home and personally just want to set a temperature and have the space stay at that temperature indefinitely but this system requires that I tap through and enter the desired temperature four times, while confirming the four intervals.

I guess I’d be happier with a more programmable thermostat that I could set to behave like an old school dial thermostat.

willvarfar 22 April 2025
I guess your toolbox really shapes your solution space thinking; as I read through this, being completely lost in the whole world of RF whatnot, my mind jumped straight to an alternative attack that better fit my own tooling: could you encase the thermostat in a box that you can mechanically control the temperature of?

mattmaroon 22 April 2025
I would probably just go about this by heating/cooling the thermostat itself rather than messing around with radio signals. Put a little box around it and something that could control the temp in the box, like a little peltier element. When you want the heat to run, cool the inside of the box. When you want it to stop, warm it up. Etc.

But then I build thermal control devices for fun so maybe it just seems like a much easier method to me.

thomashabets2 22 April 2025
If you do want to decode it, it's probably not that hard. I was going to implement the transmission side when I did this, but then I moved.

https://blog.habets.se/2017/04/Decoding-FSK.html

DecoPerson 22 April 2025
The Flipper Zero is great, and could handle all of the hacking/investigation part by installing custom firmware.

The original product understandably arrives with heavily-restricted firmware (I imagine to reduce the amount of flak the company receives). However, it is incredibly easy to install Flipper Unleashed or similar, which removes all said restrictions and adds a lot of additional functionality.

Possessing the tools that could be used to commit a crime is not necessarily a crime in and of itself! Just be careful with what you do or, depending on what country you’re in, you might find some men in suits knocking at your door.

Personally, I wanted to replay “encrypted” 433MHz signals for my own devices (electric gate, roller door, roller shutters, …) and this was disabled with the Flipper’s region set to Australia.

yurishimo 22 April 2025
If OP ever shows up here, you probably could have just replaced the thermostat with one that is compatible with your boiler for less money and headache. The boiler market is fairly open to competition as evidenced by the fact that you could find a Honeywell signal in a random OSS project that also worked.

Good luck with your future apartment customizations!

buccal 22 April 2025
Cool project.

Speaking of newish natural gas (CH4) heaters, they all should have modulating thermostat capability with OpenTherm/eBus or other protocol. Combined with a thermostat with an outdoor temperature sensor, system efficiency is increased a few percent and that should help offset thermostat and installation costs. In the end you have a more efficient modern heating system.

Same should apply for heat pump systems.

sz4kerto 22 April 2025
We've moved to a new apartment (house) and we had to do a full renovation. It doesn't have modern insulation and I calculated that for the time being the ROI on insulation isn't worth it. It's a multi-floor semi-detached house and I wanted the best comfort and the most economical heating possible.

In particular: stable and individually adjustable temperatures for bedrooms and living rooms; underfloor heating in some rooms (bedrooms), radiator-based heating in some others (living room), and combined UFH+radiators in some others (where UFH might not be enough during extreme colds).

I thought I can just pay someone some money and they'll set up the controls for me. It must be a simple exercise, right?

I could not have been more wrong. After spending a few hours of understanding the setups that "experts" have recommended, I figured out edge cases where they would be either wasteful or uncomfortable (meaning: unnecessary and unavoidable temperature overshoots or undershoots, etc.). I had many, many rounds with Honeywell, Tado, Siemens, etc. and every single one of them had _major_ issues.

The renovation got a bit stuck because of this, but the plumbing was ready so I wanted to see whether the plumbing and pumps are working, at least. So I connected the pumps and valves to "smart plugs", i.e. Zigbee-controlled plugs, so that I can see that they turn on. They did, which got me thinking...

Right now I have $20 Zigbee temp sensors sprinkled across the house, $30 smart plugs and relays driving valves, pumps and the boiler, and Home Assistant is controlling the whole thing. Everything works perfectly and I could implement some features that simply no system would have done out of the box. For example, in rooms where there's combined UFH and radiators I can drive both heating systems when the room temperature is far from the target (so that the room heats up quickly), but as the room temp is getting closer to the target, the radiators are turned off so that UFH dominates heating (more comfortable and more energy efficient than radiators). In rooms with radiators, temp is within ±0.4 °C of target; in rooms with UFH, it's within ±0.1 °C of target.
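
The two-stage rule described above (radiators assist only while the room is far below target, UFH carries the load near the setpoint), as an added example that is not the commenter's Home Assistant configuration. The thresholds, the hysteresis value and the function names are assumptions; the temperature readings in `simulate` are constructed.

```python
def plan_heating(room_temp, target, has_ufh, has_radiator, currently_heating,
                 radiator_band=1.0, hysteresis=0.2):
    """Decide which emitters to run for one room during this control cycle.

    Assumed thresholds (not from the post): radiators join in only while the
    room is more than `radiator_band` degrees below target; a small hysteresis
    stops the call for heat from chattering around the setpoint.
    Returns a dict with booleans for 'ufh' and 'radiator'.
    """
    deficit = target - room_temp
    # Hysteresis: start heating below target - h, stop above target + h,
    # otherwise keep doing whatever we were doing last cycle.
    if deficit > hysteresis:
        call_for_heat = True
    elif deficit < -hysteresis:
        call_for_heat = False
    else:
        call_for_heat = currently_heating

    ufh = has_ufh and call_for_heat
    if not has_ufh:
        # Radiator-only room: radiators carry the whole load.
        radiator = has_radiator and call_for_heat
    else:
        # Combined room: radiators only for fast recovery, UFH finishes the job.
        radiator = has_radiator and call_for_heat and deficit > radiator_band
    return {"ufh": ufh, "radiator": radiator}


def simulate(readings, target, has_ufh, has_radiator):
    """Run constructed temperature readings through the planner, cycle by cycle.

    Returns a list of (reading, ufh_on, radiator_on) tuples so the hand-off
    from both emitters to UFH-only, and the hysteresis near target, is visible.
    """
    heating = False
    trace = []
    for temp in readings:
        plan = plan_heating(temp, target, has_ufh, has_radiator, heating)
        heating = plan["ufh"] or plan["radiator"]
        trace.append((temp, plan["ufh"], plan["radiator"]))
    return trace


if __name__ == "__main__":
    # Constructed warm-up: 18.0 -> 21.3 C against a 21.0 C target in a UFH+radiator room.
    for row in simulate([18.0, 19.5, 20.5, 21.1, 21.3], 21.0, True, True):
        print(row)
```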

solarist 22 April 2025
One doesn’t actually need any extra hardware for this… just 8cm of wire and this https://github.com/F5OEO/rpitx

(use at your own risk of course)

robocat 22 April 2025
> sledgehammer approach

A hammerier solution would be to control the temperature seen by the thermostat (ignore the difficult RF protocol).

A heating element and a temperature reading could control the heat seen by the thermostat.

I'm pretty sure you wouldn't need any cooling (Peltier or whatever). Just a heater and ambient cooling! Set the thermostat to a high temperature, and run the heater to make the measured temperature hotter when you don't want the heating to run.

That said, I think hacking the RF protocol is geekier and far awesomer.

lenerdenator 22 April 2025
> Please do your due diligence and check local laws before attempting anything I do in this post. Transmitting radio signals can become legally problematic very quickly, and the band I specifically transmit on here (868Mhz) is illegal in the United States without a license. I'd rather you didn't have men in suits knocking on your door on my account. You've been warned!

Let's be honest here: the FCC is gonna have to see a helluva lot of problems coming from your transmissions before they bother to send the black Suburbans filled with men in suits to knock on your door. You're going to get a series of letters that basically say "please don't do that" if anything.

YakBizzarro 22 April 2025
Funny how the manufacturer proudly claims that the protocol is encrypted, but completely forgets to mitigate replay attacks, thus making the encryption completely useless.
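
The point above is that confidentiality alone gives no freshness: a receiver that cannot tell a captured frame from a new one will act on it again. As an added example, not taken from the post or from the manufacturer's protocol, here is a sketch of the mitigation: each frame carries a monotonic counter and an authentication tag, and the receiver rejects any counter it has already seen. The key, frame layout, tag length and function names are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real device would provision the key at pairing time.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 8  # truncated HMAC tag; an assumption for this frame layout


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Frame = 32-bit big-endian counter | 1-byte command | truncated HMAC-SHA256.

    The transmitter only ever increments the counter, so a frame captured
    over the air stops being useful once the receiver has seen a higher value.
    """
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command (0 = off, 1 = on), or None if the frame is rejected."""
        if len(frame) != 5 + TAG_LEN:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare so the tag check does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return None
        counter, command = struct.unpack(">IB", body)
        # A counter at or below the last accepted one is a replay or a stale frame.
        if counter <= self.last_counter:
            return None
        self.last_counter = counter
        return command


def demo():
    """Genuine ON, the same ON frame replayed, genuine OFF, then a tampered frame."""
    rx = Receiver(SHARED_KEY)
    on_frame = build_frame(SHARED_KEY, 1, 1)
    first = rx.accept(on_frame)                       # accepted: 1
    replay = rx.accept(on_frame)                      # rejected: counter already seen
    off = rx.accept(build_frame(SHARED_KEY, 2, 0))    # accepted: 0
    tampered = bytearray(build_frame(SHARED_KEY, 3, 1))
    tampered[4] ^= 0x01                               # flip the command byte
    forged = rx.accept(bytes(tampered))               # rejected: tag no longer matches
    return first, replay, off, forged
```

A deployed design also needs a way to resynchronise the counter after a transmitter battery swap or reset; this sketch leaves that out.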

cft 23 April 2025
Very interesting ending of the post:

> There was a comment section here. It's gone now. As of March 16th, 2025 the United Kingdom's Online Safety Act has gone into full effect. The law presents a lot of challenges for hobbyist websites like this one to present any user-to-user content (like y'know, blog comments) and comes with some pretty serious repercussions for non-compliance.
>
> The odds of Ofcom (the regulator whose job is to enforce this) kicking my door down over this blog are low if we are being honest with ourselves. But the odds are at least somewhere above zero and the punishment is a life ruining £18 million fine(!!) so it's just not worth the risk.
>
> A kind lawyer has written up the implications of this law for self-run blogs like this one and the only way to guarantee that I am not in-scope would be to manually review all comments made before being available to the public. Not to be a big baby about it all but I don't really want to do this! I liked my current setup!
>
> So I guess as a little act of protest and to hedge against any risk I've removed the comment section entirely. Sorry about that!

gwbas1c 22 April 2025
> The only thing I'm not happy with is needing to use a very powerful and versatile radio like the HackRF for something as simple as a boiler on/off switch. But I'd rather use something overkill and have it work than spend ages trying to force smaller radios to do my bidding.

All the apartments I lived in had basic thermostats; and I even rewired and replaced one of them.

What was blocking Videah from buying an off-the-shelf thermostat?

Mond_ 22 April 2025
Cool as fuc + very nice blog design.

__turbobrew__ 22 April 2025
The legit HackRF One is known to have frequency smearing; I wouldn't use one off AliExpress to transmit without testing it with a spectrum analyzer first (which you probably don't have if you are buying knockoffs from AliExpress).

rsynnott 22 April 2025
Some risk of collateral damage in the form of randomly controlling other peoples' boilers if your transmitter turns out to be more powerful than the one in the thermostat, tho...

aboardRat4 22 April 2025
In the former Soviet Union we just have central heating

The government maintains indoor temperature at 24 degrees from October to May, and the water is heated at the power stations.

MisterTea 22 April 2025
Instead of attacking a radio controlled relay, the author should have read up on how their heating system works. All they need is a relay controlled by an internet connected thing to replace the thermostat receiver. I could understand if the receiver was locked away but the video clearly shows they have access to the boiler.

josefritzishere 22 April 2025
For a related hack... If your apartment building has a BACnet system, it also relies on a set of commands for heating and cooling. Assuming you are on the same VLAN as the server, you can inject commands. The difficulty is that every BACnet server is somewhat different, though most have specs online.

xbar 22 April 2025
The UK's Online Safety Act is pretty horrific. Our friends in the UK have my sympathy.

gRoberts84 22 April 2025
I went through various stages of this myself and got a Sonoff RF Bridge, that allowed me to capture and replay RF via Home Assistant. In the end though, it was always easier to use an off the shelf solution, especially for boilers. OpenTherm with Tado worked perfectly.

ambalangoda 22 April 2025
I just gotta say, I really like the animated gifs. Kudos to the blogger.

jorisboris 22 April 2025
I need this solution

Our landlord installed a Honeywell home, the cheapest version, and it has no remote or timer capabilities

And especially in winter it would be nice if it would jump on before we wake up!

alistairSH 22 April 2025
Is this a non-standard thermostat control mechanism? I don’t know what’s common in apartments. All my houses have the thermostat wired to the HVAC (and are easily replaceable by the resident).

tgtweak 22 April 2025
I would have put a peltier/TEC below the thermostat to influence its measured air temp vs resorting to reverse engineering and illegal signal broadcasting.

p3rls 23 April 2025
This is basically why companies like HeatWatch have 90% market share for NYC landlords

m1n1 23 April 2025
Could the same radio be controlling other nearby boilers unintentionally?

pete1302 22 April 2025
Men in Black suit knocking on the door for this is a First-world thing.

badmonster 22 April 2025
loved the blend of reverse engineering and persistence

KennyBlanken 22 April 2025
What is with this absurd headline? Imitating your RF thermostat isn't "attacking" anything.

epsilonaurigae 22 April 2025
OP removed their comment section, but if you’re here:

I haven’t done this since 2014 but the google nest API used to (hopefully still does?) let you see and or set the thermostats status with curl commands.

My use case was to run one shell script that got my burglar alarms status, and if it was “armed/away” to simply set my nest thermostat as away, too.

But it can also be hooked up to a dummy load or a relay and just used as an indoor temperature sensor.

And the curl commands OP is relying on can be tied in to indoor and outdoor temperatures, such as scraping local weather with curl/wget and based on that integer, turning the boiler to a minimum when it's a certain temperature outside.

Or turning it completely off when it’s warm outside.

I’m about to revisit this again just because I have an ancient gas pig of a furnace that uses microvolt and is too cold when it’s cold outside, and too hot when it’s warm outside.

So I need one thermostat in place to turn it on no matter what at 40F, but then some conditional logic to kick that thing on and off on different cycles based on outdoor temps. The whole system's too crude to implement one off the shelf without adding a zone controller, so I just want a Linux box at home to be the zone controller….

Where I differ is that I'm not sending an RF signal to the boiler, I just have to close an NO contact to engage mine (and I'm lazily going to use the nest for that.)

If anyone knows of a better thermostat that has its own API I can set, read sensors, turn hvac on and off without using a google/nest account or having a dependency on the goodwill of their API existing forever, I'll come back and glean any responses. Thanks in advance.

As an afterthought, hm I can just attach temperature probes and a GPIO for a relay and indoor/outdoor temps and do away with google/nest altogether…. Thanks for jogging my brain a bit I might do exactly that.

(The nest was cool, and educational, I guess, 12 years ago when I didn't know how to really do anything but run and fire off curl commands on someone else's hardware for temp sense and closing a relay, and I don't have anything bad to say about it as a starting point.)

Where I was going with this, though, was that you could use an off the shelf nest, and run

1) one command against the API to get thermostat status (system thinks it's on or off, even though it's factually not directly controlling anything) and then based on that,

2) another command to your RF board to transmit a matching signal.

(However you could also do the same with a temperature probe that can be read on board or over WiFi, and then manage your setpoints in the script and/or by other means: eg scraping a weather site for the local outdoor temp in your case where the landlord probably wouldn't let you attach or connect an outdoor probe.)

Bonus with the nest approach is you get a dial, can mount it on anything, doesn't have to be the wall of your unit… and it "sort of works" like a normal thermostat as well, as soon as the shell script reconciles the two states manually.

Long winded rant but the original use case was an apartment where the thermostat was proprietary and serialized data and I didn’t have any option to integrate a smart thermostat other than turning it to its maximum set point and then using the nest with a massive 220V/50A HVAC relay to just chunk the AC power line on and off on demand.