Air Con: $1697 for an on/off switch

Forcing customers to replace an entire system just because the cheapest component failed might be really profitable, I have no idea… But I do know that it annoyed me enough to make me want to fix it myself. While I understand that what I do next is beyond a large number of Advantage Air customers, in my investigation I found that there seems to be only software choices preventing modern tablets from working with older control systems. Adding a simple “system” chooser to their software applications would give solutions to everyone, while the custom POE connector would ensure they still need their hardware.

Aircon Controller

My family had a new home built in 2019. As part of the build package a large ducted reverse cycle (heatpump) air conditioning system was installed. As it was part of the entire build I am not sure on the specific price of this system but based on other quotes I have seen for a similar sized house I would guess $10k-$12k. The system has two main parts, the actual Daikin airconditioner and an Advantage Air control box in attic that opens the vents to the various zones. This control system is operated by a cheap POE powered Android tablet on the wall of the living room.

The Advantage Air e-zone system is an adequate interface that does its job reasonably well, it has the ability to actively monitor temperature and adjust vent opening angles and fan speed to achieve desired temperatures across multiple zones. This combined with the ability to allow remote control via phone apps from anywhere meant I would have happily recommended this system to anyone.

Control Lost

On Sunday the 18th of August 2024 approximately 6 months past warranty this changed. The tablet was complaining that “Sorry Google services has stopped”. I dismissed this message and continued with the task I had intended and turned off the heater. Later that day I returned home and went to turn the heater on again, only to find that this time the e-zone app itself had died and refused to launch. I restarted the tablet only to be greeted with a never ending ANDROID loading screen.

Being a Sunday the next few hours I researched and tried everything I could find to get this tablet working again. I entered recovery modes both English and Chinese and cleared every setting/partition I could. There was no visible USB interface on the device so I couldn’t connect it to a computer. Clearly there was something wrong with the operating system, a “system integrity check” returned multiple errors.

Disappointing Service

I called Advantage Air support the next day and waited for a call back. Eventually a support agent called and I explained my problem. One of the first questions I received was on the age of the system. Once he had established it was out of warranty it was explained to me that if the tablet was dead I would need a whole new control system for $1245. When I pushed back complaining that I only needed the cheap tablet replaced I received what sounded like a well rehearsed excuse along the lines of “Well technology keeps moving forward and systems aren’t compatible, new phones come out every year”. I was incredulous, I’m all for smart things, but this is effectively just the on/off switch for my air conditioner. To be clear, the Airconditioner worked fine, the control box worked fine, only the Android tablet had failed. We ended the call with him offering to send me instructions on how to hard reset the tablet.

Recovery: System Check Failed Factory recovery menu Very common problem

When the instructions arrived I found they were nothing I hadn’t already tried. In the meantime I had my hopes buoyed with evidence of people effectively using the latest tablet models with systems older than mine. This began a series of back and forth emails between myself and support where I would get increasingly frustrated at their complete refusal to sell me a control tablet and the bullshit excuses that always came along with it. I was angry and it is clear that I’m not the only one.

The straw that broke the camels back was when their official quote came through. Apparently not only the tablet and control system would need replacing but also the wireless temperature sensors too. This brought the price to $1697. $1697 so I could turn my heater on again. This is frankly outrageous and seems almost predatory. Fortunately it was nearly spring here in Australia, but in Summer people would pay nearly anything to get the aircon on again.

Ok I’ll fix it myself

I now had an angry fire lit. I was not going to pay this company a cent and became determined to fix/replace their tablet or install another companies system entirely. My first step was to rip the tablet off the wall and take it apart. The POE connection wasn’t something I recognised as standard as it was sending 12V and 2V on the middle pins.

Upon opening the tablet I found a hidden USB port! Connecting this to my computer allowed me to charge the device but no matter what I did, fastboot, recovery, adb sideload mode, everything… it wouldn’t recognise it. I initially thought this was due to me never enabling “USB Debugging” inside the android interface but I would later realise it was the POE connector.

After a couple of hours of frustratingly trying to load different firmwares via SDCard (I should state I am a total Android noob and was clumsily doing all of this) I finally decided to unscrew the main board and see where the extra wires from the POE connector went.

Inside the tablet POE to USB connection found!

AHA 3 wires, connected to USB 5V and data lines! The first thing I did was cut those datalines and immediately I could see the tablet when I ran fastboot devicesThis lead to another couple of hours going down the rabbit hole of trying to use mtktool to unlock the bootloader. While it looked promising it would always fail on stage2 what ever that is and did feel hardware related.

In retrospect I wasted way too much time trying to resurrect this clearly broken tablet. For whatever reason (I suspect some sort of storage failure) everyone’s tablets die around the same time.

When I finally gave up on the existing tablet, everything started falling into place. The only really unique part of this tablet, hardware wise was the POE adapter. I could see it served two functions. First it was wired to replace the battery to allow always on use, and secondly it was a USB device.

My first instinct was to go buy another cheap android tablet and wire it up exactly as this one was. But I know next to nothing about circuit boards and my soldering of small components is atrocious. So my second instinct was to wire this POE connector up to a USB-A plug, connect it to my computer (via a hub, I didn’t trust my wiring at all ) then see if I could detect it.

I couldn’t detect anything, then realised that maybe it was acting as a host and therefore could only connect to tablets/phones. I needed an Android tablet or phone. Fortunately I remembered that I did have an Android tablet, I won a Samsung Galaxy Tab 4 back in 2015 in a Hahn beer competition I entered randomly. I had no idea where it was so spent another hour turning the house upside down for this forgotten relic. My wife asked me what I was doing and when I told her she nonchalantly said “Oh the white one, yeah I saw it in the laundry cupboard a while back, does it even work?”

I had no idea if it worked or not, but after 5 minutes of charging I saw the lock screen and excitedly attached my terribly soldered connector.

POE to USB connection First connection attempt

Whoa! This was a step forward and also the exact point when I knew my venture would be successful. I am not a hardware/electronics expert, but I am very comfortable in software.

The original ezone tablet had been running Android 6.0, this Samsung was still on 5.0 but I didnt think that would cause any issues so I got started on doing what was clearly missing: The required apps. All ezone apps are available both on the Advantage Air website and the apkpure site. I only learned of the apkpure site from a post claiming he had been directed to it by a AA tech support person.

I installed two apps. The AAService app, which I guessed was the always on “service” and the Ezone “interface” app. I excitedly connected the poe dongle again:

“Not on AA Hardware”

Well duh, I didn’t expect it to be THAT easy but it was another roadblock, I would have to learn how to patch Android apps. I cut my teeth on Softice in DOS reversing much more complicated software for fun so I wasn’t daunted by this, but I also wasn’t expecting it to be so damn easy.

Android app patching

Thanks to this article. I learned that you can use a tool, er… apktool that allows you to not only disassemble an apk into smali ( a kind of Java runtime machine code ) but you can make modifications and run the command in reverse apktool b and it rebuilds it into a runnable app! No need for replacing bytes with a hex editor to stay within bounds etc… lol this seems like magic.

$ apktool d app-aaservice2-release-14.116

Cherry on the top is that you can also use a de-compiler JAXE on an apk that does its best to turn it back into Java. This code wont compile, but it has the exact same structure as the smali code. So you can identify what you need to modify in the pseudo-java, then make the changes in the smali. I used the awesome hosted version here.

So I opened the decompiled java project in VSCode, then one search for “AA Hardware” and I was here:

    /* access modifiers changed from: protected */
    public void onResume() {
        super.onResume();
        f2272e.set(true);
        Log.d(f2271d, "onResume");
        if (ServicePleaseReboot.f2283b.get()) {
            setContentView(R.layout.reboot_now);
            e.a((Activity) this);
        } else if (f.a()) {
            a();
        } else {
            Log.d(f2271d, "Not on AA Hardware");
            Toast.makeText(this, R.string.not_on_aa_hardware_error, 1).show();
            finish();
        }
    }

Excellent, so if f.a() is false then the “Not on AA Hardware” error will display and the app will quit. Following the imports ( I am not a Java person so this caught me out ) I found the f class was this:

import b.a.a.a.i;

/* compiled from: GetTabletInfo */
class f {
    static boolean a() {
        return i.c() || i.d() || i.e() || i.g() || i.f() || i.b();
    }
}

Now if you now go to sources/b/a/a/a/i.java you will find that each one of these is a check against the device Build.MODEL

for example i.c() is:

    public static boolean c() {
        return a().contains("eZone") || a().contains("e-zone") || a().equals("PIC7KS-EZ") || a().equals("PIC7KS6") || a().equals("PIC7KS6-EZ");
    }

So each of these i.c() i.d() etc… just feature flag functions checking against the model name. This c() function above is probably named something like isEzone(). Another might be something like isMyAir4() or isZone10() etc… So I had two easy options to make this work with my e-Zone controller box. I could make the i.c() (isEzone()) function always return true, or I could make the a() function always return my old tablet devicename. In retrospect I think the first option would have worked fine, but at the time I didn’t know if the model name was being checked anywhere else so I chose the latter.

My old tablet’s model name was on a sticker on the inside of the case, but looking at the code I saw it needed the -EZ identifier tagged to end. So the string I was to return was “PIC7KS6-EZ”. The original Java function looked like this:

    private static String a() {
        String str = Build.MODEL;
        if (str.equals("SM-T113")) {
            str = "MyAir5";
        }
        .
        . // other if statements overriding Build.MODEL
        .
        if (str.equals("PIC8GS8")) {
            return "MyAir5";
        }
        return str; // <-- I needed to change this to return "PIC7KS6-EZ"
    }

Jumping over to sources/b/a/a/a/i.smali I found the same function, but with the smali code. I could see the same if statements and the same return str. I just had to change the return str to return “PIC7KS6-EZ”


    :cond_4
    const-string v1, "PIC8GS8"

    .line 7
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v1

    if-eqz v1, :cond_5

    goto :goto_0

    :cond_5
    #move-object v2, v0 # <-- this was return str;
    const-string v2, "PIC7KS6-EZ"  # this returning the new string instead

    :goto_0
    return-object v2
.end method

Ok modification done time to rebuild it

$ apktool b app-aaservice2-release-14.116

Like magic you now have a new apk in the dist folder. This apk is unsigned though so I needed to sign it. I don’t do any android work so I had to google what to do, but I ended up creating a key store like this.

$ keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-android-release

Then I signed the apk with this command

jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore ../my-release-key.jks -storepass passwordiused dist/app-aaservice2-release-14.116.apk my-android-release

Then I connected my tablet and tried to install. Only to be hit with INSTALL_FAILED_DUPLICATE_PERMISSION. Turns out this was because I was installing the aaservice app which was requesting the same permissions as the ezone app. This is fine if they are both signed by the same key but they were not. To get things moving I just deleted the ezone app.

This time I fired up the aaservice app and it worked! I even got a nice notification announcing “System connected”. OK Great! I had a working service, now only needed the UI app eZone working. I did did the exact same apktool d and JAXE decompile as before but VSCode didn’t find any device strings or “Build.MODEL” checks. I quickly signed the eZone app with the matching key and installed, hoping that it didn’t need any other modifications. Upon opening it seemed to be attempting to connect but ended up returning an error about an un-recognised system.

I went back to the decompiled java and realised that actually VSCode’s search was just taking a long time, so I restricted the search to the java files. It didn’t take long to find the exact same device checking code. I made the exact same change to smali/com/air/advantage/w1/k.smali and rebuilt the apk. Installed it, connected to the POE and …

E-Zone running on a normal Android tablet

E-Zone running perfectly on an ancient Samsung Galaxy Tab 4. I was elated. After I gave up on repairing the original, getting this tablet working took only a few hours and was a hell of a lot of fun. This tablet is 10+ years old and yet still is much snappier than the junk that came with the system, but if I want to upgrade to something more powerful, say to control my homeassistant etc… all I need to do is plug it into the usb. But for turning the AC on and off it is more than enough and I am currently waiting on a nice flush connector to arrive then will mount it on the wall.

My aircon company (Not Advantage Air) kindly emailed me the next day to let me know that one of their installers had found an old tablet in the back of a van that I could purchase for $400. Although still outrageously expensive for what it is, had Advantage Air offered this originally I probably would have jumped at it. Instead I am thankful I had the opportunity to get this working on my own.

Hopefully this post is useful to someone else in the same situation. None of this can be done without the original POE connector so it won’t help anyone that doesn’t already have AA hardware, but if this extremely common tablet failure is the problem you are facing then a little soldering and a new tablet is all you need.

Followup

This post is being discussed on Hacker News which sparked some great comments like this one from gstar who lives in the same city and was working on the same problem:

The system uses RS422…Incidentally, if you root your tablet you can just change the build.MODEL to “MyAir5” and everything will work on a third party tablet…
― gstar, Hacker News Comment

From this discussion thread some HN members have started pooling their resources to document everything Hardware/Protocol/API related. Visit https://github.com/gundy/aa_interop for more information.