KNXmap: A KNXnet/IP Scanning and Auditing Tool

Users of KNX, a standard for home automation bus systems, may already have come across KNXnet/IP (also known as EIBnet/IP): it is an extension of KNX that defines Ethernet as a communication medium, which allows communication with KNX buses over IP-driven networks. Additionally, it makes it possible to couple multiple bus installations over IP gateways, so-called KNXnet/IP gateways.

In the course of some KNX related research we’ve had access to various KNXnet/IP gateways from different vendors, most of them coupled in a lab setup for testing purposes. The typical tools used for such tasks are ETS, the professional software developed by the creators of KNX (proprietary, test licenses available) and eibd, an open source implementation of the KNX standard developed by the TU Vienna.

ETS is great for programming new KNX bus installations, but for our research tasks we needed something a little more flexible. Because ETS is only available for Windows and is a complete GUI-based application, it is not very scripting friendly. Instead one can use eibd, a daemon that runs on Linux and is a lot more scripting friendly. Additionally it is open source, which allowed us to dive into the actual implementation of KNX. It is also used by many vendors in their KNXnet/IP gateways, but that is not in the scope of this post.

eibd is a great tool for interacting with KNX buses. However, setting it up and getting it running is quite a complex task that potentially requires various system changes. It is also no longer developed (although there are forks like knxd), so new features in KNX will most likely not become available. We started out with some shell scripts that wrapped the eibd command line tools in order to, e.g., send values to group addresses or identify live devices on the bus. But this solution was far from ideal.

KNXmap

At some point I decided to implement a tool that makes it easy to identify devices on a KNX bus via a KNXnet/IP gateway. The main goals were to build something that is easy to use and has few dependencies.

I have implemented KNXmap as a basic KNX mapper that identifies not only KNXnet/IP gateways but also live bus devices on the attached KNX bus. It can also extract information for further fingerprinting. It supports identifying KNXnet/IP gateways via multicast search and unicast description requests.

KNXmap also allows bus devices to be identified passively via its bus and group monitoring modes. These print out all messages that are sent, e.g., to group addresses.
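The gateway discovery described above works by sending a KNXnet/IP SEARCH_REQUEST to the KNX system setup multicast group and parsing the SEARCH_RESPONSE frames that gateways return. The following is an added example that is not code from KNXmap: it builds a SEARCH_REQUEST, parses a SEARCH_RESPONSE into the fields an asset inventory cares about (control endpoint, individual address, serial, MAC, friendly name, whether the device is in programming mode, supported service families), and rejects malformed frames. The frame layout follows the KNXnet/IP core specification; the sample response, the gateway name and all addresses in it are constructed for the example, and nothing here touches the network.

```python
"""KNXnet/IP SEARCH_REQUEST builder and SEARCH_RESPONSE parser (added example).

This is illustration code, not part of KNXmap. The frame layout follows the
KNXnet/IP core spec: 6-byte header, HPAI (host protocol address information)
and DIBs (description information blocks). The sample response below is
constructed by hand so the parser can be exercised offline.
"""
import socket
import struct

KNX_HEADER_LEN = 0x06
KNX_PROTO_VERSION = 0x10
SEARCH_REQUEST = 0x0201
SEARCH_RESPONSE = 0x0202
HPAI_IPV4_UDP = 0x01
DIB_DEVICE_INFO = 0x01
DIB_SUPP_SVC_FAMILIES = 0x02
KNX_MULTICAST = ("224.0.23.12", 3671)   # system setup multicast group and UDP port

KNX_MEDIA = {0x02: "TP1", 0x04: "PL110", 0x10: "RF", 0x20: "KNX IP"}
SERVICE_FAMILIES = {0x02: "Core", 0x03: "Device Management", 0x04: "Tunnelling",
                    0x05: "Routing", 0x06: "Remote Logging",
                    0x07: "Remote Configuration", 0x08: "Object Server"}


def build_hpai(ip, port):
    """HPAI: structure length, protocol code, IPv4 address, UDP port."""
    return struct.pack("!BB4sH", 8, HPAI_IPV4_UDP, socket.inet_aton(ip), port)


def build_search_request(reply_ip, reply_port):
    """SEARCH_REQUEST = header + HPAI of the endpoint that should receive the answer.

    The gateway replies to whatever endpoint the HPAI names; discovery itself
    carries no authentication, which is why reachability of UDP 3671 matters.
    """
    body = build_hpai(reply_ip, reply_port)
    header = struct.pack("!BBHH", KNX_HEADER_LEN, KNX_PROTO_VERSION,
                         SEARCH_REQUEST, KNX_HEADER_LEN + len(body))
    return header + body


def individual_address(raw):
    """Decode a 16-bit KNX individual address as 'area.line.device'."""
    return "%d.%d.%d" % ((raw >> 12) & 0x0F, (raw >> 8) & 0x0F, raw & 0xFF)


def parse_search_response(frame):
    """Return a dict describing the answering gateway; raise ValueError if malformed."""
    if len(frame) < KNX_HEADER_LEN + 8:
        raise ValueError("frame shorter than header plus HPAI")
    hlen, ver, svc, total = struct.unpack("!BBHH", frame[:6])
    if hlen != KNX_HEADER_LEN or ver != KNX_PROTO_VERSION:
        raise ValueError("not a KNXnet/IP 1.0 frame")
    if svc != SEARCH_RESPONSE:
        raise ValueError("unexpected service type 0x%04x" % svc)
    if total != len(frame):
        raise ValueError("declared length %d != received %d" % (total, len(frame)))
    hpai_len, _proto, ip, port = struct.unpack("!BB4sH", frame[6:14])
    info = {"control_endpoint": (socket.inet_ntoa(ip), port), "families": {}}
    pos = KNX_HEADER_LEN + hpai_len
    while pos < len(frame):                      # walk the DIBs
        dib_len, dib_type = frame[pos], frame[pos + 1]
        if dib_len < 2 or pos + dib_len > len(frame):
            raise ValueError("malformed DIB at offset %d" % pos)
        dib = frame[pos + 2:pos + dib_len]
        if dib_type == DIB_DEVICE_INFO and len(dib) == 52:
            medium, status, ia, _proj, serial, _mcast, mac, name = \
                struct.unpack("!BBHH6s4s6s30s", dib)
            info["medium"] = KNX_MEDIA.get(medium, "0x%02x" % medium)
            info["programming_mode"] = bool(status & 0x01)   # bit 0 of device status
            info["individual_address"] = individual_address(ia)
            info["serial"] = serial.hex()
            info["mac"] = ":".join("%02x" % b for b in mac)
            info["friendly_name"] = name.rstrip(b"\x00").decode("latin-1")
        elif dib_type == DIB_SUPP_SVC_FAMILIES:
            for i in range(0, len(dib) - 1, 2):   # (family id, version) pairs
                fam = SERVICE_FAMILIES.get(dib[i], "0x%02x" % dib[i])
                info["families"][fam] = dib[i + 1]
        pos += dib_len
    return info


def build_sample_search_response():
    """Constructed SEARCH_RESPONSE (not a capture): a TP1 gateway at 1.1.0."""
    hpai = build_hpai("192.168.1.10", 3671)
    dev = struct.pack("!BBHH6s4s6s30s", 0x02, 0x00, 0x1100, 0x0000,
                      bytes.fromhex("000102030405"), socket.inet_aton("224.0.23.12"),
                      bytes.fromhex("001122334455"), b"Sample Gateway".ljust(30, b"\x00"))
    dev_dib = struct.pack("!BB", 2 + len(dev), DIB_DEVICE_INFO) + dev
    fam = bytes([0x02, 0x01, 0x03, 0x01, 0x04, 0x01])   # Core, DevMgmt, Tunnelling v1
    fam_dib = struct.pack("!BB", 2 + len(fam), DIB_SUPP_SVC_FAMILIES) + fam
    body = hpai + dev_dib + fam_dib
    header = struct.pack("!BBHH", KNX_HEADER_LEN, KNX_PROTO_VERSION,
                         SEARCH_RESPONSE, KNX_HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    print(build_search_request("192.168.1.50", 3671).hex())
    print(parse_search_response(build_sample_search_response()))
```

The length checks matter in practice: a monitoring tool that trusts the declared total length or a DIB length without comparing it to the bytes actually received will read past the buffer on a truncated or crafted frame. The `programming_mode` flag is worth surfacing in an inventory, since a gateway left in programming mode accepts address assignment from the bus.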

Compatibility

KNXmap is implemented in Python and relies heavily on the asyncio module. KNXmap therefore requires at least Python 3.3. asyncio has been shipped in the Python standard library since version 3.4, so if you have Python 3.4 or newer you have everything you need. KNXmap has no external dependencies!

Get it, Try it, Improve it!

KNXmap is available on GitHub, where development will hopefully continue to improve it!

Unfortunately, the lab setup available during development had just a light switch, which was not very fancy. It would be interesting to see how KNXmap performs on larger setups with more complex bus devices, e.g. alarm systems or perhaps an elevator. Feedback is always welcome.

Future Work

Currently there are some open TODOs, such as the object server implementation, proper KNX routing and device configuration support, and other features that are not yet implemented. However, many of them are not that interesting for the purposes of KNXmap.

What could be interesting is support for KNX Secure, which introduces new security features including encryption and authentication both for the IP-driven part and for the KNX bus communication. The new standard is not yet available, so I still have to wait to get hold of KNX Secure compatible devices.