Clean up S0/S2 zwave devices

And I should add I have an unconfigured spare C7 hub on the shelf that I can leverage. I saw another post did some trickery with a second controller and excluding a device then "replacing" it on the primary hub. But wasn't sure of the exact procedure.

There may be multiple generations of each, but at least some of each product you mentioned above support Z-Wave security. They would not possibly join with it if they didn't. (Well, everything except I'm not sure what "peanut" is. That was a specific model of Zigbee smart outlets, but maybe that's a typo or you're saying they were just small?).

Any Z-Wave device will need to be re-paired to change security. Anything that is S2 should be able to be included with no security just by declining the security options when pairing. If the device supports S0 but not S2, see if the manual has different processes for secure vs non-secure inclusion and use the latter. Only in the case that the device does not offer non-secure inclusion (and only supports S0) would you need to resort to other methods to avoid security (something Hubitat does not officially recommend, BTW, though many have done it).

You may know that a Z-Wave device must be excluded or reset (assuming the reset actually fully resets it) before it can be included again. You could use a virtually device as a placeholder before removing the device if you plan to exclude it using this hub (any controller will work, or a reset, but be sure to remove the actual old devices at some point, including from the Z-Wave Details table, if you take one of those approaches). The Settings > Swap Approaches Device feature may make this easier, or you can manually swap things too.

1 Like

As @bertabcd1234 notes, for S2 devices you just choose the "Include without security" option when re-joining the devices.
2022-12-12 17_11_21-AbraIT β€Ž- OneNote for Windows 10

Since the addition of the Swap Apps Device option in Settings, I've gone to using a placeholder virtual device when I have to exclude and rejoin devices. You can use the Replace option w/out doing this, but I have found Replace to not be 100% reliable.

  1. Create a virtual device for each real device you're going to re-join
  2. Run Swap Apps Device and replace the real devices w/the virtual devices
  3. Exclude and re-join the S2 devices you want to change to no security (choose the "Include w/out security" option when re-joining)
  4. Run Swap Apps Device and replace the virtual device with the re-joined real device

For S0 devices you'll need Z-Wave USB stick and special software...


Perfect....I'll try that procedure for the S2 and see how that goes.

Note that is is not universally true for all S0 devices; many have a way to put the device into either "regular" or secure inclusion mode, and avoiding the secure method will, by definition, avoid S0. Sometimes this is something like tapping versus holding a button on the device, but the manual should say for sure.

Also, as above, Hubitat does not officially support adding secondary controllers and using them to manipulate your network. S0 (and especially S2) is not a guarantee of problems, nor is using a secondary controller, but if things are currently working OK, you may wish to leave them as-is -- though many people do recommend avoiding security (especially S0) if possible. (This is complicated by the fact that the official Z-Wave SDK that Hubitat is using forces this behavior with S0-only devices in this particular case...)

Good point...I don't have/use any of those SO devices that offer an option so I always forget about them. :slight_smile:

My mix of devices include Aeon products that have an "action button" that you click once to join insecure, click twice for secure. MultiSensor 6 is a good example.

I just removed one from my Development Hub (C-7) and then excluded it again, because I always do an Exclude-before-Include. I included it with a single click and it shows as no security.


As noted, for S2 devices you have the option to not use security.

For S0 devices, you are stuck - there is no built-in way to join them without S0, and thus you are stuck with the 3x traffic penalty.

@danabw should have linked to his HOW-TO with instructions on using a Z-Wave USB stick and the as secondary controller to include the device without S0. I've successfully used it for several devices.

1 Like

But, again, only if the device doesn't offer a non-secure pairing method. A couple of us noted above that some devices do. The manual will say for sure. (And in some cases, like the Inovelli bubs, the manufacturer added something with a firmware update after release to address this concern, which probably isn't in any printed manual.)

E.g., like my Fibaro flood sensor.

Ya S0 is forced on for my Fibaro motion sensor. No insecure option. I'm going to trash the Fibaro sensor and have a new motion sensor on order.

1 Like

I'd consider doing that with my Fibaro flood sensors, if I hadn't paid $40+ each for them.

Overall, almost all the Z-Wave devices I've ever bought have been a disappointment (my Inovelli Red dimmers being the lone exception to that).

Is it a ZW5 (the one that looks like an eyeball)?

Fibaro products are ZW5 and I’m fairly sure that even those supporting S2 cannot be paired without security (S0 is forced) At least that’s been my experience/nightmare

Yes the eyeball.

I managed to pair that to a C-7 with no security using a stick and the Simplicity Studio. I don't think I did anything special - just followed the instructions.

1 Like

Sounds like @Eric.C.Miller had success joining his Fibaro sensors w/out security w/this process below from the FAQ section of the "How To..." guide linked to above:

1 Like

Super appreciate all the input from everyone. Since the S0 issue was only for a single Fibaro motion sensor (eyeball), I'm going to replace it. I did exclude/include an Aeotec smart plug that was S2 authenticated so it now has no security. I'm down to one S0 (being replaced), and two S2 unauthenticated devices. I'll work on the other S2 later.

Via the Hub watchdog app, it seems my zwave network has less random high latency spikes. Commands respond in about 350ms consistently.


This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.