Message Format unknown #1
Comments
|
OK, so I've had a very quick play around. If you split the file on 0xe1 20 20 20 80 0a 02 you can see 3x different message lengths (not sure if this is the right start sequence or not). I'm curious - would the spa have been 38.5c temperature when you took the dump? - possibly seeing that in ascii in each message (maybe what it's sending for the display - might change when you press buttons and have the display change while recording (which may be in the other dump files I haven't played with yet)). |
|
Further digging looks like that isn't a start sequence, the first byte in some packets appears to be possibly a tx/rx flag or user flag? - it changes when it looks like the temperature is changed. the ASCII does appear to be the temperature commanded, as it changes in the dumpfile dump-temp when split on 0xe9 as an end byte. I need better packet/byte analysis tools - does anyone have any suggestions? Wireshark isn't playing ball for importing for some reason, and isn't the greatest for the completely unknown protocols. |
|
Yeah the spa was as 38.5 at the time with the temp dump was when i was trying to change the temp up to 40C I should perhaps explain the dump files are not all the raw data, some of them were created from a script where i tried to guess the delimiter and write out each sequence on it's own line into the file to see if it looked plausible. CTRL+B looked like it might be right and would seem to make sense as logical value to choose as that means "start of text" What is interesting is that I am not seeing a one2one relation to what is in the stream and the display. e.g when the display alternates between "Ecn" and the temp, while mode is Economy, there is no reference to Ecn as a a straight ascii string. Similarly when in the menus, no entries there. Given on this board we have both 8pin Main Panel connectors and 6 pin Aux Panel connectors, I wonder how the differ in what they carry. Lost access to the tub at the moment as the 9v pin I tried to used with stepdown to v5 to power the pi isn't working, was on usb charge pack instead that's now flat. Will have a look after work |
|
dump-7 and dump-8 are raw
Then the same, but bytesize = 7 |
|
See dumps/dump.cap for tcpdump of the data @davewatson91 - This includes me pressing lights on/off, pump1 and pump2 on and off and then dropping the temp down |
|
I think the best way to detect the delimiter byte(s) is to add a timestamp as they come in. You will probably see a break between messages. On my BP series, the reported time between bytes is ~250us while the time between messages is usually greater (though not always). The TCP redirect may obfuscate this, so I'd stick with pure Python. Here's a snippet: |
|
|
|
Tweaked to show time interval rather than time, see https://github.com/netmindz/balboa_GL_ML_spa_control/blob/main/tests/bggardner-timestamp-interval.log @bggardner |
|
Looks like Notice that a byte sequence starting with |
|
yeah, that would appear to the the case, See |
|
light of: fa 14 33 33 35 43 00 00 6c 00 00 00 80 02 ff ff ..335C..l....... light on: fa 14 33 33 35 43 00 03 6c 00 00 08 80 02 ff ff ..335C..l....... |
|
pump1 on: fa 14 33 33 35 43 02 00 6c 00 04 00 80 02 ff ff ..335C..l....... pump2 on: fa 14 33 33 35 43 08 00 6c 00 08 00 80 02 ff ff ..335C..l....... |
|
pump1 on: fa 14 33 33 35 43 02 00 6c 00 04 00 80 02 ff ff ..335C..l....... pump1 on - light on: fa 14 33 33 35 43 02 03 6c 00 04 08 80 02 ff ff ..335C..l....... |
|
pump2 on: fa 14 33 33 35 43 08 00 6c 00 08 00 80 02 ff ff ..335C..l....... pump2 on - light on: fa 14 33 33 35 43 08 03 6c 00 08 08 80 02 ff ff ..335C..l....... |
|
Let me rearrange so it's easier to decipher the byte sequence: fa 14 33 33 35 43 00 00 6c 00 00 00 80 02 ff ff 5c 00 00 00 00 00 d1 fb 06 03 45 0e 00 00 ff 74 0a // Light off fa 14 33 33 35 43 02 00 6c 00 04 00 80 02 ff ff 5c 00 00 00 00 00 97 fb 06 03 45 0e 00 00 ff 74 0a // Pump 1 on fa 14 33 33 35 43 02 00 6c 00 04 00 80 02 ff ff 5c 00 00 00 00 00 97 fb 06 03 45 0e 00 00 ff 74 0a // Pump 1 on fa 14 33 33 35 43 08 00 6c 00 08 00 80 02 ff ff 5c 00 00 00 00 00 51 fb 06 03 45 0e 00 00 ff 74 0a // Pump 2 on It's easy to tell what the light and pump bits are. The byte that always changes (byte 22) is most likely the checksum, so |
|
We actually see two messages if you see msg-count-light-on, they start the same but one has an extra bit on the end. For the hex dump i went for the longer form, just in case in some cases it contained useful stuff and didn't want to mix or suddenly change message length I've just committed the very hacky debug2.php that is able to read the status for light, pump1 and pump2, What is interesting us both pumps on not only changes the pump byte, but also the light swaps to 80 |
|
Runing That was a dump taken of where i basically worked my way through all the buttons to see if i could grab all the different messages. running the script like that allows you to replay the events, though limited use i guess without a video of what i was doing at the time |
|
For reference the following fa 14 33 33 35 43 is the header, (fa 14) then 335C in ascii when the tub us at 33.5C |
|
Have just pushed an updated debug2.php script Making good process with showing status of the tub - got most stuff mapped now, bar knowing ecn/slp/std |
|
I've also tried to summarise on the wiki https://github.com/netmindz/balboa_GL_ML_spa_control/wiki/Message-Format I'm getting the feeling that there is some bitmask style stuff is going on or something similar as things like while i thought was just the light, seems to change when you turn on multiple pumps |
|
Thanks for the great tip on using timing as clue to delimiter @bggardner and the help with the Any ideas on the |
|
@davewatson91 - Did you see I have a issue to track the pinout and the use of the remaining pins? #2 If you could take a look at the scope plots to see if you have any ideas about the rather odd values that would be much appreciated |
|
Try recording messages (with timestamps) during initial power-on of the spa. At this point, maybe only record timestamps per-message instead of per-byte. Do this with the top panel/display connected and disconnected and see if there is any different traffic. You can also try disconnecting the top panel/display while it's running, but be very careful as there is high voltage present. |
|
@bggardner without the top panel connected there is no traffic at all on the rs485 link. I wonder if the other pins form some part of discovery/negation system. Have folk looked at the scope plots for the other pins. Any guesses at to what they are? |
|
As only 3 pins, that to me makes me think I2C maybe, but then what about the extra pin? |
|
I've committed the first very very rough PoC that is able to read the temperature data and show up automatically in Home Assistant |
|
So, bit more info. If you unplug the top panel then all data stops on the rs485 line, so either this is creating the data to be shared with other devices - say long distance link for aux panels inside the property based on the other pins or that the data we are seeing is only triggered by the panel with the control unit responding. |
|
Have an ESP8266 now running feeding the status data to Home Assistant. So thanks for everyone's help getting this far, next challenge is going to work out how to actually send commands, so any help would be much appreciated on that, see the other thread for discussion on the data lines |
|
@bggardner - I think you may be right about the FB 06 being some form of reply to the FA 14, what is odd about that though is why would you only get that after the first FA 14. Turning my attention to the AE 0D messages, they actually cycle between AE 0D 00, AE 0D 01, AE 0D 02 and AE 0D 03 I'm also seeing some messages that are CA 82 Does anyone have a spare ESP8266 or ESP32 and RS484 adapter to try connecting up to their tub too? Have got to the stage that is actually useful for practical purposes, like checking up to temp from the comfort of the sofa and seeing the graphs and logs in Home Assistant for how the wind triggers the heater more often etc |
|
@netmindz I have a Balboa spa, just not this kind. I deciphered the bitstream for mine and figured it would be something similar for yours. |
|
@tmjo looks like the next two hex values after the time is the temp in Fahrenheit if you convert the hex to decimal. Interesting that it's sending the temp for the purpose of your display as Centigrade but also as Fahrenheit |
|
Hmm, that's interesting. Did a spotcheck right now, and seems that you're right. Could it be that this is the real temperature, and the location we're reading is basically the display? Could make sense since it actually includes the letter 'C' for centigrade, and it also changes to text when we're digging into the menus. Just a though, worth checking out. Btw; I have some stuff regarding power and energy that I would like to propose, just need to find the time :) My setup has been working flawlessly for more than a month now, really happy with what we have here! Did you get any further on sending commands? |
|
Proposed some PRs, take a look when u find the time. Included a sensor using the Fahrenheit value too. Applied some rounding with a tweak I found online to round to nearest 0.5 to match better the values we see in the display. I had a good feeling that the F-value could be the 'master' as mentioned above, but on the other hand I see the following after trending it a few days:
That is before I added the rounding, but still you can see that the display value clearly shows some "dips" in temperature (and it matches when the heater is switched on). These are not shown in the post-time Fahrenheit value as far as I can record. |
|
So found out a key bit of info - while it's true that I don't see any serial traffic if you boot the controller without the top panel attached, if you boot up the controller with the top panel and then remove the top panel, the "long" messages just become short. e.g becomes Therefore, the FB messages must be being sent by the top panel. So still weird pattern, controller sends FA message, top panel ignores. Controller sends same FA message again, top panel responds, contoller sends FA message again, ignored by top panel Controller then repeats pattern for the AE messages The FB message for me pressing the temp down button is fb0603450e0002fd50 |
|
Do you see the same FB strings @tmjo? I'm wondering if the top panel message has any form of deviceid as part of it, given you can have multiple top panels |
|
Interesting! I mostly see fb060343060000ffce, but I extracted values from my HA database over a couple of weeks and see that the last to characters change. The ce-value is there most of the time, but I've seen e7, c7, ce, cf and fe as last characters. The other ones come for very short time every now and then. I've been thinking the same as you that there should be some kind of deviceid, address or something like that in there somewhere. |
|
Just a thought about the three messages - is it possible that the controller either has a max of three panels connected and therefor sends three "requests" where it expects a fb-reply from each panel? Or perhaps that one is the controller itself, while the two others are our top panel + esp if it senses that we're on the communication bus? Anyway, what could be interesting to figure out is if we need to send some kind of fb-reply to be able to control the tub, right? I didn't figure out how you did when you tested sending commands. Care to elaborate a bit on your method, then I could try to test a bit too. |
|
Can you post what FB you get with pressing Temp+ and Temp- press temp down press temp up vs my idle I'm assuming at the moment final 2 values are some for of checksum |
Mystery solved!! So I had my panel connected to the middle of the 3 sockets and saw FB messages on the middle of the 3 FA messages, move my top panel to the top-most socket and i now see the FB on the 3rd message, so must be numbered bottom to top fa14202020200000003200008002ffffff00000000008a So - my thinking as that while probing established that while there is a single RS485 bus that all the panels connect to, the extra pins we haven't worked out what they are for yet seem to somehow let the panel know which port it's connected to So, if during startup the panel knows it's panel number 1 say, then it replies to the 1st FA message it sees. If it's the second, then ignore the first FA and reply to the next etc So to send our own message, we either need to discover this method or just have hard coded param in the code so we don't try and transmit at the wrong time. We count the FA messages then my code at the moment that just waits for a moment where there is no data, instead should only send the FB command when the FA for us has just been sent. It's odd that each FA message is the same rather than containing some ID, but this is my best guess at the moment |
|
Great finding! I'll try to catch my fb while pushing temp up/dn once I'm online with the tub again. |
|
Team effort, based on your idea @tmjo Have pushed a branch that has an attempt at sending data, won't work as our message processing is kinda one message behind. i.e If the next byte is not the start of a message, add to the buffer, if it is then process what we hold in the buffer. Makes for simple way to handle message that might be short/corrupt etc without checksums etc, but really i think we need to read X bytes, then based on that know the message length then read that many, then process as soon as we have all the message, not when the next message starts. Not sure how to handle short reads, how to get into sequence etc. Might have a look at the other Balboa project to see how they do it Note: for your MAX885 chip you would also need to toggle high/low for the tx/rx |
|
Also, thinking about it, our "fake" FB messages most likely need to use a different device id value as otherwise that could just be delayed response by the previous panel Might need to try capturing all the serial data on bootup to see if i we see any of the panel discovery on the rs485 or if that's on the unknown (I2C?) pins |
|
Hi. Perhaps this is old news, but I can't remember that we discussed so it has slipped my attention for sure. I did some more thorough logging via Telnet (did some minor changes to code to send more of it to Telnet), and discovered two things that was new to me:
I'm not sure what this means for us, but for me this was news. Did you see it before? I completely forgot to reply on the fb-message temperature up/down that we discussed above, but I did some tests back then, and I couldn't see the same as you. I will doublecheck just to be certain, but I actually believe we checked that before as well. If it is really different on your installation compared to mine, it could be since you have a panel with up/down buttons while I have only one button with kindof a state for up/down. Anyway, just though I'd let you know. Leaving for a couple of days, but intent to do some more digging soon. |
|
Thanks for that @tmjo I had in the past seen some non-idle AE0D messages, but I've actually removed that from my current display in HA. Can't remember if I thought was just duplicate or stuff we had already or if for some reason I was only seeing the idle message |
|
Don't think I've spotted and CA messages actually. Will have to see if I see them |
|
With the temp change. Can you try and do a message capture for changing temp? @tmjo |
|
One think to point out is that if the FB sequence is created by the top panel. As ours differ in both model and possibly manufacturer, it's to be expected these differ in their output. The protocol format should be the same enough that cracking how we actually implement sending out own FB messages should be the same though. Simply replaying a FB message in response to one of the other "slots" of FA messages didn't seem to be enough. Which makes sense if we assume that the FB message has some form of unique id, then the control unit would only be looking for FB message with the right ID when listening for a reply in that "slot" |
|
Hi again, Some temporary results from temp up/down test today:
Can't say I got any wiser, but at least some results :) |
|
Hmm, by doing some random logging without touching the tub I also see that the two bytes before fb-tail change when tubtime changes. I guess we assumed them to be some kind of checksum, right? That could be, but it was funny how they seem to change also everytime I press the temp up/down. Or then again, maybe not, since the LCD-value obviously changes as well..... |
|
Can you tweak your capture @tmjo to also log the FB sequence response to the AE0D messages, it might be your top panel send it's commands via those of you aren't seeing the value in what's being captured. Just woke up, so brain not in gear enough to decode hex just yet, but yeah if you are seeing the final two values change in that suspected checksum, then there should be a value earlier that changes. If your top panel doesn't actually let you set the time, it might be an idea to flip the dip switch on the control board to reflect that and then we won't have the "noise" of the time changing |
|
Sure thing. I couldn't see anything when I looked, but for sure there must be something I'm not seeing. See here for logfiles (denoted _raw with all details). I studied the newer protocol again, and it could make sense there are some Channel Assignment Requests or similar on our tubs as well. Also, it would be interesting to find if there is a clear-to-send (CTS) value of some sort. Although these tubs are newer, there seems to be quite some similarities too. I'm planning to make a clean sketch with pure telnet logging and then do some loggings during rebooting/powerup of the tub. Did you try that already? |
|
Hi again! Some interesting news from my side. Seems I could be missing some messages in the normal program, so I ran a cleaner version with pure telnet logging.
See here for results if you want to dig into the details. I made an Excel-sheet for easier reading, by using filtering it's easy to see when stuff is happening. Will study it myself more in detail. |
|
Thanks for the extra info. My suspicion was that anything to do with startup initialisation is on the pins that we have yet to establish the format of, given I saw zero rs485 data unless the top panel is connected and how the physical port you are connected to affects what we see in terms of messaging. With regards to the left of CTS, either this is on the other pins or simply done by counting the messages and then responding once the top panel has seen the FA message that's in its "slot" I haven't put a scope onto the aux panel connectors to see if they are just the rs485, just the unknown stuff or entirely different With regards to boot up, yeah that sounds like the display showing the firmware version of the control With regards to the FB tails, that's good to hear you are seeing button press data there. What did you change to get to see those? Is the temp really a short message or just a quirk of how you are parsing? |
|
I'm not quite sure what made a difference on the measurements. What I did was tweaking a cleaner and simpler code, removing all HA-stuff and webserver and leaving basically telnet only. To increase speed was the thought. But not sure if that made a difference, or if it just helped that I pushed the buttons like a maniac which made it easier to detect if loosing some messages. To my knowledge I only see the short fb060343060005 for temp-button, it's strange that it is shorter, but I don't do anything in parsing that should shorten it. I also see that I get som fa94 message in between (see the actions-sheet), quite a bit of them too. Most are just fa94, but there are some with some more data, but a few has more data too. Not sure if this can be garbled data, noise or something, or if they are real..... |
Thinking of it, it makes perfectly sence (in a way). The targetTemp never worked well for me, it never caught my temperature adjustments unless I did a "dummy" toggle on the temp-button (i.e. flashing temperature display, but making no changes). Since the code looks for Why it is shorter is a still a mystery though. |
|
@tmjo - I did a bit more testing on the temp from F stuff you found, but certainly for me I'm still only seeing temp change in 0.5C increments. I hoped we might get greater granularity and so better time estimates for the time to temp, but looks like no luck there |
|
Agreed. I just get 0.5C resolution, and I've also noticed that the display shows a slightly different temperature sometimes (typically the 0.5C difference though). Typically is doesn't indicate the falling temperature that triggers the heater. Not very easy to see on the image below, but DisplayTemp (blue) clearly shows drops to 38.5 while F-temp (purple) doesn't indicate this.
I also see a FF-value in the F-temp when temperature is in set-mode (flashing). We need to "filter" that out, but unfortunately I didn't have much time lately to fool around with it. Should be easy enough.
|
|
I'm so close and yet so far from being able to send data. Sending only once at the point in the stream I expect and with pin4 and pin5 in the state i believe to be right doesn't work but if I keep sending the tub with light toggle commands it takes effect intermittently Might need to do more closer inspection of the output of genuine panel to see how many times a FB with button press is actually sent Might also use the 3rd port and another rs485 adapter to read what's actually on the bus to confirm the esp is definitely putting the right data out all the time |
Not yet sure which char is used as message delimiter or that bytesize and baudrate etc are defiantly correct.
Can't really start breakdown down the contents of the message until the basics are sorted
The text was updated successfully, but these errors were encountered: