KRKeegan

The following are some notes I gathered while investigating the technical possibilities of the Insteon Hub2.

Starting Nmap 6.40 ( http://nmap.org )
Nmap scan report for 192.168.XXX.XXX
Host is up (0.00058s latency).
Not shown: 65535 open|filtered ports, 65531 filtered ports
PORT STATE SERVICE
23/tcp open telnet
443/tcp open https
992/tcp open telnets
25105/tcp open unknown
MAC Address: 00:0E:XX:XX:XX:XX (Smarthome)

Nmap done: 1 IP address (1 host up) scanned in 2306.43 seconds

I can connect to both telnet ports, but all I get is a blank screen that doesn’t seem to respond to any commands.  It also doesn’t seem to broadcast the buffer contents.

After a lot of futzing, I was able to connect to the https 443 port.  It uses the deprecated RC4-MD5 cipher and a self-signed certificate.  You will also need to use Basic Auth and the username and password.  Once in, the webpage looked identical to the one described below, I was unable to determine any other benefits of this port.

The 25105 port is configurable.  It is a basic http port that requires Basic Auth using the username and password printed on the bottom of your hub.  The default webpage is very basic, with a link to http://connect.insteon.com and the product manual and support pages.

There is some rudimentary available at this port.  It is rather crudely documents (as is Insteon’s style) here: http://cache.insteon.com/developer/2242-222dev-062013-en.pdf.  See pages 6-10.  Note that this document is actually for the Hub1, I have yet to find any developer notes for the Hub2.

The buffstatus.xml page provides access to the incoming messages for the Hub2.  Of note, the Hub2 has a 200 character buffer not the 100 listed for the 2242-222.  Also, undocumented is the final two characters of the buffer.  These turn out to be a hexadecimal representation of the last position written to.  Essentially, the incoming messages are written left to right and when the 200th position is reached it goes back to 1.  The characters are never cleared (unless you call a special command to do so) but are merely overwritten.

It is possible to poll the Hub2 about twice a second and to use the buffer to see all of the messages received by the Hub2.  This seems to work rather reliably, and the constant polling doesn’t seem to upset the device.

I am not aware of a way to see outgoing messages.

The interface also allows for sending of some messages.  See the http://xxx.xxx.xxx.xxx:25105/3?YYYYY=I=3 documentation in the above pdf.  This seems to provide an interface to communicate with devices from the hub.   However, as of yet, I am not able to communicate much if at all with the hub using this interface.  As a result, I am unable to scan the hub’s link table.  Update: Figured it out.  So far all of the common PLM commands seem to work with the 3?<CMD STR>=I=3 style message.  But, anytime a 3?<CMD STR>=I=3 style message is sent, the buffer is zeroed out and the buffer position is reset to 00.

Finally, I took a TCPDump of the Hub2.  Best I can tell, the Hub2 doesn’t open any outside ports on my router.  This is contrary to the claim that it does “automatic port forwarding.”  This is probably for the best security-wise anyways.

Instead it appears that the Hub creates a persistent connection to insteon.pubhub.com (hosted on Amazon Ec2).  Poking around http://www.pubhub.com confirms this.  The communication is all SSL encrypted.  I thought about placing a man-in-the-middle and trying to decode this messaging, but I doubt it would be much help.