Author Topic: Pylontech sc0500 protocol "hacking"  (Read 2923 times)

0 Members and 1 Guest are viewing this topic.

Offline ArCoN

  • Contributor
  • Posts: 13
  • Country: dk
Pylontech sc0500 protocol "hacking"
« on: October 12, 2021, 03:12:16 pm »
Hello Good people of the world

I need some reverse engineering expertise to decode some CANbus data.
Maybe there is some smart eev's that can help. ;D

I have a SPH10000TL3 BH and a diy battery i love to get working.

We have the pylontech battery system at work, so i have sniffed some data between the inverter and BMS.

I made a C# program to try help decode the data, but i have a little trouble figuring out where the data is located. i need to find battery voltage and state of charge as a minimum, for the inverter to function (i think).

The files:
Program (use as you like, not pretty but kinda works, C# is not my main expertise ;D)
inverter tx.log - the CAN tgm's from inverter only
inv-bat-stby_full.log - The battery is approx 90% SOC, log is done over night without load.
batt full discharge.log - The battery is approx 90% SOC, log is done over night with load to around 0% SOC.

Thanks ArCoN
 

Offline ArCoN

  • Contributor
  • Posts: 13
  • Country: dk
Re: Pylontech sc0500 protocol "hacking"
« Reply #1 on: October 14, 2021, 08:26:35 am »
Maybe it's worth mentioning that the battery system consists of sc0500 + 3 x H48050. so voltage range should be somewhere between 135- 162Vdc. minor details  ;)
 

Offline buovjaga

  • Newbie
  • Posts: 3
  • Country: fi
Re: Pylontech sc0500 protocol "hacking"
« Reply #2 on: December 06, 2021, 12:21:21 pm »
Example from inv-bat-stby_full.log
one line a respond to CAN ID: 0x4200   [8]  02 00 00 00 00 00 00 00

00:42:35:6880 Rx 1 0x7320 x 8 2D 00 03 0F 90 00 32 00

to interprete this CANBUS answer we have
Obs! Byte#4==0x90 and Byte#5==0x00 by swapping them we have 0x0090==144 decimal
Also  Byte#6==0x32 and Byte#7==0x00 by swapping them we have 0x0032==50   decimal

Byte#0 = 0x2D Battery Module Qty or Total number of batteries 0x2D = 45 or 3 packs of 15 cells
Byte#1 = 0x00 reserve
Byte#2 = 0x03 Battery Module in series Qty.Number of battery modules in series in one cabinet = 3
Byte#3 = 0x0F 15 Cell Qty. in one battery module Number of battery cells in a module = 15
Byte#4 = 0x90 144=45*3.2 Voltage Level or Voltage platform, resolution: 1V
Byte#5 = 0x00 Offset: 0
Byte#6 = 0x32 50 AH number Resolution 1AH Charging capacity
Byte#7 = 0x00 Offset: 0

The other canbus lines can be interpreted in a similar way

cheers b
« Last Edit: December 07, 2021, 01:21:42 pm by buovjaga »
 
The following users thanked this post: ArCoN, blesk

Offline manny87

  • Newbie
  • Posts: 2
Re: Pylontech sc0500 protocol "hacking"
« Reply #3 on: March 31, 2022, 08:59:44 pm »
Hello ArCoN,

Bin working on a dbc file for the battery communication.

I have some questions:
   What whas the discharge power?
   Ambient temperature?
   Full-charge voltage?
   Discharge voltage?

Already found the soc data and high and low cell voltage needs a scaling factor.

Thanks Manny
 

Offline ArCoN

  • Contributor
  • Posts: 13
  • Country: dk
Re: Pylontech sc0500 protocol "hacking"
« Reply #4 on: April 01, 2022, 05:53:46 am »
Hi Manny

Ok, its a long time ago now ;P
Sorry I can't remember what inverter it was. maybe a SPH3600. ~3.6Kw
18-21dC
 "voltage range should be somewhere between 135- 162Vdc"

Try ask buovjaga. I think he has a good understanding of what the data means

BR ArCoN
 

Offline blesk

  • Newbie
  • Posts: 1
  • Country: cz
Re: Pylontech sc0500 protocol "hacking"
« Reply #5 on: April 02, 2022, 11:01:06 pm »
Hello everyone
I am sniffing same setup: SC0500 + 4x H48050
but I recieving only 9 IDs each one second:
Code: [Select]
 
interface   ID    lenght     data
  can1  00004200   [8]  00 FF FF FF FF FF FF FF (Goodwe 8k-ET)
  can1  00004210   [8]  C2 07 2F 75 28 05 45 64
  can1  00004220   [8]  70 08 CC 06 2A 76 36 74
  can1  00004230   [8]  F1 0C ED 0C 04 00 05 00
  can1  00004240   [8]  D8 04 C4 04 0F 00 0A 00
  can1  00004250   [8]  02 00 00 00 00 00 00 00
  can1  00004260   [8]  08 C2 FA C1 03 00 00 00
  can1  00004270   [8]  D8 04 CA 04 03 00 00 00
  can1  00004280   [8]  00 00 D4 30 00 00 00 00
  can1  00004290   [8]  00 00 00 00 00 00 00 00
  can1  000042A0   [8]  00 00 00 00 00 00 00 00
I am missing your ID "0x7320" but I saw it once durning initialization of the battery through PV Master (goodwe android app)
can anyone have some hints which ID or byte means what value?
Anyway, I am big fan of your analysis and passion for this DIY. :clap:
« Last Edit: April 02, 2022, 11:33:38 pm by blesk »
 

Offline buovjaga

  • Newbie
  • Posts: 3
  • Country: fi
Re: Pylontech sc0500 protocol "hacking"
« Reply #6 on: April 04, 2022, 01:54:03 pm »
Hi blesk,

check-out this, might help a bit.

https://u.pcloud.link/publink/show?code=XZCKP5VZGOrK3QVaYLuy4XWqcwWvsJUUpO4y

cheers buovjaga
« Last Edit: April 04, 2022, 07:11:47 pm by buovjaga »
 

Offline hr_eev

  • Newbie
  • Posts: 2
  • Country: de
Re: Pylontech sc0500 protocol "hacking"
« Reply #7 on: April 06, 2022, 12:35:59 pm »
I wonder if you can use your DIY High voltage Battery in the lead acid mode of the Growatt Inverter  for the first tests,
then you dont need a working communication. With good active balancers from JK BMS the LFP cells should stay in the safe range
I am planning to build such a HV battery, in the first step without communication.
Hopefully i can learn from your protocol hacking and port it to a raspberry pi.
I think Growatt is a rare exception among the new hybrid inverter which allows a lead acid high voltage configuration, all other inverters have only Low voltage lead acid batteries.


 

Offline hr_eev

  • Newbie
  • Posts: 2
  • Country: de
Re: Pylontech sc0500 protocol "hacking"
« Reply #8 on: April 06, 2022, 12:38:44 pm »
missed attachment
 

Offline buovjaga

  • Newbie
  • Posts: 3
  • Country: fi
Re: Pylontech sc0500 protocol "hacking"
« Reply #9 on: April 11, 2022, 05:41:51 pm »
Hi hr_eev,

i think it is ok to use your configuration with Growatt and Lead-Acid mode.
Our Growatt is Three-phase Growatt SPH10000TL3-BH.
We have focused on Lithium mode, but I think we have run it also in Lead-Acid-mode
without any problems.
We have other problems, we try  to solve. (I let you know when this is solved)
Your JK BMS will take care about the SOC and SOH values
and react accordingly, when for example SOC value 100% is reached.

Maybe there are many other parameters you can adjust with JK BMS.?

We developed the communication interface program (Python3) in Raspberry 4
to communicate between Growatt and our Battery System.
When you read my previous documentation, you can easily find how simple
it is actually.


cheers r
 
The following users thanked this post: hr_eev


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf