RSS Feed
feb 15

Reparation af Nordlux IP S12 badeværelseslampe der ikke lyser længere

Posted on torsdag, februar 15, 2024 in Danish, Hal9k, Planets

Denne badeværelseslampe er udgået af produktion, og pga. monteringen og at man ofte har mere end én er det noget træls at skulle udskifte – det giver ihvertfald en del skrot uden grund. Heldigvis er konstruktionen super simpel: det er udelukkende en LED driver (230V AC til 24V DC) og en LED.

Lad os starte med det nemme: LED-driveren er direkte tilgængelig bagfra, og med lidt forsigtighed kan spændingen udmåles. I dette tilfælde var der ca. 24V DC, og det er jo fint indenfor specifikationen.

Selve LED’en er lidt sværere at komme til: fronten af glasset skal drejes af via de to huller deri. Jeg brugte en låseringstang af ca. korrekt dimension, med lidt forsigtighed. Lidt ridser gør nok ikke det store når lyset skinner. LED’en kan nu loddes af.

En ny LED kan købes for ca. 10 kr, f.x. på AliExpress. Det rigtige søgterm er måske “Bridgelux 2020 COB LED”, jeg endte med en 7W i Warm White (3000 Kelvin).

Efter lidt fidlen og lodden er den nye LED monteret, og kan testes. Stor succes!

okt 28

Fantus-button part 2: the physical button build and the network communication

Posted on lørdag, oktober 28, 2023 in Hal9k, Planets

First part of this series is here, covering the reverse engineering of the DRTV Chromecast App.

I wanted the physical appearance to be extremely minimalistic, with slight references to various cubes from videogames. Because it is a remote control, it of course has to be wireless and battery-powered.

The box is lasercut from 6 mm MDF, and with a giant red arcade button on top with a red LED inside.

The electronics inside is a battery-powered Wemos D1, along with 4 x 18650 Lithium battery cells. After some experimentation on the response time, which is primarily dominated by the time it takes to reconnect to the WiFi network, I initially only used “light sleep”. This resulted in a battery time of just over a week, which is okay, but not great.

In order to preserve battery deep sleep would be really nice. The problem is deep sleep on the Wemos can only be interrupted by a reset. The idea was to use a MOSFET (in this case an N-channel logic level mosfet, IRFZ44N) for the Wemos to be able to select whether a press of the button should reset it, or it should just register on a pin as normal.

This circuit allows RST to be pulled low by the button, as long as D0 is high. Luckily, D0 is high during deep sleep, so as long as the Arduino code keeps D0 low button presses will not reset — but can still be registered by reading pin D1.

This works out “responsively enough” because the initial start has some delay due to the Chromecast initializing the app and loading media. Any subsequent button presses within the 30 seconds the Arduino stays awake are instant though. With this setup the battery life is not a problem – I’ve only had to charge it once. As a bonus feature/bug whenever the battery gets low the Wemos will trigger a bit sporadically: this causes “Fantus-bombing” where Fantus will just randomly start; quite quickly thereafter the Fantus-button is being charged 😉

The Wemos itself is not powerful enough to do all the pyChromecast communication needed, so I setup a small Raspberry Pi to handle that part. Since I didn’t want to spend too much time and effort setting up the communication between them, I ended up using a trick from my youth: UDP broadcasting. Because UDP is datagram-oriented you can send a UDP packet to the broadcast address ( and then it will be received by all hosts on the local area network: no configuration needed. In Arduino code it looks like:

Udp.beginPacket("", 31337);

(Full Arduino code available here.)

At this point I had a UDP packet that I could receive on the Raspberry Pi, and it was just a matter of writing a small server program to listen, receive and process those UDP commands. However, at this point a thought entered my mind, that derailed the project for a while:

netcat | bash

Why write my own server to parse and execute commands, when Bash is already fully capable of doing exactly that with more flexibility than I could ever dream of? And netcat is perfectly capable of receiving UDP packets? This is a UNIX system, after all, and UNIX is all about combining simple commands in pipelines — each doing one thing well.

The diabolical simplicity of just executing commands directly from the network was a bit too insecure though. This is where Bash Restricted mode enters the project: I wouldn’t rely on it for high security (since it is trying to “enumerate badness“), but by locking down the PATH of commands that are allowed to execute it should be relatively safe from most of the common bypass techniques:

netcat -u -k -l 31337 | PATH=./handlers/ /bin/bash -r

The project was now fully working: press the button, Fantus starts. Press it while Fantus is playing: Fantus pauses. Press it while Fantus is paused: Fantus resumes. The little human was delighted about his new powers over the world, and pressed the button to his hearts content (and his parents slight annoyance at times).

(Full code for handler available here.)

But wouldn’t it be cool if the little human had a (limited) choice in what to view?…

jul 18

Fantus-button part 1: Reverse engineering the DRTV Chromecast App

Posted on tirsdag, juli 18, 2023 in Hal9k, Planets

I want to build a physical giant red button, that when pressed instantly starts a children’s TV-show, in my case Fantus on DRTV using a Chromecast.

The first part of the build is figuring out how to remotely start a specific video on a Chromecast. Initially I thought this would be pretty simple to do from an Arduino, because back in the day you could start a video just using a HTTP request. Very much not so anymore: the Chromecast protocol has evolved into some monster using JSON inside Protobuf over TLS/TCP, with multicast DNS for discovery. Chance of getting that working on a microcontroller is near-zero.

But remote control is possible using e.g. pychromecast which has support for not only the usual app of YouTube, but also a couple of custom ones like BBC. Let’s try and add support for DRTV to pychromecast, starting at the hints given on adding a new app.

Using the netlog-viewer to decode the captured net-export from Chrome, and looking at the unencrypted socket communication, the appId of the DRTV app is easily found.

However, one of the subsequent commands has a lot more customData than I expected, since it should more or less just be the contentId that is needed:

  "items": [
      "autoplay": true,
      "customData": {
        "accountToken": {
          "expirationDate": "2022-07-02T00:48:35.391Z",
          "geoLocation": "dk",
          "isCountryVerified": false,
          "isDeviceAbroad": false,
          "isFallbackToken": false,
          "isOptedOut": false,
          "profileId": "c4e0...f3e",
          "refreshable": true,
          "scope": "Catalog",
          "type": "UserAccount",
          "value": "eyJ0eX...Dh8kXg"
        "chainPlayCountdown": 10,
        "profileToken": {
          "expirationDate": "2022-07-02T00:48:35.389Z",
          "geoLocation": "dk",
          "isCountryVerified": false,
          "isDeviceAbroad": false,
          "isFallbackToken": false,
          "isOptedOut": false,
          "profileId": "c4e0a...f3e",
          "refreshable": true,
          "scope": "Catalog",
          "type": "UserProfile",
          "value": "eyJ0eXAi...IkWOU5TA"
        "senderAppVersion": "2.211.33",
        "senderDeviceType": "web_browser",
        "sessionId": "cd84eb44-bce0-495b-ab6a-41ef125b945d",
        "showDebugOverlay": false,
        "userId": ""
      "media": {
        "contentId": "278091",
        "contentType": "video/hls",
        "customData": {
          "accessService": "StandardVideo"
        "streamType": "BUFFERED"
      "preloadTime": 0,
      "startTime": 0
  "repeatMode": "REPEAT_OFF",
  "requestId": 202,
  "sessionId": "81bdf716-f28a-485b-8dc3-ac4881346f79",
  "startIndex": 0,
  "type": "QUEUE_LOAD"

Here I spent a long time trying without any customData, and just using the appId and contentId. Initially it seemed to work!

However, it turned out it only worked if the DRTV Chromecast app was already launched from another device. If launched directly from pychromecast the app would load, show a spinner, and then go back to idle. Here much frustration was spent; I guess the customData is actually needed. And indeed, putting that in works! But where do these tokens come from, and how do we get those tokens from Python?

Using Chrome’s developer tools (F12) on the DRTV page, and then searching globally (CTRL-SHIFT-f) for various terms (“expirationDate”, “customData”, “profileToken”, “accountToken” etc.) revealed some interesting code, that was as semi-readable as any pretty-printed minifyed Javascript. Eventually I found the tokens in local storage:

Using these tokens work really well, and allows starting playback!

Some further exploration proceeded: using the showDebugOverlay flag reveals that the DRTV player is just a rebranded Shaka Player. The autoplay functionality can be disabled by setting chainPlayCountdown to -1, which is honestly a real oversight that it cannot be disabled officially, to not have to rush to stop the playback of the item before the next autoplays.

With all the puzzle pieces ready, I prepared a pull request (still open) to add support for DRTV to pychromecast.

Fantus-button part 2 will follow, detailing the hardware build and network integration with the support from pychromecast.

feb 20

Floating Solid Wood Alcove Shelves

Posted on mandag, februar 20, 2023 in Hal9k, Planets, Woodworking

I have an alcove where I wanted to put in some floating shelves. I wanted to use some solid wood I had lying around, to match the rest of the interior; this ruled out most of the methods described online: (i) building up the shelf around a bracket, and (ii) using hidden mounting hardware would be hard to get precise and would not provide support on the sides.

So inspired by some of the options instead I tried to get by with just brackets on the three sides, in a solid wood shelf. I ended up with 12mm brackets of plywood in a 26mm solid wood shelf, and that was plenty sturdy.

Step 1 was to cut out the rough shelves, with plenty of extra width, and rough fitting the plywood bracket pieces. It makes sense to leave as much on the top of the slit as possible, as this will be the failure point if overloaded. The excellent wood workshop at Hal9k came in very handy!

Step 2 was to mount the plywood brackets in the alcove. Pretty easy to do using a laser level, biggest problem was getting the rawplugs in precise enough for the level to be kept.

Step 3 was fitting the shelves individually, accounting for the crookedness of the 3 walls. The scribing method used by Rag’n’Bone Brown was pretty useful, just doing it in multiple steps to make sure not to cut off too much.

Finally, all the shelves in final mounting. Getting them in took a bit of persuasion with a hammer, and minor adjustments with a knife to the plywood brackets, as it was a tight fit. The key again was small adjustments.

One concern with such a tight fit would be wood movement; however most of the wood movement is “across the grain” which in this application means “in and out” from the alcove, where the wood is basically free to move as the shelves are not fastened to the brackets in any way.

Another concern would be if the relatively small brackets (12x12mm) can handle the load of the relatively wide shelves (60cm wide, 35cm deep, and 2.6cm high). There are two failure scenarios: (i) the wood could split above the slit, (ii) or the bracket could deform or be pulled out. Neither seems likely as (i) applying a static (or even dynamic) load large enough to split the wood seems implausible, even at the weakest point in the middle of the front, and (ii) the tight fit counteracts the brackets ability to be pulled out since pulling out in one side would have the shelf hitting the wall on the opposite side.

All in all a very satisfying project to work on and complete!

dec 15

Quick and dirty guide to Lithium battery-powered Wemos D1 Mini

Posted on torsdag, december 15, 2022 in Hal9k

The Wemos D1 Mini is an ESP8266 based prototyping board with WiFi connectivity and countless applications. It becomes even more useful in battery-powered applications, where with the proper setup, it can run low-powered for months at a time — or only hours if done incorrectly.

This is the quick and dirty guide to running a Wemos D1 Mini powered by Lithium-Ion batteries: We will be blatantly ignoring several design specifications, so double check everything before using in a critical project. Several things will vary, and since there is plenty of clones of the board some boards will work better than others.

Warning: Lithium-Ion batteries always command healthy respect, due to the energy they store! Do not use bad cells, and do not leave batteries unattended in places where a fire can develop, especially while charging. That being said, the setup given here should be as safe as most other Lithium-Ion battery projects.

Why run off a battery?

You chose a Wemos D1 because you want to do some WiFi connectivity. This narrows down the useful modes from the overwhelming large table of possibilities. The approach will be slightly different depending on why you want to run off a battery. There are 3 main usecases:

  • Periodically wake up on a timer, do some work, connect to WiFi, and go back to sleep. Here we can utilize the deep sleep mode of the ESP8266, and get lifetimes in months.
  • Wake up based on an external pin trigger, do some work, connect to WiFi, and go back to sleep. Here we can also utilize deep sleep, and get lifetimes in weeks/months.
  • React with low latency to an external pin, do some work, and go to sleep while still connected to WiFi. Here we can utilize light sleep, but only get lifetimes in hours/days.

Hardware setup

The hardware needed is:

  • Wemos D1 Mini
  • TP4056 module with “discharge protection”, most modules with more than one chip has this, but be careful!
  • Lithium-Ion battery, e.g. a 18650 cell, and probably a holder for the battery

What you don’t want is anything resembling a power bank or battery shield with a regulated output (5V or 3V). These are practically useless, simply a more expensive battery holder! Two reasons: poorly built (I have several where standby is prevented by pulling 100 mA through a resistor!), and you don’t want a switching mode power supply. The keyword here is “quiescent current”: an SMPS can easily consume 5-10 mA continuously, which could very likely be the majority of the current draw.

Wiring diagram.

Waking on a timer – deep sleep

Full code example for deep sleeping on a timer.

To start deep sleep for a specified period of time:

//Sleep for some time; when waking everything will be reset and setup() will run again

Note that you can’t safely sleep for more than approximately 3 hours. Power usage is approx 0.3–0.4mA when deep sleeping.

Keep in mind that after waking from the timer the chip will be reset, meaning no state is available, and WiFi will have to reconnect. Reconnecting to WiFi can be anything from 3–10 seconds or even longer, meaning that will be a delay before the program can resume.

Waking on an pin trigger (reset)

Full code example for deep sleeping waiting for a pin trigger.

The code is exactly the same as waking on a timer, with one exception:

//Sleep until RESET pin is triggered

The chip will be effectively comatose, sleeping until a RESET is triggered. Same caveats apply: waking up the program is restarted, and reconnecting to WiFi will be a delay.

Stay connected – low latency

Full code example for light sleeping connected to WiFi waiting for a pin trigger. Note that the button should be connected to D3 for this example, not RST.

The key parts are:

void setup() {
  WiFi.setSleepMode(WIFI_LIGHT_SLEEP, 3);  // Automatic Light Sleep

void loop() {
  delay(350); // Any value between 100--500 will work, higher value more power savings
    // but also slower wakeup!

Simply delaying will bring power savings — simple and easy!

When awake power consumption is around 75mA. Average power consumption when light sleeping with delay(200) is around 45 mA, with delay(350) and larger is around 30–40mA.

Measuring battery depletion

The ESP can measure it’s internal VCC supply voltage, and because the battery will start dropping below the rated 3.3V before it is depleted, this allows to get an warning when the battery starts to deplete.


void loop() {
  if (ESP.getVcc() < 2800) {
    //Do something to warn of low battery

In my experience the Vcc reading will drop below 2800 when the battery starts to be depleted.

ADC readings vs. battery voltage

Note that measuring the VCC while connected with USB is not possible, as the USB connection will pull up the battery and the 5V rail to 5V!

Calculating battery life

Here is a quick calculator for how long your Wemos D1 Mini can stay powered

Deep sleep

(conservatively assumes base load 1mA, 10 secs burst of 100mA for every wakeup), resulting in

Light sleep

Of course the consumption can be brought even lower: some chips are unused but partly connected and will have some leakage (LEDs, USB chip on the Wemos). Making it even leaner is outside the scope of quick and dirty.

okt 4

Olimex A20-OLinuXino-LIME2 – 8 years in service, 2 PSUs and 1 SD-card down

Posted on tirsdag, oktober 4, 2022 in Hal9k, Planets, Sysadmin'ing

4 years ago I posted a 4 year review of the Olimex LIME2. It seems that the lifetime of power supplies is approximately 4 years as now another power supply died, and this time also the SD-card was expiring. The LIME2 lives on however!

It was a bit hard to notice, because the battery pack of the LIME2 kept it running pretty well even with the poor power supply. So, better monitoring of the battery pack is also on the todo list.

Recovering the bad SD-card

Recovering the SD-card was relatively easy with minimal dataloss, when out of the LIME2:

$ sudo ddrescue /dev/mmcblk0 backup.img
# Put in a new SD-card
$ sudo dd if=backup.img of=/dev/mmcblk0 bs=16M

I have done this a couple of times with other SD-cards from Raspberry PIs, and though there is the potential for dataloss it is usually minimal. This time a few blocks were lost.

Upgrading Debian from Stretch to Bullseye

I took the opportunity to upgrade the Debian install while the system was offline anyway. Upgrading was generally painless, following the usual Debian method. I went through the Buster release just to be sure:

$ vim /etc/apt/sources.list
# replace all "stretch" with "buster" :%s/stretch/buster
$ apt update && apt upgrade && apt full-upgrade
$ reboot

$ vim /etc/apt/sources.list
# replace all "buster" with "bullseye" :%s/buster/bullseye
$ apt update && apt upgrade && apt full-upgrade
$ reboot

The only tricky part is booting the new kernel. Since that always fails for me on the first try, I always hookup the serial console. For future reference, this is how to hookup the serial console (which is TTL 3.3V):

Pinout from left as labelled on the LIME2: TX, RX, GND

Now, of course the boot failed. I tried getting the flash-kernel package to work for my setup, but for historical reasons I have a separate boot partition. In the end I derived a simple bootscript from that package, that boots from p1 but loads the kernel, fdt and initrd from p2:

setenv bootargs  ${bootargs} console=ttyS0,115200 root=/dev/mmcblk0p2 rootwait panic=10

#setenv fk_kvers '4.19.0-21-armmp-lpae'
setenv fk_kvers '5.10.0-18-armmp-lpae'
setenv fdtpath dtb-${fk_kvers}

load mmc 0:2 ${kernel_addr_r} /boot/vmlinuz-${fk_kvers}
load mmc 0:2 ${fdt_addr_r} /boot/${fdtpath}
load mmc 0:2 ${ramdisk_addr_r} /boot/initrd.img-${fk_kvers}
bootz ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r}

The script can be manually input over the serial terminal, and thereby tested out.

The only downside is it needs to be manually updated after each kernel upgrade. To activate the uboot bootscript:

$ mount /dev/mmcblk0p1 /mnt/
$ cd /mnt
# ensure boot.cmd is as above
$ mkimage -C none -A arm -T script -d boot.cmd boot.scr

Monitoring the LIME2 battery pack

After upgrading to a recent 5.X mainline Linux kernel the battery pack is exposed in the sysfs filesystem:

$ cat /sys/class/power_supply/axp20x-battery/voltage_now 
4070000 # 4.07 V
$ cat /sys/class/power_supply/axp20x-ac/voltage_now 
4933000 # 4.93 V

I setup a couple of alerting rules for these in my home monitoring setup, so hopefully the next time the LIME2 defeats a power supply I’ll get notified.


I can still warmly recommend the LIME2. It is still available, and even a bit cheaper nowadays at 40 EUR + VAT, and still a little workhorse that just keeps on going.

aug 29

Grundfos Alpha 2 pumpe går i stykker og flimrer: reparer den med en kondensator til nogle få kr

Posted on mandag, august 29, 2022 in Danish, Hal9k, Planets

Som med så mange andre huse fulgte der en Grundfos Alpha 2 cirkulationspumpe med da vi købte et hus. Den pumpede og pumpede, indtil den var blevet 13 år gammel: så begyndte den at flimre når den skulle starte op. Det er jo som sådan en rimelig hæderlig levetid, men også lidt mistænkeligt at det ikke virkede til at være et mekanisk problem.

Flimmer, men ingen pumpning.

Symptomerne er:

  • Pumpen kan køre fint i længere tid
  • Ved længere tids stop kan den ikke starte; nogen gange starter den efter noget tid
  • Ved opvarmning starter pumpen, f.x. med en varmepistol

Det sidste punkt har gjort at der flere steder bliver spekuleret i at der er “kondens” i pumpen.

Det er dog ikke problemet. Problemet er en lille kondensator der holder strøm til lavspændingselektronikken:

47 uF 16 V kondensatoren er problemet.

I Hal9k eksperimenterede vi en smule for at verificere: hvis man køler den ned med f.x. sprit opstår problemet med det samme. Hvis man varmer den op starter pumpen med det samme.

For en udførlig vejledning i hvordan pumpen skilles ad og kondensatoren skiftes har Simon lavet en video:

Men hvad er kilden til problemet så? Kondensatoren får over tid en alt for stor indre modstand, og spændingstabet bliver for stort. Her et par målinger uden og med lidt sprit til ekstra afkøling:

En helt ny kondensator måler under 1 ohms modstand, altså 100 gange så lille indre modstand:

En ny kondensator kan findes ved at søge på “47 uf 16 v smd electrolytic capacitor”, f.x., eller endnu mere lokalt fra

Efter erstatning pumper pumpen lystigt.

Så hvad kan man lære af hele denne historie?
Grundfos laver mekanisk gode pumper, men sparer på deres elektronik. Det er trist at tænke på hvor mange pumper der mon er smidt ud lang tid før tid. Man kan nok ikke beskylde Grundfos for “planned obsolence” efter 13 år, men man kunne dog ønske at produktet fejlede i en mere brugbar konfiguration: f.x. at pumpen kører ved et minimum hvis elektronikken fejler.

jan 31

Reparation af Aduro-tronic II

Posted on søndag, januar 31, 2021 in Danish, Hal9k

Vi har en Aduro 1-2 brændeovn med Aduro-tronic, som vi generelt er rigtig glade for. Den har nu været i drift i 5 år, og har haft omkring 4500 optændinger. Generelt er designet rigtig fornuftigt, og med Aduro-tronic og Smart Response er det rigtig nemt at fyre korrekt.

Den eneste anke må være at vi nu 2 gange har oplevet at Aduro-tronic stemplet har givet op:

Første gang købte jeg et nyt, men det viste sig at være ret nemt at reparere. Så da problemet opstod igen reparerede jeg bare det gamle stempel.

Aduro-tronic er basalt set en utæt luftcylinder med en fjeder. Stemplet trykkes ind, fjederen bliver spændt og som lufter langsomt trækker ud af cylinderen kører stemplet op igen. Hvor utæt cylinderen er justeres med den lille skrue, og dette sætter således tiden spjældet holdes åbent.

Problemet opstår når aske, støv og lignende sætter sig inde i cylinderen, og over tid får foringen til at blive utæt. Derved er stemplet for utæt.

Løsningen er simpel:

Tag forsigtigt fjederen af ved at trykke holderpladen ned og dreje den 90 grader.
Den øverste plade kan forsigtig tages ud. Jeg brugte en spidstang, og lidt vrikken fra side til side. Derefter kan selve stemplet med gummi-foring tages ud.

Rengør nu cylinderen, og smør stempel og cylinder med en lille smule silikone-spray der hjælper med at forsegle.

Saml hele mekanikken igen, tryk stemplet ned og check at det nu bliver nede af sig selv. Når mekanikken igen er monteret på brændeovnen skal tiden nok indstilles forfra.

mar 25

Sniffing Philips Hue Zigbee traffic with Wireshark

Posted on mandag, marts 25, 2019 in Hal9k, Planets

I have a Philips Hue gateway at home that is connected to a number of Philips Hue lights, as well as some IKEA trådfri light bulbs, and a couple of OSRAM Lightify light strips. Most of the time the network works quite well, but some of the time a few of the lights become unreachable. I read a rumor online that the Hue lights and the other lights are actually on two different Zigbee networks. Of course, if only I had a way of sniffing the Zigbee traffic I could diagnose these problems. And thus began this quest.

USB TI CC2531 Zigbee sniffer dongle.

I started by buying a Zigbee sniffer, I found that the Texas Instruments CC2531 chip is widely used, and available in a cheap USB package. I purchased this USB CC2531 Zigbee sniffer, but others are probably equally good. After the dongle arrived I spent quite a while thinking that I need to replace the stock firmware, because of various old projects on GitHub (Sensniff, ccsniffpiper, etc.). Fortunately, you do not need to change the stock firmware. The best software package seems to be KillerBee which supports both sniffing and injection; however only sniffing with the CC2531. Installing KillerBee on Ubuntu is quite easy. You need to install scapy, and a few dependencies. The installation instructions are probably more up to date than this blog post.

Starting the sniffing is really easy, if you know the channel the Philips Hue is operating at. I think channel 11 is the default, but it is displayed in the Hue app, under info for the bridge:

sudo zbwireshark -c 11

This will launch a background process, and an instance of Wireshark that is monitoring the channel. At this point you can see the traffic; but everything is encrypted…

Encryption… Encryption everywhere!

A very incomplete intro to Zigbee encryption

Zigbee traffic can be encrypted with AES-128, which is a symmetric encryption scheme. This means the key to encrypt and decrypt is the same. There is a number of keys that can be used to encrypt a single packet payload:

  1. The Network Key, which is unique to this Zigbee network. This is what we will ultimately need to find. It is generated by the gateway, and shared by all the devices on the network. How does a new device join the network then? It uses the…
  2. The Key-Transport Key which is a pre-shared secret. Apparently there is a number of these, depending on the class of devices and type of network. These are apparently a well-kept secret or something, although widely available on the internet:
    1. “default global trust center link key” which is 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39
    2. “light link master key” which is 9F:55:95:F1:02:57:C8:A4:69:CB:F4:2B:C9:3F:EE:31
    3. “light link commissioning key” which is 81:42:86:86:5D:C1:C8:B2:C8:CB:C5:2E:5D:65:D1:B8

You can add these keys to Wireshark, and the Zigbee dissector will then try to decrypt traffic using them. Go to Edit -> Preferences -> Protocols -> ZigBee and edit the pre-configured keys:

The Key-Transport Key is used whenever a new device joins the network with the sole purpose of encrypting the network key. So, to find the network key we need to know the Key-Transport Key, and observe the traffic when a device joins. So this is what I did: I found an IKEA Trådfri lightbulb and spent the frustrating time needed to get it to join the Philips Hue gateway (resetting the bulb, searching for new lights). Finally, it suceeded!

Hitting gold!

Now, by adding the transport key to the list of keys in Wireshark all the traffic on the network was able to be decrypted!

Decrypted traffic

The next step will be to analyze the traffic, and understand the routing. Very initial probes using zigbee-viewer indicates that there is indeed three distinct routings:

Zigbee routing.
feb 1

Dør jeg af partikelforurening fra min moderne brændeovn?

Posted on fredag, februar 1, 2019 in Danish, Hal9k, Planets

Vi har en fin moderne brændeovn derhjemme (en Aduro 1-2), som vi bruger ret intensivt til opvarmning af vores gamle stuehus. Et meget relevant spørgsmål er derfor: hvor meget bidrager sådan en moderne brændeovn til partikelforureningen i vores stue?

Partikelforurening er små partikler af støv og sod, der bl.a. fremkommer ved afbrænding af fossile brændsler, som olie og træ. De kan forårsage forskellige slags sundhedsproblemer, bl.a. kræft. På et interaktivt partikelkort kan man se hvilke niveauer der (beregnet) var i Danmark i 2012, og f.x. forskellen mellem land og by; årsgennemsnittet for PM2.5 lå på 5.3 – 11.9 μg/m3.

Det er et ganske egoistisk projekt jeg har gang i: jeg har ingen data for hvor stor partikelforureningen er udenfor huset, men kun inde i selve stuen. Der er en del kilder til partikelforurening som jeg kender til, eller har observeret:

  • Vi har et pillefyr, der står i nærheden, der også kører i den kolde tid
  • Vi bor i kort afstand fra en lettere befærdet vej
  • Madlavning, specielt med en gammel emhætte, kan bidrage betydeligt
  • Den generelle baggrundsvariation kan være betydelig

For at undersøge det har jeg opsat en partikel sensor (en Honeywell HPMA-1150S0) i stuen, ca. 3 m fra brændeovnen. Samtidig registrerer jeg brændeovnens temperatur, via en Aduro Smart Response sensor. Dette har jeg nu gjort i lidt over et år, og kan dermed lave en data analyse på et års data.

Til brug for analysen er der registreret PM10 og PM2.5 værdier, ifølge databladet i μg/m3. Sensoren skulle desuden være “fully calibrated”, og kunne køre i mindst 20.000 timer, så et års data burde man kunne stole på. Usikkerheden er dog angivet til +/- 15 μg/m3, eller +/-15% alt efter målingen; i praksis virker den dog til at være ret stabil i værdierne. Sensoren beregner PM10 værdier ud fra PM2.5 værdier, så jeg vil primært fokusere på analyse af PM2.5 værdierne. Data er optaget med et interval på 5 minutter, men med sensor læsninger ca. hvert 6 sekund der så er aggregeret ved gennemsnit (Der er brugt HPMA-1150S0 sensorens “auto-send”).

Sensoren opfanger partikler mindre end 2.5 μg med en laser.

Brændeovnens temperatur er målt som foreskrevet af Aduro Smart Response, dvs. i den øvre del af brændkammeret på vej mod røgrøret. Aduro sensoren sender data i ca. 4 timer. Jeg har defineret at brændeovnen er i brug, hvis temperaturen er registreret, dvs. afkøling også er talt med.

Data der er opsamlet er bl.a. PM10, PM2.5, brændeovnens temperatur, og strømforbrug på de 3 faser.

Vi bruger vores brændeovn en hel del i de kolde måneder. Faktisk helt op til halvdelen af tiden:

Det passer meget godt med at vi bruger brændeovnen næsten alt tid vi er hjemme, i de kolde måneder.

Vi tænder op efter forskrifterne og bedste evne; genindfyring sker typisk ved 175C eller 150C ved at lægge 2-3 stykker brænde ind, og åbne spjældet (der så ved Adurotronic lukker over ca. 6 minutter). Der er naturligvis stor variation i præcis hvornår der lige bliver genindfyret. Og en sjælden gang imellem glipper optændingen, og giver røg i stuen. Men generelt opleves fyringen som ganske uproblematisk.

Gennem året har jeg lavet lidt observationer, og min subjektive vurdering for partikelforureningen er ca.:

  • Der er normalt meget lille partikelforurening, 2-3 μg/m3
  • Ved god optænding stiger forureningen med 1-2 μg/m3
  • I nogle perioder er baggrundsforureningen højere, lige under 20 μg/m3
  • Ved uheldig opførsel stiger partikelforureningen drastisk – helt op til 900 μg/m3; det kan f.x. være ved dårlig optænding, eller ved madlavning.


PM2.5 koncentrationer, ifht. årets måneder.

Som det kan ses er der en del variation imellem månederne. Der er også en hel del outliers, der trækker gennemsnittet op, mens medianen for alle måneder ligger under 5 μg/m3.

PM2.5 koncentrationer, ifht. brændeovnens temperatur; røde cirkler angiver gennemsnit, rød linje angiver kubisk tendenslinje.

Mere interessant er det om partikelforureningen påvirkes af brændeovnens temperatur, og dermed dens brug. Det ser det bestemt ud til! Selvom median værdierne ikke stiger meget stiger specielt 3. kvartil. Gennemsnitsværdierne stiger også, helt op til 12.37 μg/mfor intervallet [250, 300). En tolkning af dette kunne være at der normalt (median) ikke er ret meget mere partikelforurening, men det sker hyppigere at der er store koncentrationer til stede.

Det bør noteres at der ikke er særlig mange målinger over 350C, som det kan ses af histogrammet for hvilke brændeovnstemperaturer der er registreret:


Der er et par fejlkilder i målingerne:

  • Der mangler en uges data i september, hvor en strømforsyning stod af mens vi var på ferie.
  • Partikelsensoren giver nogle meget højere målinger i et enkelt punkt, engang imellem. Checksummen fra sensoren ser ud til at passe, så hvad præcist problemet er ved jeg ikke. Jeg har først filtreret åbenlyst forkerte målinger (<0 eller >1000) fra i databehandlingen, men pga. gennemsnittet over de 5 min kan nogle åbenlyst forkerte målinger stadig være talt med.
  • Brændeovnssensor har nok manglet batteri en dag eller to, det kan jeg ikke helt huske.


Årligt gennemsnit5.44 μg/m3
– Årligt gennemsnit, brændeovn i brug9.28 μg/m3
– Årligt gennemsnit, brændeovn ikke i brug4.49 μg/m3

Alle værdier er under EU’s grænseværdi, på 25 μg/m3 PM2.5. Hvis vi antager at målingerne mens brændeovnen ikke er i brug er repræsentative for hele året, så har brændeovnen bidraget med 0.95 μg/m3 PM2.5 til års gennemsnittet.

Hvor farligt er det så?

Et studie fra 2013 af sammenhængen mellem partikelforurening og lungekræft fandt (eftersigende, jeg har ikke adgang til artiklen men kun til resuméet på at selv små stigninger i partikelforurening giver øget risiko for lungekræft.

For småkornet luftforurening [PM2.5] stiger risikoen for lungekræft med 18 procent per fem ekstra mikrogram svævestøv, men det resultat var ikke statistisk signifikant. Det var alle resultaterne for risikostigning under det tilladte niveau heller ikke. Små mængder forurening øger faren for kræft

Hvis vi antager at det resultat holder, og at virkningen er lineær, vil den øgede forurening på 0.95 μg/m3 PM2.5 øge risikoen for lungekræft med 3.42%.

Enkeltstående tilfælde

Et andet problem kunne være hvis enkeltstående tilfælde af høj luftforurening var specielt sundhedsskadeligt, som indikeret af at EU for PM10 også har en daglig grænseværdi (50 μg/m3), og et antal tilladte overskridelser per år (35). Der er 0 dage hvor den daglige PM10 grænseværdi har været overskredet. Jeg har alligevel analyseret de 35 dage med det højeste gennemsnit, og forsøgt at klassificere de årsager (primær og sekundære) til de høje værdier. Det har jeg gjort ved at kigge på brændeovnstemperaturen, strømforbruget, tidspunket på dagen, osv. Disse tal må derfor siges at være min subjektive vurdering.

Primær årsagSekundær årsag

De primære årsager til høje målinger ser ud til at være madlaving og baggrund, mens brændeovnen bidrager til halvdelen af de høje dagsgennemsnit.


Vores moderne brændeovn bidrager med 0.95 μg/m3 PM2.5 til års gennemsnittet, og øger dermed vores risiko for lungekræft med 3.42%. Hvis vi f.x. flyttede til en større by som København ville vi opleve en væsentlig højere forøgelse til måske 10 μg/m3, ifølge modelberegningen, hvilket ville øge risikoen for lungekræft med 16%.

Hvis man ser på PM2.5 koncentrationer ifht. brændeovnens temperatur, ser det ud til at brændeovnen for det meste (målt på medianen) ikke udleder ret mange partikler, men bidrager til at høje forureningskoncentrationer optræder oftere (som set på de øgede gennemsnitsværdier, og forøgede 3. kvartil).

Brændeovnen bidrager til 18 af de 35 højeste dagsmålinger, mens de primære årsager til høje dagsmålinger er madlavning og baggrundsforurening.