Figuring out an RS485 protocol?

[alanambrose]

Hi,

I'm trying to figure out (i.e. reverse engineer) an RS485 protocol - and I wonder whether (a) someone recognises this, or (b) someone has some hints on how to go about decoding it.

It's taken from chatter between a heating controller and a thermostat.

Messages occur roughly once a second. There's a 2s sample below, apparently with two messages (each maybe a poll & response), taken with an RS485 sniffer at 9600 baud (I measured the waveform frequency at 10kHz with a scope). The listing is time in ms followed by bytes in hex, so the 1st part is just 2 bytes 0x95ee. My preliminary investigation suggests this isn't Modbus RTU as the 2nd byte in the message, which should be the function code, isn't between 0x01 and 0x10.

(I'm looking at this re Modbus format: https://ipc2u.com/articles/knowledge-base/modbus-rtu-made-simple-with-detailed-descriptions-and-examples/ )

Any ideas?

TIA, Alan

Code: [Select]

15:16:50.545 95ee
15:16:50.551 bb
15:16:50.556 952a
15:16:50.561 f80b7809f5
15:16:50.778 95ee
15:16:50.784 ce400979a442000b7c38f9
15:16:50.847 2a
15:16:50.852 f3b8
15:16:51.573 95ea
15:16:51.578 ce056ac80b7809ac
15:16:51.759 95eace
15:16:51.764 400979a442
15:16:51.769 820b7b08e9


[alanambrose]

...and looking at the protocol as it runs, it looks like a request-response with a 10 or 11-byte request and a 13 or 16-byte response...

e.g.

Code: [Select]

Delta T in ms Time Hex # Bytes Packet Bytes
15:16:27.444 95 1
 5 15:16:27.449 f2fe 2
 26 15:16:27.475 95 1
 6 15:16:27.481 72080b7829cc 6 10

 181 15:16:27.662 95f2 2
 6 15:16:27.668 ce400979a442820b7c08fd 11 13


[ajb]

It's a little tough to tell where packets start and end from the capture, because the vagaries of the OS, drivers, and software will obscure the timing somewhat.  This is where looking at it on a scope or a logic analyzer would be helpful so you can see the timing more clearly.

If you break the capture up by time:

Code: [Select]

15:16:50.545 95ee
15:16:50.551     bb
15:16:50.556       952a
15:16:50.561           f80b7809f5

15:16:50.778 95ee
15:16:50.784     ce400979a442000b7c38f9

15:16:50.847 2a
15:16:50.852   f3b8

15:16:51.573 95ea
15:16:51.578     ce056ac80b7809ac

15:16:51.759 95eace
15:16:51.764       400979a442
15:16:51.769                 820b7b08e9
A couple of repeated patterns jump out.  You'd really want to capture a lot more traffic to start sussing things out. With such a small sample you can't really distinguish between patterns and coincidences.  Then you'll want to start capturing traffic while something in the system is changing, to see if you can find any parts of the traffic that seem to track those changes.  You could also try disconnecting the two devices, which should give you an idea of which device is sending which sorts of messages.

[nali]

I would probably start by disconnecting the thermostat as you should then hopefully only see the poll message. That'd give you a reference point as to the start of the message exchange.

BTW - Are you sure you've got your A/B lines correct? (don't assume the manufacturer's notation is correct!)

[MiDi]

If you could tell the manufacturers of the components or the system this could perhaps give a hint what protocols it could be.
What are the high and low voltages measured?

[engineer_in_shorts]

Once I saw an interesting you tube video of how someone reverse engineered a protocol.
 I think it was a WiFi sous vide.

[engineer_in_shorts]

Ignore all the Tcp/ip type stuff. At around 14minutes into the video there is a couple of ideas such as time correlation of the known temperature to the packet payload.

[Fortran]

See if this helps.
I've just made a python script that talks to these controllers.

English manual starts on page 27. (see attached pdf)

[alanambrose]

Hmm, thanks - all good suggestions.

>> Are you sure you've got your A/B lines correct? (don't assume the manufacturer's notation is correct!)

I think so, but you're right, it would be worth reversing them to see whether it makes more sense.

>>> I would probably start by disconnecting the thermostat as you should then hopefully only see the poll message.

Duh, I actually didn't think of that.

>>>
If you could tell the manufacturers of the components or the system this could perhaps give a hint what protocols it could be.
What are the high and low voltages measured?
<<<

These are Uponor components - from the markings on the device (A, B, 5V and GND) and the scope trace (sorry I'm not at that location right now and didn't save a pic) compared with some RS485 examples I saw on the web, it definitely looks like RS485 polled once a second at 9600 baud. Of course, I can always be wrong.

>>> a couple of ideas such as time correlation of the known temperature to the packet payload.

Nice, I think I can see half-a-dozen or so message types, each starting with 0x95xx where xx might be some kind of function code. 0x95 might be the ID of this particular sensor. A nice idea would be run code to spot-the-difference between the last message of that type and the current one. From the thermostat's IU - it looks like there are 5 or 6 values (set temp, current temp etc etc) which might be read as RS485 'registers'. Then I can twiddle the values in the thermostat's UI and spot the changes in the messages.

Will try some of these ideas and report back.

Alan

[alanambrose]

>>> I've just made a python script that talks to these controllers.

Sorry Mr Fortan, I didn't quite process that, esp. since I didn't say which controller...and the protocol you describe doesn't look like the signals I'm getting.

Which controllers were you referring to? I'm looking at the T-146 and the I-143 peripherals and the X-145 controller.

Alan

[Fortran]

I'm referring to Drews PID regulators.
Not the same, but I figured there could be some similarities.

[alanambrose]

>>>
I'm referring to Drews PID regulators.
Not the same, but I figured there could be some similarities.
<<<

Ah, I see.

For anyone playing along at home, this is what I'm recording atm:

http://anagram.net/nuts/RS485/Uponor%2003-Nov-18%2011-18%20-%20rh%20channel.csv

This has my guess at part of the format in the headings.

I also found this doc:

https://www.uponor.com/-/media/country-specific/uponor_com/download-centre/smatrix/smatrix-pro/uponor-product-info-smatrix-move-pro-modbus-rtu-en-1088472-12-2016.pdf

- this describes the modbus interface on a related (but not the same) device. That is clearly different.

Curiously, the data I'm recording seems to have too much variation in it. I assume that if the only data that is changing from the thermostats is the air temperature then it shouldn't change very frequently. I'm getting changes on mostly every poll from (what I think is) the same device.

I'm going to put a logic analyser on it to ensure the data I'm recording in my code is really what's on the wire.

Alan

[nali]

Just a thought - I'm assuming you're sniffing using a baud rate of 9600 with no parity & 8 data bits. Have you tried using using parity and 7bit?

We interface with a variety of equipment at work. Whereas 90% of devices use the ubiquitous 9600,N,8,1 we do sometimes see 7-bit interfaces, especially when using an ASCII-based protocol.

[alanambrose]

>>> Just a thought - I'm assuming you're sniffing using a baud rate of 9600 with no parity & 8 data bits. Have you tried using using parity and 7bit?

Ah good point.

I'm a bit slow in keeping the thread updated but a fair amount of progress has been made and I'm now successfully faking up some sensor replies.

When I started out, being impatient, I waved the scope at it for 5 secs and it seemed to show A & B the right way round at 10KHz frequency so I thought '9,600 baud, probably TRU, off we go....' and fired up some serial code and started logging.

Well, while I could see some polls and responses at 1 sec intervals, the data that came back looked a bit rubbish. In particular it varied too much. Barring some wacky encryption scheme, I expected the sensors to send back mostly the same temperature data from second to second - which is, of course, what they do.

OK so I fired up the scope for a more careful look around:



So, there's the 1 sec poll and response I saw before (screen dump #1), then every 6 secs an extra little poll and response is done (screen dump #2). I disconnected all the sensors (as suggested) and saw only 7 byte polls - all are 7 bytes long and each starts with 0x1104 except for the extra little poll which starts with 0x1204 (screen dump #3). Also, by looking at enough packets I saw that they're probably 8 / N / 1, although nali's point is noted.

I measured the frequency a bit more accurately and came up with (screen dump #2) ... 19,690 Hz. Actually, if I use 19,200 baud I get dodgy data and if I use 19,690 everything is good.
The clincher came when I checked the last two bytes of each packet against a modbus CRC calc ... and good data...

OK so that left me the slowish job of twiddling the options on the sensors, observing the packets and seeing where the data was. It's a mess, all sorts of stuff tucked away on odd byte and bit boundaries and with odd lengths. Definitely not RTU. But decoded nevertheless.

Result.

Thanks everyone for your useful comments and suggestions.

Alan

[alanambrose]

Ah one other funny thing. I was having trouble decoding the temperature data so I started plotting it in Excel.  It didn't make much sense until...



WTF - Fahrenheit! Last thing I expected - I'm in the UK and Uponor are Norweigan ffs

A.

[thobie]

WTF - Fahrenheit! Last thing I expected - I'm in the UK and Uponor are Norweigan ffs

Uponor is Finnish company. And Celsius is from Sweden so hell no, US to blame! 

Maybe they have bought some US company or the software development has done is states.

[stratcat]

This is somewhat like what Raritan ( https://www.raritan.com/ ) uses in their "PX Intelligent Rack PDUs" (glorified power strips for server racks).
I pulled one of those (PX-1000) out of a trash bin thinking it was just a big 20 outlet power strip.
A few days later, I got around to checking it out. It powered up, no smoke, etc.
Then I noticed the ethernet port. They are web-accessible! Each unit has a webserver (and more) that allows monitoring and control of each outlet, banks of outlets, temperature, current, voltage, etc. Internally, they use an RS485-ish protocol. Once I got the Baud rate figured out, I started monitoring the 485 bus. There is a LOT of traffic that appeared to be gibberish at first. Then, I started noticing patterns while monitoring the bus with PuTTY while sending commands via the web server. After a few days (I'm retired), I got it all figured out and started sending commands via RS485 WITH SUCCESS.
Needless to say, when I went back to get more of these units, they were all gone.
Anyway, I have built up a good bit of documentation if anyone needs such.
Sorry to be so long-winded but figuring out odd things is me.
Then, there is the Raritan "AUATC terminal converter".

Code: [Select]

The AUATC is designed to emulate an “ASCII terminal,” converting RS232 serial ASCII terminal data to PS/2 keyboard and VGA video or Sun keyboard and Sun video. Saw one on eBay long before the PX-1000 incident for $15.00 and thought I had to have it.
A little box about 4" x 4" x 1". I use it often for troubleshooting Arduino projects and other RS-232 stuff.
I've modified it for switchable RS-232 serial or TTL serial.
It also has an RJ45 port that outputs video and RS485 for their KVM products.
Sorry for hijacking your post.

[jsouto]

Hi,

Did you make some improvements? i trying to find out how the T-146 os Uponor works because I want to manage the thermostat throught Internet.

Thanks

[jsouto]

Hi,

I'm trying to figure out (i.e. reverse engineer) an RS485 protocol - and I wonder whether (a) someone recognises this, or (b) someone has some hints on how to go about decoding it.

It's taken from chatter between a heating controller and a thermostat.

Messages occur roughly once a second. There's a 2s sample below, apparently with two messages (each maybe a poll & response), taken with an RS485 sniffer at 9600 baud (I measured the waveform frequency at 10kHz with a scope). The listing is time in ms followed by bytes in hex, so the 1st part is just 2 bytes 0x95ee. My preliminary investigation suggests this isn't Modbus RTU as the 2nd byte in the message, which should be the function code, isn't between 0x01 and 0x10.

(I'm looking at this re Modbus format: https://ipc2u.com/articles/knowledge-base/modbus-rtu-made-simple-with-detailed-descriptions-and-examples/ )

Any ideas?

TIA, Alan

Code: [Select]

15:16:50.545 95ee
15:16:50.551 bb
15:16:50.556 952a
15:16:50.561 f80b7809f5
15:16:50.778 95ee
15:16:50.784 ce400979a442000b7c38f9
15:16:50.847 2a
15:16:50.852 f3b8
15:16:51.573 95ea
15:16:51.578 ce056ac80b7809ac
15:16:51.759 95eace
15:16:51.764 400979a442
15:16:51.769 820b7b08e9


I thinking in sniffing the data with a with and Arduino shield, https://www.dfrobot.com/product-1024.html.

Is it possible ?

Thanks.

Sorry for my english

[alanambrose]

>>>
I thinking in sniffing the data with a with and Arduino shield, https://www.dfrobot.com/product-1024.html.

Is it possible ?
<<<

Probably, but you might need to set the baud rate to an unusual number and it looks to me that the Arduino codebase that it only accept a few magic baud rates. Maybe someone else can chime in. I'm using C# and a rs485 dongle and setting the baud rate to 19,685. You might like to measure the actual baud rate with a scope if you have one. You could just try a serial app and a cheap rs485 dongle on a Mac/Windows/Linux machine to see if you can see the data OK that way. Try 19,685 and 19,200 baud and 8 / N / 1 and see if either of those work well. You will probably see data in either case, but one may look like sensible regular comms and the other slightly random nonsense.

Alan

[jsouto]

>>>
I'm using C# and a rs485 dongle and setting the baud rate to 19,685.

>>>>>>

Which dongle are you using ? and did you make an on porpose  application in C# to read the data in the dongle ?

What you mean with 8 / N / 1 ?

Thanks

[jsouto]

Probably, but you might need to set the baud rate to an unusual number and it looks to me that the Arduino codebase that it only accept a few magic baud rates. Maybe someone else can chime in. I'm using C# and a rs485 dongle and setting the baud rate to 19,685. You might like to measure the actual baud rate with a scope if you have one. You could just try a serial app and a cheap rs485 dongle on a Mac/Windows/Linux machine to see if you can see the data OK that way. Try 19,685 and 19,200 baud and 8 / N / 1 and see if either of those work well. You will probably see data in either case, but one may look like sensible regular comms and the other slightly random nonsense.

Alan

Hi,

I made some progress. As you said,  I put a rs485 dongle to sniff the traffic of the thermostat. I tried with 19685 baud, 8/N/1 and I get data but now the problem is figure out where the temperature is store. This is my pattern:

   10 05 54 f1 ff a1 0f
   
   10 05 54 f1 40 02 c6 3e 00 00 3f 0c 08 3b 01 9a 71 46
   
   10 05 54 f1 2d 7f ff 3d 00 00 0c 00 24 37 01 9a 38 03 b6 3b 01 9a 3c 00 48 35 80 00 ea a7

   11 05 68 d8 ff 43 53

   11 05 68 d8 40 02 c9 3e 00 00 3f 0c 03 42 00 22 08 09 da 09 68 26 0a 00 2e 45 1c

   11 05 68 d8 2d 7f ff 3d 00 04 0c 00 24 37 01 9a 38 03 b6 3b 02 c4 3c
   
   10 05 54 ff ff a5 6f
   10 05 54 ff 40 02 c2 3e 80 00 3f 0c 08 3b 03 b4 af 01   
    10 05 54 ff 2d 7f ff 3d 00 40 0c 00 24 37 01 9a 38 03 b6 3b 03 b4 3c 00 48 35 80 00 e4 6e
   10 05 54 31 ff f1 0f

   10 05 54 31 40 02 c1 3e 00 00 3f 0c 08 3b 01 9a c1 9d

   10 05 54 31 2d 7f ff 3d 00 00 0c 00 24 37 01 9a 38 03 b6 3b 01 9a 3c 00 48 35 80 00 13 98

   10 05 54 eb ff aa 6f
   
   10 05 54 eb 40 02 c3 3e 00 00 3f 0c 08 3b 02 ab 86 e8
   
   10 05 54 eb 2d 7f ff 3d 00 00 0c 00 24 37 01 9a 38 03 b6 3b 02 ab 3c 00 48 35 80 00 df 1c
   10 05 54 36 ff f3 3f
   
   10 05 54 36 40 02 ca 3e 00 00 3f 0c 08 3b 02 a9 fb da

   10 05 54 36 2d 7f ff 3d 00 00 0c 00 24 37 01 9a 38 03 b6 3b 02 a9 3c 00 48 35 80 00 fa e0

   10 05 54 f1 ff a1 0f


I think the 10h is the id device and 05h the function which would be Write Single Coil. How did you do to find the temperature field ?

Thanks

JSouto

[mitokondoria]

I'm on my own quest to fetch data from the same thermostat.
I have been able to sniff with an Arduino + MAX485 board at 19200 baud. Still havent disconnected the thermostat, but my pattern is:

Code: [Select]

11 05 95 8B FF EE 53
11 05 95 8B 40 02 D9 3E 00 00 3F 0C 02 E1 F1
11 05 95 8B 2D 7F FF 3D 00 00 0C 00 24 37 01 9A 38 03 B6 3B 02 C4 3C 00 48 35 80 00 B9 98
11 05 95 72 FF AC 03
11 05 95 72 40 02 D3 3E 00 00 3F 0C 02 9E 1D
11 05 95 72 2D 7F FF 3D 00 00 0C 00 24 37 01 9A 38 03 B6 3B 02 C4 3C 00 48 35 80 00 41 EB
11 05 95 26 FF 92 C3
11 05 95 26 40 02 D1 3E 00 00 3F 0C 02 FF 49
11 05 95 26 2D 7F FF 3D 00 00 0C 00 24 37 01 9A 38 03 B6 3B 02 B2 3C 00 48 35 80 00 01 49
11 05 95 CD FF DC 33
11 05 95 CD 40 02 E8 3E 00 00 3F 0C 02 23 F9
11 05 95 CD 2D 7F FF 3D 00 00 0C 00 24 37 01 9A 38 03 B6 3B 02 C4 3C 00 48 35 80 00 11 DA
11 05 95 9F FF E1 53
11 05 95 9F 40 02 CD 3E 00 00 3F 0C 02 F5 B0
11 05 95 9F 2D 7F FF 3D 00 00 0C 00 24 37 01 9A 38 03 B6 3B 02 84 3C 00 48 35 80 00 F9 EC
Which would match with the 5 thermostats at my home

[Doctorandus_P]

I skimmed through this thread and I'm not even sure whether the data captured is actually correct. RS485 does not imply a uart compatible format. As long as you're not sure of that, any attempt of staring at hex values will be pointless.

If you use Sigrok + Pulseview with one of the USD10 Logic Analyser boxes with a Cypress CY7C680somethingsomething you have a much better platform to capture your data. (Especially if you add a RS485 to TTL chip)

These very affordable Logic Analysers are also wonderfull for debugging "arduino", or any other microcontroller projects that work with (low speed) serial data streams. SPI, I2S, Uart, Sigrok has more then 100 protocol decoders now.

[mitokondoria]

I'm certainly staring at those values, but after disconnecting 4 in 5 thermostats, it seems clear that the master is polling the slaves (because they were previously registered)

These messages, in my case, are following this pattern:

Code: [Select]

11 05 95 XX FF YY ZZ
When the thermostat is available, the rest of the conversation packets start with 11 05 95 XX, so it looks like XX is the id of each thermostat, while FF whould be the ping message

The other conversation messages have XX with values 40 and 2D (in my understanding, they could map to a slave-pong&message / master ack-message messages)

the pong also includes additional info once the setup temperature has been modified

I have modified the configured the temperature and the bytes having the value on Fahrenheit for the ack are 02 96

Code: [Select]

11 05 95 9F 2D 7F FF 3D 00 00 0C 00 24 37 01 9A 38 03 B6 3B 02 96 3C 00 48 35 80 00 CB ED
while the slave pong&message includes the same 02 96

Code: [Select]

11 05 95 9F 40 02 C7 3E 00 00 3F 0C 02 3C 00 48 3B 02 96 AF 2A
With this, I'm fairly confident on the correct captured data, even on a different rate. I still have to find where is the actual temperature being set and if part of the message includes a master-turn-on-the-heating value, tho.

About the sigrok usage, I will go for it as seems the proper way to go, instead of finding on a text editor

Edit: As per https://www.lammertbies.nl/comm/info/crc-calculation, the last two bytes match the modbus crc-16, so the dump is definetly correct

Edit2: found an Uponor document describing each modbus frame format https://www.mikrocontroller.net/attachment/446274/Uponor_IM_Smatrix_Base_PRO_MODBUS-RTU_EN_1090255_032018.pdf

and more important:
* requests to switch modes, from eco to confort
* requests to write the setpoint
* request to read a sensor temp