UPDATE.
I replaced the thermostat, the screen was somewhat
ugly (according to wife, it had some pixels dark) so
that was the excuse to get a replacement. Installed,
it worked just fine so I installed the radio (wifi) module.
I am expecting to go through the hoops of having to
connect to it directly and give it the proper commands
and directives so it will then go and connect to my
WiFi AP. Low and behold, appears that the WiFi module
has some memory and it retained all of the connection
info. BUT it turns out that the connections were also
being requested by the WiFi module. Indeed the author
of the Home Automation software told me to go into the
thermostat and try to pull the cloud status:
http://IpAddress/cloud. So I did and I got the following:
{"interval":300,"url":"http://my.radiothermostat.com/filtrete/rest/rtcoa
","status":3,"enabled":1,*"authkey":"dfcf7d03"*,"status_code":-1}
The device still has the authorization key, which I have
highlighted above. Now to figure out how to clear it out.
It appears that it is going out and connecting, getting
enough back to change the clock. I have blocked those
IP addresses but I think it is trying another one because
I see it again changing the time, I know what is going on
so I am not going to sniff it again. Just have to find out
how to clear the data out of the radio module.
Ain't IoT fun, I have someone's cloud access and did not
even know it...
On Sun, Jan 9, 2022 at 5:43 PM Chuck Hast <[email protected]> wrote:
> Well I had to go in and change some directory settings,
> still not sure what happened. But was able to save the
> file.
>
> On Sun, Jan 9, 2022 at 5:27 PM Chuck Hast <[email protected]> wrote:
>
>> Folks, I have a great transaction capture on Wireshark,
>> when I went to save it I get a bitch screen that says
>> You don't have permission to create or write to the file:
>> test.pcapng
>>
>> Funny thing is I have been doing these captures now
>> for several days, but this was the best one. I just am
>> not sure why this is happening. I started Wireshark with
>> elevated access, and I have not stopped it since I saved
>> the last file. Never seen this before. I have seen it when
>> something did not get started with a needed permission
>> level but never seen something change without shutting
>> it down and restarting.
>>
>>
>> On Thu, Jan 6, 2022 at 10:58 AM Chuck Hast <[email protected]> wrote:
>>
>>> I have a batch of Chinese security cameras, one day I was
>>> sniffing my LAN and saw these packets that should not have
>>> been there, started tracing them down and they were coming
>>> from the cameras, they were trying to connect to 4 chinese
>>> web sites and AWS. The now are on an island network which
>>> routes to nowhere and the only other thing on there is the port
>>> that sends all of the camera data to ZoneMinder. Crazy cameras
>>> were trying to call home constantly. I cleaned some of it up by
>>> giving them all static IP's and getting rid of any DNS info. Some
>>> of them still try but a lot less.
>>>
>>> That was before I started seeing comments on line about the
>>> cameras doing the "call home" thing.
>>>
>>>
>>> On Wed, Jan 5, 2022 at 11:56 PM Tomas Kuchta <
>>> [email protected]> wrote:
>>>
>>>> Like with all other "smart things" you are the product, that thing is
>>>> just
>>>> the bait to connect to you .... I had the same thing with environment
>>>> sensors this summer. I returned them and got bunch of half price 433MHz
>>>> sensors + SDR to receive their signals.
>>>>
>>>> There are still 433MHz remote controlled relays + $5-$10 transmitters to
>>>> turn them on/off if you do not want to use SBC or Arduino.
>>>>
>>>> What sorry state of affairs, these things could be supper useful, only
>>>> if
>>>> the would hot call home.
>>>>
>>>> -T
>>>>
>>>> On Thu, Jan 6, 2022, 00:00 Chuck Hast <[email protected]> wrote:
>>>>
>>>> > Well folks here is the capture. This is when the device does the
>>>> > time change.
>>>> >
>>>> -------------------------SoF----------------------------------------------
>>>> > No. Time Source Destination Protocol Length Info
>>>> > 1416 6995.707153289 192.168.7.45 192.168.7.1 DNS 129
>>>> > Standard query 0x011d A my.radiothermostat.com
>>>> > 1417 6995.743011679 192.168.7.1 192.168.7.45 DNS 283
>>>> > Standard query response 0x011d A my.radiothermostat.com CNAME
>>>> > rtcoa-load-balancer.energyhub.net CNAME
>>>> > prod-ext-2-397343966.us-east-1.elb.amazonaws.com A 3.214.34.120 A
>>>> > 54.209.187.172 A 107.21.255.187
>>>> > 1418 6995.744228645 192.168.7.45 107.21.255.187 TCP 125
>>>> > 35222 → 80 [SYN] Seq=0 Win=2896 Len=0 MSS=1460 WS=1 SACK_PERM=1
>>>> > TSval=23065200 TSecr=0
>>>> > 1419 6995.795424653 107.21.255.187 192.168.7.45 TCP 121
>>>> 80
>>>> > → 35222 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1460 SACK_PERM=1
>>>> > TSval=1316753308 TSecr=23065200 WS=256
>>>> > 1420 6995.796759302 192.168.7.45 107.21.255.187 TCP 113
>>>> > 35222 → 80 [ACK] Seq=1 Ack=1 Win=2896 Len=0 TSval=23065200
>>>> TSecr=1316753308
>>>> > 1421 6995.797280360 192.168.7.45 107.21.255.187 TCP 204
>>>> > 35222 → 80 [PSH, ACK] Seq=1 Ack=1 Win=2896 Len=91 TSval=23065200
>>>> > TSecr=1316753308 [TCP segment of a reassembled PDU]
>>>> > 1422 6995.851194008 107.21.255.187 192.168.7.45 TCP 113
>>>> 80
>>>> > → 35222 [ACK] Seq=1 Ack=92 Win=26880 Len=0 TSval=1316753363
>>>> TSecr=23065200
>>>> > 1423 6995.853333530 192.168.7.45 107.21.255.187 HTTP 579
>>>> > POST /filtrete/rest/rtcoa HTTP/1.1
>>>> > 1424 6995.905205495 107.21.255.187 192.168.7.45 TCP 113
>>>> 80
>>>> > → 35222 [ACK] Seq=1 Ack=558 Win=28160 Len=0 TSval=1316753417
>>>> TSecr=23065300
>>>> > 1425 6995.912865908 107.21.255.187 192.168.7.45 HTTP 585
>>>> > HTTP/1.1 200 200
>>>> > 1426 6995.935820827 192.168.7.45 107.21.255.187 TCP 113
>>>> > 35222 → 80 [FIN, PSH, ACK] Seq=558 Ack=473 Win=2424 Len=0
>>>> TSval=23065300
>>>> > TSecr=1316753424
>>>> > 1427 6995.986668924 107.21.255.187 192.168.7.45 TCP 113
>>>> 80
>>>> > → 35222 [FIN, ACK] Seq=473 Ack=559 Win=28160 Len=0 TSval=1316753499
>>>> > TSecr=23065300
>>>> >
>>>> >
>>>> ------------------------EoF-----------------------------------------------------
>>>> > It is during this transaction that the time change takes place.
>>>> > I never signed up for their cloud service. This took place betwen
>>>> > Sept when I turned off the A/C and Nov when I turned on the
>>>> > heat. Thermostat was on all of the time. And as far as I know it
>>>> > was talking to the local HA server.
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Wed, Jan 5, 2022 at 6:56 PM Chuck Hast <[email protected]> wrote:
>>>> >
>>>> > > I am going to start the logging I tested yesterday back up.
>>>> > > I had enabled packet sniffing streaming to a remote server
>>>> > > (Wireshark on another machine) so I had it running indeed
>>>> > > I thought I had saved that file but when I went to look at it
>>>> > > this a.m. somehow I sent it down the bit toilet... Ohh well it
>>>> > > is just bits, be a good exercise to get it going again. I need
>>>> > > to trace things every once in a while knowing how to get
>>>> > > the bit stream out of the router to wireshark can be very
>>>> > > handy (I am looking these chinese cameras that call home)
>>>> > >
>>>> > > Now if I can get the manufacturer to do more than respond
>>>> > > with scripted replies...
>>>> > >
>>>> > >
>>>> > > On Wed, Jan 5, 2022 at 6:17 PM Ben Koenig <
>>>> [email protected]>
>>>> > > wrote:
>>>> > >
>>>> > >> Whoops looks like I hit the wrong reply button and moved this off
>>>> the
>>>> > >> PLUG list.
>>>> > >>
>>>> > >> In my experience time sync issues are generally always the result
>>>> of one
>>>> > >> of 3 different root causes. For embedded devices its often simpler
>>>> since
>>>> > >> you have no control over the software, it just does whatever it was
>>>> > coded
>>>> > >> to do.
>>>> > >>
>>>> > >> #1 is the CMOS battery. If the firmware isn't holding on to certain
>>>> > >> settings (such as battery failure) then the clock will revert.
>>>> Normally
>>>> > >> this sends you back to 1970 but I've seen more recent devices
>>>> behave
>>>> > >> differently. In your case it looks like the time zone is not being
>>>> held
>>>> > >> properly.
>>>> > >> #2 is buggy software on the device that is resetting the time.
>>>> Could be
>>>> > a
>>>> > >> y2k22 style bug ( hi microsoft! ) or something else that it hit.
>>>> > >> #3 is the server. Since blocking the IP at the router prevents this
>>>> > issue
>>>> > >> then it might just be something stupid on their server end.
>>>> > >>
>>>> > >> IMO it's a combination of #2 and #3. This type of unexpected
>>>> behavior is
>>>> > >> not uncommon on E.T. devices since they *ALWAYS* phone home
>>>> regardless
>>>> > of
>>>> > >> whether or not you set up an account. It's entirely possible that
>>>> it
>>>> > spent
>>>> > >> the last 2 years dialing home for your timezone but in the past few
>>>> > months
>>>> > >> the server gave a different response. If you had a history of all
>>>> web
>>>> > >> traffic to those 3 addresses in the past year you could probably
>>>> spot
>>>> > the
>>>> > >> change. Maybe they changed the default response to unregistered
>>>> devices.
>>>> > >>
>>>> > >> It would be interesting to log the actual web traffic and see if
>>>> you can
>>>> > >> spot the data being returned. If you logged all traffic for the
>>>> past
>>>> > year
>>>> > >> then you could correlate the time you saw the change with any
>>>> changes in
>>>> > >> server responses.
>>>> > >>
>>>> > >> -Ben
>>>> > >>
>>>> > >>
>>>> > >> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> > >> On Wednesday, January 5th, 2022 at 2:50 PM, Chuck Hast <
>>>> > [email protected]>
>>>> > >> wrote:
>>>> > >>
>>>> > >> The interesting thing is that I have had this unit for over
>>>> > >> 2 years and it has never done this, it just started doing
>>>> > >> it when I turned on the heat. I had shut the HVAC system
>>>> > >> down in Sept because the weather did not warrant running
>>>> > >> the system. All I did was set the system to OFF on the
>>>> > >> thermostat. So it was all powered up. When I set it to HEAT
>>>> > >> I got this funny time change thing. I tested with the A/C, as
>>>> > >> we have had a nice warm autumn this year, and got the
>>>> > >> same thing. So something happened between Sept and
>>>> > >> Nov when I turned on the heat. The question is what? Did
>>>> > >> the thermostat get hacked somehow, I have tried to do a
>>>> > >> factory reset but that does not work either. And since these
>>>> > >> people will not talk on the phone, I am pretty much running
>>>> > >> out of patience.
>>>> > >>
>>>> > >> On Wed, Jan 5, 2022 at 4:38 PM Ben Koenig <
>>>> [email protected]>
>>>> > >> wrote:
>>>> > >>
>>>> > >>> You also want to look at the URL sent as well. Since no other
>>>> ports are
>>>> > >>> open it's unlikely to be using any non-HTTP protocols. However if
>>>> this
>>>> > is a
>>>> > >>> REST API of some sort then the addresses might be part of a load
>>>> > balancing
>>>> > >>> system and may be expecting data for authentication or other
>>>> > information
>>>> > >>> specific to your router. The address is just the server being
>>>> asked for
>>>> > >>> information, the full URL path is the question.
>>>> > >>>
>>>> > >>> What's probably happening is that your "unconfigured" device is
>>>> dialing
>>>> > >>> home to ask if it is associated with an account using a REST API.
>>>> When
>>>> > it
>>>> > >>> gets a no from the server, it loads default settings and probably
>>>> goes
>>>> > >>> through this check on a regular schedule. I see this a lot with
>>>> > >>> cloud-routers as well. Under the hood its openwrt and while they
>>>> > function
>>>> > >>> without the cloud account linked they tend to behave in unexpected
>>>> > ways.
>>>> > >>>
>>>> > >>> -Ben
>>>> > >>>
>>>> > >>>
>>>> > >>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> > >>> On Wednesday, January 5th, 2022 at 2:19 PM, Chuck Hast <
>>>> > [email protected]>
>>>> > >>> wrote:
>>>> > >>>
>>>> > >>> That is interesting, yesterday I tried all of them and
>>>> > >>> got no route, but doing as you did gave me what you
>>>> > >>> got. I have got to fire up Wireshark and get the sniffer
>>>> > >>> going on my router again and capture those packets
>>>> > >>> to see what is going on, I know that what I saw was
>>>> > >>> that the system was saying that there was no route
>>>> > >>> available. Let me get the port that was associated
>>>> > >>> with this connection attempts.
>>>> > >>>
>>>> > >>>
>>>> > >>> On Wed, Jan 5, 2022 at 3:53 PM Ben Koenig <
>>>> [email protected]>
>>>> > >>> wrote:
>>>> > >>>
>>>> > >>>> FWIW those are actually up and have ports 80/443 open for web
>>>> access
>>>> > >>>> according to a zenmap no-ping scan.
>>>> > >>>>
>>>> > >>>> Although accessing them via a browser is a pain. They are using
>>>> > >>>> self-signed certs and appear to be part of their API
>>>> infrastructure
>>>> > since
>>>> > >>>> simple requests via curl result in redirect http response codes
>>>> so the
>>>> > >>>> servers are up but it appears they want to limit traffic from
>>>> most
>>>> > sources.
>>>> > >>>>
>>>> > >>>> It would be kind of odd if they are using HTTP calls to sync the
>>>> time.
>>>> > >>>> Either way since you mentioned that you don't want to use their
>>>> cloud
>>>> > >>>> system they are probably safe to block. If you bypass SSL cert
>>>> checks
>>>> > then
>>>> > >>>> 3.214.34.120 actually brings up a real website.
>>>> > >>>>
>>>> > >>>> -Ben
>>>> > >>>>
>>>> > >>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> > >>>>
>>>> > >>>> On Wednesday, January 5th, 2022 at 11:02 AM, Chuck Hast <
>>>> > >>>> [email protected]> wrote:
>>>> > >>>>
>>>> > >>>> > Going to tear into it. Sorry state of affairs when you cannot
>>>> > >>>> >
>>>> > >>>> > trust the devices in your own home...
>>>> > >>>> >
>>>> > >>>> > On Wed, Jan 5, 2022 at 12:59 PM Russell Senior
>>>> > >>>> [email protected]
>>>> > >>>> >
>>>> > >>>> > wrote:
>>>> > >>>> >
>>>> > >>>> > > The FCC internal photos (if I have the right device) suggest
>>>> it
>>>> > is a
>>>> > >>>> > >
>>>> > >>>> > > marvell SoC. The photos have a sticker over the chip, so I
>>>> can't
>>>> > >>>> identify
>>>> > >>>> > >
>>>> > >>>> > > it precisely. There is a largish 8-pin SOIC chip in one
>>>> corner
>>>> > that
>>>> > >>>> looks
>>>> > >>>> > >
>>>> > >>>> > > like serial NOR flash. If you can get the part numbers of
>>>> the SoC
>>>> > >>>> and the
>>>> > >>>> > >
>>>> > >>>> > > flash, that would help. I don't see an obvious serial
>>>> console in
>>>> > the
>>>> > >>>> > >
>>>> > >>>> > > photos, but the photos are a bit blurry.
>>>> > >>>> > >
>>>> > >>>> > > On Wed, Jan 5, 2022, 10:46 Chuck Hast [email protected]
>>>> wrote:
>>>> > >>>> > >
>>>> > >>>> > > > The radio is a separate module you can plug two of them
>>>> > >>>> > > >
>>>> > >>>> > > > in, a zigbee module and a WiFi module, there are some
>>>> > >>>> > > >
>>>> > >>>> > > > other ones also. I have the Wifi module. I will see which
>>>> > >>>> > > >
>>>> > >>>> > > > one of those it is. I will see how to remove the case from
>>>> > >>>> > > >
>>>> > >>>> > > > the thermostat board and see what is in there beside the
>>>> > >>>> > > >
>>>> > >>>> > > > screen.
>>>> > >>>> > > >
>>>> > >>>> > > > I am going to start a capture again and see what the port
>>>> > >>>> > > >
>>>> > >>>> > > > is, I thought I had saved the previous capture file but
>>>> when
>>>> > >>>> > > >
>>>> > >>>> > > > I went to open it, could not find it.
>>>> > >>>> > > >
>>>> > >>>> > > > It is either checking different addresses until it finds
>>>> some
>>>> > >>>> > > >
>>>> > >>>> > > > thing alive or one of those addresses is being activated.
>>>> > >>>> > > >
>>>> > >>>> > > > If I block the address in the router the time stays what I
>>>> > >>>> > > >
>>>> > >>>> > > > have set it to.
>>>> > >>>> > > >
>>>> > >>>> > > > On Tue, Jan 4, 2022 at 9:34 PM Russell Senior <
>>>> > >>>> [email protected]
>>>> > >>>> > > >
>>>> > >>>> > > > wrote:
>>>> > >>>> > > >
>>>> > >>>> > > > > Maybe this? FCC ID: QO8-WIFI-M-0210
>>>> > >>>> > > > >
>>>> > >>>> > > > > https://fccid.io/QO8-WIFI-M-0210
>>>> > >>>> > > > >
>>>> > >>>> > > > > On Tue, Jan 4, 2022 at 7:16 PM Russell Senior <
>>>> > >>>> > > > >
>>>> > >>>> > > > > [email protected]
>>>> > >>>> > > >
>>>> > >>>> > > > > wrote:
>>>> > >>>> > > > >
>>>> > >>>> > > > > > Those addresses are all in AWS address space,
>>>> according to
>>>> > >>>> whois. As
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > a
>>>> > >>>> > > >
>>>> > >>>> > > > > > previous commenter suggested, it might just be NTP.
>>>> Did you
>>>> > >>>> notice
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > what port the communication was happening over?
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > Have you considered popping the case and seeing if
>>>> there is
>>>> > a
>>>> > >>>> serial
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > console port on their wifi module? It's reasonably
>>>> likely it
>>>> > >>>> is
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > running some ancient version of linux. Is there an
>>>> FCC-ID on
>>>> > >>>> the
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > case?
>>>> > >>>> > > >
>>>> > >>>> > > > > > On Tue, Jan 4, 2022 at 6:49 PM Chuck Hast
>>>> [email protected]
>>>> > >>>> wrote:
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > > Well folks, I was able to get wireshark on the
>>>> thermostat.
>>>> > >>>> I found
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > that it is trying to contact these addresses:
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > 54.209.187.172
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > 107.21.255.187
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > 3.214.34.120
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > Right now none are reachable. I am trying to figure
>>>> out
>>>> > why
>>>> > >>>> this
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > thermostat is trying to reach those addresses.
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > When I do a whois, they come up as being hosted on
>>>> > Amazon...
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > I wonder if one of them comes awake every so often
>>>> and the
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > thermostat gets the connection and receives a TZ
>>>> change...
>>>> > >>>> So
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > far I have not been able to catch it doing so.
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > When I bought the unit I intentionally did NOT try
>>>> to use
>>>> > >>>> the
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > cloud service, I have tried to get proper
>>>> communications
>>>> > >>>> with
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > Radio Thermostat but so far only idiots... And they
>>>> do not
>>>> > >>>> have
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > a published telephone number.
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > On Tue, Jan 4, 2022 at 4:53 PM Chuck Hast
>>>> > [email protected]
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > wrote:
>>>> > >>>> > > >
>>>> > >>>> > > > > > > > More info, this was the reply I got from the
>>>> > manufacturer
>>>> > >>>> > > >
>>>> > >>>> > > >
>>>> > >>>>
>>>> -----------------------SoF------------------------------------------
>>>> > >>>> > > >
>>>> > >>>> > > > > > > > Radio Thermostat [email protected]
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > 1:10 PM (3 hours ago)
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > to Info, me
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Hi,
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > If you are sure you have a WiFi module in the
>>>> thermostat
>>>> > >>>> Model -
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > RTMV-01
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > > > Then check out the following to see and correct
>>>> the time
>>>> > >>>> zone so
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > the
>>>> > >>>> > > > >
>>>> > >>>> > > > > > > > thermostat will have the correct time:
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > How to change time zone
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > First go to the web portal via a browser *
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > https://my.radiothermostat.com/rtcoa/login.html
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > > > https://my.radiothermostat.com/rtcoa/login.html*
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > (Note you will need to use the desktop version of
>>>> the
>>>> > web
>>>> > >>>> site)
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Then log in and go to the person (then select
>>>> location)
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > select the location you want and click edit
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Go to the pull down for time zone and select your
>>>> time
>>>> > >>>> zone
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Then click save
>>>> > >>>> > > > >
>>>> > >>>> > > > >
>>>> > >>>>
>>>> >
>>>> -----------------------------------EoF---------------------------------
>>>> > >>>> > > > >
>>>> > >>>> > > > > > > > This is exactly what I have tried to avoid, I never
>>>> > >>>> registered
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > the thermostat with their cloud. I have my personal
>>>> > >>>> reasons
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > for not wanting my devices on someone's cloud if I
>>>> can
>>>> > >>>> avoid
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > it. in this case that is exactly what I have tried
>>>> to
>>>> > do.
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Now meantime, since the thermostat IP is static, I
>>>> went
>>>> > >>>> into
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > the firewall and set up a rule to drop any packets
>>>> > to/from
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > the thermostat. No more time change, and I did
>>>> that well
>>>> > >>>> over
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > and hour ago. I can still control the device on my
>>>> LAN
>>>> > >>>> just
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > dropping whatever is trying to reach the
>>>> thermostat.
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > This brings up the question, of who/what is it? I
>>>> never
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > registered the device with their cloud, indeed I
>>>> bought
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > it because it was one of the thermostats that did
>>>> not
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > require you to use an outside network to access
>>>> it, (I
>>>> > am
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > looking at you Honeywell, Nest and all of the rest
>>>> of
>>>> > the
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > cloud only based devices). Now to see if I can get
>>>> Wire
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > shark on a part of the network that can see that
>>>> device.
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Suspend the rule and try to catch the packet
>>>> session.
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > On Tue, Jan 4, 2022 at 9:41 AM Chuck Hast
>>>> > >>>> [email protected]
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > wrote:
>>>> > >>>> > > > >
>>>> > >>>> > > > > > > > > Sorry, should have, not there is not. But the
>>>> > >>>> interesting thing
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > is that as long as it cannot contact the network
>>>> there
>>>> > >>>> is no
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > time change. I think I am going to go into the
>>>> > firewall
>>>> > >>>> and
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > make it drop all packets to/from the device and
>>>> see
>>>> > what
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > happens. If that takes care of it then maybe
>>>> allow it
>>>> > >>>> to talk
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > on the LAN but drop anything going to/from it on
>>>> the
>>>> > WAN
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > side. I would like to see what it is talking to.
>>>> So
>>>> > far
>>>> > >>>> I have
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > not been able to catch it.
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > On Mon, Jan 3, 2022 at 11:00 PM Erik Lane
>>>> > >>>> [email protected]
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > wrote:
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > > > > > You don't mention this, but since it's always 2
>>>> > >>>> hours, is
>>>> > >>>> > > > > > > > > >
>>>> > >>>> > > > > > > > > > there a
>>>> > >>>> > > >
>>>> > >>>> > > > > time
>>>> > >>>> > > > >
>>>> > >>>> > > > > > > > > > zone
>>>> > >>>> > > > > > > > > >
>>>> > >>>> > > > > > > > > > setting in there that has gotten off? Maybe
>>>> it's
>>>> > >>>> talking to a
>>>> > >>>> > > > > > > > > >
>>>> > >>>> > > > > > > > > > NTP
>>>> > >>>> > > >
>>>> > >>>> > > > > server?
>>>> > >>>> > > > >
>>>> > >>>> > > > > > > > > > On Mon, Jan 3, 2022 at 8:49 PM Chuck Hast
>>>> > >>>> [email protected]
>>>> > >>>> > > > > > > > > >
>>>> > >>>> > > > > > > > > > wrote:
>>>> > >>>> > > > > >
>>>> > >>>> > > > > > > > > > > Folks,
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > Not sure where to take this but figured that
>>>> I
>>>> > >>>> would get more
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > info here.
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > I have a RadioThermostat CT80. I have had it
>>>> now
>>>> > >>>> for several
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > years. As the summer wound down. I shut down
>>>> the
>>>> > >>>> A/C and
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > opened the windows in the house. Then in Nov
>>>> I
>>>> > >>>> needed to fire
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > up the heating, all appeared to be well, but
>>>> I
>>>> > >>>> noticed that
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > the
>>>> > >>>> > > >
>>>> > >>>> > > > > > > > > > > thermostat clock was 2 hours slow. I set it
>>>> and a
>>>> > >>>> while
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > later see that it has lost 2 hours again.
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > I have a home automation system. I checked
>>>> the
>>>> > >>>> logs, and
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > contacted the author. He has a CT50 which has
>>>> > fewer
>>>> > >>>> bells
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > and whistles than mine but same unit. Anyhow
>>>> he
>>>> > >>>> gave me
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > some guidance, in the end I shut down the HA
>>>> > system
>>>> > >>>> and it
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > still would drop the 2 hours, I powered the
>>>> > >>>> thermostat down
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > and removed the WiFi radio, powered it back
>>>> up, it
>>>> > >>>> ran about
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > 4 hours (about 3 hours longer) and never
>>>> dropped
>>>> > >>>> the 2 hours.
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > Normally it will go between 20 minutes and
>>>> an hour
>>>> > >>>> after I
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > have set it to the correct time, then drop
>>>> back to
>>>> > >>>> the
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > incorrect
>>>> > >>>> > > > >
>>>> > >>>> > > > > > > > > > > time. So this appears to indicated that it is
>>>> > either
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > something
>>>> > >>>> > > >
>>>> > >>>> > > > > > > > > > > on the network that is doing the time change
>>>> or
>>>> > >>>> something in
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > the WiFi radio.
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > I am trying to sniff the network and see if
>>>> I can
>>>> > >>>> catch any
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > weird packets. But this is one I have not
>>>> done
>>>> > >>>> before.
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > My router is a Mikrotik 2011, and I have been
>>>> > >>>> trying to use
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > the tools on it to try to monitor the IP
>>>> address
>>>> > of
>>>> > >>>> the
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > thermo-
>>>> > >>>> > > >
>>>> > >>>> > > > > > > > > > > stat and try to see if it is talking to
>>>> something
>>>> > >>>> else. So
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > far
>>>> > >>>> > > >
>>>> > >>>> > > > > > > > > > > no joy.
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > I am wondering about getting wire shark in
>>>> there
>>>> > >>>> and trying
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > to filter those packets that way as I am not
>>>> > having
>>>> > >>>> much luck
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > with the Mikrotik tools
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > Any recommendations?
>>>> > >>>> > > > > > > > > > > --------------------
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > Chuck Hast -- KP4DJT --
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > I can do all things through Christ which
>>>> > >>>> strengtheneth me.
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > Ph 4:13 KJV
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > Todo lo puedo en Cristo que me fortalece.
>>>> > >>>> > > > > > > > > > >
>>>> > >>>> > > > > > > > > > > Fil 4:13 RVR1960
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > --
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > Chuck Hast -- KP4DJT --
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > I can do all things through Christ which
>>>> strengtheneth
>>>> > >>>> me.
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > Ph 4:13 KJV
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > Todo lo puedo en Cristo que me fortalece.
>>>> > >>>> > > > > > > > >
>>>> > >>>> > > > > > > > > Fil 4:13 RVR1960
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > --
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Chuck Hast -- KP4DJT --
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > I can do all things through Christ which
>>>> strengtheneth
>>>> > me.
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Ph 4:13 KJV
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Todo lo puedo en Cristo que me fortalece.
>>>> > >>>> > > > > > > >
>>>> > >>>> > > > > > > > Fil 4:13 RVR1960
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > --
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > Chuck Hast -- KP4DJT --
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > I can do all things through Christ which
>>>> strengtheneth me.
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > Ph 4:13 KJV
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > Todo lo puedo en Cristo que me fortalece.
>>>> > >>>> > > > > > >
>>>> > >>>> > > > > > > Fil 4:13 RVR1960
>>>> > >>>> > > >
>>>> > >>>> > > > --
>>>> > >>>> > > >
>>>> > >>>> > > > Chuck Hast -- KP4DJT --
>>>> > >>>> > > >
>>>> > >>>> > > > I can do all things through Christ which strengtheneth me.
>>>> > >>>> > > >
>>>> > >>>> > > > Ph 4:13 KJV
>>>> > >>>> > > >
>>>> > >>>> > > > Todo lo puedo en Cristo que me fortalece.
>>>> > >>>> > > >
>>>> > >>>> > > > Fil 4:13 RVR1960
>>>> > >>>> >
>>>> > >>>> > --
>>>> > >>>> >
>>>> > >>>> > Chuck Hast -- KP4DJT --
>>>> > >>>> >
>>>> > >>>> > I can do all things through Christ which strengtheneth me.
>>>> > >>>> >
>>>> > >>>> > Ph 4:13 KJV
>>>> > >>>> >
>>>> > >>>> > Todo lo puedo en Cristo que me fortalece.
>>>> > >>>> >
>>>> > >>>> > Fil 4:13 RVR1960
>>>> > >>>>
>>>> > >>>
>>>> > >>>
>>>> > >>> --
>>>> > >>>
>>>> > >>> Chuck Hast -- KP4DJT --
>>>> > >>> I can do all things through Christ which strengtheneth me.
>>>> > >>> Ph 4:13 KJV
>>>> > >>> Todo lo puedo en Cristo que me fortalece.
>>>> > >>> Fil 4:13 RVR1960
>>>> > >>>
>>>> > >>>
>>>> > >>>
>>>> > >>
>>>> > >> --
>>>> > >>
>>>> > >> Chuck Hast -- KP4DJT --
>>>> > >> I can do all things through Christ which strengtheneth me.
>>>> > >> Ph 4:13 KJV
>>>> > >> Todo lo puedo en Cristo que me fortalece.
>>>> > >> Fil 4:13 RVR1960
>>>> > >>
>>>> > >>
>>>> > >>
>>>> > >
>>>> > > --
>>>> > >
>>>> > > Chuck Hast -- KP4DJT --
>>>> > > I can do all things through Christ which strengtheneth me.
>>>> > > Ph 4:13 KJV
>>>> > > Todo lo puedo en Cristo que me fortalece.
>>>> > > Fil 4:13 RVR1960
>>>> > >
>>>> > >
>>>> >
>>>> > --
>>>> >
>>>> > Chuck Hast -- KP4DJT --
>>>> > I can do all things through Christ which strengtheneth me.
>>>> > Ph 4:13 KJV
>>>> > Todo lo puedo en Cristo que me fortalece.
>>>> > Fil 4:13 RVR1960
>>>> >
>>>>
>>>
>>>
>>> --
>>>
>>> Chuck Hast -- KP4DJT --
>>> I can do all things through Christ which strengtheneth me.
>>> Ph 4:13 KJV
>>> Todo lo puedo en Cristo que me fortalece.
>>> Fil 4:13 RVR1960
>>>
>>>
>>
>> --
>>
>> Chuck Hast -- KP4DJT --
>> I can do all things through Christ which strengtheneth me.
>> Ph 4:13 KJV
>> Todo lo puedo en Cristo que me fortalece.
>> Fil 4:13 RVR1960
>>
>>
>
> --
>
> Chuck Hast -- KP4DJT --
> I can do all things through Christ which strengtheneth me.
> Ph 4:13 KJV
> Todo lo puedo en Cristo que me fortalece.
> Fil 4:13 RVR1960
>
>
--
Chuck Hast -- KP4DJT --
I can do all things through Christ which strengtheneth me.
Ph 4:13 KJV
Todo lo puedo en Cristo que me fortalece.
Fil 4:13 RVR1960
