• Reversing a heat pump protocol

    March 9, 2018 Author: RobinC
    No comment yet

    I’ve got an air source heat pump that communicates to a HMI (human machine interface) display and updates it with various status on temperatures, and what the compressors/fans etc are doing. I also have a fault with the system that every few days it trips out with an F6 fault, which is annoying. But to top that off the company that installed it have gone bankrupt so i’m pretty much on my own.

    Looking at the controller it looks like one from http://www.gzasl.com/en/page.html?id=28 but there is little info on their site and i’ve never had any success reaching out to these kinds of companies as they don’t want to deal with individuals and usually have some big organised reseller/importer network.

    Anyway back to the protocol, the HMI is fed from 2 wires, there appears to be a 12-14V differential between them, which would make sense for power, but also i can see on my DVM there is a non dc component. The voltages are floating at about 30v wrt earth so need to be a little careful connecting to them as i’ve no idea what the circuit is on the other end and if its safe to ground one side.

    Looking with a differential scope, we see :-

    Well that looks promising, there is data there.  Looks like two distinct sources as well, one pulling the voltage down, one pumping it up. The starts of the downward blocks are almost 250ms apart so this looks like a regular update message. Lets zoom in …

    What we see is 5 pulses, which may be a SOP marker. Then there are various pulses in other positions until we get back 20ms later to the 5 pulses again. This suggests to me that the 5 pulses are indeed a SOP and the data occurs after this. Start of one pulse to start of next is 400us (2.5Khz)

    Into the land of assumptions now, looking at the last pulse i’ve ever found before we get back to the next SOP marker i think there is room for 40 pulses or 5 bytes. There is room for another 5 pulses but these are always 0 (so far) and i’m assuming they are not important, this could prove to be incorrect.

    I exported the picoscope data as a CSV file and ran it through a C# chopper to detect the SOP and extract the bits and get the following results (showing raw bits and my first guess at byte decoding:-)

     SOP 01110000 0x70 00011100 0x1c 00000000 0x00 00111000 0x38 0000111 0x07 
SOP 00000000 0x00 00011100 0x1c 00000000 0x00 00000000 0x00 0000000 0x00 
SOP 01110000 0x70 00000000 0x00 11100111 0xe7 00000000 0x00 0000000 0x00 
SOP 00000000 0x00 00011100 0x1c 00000111 0x07 00000001 0x01 1100000 0x60 
SOP 00000011 0x03 10011100 0x9c 11100000 0xe0 00000001 0x01 1100000 0x60 
SOP 00000000 0x00 00000000 0x00 00000000 0x00 00111000 0x38 0000111 0x07 
SOP 00000011 0x03 10011100 0x9c 11100111 0xe7 00111000 0x38 0000111 0x07 
SOP 00000000 0x00 00011100 0x1c 11100000 0xe0 00000000 0x00 0000111 0x07

    I spent some time trying to turn these in to bytes, and then see if i could make sense of any numbers. I was expecting a regular temperature update of 40-50 degrees for 2 different sensors. But nothing really seemed to look like it could be this.

    Then i spotted something odd. the 1 pulses are always in groups of 3, and it appears the 0 pulses are in groups of 2, but its not impossible my chopper has got its timing wrong, it was pretty crude. But it is clear from the scope waveforms this is encoded digital data its not a raw bit stream.

    If we assume then that a 1 is 111 and a 0 is 00 can we chop this up? Looking at above, 4th line we have 0111 this does not fit our rules, may be there is always a 0 following the SOP to provide a break, so this byte is always ignored, if we slice this line using our new rule we get 17 bytes ;-( that is not working. Allowing the rest of the bits to be processed does not help either

    SOP 00-00-00-00-00-00-00-00- 0x00 00-00-00-00-00-00-00-00- 0x00 00-00-00-00-00-00-0
SOP 00-00-00-00-00-00-00-00- 0x00 00-00-00-00-00-00-00-00- 0x00 00-00-00-00-00-00-0
SOP 00-00-00-00-00-00-00-00- 0x00 00-00-00-00-00-00-00-00- 0x00 00-00-00-00-00-00-0
SOP 0111+00-00-00-0111+00-00-00- 0x38 00-00-00-111+00-00-00-0111+ 0xc7 00-00-00-
SOP 00-00-00-00-00-0111+00-00- 0x1c 00-00-00-00-00-00-00-00- 0x00 00-00-00-00-00-0
SOP 0111+00-00-00-00-00-00-111+ 0x07 00-111+00-00-00-00-00-00- 0xc0 00-00-00-00-0
SOP 00-00-00-00-00-0111+00-00- 0x1c 00-0111+00-00-00-0111+00-00- 0x1c 00-00-00-0
SOP 00-00-00-111+00-111+00-111+ 0x77 00-00-00-00-00-00-111+00- 0x0e 00-00-00-00-0
SOP 00-00-00-00-00-00-00-00- 0x00 00-00-00-00-00-111+00-00- 0x1c 00-0111+00-00-00-
SOP 00-00-00-111+00-111+00-111+ 0x77 00-111+00-111+00-00-00-0111+ 0xc7 00-00-00-

    Above i’ve grouped into 2×0 and 3×1 then put a – for a 0 bit and a + for a 1 bit after 8 of them i decode a byte….. there are some problem sequences i can see some 00-0111+ that has broken my assumption of no of zeros and ones in a true bit… this is not the encoding you are looking for….

    Here are my picoscope captured waveforms, these can be loaded in to the picoscope application (free) from picoscope.com

    Heatpump data 1

    Heatpump data 2

     

     

  • Mains frequency monitoring

    November 1, 2016 Author: RobinC
    No comment yet

     

    Playing around with measuring the UK mains frequency and got the following results

    screenshot-mainsfq

    where blue is my measurement and yellow is a reference measurement i obtained from a real time tracker on the internet. Pretty good agreement with in 0.01 of a Hz (mostly)

    What i’m really interested in are the variations between blue and yellow, they are not constant and at times look cyclical such as

    mainsupdown

    What am i seeing there? is that the real time frequency regulation of the mains kicking in and out on 10-20 second duty cycles? as generating capacity is added and removed to regulate the frequency? Or am i detecting local distortions that are offsetting my zero crossing detection and causing error in my frequency graphs?

  • Fake FTDI and esp8266 flashing issues

    October 7, 2016 Author: RobinC
    No comment yet

    So I thought I would try the ESP8266 out at last so got my self a edp8266 module and a USB to 3.3v serial converter.

    After many hours of failing to flash the esp with nodemcu and other firmwares I was on the brink of giving up.The nodemcu flash tool kept letting stuck at anywhere between 1% and 6% no settings made any difference and other flash tools failed in similar ways. I then though to change the serial adapter and happen to have a board with a cp2102 on it so a few soldered on wires later and I had an alternative serial converter. This one worked first time.

    I remembered the whole fake FTDI issue from a while back and started investigating. Firstly my chip had painted on idents which would easily come off with my finger. Real FTDI chips apparently are laser etched. I then downloaded and ran FT_Prog from ftdi’s website and checked the serial no… Turns out it was the most common fake number there was

    fakeftdi

  • Another stunning success

    September 13, 2016 Author: RobinC
    No comment yet

  • Another one bites the dust

    September 12, 2016 Author: RobinC
    No comment yet

    Don’t think the puck diode thought a lot of the current I stuck though it. Plus it looks badly clamped as conduction clearly started and burned out at a single point from the edge

  • First test of the RaspiHats Isolated IO module

    September 8, 2016 Author: RobinC
    No comment yet

     

    First tests of the Isolated IO boards from http://raspihats.com/ This is the 6 in/out module featuring 6 relay isolated outputs and 6 opto isolated inputs. 3 Boards are currently being produced. A relay output board, an isolated input board and the mixed board shown here.

    I’ve connected it here to a system under test to simulate a PLC interface for verification. The Raspberry PI is pretending to do the PLC handshake with our equipment to verify its all working to specification.

     

     

    Taking to the board from the Raspberry PI is exceeding easy, for a start its a HAT module so supports the auto set up that newer PIs support. The only thing you need to do is enable the PIs I2C from the rasp-config tool (see here https://www.raspberrypi.org/documentation/configuration/raspi-config.md)

    After I2C is enabled ensure you have the following packages installed via apt-get

    sudo apt-get install python-smbus python-pip

    then using pip install the raspihats package

    sudo pip install raspihats

    If you want a video walk through of the setup you can find one below :-

     

    And here is my python test script simulating some of the PLC. The pupose of this script is to simulate some exteral hardware they we do not have to test the machine against. The particular handshake is defined by our specifications but it shows how easy a test script can be written and the RaspiHats modules used

    from raspihats.i2c_hats import Di6Rly6
from time import sleep
import time

board = Di6Rly6(0x60)

#force reset

board.do_set_state(3,1)
sleep(1)
board.do_set_state(3,0)

board.do_set_state(4,1)
board.do_set_state(5,0)
#board.do_set_state(7,1) # only 6 relays this is forced 0


while (1):
 sleep(1)

print("Waiting for ready signal")
 #wait for ready signal
 while(board.di_get_state(0)==0):
 print("Not ready")
 time.sleep(1)

print("system is ready")
 print(" .. Moving head to load position and requesting vac")

board.do_set_state(0,1) # req vac

#wait for vac on signal
 while(board.di_get_state(2)==0):
 #do nothing
 time.sleep(1)

print("VAC on requesting a cal cycle")

board.do_set_state(2,1) # req cal cycle


 #wait for done signal
 while(board.di_get_state(1)==0):
 #do nothing
 time.sleep(1)

#read passfail

if board.di_get_state(5)==1:
 print("** ITS A PASS **")
 else:
 print("** ITS A FAIL **")


 board.do_set_state(2,0) # clear cal cycle request

print("robot head in position, signal vac off")

#move head and turn on robot vac then say our vac is on by deasserting vac req signal
 board.do_set_state(0,0)

print("waiting for vac off comfirm")

#wait for vac off signal
 while(board.di_get_state(2)==1):
 #do nothing
 time.sleep(1)

print("Cycle complete")

#loop around and wait for ready signal

  • CanOpen on a Raspberry PI using CanFestival

    November 12, 2015 Author: RobinC
    No comment yet

    I wanted to hook a Raspberry PI into a CanOpen network and have it as a slave device, mainly for logging purposes. I had previously identified CanFestival  as a potential CanOpen stack to be used for this project as it describes itsself as “CanFestival focuses on providing an ANSI-C platform independent CANOpen® stack that can be built as master or slave nodes on PCs, Real-time IPCs, and Microcontrollers” so that is sounding promising.

    The other potential stack I had considered was CanOpenNode, this stack wins hands down for implementing on a PIC32/24 as it pretty much works out of the box on those platforms. The devil is always in the details and in this case the detail is the driver, or how the stack connects to the actual can hardware. Both stacks have certain “drivers” that allow them to interface to the host, both stacks as C implementations that just seem to work. But the winner was CanFestival supported socket_can.

    Socket_can is an implementation of can using unix sockets, this might not seem like a big deal, but its very efficient. Sockets have built in queuing mechanisms and expose them selves to usespace in a nice friendly way. Through put is not going to be an issue. Other CAN systems use character devices, eg they emulate a serial port and you talk one byte at a time to the character device. This is inefficient and has no queuing, so on busy networks things could go wrong.

    The hardware selected was the PICAN board from SK Pang (UK Supplier). Quick delivery, the board arrived next day and I was excited to start playing with it. I am using a Raspberry PI 2 and there are slight differences between the 1 and 2 when setting up the drivers on the PI (hint PI2 is much improved)

    Can board on raspberry pi 2

    Complete instructions can be found on SK Pang’s blog but the TLDR; version is in raspi-config, advanced -> turn on SPI. then add to /boot/config.txt the following

    dtoverlay=mcp2515-can0-overlay,oscillator=16000000,interrupt=25
dtoverlay=spi-bcm2835-overlay

    Thats it, a reboot later everything should be good the correct kernel modules will load at boot and the can interface will be ready to go.

    CanFestival

    The purpose of this was CanOpen not just raw can so lets proceed with Festival, we will do this on the raspberry PI as it should be ready to go with code compiling and will save the hassle of a cross compile setup for such a trivial thing.

    Download the source code from http://dev.automforge.net/CanFestival-3/ , you can check out the code as a Mecurial repository, or if you don’t know what that is, just download the latest source from http://dev.automforge.net/CanFestival-3/archive/tip.tar.bz2 which will get the latest code as a tar ball with bz2 compression.

    wget http://dev.automforge.net/CanFestival-3/archive/tip.tar.bz2
    Unpack the code
    tar -xvjf tip.tar.bz2
    Change directory to move into the source tree, Note at the time of writing the tip ID was 8bfe0ac00cdb when you do this it may have changed so just cd into the folder just unpacked which will be named CanFestival-3-?????????????
    cd CanFestival-3-8bfe0ac00cdb
    Now configure and build the code
    ./configure --arch=armv6 --target=unix --can=socket
    make
    sudo make install

    So thats good to go at this point and you should be able to test, an annoying niggle is that the can interface needs to be brought up with the “link” command, i am sure this can be fixed in festival but as it stands out of the box to run the first thing you need to do is :-

    sudo /sbin/ip link set can0 up type can bitrate 500000
    CanOpenShell load#libcanfestival_can_socket.so,can0,500k,1,1
    Where the paramaters for load are library name, can channel, bitrate, nodeID and master(1)/slave(0)

    If CanOpenShell starts correctly you should see

     Node_initialisation
Note_preOperational

    at this point press enter

    You can then sent NMT commands with the ssta/ssto/srst/scan commands eg ssta#0 start all nodes, and you can read and write SDOs with the rsdo and wsdo commands
    so you can talk to other CanOpen devices and prove you have a working network.

    Creating a node with festival

    So how do you actually use festival to do something real? The best example to start with and the simplest is in examples/SillySlave and is a very basic demo of a CanOpen slave on the network. Of cause sillyslave didn’t compile out of the box with the rest of festival and to get it to work do the following, firsty move to the /examples/sillyslave directory and edit the Makefile( eg use nano Makefile -c) on line 42 go to the very end and remove “-lcanlib”

    Next you also need to edit main.h and change the following defines in the section marked “Please tune the following defines to suit your needs:”

    #define NODE_MASTER 0x1
    #define NODE_SLAVE 0x40
    #define DRIVER_LIBRARY "libcanfestival_can_socket.so"
    #define BAUDRATE 500
    #define BUS 0

    Next you need to build as follows :-
    make mrproper
    make

    This is important as the SillySlave.c file is out of date and old and needs to be regenerated, only the mrproper target will remove it, not just make make all or clean. What it actually does is generate SillySlave.c from an XML representation of the object dictionay and using another tool this can be converted to/from the EDS/electronic data sheet files that is part of the CanOpen standard.

    To run the sample just do :-

    ./SillySlave

    If you have another can node, you can start/stop the node with NMT commands, and it will send a PDO for every SYNC it receives.

    The important thing to take home here is main.c is trivial, its the minimum needed to start up the application, SillySlave.c is machine generated and this is the goodness of the object dictionary and how you configure the main parts of your node.

    Creating an object dictionary with festival

    So the time has come to make the Sillyslave something real, your friend in this process is the objdicteditor tool, which is a python tool

    You need to run this from a GUI, either the PI’s X windows or another system (even windows) with python and python wx installed. Lets assume you are using the PI still. Firstly ensure you have the wx widgets for python
    sudo apt-get install python-wxtools
    Then change to X windows and use a keyboard and mouse to continue
    Open a terminal window and CD to the directory containing the canfestival source, then cd into the objdictgen directory and do the following python objdictedit.py Then if you go to File->Open abd browse to the examples/SillySlave directory and open SillySlave.od you can edit the object dictionary from a nice GUI with ease, any changes you make if you save them back to the od file you can then build this into the slave by following the previous steps to build sillyslave with your new changes.

    Canfestival object dictionary editor

    A few finishing words

    Sillyslave is very basic, the bare minimum and really the defines for the nodeid and the bitrate are wrong and these should be read from the object dictionary directly. If you need to add more advanced functionality CanFestival has callback hooks which can be used, but i leave developing a real application as an exercise for you to do on your own as this is where the business end of what ever you are trying to do actually starts now all the boiler plate is taken care of.

  • lirc sky rflink howto

    April 23, 2014 Author: RobinC
    No comment yet

    NB This Howto is around 5 years old, but its still linked to from some sources so I though I would keep it alive, the lirc bits are probably a little out of date by now

    This howto is a quick description of how i got a pace rflink device (designed for TIVO) working on a standard RS232 serial port with lircd

    Pace rf2link

    The rf2link is a remote control extender for SKY and SKY+ systems that sends the control commands via the coax cable that is also used to send the picture to other televisions. These can be bought from http://www.pacelink.co.uk/rf2link.htm. These devices run of 9v power from the SKY/SKY+ box that can be switched on from the RF2 socket. Two varieties exist one of which allows the power to continue to the NEXT device along the coax and one that stops the power at the rf2link device, ONLY use the through power device IF you require the power at the next device, i.e. another remote extender. DO NOT ALLOW the 9v to reach your TV or your capture card! You have been warned!.

    These are designed for a TIVO so two possibilities exist :-

    1 – Cut off the jack plug
    2 – Make a nice socket for the jack plug to plug in to

    I chose number one. Next you will need some 1N4148 diodes or similar small signal diodes, a female DB9 socket and a plastic cover to mount the DB9 socket and hide away the 1N4148 diodes. These parts can be obtained from maplins http://www.maplin.co.uk or you local electronics shop.

    Serial ports can signal from -9v to +9v (nominal) and can have voltages much lower than this. I assumed my serial port was 9v and used 4 diodes (0.6-0.7v drop per diode) and to stop the serial port putting any -ve voltages on the pacelink device.

    DTR. -------->|---->|---->|----->|------- PACELINK Centre of cable

GND ---------------------------------------- PACELINK Ground of cable

    The pace link device input drives into a 3.5k ish resistor so i suspect a few extra volts won’t hurt but their are a load of transistors next so i would not recommend any negative volts reaching them so a minimum of one diode always!.-

    [Read More…]

  • RS232 TTL to USB

    April 23, 2014 Author: RobinC
    No comment yet

    I’m often hacking around with some device that has RS232 but at TTL levels and I quickly want to connect it to a PC for some testing or set-up, but I came across these wonderful devices ready to go out the box :-

    TTL RS232 to USB convertors

    TTL RS232 to USB convertors

    Available from RS Components http://uk.rs-online.com/web/p/interface-development-kits/6877770/ there are 5V and 3.3V TTL versions available. They are not the cheapest things in the world but they are ready to go directly into your TTL RS232 level device and come on a standard 0.1″ pitch connector that also provides +5V if needed.