Grmume / renogy-smart-battery

Playground for the 100ah LiFePo Renogy Smart Battery RS485 interface
MIT License

Changing Modbus Address #3

Open epfenninger opened 2 years ago

epfenninger commented 2 years ago

Writing to registry 5223 allows you to change the battery address!

sdellysse commented 2 years ago

Hey there @epfenninger, how are you discovering this? I'm looking to expand our knowledge as well, but aside from brute-force address scanning I ain't found much. I figure I could probably be doing this better.

epfenninger commented 2 years ago

@sdellysse Brute force scanning as well - but if you hook up the Renogy firmware update app and connect, it pushes the batteries into their debug mode by PylonTech, which has several commands.

info, pwr, bat

You can use these to then see what is going on with the batteries (which is how I figured out the cell temperatures).

As for the 5223 registry I just found the first one that read 247 and tried writing to it!

All of Renogy's registries seem to be in the 5000-6000 range which also makes it easier.
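A bus-side check for the write described in this thread, as an added example (not code from this repository or its contributors): it decodes Modbus RTU frames captured on the RS485 line and reports any write that touches register 5223. It assumes the register number is decimal, that the write uses standard function 0x06 or 0x10, and that 247 is the battery's current address; the sample frames are constructed.

```python
import struct

ADDRESS_REGISTER = 5223  # register named in the thread; assumed to be decimal

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def frame(pdu: bytes) -> bytes:
    """Append the CRC, low byte first, as Modbus RTU sends it."""
    return pdu + struct.pack("<H", crc16_modbus(pdu))

def written_registers(adu: bytes):
    """Return (unit, {register: value}) for a valid write frame, else None."""
    # A frame with a correct trailing CRC re-computes to zero.
    if len(adu) < 8 or crc16_modbus(adu) != 0:
        return None
    unit, func = adu[0], adu[1]
    if func == 0x06 and len(adu) == 8:  # write single register (echoed in the reply)
        reg, value = struct.unpack(">HH", adu[2:6])
        return unit, {reg: value}
    if func == 0x10:  # write multiple registers
        start, count, nbytes = struct.unpack(">HHB", adu[2:7])
        if nbytes != 2 * count or len(adu) != 9 + nbytes:
            return None
        values = struct.unpack(f">{count}H", adu[7:7 + nbytes])
        return unit, {start + i: v for i, v in enumerate(values)}
    return None

def address_changes(frames):
    """List (unit, new_value) for every write that touches ADDRESS_REGISTER."""
    decoded = filter(None, map(written_registers, frames))
    return [(u, regs[ADDRESS_REGISTER]) for u, regs in decoded if ADDRESS_REGISTER in regs]

# Constructed capture: unit 247 and the new values 48/49/50 are sample data.
corrupt = bytearray(frame(struct.pack(">BBHH", 247, 0x06, 5223, 50)))
corrupt[-1] ^= 0xFF  # break the CRC so the frame must be rejected
SAMPLE = [
    frame(struct.pack(">BBHH", 247, 0x03, 5000, 4)),               # read
    frame(struct.pack(">BBHH", 247, 0x06, 5223, 48)),              # single write
    frame(struct.pack(">BBHHB2H", 247, 0x10, 5222, 2, 4, 0, 49)),  # block write
    bytes(corrupt),
]
```

Because a slave echoes a 0x06 request verbatim, a passive tap sees each successful single-register write twice.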

sdellysse commented 2 years ago

That's useful info, I'll have to try that. Today I downloaded the Android app and decompiled it hoping it would have some useful info in it, but it looks like they've either obfuscated that part of the code or I just simply couldn't find it heh, so I'm glad to see someone's been making progress.

Grmume commented 2 years ago

@epfenninger Thanks, that's useful, especially if you have multiple batteries. I will update the script. (Unfortunately I don't have the BT 2 adapter, so the details you get from logging the communication are much appreciated :) )

gambleben commented 2 years ago

> @sdellysse Brute force scanning as well - but if you hook up the renogy firmware update app and connect it pushes the batteries into their debug mode by PylonTech which has several commands.
>
> info, pwr, bat

I've played around with the console and found a couple of other commands that might be useful for reverse engineering the modbus registers:

config seems to show the BMS parameters since they match up with the datasheet from Renogy. Some example values:

```
OV:14800 mV
OVR:13800 mV
HV:14200 mV
HVR:13800 mV
LV:12000 mV
LVR:12400 mV
UV:10000 mV
UVR:12400 mV
BOV:3700 mV
BOVR:3450 mV
BHV:3550 mV
BHVR:3450 mV
BLV:3000 mV
BLVR:3100 mV
BUV:2500 mV
BUVR:3100 mV
```

datalist allows you to view internal BMS logs. For example, the command datalist show history had the below example output (looks like it logs every 5 minutes):

```
Item Time Vol Curr VolH VolL BTempH BTempL Per Soc ETemp Base Syserr Vol.St Curr.St Temp.St Cmos Dmos Pmos Heat Power Conn
1 21-02-06 10:42:57 13158 0 3295 3283 15000 15000 50 NORMAL 16000 Running NORMAL NORMAL NORMAL NORMAL ON ON OFF OFF OUT NORMAL
2 21-02-06 10:47:56 13157 0 3295 3283 15000 15000 50 NORMAL 17000 Running NORMAL NORMAL NORMAL NORMAL ON ON OFF OFF OUT NORMAL
3 21-02-06 10:52:55 13157 0 3295 3283 15000 15000 50 NORMAL 17000 Running NORMAL NORMAL NORMAL NORMAL ON ON OFF OFF OUT NORMAL
4 21-02-06 10:57:54 13156 0 3295 3282 15000 15000 50 NORMAL 17000 Running NORMAL NORMAL NORMAL NORMAL ON ON OFF OFF OUT NORMAL
```

and datalist show misc gave the following similar output (looks like it's triggered by PowerOn and PowerOff events):

```
Item Time Vol Curr VolH VolL BTempH BTempL Per Soc ETemp Base Syserr Vol.St Curr.St Temp.St Cmos Dmos Pmos Heat Power Conn
1 21-02-06 10:34:23 13162 0 3296 3285 15000 15000 50 NORMAL 16000 PowerOn NORMAL NORMAL NORMAL NORMAL ON OFF ON OFF OUT NORMAL
2 21-02-06 10:36:51 13144 0 3291 3280 15000 15000 50 NORMAL 16000 PowerDown NORMAL NORMAL NORMAL NORMAL OFF OFF OFF OFF OUT NORMAL
3 21-02-06 10:37:13 13150 0 3293 3281 15000 15000 50 NORMAL 16000 PowerOn NORMAL NORMAL NORMAL NORMAL ON OFF ON OFF IN NORMAL
4 21-02-06 10:37:43 13172 0 3298 3287 15000 15000 50 NORMAL 16000 PowerDown NORMAL NORMAL NORMAL NORMAL OFF OFF OFF OFF OUT NORMAL
```

ctrl shows the following:

```
cfet: on
cblock: off
dfet: on
dblock: off
heat: off
pfet: off
```

log also gives some data, but not sure how useful it is.