Attacking My Landlord's Boiler
63 comments
April 22, 2025
rsynnott
Some risk of collateral damage in the form of randomly controlling other people's boilers if your transmitter turns out to be more powerful than the one in the thermostat, tho...
Also, what happened to the promised encryption from the spec?!
sz4kerto
We've moved to a new apartment (house) and we had to do a full renovation. It doesn't have modern insulation and I calculated that for the time being the ROI on insulation isn't worth it. It's a multi-floor semi-detached house and I wanted the best comfort and the most economical heating possible.
In particular: stable and individually adjustable temperatures for bedrooms and living rooms; underfloor heating in some rooms (bedrooms), radiator-based heating in some others (living room), and combined UFH+radiators in some others (where UFH might not be enough during extreme colds).
I thought I can just pay someone some money and they'll set up the controls for me. It must be a simple exercise, right?
I could not have been more wrong. After spending a few hours of understanding the setups that "experts" have recommended, I figured out edge cases where they would be either wasteful or uncomfortable (meaning: unnecessary and unavoidable temperature overshoots or undershoots, etc.). I had many-many rounds with Honeywell, Tado, Siemens, etc. and every single one of them had _major_ issues.
The renovation got a bit stuck because of this, but the plumbing was ready so I wanted to see whether the plumbing and pumps are working, at least. So I connected the pumps and valves to "smart plugs", i.e. Zigbee-controlled plugs, so that I can see that they turn on. They did, which got me thinking...
Right now I have $20 Zigbee temp sensors sprinkled across the house, $30 smart plugs and relays driving valves, pumps and the boiler, and Home Assistant is controlling the whole thing. Everything works perfectly and I could implement some features that simply no system would have done out of the box, for example in rooms where there's combined UFH and radiators I can drive both heating systems when the target temperature is far from the desired (so that the room heats up quickly) but as the room temp is getting closer to the target, the radiators are turned off so that UFH dominates heating (more comfortable and more energy efficient than radiators). In rooms with radiators, temp is +- 0.4 C within target, in rooms with UFH, it's +-0.1C within target.
sokoloff
> I also have it so the heating turns off when I go into town and turns back on when I'm just a few train stops away so my place is nice and toasty for me getting home!
If your goal is saving energy/money, you don’t want a system capable of going from cool to toasty in 20 minutes.
Instead, you want a system that runs (much) lower water circulation temperatures (giving lower losses in the unconditioned spaces and more even room heating). That can be done to any condensing boiler by just turning down the flow target temperature.
A second layer of optimization on top of this is the addition of outdoor reset/weather compensation which will adjust that flow temperature based on the outside temperature, giving a flow temperature that can just barely restore the building to the desired setpoint temp.
With mine properly tuned, I was targeting having the thermostat act more like a high-limit and for it to call for heat between 22 and 24 hours per day while not overheating the house. That often meant flow temps in the 110°F (warm day) to 135°F (below freezing day) range. Compared to the prior winter (at a constant 160°F flow), the house used 8-15% less gas and was wildly more comfortable. (This setup does preclude using deep setback settings, which also can save money, because recovery times are necessarily long in such a scheme, unless you have an even smarter control system that can run perfectly tuned water most times but hotter water during recovery from setbacks.)
sz4kerto
> If your goal is saving energy/money, you don’t want a system capable of going from cool to toasty in 20 minutes.
Depends. As explained in a sibling comment, I have some rooms that have combined UFH and radiators, and if the desired temp is more than 1 Celsius away from the current temp, then both are driven, otherwise it's just the UFH.
Retric
That’s an artifact of how heating is set up inside your home. Which is more efficient depends on where you’re dumping heat inside the home, levels of insulation, etc.
Energy moves from hot to cold linearly with temperature differences. Hypothetically, if the pipe was the same temperatures as the inside of your home all the heat transferred would be outside the envelope. The hotter the pipe the better this ratio becomes. This is true regardless of what percentage of the pipe is inside the envelope.
However, when heating along the exterior of the home under windows and such, you’ll heat the exterior walls to higher temperatures than the interior thermostat, thus losing more heat to the outside. Radiant heating on the other hand largely avoids this effect.
frereubu
I've read that it's always more efficient to turn heating off when you're not home and then turn it back on when you return. Is the reason for it being on 22-24 hours here that it takes a very long time to get back to the desired temperature, meaning you'd actually be cold for quite a while as it returned to the desired temperature?
sokoloff
I work entirely remote so, other than travel, there are not many long periods when the house is unoccupied.
I target the long run time to maximize efficiency. A 160°F pipe will lose more heat to the part of the building that I don’t want to heat as well as more heat to the wall right behind the radiators. It also results in the house going micro too-hot, too-cold, too-hot, too-cold as it cycles. Mine is constantly trickling in just enough heat to replace the heat lost instead of cycling between adding way more than needed then none for a while.
Another large effect is that low return water temperatures into the boiler allow for greater condensation of exhaust gas energy to be used in the building instead of sent outside. Walking by my house on a cold day, you’ll see minimal steam plume during operation. All that steam I see my neighbors emitting is energy they paid for and delivered to the outside… (They paid a lot for a boiler with a 95% or 98% sticker and run it at 80% efficiency.)
https://kw-engineering.com/how-to-optimize-condensing-boiler...
Retric
> A 160°F pipe will lose more heat to the part of the building that I don’t want to heat as well as more heat to the wall right behind the radiators.
You’ve got the first part of that backwards, it’s the walls that are your problem.
smelendez
I wonder what the ideal one-size fits all thermostat looks like.
The one in my apartment has a “feature” a lot of US thermostats now have, where you set four ordered times called wake, leave, return, and sleep and the temperature you want the space in each interval. I know very few people who actually live in a household where everyone wakes, leaves, returns, and sleeps on the same schedule every day.
I work from home and personally just want to set a temperature and have the space stay at that temperature indefinitely but this system requires that I tap through and enter the desired temperature four times, while confirming the four intervals.
I guess I’d be happier with a more programmable thermostat that I could set to behave like an old school dial thermostat.
Cthulhu_
I'm still of the opinion that a dial works best. Especially in modern homes (in Europe at least), there seems to be a school of thought that you should just leave your thermostat at the same temperature at all times - the theory being that warming up a cold house in the morning costs more energy than maintaining a stable temperature.
Anyway, my ideal setup would be to install 'smart' thermostat taps on every radiator in the house, either manually turn them down when you're not in the room or have them automatically detect activity or open windows and adjust accordingly. But each one has the authority to trigger the central boiler if needs be, instead of only the master thermostat in the living room.
tgsovlerkhgsel
> the theory being that warming up a cold house in the morning costs more energy than maintaining a stable temperature
This is only true if the heating happens quickly and the system is less efficient when heating quickly. Otherwise, this doesn't make sense from a physics standpoint. A temporarily lower temperature differential means less kWh of heat lost.
KineticLensman
(UK) my boiler has a control with something like the wake..leave timer (it actually has six settings for a midday period as well) and there is a separate thermostat with a temperature dial. The boiler also has a button that advances it to the next time interval if you want instant on (eg if you come home early to a cold house). I find this combo of controls meets all of my needs, given that I have a fairly repeatable daily schedule.
vladms
I think in real life there are more constraints. For example there are people that sleep better at a lower temperature than the daily one (so leaving the thermostat at the same temperature is a minus for them).
Regarding "what is better" from energy efficiency, I would prefer a system that "check it" because my guess is that it depends a lot based on the individual situation. I mean everybody is going crazy over "IA" but a couple of sensors and a system smart enough to adjust your usage based on your particular situation and preferences (like "eco", etc.) is an exception.
alistairSH
In slightly cooler climates, the answer for sleep is to open windows. This works in much of Europe, even through summer.
But of course, not really feasible in Atlanta or Phoenix. Nighttime temps are too warm.
wickedsight
> the theory being that warming up a cold house in the morning costs more energy than maintaining a stable temperature
I've heard this theory a lot too, but it doesn't match with physics. A warm house loses more energy than a cold house, due to a higher temperature difference allowing easier heat transfer. So in most homes, with radiators and high temperature CV, it's way more efficient to just turn it off when you're gone.
One exception is when you have a very well insulated house, combined with floor heating and a very efficient, low temperature heat pump. In this case, it takes a lot of time for temperature to move in the house and it's already incredibly efficient.
sz4kerto
It does match physics if you consider other factors. Apart from the heat pump scenario, this statement can also be true when you have condensing boilers (and okay-ish insulation)
The reasoning: when you heat up the house, then your boiler needs to produce constant high-temperature water. When you keep the house at the same temperature, then the boiler produces much lower temp water and it is more efficient.
Insulation also matters because if your house has outer insulation then it means that heat transfer from the house to the environment is mostly blocked, but cross-room heat transfer is likely not (through the walls). Therefore it is better to heat the whole house than heating just a couple of rooms because if you do the latter then you'll end up heating the whole house anyway but you're using less surface area (meaning you need higher flow temperatures, meaning less efficiency).
miunau
We've used the Tado system with a central boiler and smart radiator knobs for a few years. It's worked fine and hooks up to Home Assistant and can do the things you describe. I'm sure there are some alternatives.
bob1029
> I wonder what the ideal one-size fits all thermostat looks like
https://www.honeywellhome.com/us/en/products/air/thermostats...
tgsovlerkhgsel
The obvious solution is a "wake time" of 8 am, "leave time" of 8:01, "return" 8:02, "sleep" 8:03. Then just set the sleep temperature to your desired temp and the remaining ones to something reasonably close, or if it doesn't automatically switch between heating and air conditioning, set it for the no-op for the season (i.e. the highest possible temp in summer, and the lowest possible in winter) for those three minutes.
Freak_NL
Isn't this pretty much what these thermostats already allow? I have a new Honeywell Thermostat which basically does what the twenty years old one it replaced does with a few added conveniences in terms of UI. It has those wake/leave/return/sleep instants for each weekday (but also adds an optional second leave/return pair), and it has an option to override the day programme to 'holiday', which is essentially an eighth programmable weekday you can activate at any time.
Your use case is possible with that. Just set the standard program to 15°C, and activate the holiday set to whatever you need whenever you want. Configure it to go to 15°C at some sensible time in the evening, so it won't go on even if you forget it.
ThePowerOfFuet
> I wonder what the ideal one-size fits all thermostat looks like.
As you go on to describe, there probably isn't one.
xattt
My wife and I worked a six-week shift work schedule for a long time. We got second-gen nest thermostats when they first came out (2012) thinking they were neat.
Nope! The smart learning feature was the biggest pain in the ass. You’d be sleeping during the day for a night shift, only to find yourself freezing because it decided no one was home.
willvarfar
I guess your toolbox really shapes your solution space thinking; as I read through this, being completely lost in the whole world of RF whatnot, my mind jumped straight to an alternative attack that better fit my own tooling: could you encase the thermostat in a box that you can mechanically control the temperature of?
haileys
I removed the thermistor from inside my wall controller and wired in a digital pot instead. Achieves the same thing without physically heating and cooling the sensor
avidiax
This sounds good, except that cooling a box is problematic. He needs the temperature sensor to read low so that it turns on the heat.
That said, if he has access to the interior of the thermostat, I'm sure it won't be difficult to replace the temperature sensor with a circuit to cause it to read either really high or really low on demand.
dtech
For such a minor use case a Peltier element is suitable. Very energy inefficient but you don't need much and it can both heat and cool.
willvarfar
I was literally imagining duck-taping one of those cheap electric "instant cooling" cups over the box on the wall, and running a small incandescent bulb in to be the heating up element.
toast0
> This sounds good, except that cooling a box is problematic. He needs the temperature sensor to read low so that it turns on the heat.
Ice pack and desiccant?
kbuck
Or attach an ESP32 to the boiler's control board that closes a dry contact circuit...?
unsnap_biceps
That was my first thought on how I would approach it as well.
mschuster91
The problem is, if your landlord ever comes around for inspection, or the bloody thing breaks down due to your installation attempt, you can be held liable up to and including getting evicted.
nippoo
Yes! You can indeed do exactly this. Look up CoolBot - they do exactly this, by just heating up the existing thermostat
mjlee
Or, assuming they have physical access to the combi boiler, removing the receiver unit and replacing it with a more Home Assistant friendly combi boiler thermostat.
Probably a 30 minute job if you’ve never done it before and easily reversible with a little bit of double sided sticky tape, which all Brits should be familiar with if they ever made a Tracy Island. There is a real risk of electrocution which could be completely militated against by turning off the power to the boiler.
Still, a fun hack, and nicely executed!
anal_reactor
I've heard a story of people renting an apartment with locked thermostat to the legally allowed minimum. Tenants would put ice on the thermostat
Gazoche
I heard that was a well-known trick at my old uni dorm. There was a single thermostat for the whole floor so once people figured out where the sensor was, the ones who lived closest to it would often leave packs of frozen food on it.
thomashabets2
If you do want to decode it, it's probably not that hard. I was going to implement the transmission side when I did this, but then I moved.
buccal
Cool project.
Speaking of newish natural gas (CH4) heaters, they all should have modulating thermostat capability with OpenTherm/eBus or other protocol. Combined with a thermostat with outdoor temperature sensor system efficiency is increased a few percent and that should help offset thermostat and installation costs. In the end you have more efficient modern heating system.
Same should apply for heat pump systems.
steelegbr
OpenTherm is a cool idea but even new installations aren't always wired for it. When installing a new smart thermostat I found the installation has been wired as S Plan with the few cables running between the boiler location and valves location already consumed. Makes the job much bigger if you're not prepared for it.
yurishimo
If OP ever shows up here, you probably could have just replaced the thermostat with one that is compatible with your boiler for less money and headache. The boiler market is fairly open to competition as evidenced by the fact that you could find a Honeywell signal in a random OSS project that also worked.
Good luck with your future apartment customizations!
glitchcrab
I think you missed where it was explained that the apartment is rented and therefore you cannot modify anything.
odiroot
Replacing a thermostat is very easy to do though. And very easy to revert too.
Usually it's just acting as a simple relay (on-off switch) so there's two physical wires.
I've got my Hive thermostat running great with various Bosch and Vaillant boilers. And it works great with HA.
Some newer boilers have 12V "smart" controls but still expose 230V "dumb" call for heating pins.
glitchcrab
Agreed (I set up our dual zone Nest-controlled heating so I know it's not difficult), but what happens if the landlord visits and isn't happy with you having done this? It would be a pain to have to revert this if you knew the landlord was coming.
mschuster91
> Usually it's just acting as a simple relay (on-off switch) so there's two physical wires.
Vaillant has a proportional signal as well, and that thing in my old home was 30 years old... [1]
[1] https://www.mikrocontroller.net/topic/126250?page=single
Griffinsauce
Cannot modify irreversibly though right? Something like a Nest or whatever is easy to return to the original state when you leave.
YakBizzarro
Funny how the manufacturer proudly claims that the protocol is encrypted, but completely forgets to mitigate replay attacks, thus making the encryption completely useless
kleiba
Which raises the question whether the OP now unknowingly also controls the heater in the apartment next to his...
mattigames
And so the heat-stroke-killer was born, offing his victims with rapid changes between coldest and hottest setting, natural death has never been this human-made.
globular-toast
Ah yes, the classic problem of people using crypto primitives without fully understanding the problems they're trying to solve. Anyone even remotely interested should look into a full protocol like TLS or PGP to see how many primitives like block ciphers, hashes, etc. are involved and why.
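Added example (not part of the thread and not the thermostat's actual protocol): the replay point raised in YakBizzarro's and globular-toast's comments above, shown from the receiver's side. A keyed but stateless frame verifies every time it is re-sent, while a frame that binds a monotonic counter into the MAC is accepted only once. The key, frame layout, 8-byte tag and counter window are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample key, not from any device
TAG_LEN = 8                     # assumed truncated MAC length for a short RF frame
MAX_SKIP = 64                   # assumed tolerance for frames the receiver missed


def _tag(data: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the frame body."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:TAG_LEN]


def static_frame(command: bytes) -> bytes:
    """Keyed but stateless: the same command always produces the same bytes."""
    return command + _tag(command)


def static_receiver_accepts(frame: bytes) -> bool:
    """Checks the key only; has no notion of whether the frame is fresh."""
    command, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(tag, _tag(command))


def counter_frame(command: bytes, counter: int) -> bytes:
    """Binds a 32-bit counter into the authenticated body."""
    body = struct.pack(">I", counter) + command
    return body + _tag(body)


class CounterReceiver:
    """Accepts a frame only if its MAC is valid and its counter moves forward."""

    def __init__(self) -> None:
        self.last = 0

    def accepts(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(body)):
            return False                      # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if not (self.last < counter <= self.last + MAX_SKIP):
            return False                      # replayed, stale, or implausible jump
        self.last = counter                   # advance state only after all checks
        return True


def demo():
    """Present the same captured frame twice to each receiver."""
    captured = static_frame(b"HEAT_ON")
    static_results = [static_receiver_accepts(captured) for _ in range(2)]
    rx = CounterReceiver()
    fresh = counter_frame(b"HEAT_ON", 1)
    counter_results = [rx.accepts(fresh), rx.accepts(fresh)]
    return static_results, counter_results


if __name__ == "__main__":
    print(demo())
```

In a real device the counter on both sides has to survive power loss, otherwise a reboot reopens the replay window.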
alistairSH
Is this a non-standard thermostat control mechanism? I don’t know what’s common in apartments. All my houses have the thermostat wired to the HVAC (and are easily replaceable by the resident).
solarist
One doesn’t actually need any extra hardware for this… just 8cm of wire and this https://github.com/F5OEO/rpitx
(use at your own risk of course)
LeonM
From the linked repo:
> rpitx is a general radio frequency transmitter for Raspberry Pi which doesn't require any other hardware unless filter to avoid interference. It can handle frequencies from 5 KHz up to 1500 MHz.
Wait, how does that work?
1.5GHz is a _lot_, I can't imagine this is done with bit-banging an I/O line, nor do I expect the Pi will have a DAC with anything close to a 3GHz+ sample rate.
> Plug a wire on GPIO 4, means Pin 7 of the GPIO header (header P1). This acts as the antenna.
A bit of Googling shows me that on the later Pi board GPIO4 (pin 7) has a bunch of alternative modes, amongst which is a general purpose clock output (GPCLK0), a DPI output bit (DPI_D0) and what I reckon is composite analog video in/out (AVEOUT_VID0, AVEIN_VID0), and the TDI JTAG pin. But none of these would get close to 1.5GHz TRX capabilities, no?
What's the magic here?
solarist
RF is basically black magic but here it’s the harmonics of lower frequencies that are in GHz range (and very noisy and weak)
The Flipper Zero is great, and could handle all of this by installing custom firmware.
The original product understandably arrives with heavily-restricted firmware (I imagine to reduce the amount of flak the company receives). However, it is incredibly easy to install Flipper Unleashed or similar, which removes all said restrictions and adds a lot of additional functionality.
Possessing the tools that could be used to commit a crime is not necessarily a crime in and of itself! Just be careful with what you do or, depending on what country you’re in, you might find some men in suits knocking at your door.
Personally, I wanted to replay “encrypted” 433MHz signals for my own devices (electric gate, roller door, roller shutters, …) and this was disabled with the Flipper’s region set to Australia.