A Dreamer's Lair

eQ-3 Max Cube message protocol decrypted (Part 1)

In my quest to write a gateway for the eQ-3 Max Cube I came across several sources of information. For those who are interested and for myself to keep a future reference at one place, I will try to write the info for as many messages as I can find on this blog. Perhaps needless to say that the messages also apply to the ELV version of the Cube (since the devices are equal, besides the accompanying software).

I shall start with how we get to know which Cube devices are available on the network and at what IP-Address (or addresses since there can be more than one Cube present).

When a certain UDP broadcast ‘Hello’ message is sent on port 23272, any cube in the network will respond to this message with an answer. On receiving this answer, we can check the originators IP-Address and thus know at what IP-Address the Cube is available. In the received message we can find the Cube’s serial number and firmware version. The latter of which is of importance because the TCP port at which to communicate with the Cube differs depending on the firmware version.

To send the broadcast message we can use the following code.

private const int CubeBroadcastPort = 23272;
private static byte[] _helloMessage = new byte[] { 0x65, 0x51, 0x33, 0x4d, 0x61, 0x78, 0x2a, 0x00, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x49 };

// Broadcast hello message to find available cubes.
UdpClient sender = new UdpClient();
IPEndPoint ip = new IPEndPoint(IPAddress.Broadcast, CubeBroadcastPort);
sender.Send(_helloMessage, _helloMessage.Length, ip);

ip = new IPEndPoint(IPAddress.Parse(""), CubeBroadcastPort);
sender.Send(_helloMessage, _helloMessage.Length, ip);

This will broadcast the ‘Hello’ message on the network. The Hello message looks like this:

00: 65 51 33 4d 61 78 2a 00    eQ3Max..
08: 2a 2a 2a 2a 2a 2a 2a 2a    ........
10: 2a 2a 49                   ..I

I don’t know the meaning of all bytes in the message. Suffice it to say that it works 🙂

When the above message is broadcasted, the Max! Cube device will respond with the following answer (of 26 bytes):

00: 65 51 33 4d 61 78 41 70    eQ3MaxAp
08: 4a 45 51 30 35 34 34 39    JEQ05449
10: 32 33 3e 49 00 03 f2 5d    23.I....
18: 01 13                      ..

Important in this are the following fields:

Description        Startpos    Length      Example Value
Response           00          8           eQ3MaxAp
Serial Number      08          10          JEQ0544923
Unknown            12          3           3e 49 00
Address            15          3           03 f2 5d
Firmware Version   18          2           01 13

The response is always eQ3MaxAp. You can check for the presence of this code to validate that it is indeed a hello broadcast response message.

The Serial number is a string of 10 characters containing the serial number of the Cube (which in this case would be JEQ0544923).

The address field is the 3 byte address of the Cube. In the Cube software itself all addresses seem to be displayed in decimal notation so the address for this cube would be 258653.

The last bit of info is the firmware version. This info is BCD encoded. So the firmware in this case, in decimal, would be 113. The firmware version is important for us to know at which port the Cube device listens. Prior to firmware version 109, the Cube listens at TCP port 80. Starting from firmware version 109, the TCP port will be 62910.

Next time, we will connect to the Cube device and deal with the hello message to and from the device (the so called h: and H: messages).

    Your email address will not be published. Required fields are marked *


    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>