Setting up a Smart Home - How to Update Clipsal Wiser (Zigbee) Without the Hub

We’re renovating a house, and this includes replacing all of the electrics. Because of this, it’s now the time to automate a sensible amount of our house. You can read part 1 of this process at Home Automation - Clipsal Wiser + Siri. You can also see my overall thoughts on the products there (I’d try my hardest to find something different next time).

This section deals with how to update the Clipsal Wiser Products, which, (hint hint) appear aren’t really made by Schneider Electric at all, but effectively resold from a automation industry corporate equivalent of AliExpress, TuYa.

Clipsal are stubbornly refusing to provide update files, likely because TuYa, the actual Chinese manufacturer of ‘their’ products has a very complex update ecosystem, and who knows what contractual arrangements are in place? So firstly, some FAQs (to help Google out), then get onto how you can do this.

FAQs on Clipsal Wiser

These are all just my opinion after using the system for a while. I still can’t think of a decent alternative, but I’d summarise the product as only worth: (aka ²⁄₅ stars or a failing grade). You can work around a lot of the crappiness, but you shouldn’t need to.

A note for Schneider Electric / Clipsal Wiser developers if you’re reading this - Please reach out and help. A lot of the problems are fixable (other than the mushy momentary switches). If all your Zigbee gear just worked correctly and had proper OTA updates, it should be a really good experience!

More of my overall thoughts on the Clipsal Wiser products are here.

Is there a bug with double-pressing in Clipsal Wiser switches?

Yes, but it can be fixed (even without the hub). The bug is that external control of the switch doesn’t update its internal state, so if you switch it on remotely, you then need to physically press it twice to turn it off.

You can update the switches using the BLE mode and the phone app. Alternatively, pair it with the hub, then pair it with your preferred Zigbee controller. Contrary with what you see on forums, if you use the iOS app (Wiser Rooms), it will fix the bug for the dimmers and switches in Zigbee mode too.

Is Clipsal Wiser Reliable?

Short answer: No. You need to update them. The powerpoints in particular shouldn’t be trusted, as out of the box (the 1.0.0 version) they switch off by themselves randomly (aka haunted, as my wife describes the behaviour).

Slightly longer answer: Yes, with an update, the powerpoints now appear to be reliable for roughly a week. That said, hidden inside the installer documentation for many of their products, they’re described to not to be used for any product where power interruption could be an issue. Naturally, this disclaimer doesn’t appear to be anywhere in their marketing material that I’ve seen…

So how do I update them?

Using the Bluetooth Mode, or via a borrowed/begged/stolen Wiser Hub that you get rid of shortly afterwards.

Does Schneider Electric Actually Make Clipsal Wiser products?

Short answer: Not really, they’re rebadged TuYa (Chinese) products. That’s the problem with updating, and why this process is a nightmare. Clipsal/Schneider Electric don’t really control their own products.

Slightly longer answer: Even the iOS app is a rebadged TuYa app, the same as described for Positivo’s smart home gear here.

Does Clipsal Wiser Share My Data with China?

It appears so. You can see what the mobile app sends using MITMProxy. Concerningly, much of it is not only over HTTPS, but then encrypted with AES so we have little insight into the data shared. MITMProxy shows that it regularly reports your location, for example.

How do I switch Clipsal Wiser products from Zigbee mode to Bluetooth/BLE?

This is hidden away in the docs with very vague language to arguably hide that you can do this. Press 3 times, then press (a fourth time) and hold until the light blinks red very quickly. It will blink red slowly first. Keep holding until it’s quick, then let go and wait a minute or so. It’s not described in the documentation but does work. I have confirmed it works for dimmers, switches, and powerpoints. You can know it’s been successful because if you then try and pair it will alternate flashing red/green in BLE mode rather than amber in Zigbee mode.

Updating Your Wiser Switches, Powerpoints, and Pucks

Why? - Stop pushing buttons twice and make the powerpoints reliable

There is some discussion on the internet that Clipsal/Schneider Electric failed to implement state correctly in early firmware versions of Wiser products. This requires an update if you don’t want to have to press a switch twice the first time after controlling something via a Zigbee command.

Because it would be crazy to spend nearly $400 on a hub to just do firmware updates, you can switch to Bluetooth mode and then update the firmware. Follow the instructions below under “Press Commands” to switch modes, and then use the Wiser Rooms app to update. (Why are there two apps anyway?!)

This bluetooth updating method does work contrary to some forum reports. I’ve done it on 20+ switches and confirmed it fixes the problem.

Unfortunately, it appears that it doesn’t update the firmware of the powerpoints as high as it can go. They do appear to stop switching off randomly though. Using the app, I’ve updated to 1.1.0 for the powerpoint to the right (model 3025CSGZ), but I can confirm that the hub updated it to 1.1.5.

How to Update Without Paying a $400 Tax to Buy a Hub with software rated at ²⁄₅ stars on the App Store

There are two ways to do this - either a strange combination of over 20 button presses and mucking around in a terrible app or working on proper over-the-air updates from Zigbee2MQTT. I’m working on the latter, but it’s not finished yet. Even so, my notes are below, and if they help, please let me know.

There are three options that this can be done:

1. Update via Bluetooth (easiest for now)
2. Extract firmware files from Wiser Rooms app.
3. Discover the URL of the TuYa hosted update files.

Option 1) Updating via Bluetooth

1. Download the Wiser Rooms app
2. Press 3 times, then press (a fourth time) and hold until the light blinks red very quickly. It will blink red slowly first. Keep holding. This switches from Zigbee to Bluetooth mode. It’s not described in the documentation but does work.
3. Wait for the switch to reset into bluetooth mode.
4. Press 3 times and wait for it to flash white for pairing.
5. Add the switch and pair it with the Wiser Rooms app on your phone.
6. Select the switch, and choose Settings -> Advanced -> Firmware -> Update.
7. Wait the 3min to update the software.
8. Factory reset the switch by pressing 3 times, then press (a fourth time) and hold until the light blinks red slowly. Wait for the reset.
9. Press 12 times to switch back to Zigbee mode. Wait.
10. Press 3 times to repair with Zigbee2MQTT.
11. Find the switch in Zigbee2MQTT and select reconfigure. This seems to intermittantly be required and sometimes fail under you restart Zigbee2MQTT. I’m not sure what’s going on here.

And you’re done! That was really painful, and when you do 20+ switches, you’ll be cursing a company that ships products with old firmware.

It should also be noted that I don’t believe that this updates it to the latest firmware. It does, however, update it to a version that works well enough that I haven’t experienced any issues so far.

Schneider Electric recently (about a month before I wrote this) decided to refuse to make firmware files available outside of their junk software. It’s a bit strange that a company that makes good hardware won’t work with the OSS community to fix the software side.

Option 2) OTA Updates Extracted from Wiser Rooms App - NB: WORK IN PROGRESS

I’ve posted this now in order to help others as I work through it.

Try this at your own risk, you might destroy every light switch in your house, which would be a real downer…

This is unfortunately stupidly involved due to SE’s intransigence on providing updates. Many thanks to @DanielNagy who provided the following info:

I got OTA working with zigbee2mqtt. I found the firmware files in one of the wiser android apks. (The wiser room app). However they weren’t usable in their current form, there was a OTA header that needed to be prepended to the file for z2m be able to send. I found a silabs image builder tool which would turn the firmware into a ota file for you with hints taken from the firmware file name in the android apk.

As for enabling ota in z2m, it’s just a simple ota line in the devices config. But you need to host the files somewhere and reference them in a metadata file

Breaking this down into steps, we can do:

1. Download the Android APK for Wiser Rooms from https://apps.evozi.com/apk-downloader/?id=com.se.clipsal.blefinalapp

2. Extract the files and copy out the firmware files into the directory firmware:

   $ mkdir rooms
   $ cd rooms/
   $ unzip ../com.se.clipsal.blefinalapp_1556_apps.evozi.com.apk
   $ cd ..
   $ mkdir firmware
   $ find . -name \*ZBE\*.gbl -exec cp '{}' firmware/ \;
   

   This then gives you the following files:

105E-0001-02012800-0100-01FF-chameleon_dimmer-ZBE.gbl       105E-0010-01000104-0000-01FF-push_button_relay-ZBE.gbl      MFR4820801_MG13_ZBE_02.03.00_Timer_Switch.gbl
105E-0001-02030400-0100-01FF-chameleon_timer_switch-ZBE.gbl 105E-0011-01000104-0000-01FF-push_button_dimmer-ZBE.gbl     MFR4820801_MG13_ZBE_02.07.00_Switch_10ax.gbl
105E-000B-010500FF-0100-01FF-C4Bond_1Gang-ZBE.gbl           105E-0012-01000104-0000-01FF-push_button_shutter-ZBE.gbl    MFR4820801_MG13_ZBE_02.08.00_Switch_10ax.gbl
105E-000C-010500FF-0100-01FF-C4Bond_2Gang-ZBE.gbl           105E-0013-01000104-0000-01FF-NH_Rotary_Dimmer-ZBE.gbl       MFR4820801_MG13_ZBE_02.09.00_Switch_10ax.gbl
105E-000D-010009FF-0000-00FF-Puck-ZBE.gbl                   105E-0014-01000103-0000-01FF-NH_Motion_Relay-ZBE.gbl
105E-000D-01050004-0000-01FF-Puck-ZBE.gbl                   105E-0015-01000203-0000-01FF-NH_Motion_Dimmer-ZBE.gbl

1. Now you need to update these files to have the right firmware details somehow because Schneider Electric don’t follow the correct standards…

Here’s the details from @DanielNagy for how to do this for two examples:

image-builder-windows.exe -c 105E-0036-020507FF-0000-01FF-chameleon_switch_2ax-ZBE.ota -v 0x020507ff -m 0x105e -i 0x0036 -s 0x0002 --min-hw-ver=0x0000 --max-hw-ver=0x01ff -t 0x0000 --tag-file 105E-0036-020507FF-0000-01FF-chameleon_switch_2ax-ZBE.gbl

image-builder-windows.exe -c 105E-0037-020307FF-0000-01FF-chameleon_dimmer-ZBE.ota -v 0x020307ff -m 0x105e -i 0x0037 -s 0x0002 --min-hw-ver=0x0000 --max-hw-ver=0x01ff -t 0x0000 --tag-file 105E-0037-020307FF-0000-01FF-chameleon_dimmer-ZBE.gbl

Thats for the 2AX (41E2PBSWMZ/356PB2MBTZ) and the Dimmer (41EPBDWCLMZ/354PBDMBTZ). I’ve not had any 10AX installed yet.

From the APK file, there is a heap of firmware assets, and the way I determined which file was the correct one, I had a zigbee sniffer setup and watched the OTA request from the device. Particuarly the “image type -i” is what is different between models i found. ie, 0036 and 0037.

From this, it suggests that the format above is:

[MANUFACTURER ID]-[IMAGE TYPE ID]-[FIRMWARE VERSION]-[TAG IDENTIFIER]-[MAX HARDWARE VERSION]-DEVICENAME-ZBE.gbl

So, based on what we’ve got, we can figure this out like so for the dimmer.

Firstly, install Simplicity Studio manually, then install the SDK, then install wine64 via brew install wine-stable, then you can build the OTA update:

wine64 ~rob/SimplicityStudio/SDKs/gecko_sdk/protocol/zigbee/tool/image-builder/image-builder-windows.exe -c 105E-0001-02012800-0100-01FF-chameleon_dimmer-ZBE.ota -v 0x02012800 -m 0x105e -i 0x0037 -s 0x0002 --min-hw-ver=0x0000 --max-hw-ver=0x01ff -t 0x0000 --tag-file 105E-0001-02012800-0100-01FF-chameleon_dimmer-ZBE.gbl

More to come on this part…

Option 3) OTA Updates URLs Hosted by TuYa - NB: WORK IN PROGRESS

So there’s at least three ways to attack this:

1. Extract the Clipsal Wiser TuYa API key and secret from the app, and make calls to TuYa to get it to tell us the URL for each update. This is described in these links:

   • Description / thread on making a client - https://github.com/codetheweb/tuyapi/issues/20
   • Sample code for client - https://gist.github.com/nk-gears/a185c83d3e521c47d64d252197e87c88
   • GitHub Repo on Reverse-Engineering the Client - https://github.com/nalajcie/tuya-sign-hacking
   • Description of Reverse-Engineering Another Rebranded TuYa App - https://blog.rgsilva.com/reverse-engineering-positivos-smart-home-app/
      
     

2. Find an old version of the Wiser App, and man-in-the-middle attack it:

   • Description of process for generic TuYa - https://www.zigbee2mqtt.io/advanced/more/tuya_xiaomi_ota_url.html
      
     

   The issue here is that newer versions of the app/api encrypt the response including the URL (see right). I’ve also discovered that the hub does check the certificate root, so I can’t MITM attack it via a network-layer transparent proxy.

   • Updated: You can get an old version of the app that shouldn’t enforce encryption here: https://m.apkpure.com/wiser-by-se/com.schneiderelectric.WiserBySE/versions - try for something from 2020.

3. Memory attack the Android App via the Emulator

   It might be possible to dump the memory and find the URL this way. This is still just a thought…

Unfortunately, from my understanding of how the TuYa ecosystem works, you need to have a product joined to a local Wiser Hub that needs an update, and then do either 1, 2, or 3 above. So, I’m yet to figure out the best option… stay tuned.