OH2 Z-Wave refactoring and testing... and SECURITY

Ok, yes, I know the issue, and unfortunately I don’t expect this to go away as nothing has changed. I can’t replicate the issue, and I’ve not had other thoughts from ZWave. I checked the source in some Sigmas docs that I have and I’m also reasonably confident that I’m doing things correct, so I’m not sure where to take this.

I am not either. The majority of my network is mains-powered. My OH2 server is on a UPS, so I shut off the mains power for the whole house to try to limit the amount of Z-Wave communication going on during the inclusion process. Same issue. Here’s a snippet from the log viewer. I am not sure I am reading it right, but it looks to me like the controller assigns an ID (101 in this case), advances to the security stage, sends SECURITY_SCHEME_GET, receives an ACK from the node, accepts it, then times out at 0ms saying there is no ACK? This then just repeats until it apparently times out and moves on.

No - this isn’t a timeout - it’s a response from the controller to say that the device did not respond. Also, don’t be fooled when it says 0ms - probably you have changed your log format and it’s now not compatible with the viewer so this is wrong.

Got it. Well, I will keep fiddling with it. Unfortunately not being able to resolve this and not having a workaround is a pretty big problem - I either need to figure this out, find a way to run Z-Wave in my home separate from OH2, or just move away from OH2, which is definitely not what I want to do.

I agree and I’d love to resolve it, but I can’t replicate it here and I’ve tried a couple of things that haven’t helped, and I spent quite a lot of money to get a Schlage lock that everyone had trouble with, and also the devkit, but so far, nothing has helped which is “slightly annoying” :wink:

I’m open to ideas…

1 Like

I have figured out a work around for this, at least when using the Aeon Z-Stick Gen5 (white). Maybe it does or does not give a clue to the root cause of the problem. Workaround for secure inclusion failing when a certain threshold of nodes exists in the network:

  1. Download Zensys Tools (link)
  2. Download Aeon Backup tool (link)
  3. Copy your network security key from Habmin
  4. Shut down OH2 and remove the Z-Stick
  5. Place the Z-Stick in a Windows PC
  6. Perform a backup of your Z-Stick following the directions in step 2
  7. Open the Zensys Tools, connect to your Z-Stick
  8. Highlight your Static Controller node (should be first in the list)
  9. Go to the Command Class tab on the right, select COMMAND_CLASS_SECURITY_V1 for the Command Class, NETWORK_KEY_SET for the Command Name
  10. Enter your key into the Network Key byte field, replacing the “00” with your key you copied from OH2
  11. To test, go find a working secure node and click the Node Info button. You should see all command classes and the log will indicate that the node was “added to the secure network”. So far, so good. If you don’t get “added to secure network”, then the query isn’t working and the following steps won’t do you any good.
  12. Click “Add node”
  13. Start the inclusion on the device you wish to add, ensure the device is within a few feet of the Z-stick. You should see an indication that this device was added to the secure network.
  14. Shut down the Zensys Tools, move the Z-stick back to OH2, move the device you just included to within a few feet of the Z-stick
  15. Start OH2 and go get a snack. Wait 20-30 minutes for the binding to settle down and you should see the new node you added in your Inbox, identified and waiting.
  16. Add the node to OH2 and validate that security is checked. Your device should now be working.

The only issue I am having is that the binding doesn’t seem to want to enumerate all of the channels. For the particular device I am using the only channel I need is exposed by default (Barrier State), and the controls work. I haven’t figured out how to get the binding to discover the remaining channels.

Tagging @shawnmix as this may be useful for your setup!


What is the device?

Linear GD00Z-3 - but keep in mind I had these same issues with Kwikset locks (a handful of models), so I am 99.9% sure this issue isn’t device specific.

So, to be clear, on all your devices you only have 1 channel? That is strange as I’m sure that this is not the case with most people (and not the case here that’s for sure).

If that is the same as the NGD00Z-4 that’s in the database, then there is only 1 channel so what you see is correct based on the database definition. It doesn’t look like the device supports a lot of functions so I’m not sure what you think is missing?

It actually shows up as a NGD00Z-4. I have two though - one I included via OH2 after my accidental hard reset, the other I just did. The one I did early on shows 17 channels:

Again, not a big deal. If there is only one channel, then maybe this solution works for other secure devices as well.

Someone added a lot of random channels to this device a while ago and it looks like they have been removed now. Your old device probably still has the old definition.

Clearly devices can have moe than one channel so this is fine.

Delete the Thing and then rediscover to remove those extra channels, which the device does not support. I went through the same confusion when I added my second one. You can find more details here on the history of that device, item definitions, and some example rules (I’m using lambdas now, so let me know if you’d like me to share them)…

Yep, fixed it! I wish there were a way to know when a Node needs that.

@nolan_garrett - thanks for the info on the ZenSys. I’d seen approaches like this before, and as I think you’ve indicated and realized - it’s a bit annoying to do just to get a secure inclusion. But at least it’s a workaround. The problem for me, I’m a Mac shop at home, so trying to get a portable device running windows is annoying. VM’s off the ESX server to run locally on a laptop, then fiddle with USB passthrough, gets a bit ugly! :wink:

I wish we could identify what is different about our setups though that is causing this issue that isn’t seen by @chris. He’s gone a lot of good work digging into the core of things, I just can’t help but feel like we’re all overlooking something minute. Is there some type of like a “full report” we can output somewhere or some way to see all the nitty gritty settings on the ZSticks or something?

I’d also agree with @nolan_garrett about the device updates. Maybe there is a way to auto-refresh the devices at some type of set interval? Perhaps a component to the binding that can force a refresh of the XML files? Perhaps its just something to be added in HABmin vs the binding? I’ve found this on occasion that I needed to manually delete and re-add to update XMLs in the past, and as you’ve seen Nolan - I had the same issue initially with the Garage controller that showed a ton of channels that were useless.

1 Like

Update: I’m actually going to explore this docker container for OpenZWave to securely include as a workaround. Theoretically, this should let me quickly/easily spin up an OpenZWave container to do this, then scrap it when done. My only worry is the lack of ability to backup my ZStick (windows only it seems from Aeon).

It’s pretty easy to get running. But, the startup command doesn’t work as shown.

docker run -p 8008:8008 --device /dev/ttyUSB0 openzwave-control-panel

To get it running, I needed to change it to this

docker run -p 8008:8008 --device /dev/ttyUSB0 openzwave/openzwave-control-panel

When I included my lock I just grabbed my older Pi that was running OH1.9, plugged the zstick in and did the secure include there. No problems with the 1.9 secure binding, and I have 66 devices and could not get it to include with this binding.

Quick question: Can I use newest (Octoberish/Novemberish) 2.2.0 binding (development snapshot from @chris post)with my standard distribution (raspbian) packaged openhab 2.1.0 ?

I’ll ofcourse uninstall default zwave binding from openhab 2.1.0. My question is about usage of current dev binding with older openhab 2.1.

I’m not sure. I suspect that there have been some changes to ESH since 2.1 was released that might stop it working. You can try - if it throws errors, then the answer is no :wink:

2.2 binding works with openhab 2.1 - at least logs looks normal.

However it didnt resolve my problem I’m trying to debug for half a day already:
I did clean install from scratch, openhab 2.1. I also did full reset (20 seconds button press) of my usb aeotec serial controller). But I can not include any devices (they worked more less ok few months ago). It’s only controller which is visible. even gets some frames, and logs dont show any problems. The only thing I notices suspicious is that in zwave debug log I see both node1 and node255 messages.

Just to be clear: this is not related with 2.2.0 development snapshot. I just tried it to be sure, but the very same problem is with stock openhab 2.1.0

Any clues/suggesstions?