Setting up a Smart Home - How to Update Clipsal Wiser (Zigbee) Without the Hub

UPDATE: OTA updates for the most common Wiser mechs and micro modules are now available in Zigbee2MQTT (development at least), and these hopefully should within a month or so be available in stable images.

Background

We’re renovating a house, and this includes replacing all of the electrics. Because of this, it’s now the time to automate a sensible amount of our house. You can read part 1 of this process at Home Automation - Clipsal Wiser + Siri. You can also see my overall thoughts on the products there (I’d try my hardest to find something different next time).

This section deals with how to update the Clipsal Wiser Products, which, it appears aren’t really made by Schneider Electric at all, but effectively resold from a automation industry corporate equivalent of AliExpress/Temu/Shein, TuYa.

How does this work in practice? Well, a TuYa ZigBee hub costs about $20. The TuYa hub with Wiser branding on it costs about $400. Unfortunately, prior to figuring out how to make updates available in open source software, you were locked into buying a hub and paying an additional $380 for the logo on the box.

Clipsal are stubbornly refusing to provide update files, likely because TuYa, the actual Chinese manufacturer of ‘their’ products has a very complex update ecosystem, and who knows what contractual arrangements are in place? So, we solved this problem for them. Firstly, some FAQs, then get onto how we got OTA updates working.

FAQs on Clipsal Wiser

These are all just my opinion after using the system for a while. I still can’t think of a decent alternative, but I’d summarise the product as only worth: (aka ²⁄₅ stars or a failing grade). You can work around a lot of the crappiness, but you shouldn’t need to.

With the OTA updates, a lot of the problems are trivially fixable (other than the poor quality hardward / mushy momentary switches). I doubt this will every change, though, as in reality Clipsal sell electrical equipment to sparkies (not to end-consumers), and only really sell the idea of a pretty faceplate to end-consumers. Classic example of the principal-agent problem, I suppose.

More of my overall thoughts on the Clipsal Wiser products are here.

Q) Is there a bug with double-pressing in Clipsal Wiser switches?

A) Yes, but it can be fixed (even without the hub). The bug is that external control of the switch doesn’t update its internal state, so if you switch it on remotely, you then need to physically press it twice to turn it off.

You need to update your devices for them to work correctly. You’d think any intern/muppet would be able to QA test a binary switch prior to releasing hardware to manufacturing, wouldn’t you? Not at Schneider Electric / Clipsal!

Q) Is Clipsal Wiser Reliable?

A) Short answer: No. You need to update the hardware before it works reliably. The powerpoints in particular shouldn’t be trusted, as out of the box (the 1.0.0 version) they switch off by themselves randomly (aka haunted, as my wife describes the behaviour).

A) Slightly longer answer: Yes, with an update, the powerpoints now appear to be reliable for roughly a week. That said, hidden inside the installer documentation for many of their products, they’re described to not to be used for any product where power interruption could be an issue. Naturally, this disclaimer doesn’t appear to be anywhere in their marketing material that I’ve seen…

Q) So how do I update them?

A) Well, now you can update them as you would other devices using Zigbee2MQTT. Previously you had to use the Bluetooth Mode, or via a borrowed/begged/stolen Wiser Hub that you get rid of shortly afterwards.

Q) Does Schneider Electric Actually Make Clipsal Wiser products?

A) Short answer: Not really, they’re rebadged TuYa (Chinese) products. That’s the problem with updating, and why this process is a nightmare. Clipsal/Schneider Electric don’t really control their own products.

Slightly longer answer: Even the iOS app is a rebadged TuYa app, the same as described for Positivo’s smart home gear here.

Q) Does Clipsal Wiser Share My Data with China?

A) It appears so. You can see what the mobile app sends using MITMProxy. Concerningly, much of it is not only over HTTPS, but then encrypted with AES so we have little insight into the data shared. MITMProxy shows that it regularly reports your location, for example. Location, of course, is useful for automation, but all data can be put to dual purpose…

Q) How do I switch Clipsal Wiser products from Zigbee mode to Bluetooth/BLE?

A) This is hidden away in the docs with very vague language to arguably hide that you can do this. Press 3 times, then press (a fourth time) and hold until the light blinks red very quickly. It will blink red slowly first. Keep holding until it’s quick, then let go and wait a minute or so. It’s not described in the documentation but does work. I have confirmed it works for dimmers, switches, and powerpoints. You can know it’s been successful because if you then try and pair it will alternate flashing red/green in BLE mode rather than amber in Zigbee mode.

Updating Your Wiser Switches, Powerpoints, and Pucks

Why? - The hardware doesn’t work correctly out of the box

Stop pushing buttons twice, and make your powerpoints reliable

There is some discussion on the internet that Clipsal/Schneider Electric failed to implement state correctly in early firmware versions of Wiser products. This requires an update if you don’t want to have to press a switch twice the first time after controlling something via a Zigbee command.

Because it would be crazy to spend nearly $400 on a hub (and use software rated at ²⁄₅ stars on the App Store) to just do firmware updates, we’ve put in a fair bit of effort to support this outside of the TuYa / Wiser ecosystem..

Originally, the only way to update the apps was to follow a strange combination of over 20 button presses and mucking around in a terrible app as there was no working proper over-the-air updates from Zigbee2MQTT. This now works, and this page documents how we achieved it.

There are three options for obtaining updates:

1. Update via Zigbee2MQTT (in the edge/development release, and should by May 2024 be in the stable release).
2. Update via Bluetooth (20+ button presses)
3. Extract firmware files from Wiser Rooms app and serve updates locally (bad idea).

In order to support option 1, we needed to find the OTA update URLs out of the TuYa servers (as Clipsal Wiser is effectively TuYa, just with a brand name and extra zero on the price tag attached).

Option 1) Update via Zigbee2MQTT (Easiest)

Thanks to the hard work of multiple people, there are now OTA updates for the most common devices in development branches of Zigbee-OTA on github:

• CCT5010-0001 (Micro module dimmer)
• CCT5011-0001 (Micro module switch)
• 2AX (Switch mech)
• 10AX (Switch mech)
• Wiser 40 / 300-Series Module Dimmer (Mech)
• Wiser 40 / 300-Series Module AC Fan Controller
• 3025CSGZ (Dual Smart GPO)

These are now in development Zigbee2MQTT and available for use. Likely by May 2024, these will be available in stable. You shouldn’t need to do anything more. For those interested in how we got these, the information is below.

How we obtained the Update URLs

So there’s two known ways to find out the URLs:

1. Extract the Clipsal Wiser TuYa API key and secret from the app, and make calls to TuYa to get it to tell us the URL for each update. This is described in these links:

   • Description / thread on making a client - https://github.com/codetheweb/tuyapi/issues/20
   • Sample code for client - https://gist.github.com/nk-gears/a185c83d3e521c47d64d252197e87c88
   • GitHub Repo on Reverse-Engineering the Client - https://github.com/nalajcie/tuya-sign-hacking
   • Description of Reverse-Engineering Another Rebranded TuYa App - https://blog.rgsilva.com/reverse-engineering-positivos-smart-home-app/
      
     

   This would be hard, and while it would make future updates easier, it’s not really worth the effort compared to option 2:

2. Find an old version of the Wiser App, and man-in-the-middle attack it:

   • Description of process for generic TuYa - https://www.zigbee2mqtt.io/advanced/more/tuya_xiaomi_ota_url.html
      
     

   The issue here is that newer versions of the app/api encrypt the response including the URL (see right). I’ve also discovered that the hub does check the certificate root, so you can’t MITM attack recent versions via a network-layer transparent proxy. We succeeded in doing this using an older version and the steps below.

How to Man-in-the-middle Attack TuYa software (Rebadged as Clipsal Wiser)

The steps below are based on the guide here (https://www.zigbee2mqtt.io/advanced/more/tuya_xiaomi_ota_url.html). Please note that I’m running this on an Intel Mac.

1. Install Android Studio (at least version 2023).
2. Install Docker
3. Run MITMProxy: docker run --rm -it -p 8080:8080 -p 127.0.0.1:8081:8081 mitmproxy/mitmproxy mitmweb --web-host 0.0.0.0
4. Open a web browser to http://localhost:8081 for the MITMProxy web frontend.
5. Download an old copy of the APK. Google “Wiser by SE_5.17.1_Apkpure.apk”.
6. Create a blank project in Android Studio
7. Create a device, I used Pixel 7 running Android 34 (x86_64)
8. Open Settings (swipe up), then choose “Network and Internet”, then “AndroidWifi”, then click on the pencil (top right), then set proxy to manual, and enter your IP address (e.g. 192.168.0.40) and port 8080.
9. Close settings, and open Chrome on the emulator, go to http://mitm.it and click on “Get mitmproxy-ca-cert.cer” under Android. Download it.
10. Open the settings app and search for “Certificate”. Choose to install CA certicate, and select the one that you’ve downloaded. Ignore the warnings and install it.
11. Open up Chrome app and make sure that you can browse to https://google.com/ and the traffic is visible through the mitmproxy web frontend.
12. Drag the APK onto the emulator to install it and open up the Wiser app.
13. Set up your hub as per usual using your normal device (NOT the emulator unless you want pain) and remember the username/password.
14. Add a device to your Wiser hub. Do not update when prompted.
15. Open up the wiser app on your hub. Because it’s a very old version, it might be hard to find the device you added. If you can’t find it, browse to the hub and find it via there.
16. As soon as you open it, open up MITMProxy, and look up the second or third last flow (it’ll look like step 3a here). Find the JSON key called url and that’s the firmware update location.

From here, we simply add this url to the zigbee-OTA repository and submitted a pull request following the instructions here. Updates are now submitted in Zigbee2MQTT for the following devices:

• CCT5010-0001 (Micro module dimmer)
• CCT5011-0001 (Micro module switch)
• 2AX (Mech)
• 10AX (Mech)
• Wiser ⁴⁰⁄₃₀₀-Series Module Dimmer (Mech)
• 3025CSGZ (Dual Smart GPO)
• Wiser ⁴⁰⁄₃₀₀-Series Module AC Fan Controller

PRs are here:

• Zigbee-OTA
• Zigbee-Herdsman-Converters

The vaguely more interesting thing, is that during this process, the brand new hub claimed to have a firmware update available at https://images.tuyaeu.com/smart/firmware/upgrade/ay1557480848074dO17I/1676360393eafd6358e13.img.

It would be interesting to see what is in here and if there is another approach to easily getting future updates.

Option 2) Updating via Bluetooth (Working - except for GPOs)

As an aside, this bluetooth updating method does work contrary to some forum reports. I’ve done it on 20+ switches and confirmed it fixes the problem. Contrary with what you see on forums and to Schneider Electric’s FAQ entry, if you use the iOS app (Wiser Rooms), it will update both Zigbee and BLE modes, fixing the bug for the dimmers and switches in Zigbee mode too.

1. Download the Wiser Rooms app
2. Press 3 times, then press (a fourth time) and hold until the light blinks red very quickly. It will blink red slowly first. Keep holding. This switches from Zigbee to Bluetooth mode. It’s not described in the documentation but does work.
3. Wait for the switch to reset into bluetooth mode.
4. Press 3 times and wait for it to flash white for pairing.
5. Add the switch and pair it with the Wiser Rooms app on your phone.
6. Select the switch, and choose Settings -> Advanced -> Firmware -> Update.
7. Wait the 3min to update the software.
8. Factory reset the switch by pressing 3 times, then press (a fourth time) and hold until the light blinks red slowly. Wait for the reset.
9. Press 12 times to switch back to Zigbee mode. Wait.
10. Press 3 times to repair with Zigbee2MQTT.
11. Find the switch in Zigbee2MQTT and select reconfigure. This seems to intermittantly be required and sometimes fail under you restart Zigbee2MQTT. I’m not sure what’s going on here.

And you’re done! That was really painful, and when you do 20+ switches, you’ll be cursing a company that ships products with old firmware.

It should also be noted that I don’t believe that this updates it to the latest firmware. It does, however, update mechs to a version that works well enough that I haven’t experienced any issues so far.

NOTE: Unfortunately, it appears that it doesn’t update the firmware of the powerpoints as high as it can go. They do appear to stop switching off randomly though. Using the app, I’ve updated to 1.1.0 for the powerpoint to the right (model 3025CSGZ), but I can confirm that the hub updated it to 1.1.5.

Schneider Electric recently (about a month before I wrote this) decided to refuse to make firmware files available outside of their junk software. It’s a bit strange that Schneider Electric don’t want to work with your typical early adopters and have them promote/recommend their product…

Option 3) OTA Updates Extracted from Wiser Rooms App (Working but bad idea)

I’ve posted this now in order to help others as I work through it.

Try this at your own risk, you might destroy every light switch in your house, which would be a real downer…

This is unfortunately stupidly involved due to SE’s intransigence on providing updates. Many thanks to @DanielNagy who provided the following info:

I got OTA working with zigbee2mqtt. I found the firmware files in one of the wiser android apks. (The wiser room app). However they weren’t usable in their current form, there was a OTA header that needed to be prepended to the file for z2m be able to send. I found a silabs image builder tool which would turn the firmware into a ota file for you with hints taken from the firmware file name in the android apk.

As for enabling ota in z2m, it’s just a simple ota line in the devices config. But you need to host the files somewhere and reference them in a metadata file

Breaking this down into steps, we can do:

1. Download the Android APK for Wiser Rooms from https://apps.evozi.com/apk-downloader/?id=com.se.clipsal.blefinalapp

2. Extract the files and copy out the firmware files into the directory firmware:

   $ mkdir rooms
   $ cd rooms/
   $ unzip ../com.se.clipsal.blefinalapp_1556_apps.evozi.com.apk
   $ cd ..
   $ mkdir firmware
   $ find . -name \*ZBE\*.gbl -exec cp '{}' firmware/ \;
   

   This then gives you the following files:

105E-0001-02012800-0100-01FF-chameleon_dimmer-ZBE.gbl       105E-0010-01000104-0000-01FF-push_button_relay-ZBE.gbl      MFR4820801_MG13_ZBE_02.03.00_Timer_Switch.gbl
105E-0001-02030400-0100-01FF-chameleon_timer_switch-ZBE.gbl 105E-0011-01000104-0000-01FF-push_button_dimmer-ZBE.gbl     MFR4820801_MG13_ZBE_02.07.00_Switch_10ax.gbl
105E-000B-010500FF-0100-01FF-C4Bond_1Gang-ZBE.gbl           105E-0012-01000104-0000-01FF-push_button_shutter-ZBE.gbl    MFR4820801_MG13_ZBE_02.08.00_Switch_10ax.gbl
105E-000C-010500FF-0100-01FF-C4Bond_2Gang-ZBE.gbl           105E-0013-01000104-0000-01FF-NH_Rotary_Dimmer-ZBE.gbl       MFR4820801_MG13_ZBE_02.09.00_Switch_10ax.gbl
105E-000D-010009FF-0000-00FF-Puck-ZBE.gbl                   105E-0014-01000103-0000-01FF-NH_Motion_Relay-ZBE.gbl
105E-000D-01050004-0000-01FF-Puck-ZBE.gbl                   105E-0015-01000203-0000-01FF-NH_Motion_Dimmer-ZBE.gbl

1. Now you need to update these files to have the right firmware details somehow because Schneider Electric don’t follow the correct standards…

Here’s the details from @DanielNagy for how to do this for two examples:

image-builder-windows.exe -c 105E-0036-020507FF-0000-01FF-chameleon_switch_2ax-ZBE.ota -v 0x020507ff -m 0x105e -i 0x0036 -s 0x0002 --min-hw-ver=0x0000 --max-hw-ver=0x01ff -t 0x0000 --tag-file 105E-0036-020507FF-0000-01FF-chameleon_switch_2ax-ZBE.gbl

image-builder-windows.exe -c 105E-0037-020307FF-0000-01FF-chameleon_dimmer-ZBE.ota -v 0x020307ff -m 0x105e -i 0x0037 -s 0x0002 --min-hw-ver=0x0000 --max-hw-ver=0x01ff -t 0x0000 --tag-file 105E-0037-020307FF-0000-01FF-chameleon_dimmer-ZBE.gbl

Thats for the 2AX (41E2PBSWMZ/356PB2MBTZ) and the Dimmer (41EPBDWCLMZ/354PBDMBTZ). I’ve not had any 10AX installed yet.

From the APK file, there is a heap of firmware assets, and the way I determined which file was the correct one, I had a zigbee sniffer setup and watched the OTA request from the device. Particuarly the “image type -i” is what is different between models i found. ie, 0036 and 0037.

From this, it suggests that the format above is:

[MANUFACTURER ID]-[IMAGE TYPE ID]-[FIRMWARE VERSION]-[TAG IDENTIFIER]-[MAX HARDWARE VERSION]-DEVICENAME-ZBE.gbl

So, based on what we’ve got, we can figure this out like so for the dimmer.

Firstly, install Simplicity Studio manually, then install the SDK, then install wine64 via brew install wine-stable, then you can build the OTA update:

wine64 ~rob/SimplicityStudio/SDKs/gecko_sdk/protocol/zigbee/tool/image-builder/image-builder-windows.exe -c 105E-0001-02012800-0100-01FF-chameleon_dimmer-ZBE.ota -v 0x02012800 -m 0x105e -i 0x0037 -s 0x0002 --min-hw-ver=0x0000 --max-hw-ver=0x01ff -t 0x0000 --tag-file 105E-0001-02012800-0100-01FF-chameleon_dimmer-ZBE.gbl

Realistically though, this is not a recommended way to get the updates, as these themselves are greatly out of date, and do not contain all of the mechs.