Good to find others struggling with the same challenge as me :).
I have spent a lot of time on this. MitM attacks on the Danfoss controller and Danfoss App. I have tried to decompile the Android Danfoss App. I have downloaded the controller firmware and tried to take it apart. The controller communicates with an API hosted by Trifork, the same goes for the Danfoss App. The api is served on port 443 and uses ssl. However I am unable to even connect with it with openssl. Some strange ec curve issue. When I took the Android app apart, I found a file called brainpoolP320r1-curve.pem which contains EC PARAMETERS - probably needed to connect.
I have tried to get the app and controller to communicate with my fake API which also is served with a fake Trifork CA. However nginx is unable to use the brainpool curves, even though openssl supports them. Apache can serve using some brainpool-curves, but not the P320r1 - in my first try. Right now I have given up on the API.
So trying z-wave. I bought this z-wave sniffer https://www.suphammer.net/product/suphacap and am now able to see the traffic to/from my thermostats and the controller. I have reversed part of the protocol and can now see temperature per thermostat and if it’s heating or not.
I am now not certain if I really want to take over control of my thermostats, as I am sure Danfoss does a much better job at this than I can. So maybe monitoring the state is enough?
z-wave example - my thermostat 2 says to the controller, that it is at 19,97 degrees:
0x00021028120C054720202021030020102011030F031703280318032F0330057F0800049D013700004901C06599DA
and my controller says to the thermostat, go to 24,22 degrees:
0x0002100A0D0D0001000409761C9A655E
Has anyone made better progress on this than me?