Skip to content

Application Protocol

Jump to bottom
bggardner edited this page Nov 5, 2017 · 3 revisions

I will henceforth refer to the Data portion of the RF frame as a "Message", as it is the Python base class name I chose for the application-layer protocol data unit.

Message Structure

The names and encodings of the fields that comprise the Message are my best guess, and are by no means verified with SimpliSafe developers. The fields of the Message are, in order:

  1. Vendor Code: 2 bytes, always 0xCC05 (this could actually be part of the Preamble)
  2. Payload Length Code (PLC): 1 byte, a code that signifies a Payload type and length
    • 0x00: 7 bytes, only seen in a Keypad Out of Range message
    • 0x11: 3 bytes
    • 0x22: 4 bytes
    • 0x33: 5 bytes
    • 0x66: 7 bytes
  3. Serial Number: 5 bytes, ASCII-encoded
    • If sent by a base station, the serial number of the destination keypad
    • Otherwise, the serial number of the device
  4. Payload: length and content varies, see Payload Structure section
  5. Checksum: 1 byte, sum of Payload bytes (truncated to one byte)
  6. Footer: 6 bytes, only present in base station messages
    1. Base station serial number: 5 bytes, 6 hexadecimal characters "stuffed" into 5 bytes
      • Bytes are all 0xFF for keypad "menu" responses
      • 1st character: least significant nibble (LSN) of 1st byte
      • 2nd character: LSN of 2nd byte
      • 3rd character: LSN of 3rd byte
      • 4th character: LSN of 4th byte
      • 5th character: LSN of 5th byte
      • 6th character: most significant nibble (MSN) of 4th byte
      • Other nibbles are 0x0
    2. Sequence/Response Type: 1 byte
      • Sequence number: MSN, increments by one
      • Response type: LSN
        • 0x2: Status (non-keypad menu response)
        • 0x6: Menu

Payload Structure

  1. Header: 1-2 bytes
  2. Body: 0-4 bytes
  3. Footer: 1 byte, Event code

Base Station Messages

  1. Header: 2 bytes
    1. Origin: 0x00
    2. Message Type:
      • 0x01: Response, to Keypad request
      • 0x05: Update, unrequested
  2. Body: 0-4 bytes
  3. Footer: Keypad Event code

Keypad Messages

  1. Header: 2 byte
    • Origin: 0x01
    • Sequence: MSN, increments by four
    • Fixed Nibble: 0x4, LSN
  2. Body: 0-4 bytes
  3. Footer: Keypad Event code

Sensor Messages

  1. Header: 1 byte
    • Sequence: MSN, increments by one
    • Origin: LSN
      • 0x2: Keychain Remote
      • 0x3: Motion Sensor
      • 0x4: Entry Sensor
  2. Body: 0 bytes
  3. Footer: Sensor Event code
Clone this wiki locally