Soco TC RS485 decode

I knew from web info that there is an RS485 connection between the units on the TC, but the baud rate and format were not to be found on the web. Based on the information I found, at least the BMS, motor controller, ECU and dashboard are connected on 485.




I have this 485 module on hand, so I decided to find out what the traffic on the 485 bus looks like.

I first connected it to an FTDI, with DE/RD both tied to GND, to receive data from the bus.

With a terminal on the PC, I started testing different baud rates; only at 4800 and 9600 could I receive "seems reasonable" hex data.

These are in 485, I tried to group them...

48 EB 01 20 F2 ED 6F 3F 3F 03 00 00 01 20 60 F2 3F 3F
48 3F E3 20 49 ED 6F 23 62 00 00 01 40 F2 3F 3F 
48 EB 01 20 F2 ED 6F 3F 3F 03 00 00 01 20 60 F2 3F 3F

12 87 90 3F 3B ED 6F 23 62 00 00 01 40 F2 3F 3F 
48 EB 01 20 F2 ED 6F 3F 3F 03 00 00 01 20 60 F2 3F 3F

48 3F E3 20 49 ED 6F 23 62 00 00 01 40 F2 3F 3F 
48 EB 01 20 F2 ED 6F 3F 3F 03 00 00 01 20 60 F2 

These are in 9600, I also tried to group them...
C5 5C DA AA 02 00 00 02 0D
B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D
C5 5C 5A AA 01 97 96 0D
B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D
C5 5C DA AA 02 00 00 02 0D
B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D
C5 5C 5A AA 01 97 96 0D
B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D
C5 5C DA AA 02 00 00 02 0D
B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D
C5 5C 5A AA 01 97 96 0D 
B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D
C5 5C DA AA 02 00 00 02 0D
B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D
C5 5C 5A AA 01 97 96 0D 
B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D 

Without knowing the structure of TC data, it's difficult to find out which is the correct one.

Then I tried to peek at LimBo's PC config software, which I found on the web, to get an idea about the data structure.

I know the TC controller and BMS are custom-made ones; in the case of an OEM, most engineers will try to make as few changes as possible. So there is a chance that it will be the same or similar.

I used 2 FTDIs interconnected, one as the connection point for the LimBo software and one connected to my serial program, so that when I hit connect in the LimBo software I can see what it sends on the other FTDI. I know from the web that the software is 9600...

Since the connect command is very simple, I did figure out that it contains start bytes, the number of content bytes, a checksum byte and an end byte.

After a few tries and calculations, I think the 9600 recording from my Soco TC does fit some rules.

C5 5C 5A AA 01 97 96 0D
C5 5C DA AA 02 00 00 02 0D

are both query commands (most 485 buses use a master to query nodes, like Modbus).

C5 5C is the header.
0D is the end byte.
5A AA and DA AA look like the command or device the master is asking for.
For the 5A AA one: 01 means one byte of data, which is 97, and 96 is an XOR checksum over the bytes after AA (01 97).

For the DA AA one: 02 means 2 bytes, which are 00 00, and the checksum is 02 (02 00 00).

Same rules can be applied to the returning message:

B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D 

B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D

B6 6B is the header of the answering message. AA 5A indicates that this is the return message for 5A AA; AA DA is the return message for DA AA.

The following byte, 0A (10 in decimal), is the data length of the payload: 10 bytes.

The 18 and 1F in each message are the XOR checksum, starting with 0A. 0D is the end byte.

I managed to find out that AA 5A is a BMS query message, since my battery voltage is about 66V and the battery level is indicated at 77% on my soco.

42 is 66 and 4D is 77 in decimal. I am not sure what the following byte 1B (which is 27 in decimal) is; maybe it's the BMS temperature? The day is about 20-25 degrees, so 27 seems a little bit high for a cold battery. Then I have no idea about the 00 00 05 00 03 00 00.
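The framing rules worked out above (2-byte header, 2-byte ID, length byte, payload, XOR checksum over length plus payload, 0D end byte), as an added example that is not the author's code. The names `parse_frames` and `decode_bms` and the field labels are assumptions made for illustration, and the voltage/SOC reading is the post's tentative interpretation.

```python
# Added example: frame layout as inferred in this post, not an official Soco spec.
HEADERS = {bytes.fromhex("C55C"): "query", bytes.fromhex("B66B"): "reply"}
END_BYTE = 0x0D

def xor_checksum(data):
    """XOR of the length byte and every payload byte."""
    chk = 0
    for b in data:
        chk ^= b
    return chk

def parse_frames(stream):
    """Scan a raw 9600-baud capture and return the frames that validate."""
    frames, i = [], 0
    while i + 7 <= len(stream):  # shortest frame: header(2) id(2) len chk end
        kind = HEADERS.get(bytes(stream[i:i + 2]))
        if kind is None:
            i += 1  # not a header, resync one byte at a time
            continue
        length = stream[i + 4]
        end = i + 5 + length + 2  # index one past the end byte
        body = stream[i + 4:i + 5 + length]  # length byte + payload
        if (end > len(stream) or stream[end - 1] != END_BYTE
                or stream[end - 2] != xor_checksum(body)):
            i += 1  # truncated, corrupt, or header bytes seen by chance
            continue
        frames.append({"kind": kind,
                       "id": bytes(stream[i + 2:i + 4]).hex().upper(),
                       "payload": bytes(body[1:])})
        i = end  # 0D may also occur inside a payload, so trust the length
    return frames

def decode_bms(payload):
    """Tentative field reading from the post: byte 0 volts, byte 1 SOC in %."""
    return {"voltage_v": payload[0], "soc_percent": payload[1],
            "unknown": payload[2:].hex()}

# Sample input: the four frames quoted in the post, concatenated as on the wire.
SAMPLE = bytes.fromhex(
    "C5 5C 5A AA 01 97 96 0D"
    "B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D"
    "C5 5C DA AA 02 00 00 02 0D"
    "B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D")

if __name__ == "__main__":
    for f in parse_frames(SAMPLE):
        print(f["kind"], f["id"], f["payload"].hex())
        if f["id"] == "AA5A":
            print("  BMS:", decode_bms(f["payload"]))
```

Because the parser validates length, checksum and end byte before accepting a frame, it can also be pointed at the 4800-baud capture to check whether any of it fits the same rules.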

I took out the battery and connected its 485 to my PC through the 485 module. I used one 485 module as a sender for query data, and another one as a listener.

I found out the BMS does respond to C5 5C 5A AA 01 97 96 0D with the right response, B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D, and the BMS does not respond to the DA AA command. I think this one is for the controller.

My guess is that the ECU sends these queries, and the dashboard only listens and displays info.

I checked the SOCO web page about the dashboard. I think most of the data in these 2 485 messages presents this info on the dashboard.

I think the 17 of AA DA could be the controller temperature, which is 23 in decimal.

INSTRUMENT




  1. Speed Indication
    Show current speed.

  2. Range/Temperature
    Indicate current trip range or temperature can switch.

  3. Total Range
    Indicate total range.

  4. Controller Temperature
    Indicate real-time temperature of controller.

  5. SOC in Bars
    Indicate real-time battery capacity.

  6. SOC in %
    Indicate real-time battery capacity.

  7. Mode
    Indicate real-time riding model.

BUTTON FUNCTIONS

Change Indications - Range/Temperature
In normal mode, Press it less than 2 seconds, change indications, and keep the status.

Manually start the back light of Instrument (Back light for Letters + LCD back light)
In normal mode, Press it longer than 2 seconds but shorter than 8 seconds, start the back light for instrument and head light.




I think I need an Arduino tool to record the 485 data and the real data presented on the dash.....

