1
votes

That's my first question. I'm trying to turn on/off my heating with an arduino. First I've to figure out how to communicate with it. My thermostat have 4 wires (3V, GND, A+, B-) That's typical 2-wire RS-485 + 3V power to feed the thermostat. I've connected a RS-485 to ethernet converter to monitor the protocol and figure out the commands used by my actual thermostat in order to replicate them with arduino (and automate some tasks). I started with a modbus monitor (Serial Port Monitor) and some packets have a OK checknum and some packets have a BAD checknum. I don't know the configuration of the port so i've tried some 9600 8 bits no parity, 9600 8 bits even parity, 9600 8 bits odd parity and the result is the same. It seems that the packets fit the modbus structure sometimes but not always. Can I assume that the communication protocol is modbus? Why some packets more or less 30% have OK checknum and 70% have BAD checknum?

[23/10/2019 19:57:51]
Modbus Response (COM4)
Address: 7
Function: 15 (0x0f) - Write Multiple Coils
Starting Address: 1 Quantity: 4

Checksum: 1454(OK)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 7
Function: 1 (0x01) - Read Coils Byte Count: 0
Values:

Checksum: 32174(OK)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 7
Function: 1 (0x01) - Read Coils Byte Count: 1
Values: 00
Coils 0-7: 00000000

Checksum: 20736(OK)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 7
Function: 15 (0x0f) - Write Multiple Coils
Starting Address: 1 Quantity: 4

Checksum: 33660(OK)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 7
Function: 15 (0x0f) - Write Multiple Coils

Checksum: 1(BAD)

[23/10/2019 19:57:52]
Modbus Response (COM4)
Address: 0
Function: 4 (0x04) - Read Input Registers

Checksum: 1454(BAD)

[23/10/2019 19:57:53]
Modbus Response (COM4)
Address: 7
Function: 1 (0x01) - Read Coils

Checksum: 0(BAD)

[23/10/2019 19:57:53]
Modbus Response (COM4)
Address: 0
Function: 7 (0x07) - Read Exception status

Checksum: 32174(BAD)

[23/10/2019 19:57:53]
Modbus Response (COM4)
Address: 7
Function: 1 (0x01) - Read Coils

Checksum: 256(BAD)

[23/10/2019 19:57:53]
Modbus Response (COM4)
Address: 7
Function: 15 (0x0f) - Write Multiple Coils
Starting Address: 1 Quantity: 4

Checksum: 256(BAD)

Do you think that modbus is the protocol being used or should I try some other protocol? How can I be sure that the port communication settings (9600 8 bits even parity) are OK?

Thank you guys!

1
it certainly looks like Modbus. Not that I'm advocating against the tons of entertainment you can get from reverse engineering but have you tried to get the documentation of your boiler and thermostat? I guess you are using Eltima, right? I have no experience with it but being a commercial product I imagine the bad CRCs you see are real. More than a couple of bad CRC every once in a while normally means you have hardware issues. You should verify if the connections and cables on the original bus are OK and if you are somehow disturbing the bus with your sniffer - Marcos G.
Thanks for your response. I really want to avoid all this entertainment but my thermostat is tailor-made for the installation (electronic PCB included) by a small company and I don't know even if the modbus goes to the boiler directly. The installation is a community boiler for radiant heating. I ignore the reason for using a installation-specific thermostat instead of a commercial one. - Marklar
I see, but don't forget there are two sides to the story, what about the boiler? Is it unbranded too? Reverse engineer it should not be that difficult for a simple temperature control. Out of curiosity: can you tell what microcontroller is the thermostat build upon? - Marcos G.
I forgot to mention that it is quite likely your Modbus device is not checking for parity (some devices do check but they already have the CRC so it does not make much sense from a design perspective). If you use no parity bit I think the standard says you have to go with 2 stop bits. - Marcos G.
I wrote before you finished writing your comment, sorry about that. For a community boiler, you will probably have a valve box with computer control and inputs from the boiler and each thermostat. Depending on the temperature you set on the thermostat of each room the control open or closes each valve as needed. If you have a certain number of rooms or appartments I guess it makes sense to use Modbus... - Marcos G.

1 Answers

1
votes

I solved the issue. The problem was that I'm using a RS485 to ethernet device to read the bus. The device was buffering frames until the buffer reaches 1024 bytes, then it packets the data in an UDP packet and sends it to my PC. That was breaking the modbus frames. A modbus frame is delimited by a silent period of 3,5 times of a symbol. I configured the buffer to 0 bytes so the device immediately sends the data to my PC and all the CRCs are now OK and the data makes sense. Now I've to reverse engineer the data sent by modbus but that's other topic. Thanks!