Koenkk / zigbee2mqtt

Zigbee to MQTT bridge, get rid of your proprietary Zigbee bridges
https://www.zigbee2mqtt.io
GNU General Public License v3.0

pairing APsystem YC600 #4221

Closed petsch9 closed 1 year ago

petsch9 commented 3 years ago

Hi,

Did someone manage to connect/pair with the APsystem YC600 micro inverter? They should connect with zigbee but it is not pairing at all.

Any suggestions are welcome.

Kind regards, Peter

kadzsol commented 3 years ago

Xbee is also an interesting device which is able to generate/send frames in API mode: https://subscription.packtpub.com/book/hardware_and_creative/9781784395582/1/ch01lvl1sec12/switching-to-api-mode Cost is around the 20-25 euro. Anyone experience?

boons605 commented 3 years ago

You mean this?

Got this laying around here for a work project I was going to pick up again the coming weeks.


kadzsol commented 3 years ago

Yes, exactly. Would be nice if you could test if it is able to generate frames which are similar to what we see in the sniff. With the frame generator included in XCTU (free download of Digi) it seems relatively easy to do this. If this works, we could create a development/test environment in which we send frames with xbee and sniff with cc2531.

boons605 commented 3 years ago

I can try this. Nevermind what I wrote about getting up on the roof, I missed the part about the development environment.

boons605 commented 3 years ago

Ok. Sending stuff using XCTU is easy and capturing that with the CC2531 is easy too. Now to send stuff that looks remotely like what we captured. Looks like I have some learning to do in the ZigBee world.


boons605 commented 3 years ago

It has taken a bit of fiddling with XCTU, since this is my first actual experience with ZigBee, but I have set up a ZigBee network on channel 16 / 0x10 and have managed to send some data across the network.

However, this doesn't remotely look like what the APS devices are sending, since this is a 'normal' network with a coordinator and two routers.


kadzsol commented 3 years ago

Great that you have managed to set up a network! If I understand correctly, you have 3 xbee devices participating in your network able to exchange data with each other?

According to the documentation, there is a frame generator in XCTU which can be used to generate custom frames. I wonder if you can evaluate this generator to see if we can use it to imitate the messages the ECU-R sends?

boons605 commented 3 years ago

These frames have already been generated using the frame generator. The frame generator generates frames in the XBee API format.

My guess is that we need to figure out if the XBee API offers possibilities to send frames that look like what the ECU-R sends and, more importantly, pick up the frames that the YC600 sends, since we already concluded that the ECU and YC don't form a network. The XBee does and the receiving end as currently configured only receives frames for the PAN it is associated with.

Also, have we been able to identify which packets are sent by the ECU-R and which by the YC600?

kadzsol commented 3 years ago


In the sniffs (like above) you can clearly see the packets of the ECU-R (source 0x0000). Before the pairing it sends "many to one" route requests and the inverters (e.g. 0xcaec) only send link status frames.
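
The two frame types named in the comment above can be told apart programmatically. This is an added example, not part of the original thread: a Node.js parser for unencrypted Zigbee NWK command frames that flags many-to-one route requests and decodes link status entries. The two hex frames are constructed samples, not taken from the thread's captures, and input is assumed to start at the NWK header (MAC header and FCS stripped).

```javascript
'use strict';
// Added example. Input: one Zigbee NWK frame (802.15.4 MAC header and FCS
// already stripped), as a Buffer. Field layout follows the Zigbee NWK spec.

function parseNwkHeader(buf) {
  if (buf.length < 8) throw new RangeError('NWK header truncated');
  const fc = buf.readUInt16LE(0);
  let off = 8;
  if (fc & 0x0800) off += 8;              // destination IEEE address
  if (fc & 0x1000) off += 8;              // source IEEE address
  if (fc & 0x0100) off += 1;              // multicast control
  if (fc & 0x0400) {                      // source route subframe
    if (off >= buf.length) throw new RangeError('source route truncated');
    off += 2 + 2 * buf[off];              // relay count, relay index, relays
  }
  if (off > buf.length) throw new RangeError('NWK header truncated');
  return {
    isCommand: (fc & 0x0003) === 1,       // frame type 1 = NWK command
    secured: (fc & 0x0200) !== 0,
    dst: buf.readUInt16LE(2),
    src: buf.readUInt16LE(4),
    payload: buf.subarray(off),
  };
}

function classifyNwkFrame(buf) {
  const { isCommand, secured, dst, src, payload: p } = parseNwkHeader(buf);
  const base = { src, dst };
  if (!isCommand) return { ...base, kind: 'not-a-command' };
  if (secured) return { ...base, kind: 'secured-command' }; // needs the key
  if (p.length < 1) throw new RangeError('command payload truncated');
  if (p[0] === 0x01) {                    // route request
    if (p.length < 6) throw new RangeError('route request truncated');
    const manyToOne = (p[1] >> 3) & 0x3;  // 0 = ordinary route request
    return { ...base,
             kind: manyToOne ? 'many-to-one-route-request' : 'route-request',
             requestId: p[2], target: p.readUInt16LE(3), pathCost: p[5] };
  }
  if (p[0] === 0x08) {                    // link status
    const count = p[1] & 0x1f;            // low 5 bits: number of entries
    if (p.length < 2 + 3 * count) throw new RangeError('link status truncated');
    const neighbours = [];
    for (let i = 0; i < count; i++) {
      const st = p[4 + 3 * i];
      neighbours.push({ addr: p.readUInt16LE(2 + 3 * i),
                        incomingCost: st & 0x7, outgoingCost: (st >> 4) & 0x7 });
    }
    return { ...base, kind: 'link-status', neighbours };
  }
  return { ...base, kind: 'other-command', commandId: p[0] };
}

// Constructed sample frames (not from the thread's captures).
const SAMPLE_ROUTE_REQUEST = Buffer.from('0900fcff00001e01010805fcff00', 'hex');
const SAMPLE_LINK_STATUS = Buffer.from('0900fcffecca012a0861000011', 'hex');

for (const f of [SAMPLE_ROUTE_REQUEST, SAMPLE_LINK_STATUS]) {
  console.log(JSON.stringify(classifyNwkFrame(f)));
}
```
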

boons605 commented 3 years ago

Well. The only way I can get the XBee to work is in a 'normal' network. The frame generator only helps me generate API commands.

I started reading up on CC2531 firmware development since apparently I need a device that allows a little more freedom.

kadzsol commented 3 years ago

Bummer. So we know how to "listen" but do not know how to "talk". I am afraid we will need to develop our own tool first :-(

manoficons commented 3 years ago

Which hardware uses the ECU-R to build and operate this "non-standard" network? Has anyone opened the box to see what is inside?

kadzsol commented 3 years ago

Which hardware uses the ECU-R to build and operate this "non-standard" network? Has anyone opened the box to see what is inside?

https://github.com/Koenkk/zigbee2mqtt/issues/4221#issuecomment-703176688

krikk commented 3 years ago

only the inverter itself is unable to open, the ecu-r should be more easy because it does not have to be waterproof...

boons605 commented 3 years ago

Which hardware uses the ECU-R to build and operate this "non-standard" network? Has anyone opened the box to see what is inside?

#4221 (comment)

The link in that comment points to a thread on the TI message board which also moves in the direction of setting up a network with a coordinator and routers. Because that's how it seems to work in the zigbee world.

Yesterday evening I was reading up on firmware development. Didn't have chance to try things yet.

npeter commented 3 years ago

I opened my ecu-r. The zigbee chip is in the left/bottom corner. There is a blank metal case behind the label. No details.

npeter commented 3 years ago

ecu-r_pcb_front_zigbee

kadzsol commented 3 years ago

Great!! https://fccid.io/2AFGR-APS2530S Some sort of clone of the CC2530?

manoficons commented 3 years ago

The user manual of the APS2530S says Zigbee PRO protocol. Does that mean, that this protocol must run on the CC2531 to make it work? https://e2e.ti.com/support/wireless-connectivity/zigbee-and-thread/f/158/t/151438?zigbee-pro-stack-on-cc2531-dongle-and-using-USB-

iboot700 commented 3 years ago

I've followed this guide to setup the CC2531 as a sniffer. This includes using ZBOSS V1.0 which is not supporting Zigbee Pro, this is supported from V2.0. See documentation here. However, I'm no Zigbee expert so I have no idea if this influences the sniffs we have made.

kadzsol commented 3 years ago

how to sniff zigbee pro: https://community.smartthings.com/t/zigbee-sniffer-recommendations/9689/3 differences zigbee and pro: https://www.eetimes.com/zigbee-and-zigbee-pro-which-feature-set-is-right-for-you/

After reading stuff on internet, I think we can still see/detect frames of Zigbee Pro protocol with a Zigbee (Zboss 1.0) sniffer; only parsing of the information might not work. I have asked this question on the Zboss forum.

iboot700 commented 3 years ago

I reverted my CC2531 back to the original TI firmware and sniffed using the zigbee pro protocol during the pairing of the YC600 with the TI package sniffer. To analyze you will need this software, it can be downloaded here

The only line which obviously stands out is line 24 but I'm not able to find anything interesting. Maybe some of you can?

pair_YC600_TI_ZBPro.zip

kadzsol commented 3 years ago

Did you use sniffer or sniffer-2?

iboot700 commented 3 years ago

Sniffer. Sniffer-2 is not compatible with the CC2531.

kadzsol commented 3 years ago

Thanks, I have managed to open the sniff. Line 24 is indeed a large one. Let me try to understand what is happening in this sniff.

npeter commented 3 years ago

I sniffed my system (1 QS1, 3 modules connected) with the TI fw as described in https://github.com/Koenkk/zigbee2mqtt/issues/4221#issuecomment-700925206.

pair_QS1_TI_ZBPro_2020-11-03.zip

Still trying to understand what's going on.

kadzsol commented 3 years ago

Very difficult to interpret these types of sniffs. It seems I have to learn a lot. Finally got some time to download and install IAR Embedded Workbench for 8051. Went for the 4k limited source installation mode to have enough time to experiment. Anyone who knows a good tutorial for beginners?

kadzsol commented 3 years ago

The limited 4k edition of IAR is useless. Do not waste time on it. Use the 30-days fully functional trial version.

Finally managed to get a working IAR for 8051 installation and was able to compile the genericapp example provided by TI.

npeter commented 3 years ago

I installed TI Code Composer Studio and was able to run TI zigbee example on an LAUNCHXL-26X2R1 board. Could see some zigbee communication with sniffer. But still a long way to go.

gamer123 commented 3 years ago

I am also running a YC 600 and would like to use the zigbee connection. Maybe another point is getting the firmware and decompiling it. Maybe, if a firmware update with the ECU-R is possible, we could do it like this?

kadzsol commented 3 years ago

@gamer123 Can be another route to try. I have some experience with dismantling some Android phone ROMs but you always need special tools for that. Not sure what format the ECU-R firmware would need.

In the meantime I have made some steps with creating a CC2531 based "low-level transmitter".

  1. I have found an old (zigbee 2.x based) sample application which we might be able to alter to suit our needs:

https://github.com/dynamicy/z-stack/blob/master/Sample%20Example/Projects/zstack/Utilities/Transmit/Source/TransmitApp.c

It was written for the CC2530 and IAR 7.5, but I have managed to compile it with IAR 10.30.

  2. I can flash my CC2531 with the generated hex file. Directly after flashing the red LED of my CC2531 goes on. I do not know yet what it means. :-)

  3. Next week I hope my other CC2531 dongle will arrive so I can listen in real time with Wireshark what is going on in the "air".

In the meantime I will try to use the debugger/simulator in IAR to figure out what the red LED means.

Still a lot of things to learn/do!

npeter commented 3 years ago

I started analysis of data frames from QS1 to ECU-R, focused on the long ones (APDU payload with length 94). So I wrote a JavaScript (node.js) script to convert .psd files into a .txt which can be imported by Excel. Now it was possible to identify some structures and data and its potential meaning. But there's still a lot of unknown data (and APDU data frames).

See the following tables

Global data


Protocol related data


gamer123 commented 3 years ago

@kadzsol that's true, I do have a tool. The used chip is shown further up here. If someone owns a firmware update, maybe he or she can provide it to me, then I can try to decompile it. https://github.com/Koenkk/zigbee2mqtt/issues/4221#issuecomment-718162950

@npeter looks very good, did you use the data that is provided here in github?

As far as I understood, the main thing is to get in touch with the zigbee of the YC or QS1. The ECU triggers the YC and after that the YC starts sending data without building a network. And the available zigbee firmware and stuff is not able to send its own telegrams in a not available network. But the good thing is no crazy encryption.

kadzsol commented 3 years ago

@gamer123 I have just googled for about an hour but was not able to find a firmware (update) file. Maybe if you have an installation account you can grab it at APS site, but I doubt. It seems a very closed system, also for updates if I read this:

https://www.solarpaneltalk.com/forum/solar-panels-for-home/solar-panels-for-your-home/381282-apsystems-yc600s-underproducing-on-second-mppt

You may try to decompile the ECU-R app to learn something if you have the time?

https://play.google.com/store/apps/details?id=com.apsystems.ecu_r&hl=nl&gl=US

iboot700 commented 3 years ago

@kadzsol I do have an installation account but was not able to find any firmware in there.

@npeter Great work! As I already own the ECU-R for me it would be sufficient to convert this data to mqtt so I can pick it up from there. If you are willing to share the script I can help to analyze the frames. Looking at the raw data coming from the YC600 it should contain the following info:

YC600_data

kadzsol commented 3 years ago

My 2nd cc2531 has arrived today! My setup is complete now. I can develop in IAR, compile the code and upload it to the transmitter device. While it transmits, I can see the packages real time in Wireshark. I have recompiled the GenericApp example from Z-stack 3.0 to behave as a coordinator on channel 12, and I can see it in Wireshark. Now it is time to test if I still can program in C... :-)

npeter commented 3 years ago

@iboot700 Great! You are welcome to support the analyzing of the frames. The data shown by you is exactly what I'm still looking for. I try to find a way to share the script and some data. It's also my first priority to have a specific YC/QS1 zigbee-mqtt gateway.

@kadzsol, @gamer123 A second step could be to replace the ECU-R as proposed.

npeter commented 3 years ago

@iboot700 The converter can be found here. If you have further questions ...

npeter commented 3 years ago

I continued with my analysis of the data QS1 frame. See the table below.

Still some work to do.

dash042 commented 3 years ago

Hi, I have just bought 2 Heckert panels and a YC600. I have a cc2531 on my rpi4. Anything I can do to help?

kadzsol commented 3 years ago

@dash042 Let me try to summarize the status of our project for you. Feel free to jump in any part you like/can.

  1. One use case of npeter is interpreting the sniff results of an earlier (officially) paired inverter. So if you have an ECU and already paired your YC600, the inverter will transmit information to this real ECU, which in turn uploads the information to the APS cloud. With a cc2531 you can grab the Zigbee information transmitted and interpret it with the script of npeter. So you do not have to get the information from the APS cloud but have it as output of his script. After that you could do whatever you want with the information, like feeding it into other systems for further processing.

  2. I myself am busy with writing some software to simulate the pairing process. This is needed to trigger the inverter to start sending information to this simulated/fake/virtual/etc ECU. Once we managed to pair without having to have a real ECU, the script of npeter can be used to interpret and use the information in other systems.

Completing the use cases #1 & #2 would yield us a minimum system which would enable us to get information from the inverters without using an ECU and the APS cloud.

Status of use case 2:

I have setup a development environment and managed to compile sample applications provided by TI. They run fine on my cc2531. I have modified one of the samples to transmit my own frames. Unfortunately, this does not work yet. When I try to debug it, my application hangs at the hardware initialization code. This is kind of strange, as I did not modify that part. So kind of stuck here.

gamer123 commented 3 years ago

Very nice :) 2 days ago my CC2531 arrived. I am still waiting for the flash equipment. Then I can start testing with my YC600.

dash042 commented 3 years ago

@kadzsol thank you! I didn't spend 200€ on this proprietary ECU... Maybe I can have a look at the "triggering-app" you wrote? Is it on github? I'll get myself a second cc2531 for testing.

kadzsol commented 3 years ago

@dash042 Nice if you want to help with coding. First please download IAR embedded workbench for 8051 and install it. You need to apply for a 30 days FULL license. After that download and compile the Z-stack 3.0 sample application GenericApp. Once that is done, I will tell you the changes I did to the code of GenericApp to start transmitting my own frame.

https://www.iar.com/iar-embedded-workbench/#!?architecture=8051

https://www.ti.com/tool/Z-STACK

npeter commented 3 years ago

Short summary about the state of my PV POC:

  1. PV system: Three modules, QS1 and ECU-R
  2. TI sniffer2 fw running on a CC2652 EVA board
  3. ESP8286 connected via serial link
  4. Tasmota 9.2.x with a proprietary extension working as sniffer2-zigbee-mqtt gateway (xsn_96_qs1.ino)
    • command the sniffer, decode and extract (all) zigbee frames
    • distributes them via MQTT (WiFi)
  5. Smart home center using iobroker as MQTT broker
  6. iobroker sonof adapter to connect ESP/Tasmota/MQTT
  7. iobroker influxdb adapter as database
  8. iobroker lovelace adapter for visualization
  9. iobroker javascript adapter for programming
    • JS script (pvMonitor.js)
      • decode zigbee frames, extract QS1 data
      • prepare PV data and store states in iobroker db

System Overview:

Next steps - Short term:

Next steps - Mid/long term (ideas and dreams):

gamer123 commented 3 years ago

@kadzsol I would also use a separated gateway as a fake ECU. I think a sonoff zigbee bridge would be great because it is cheap, has wifi and an ESP8266, tasmota can run on it, and custom firmware files for the CC2531 can be flashed directly via tasmota via serial communication on this board ... but for now it may be relevant in the future.

Do you have the code changes listed somewhere? I will try it too. Has someone created a pairing sequence out of the sniffs to toggle the YC/QS to send data?

Btw I ordered a second CC2531 to sniff and send at the same time ..

kadzsol commented 3 years ago

Hi @gamer123, I have added the following piece of code to the static void zclGenericApp_HandleKeys( byte shift, byte keys ) function of the GenericApp example in order to transmit my own zigbee frame:

```c
// Destination address: broadcast mode, endpoint 0, short address 0
afAddrType_t TransmitApp_DstAddr;
TransmitApp_DstAddr.addrMode = (afAddrMode_t)AddrBroadcast;
TransmitApp_DstAddr.endPoint = 0;
TransmitApp_DstAddr.addr.shortAddr = 0;

endPointDesc_t TransmitApp_epDesc;
byte TransmitApp_TaskID;
// These constants are only for example and should be changed to the
// device's needs
#define TRANSMITAPP_ENDPOINT           1
#define TRANSMITAPP_PROFID             0x0F05
#define TRANSMITAPP_DEVICEID           0x0001
#define TRANSMITAPP_DEVICE_VERSION     0
#define TRANSMITAPP_FLAGS              0
#define TRANSMITAPP_MAX_CLUSTERS       1
#define TRANSMITAPP_CLUSTERID_TESTMSG  1
// This is the Cluster ID List and should be filled with Application
// specific cluster IDs.
const cId_t TransmitApp_ClusterList[TRANSMITAPP_MAX_CLUSTERS] =
{
  1  // MSG Cluster ID
};

const SimpleDescriptionFormat_t TransmitApp_SimpleDesc =
{
  TRANSMITAPP_ENDPOINT,              //  int    Endpoint;
  TRANSMITAPP_PROFID,                //  uint16 AppProfId[2];
  TRANSMITAPP_DEVICEID,              //  uint16 AppDeviceId[2];
  TRANSMITAPP_DEVICE_VERSION,        //  int    AppDevVer:4;
  TRANSMITAPP_FLAGS,                 //  int    AppFlags:4;
  TRANSMITAPP_MAX_CLUSTERS,          //  byte   AppNumInClusters;
  (cId_t *)TransmitApp_ClusterList,  //  byte   *pAppInClusterList;
  TRANSMITAPP_MAX_CLUSTERS,          //  byte   AppNumOutClusters;
  (cId_t *)TransmitApp_ClusterList   //  byte   *pAppOutClusterList;
};

// Endpoint descriptor used as the source endpoint of the request
TransmitApp_epDesc.endPoint = TRANSMITAPP_ENDPOINT;
TransmitApp_epDesc.task_id = &TransmitApp_TaskID;
TransmitApp_epDesc.simpleDesc
        = (SimpleDescriptionFormat_t *)&TransmitApp_SimpleDesc;
TransmitApp_epDesc.latencyReq = noLatencyReqs;

uint8 tmp;
uint16 len;
static byte TransmitApp_TransID = 0;
// This is the buffer that is sent out as data.
// Zero-filled so the bytes not set below are not uninitialized stack data.
byte TransmitApp_Msg[ 10 ] = { 0 }; // max len = 10
tmp = HI_UINT8( '0' );
tmp += '0';
TransmitApp_Msg[2] = tmp;
tmp = LO_UINT8( '0' );
tmp += '0';
TransmitApp_Msg[3] = tmp;
len = 10;
uint8 AF_DataRequestDiscoverRoute = TRUE; // not used by the call below
tmp = AF_DataRequest( &TransmitApp_DstAddr, &TransmitApp_epDesc,
                      1,   // cluster ID
                      len, TransmitApp_Msg,
                      &TransmitApp_TransID,
                      0, // no ACK required
                      AF_DEFAULT_RADIUS );
```

Before you can do any coding, you need to create/setup a development environment and compile examples: https://github.com/Koenkk/zigbee2mqtt/issues/4221#issuecomment-757342233

gamer123 commented 3 years ago

@kadzsol until here it was no big deal. I used this project.

In the code of my project some buttons are programmed in this function.

The values you hand over in this function are not used in your code? ( byte shift, byte keys )

I removed now all this gibberish.

So compiling is possible but with a warning.. so I think I am working in the wrong file? Or am I wrong?

should we create a discord channel ?

kadzsol commented 3 years ago

@gamer123 I have found my discord login so yes, let us do it :-) I am also kadzsol on discord :-))

Indeed, the values I hand over in that function are not used. I just hardcoded some code for now for transmission of a many-to-one route request. This is the first frame the ECU sends when it is powered on. My idea was to send this hardcoded frame when I press the switch button on my transmitter cc2531 and see the many-to-one route request coming in on my sniffer cc2531. But it is not working....

kadzsol commented 3 years ago

@gamer123 my discord Id is kadzsol#5835