
This is my first question. I'm trying to turn my heating on/off with an Arduino. First I have to figure out how to communicate with it. My thermostat has 4 wires (3V, GND, A+, B-). That's typical 2-wire RS-485 plus 3V power to feed the thermostat. I've connected an RS-485 to Ethernet converter to monitor the protocol and figure out the commands used by my actual thermostat in order to replicate them with the Arduino (and automate some tasks).

I started with a Modbus monitor (Serial Port Monitor), and some packets have an OK checksum and some packets have a BAD checksum. I don't know the configuration of the port, so I've tried 9600 8 bits no parity, 9600 8 bits even parity and 9600 8 bits odd parity, and the result is the same. It seems that the packets fit the Modbus structure sometimes but not always. Can I assume that the communication protocol is Modbus? Why do some packets, more or less 30%, have an OK checksum and 70% a BAD checksum?

```
[23/10/2019 19:57:51]
Modbus Response (COM4)
Address: 7
Function: 15 (0x0f) - Write Multiple Coils
Starting Address: 1 Quantity: 4

Checksum: 1454(OK)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 7
Function: 1 (0x01) - Read Coils Byte Count: 0
Values:

Checksum: 32174(OK)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 7
Function: 1 (0x01) - Read Coils Byte Count: 1
Values: 00
Coils 0-7: 00000000

Checksum: 20736(OK)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 7
Function: 15 (0x0f) - Write Multiple Coils
Starting Address: 1 Quantity: 4

Checksum: 33660(OK)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 7
Function: 15 (0x0f) - Write Multiple Coils

Checksum: 1(BAD)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 0
Function: 4 (0x04) - Read Input Registers

Checksum: 1454(BAD)

[23/10/2019 19:57:53]
Modbus Response (COM4)
Address: 7
Function: 1 (0x01) - Read Coils

Checksum: 0(BAD)

[23/10/2019 19:57:53]
Modbus Response (COM4)
Address: 0
Function: 7 (0x07) - Read Exception status

Checksum: 32174(BAD)

[23/10/2019 19:57:53]
Modbus Response (COM4)
Address: 7
Function: 1 (0x01) - Read Coils

Checksum: 256(BAD)

[23/10/2019 19:57:53]
Modbus Response (COM4)
Address: 7
Function: 15 (0x0f) - Write Multiple Coils
Starting Address: 1 Quantity: 4

Checksum: 256(BAD)
```

Do you think that modbus is the protocol being used or should I try some other protocol? How can I be sure that the port communication settings (9600 8 bits even parity) are OK?

Thank you guys!

M. Twarog
Marklar
  • It certainly looks like Modbus. Not that I'm advocating against the tons of entertainment you can get from reverse engineering, but have you tried to get the documentation of your boiler and thermostat? I guess you are using Eltima, right? I have no experience with it but being a commercial product I imagine the bad CRCs you see are real. More than a couple of bad CRCs every once in a while normally means you have hardware issues. You should verify if the connections and cables on the original bus are OK and if you are somehow disturbing the bus with your sniffer – Marcos G. Oct 24 '19 at 08:34
  • Thanks for your response. I really want to avoid all this entertainment but my thermostat is tailor-made for the installation (electronic PCB included) by a small company and I don't even know if the Modbus goes to the boiler directly. The installation is a community boiler for radiant heating. I ignore the reason for using an installation-specific thermostat instead of a commercial one. – Marklar Oct 24 '19 at 09:47
  • I see, but don't forget there are two sides to the story, what about the boiler? Is it unbranded too? Reverse engineering it should not be that difficult for a simple temperature control. Out of curiosity: can you tell what microcontroller the thermostat is built upon? – Marcos G. Oct 24 '19 at 09:54
  • I forgot to mention that it is quite likely your Modbus device is not checking for parity (some devices do check but they already have the CRC so it does not make much sense from a design perspective). If you use no parity bit I think the standard says you have to go with 2 stop bits. – Marcos G. Oct 24 '19 at 10:02
  • I wrote before you finished writing your comment, sorry about that. For a community boiler, you will probably have a valve box with computer control and inputs from the boiler and each thermostat. Depending on the temperature you set on the thermostat of each room the control opens or closes each valve as needed. If you have a certain number of rooms or apartments I guess it makes sense to use Modbus... – Marcos G. Oct 24 '19 at 10:16
  • The microcontroller is an MSP430. I'll ask for the boiler brand again. They told me yesterday that in fact the bus doesn't go directly to the boiler, it goes to a valve and a fan, so I thought that it is easier to reverse engineer the protocol from the point of view of my thermostat. – Marklar Oct 24 '19 at 10:29
  • Yes! I've 1 thermostat for each room, all but the central one are very simple (a relay) and they only work depending on the state of the main thermostat (the Modbus one) that controls the main valve, the rest just control a valve in a valve box. That is very simple. My problem is about controlling the Modbus part. Do you know a good Modbus sniffer to verify the protocol? How can I know if I'm disturbing the bus with the sniffer? I'll try to use parity none and 2 stop bits. I didn't try this combination. I'll tell you the result. Thanks! – Marklar Oct 24 '19 at 10:39
  • I use [SerialPCAP](https://github.com/j123b567/SerialPCAP), which is based on Wireshark and works great (on Linux). You can also try Termite or any other serial terminal, but you won't have any Modbus details, only the raw data, see [here](https://stackoverflow.com/questions/57056042/i-am-sending-commands-through-serial-port-in-python-but-they-are-sent-multiple-t/57062146#57062146). To check if you are unbalancing the bus impedance you can check if your device (RS485 to Ethernet) has an option to enable or disable terminating resistors (sometimes that's a microswitch or a software setting) – Marcos G. Oct 24 '19 at 10:58
  • My device has a jumper, it was open (terminal resistors enabled). When I close the jumper (terminal resistors disabled) the behaviour is the same. I've tried no parity - 2 stop bits, even parity - 1 stop bit, odd parity - 1 stop bit and no parity - 1 stop bit. The behaviour is always the same. Maybe the parity bit is ignored? The company that installed the system says that it is proprietary and it simply stopped replying to my emails. Any idea? – Marklar Oct 28 '19 at 10:29
  • It's very likely the parity bit is simply ignored and only the CRC is used by the protocol. It might indeed be a custom Modbus with some modifications that are giving you the bad CRCs, but I doubt it. The only other thing that comes to mind is noise in the bus, are you able to get a scope to hook it up to the bus and see what's going on? Otherwise if your bus is only two wires (A/B) you might want to try to add a third wire to connect the grounds (GND) of all parties (thermostat, valve box and your RS485 sniffer). You can experiment connecting only two sides to see if you notice any change – Marcos G. Oct 28 '19 at 10:38
  • My bus has 2 wires and GND, I connected A, B and GND in at least the thermostat and sniffer (I can't reach the valve box, it is key protected). I'll try to disconnect the thermostat to see if the noise is the problem. I see that almost all the packets go with address 7, some with address 0 (All with CRC BAD) and sometimes (like a packet each 20) with another address (17, 96, 192) – Marklar Oct 28 '19 at 12:33

1 Answer


I solved the issue. The problem was that I'm using an RS485 to Ethernet device to read the bus. The device was buffering frames until the buffer reached 1024 bytes, then it packed the data into a UDP packet and sent it to my PC. That was breaking the Modbus frames. A Modbus frame is delimited by a silent period of 3,5 times of a symbol. I configured the buffer to 0 bytes so the device immediately sends the data to my PC and all the CRCs are now OK and the data makes sense. Now I have to reverse engineer the data sent by Modbus but that's another topic. Thanks!

Marklar