Could someone help me to reverse engineer this protocol? :)

Hardware
1

Hi all,

Last year i managed to “smarten up” my aircon unit. I basically replaced the controller that was using a (proprietary?) protocol over an RS-485 line, with an Atom board and an RS485 expansion.

It works fine, as I simply send the frames that the “old” controller was sending, after i managed to identify which byte/nibble means what to the aircon unit, and setting it according to mqtt messages from home assistant.

Here a picture of what i came up with, with the frames that the “old” controller was sending to the unit at given settings (speed, temperature etc.):

image
image1132×469 38.8 KB

As i said, it’s fine, it works!
What i’m still having trouble to understand, is the reply of the aircon unit, which are these (as per the same settings of the previous picture):

image
image916×322 31 KB

So basically i’m not able to understand what the hell the machine is replying. Fortunately it’s fine, because these frames are sent very often so untill now it worked perfectly.
But maybe there could be some informations like confirmations of settings, or other informations that i’m not able to understand? Does anyone see a pattern on RX side or - and this is what i hope - recognize some standard protocol?

I marked in Bold and Italic the bytes on the frames the changes at each command.
Also, this is the original controller, if it could help

Thanks in advance!

2

Can you post the tables in raw form instead of images?

3

I took a deeper look into this, and I don’t think we have enough data to reverse engineer it.

I think you should fill in the following table. Ensuring you DO NOT CHANGE any other settings than what’s listed in the table.

state set temperature mode fan speed
on 20° cool 1
on 21° cool 1
on 22° cool 1
on 23° cool 1
on 24° cool 1
on 25° cool 1
on 20° cool 2
on 21° cool 2
on 22° cool 2
on 23° cool 2
on 24° cool 2
on 25° cool 2
on 20° cool 5
on 21° cool 5
on 22° cool 5
on 23° cool 5
on 24° cool 5
on 25° cool 5
on 20° cool Turbo
on 21° cool Turbo
on 22° cool Turbo
on 23° cool Turbo
on 24° cool Turbo
on 25° cool Turbo
on 20° heat 1
on 21° heat 1
on 22° heat 1
on 23° heat 1
on 24° heat 1
on 25° heat 1
on 20° heat 2
on 21° heat 2
on 22° heat 2
on 23° heat 2
on 24° heat 2
on 25° heat 2
on 20° heat 5
on 21° heat 5
on 22° heat 5
on 23° heat 5
on 24° heat 5
on 25° heat 5
on 20° heat Turbo
on 21° heat Turbo
on 22° heat Turbo
on 23° heat Turbo
on 24° heat Turbo
on 25° heat Turbo
on 20° dehumi 1
on 21° dehumi 1
on 22° dehumi 1
on 23° dehumi 1
on 24° dehumi 1
on 25° dehumi 1
on 20° dehumi 2
on 21° dehumi 2
on 22° dehumi 2
on 23° dehumi 2
on 24° dehumi 2
on 25° dehumi 2
on 20° dehumi 5
on 21° dehumi 5
on 22° dehumi 5
on 23° dehumi 5
on 24° dehumi 5
on 25° dehumi 5
on 20° dehumi Turbo
on 21° dehumi Turbo
on 22° dehumi Turbo
on 23° dehumi Turbo
on 24° dehumi Turbo
on 25° dehumi Turbo
on 20° fan 1
on 21° fan 1
on 22° fan 1
on 23° fan 1
on 24° fan 1
on 25° fan 1
on 20° fan 2
on 21° fan 2
on 22° fan 2
on 23° fan 2
on 24° fan 2
on 25° fan 2
on 20° fan 5
on 21° fan 5
on 22° fan 5
on 23° fan 5
on 24° fan 5
on 25° fan 5
on 20° fan Turbo
on 21° fan Turbo
on 22° fan Turbo
on 23° fan Turbo
on 24° fan Turbo
on 25° fan Turbo
off 20° cool 1
off 21° cool 1
off 22° cool 1
off 23° cool 1
off 24° cool 1
off 25° cool 1
off 20° cool 2
off 21° cool 2
off 22° cool 2
off 23° cool 2
off 24° cool 2
off 25° cool 2
off 20° cool 5
off 21° cool 5
off 22° cool 5
off 23° cool 5
off 24° cool 5
off 25° cool 5
off 20° cool Turbo
off 21° cool Turbo
off 22° cool Turbo
off 23° cool Turbo
off 24° cool Turbo
off 25° cool Turbo
off 20° heat 1
off 21° heat 1
off 22° heat 1
off 23° heat 1
off 24° heat 1
off 25° heat 1
off 20° heat 2
off 21° heat 2
off 22° heat 2
off 23° heat 2
off 24° heat 2
off 25° heat 2
off 20° heat 5
off 21° heat 5
off 22° heat 5
off 23° heat 5
off 24° heat 5
off 25° heat 5
off 20° heat Turbo
off 21° heat Turbo
off 22° heat Turbo
off 23° heat Turbo
off 24° heat Turbo
off 25° heat Turbo
off 20° dehumi 1
off 21° dehumi 1
off 22° dehumi 1
off 23° dehumi 1
off 24° dehumi 1
off 25° dehumi 1
off 20° dehumi 2
off 21° dehumi 2
off 22° dehumi 2
off 23° dehumi 2
off 24° dehumi 2
off 25° dehumi 2
off 20° dehumi 5
off 21° dehumi 5
off 22° dehumi 5
off 23° dehumi 5
off 24° dehumi 5
off 25° dehumi 5
off 20° dehumi Turbo
off 21° dehumi Turbo
off 22° dehumi Turbo
off 23° dehumi Turbo
off 24° dehumi Turbo
off 25° dehumi Turbo
off 20° fan 1
off 21° fan 1
off 22° fan 1
off 23° fan 1
off 24° fan 1
off 25° fan 1
off 20° fan 2
off 21° fan 2
off 22° fan 2
off 23° fan 2
off 24° fan 2
off 25° fan 2
off 20° fan 5
off 21° fan 5
off 22° fan 5
off 23° fan 5
off 24° fan 5
off 25° fan 5
off 20° fan Turbo
off 21° fan Turbo
off 22° fan Turbo
off 23° fan Turbo
off 24° fan Turbo
off 25° fan Turbo

You would also need to record the temperature value on the device as well. If this is a response, it most likely has those values in the output.

4

Also, here’s tables of that data, maybe they will help you.

hex 1 hex 2 hex 3 hex 4 hex 5
D1 12 40 42 33
D1 12 41 41 33
01 00 41 41 3D
01 10 40 42 34
D1 12 41 42 33
51 12 41 42 39
51 06 41 42 3B
51 07 41 42 3B
53 02 41 43 3D
54 00 41 43 3C
int1 int 2 int 3 int 4 int 5
209 18 64 66 51
209 18 65 65 51
1 0 65 65 61
1 16 64 66 52
209 18 65 66 51
81 18 65 66 57
81 06 65 66 59
81 07 65 66 59
83 02 65 67 61
84 0 65 67 60
bin 1 bin 2 bin 3 bin 4 bin 5
11010001 00010010 01000000 01000010 00110011
11010001 00010010 01000001 01000001 00110011
00000001 00000000 01000001 01000001 00111101
00000001 00010000 01000000 01000010 00110100
11010001 00010010 01000001 01000010 00110011
01010001 00010010 01000001 01000010 00111001
01010001 00000110 01000001 01000010 00111011
01010001 00000111 01000001 01000010 00111011
01010011 00000010 01000001 01000011 00111101
01010100 00000000 01000001 01000011 00111100
1 Like
5

Thanks! Honestly I don’t think I could re-fetch the data in these days… I should have to rewire the original controller, place the sniffer and even re-install the software I used to get the frames, that will take some time! :face_exhaling:

Also, I do not have the temperature as seen by the unit, it’s not displayed back into the controller… so I think for the moment I’m hoping for someone to recognize the protocol :sweat_smile:

6

And just a tip, ChatGPT is pretty good in reverse engineering protocols :grin:
(helped me a lot when i reverse engineered my pellet stove :face_holding_back_tears:)

7

Well all I could see is that on/of is loosely tied to bin1 5th and 6th bit.

image

and set temperature is definitely the 3rd pair.

image

The rest is potentially grabbable but there’s too much noise in all the other bits.

8

Hex 4 could be current temperature measured at the unit. The manual also references temperature measured at the outdoor unit which could be hex 5, but that’s just guessing.

Looks like Mode is embedded in Bin 1.

I’d expect to see operating state in here as well. For example, in that last line the mode is set to heat but is the heat actually on or is the unit idle.

1000003357
10000033571080×1721 208 KB