How to configure ioBroker + homegear + debmatic for MAX!, HomeMatic(-IP) and ZWave?

Hi Adrian,

thank you very much.
Sounds good.

Do you maybe know if the ioBroker hm-rpc Adapter can handle this?
When I connect a ZWave device through homegear…
That is the only thing where I am a little unsure whether this will work without problems.

Are the ZWave devices exposed to ioBroker through bin-rpc just like Homematic ones?
With channels and values and so on?
Or is this different?

Thanks & best regards
Alex

There are some details specific to the zwave module, but homegear deals with the peers from different modules in a similar way, so you should expect from the zwave peers similar behavior as from the peers from the other modules.

1 Like

@Adrian
I received my smoke sensors in the meantime and want to install them this weekend.
I will try to add them with S2 security and see if that works, if not S0 will be fine as well.

Can you explain the 3 different types of S2 security?

‘Access Control mode’ corresponds to 3, ‘Authenticated mode’ corresponds to 2, ‘Unauthenticated mode’ corresponds to 1

Which one should I use?
Do I need to try S2-3, then S2-2, then S2-1 and last S0 if I don’t know what the device supports because it could be that the device supports S2 but only in mode 1 or something like that?

And what is this for?

If you want to grant only a single security level, use sec2pairing3e on .

That stuff with all the different security settings is confusing. :wink:

Thanks & best regards
Alex

Hi,

I will start in reverse, since it seems easier to explain.

The difference between pairing with ‘e’ and without it is that the one with ‘e’ (from ‘exclusive’) grants only the specified security level. Without that, a certain security level has access to all security levels below it (so a device with level 2 security can ‘talk’, if it wants, with all levels below it - if it requested them at pairing, not all of them request all security levels below its own).

It depends on the device and how strong you need the security to be. S2-3 is the strongest.
Here is a quote from a whitepaper:

Source: https://cdn.shopify.com/s/files/1/0066/8149/3559/files/z-wave-security-white-paper.pdf
‘S2 Access control’ is S2-3. ‘S2 Authenticated’ is S2-2, ‘S2 Unauthenticated’ is S2-1 and the S0 ‘compatibility mode’ is S2-0.

The first two security levels also require specifying the first bytes of the DSK (typically found on the back of the device) for ‘authenticating’ the device when pairing.

Here is also a slide on the security: https://www.silabs.com/documents/login/presentations/PMP13827-2.pdf

1 Like

One thing I forgot to add is that a device can support S2 but not necessarily all security levels. There are plenty that support only the S2 Unauthenticated. When the device is paired, a negotiation takes place that gives the device the max level that’s equal to or less than the one specified in the pairing command (unless you try to grant only a specific level).

1 Like
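
The level selection described in the two replies above, as a simplified model. This is an added example, not part of the posts and not homegear's code; the function names and the constructed DEVICE are assumptions, and the bit values are those of the S2 requested/granted keys byte.

```python
# Key bits of the S2 "requested keys" / "granted keys" byte.
S2_UNAUTH, S2_AUTH, S2_ACCESS, S0 = 0x01, 0x02, 0x04, 0x80
# Level numbers as used in this thread: 3, 2, 1 for S2 and 0 for S0.
LEVEL_BIT = {3: S2_ACCESS, 2: S2_AUTH, 1: S2_UNAUTH, 0: S0}


def grant(requested, level, exclusive=False):
    """Keys granted when pairing is started at `level`.

    requested: bitmask of the keys the device asks for during pairing.
    exclusive: the 'e' variant, which offers only `level` itself.
    """
    offered = 0
    for lvl in ([level] if exclusive else range(level, -1, -1)):
        offered |= LEVEL_BIT[lvl]
    return requested & offered  # never more than the device requested


def highest_level(granted):
    """Strongest level in a granted mask, or None if nothing was granted."""
    return next((l for l in (3, 2, 1, 0) if granted & LEVEL_BIT[l]), None)


def needs_dsk(granted):
    """Levels 3 and 2 are the ones that require the DSK bytes at pairing."""
    return bool(granted & (S2_ACCESS | S2_AUTH))


def outcomes(requested):
    """Resulting level for every pairing choice, keyed by (level, exclusive)."""
    return {(lvl, excl): highest_level(grant(requested, lvl, excl))
            for lvl in (3, 2, 1, 0) for excl in (False, True)}


# Constructed device: requests only S2 Unauthenticated and S0.
DEVICE = S2_UNAUTH | S0
```

In this model, pairing DEVICE at level 3 without 'e' ends at level 1 with no DSK needed, while level 3 with 'e' grants nothing.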

OK, thank you.
That made everything clearer now for me.

I added one Smoke Sensor now.

But I could not find a DSK key on the device. Can this be the case?
So I used s2pon1 as this does not require the DSK.

Seems to work.
It does show a peer now on ls command.
31 │ SED5738A200002 │ SED5738A200002 │ 0013 │ 76292921...

‘config print’ on the device gives the following output.
Does this look fine?

MASTER
{
        Channel: 12
        {
                [MULTI_CHANNEL_ASSOCIATION_REMOVE.VG]: 00 
                [MULTI_CHANNEL_ASSOCIATION_REMOVE.NODE_ID]: 00 
                [MULTI_CHANNEL_ASSOCIATION_REMOVE.GROUPING_IDENTIFIER]: 01 
                [MULTI_CHANNEL_ASSOCIATION.GROUPING_IDENTIFIER]: 01 
                [MULTI_CHANNEL_ASSOCIATION.NODE_ID]: 00 
                [MULTI_CHANNEL_ASSOCIATION.REPORTS_TO_FOLLOW]: 00 
                [MULTI_CHANNEL_ASSOCIATION.MAX_NODES_SUPPORTED]: 00 
                [MULTI_CHANNEL_ASSOCIATION.VG]: 00 
                [MULTI_CHANNEL_ASSOCIATION_GROUPINGS.SUPPORTED_GROUPINGS]: 00 
        }
        Channel: 10
        {
                [CONFIGURATION.PARAMETER_NUMBER]: 01 
                [CONFIGURATION.LEVEL__SIZE]: 00 
                [CONFIGURATION.LEVEL__DEFAULT]: 00 
                [CONFIGURATION.CONFIGURATION_VALUE]: 00 
                [CONFIGURATION.LEVEL]: 00 
        }
        Channel: 7
        {
                [WAKE_UP_INTERVAL_CAPABILITIES.MINIMUM_WAKE_UP_INTERVAL_SECONDS]: 00 
                [WAKE_UP_INTERVAL_CAPABILITIES.MAXIMUM_WAKE_UP_INTERVAL_SECONDS]: 00 
                [WAKE_UP_INTERVAL_CAPABILITIES.WAKE_UP_INTERVAL_STEP_SECONDS]: 00 
                [WAKE_UP_INTERVAL.NODE_ID]: 01 
                [WAKE_UP_INTERVAL_CAPABILITIES.DEFAULT_WAKE_UP_INTERVAL_SECONDS]: 00 
                [WAKE_UP_INTERVAL.SECONDS]: 00 
        }
        Channel: 6
        {
                [POWERLEVEL_TEST_NODE.TEST_NODEID]: 00 
                [POWERLEVEL_TEST_NODE.TEST_FRAME_COUNT]: 00 
                [POWERLEVEL_TEST_NODE.STATUS_OF_OPERATION]: 00 
                [POWERLEVEL_TEST_NODE.POWER_LEVEL]: 00 
                [POWERLEVEL.POWER_LEVEL]: 00 
                [POWERLEVEL.TIMEOUT]: 00 
        }
        Channel: 5
        {
                [ASSOCIATION_SPECIFIC_GROUP.GROUP]: 00 
                [ASSOCIATION.GROUPING_IDENTIFIER]: 01 
                [ASSOCIATION_REMOVE.NODE_ID]: 00 
                [ASSOCIATION.MAX_NODES_SUPPORTED]: 00 
                [ASSOCIATION.NODE_ID]: 00 
                [ASSOCIATION.REPORTS_TO_FOLLOW]: 00 
                [ASSOCIATION_GROUPINGS.SUPPORTED_GROUPINGS]: 00 
                [ASSOCIATION_REMOVE.GROUPING_IDENTIFIER]: 01 
        }
        Channel: 4
        {
                [ASSOCIATION_GROUP_INFO.GROUPING_IDENTIFIER]: 01 
                [ASSOCIATION_GROUP_COMMAND_LIST.GROUPING_IDENTIFIER]: 01 
                [ASSOCIATION_GROUP_COMMAND_LIST.PROPERTIES1]: 00 
                [ASSOCIATION_GROUP_INFO.PROPERTIES1GET__LIST_MODE]: 00 
                [ASSOCIATION_GROUP_COMMAND_LIST.PROPERTIES1__ALLOW_CACHE]: 00 
                [ASSOCIATION_GROUP_COMMAND_LIST.LIST_LENGTH]: 08 
                [ASSOCIATION_GROUP_INFO.PROPERTIES1REPORT__DYNAMIC_INFO]: 00 
                [ASSOCIATION_GROUP_INFO.PROPERTIES1GET]: 00 
                [ASSOCIATION_GROUP_INFO.PROPERTIES1GET__REFRESH_CACHE]: 00 
                [ASSOCIATION_GROUP_INFO.VG1]: 01 00 00 01 00 00 00 
                [ASSOCIATION_GROUP_INFO.PROPERTIES1REPORT]: 01 
                [ASSOCIATION_GROUP_INFO.PROPERTIES1REPORT__GROUP_COUNT]: 01 
                [ASSOCIATION_GROUP_NAME.NAME]: Lifeline
                [ASSOCIATION_GROUP_INFO.PROPERTIES1REPORT__LIST_MODE]: 00 
                [ASSOCIATION_GROUP_NAME.GROUPING_IDENTIFIER]: 01 
                [ASSOCIATION_GROUP_COMMAND_LIST.COMMAND]: 5a 01 71 05 80 03 31 05 
                [ASSOCIATION_GROUP_NAME.LENGTH_OF_NAME]: 09 
        }
        Channel: 1
        {
                [ZWAVEPLUS_INFO.Z-WAVE+_VERSION]: 01 
                [ZWAVEPLUS_INFO.USER_ICON_TYPE]: 0c 01 
                [ZWAVEPLUS_INFO.ROLE_TYPE]: 06 
                [ZWAVEPLUS_INFO.INSTALLER_ICON_TYPE]: 0c 01 
                [ZWAVEPLUS_INFO.NODE_TYPE]: 00 
        }
        Channel: 0
        {
                [SPECIFIC_DEVICE_TYPE]: 01 
                [SPECIFIC_DEVICE_NAME]: SPECIFIC_TYPE_NOTIFICATION_SENSOR
                [SERVICE_HOSTNAME]: SED5738A200002
                [SECURE2]: 00 
                [SPECIFIC_DEVICE_DESC]: Notification Sensor
                [SERVICE_NAME]: SED5738A200002
                [SECURE]: 00 
                [PROTOCOL_VERSION]: 04 
                [PROTOCOL_SUBVERSION]: 18 
                [SUPPORTSECURITY2]: 00 
                [PRODUCT_ID]: 10 03 
                [NODE_PORT]: 00 
                [NODE_ID]: 02 
                [CHANNELS]: 00 
                [HARDWARE_VERSION]: 02 
                [BASIC_DEVICE_NAME]: BASIC_TYPE_ROUTING_SLAVE
                [BASIC_DEVICE_TYPE]: 04 
                [PRODUCT_TYPE]: 0c 02 
                [BASIC_DEVICE_DESC]: Routing Slave
                [APPLICATION_SUBVERSION]: 03 
                [APPLICATION_VERSION]: 03 
                [GENERIC_DEVICE_TYPE]: 07 
                [ENDPOINT_ID]: 00 
                [PEER_ID]: 1f 
                [GENERIC_DEVICE_DESC]: Sensor Notification
                [SECURE2LEVEL]: 00 
                [GENERIC_DEVICE_NAME]: GENERIC_TYPE_SENSOR_NOTIFICATION
                [MANUFACTURER_ID]: 01 0f 
                [LIBRARY_TYPE]: 03 
                [IP_ADDRESS]: 02 
                [LISTENING]: 00 
                [MULTI_CHANNEL]: 00 
        }
}

VALUES
{
        Channel: 14
        {
                [SENSOR_ALARM_SUPPORTED.BIT_MASK]: 00 
                [SENSOR_ALARM_SUPPORTED.NUMBER_OF_BIT_MASKS]: 00 
                [SENSOR_ALARM.SOURCE_NODE_ID]: 01 
                [SENSOR_ALARM.SENSOR_TYPE]: 00 
                [SENSOR_ALARM.SECONDS]: 00 
                [SENSOR_ALARM.SENSOR_STATE]: 00 
        }
        Channel: 13
        {
                [APPLICATION_BUSY.STATUS]: 00 
                [APPLICATION_REJECTED_REQUEST.STATUS]: 00 
                [APPLICATION_BUSY.WAIT_TIME]: 00 
        }
        Channel: 11
        {
                [SENSOR_MULTILEVEL_SUPPORTED_SCALE_GET.SENSOR_TYPE]: 01 
                [SENSOR_MULTILEVEL_SUPPORTED_SCALE.SENSOR_TYPE]: 01 
                [SENSOR_MULTILEVEL_SUPPORTED_SENSOR.BIT_MASK]: 01 ca 00 
                [SENSOR_MULTILEVEL_SUPPORTED_SCALE.PROPERTIES1__SCALE_BIT_MASK]: 00 
                [SENSOR_MULTILEVEL.SENSOR_VALUE]: 00 ed 
                [SENSOR_MULTILEVEL.SENSOR_TYPE]: 01 
                [SENSOR_MULTILEVEL.LEVEL__PRECISION]: 01 
                [SENSOR_MULTILEVEL.LEVEL]: 22 
                [SENSOR_MULTILEVEL.PROPERTIES1]: 00 
                [SENSOR_MULTILEVEL_SUPPORTED_SCALE.PROPERTIES1]: 00 
                [SENSOR_MULTILEVEL.LEVEL__SCALE]: 00 
                [SENSOR_MULTILEVEL.PROPERTIES1__SCALE]: 00 
                [SENSOR_MULTILEVEL.LEVEL__SIZE]: 02 
        }
        Channel: 9
        {
                [NOTIFICATION_SUPPORTED.PROPERTIES1__NUMBER_OF_BIT_MASKS]: 00 
                [NOTIFICATION_SUPPORTED.PROPERTIES1]: 00 
                [NOTIFICATION.EVENT_PARAMETER]: 00 
                [EVENT_SUPPORTED.PROPERTIES1]: 00 
                [EVENT_SUPPORTED.BIT_MASK]: 00 
                [NOTIFICATION.NOTIFICATION_STATUS]: 00 
                [NOTIFICATION.EVENT]: 00 
                [NOTIFICATION.V1_ALARM_TYPE]: 00 
                [EVENT_SUPPORTED.PROPERTIES1__NUMBER_OF_BIT_MASKS]: 00 
                [EVENT_SUPPORTED.NOTIFICATION_TYPE]: ff 
                [NOTIFICATION.V1_ALARM_LEVEL]: 00 
                [NOTIFICATION.NOTIFICATION_TYPE]: ff 
                [NOTIFICATION.PROPERTIES1]: 00 
                [NOTIFICATION_SUPPORTED.PROPERTIES1__V1_ALARM]: 00 
                [NOTIFICATION.PROPERTIES1__SEQUENCE]: 00 
                [NOTIFICATION.RESERVED]: 00 
                [NOTIFICATION.SEQUENCE_NUMBER]: 00 
                [NOTIFICATION.PROPERTIES1__EVENT_PARAMETERS_LENGTH]: 00 
                [NOTIFICATION_SUPPORTED.BIT_MASK]: 00 
        }
        Channel: 8
        {
                [BATTERY.BATTERY_LEVEL]: 64 
        }
        Channel: 7
        {
                [WAKE_UP_NO_MORE_INFORMATION.ACTION]: 00 
                [WAKE_UP_NOTIFICATION.ACTION]: 00 
        }
        Channel: 3
        {
                [DEVICE_RESET_LOCALLY_NOTIFICATION.ACTION]: 00 
        }
        Channel: 2
        {
                [BASIC.VALUE]: ff 
        }
        Channel: 0
        {
                [UNREACH]: 00 
                [LOWBAT]: 00 
                [STICKY_UNREACH]: 00 
                [CONFIG_PENDING]: 00 
                [LAST_PACKET_RECEIVED]: 5e d3 d8 95 
        }
}

Thanks & best regards
Alex

Hi,

It looks like it was added non-securely:

[SECURE2]: 00 
[SECURE]: 00 

You may try removing it and attempt to add it again with S0 (spon). That device should support S0 at least.
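
The check made in the reply above, as a small parser for `config print` output. This is an added example, not part of the post or of homegear; the function names are hypothetical, SAMPLE is a shortened constructed copy of the output in this thread, and treating any non-zero SECURE or SECURE2 as a secure inclusion is an assumption drawn from that reply.

```python
import re

# Constructed sample: a shortened copy of the 'config print' output posted above.
SAMPLE = """\
MASTER
{
        Channel: 0
        {
                [SECURE2]: 00
                [SECURE]: 00
                [SECURE2LEVEL]: 00
        }
}
VALUES
{
        Channel: 0
        {
                [UNREACH]: 00
        }
}
"""


def parse_config_print(text):
    """Return {section: {channel: {name: value}}} for 'config print' text."""
    tree, section, channel = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"[A-Z_]+", line):  # section header: MASTER, VALUES
            section, channel = tree.setdefault(line, {}), None
        elif m := re.fullmatch(r"Channel: (\d+)", line):
            if section is not None:
                channel = section.setdefault(int(m.group(1)), {})
        elif m := re.fullmatch(r"\[([^\]]+)\]:\s*(.*)", line):
            if channel is not None:
                channel[m.group(1)] = m.group(2).strip()
    return tree


def security_flags(text):
    """Security flags from MASTER channel 0; None means the key is absent."""
    ch0 = parse_config_print(text).get("MASTER", {}).get(0, {})
    return {k: (int(ch0[k], 16) if k in ch0 else None)
            for k in ("SECURE", "SECURE2", "SECURE2LEVEL")}


def included_securely(text):
    """True only if SECURE or SECURE2 is non-zero (the check in the reply)."""
    flags = security_flags(text)
    return bool(flags["SECURE"] or flags["SECURE2"])
```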

Hi,

thanks.
I will try this now.

But I have the following in my logs:
06/01/20 16:14:08.553 Module ZWave: Z-Wave serial module "Serial1": Function not handled: 01090141539C010407017A; Direction: Response; Function: ZW_GET_NODE_PROTOCOL_INFO

This appeared after trying to add it with s2pon1.

Thanks & best regards
Alex

You might have an old version of a ‘stick’.

Is it by any chance some raspberry hat? There is an old version that appears to work but security does not work with it. If I recall correctly, that one also lost the network after a while.

Thanks for quick support :slight_smile:

No, I have the ZMEEUZB1 USB stick.
This one: https://z-wave.me/products/uzb/

spon (S0 pairing) also results in

[SECURE2]: 00
[SECURE]: 00

And the same error is stated in homegear.err

Hi,

I just looked over the code, it seems that the message is harmless. The function is handled, but in some other place (and in another way) than the function that’s emitting the message. Probably I should filter it out.

As for the secure pairing, I don’t think I can tell a lot more without seeing a log of what’s happening.

Do you have the password properly set in the config file?

There should be a line like this:

but of course with your own password.

For S2 three different passwords should be additionally set in the config file, passwordS21, passwordS22 and passwordS23.

Could you please provide a link to some documentation of the device, or at least the device model? I want to see if I can figure out what kind of security it supports. S0 should be supported from what I see…

LE: I think I found it already. I’m not sure it’s exactly the same device, though.

Hi,

this is what I have in terms of documentation:
https://manuals.fibaro.com/smoke-sensor/
The site itself contains information and you can also download a PDF with additional information there.

The following can be found under the item “Features”

* Compatible with any Z-Wave or Z-Wave+ Controller
* Supports protected mode (Z-Wave network security mode) with AES-128 encryption

So I think this means S0 right?

This is my config:

[General]

#######################################
############ Serial  ############
#######################################

[Serial]

id = Serial1
deviceType = serial

# 16 bytes hex 'password'. Please change it to a random one.
password = ...

passwordS21 = ...
passwordS22 = ...
passwordS23 = ...

# The usb serial device, whatever that is on the system
device = /dev/serial/by-id/usb-0658_0200-if00
#device = /dev/ttyACM0

################################################
############ Gateway ###########################
################################################

#[Gateway]

#id = gateway
#deviceType = homegeargateway

# 16 bytes hex 'password'. Please change it to a random one.
#password = 16CFA1797F981EC8651DDD45F8BF0FC6

#host = gateway
#port = 2017

#cafile = /etc/homegear/ca/cacert.pem
#certfile = /etc/homegear/ca/certs/gateway.crt
#keyfile = /etc/homegear/ca/private/gateway.key

The 3 passwords are all 32 chars of 0-9 and A-F.
So should be fine, not?

Thanks & best regards
Alex
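
A way to check the four keys discussed above (password plus passwordS21, passwordS22 and passwordS23, each 16 bytes written as 32 hex characters, with the sample value replaced). This is an added example, not part of the posts or of homegear; the function names and the duplicate-value check are assumptions, and CONSTRUCTED_CONF is made up for the demonstration.

```python
import re
import secrets

# Sample value from the commented-out [Gateway] block above; must not be reused.
SAMPLE_KEY = "16CFA1797F981EC8651DDD45F8BF0FC6"
KEY_NAMES = ("password", "passwordS21", "passwordS22", "passwordS23")

# Constructed config for the demonstration (not the values from this thread).
CONSTRUCTED_CONF = """\
[Serial]
password = 16CFA1797F981EC8651DDD45F8BF0FC6
passwordS21 = 00112233445566778899AABBCCDDEEFF
passwordS22 = 00112233445566778899aabbccddeeff
#passwordS23 = 0123
"""


def read_section(text, wanted):
    """Collect key = value pairs of one [section], skipping '#' comment lines."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = m.group(1)
        elif current == wanted and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def check_keys(text, section="Serial"):
    """Return a list of problems with the network keys of one interface."""
    conf, problems, seen = read_section(text, section), [], {}
    for name in KEY_NAMES:
        value = conf.get(name)
        if value is None:
            problems.append(f"{name}: missing")
        elif not re.fullmatch(r"[0-9A-Fa-f]{32}", value):
            problems.append(f"{name}: not 32 hex characters (16 bytes)")
        elif value.upper() == SAMPLE_KEY:
            problems.append(f"{name}: still the sample value")
        elif value.upper() in seen:
            problems.append(f"{name}: same value as {seen[value.upper()]}")
        else:
            seen[value.upper()] = name
    return problems

def new_key():
    return secrets.token_hex(16).upper()  # 16 bytes from the OS CSPRNG
```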

Yes, that means it supports (at least) S0.
Probably only S0, usually they tell if it’s S2 (although I found a device that did not specify).

It might be the case that something didn’t go well during security negotiation phase. Please try to remove it and pair it again with spon.

I already did that (a couple of times).
I also tried to reset the device to factory defaults before pairing again.

It appears that without seeing the log file for the pairing process I cannot tell more about what’s happening :frowning:
Please turn security level up to 7 and send me the log file.

Or at least verify that those messages appear in the log when pairing:

At some moment this set of messages might stop and have some other message instead for security.

If any of those appear in the log, something went wrong. Please let me know if you see any of them.

Thanks.
Took me some time to find it as the log gets very very long in debug mode 7 :sweat_smile:.

I found this:

06/01/20 17:46:08.222 Module ZWave: Security0: Security Key Set: Got reply, checking...
06/01/20 17:46:08.222 Module ZWave: Security0: Security Key Set: It's a security encapsulation, trying to authenticate and decrypt
06/01/20 17:46:08.222 Module ZWave: Security0: Security Key Set: Key Verify Encrypted packet with invalid nonce

1 Like

That’s something I didn’t expect.

That message either comes because some nonce id in the packet is indeed invalid or a lot of time passed since the nonce was generated. Probably I should detail that message. I don’t think I encountered such a thing before, though.

Probably the log above those messages would be helpful.

I’ll look more over the code tomorrow trying to figure out what could go wrong.

Is my key printed there anywhere or can I just send the part between spon and the error?

No, they aren’t. From the information in the log, I cannot decrypt the packets.

But better send it in a private message.

Ok, I have done that.

Let me know if you need anything else.
Thanks.

2 Likes