diy solar

KNX home automation: is there a FOSS (Free and Open-Source Software) alternative to ETS?

solartist (New Member; joined Mar 19, 2023; 40 messages; England, United Kingdom)
As mentioned in my main thread, I am seeking a solar solution in England that does not require the use of proprietary (non-FOSS) software: not locally (smartphone app, etc) nor server-side ("cloud").

To minimise reliance on grid power, and to maximise backup battery run-times during grid power outages, I am researching ways to automatically monitor and reduce power consumption. I.e. I am researching "home automation".

This might encompass, for example: automatically extending or retracting shutters/shades/blinds/curtains in order to minimise solar heat gain in summer (reducing the need for active cooling) and to maximise solar gain and natural light in winter; switching lights & HVAC on/off based on room occupancy; etc.

FOSS wireless solutions are available based on Zigbee, Z-Wave, WiFi, or Bluetooth. However, for reliability and security, I prefer wired solutions instead of wireless. Among wired home automation approaches, KNX seems to be perhaps the most mature international standard.

Unfortunately, all the tutorials I have encountered indicate that initial configuration, and subsequent modifications, of KNX systems requires a piece of proprietary (non-FOSS) software called ETS. For me, this is an insurmountable obstacle to deploying KNX: I won't adopt a system that requires proprietary software.

My question is: is there a FOSS alternative to ETS for setting up KNX installations?

Thanks in advance!
 
I wasn't aware of KNX, so I learned something new. I think this is the answer to your question

Thanks. From that thread:

All data sent to the devices has to be cryptographically authenticated, that's why there's no open source/free/3rd party application. The crypto keys are proprietary.

If true, then this suggests KNX hardware modules are probably shipped with the public key from a "master" public-private key pair, and during configuration, they send an authentication challenge to ETS based on that public key. If so, then either:
  • ETS does not contain the "master" private key, but instead passes the challenge to a server that does contain it, and then relays the server's reply to the hardware module. I.e. ETS is just a dumb man-in-the-middle as far as the authentication goes. This seems unlikely, as it would require ETS to have a robust internet connection during usage - not a reasonable requirement given that installers might be working on new-build properties without internet coverage.
  • ETS does contain the "master" private key, in which case the situation is similar to DVD or Blu-Ray disc players. In other words, it might be possible for someone to recover the key and use it in FOSS.

It appears that there used to be a fully free (as in freedom, i.e. FOSS) alternative to ETS called KNXLive!. This was hosted at TU Wien (the Vienna University of Technology). Perhaps the introduction of encryption into KNX explains why KNXLive! is no longer maintained.

(KNXLive! is not the same as KNX Live, which seems to be a website operated by the KNX Association to train KNX installers.)

From the perspective of a prospective KNX user, this is highly discouraging. KNX is not easy to retrofit. For a whole-home installation, KNX cables are laid alongside mains cables to sockets, and are laid instead of mains cables to light switches.

So, either:
  • I need to get some cheap KNX hardware and see if I can make it work without ETS (resurrecting KNXLive! if necessary, though this would obviously not be trivial! Or finding another way), or
  • I need to forget about ETS.
I would much prefer to postpone that decision until after my retrofit is finished, but it looks like I will have to make it beforehand.

If anyone from the KNX Association reads this: please publish the keys, so that people who can't/won't use ETS can still use KNX!

Update: it looks like the Reddit commenter might not have been entirely correct. Home Assistant appears to support KNX without needing ETS:

The KNX integration supports IP Secure and Data Secure. You can configure the IP Secure credentials either manually or by providing a .knxkeys file, which you can obtain by exporting the keyring in ETS as seen in the screenshot below. Data Secure credentials are always sourced from a .knxkeys file. You can import or update the Keyring file from the integrations settings.

So, hopefully a manual IP Secure configuration as described above would let me set up KNX without ETS.
 
As mentioned in my main thread, I am seeking a solar solution in England that does not require the use of proprietary (non-FOSS) software: not locally (smartphone app, etc) nor server-side ("cloud").

Maybe I am missing something, but how is the software supposed to run when it isn't local or cloud based? Maybe I'm just unaware of the 3rd option...

I control my inverter using Node-RED on a Raspberry Pi sending Modbus commands. Pretty sure that would meet the needs for free software. I'm not sure if Node-RED meets your strict qualifications, but it works for me.

What is the use for KNX? Seems like it is used for wired comms/control, why not just go with wireless to the lights/switches/whatever?
 
Thanks. From that thread:



If true, then this suggests KNX hardware modules are probably shipped with the public key from a "master" public-private key pair, and during configuration, they send an authentication challenge to ETS based on that public key. If so, then either:
  • ETS does not contain the "master" private key, but instead passes the challenge to a server that does contain it, and then relays the server's reply to the hardware module. I.e. ETS is just a dumb man-in-the-middle as far as the authentication goes. This seems unlikely, as it would require ETS to have a robust internet connection during usage - not a reasonable requirement given that installers might be working on new-build properties without internet coverage.
  • ETS does contain the "master" private key, in which case the situation is similar to DVD or Blu-Ray disc players. In other words, it might be possible for someone to recover the key and use it in FOSS.

It appears that there used to be a fully free (as in freedom, i.e. FOSS) alternative to ETS called KNXLive!. This was hosted at TU Wien (the Vienna University of Technology). Perhaps the introduction of encryption into KNX explains why KNXLive! is no longer maintained.

(KNXLive! is not the same as KNX Live, which seems to be a website operated by the KNX Association to train KNX installers.)

From the perspective of a prospective KNX user, this is highly discouraging. KNX is not easy to retrofit. For a whole-home installation, KNX cables are laid alongside mains cables to sockets, and are laid instead of mains cables to light switches.

So, either I need to get some cheap KNX hardware and see if I can make it work without ETS (resurrecting KNXLive! if necessary, though this would obviously not be trivial!), or I need to forget about ETS. I would much prefer to postpone that decision until after my retrofit is finished, but it looks like I will have to make it beforehand.

If anyone from the KNX Association reads this: please publish the keys, so that people who can't/won't use ETS can still use KNX!
I have no experience with KNX, so I can't comment on how they implemented security, but I do have experience in cryptography so I want to comment on your statement about the private key. A solid security implementation would work the same way as SSL/TLS, where only the certificate signer has the private key and that is protected under lock and key and only used to sign certificates. End user devices would contain the public part of the key that is used to validate the certificate. While I'm not considering their implementation, technically they can have a system that they are able to lock out any component that doesn't have a key signed by the KNX organization.
But that doesn't mean that they are against FOSS, it is just their trust model.
 
Maybe I am missing something, but how is the software supposed to run when it isn't local or cloud based?

;) Ah, what you're missing is this:

  • I was not saying software should neither run locally nor on the cloud.
  • I was saying that software involved - if any - should be FOSS, irrespective of whether it runs locally or on a server.

Sorry if that wasn't as clear as I intended it to be!

Maybe I'm just unaware of the 3rd option...
The third option would be to have no software involved - either just traditional hard-wired logic/switching, or that plus firmware (as opp. software).

I control my inverter using Node-RED on a Raspberry Pi sending Modbus commands. Pretty sure that would meet the needs for free software. I'm not sure if Node-RED meets your strict qualifications, but it works for me.
Node-RED is published under the Apache 2.0 license, so is indeed FOSS. And yes, any inverter I get would have to be controllable using FOSS, e.g. over Modbus as in your case.

Which inverter do you use, BTW?

What is the use for KNX? Seems like it is used for wired comms/control, why not just go with wireless to the lights/switches/whatever?
See my post at the top of this thread (y)
 
I have no experience with KNX, so I can't comment on how they implemented security, but I do have experience in cryptography so I want to comment on your statement about the private key. A solid security implementation would [mean] only the certificate signer has the private key and that is protected under lock and key and only used to sign certificates. End user devices would contain the public part of the key that is used to validate the certificate.
Yes, exactly as I described here :cool:

While I'm not considering their implementation, technically they can have a system that they are able to lock out any component that doesn't have a key signed by the KNX organization.
Maybe. I'm not sure that's their aim, though.

I would think their aim would be to avoid a situation in which an attacker can simply put a malicious device on a KNX bus and thereby take control of other devices on the bus.

If I'm right about this, then the private key should be under the control of the installer or the homeowner, not under the control of the KNX Association.

But that doesn't mean that they are against FOSS, it is just their trust model.
Maybe. We're really just speculating, at the moment. I aim to update the thread if I unearth any authoritative information on this.
 
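The trust model debated in the two posts above, as an added example that is not from the thread or from any KNX software: an Ed25519 certificate check in Node.js showing that admitting a device needs only the trust anchor's public key, while issuing a certificate needs its private key. The vendor and installer roles, the serial numbers and every function name are assumptions for illustration, and nothing here describes how KNX Secure or ETS actually works.

```javascript
// Added illustration. All names here are hypothetical; none are KNX or ETS APIs.
const crypto = require('crypto');

const newKeyPair = () => crypto.generateKeyPairSync('ed25519');

// The signed statement: "this serial number owns this public key".
function certBody(serial, publicKey) {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return Buffer.concat([Buffer.from(serial + '\0', 'utf8'), spki]);
}

// Issuing requires the trust anchor's PRIVATE key.
function issueCert(anchorPrivateKey, serial, devicePublicKey) {
  const signature = crypto.sign(null, certBody(serial, devicePublicKey), anchorPrivateKey);
  return { serial, publicKey: devicePublicKey, signature };
}

// Admission requires only the anchor's PUBLIC key, plus a fresh challenge so
// that a copied certificate is useless without the matching device key.
// Both sides of the exchange are simulated inside this one function.
function admit(anchorPublicKey, cert, devicePrivateKey) {
  const body = certBody(cert.serial, cert.publicKey);
  if (!crypto.verify(null, body, anchorPublicKey, cert.signature)) return false;
  const challenge = crypto.randomBytes(32);
  const response = crypto.sign(null, challenge, devicePrivateKey);
  return crypto.verify(null, challenge, cert.publicKey, response);
}

function demo() {
  const vendor = newKeyPair();     // anchor held by a central organisation
  const installer = newKeyPair();  // anchor generated on site by the owner
  const actuator = newKeyPair();   // shipped device
  const diyNode = newKeyPair();    // home-built device
  const rogue = newKeyPair();      // device plugged in by an attacker

  const vendorCert = issueCert(vendor.privateKey, 'ACT-0001', actuator.publicKey);
  const selfSigned = issueCert(diyNode.privateKey, 'DIY-0001', diyNode.publicKey);
  const ownerCert = issueCert(installer.privateKey, 'DIY-0001', diyNode.publicKey);

  return {
    vendorAnchorAdmitsShippedDevice: admit(vendor.publicKey, vendorCert, actuator.privateKey),
    vendorAnchorAdmitsSelfSigned: admit(vendor.publicKey, selfSigned, diyNode.privateKey),
    installerAnchorAdmitsDiyNode: admit(installer.publicKey, ownerCert, diyNode.privateKey),
    installerAnchorAdmitsRogueWithCopiedCert: admit(installer.publicKey, ownerCert, rogue.privateKey),
  };
}

console.log(demo());
```

The verification code is identical in both cases; the only thing that changes between the vendor-anchored and installer-anchored bus is whose public key the devices carry.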
would think their aim would be to avoid a situation in which an attacker can simply put a malicious device on a KNX bus and thereby take control of other devices on the bus.
If I'm right about this, then the private key should be under the control of the installer or the homeowner, not under the control of the KNX Association. ... We're really just speculating, at the moment. I aim to update the thread if I unearth any authoritative information on this.

After some further digging, I found Security Analysis of the KNXnet/IP Secure Protocol, the master's thesis of Robert Gützkow of the Humboldt University of Berlin. AFAICT, it was published just last year, so should be quite up to date.

Looking forward to reading it!
 
;) Ah, what you're missing is this:

  • I was not saying software should neither run locally nor on the cloud.
  • I was saying that software involved - if any - should be FOSS, irrespective of whether it runs locally or on a server.

Sorry if that wasn't as clear as I intended it to be!


The third option would be to have no software involved - either just traditional hard-wired logic/switching, or that plus firmware (as opp. software).
Now it seems obvious, thanks.
Node-RED is published under the Apache 2.0 license, so is indeed FOSS. And yes, any inverter I get would have to be controllable using FOSS, e.g. over Modbus as in your case.

Which inverter do you use, BTW?
I have a Schneider XW pro 6848. It is a battery inverter/charger only. In Europe (single phase, not split phase like the US) it gets a slightly different numbering/naming system. I believe it is the XW 8548, very similar capabilities but single phase.
I have a separate AC grid tied inverter and DC charge controller.
See my post at the top of this thread (y)
Yeah, I tried that. Maybe I just didn't see the executive summary. Can I get a quick eli5?
 
Maybe I just didn't see the executive summary. Can I get a quick eli5?
Relevant excerpt:
To minimise reliance on grid power, and to maximise backup battery run-times during grid power outages, I am researching ways to automatically monitor and reduce power consumption. I.e. I am researching "home automation".

This might encompass, for example: automatically extending or retracting shutters/shades/blinds/curtains in order to minimise solar heat gain in summer (reducing the need for active cooling) and to maximise solar gain and natural light in winter; switching lights & HVAC on/off based on room occupancy; etc.

FOSS wireless solutions are available based on Zigbee, Z-Wave, WiFi, or Bluetooth. However, for reliability and security, I prefer wired solutions instead of wireless. Among wired home automation approaches, KNX seems to be the standard.
 
Relevant excerpt:
However, for reliability and security, I prefer wired solutions instead of wireless. Among wired home automation approaches, KNX seems to be the standard
Got it! Sorry, I'd just use Modbus over IP, simply because I'm familiar with it, not sure on the security front what is possible.

As you mentioned ZigBee and similar products are commonly available for common things like light switches, wifi relays that you can adopt into Home Assistant.

If you were fine with wireless, seems like Home Assistant would be an easy decision for you. But now I more fully understand the problem, you're looking for a secure, open source, Home Automation wired standard.

I don't have any ideas there. My question is, what products would you control? Are you going to build all your wired smart blinds?

Most every product that I have seen, from blinds, lights, temperature sensors, and smart load centers, are all some sort of wireless.

It feels sort of like you might find your standard, but have no products available to deploy.
 
Got it! Sorry, I'd just use Modbus over IP
That's an interesting suggestion, thank you. I'll definitely consider it (y)

now I more fully understand the problem, you're looking for a secure, open source, Home Automation wired standard. I don't have any ideas there. My question is, what products would you control? Are you going to build all your wired smart blinds?
I'm not sure yet which products I would control or monitor (the possibilities are endless), but in addition to the examples I gave, these are the sorts of things I'm thinking of:
  • Monitoring:
    • Current/power draw for each mains socket individually. (eMonPi or similar would be great for monitoring each circuit coming off the consumer unit, but doesn't seem to be built for monitoring each individual socket.)
    • Temperature, humidity, CO2 & particulate levels in each room.
    • Radon/radiation levels.
    • Ambient light levels - internal and external.
    • Weather: precipitation, wind speed, air temperature, air pressure, maybe ground soil temperature.
    • Water usage.
    • Possibly burglar detection using various intruder/presence/breakage sensors.
    • CCTV.
  • Controlling:
    • Mains sockets - especially to reduce power consumption during grid power cuts, or if one or more among several parallel inverters fails.
    • Alarms.
    • Alerts/notifications.
    • Home audio.
    • Intercom.
    • Garden irrigation.

Many manufacturers make KNX hardware sensors or actuators for tasks like these, and there also seem to be FOSS libraries available for DIY projects.

It appears that there used to be a fully free (as in freedom, i.e. FOSS) alternative to ETS called KNXLive!. This was hosted at TU Wien (the Vienna University of Technology). Perhaps the introduction of encryption into KNX explains why KNXLive! is no longer maintained.

It turns out that parts of KNXLive! have been maintained and extended, especially the Calimero Project. Between that, and Home Assistant, and some other FOSS repos on GitHub and elsewhere, a FOSS KNX implementation is looking more viable.
 
KNX is still popular in certain European circles but it's making no inroads globally. BACnet is still riding high after beating LON to death and should be the default open protocol to consider.

Obviously Modbus is a very real option too. But you generally need a computer to tie it all together as the master in Modbus. In BACnet most controllers are themselves masters so they don't need a central computer pulling their strings.
 