Disclaimer: I am very new to all of this. If anyone has general RS485 / serial debugging experience that’d be awesome.
I ended up with a RS485 to USB adapter and have tried about 5 different software programs to reverse engineer it at this point (list below) with no luck. At first I tried a protocol analyzer (knockoff Logic 16 device) which was helpful to a point, but only really confirming that it is indeed serial RS485-ish. I do have a few dumps from that if anyone would find it helpful…
Everything I’ve seen so far seems to lean towards the protocol being Modbus-like, but so far all the combinations of Baud Rate / Data Bits / Stop Bits / Parity I’ve tried have led to the CRC failing on each frame/message. That said, there seem to be some Modbus commands with the controller connected (like reading registers - Serial Port Monitor says so at least)
When I have the controller powered, there is a LOT more traffic over the wire even when no settings are changing - it’s like the controller and the ERV are in constant communication. When the controller unpowered (12V unhooked), there are a few bytes that get repeated over and over again (9600 baud, 4c 28) coming from the ERV - I am unsure if this means the ERV is the “master” or the “slave” according to the protocol definition, which could be something to investigate next.
I think the baud rate might be 19200 because it has the fewest number of huge 00-filled gaps (so far)… 9600 also seems to be common with Modbus.
I emailed Broan to ask, but I fully expect not to get a response.
Current setup:
- I have the D+ / D- wires connected to the RS485 serial adapter at the controller, just jammed both wires in to the terminals. I’m a bit concerned this method and the long length (~30ft) of thermostat wire might be hampering my investigation, but seems unlikely given how these controllers are typically installed.
- I also tried reversing them on the adapter.
Different software I’ve tried…
- Serial Port Monitor: Serial Port Monitor - COM port sniffer & analyzer, lots of errors around another program using the port
- https://qmodbus.sourceforge.net/: Currently crashing because I picked too high a baud rate at one point
- CAS Modbus Scanner: CAS Modbus Scanner - Chipkin Automation Systems, lots of errors
- Fernhill SCADA Configuration Tool: Fernhill SCADA Autodetect Wizards Overview, I thought this was promising because of the Autodetect tool, unfortunately it hasn’t found anything so far.
- Download Software | Simply Modbus Software - Not useful so far.
Possible next steps:
- Try to communicate just with the controller instead of (Controller+ERV) or just ERV - maybe more can be figured out in the other direction?
- Reboot the ERV with a serial port monitor connected - maybe some different data will show?
- Shorten control wires to ERV unit (low confidence this will help)