
Figuring out an RS485 protocol?



I'm trying to figure out (i.e. reverse engineer) an RS485 protocol - and I wonder whether (a) someone recognises this, or (b) someone has some hints on how to go about decoding it.

It's taken from chatter between a heating controller and a thermostat.

Messages occur roughly once a second. There's a 2s sample below, apparently with two messages (each maybe a poll & response), taken with an RS485 sniffer at 9600 baud (I measured the waveform frequency at 10kHz with a scope). The listing is time in ms followed by bytes in hex, so the 1st part is just 2 bytes 0x95ee. My preliminary investigation suggests this isn't Modbus RTU as the 2nd byte in the message, which should be the function code, isn't between 0x01 and 0x10.

(I'm looking at this re Modbus format: https://ipc2u.com/articles/knowledge-base/modbus-rtu-made-simple-with-detailed-descriptions-and-examples/ )

Any ideas?

TIA, Alan

--- Code: ---15:16:50.545 95ee
15:16:50.551 bb
15:16:50.556 952a
15:16:50.561 f80b7809f5
15:16:50.778 95ee
15:16:50.784 ce400979a442000b7c38f9
15:16:50.847 2a
15:16:50.852 f3b8
15:16:51.573 95ea
15:16:51.578 ce056ac80b7809ac
15:16:51.759 95eace
15:16:51.764 400979a442
15:16:51.769 820b7b08e9

--- End code ---

...and looking at the protocol as it runs, it looks like a request-response with a 10 or 11-byte request and a 13 or 16-byte response...


--- Code: ---Delta T (ms)  Time          Hex                     # Bytes  Packet Bytes
              15:16:27.444  95                      1
   5          15:16:27.449  f2fe                    2
  26          15:16:27.475  95                      1
   6          15:16:27.481  72080b7829cc            6        10

 181          15:16:27.662  95f2                    2
   6          15:16:27.668  ce400979a442820b7c08fd  11       13

--- End code ---

It's a little tough to tell where packets start and end from the capture, because the vagaries of the OS, drivers, and software will obscure the timing somewhat.  This is where looking at it on a scope or a logic analyzer would be helpful so you can see the timing more clearly.

If you break the capture up by time:

--- Code: ---15:16:50.545 95ee
15:16:50.551     bb
15:16:50.556       952a
15:16:50.561           f80b7809f5

15:16:50.778 95ee
15:16:50.784     ce400979a442000b7c38f9

15:16:50.847 2a
15:16:50.852   f3b8

15:16:51.573 95ea
15:16:51.578     ce056ac80b7809ac

15:16:51.759 95eace
15:16:51.764       400979a442
15:16:51.769                 820b7b08e9
--- End code ---

A couple of repeated patterns jump out.  You'd really want to capture a lot more traffic to start sussing things out. With such a small sample you can't really distinguish between patterns and coincidences.  Then you'll want to start capturing traffic while something in the system is changing, to see if you can find any parts of the traffic that seem to track those changes.  You could also try disconnecting the two devices, which should give you an idea of which device is sending which sorts of messages.
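An added example, not code from the thread: a Python script that reassembles the sniffer records from the first capture in the opening post into frames on an inter-record gap, reports which byte offsets differ between frames of the same length, and tests a few common checksum hypotheses (8-bit sum, two's-complement sum, XOR, CRC-16/MODBUS in either byte order) against each frame's trailing byte(s). The 30 ms gap threshold and the set of hypotheses are assumptions; the script only reports which hypotheses happen to match, it does not claim to know what the device uses, and a single match on a short sample can still be coincidence.

```python
from datetime import datetime
from functools import reduce
from operator import xor

# Constructed sample: the 2 s capture quoted in the opening post
# ("time in ms followed by bytes in hex").
CAPTURE = """\
15:16:50.545 95ee
15:16:50.551 bb
15:16:50.556 952a
15:16:50.561 f80b7809f5
15:16:50.778 95ee
15:16:50.784 ce400979a442000b7c38f9
15:16:50.847 2a
15:16:50.852 f3b8
15:16:51.573 95ea
15:16:51.578 ce056ac80b7809ac
15:16:51.759 95eace
15:16:51.764 400979a442
15:16:51.769 820b7b08e9
"""


def parse_capture(text):
    """Return (timestamp, bytes) records from a 'HH:MM:SS.mmm hexbytes' listing."""
    records = []
    for line in text.splitlines():
        if line.strip():
            stamp, hexbytes = line.split()
            records.append((datetime.strptime(stamp, "%H:%M:%S.%f"), bytes.fromhex(hexbytes)))
    return records


def split_frames(records, gap_ms=30.0):
    """Concatenate records into frames; a gap longer than gap_ms starts a new frame.

    gap_ms is an assumed threshold: in the sample, records inside a frame are
    5-6 ms apart, while the gaps between frames are 60 ms or more.
    """
    frames, current, prev = [], b"", None
    for stamp, data in records:
        if prev is not None and current and (stamp - prev).total_seconds() * 1000.0 > gap_ms:
            frames.append(current)
            current = b""
        current += data
        prev = stamp
    if current:
        frames.append(current)
    return frames


def varying_positions(frames):
    """Byte offsets whose value differs among frames with the first frame's length."""
    n = len(frames[0])
    same_len = [f for f in frames if len(f) == n]
    return [i for i in range(n) if len({f[i] for f in same_len}) > 1]


def sum8(data):
    return sum(data) & 0xFF


def xor8(data):
    return reduce(xor, data, 0)


def crc16_modbus(data):
    """CRC-16/MODBUS: reflected poly 0xA001, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def checksum_matches(frame):
    """Names of the hypotheses whose check value equals the frame's tail."""
    hits = []
    if len(frame) < 2:
        return hits
    body, last = frame[:-1], frame[-1]
    if sum8(body) == last:
        hits.append("sum8")
    if (-sum(body)) & 0xFF == last:
        hits.append("neg-sum8")  # two's complement of the 8-bit sum
    if xor8(body) == last:
        hits.append("xor8")
    if len(frame) >= 3:
        crc = crc16_modbus(frame[:-2])
        if frame[-2:] == crc.to_bytes(2, "little"):
            hits.append("crc16-modbus-le")  # Modbus RTU sends the low byte first
        if frame[-2:] == crc.to_bytes(2, "big"):
            hits.append("crc16-modbus-be")
    return hits


if __name__ == "__main__":
    frames = split_frames(parse_capture(CAPTURE))
    for f in frames:
        print(f"{len(f):2d} bytes  {f.hex()}  matches: {checksum_matches(f) or 'none'}")
    for length in sorted({len(f) for f in frames}):
        group = [f for f in frames if len(f) == length]
        if len(group) > 1:
            print(f"{length}-byte frames differ at offsets {varying_positions(group)}")
```

On this sample the timing split yields frames of 10, 13, 3, 10 and 13 bytes, which agrees with the 10-byte request / 13-byte response pattern noted earlier in the thread; none of the single-byte hypotheses match the 10-byte frames, so whatever integrity check is present (if any) is something else, and a larger capture is needed before any of these guesses means much.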

I would probably start by disconnecting the thermostat as you should then hopefully only see the poll message. That'd give you a reference point as to the start of the message exchange.

BTW - Are you sure you've got your A/B lines correct? (don't assume the manufacturer's notation is correct!)

If you could tell us the manufacturers of the components or the system, this could perhaps give a hint as to what protocol it could be.
What are the high and low voltages measured?

