Author Topic: Figuring out an RS485 protocol?

alanambrose
Figuring out an RS485 protocol?
« on: October 29, 2018, 04:01:47 pm »
Hi,

I'm trying to figure out (i.e. reverse engineer) an RS485 protocol - and I wonder whether (a) someone recognises this, or (b) someone has some hints on how to go about decoding it.

It's taken from chatter between a heating controller and a thermostat.

Messages occur roughly once a second. There's a 2s sample below, apparently with two messages (each maybe a poll & response), taken with an RS485 sniffer at 9600 baud (I measured the waveform frequency at 10kHz with a scope). The listing is time in ms followed by bytes in hex, so the 1st part is just 2 bytes 0x95ee. My preliminary investigation suggests this isn't Modbus RTU as the 2nd byte in the message, which should be the function code, isn't between 0x01 and 0x10.

(I'm looking at this re Modbus format: https://ipc2u.com/articles/knowledge-base/modbus-rtu-made-simple-with-detailed-descriptions-and-examples/ )

Any ideas?

TIA, Alan

Code:
15:16:50.545 95ee
15:16:50.551 bb
15:16:50.556 952a
15:16:50.561 f80b7809f5
15:16:50.778 95ee
15:16:50.784 ce400979a442000b7c38f9
15:16:50.847 2a
15:16:50.852 f3b8
15:16:51.573 95ea
15:16:51.578 ce056ac80b7809ac
15:16:51.759 95eace
15:16:51.764 400979a442
15:16:51.769 820b7b08e9
“A foolish consistency is the hobgoblin of little minds”
 

alanambrose
Re: Figuring out an RS485 protocol?
« Reply #1 on: October 29, 2018, 04:45:15 pm »
...and looking at the protocol as it runs, it looks like a request-response with a 10- or 11-byte request and a 13- or 16-byte response...

e.g.

Code:
Delta T (ms)  Time          Hex                      # Bytes  Packet bytes
              15:16:27.444  95                        1
           5  15:16:27.449  f2fe                      2
          26  15:16:27.475  95                        1
           6  15:16:27.481  72080b7829cc              6       10

         181  15:16:27.662  95f2                      2
           6  15:16:27.668  ce400979a442820b7c08fd   11       13
 

ajb
Re: Figuring out an RS485 protocol?
« Reply #2 on: October 29, 2018, 04:47:49 pm »
It's a little tough to tell where packets start and end from the capture, because the vagaries of the OS, drivers, and software will obscure the timing somewhat.  This is where looking at it on a scope or a logic analyzer would be helpful so you can see the timing more clearly.

If you break the capture up by time:
Code:
15:16:50.545 95ee
15:16:50.551     bb
15:16:50.556       952a
15:16:50.561           f80b7809f5

15:16:50.778 95ee
15:16:50.784     ce400979a442000b7c38f9

15:16:50.847 2a
15:16:50.852   f3b8

15:16:51.573 95ea
15:16:51.578     ce056ac80b7809ac

15:16:51.759 95eace
15:16:51.764       400979a442
15:16:51.769                 820b7b08e9

A couple of repeated patterns jump out.  You'd really want to capture a lot more traffic to start sussing things out. With such a small sample you can't really distinguish between patterns and coincidences.  Then you'll want to start capturing traffic while something in the system is changing, to see if you can find any parts of the traffic that seem to track those changes.  You could also try disconnecting the two devices, which should give you an idea of which device is sending which sorts of messages.
 

nali
Re: Figuring out an RS485 protocol?
« Reply #3 on: October 29, 2018, 05:42:02 pm »
I would probably start by disconnecting the thermostat as you should then hopefully only see the poll message. That'd give you a reference point as to the start of the message exchange.

BTW - Are you sure you've got your A/B lines correct? (don't assume the manufacturer's notation is correct!)
 

MiDi
Re: Figuring out an RS485 protocol?
« Reply #4 on: October 29, 2018, 08:07:15 pm »
If you could tell us the manufacturers of the components or the system, this could perhaps give a hint as to what protocol it could be.
What are the high and low voltages measured?
 

engineer_in_shorts
Re: Figuring out an RS485 protocol?
« Reply #5 on: October 29, 2018, 10:42:49 pm »
Once I saw an interesting YouTube video of how someone reverse engineered a protocol. I think it was a WiFi sous vide.
 

engineer_in_shorts
Re: Figuring out an RS485 protocol?
« Reply #6 on: October 29, 2018, 10:49:18 pm »


Ignore all the TCP/IP type stuff. At around 14 minutes into the video there are a couple of ideas, such as time correlation of the known temperature to the packet payload.
 

Fortran
Re: Figuring out an RS485 protocol?
« Reply #7 on: October 30, 2018, 05:54:15 am »
See if this helps.
I've just made a Python script that talks to these controllers.

English manual starts on page 27. (see attached pdf)



« Last Edit: October 30, 2018, 05:56:11 am by Fortran »
 

alanambrose
Re: Figuring out an RS485 protocol?
« Reply #8 on: October 30, 2018, 06:30:26 pm »
Hmm, thanks - all good suggestions.

>> Are you sure you've got your A/B lines correct? (don't assume the manufacturer's notation is correct!)

I think so, but you're right, it would be worth reversing them to see whether it makes more sense.

>>> I would probably start by disconnecting the thermostat as you should then hopefully only see the poll message.

Duh, I actually didn't think of that.

>>>
If you could tell us the manufacturers of the components or the system, this could perhaps give a hint as to what protocol it could be.
What are the high and low voltages measured?
<<<

These are Uponor components - from the markings on the device (A, B, 5V and GND) and the scope trace (sorry I'm not at that location right now and didn't save a pic) compared with some RS485 examples I saw on the web, it definitely looks like RS485 polled once a second at 9600 baud. Of course, I can always be wrong.

>>> a couple of ideas such as time correlation of the known temperature to the packet payload.

Nice, I think I can see half-a-dozen or so message types, each starting with 0x95xx where xx might be some kind of function code. 0x95 might be the ID of this particular sensor. A nice idea would be to run code to spot-the-difference between the last message of that type and the current one. From the thermostat's UI it looks like there are 5 or 6 values (set temp, current temp etc.) which might be read as RS485 'registers'. Then I can twiddle the values in the thermostat's UI and spot the changes in the messages.

Will try some of these ideas and report back.

Alan
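An added example (not code from this thread) of the two ideas above: ajb's suggestion in Reply #2 to break the capture up by time, and Alan's spot-the-difference between consecutive messages of the same type. It splits the first post's sniffer listing into frames wherever the gap between reads exceeds 50 ms, then groups frames by first byte and length and reports which byte offsets changed since the previous frame of that type; the 50 ms threshold and the grouping key are assumptions, and since the later replies show this capture was taken at the wrong baud rate, the output illustrates the method, not the real Uponor format.

```python
from collections import defaultdict

# Constructed sample: the sniffer listing from the first post (time, hex bytes read).
CAPTURE = """\
15:16:50.545 95ee
15:16:50.551 bb
15:16:50.556 952a
15:16:50.561 f80b7809f5
15:16:50.778 95ee
15:16:50.784 ce400979a442000b7c38f9
15:16:50.847 2a
15:16:50.852 f3b8
15:16:51.573 95ea
15:16:51.578 ce056ac80b7809ac
15:16:51.759 95eace
15:16:51.764 400979a442
15:16:51.769 820b7b08e9
"""

def parse_capture(text):
    # Each line is HH:MM:SS.mmm followed by the bytes of one read, in hex.
    out = []
    for line in text.splitlines():
        stamp, hexdata = line.split()
        h, m, s = stamp.split(":")
        t = (int(h) * 3600 + int(m) * 60 + float(s)) * 1000
        out.append((round(t), bytes.fromhex(hexdata)))
    return out

def reassemble(fragments, gap_ms=50):
    # The OS/driver hands the sniffer one frame as several reads (ajb's point),
    # so glue consecutive reads together and start a new frame only after a gap.
    frames, current, last_t = [], b"", None
    for t, data in fragments:
        if last_t is not None and t - last_t > gap_ms:
            frames.append(current)
            current = b""
        current += data
        last_t = t
    return frames + [current] if current else frames

def diff_same_type(frames):
    # Alan's spot-the-difference: key frames by first byte (his guessed device
    # ID) and length, and list the byte offsets that changed since the last one.
    last, changes = {}, defaultdict(list)
    for frame in frames:
        key = (frame[0], len(frame))
        if key in last:
            prev = last[key]
            changes[key].append([i for i, b in enumerate(frame) if b != prev[i]])
        last[key] = frame
    return dict(changes)
```

With this capture the gap rule yields frames of 10, 13, 3, 10 and 13 bytes; the two 13-byte frames differ only at offsets 1, 8, 10, 11 and 12, which is exactly the kind of stable-versus-changing map worth building over a much longer capture.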
 

alanambrose
Re: Figuring out an RS485 protocol?
« Reply #9 on: November 07, 2018, 06:26:58 pm »
>>> I've just made a python script that talks to these controllers.

Sorry Mr Fortran, I didn't quite process that, esp. since I didn't say which controller...and the protocol you describe doesn't look like the signals I'm getting.

Which controllers were you referring to? I'm looking at the T-146 and the I-143 peripherals and the X-145 controller.

Alan


 

Fortran
Re: Figuring out an RS485 protocol?
« Reply #10 on: November 08, 2018, 06:32:38 am »
I'm referring to Drews PID regulators.
Not the same, but I figured there could be some similarities.
 

alanambrose
Re: Figuring out an RS485 protocol?
« Reply #11 on: November 08, 2018, 05:10:17 pm »
>>>
I'm referring to Drews PID regulators.
Not the same, but I figured there could be some similarities.
<<<

Ah, I see.

For anyone playing along at home, this is what I'm recording atm:

http://anagram.net/nuts/RS485/Uponor%2003-Nov-18%2011-18%20-%20rh%20channel.csv

This has my guess at part of the format in the headings.

I also found this doc:

https://www.uponor.com/-/media/country-specific/uponor_com/download-centre/smatrix/smatrix-pro/uponor-product-info-smatrix-move-pro-modbus-rtu-en-1088472-12-2016.pdf

- this describes the modbus interface on a related (but not the same) device. That is clearly different.

Curiously, the data I'm recording seems to have too much variation in it. I assume that if the only data that is changing from the thermostats is the air temperature then it shouldn't change very frequently. I'm getting changes on mostly every poll from (what I think is) the same device.

I'm going to put a logic analyser on it to ensure the data I'm recording in my code is really what's on the wire.

Alan
 

nali
Re: Figuring out an RS485 protocol?
« Reply #12 on: November 08, 2018, 09:11:02 pm »
Just a thought - I'm assuming you're sniffing using a baud rate of 9600 with no parity & 8 data bits. Have you tried using parity and 7-bit?

We interface with a variety of equipment at work. Whereas 90% of devices use the ubiquitous 9600,N,8,1 we do sometimes see 7-bit interfaces, especially when using an ASCII-based protocol.
 

alanambrose
Re: Figuring out an RS485 protocol?
« Reply #13 on: November 22, 2018, 03:28:50 pm »
>>> Just a thought - I'm assuming you're sniffing using a baud rate of 9600 with no parity & 8 data bits. Have you tried using parity and 7-bit?

Ah good point.

I'm a bit slow in keeping the thread updated but a fair amount of progress has been made and I'm now successfully faking up some sensor replies.

When I started out, being impatient, I waved the scope at it for 5 secs and it seemed to show A & B the right way round at 10 kHz frequency so I thought '9,600 baud, probably RTU, off we go....' and fired up some serial code and started logging.

Well, while I could see some polls and responses at 1 sec intervals, the data that came back looked a bit rubbish. In particular it varied too much. Barring some wacky encryption scheme, I expected the sensors to send back mostly the same temperature data from second to second - which is, of course, what they do.

OK so I fired up the scope for a more careful look around:



So, there's the 1 sec poll and response I saw before (screen dump #1), then every 6 secs an extra little poll and response is done (screen dump #2). I disconnected all the sensors (as suggested) and saw only 7 byte polls - all are 7 bytes long and each starts with 0x1104 except for the extra little poll which starts with 0x1204 (screen dump #3). Also, by looking at enough packets I saw that they're probably 8 / N / 1, although nali's point is noted.

I measured the frequency a bit more accurately and came up with (screen dump #2) ... 19,690 Hz. Actually, if I use 19,200 baud I get dodgy data and if I use 19,690 everything is good.
The clincher came when I checked the last two bytes of each packet against a modbus CRC calc ... and good data...

OK so that left me the slowish job of twiddling the options on the sensors, observing the packets and seeing where the data was. It's a mess, all sorts of stuff tucked away on odd byte and bit boundaries and with odd lengths. Definitely not RTU. But decoded nevertheless.

Result.

Thanks everyone for your useful comments and suggestions.

Alan
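An added example, not Alan's C# code, of the check that settled the framing in the post above: CRC-16/MODBUS (init 0xFFFF, reflected polynomial 0xA001, sent low byte first) over every byte but the last two, plus a scanner that recovers frame boundaries from a raw byte stream by looking for CRC-valid spans. The sample stream, the garbage byte, and everything in the 7-byte 0x1104/0x1204 polls after the first two bytes are constructed for the demo, not real Uponor traffic.

```python
def crc16_modbus(data: bytes) -> int:
    # CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR.
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def crc_bytes(payload: bytes) -> bytes:
    # Modbus appends the CRC low byte first, then the high byte.
    crc = crc16_modbus(payload)
    return bytes([crc & 0xFF, crc >> 8])

def crc_ok(frame: bytes) -> bool:
    # True when the last two bytes are the CRC of everything before them.
    return len(frame) >= 3 and frame[-2:] == crc_bytes(frame[:-2])

def find_crc_framed(stream: bytes, min_len=4, max_len=32):
    # Recover frame boundaries from a stream with no timing information: at
    # each offset try every candidate length, shortest first, and accept the
    # first span whose trailing CRC checks. A 16-bit CRC gives roughly one
    # false hit per 65,536 candidates, so confirm hits over a long capture.
    found, i = [], 0
    while i < len(stream):
        for n in range(min_len, min(max_len, len(stream) - i) + 1):
            if crc_ok(stream[i:i + n]):
                found.append((i, stream[i:i + n]))
                i += n - 1
                break
        i += 1
    return found

# Constructed sample traffic (payload bytes are made up, not real Uponor
# frames): two 7-byte polls of the shape Alan describes, one reply, and a
# stray 0xff byte between them that the scanner has to step over.
POLL_1S = b"\x11\x04" + bytes([0x01, 0x00, 0x00])
POLL_6S = b"\x12\x04" + bytes([0x01, 0x00, 0x00])
REPLY = b"\x04\x11" + bytes([0x01, 0x02, 0xA0, 0x5C])
FRAMES = [p + crc_bytes(p) for p in (POLL_1S, REPLY, POLL_6S)]
STREAM = FRAMES[0] + FRAMES[1] + b"\xff" + FRAMES[2]

if __name__ == "__main__":
    for offset, frame in find_crc_framed(STREAM):
        print(f"offset {offset:2d}: {frame.hex(' ')}  crc ok")
```

The well-known Modbus request 01 03 00 00 00 0A carries CRC bytes C5 CD, which is a handy check that a CRC routine and its byte order are right before trusting it on unknown traffic.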
 

alanambrose
Re: Figuring out an RS485 protocol?
« Reply #14 on: November 22, 2018, 03:35:11 pm »
Ah one other funny thing. I was having trouble decoding the temperature data so I started plotting it in Excel.  It didn't make much sense until...



WTF - Fahrenheit! Last thing I expected - I'm in the UK and Uponor are Norwegian ffs :)

A.
 

thobie
Re: Figuring out an RS485 protocol?
« Reply #15 on: November 24, 2018, 10:00:55 am »
>>> WTF - Fahrenheit! Last thing I expected - I'm in the UK and Uponor are Norwegian ffs :)

Uponor is a Finnish company. And Celsius is from Sweden, so hell no, US to blame!  ;)

Maybe they have bought some US company, or the software development has been done in the States.
 

stratcat
Re: Figuring out an RS485 protocol?
« Reply #16 on: December 19, 2018, 04:21:19 am »
This is somewhat like what Raritan ( https://www.raritan.com/ ) uses in their "PX Intelligent Rack PDUs" (glorified power strips for server racks).
I pulled one of those (PX-1000) out of a trash bin thinking it was just a big 20 outlet power strip.
A few days later, I got around to checking it out. It powered up, no smoke, etc.
Then I noticed the ethernet port. They are web-accessible! Each unit has a webserver (and more) that allows monitoring and control of each outlet, banks of outlets, temperature, current, voltage, etc. Internally, they use an RS485-ish protocol. Once I got the Baud rate figured out, I started monitoring the 485 bus. There is a LOT of traffic that appeared to be gibberish at first. Then, I started noticing patterns while monitoring the bus with PuTTY while sending commands via the web server. After a few days (I'm retired), I got it all figured out and started sending commands via RS485 WITH SUCCESS.
Needless to say, when I went back to get more of these units, they were all gone.
Anyway, I have built up a good bit of documentation if anyone needs such.
Sorry to be so long-winded but figuring out odd things is me.
Then, there is the Raritan "AUATC terminal converter".
The AUATC is designed to emulate an “ASCII terminal,” converting RS232 serial ASCII terminal data to PS/2 keyboard and VGA video or Sun keyboard and Sun video. Saw one on eBay long before the PX-1000 incident for $15.00 and thought I had to have it.
A little box about 4" x 4" x 1". I use it often for troubleshooting Arduino projects and other RS-232 stuff.
I've modified it for switchable RS-232 serial or TTL serial.
It also has an RJ45 port that outputs video and RS485 for their KVM products.
Sorry for hijacking your post.
 

jsouto
Re: Figuring out an RS485 protocol?
« Reply #17 on: September 18, 2019, 08:05:52 pm »
Hi,

Did you make some improvements? I'm trying to find out how the Uponor T-146 works because I want to manage the thermostat through the Internet.

Thanks
 

jsouto
Re: Figuring out an RS485 protocol?
« Reply #18 on: September 20, 2019, 10:11:39 am »
Hi,

>>> [alanambrose's original post, quoted in full; see the top of the thread] <<<

I'm thinking of sniffing the data with an Arduino and this shield, https://www.dfrobot.com/product-1024.html.

Is it possible?

Thanks.

Sorry for my English.
 

alanambrose
Re: Figuring out an RS485 protocol?
« Reply #19 on: September 20, 2019, 04:52:22 pm »
>>>
I'm thinking of sniffing the data with an Arduino and this shield, https://www.dfrobot.com/product-1024.html.

Is it possible?
<<<

Probably, but you might need to set the baud rate to an unusual number, and it looks to me that the Arduino codebase only accepts a few magic baud rates. Maybe someone else can chime in. I'm using C# and an RS485 dongle and setting the baud rate to 19,685. You might like to measure the actual baud rate with a scope if you have one. You could just try a serial app and a cheap RS485 dongle on a Mac/Windows/Linux machine to see if you can see the data OK that way. Try 19,685 and 19,200 baud and 8 / N / 1 and see if either of those works well. You will probably see data in either case, but one may look like sensible regular comms and the other slightly random nonsense.

Alan
 

jsouto
Re: Figuring out an RS485 protocol?
« Reply #20 on: September 20, 2019, 10:25:55 pm »
>>>
I'm using C# and a rs485 dongle and setting the baud rate to 19,685.
<<<

Which dongle are you using? And did you write your own application in C# to read the data from the dongle?

What do you mean by 8 / N / 1?

Thanks
 

