Soco TC RS485 decode

 I knew from web info that it's RS485 connection between units on TC, but the baud rate and format was not found on web. Base on the information I found at least BMS, motor controller, ECU and dash board are connected on 485.




I have this 485 module on hand, decide to find out the traffic on 485.

I first connect it to a FTDI, with DE/RD both tied to GND to receive data from bus.

with ternimal on PC, I start to test on different baud rate, only at 4800 and 9600 I can receive "seems resonable" hex data.

These are in 485, I tried to group them...

48 EB 01 20 F2 ED 6F 3F 3F 03 00 00 01 20 60 F2 3F 3F
48 3F E3 20 49 ED 6F 23 62 00 00 01 40 F2 3F 3F 
48 EB 01 20 F2 ED 6F 3F 3F 03 00 00 01 20 60 F2 3F 3F

12 87 90 3F 3B ED 6F 23 62 00 00 01 40 F2 3F 3F 
48 EB 01 20 F2 ED 6F 3F 3F 03 00 00 01 20 60 F2 3F 3F

48 3F E3 20 49 ED 6F 23 62 00 00 01 40 F2 3F 3F 
48 EB 01 20 F2 ED 6F 3F 3F 03 00 00 01 20 60 F2 

These are in 9600, also try to group it...
C5 5C DA AA 02 00 00 02 0D
B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D
C5 5C 5A AA 01 97 96 0D
B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D
C5 5C DA AA 02 00 00 02 0D
B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D
C5 5C 5A AA 01 97 96 0D
B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D
C5 5C DA AA 02 00 00 02 0D
B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D
C5 5C 5A AA 01 97 96 0D 
B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D
C5 5C DA AA 02 00 00 02 0D
B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D
C5 5C 5A AA 01 97 96 0D 
B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D 

Without knowing the structure of TC data, it's difficult to find out which is the correct one.

The I try to peak LimBo's PC config sw I found on web to get an idea about the data structure.

I know TC controller and BMS are custom made ones, in case of OEM, most engineer will try to make less change as possible. So there is a chance that it will be the same or similar.

I used 2 FTDI interconnected, one as connection point for LimBo sw, one connect to my serial program, so that I hit connect on limbo SW, I can see what it send on the other FTDI. I know from web that the SW is 9600...

since the connect command is very simple,I do figure out that it contain start bytes, Nr of contain, and a byte of chk sum and an end byte.

after few try and calculation, I think the 9600 recording from my soco TC does fit some rules.

C5 5C 5A AA 01 97 96 0D
C5 5C DA AA 02 00 00 02 0D

are both query commands.(most of 485 use a master to query nodes, like mod bus)

C5 5C is the header
0D is the end byte
5A AA and DA AA looks the command or device master is asking
for the 5A AA one: 01 means one byte of data, which is 97 and the 96 is a XOR checksum after AA(01 97). 

for the DA AA one: 02 means 2 bytes, which is 00 00 and the check sum is 02( 02 00 00 )

Same rules can be applied to the returning message:

B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D 

B6 6B AA DA 0A 01 00 00 00 00 17 00 00 02 01 1F 0D

B6 6B is the header of answering message, AA 5A indicate that this is the return message of  5A AA, AA DA is the return messge of DA AA

the following byte 0A (10 in decimal )is the data length of payload: 10 bytes.

the 18 and 1F in each message is the XOR checksum start with 0A. 0D is the end byte.

I managed to find out that AA 5A is a BMS query message, since my battery voltage is about 66V and the battery level is indicated at 77% on my soco.

42 is 66 and 4D is 77 in decimal. not sure what is the following byte 1B(which is 27 in decimal), maybe it's the BMS temperature? the day is about 20-25 degree, 27 seems a little bit high in a cold battery. then I have no idea on the  00 00 05 00 03 00 00

I took out the battery and connect it's 485 with m PC through the 485 module. I use one 485 module as sender for query data, and another one as listener.

I found out the BMS does response to  C5 5C 5A AA 01 97 96 0D  with right response as B6 6B AA 5A 0A 42 4D 1B 00 00 05 00 03 00 00 18 0D and BMS does not response to DA AA command. I think this one is for controller. 

My guess is that ECU sends these queries, and the dashboard only listen and display info.

I check SOCO web on the dash board. I think most data of these 2 485 messages are presenting these info on dashboard.

I think the 17 of AA DA could be the controller temperature which is 23 in decimal

INSTRUMENT




  1. Speed Indication
    Show current speed.

  2. 2 Range/Temperature
    Indicate current trip range or temperature can switch.

  3. 3 Total Range
    Indicate total range.

  4. 4 Controller Temperature
    Indicate real-time temperature of controller.

  5. 5 SOC in Bars
    Indicate real-time battery capacity.

  6. 6 SOC in %
    Indicate real-time battery capacity.

  7. 7 Mode
    Indicate real-time riding model.

BUTTON FUNCTIONS

Change Indications - Range/Temperature
In normal mode, Press it less than 2 seconds, change indications, and keep the status.

Manually start the back light of Instrument (Back light for Letters + LCD back light)
In normal mode, Press it longer than 2 seconds but shorter than 8 seconds, start the back light for instrument and head light.




I think I need a arduino tool to record the 485 data and real data presented on dash.....


留言

張貼留言

這個網誌中的熱門文章

Heltec ESP32+OLED+Lora, hardware testing

圖片
you can easily find some good boards from china, but most of them lack of accurate document... Hrere is an example; https://hackaday.io/project/26991-esp32-board-wifi-lora-32 the board looks good with lora and a 128x64 OLED, but the IIC and reset connection is important, since pin can be muxing easily, so every board could be different. pinMode(16,OUTPUT);  digitalWrite(16, LOW); // set GPIO16 low to reset OLED  delay(50);  digitalWrite(16, HIGH); // while OLED is running, must set GPIO16 to high  and, if needed, edit your Wire.begin() to Wire.begin(4,15); (4 = SDA 15 SCL)  i tested it with the Adafruit SSD1306 and the Acrobotics SSD1306 Librarys  both work.  Display size is 128x64 There are discussions on these boards on TTN as a LORA node..or maybee single ch gateway? Heltec has a git :  https://github.com/Heltec-Aaron-Lee And there is another copy call TTGO https://de.aliexpress.com/item/TTGO-LORA32-868-915-Mhz-SX1276-ESP32-Oled-display-Bluetooth-WIFI
閱讀完整內容

micro SD card for ESP32, on lolin32 with OLED and heltec 32 lora oled

圖片
I have purchased 2 micro SD card holder for my esp project. First I would like to test with heltec esp32 lora oled module. this module uses: sck=05 MISO=19 MOSI=27 SS(lora)=18, then I assigned 21 for sd SS and there is a lib in esp32-arduino, which use SS default at 5 I took the example and use SD.begin(21), but I alway get the error: entry 0x40078a9c Card Mount Failed But I do saw once that it read out the sd card type and volume. Not sure it's the issue of lora sd card swithing, or it just can't work. The other esp32 card I have is an wemos esp32 oled, it did not leave me too much pins, I need to find out how to connect sd to it. But I have wemos D1 mini esp8266 on hand, and connect it as:  * The WeMos Micro SD Shield uses:  * D5, D6, D7, D8, 3V3 and G  *  * The shield uses SPI bus pins:  * D5 = CLK  * D6 = MISO  * D7 = MOSI  * D8 = CS It's not working with the example in the arduino IDE 1.8.5, which marked SD(esp8266), but it w
閱讀完整內容

Install Network Time Protocol(NTP) on BeagleBone with Angstrom linux and set local time zone

Referenced from : http://cwraig.id.au/?p=513 1. Update your Package List opkg update 2. Get the ntp Package opkg install ntp ntpdate Update 2014/07/03 for the latest beaglebone image(2013-06-20) with kernel 3.8.12, after this installation,  system will add to service list, so only need to change time zone 3. Now we need to stop the ntpd service so we can request a manual update /etc/init.d/ntpd stop manual update ntpdate pool.ntp.org type in date, you should see the date is changing to current date and time, but the time zone is not corrected. The time zone info is contained in /etc/localtime , use this to remove it: rm /etc/localtime before link up our time zone, look into /usr/share/zoneinfo folder for your timezone. I did not find taiwan in asia, not plan to use hong_kong, but there is still: /usr/share/zoneinfo/Etc/GMT-8 now we make the link with ln command ln -s /usr/share/zoneinfo/Etc/GMT-8 /etc/localtime now type date again to check, should ha
閱讀完整內容