Open HansWegman opened 2 weeks ago
Could you increase the log level and provide a complete log (in the best case retrieved using a serial/USB connection)?
logger:
  level: VERY_VERBOSE
  logs:
    jbd_bms_ble: VERY_VERBOSE
    ble_client: DEBUG
    esp32_ble: DEBUG
    esp32_ble_tracker: DEBUG
    scheduler: DEBUG
    component: DEBUG
    sensor: DEBUG
    api: DEBUG
    api.service: DEBUG
Hello Sebastian, thanks for your quick response and your support. Unfortunately I do not have access to the device other than through Bluetooth since it is sealed. I added your log levels and have included the complete logs including the compilation and, in the end, where I move the device out of reach from the battery.
Hope this helps?
Your BMS doesn't respond. Do you have an Android app which is able to talk to the BMS? Could you share a link to this app?
No Android app but an iOS app called XiaoXiangElectric which works fine. Could it have something to do with the password I set and am unable to remove?
Yes. The password could probably be the root cause.
Okay, then I am stuck. I have been googling but there seems to be no way to get rid of it, since my only connection option is Bluetooth, which won't work with a password set. Any suggestions other than breaking the seal and the guarantee of this new unit?
Hello Sebastian,
Any suggestions on how I can debug this further? I did find a link to an Android App which looks the same as my iPhone app if that helps: https://play.google.com/store/apps/details?id=com.jiabaida.little_elephant&hl=en_US&pli=1
Some special protocol details of your BMS model / firmware:
sendAppKeyFrame: [FF, AA, 15, 06, 30, 30, 30, 30, 30, 30, 50]
^^--CRC
setFirstLevelPasswordFrame: [FF, AA, 16, 06, 31, 32, 33, 34, 35, 36, 50]
sendFirstLevelPasswordFrame: [FF, AA, 18, 06, 31, 32, 33, 34, 35, 36, 50]
sendSecondLevelPasswordFrame: [FF, AA, 1B, 06, 31, 32, 33, 34, 35, 36, 50]
^^^^^^^^^^^^^^^^^^^^^^--6 bytes password
removePasswordFrame: [DD, 5A, 09, 07, 06, 4A, 31, 42, 32, 44, 34, FE, 85, 77]
cleanFirstLevPswFrame: [FF, AA, 23, 01, 01, 25]
cleanAppKeyFrame: [FF, AA, 24, 01, 01, 20]
restoreSecondPswFrame: [FF, AA, 1F, 01, 01, 21]
factoryResetFrame: [FF, AA, 20, 01, 01, 22]
baseAppKeyFrame: [FF, AA, 22, 06, 30, 30, 30, 30, 30, 30, 50]
testFrame: [FF, AA, 1A, 42, 31, 35, 31, 36, 33, 38, 31, 32, 33, 33, 35, 34, 31, 32, 33, 33, 35, 34, 31, 32, 33, 33, 35, 34, 31, 32, 33, 33, 35, 34, 31, 32, 33, 33, 35, 34, 31, 32, 33, 33, 35, 34, 31, 32, 33, 33, 35, 34, 31, 32, 33, 33, 35, 34, 31, 32, 33, 33, 35, 34, 80]
randomFrame: [FF, AA, 17, 00, 17]
It looks like the communication isn't using official BLE encryption/pin/authentication features. It's a custom protocol. I guess we have to send an authorization frame to establish proper communication.
Could you provide some screenshots of the Android or iOS app? I would like to understand which types of different passwords are used. It looks like the app key is something like a 6-char value (always 000000). There is a first level password (6 chars) and a second level password (6 chars) too, and a root password (15 bytes).
Sorry, I have to ask another time: Are you able to borrow an Android smartphone somewhere? A BLE traffic capture would be super helpful (it's part of a standard bug report bundle and can be created pretty easily). The device doesn't need to be rooted.
Really appreciate your help here, thanks!
I can try to capture the BLE traffic on my Mac using my iPhone I guess. I will give it a try and get back asap.
I've no experience with iOS. A traffic capture (it is called a btsnoop / pcap file) would be helpful.
Well that went smoothly...:) See the attached log.
What I did: I removed and reinstalled the app so it would ask for the password again. I started the log, opened the app and entered the password 123123. Then the readings came in, battery 99% charged. I switched to some other screens in the app, closed the app, reopened the app, and this time I did not need to enter the password; I guess it saves it and uses the same or another way to connect. The data reappeared.
I hope this gives more insight in how to make it work. Or maybe it gives a pointer to remove the Bluetooth password altogether, by maybe sending cleanAppKeyFrame or something, which might do the trick as well.
Let me know if I need to get you other info, looking forward to hearing your judgement! btsnoop xiaoxiangelectric.log
I made a selection for you within the apple logger which might make things easier.
Good job! This is the raw traffic:
ff:aa:15:06:30:30:30:30:30:30:3b
ff:aa:15:01:00:16
ff:aa:17:00:17
ff:aa:17:01:71:89
00:b1:2c:00:00:e5:2c:00:00:00:00
ff:aa:18:06:06:64:75:a6:90:fe:31
ff:aa:18:01:00:19
ff:aa:1d:0f:5f:f4:e4:d7:ca:3f:e8:d5:92:b1:94:a3:a1:a3:a4:62
ff:aa:1d:01:00:1e
dd:a5:03:00:ff:fd:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:f0:0b:ee:0b:eb:f9:bd:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:16:0d:15:0d:08:0d:0b:ff:86:77
dd:a5:fa:03:00:75:04:fe:8a:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:16:0d:15:0d:08:0d:0b:ff:86:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:16:0d:15:0d:08:0d:0b:ff:86:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:15:0d:08:0d:0b:ff:87:77
dd:5a:00:02:56:78:ff:30:77
dd:00:00:00:00:00:77
dd:a5:16:00:ff:ea:77
dd:16:00:02:00:00:ff:fe:77
dd:a5:a2:00:ff:5e:77
dd:a2:00:01:00:ff:ff:77
dd:a5:a0:00:ff:60:77
dd:a0:00:06:05:44:47:4a:42:44:fe:9a:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
dd:a5:15:00:ff:eb:77
dd:15:00:02:30:9b:ff:33:77
dd:a5:05:00:ff:fb:77
dd:05:00:0f:53:50:30:34:53:30:33:34:4c:34:53:32:30:30:41:fc:5a:77
dd:5a:01:02:00:00:ff:fd:77
dd:01:00:00:00:00:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:14:0d:08:0d:0a:ff:89:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:15:0d:08:0d:0a:ff:88:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:14:0d:08:0d:0a:ff:89:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ee:0b:eb:f9:c1:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:14:0d:08:0d:0a:ff:89:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ee:0b:eb:f9:c1:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:15:0d:08:0d:0a:ff:88:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:15:0d:08:0d:0b:ff:87:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:14:0d:08:0d:0a:ff:89:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ee:0b:eb:f9:c1:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:15:0d:08:0d:0a:ff:88:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:15:0d:08:0d:0a:ff:88:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:15:0d:08:0d:0a:ff:88:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ee:0b:eb:f9:c1:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:14:0d:08:0d:0a:ff:89:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:15:0d:08:0d:0a:ff:88:77
ff:aa:15:06:30:30:30:30:30:30:3b
ff:aa:15:01:00:16
ff:aa:17:00:17
ff:aa:17:01:e1:f9
ff:aa:18:06:76:d4:e5:16:00:6e:d1
ff:aa:18:01:00:19
ff:aa:1d:0f:cf:64:54:47:3a:af:58:45:02:21:04:13:11:13:14:f2
ff:aa:1d:01:00:1e
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:14:0d:08:0d:0a:ff:89:77
dd:a5:fa:03:00:75:04:fe:8a:77
00:b1:2c:00:00:e5:2c:00:00:00:00
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:14:0d:08:0d:0a:ff:89:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:ec:0b:ed:0b:eb:f9:c2:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:15:0d:14:0d:08:0d:0a:ff:89:77
Extract from XiaoXiang log 2.log / communication.json.txt
Long story short: Your BMS firmware supports some new / special commands to do some auth flow. We will try to replicate this behavior to get authenticated too.
Wow, I can read and understand the short version and that sounds absolutely marvellous! This is really highly appreciated and I am looking forward to it. Please let me know if I can be of any further help!
These are the most important parts of the communication:
# Write instructions -> Handle 0x0015
# Responses / notifications via 0x0011
>>> ff:aa:15:06:30:30:30:30:30:30:3b # Send app key
<<< ff:aa:15:01:00:16 # Send app key response (data_len: 1 byte, data: 0x00)
>>> ff:aa:17:00:17 # Request random data
<<< ff:aa:17:01:71:89 # Random data response (data_len: 1 byte, data: 0x71)
>>> Read blob request (0x0c), Handle 0x0003, Offset 19 # Device name?
<<< 00:b1:2c:00:00:e5:2c:00:00:00:00
>>> ff:aa:18:06:06:64:75:a6:90:fe:31 # Send first level password (data_len: 6 bytes, data: 06:64:75:a6:90:fe)
<<< ff:aa:18:01:00:19 # First level password response (data_len: 1 byte, data: 0x00)
>>> ff:aa:1d:0f:5f:f4:e4:d7:ca:3f:e8:d5:92:b1:94:a3:a1:a3:a4:62 # Send root password (5f:f4:e4:d7:ca:3f:e8:d5:92:b1:94:a3:a1:a3:a4)
<<< ff:aa:1d:01:00:1e # Root password response (data_len: 1, data: 0x00)
>>> dd:a5:03:00:ff:fd:77 # Request hardware info
>>> dd:a5:03:00:ff:fd:77
<<< dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:f0:0b:ee:0b:eb:f9:bd:77 # Hardware info response
>>> dd:a5:04:00:ff:fc:77 # Request cell info
<<< dd:04:00:08:0d:16:0d:15:0d:08:0d:0b:ff:86:77
>>> dd:a5:fa:03:00:75:04:fe:8a:77 # Unknown request
>>> dd:a5:03:00:ff:fd:77 # Request hardware info
<<< dd:03:00:1d:05:39:00:00:52:a8:53:34:00:01:30:9b:00:00:00:00:00:00:44:63:03:04:03:0b:eb:0b:ee:0b:eb:f9:c2:77
>>> indicates requests, <<< responses.
Unusual question but could you provide your passwords for comparison?
The plaintext password is encrypted against the MAC address of the BMS. The plaintext password would be helpful to reverse engineer the encryption.
Sorry to only now notice your request but I already shared that, it is 123123 and that is the bluetooth password which is the only one I have set.
Oh. I missed the detail the first time.
Yeah, I guessed so ;). Let me know if I can help more, maybe set different passwords or so might ease the decryption?
Could you provide another capture in which you enter an incorrect (but known) password?
Okay, here is what I did. The password was first changed from 123123 to 123412 and the app removed and reinstalled. LOG started. Started the app and entered 000000, entered 111111, entered 123412; the app opened and displayed data. Changed the password to 123123 and confirmed. Closed the app and reopened, closed the app, closed the LOG. xiaoxiang [Live] - iPhone van H.log
Filtered the log on the battery only: just the battery.log
Content of the second capture: communications2.json.txt
# 1. attempt
ff:aa:15:06:30:30:30:30:30:30:3b
ff:aa:15:01:00:16
ff:aa:17:00:17
ff:aa:17:01:62:7a
00:b1:2c:00:00:e5:2c:00:00:00:00
>>> ff:aa:18:06:f6:53:69:96:7f:f0:d5 # password 000000
<<< ff:aa:18:01:01:1a
^^--NACK
# 2. attempt
ff:aa:15:06:30:30:30:30:30:30:3b
ff:aa:15:01:00:16
ff:aa:17:00:17
ff:aa:17:01:21:39
00:b1:2c:00:00:e5:2c:00:00:00:00
>>> ff:aa:18:06:b6:11:27:56:3d:b0:4f # password 111111
<<< ff:aa:18:01:01:1a
^^--NACK
# 3. attempt
ff:aa:15:06:30:30:30:30:30:30:3b
ff:aa:15:01:00:16
ff:aa:17:00:17
ff:aa:17:01:61:79
00:b1:2c:00:00:e5:2c:00:00:00:00
>>> ff:aa:18:06:f6:54:65:91:7d:ed:c8 # password 123412
<<< ff:aa:18:01:00:19
^^--ACK
ff:aa:1d:0f:4f:e4:d4:c7:ba:2f:d8:c5:82:a1:84:93:91:93:94:72
ff:aa:1d:01:00:1e
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:36:00:00:4f:f2:53:34:00:01:30:9b:00:00:00:00:00:00:44:60:03:04:03:0b:b7:0b:bf:0b:b9:fa:16:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:36:ff:cb:4f:f2:53:34:00:01:30:9b:00:00:00:00:00:00:44:60:03:04:03:0b:b7:0b:bf:0b:b9:f8:4c:77
>>> ff:aa:16:06:31:32:33:31:32:33:48 # change password to 123123
<<< ff:aa:16:01:00:17
^^--ACK
# 4. attempt
ff:aa:15:06:30:30:30:30:30:30:3b
ff:aa:15:01:00:16
ff:aa:17:00:17
ff:aa:17:01:37:4f
>>> ff:aa:18:06:cc:2a:3b:6c:56:c4:d5 # password 123123
<<< ff:aa:18:01:00:19
^^--ACK
ff:aa:1d:0f:25:ba:aa:9d:90:05:ae:9b:58:77:5a:69:67:69:6a:fc
ff:aa:1d:01:00:1e
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:36:ff:ba:4f:f1:53:34:00:01:30:9b:00:00:00:00:00:00:44:60:03:04:03:0b:b7:0b:bf:0b:b9:f8:5e:77
dd:a5:03:00:ff:fd:77
dd:03:00:1d:05:36:ff:cb:4f:f1:53:34:00:01:30:9b:00:00:00:00:00:00:44:60:03:04:03:0b:b7:0b:bf:0b:b9:f8:4d:77
dd:a5:04:00:ff:fc:77
dd:04:00:08:0d:07:0d:06:0d:08:0d:08:ff:a7:77
dd:a5:fa:03:00:75:04:fe:8a:77
00:b1:2c:00:00:e5:2c:00:00:00:00
I am really impressed, looks like you are making progress! I was looking in Wireshark but cannot even see how you determine these packets, to me it looks completely different all together. Maybe I am using wrong settings or something. But never mind, don't let me distract you, let me know when you need me to test something! :)
First of all you should filter for the important parts using:
bluetooth.addr == a4:c1:37:04:2d:be && (btatt.opcode == 0x1b || btatt.opcode == 0x52)
Expand the Bluetooth Attribute Protocol section and take a look at the Value: field. This is the payload per frame.
Could you try to start the App and retrieve some measurements from your BMS without any internet connection?
Sure, just did and no issue, got the data.
How to generate the payload of the "send first level password" frame:
>>> ff:aa:17:00:17 # Get random byte
<<< ff:aa:17:01:62:7a # Random byte response. Value: 0x62
>>> ff:aa:18:06:f6:53:69:96:7f:f0:d5 # Send password 000000
# Password "000000" = 0x30 0x30 0x30 0x30 0x30 0x30
# Random byte: 0x62
# MAC address: a4:c1:37:04:2d:be
# Per byte: (mac_byte XOR password_byte) + random_byte, kept to 8 bits.
# The wrap is modulo 256 (& 0xFF), not 255: with % 255 every byte whose sum
# crosses 0xFF comes out one too high (e.g. 0xC1 ^ 0x30 + 0x62 = 339 -> 0x53).
>>> hex(((0xA4 ^ 0x30) + 0x62) & 0xFF)
'0xf6'
>>> hex(((0xC1 ^ 0x30) + 0x62) & 0xFF)
'0x53'
>>> hex(((0x37 ^ 0x30) + 0x62) & 0xFF)
'0x69'
>>> hex(((0x04 ^ 0x30) + 0x62) & 0xFF)
'0x96'
>>> hex(((0x2D ^ 0x30) + 0x62) & 0xFF)
'0x7f'
>>> hex(((0xBE ^ 0x30) + 0x62) & 0xFF)
'0xf0'
# Expected output: f6:53:69:96:7f:f0
>>> ff:aa:17:00:17
<<< ff:aa:17:01:61:79 # Random byte response. Value: 0x61
>>> ff:aa:18:06:f6:54:65:91:7d:ed:c8 # password 123412
# Password "123412" = 0x31 0x32 0x33 0x34 0x31 0x32
# Random byte: 0x61
# MAC address: a4:c1:37:04:2d:be
>>> hex(((0xA4 ^ 0x31) + 0x61) & 0xFF)
'0xf6'
>>> hex(((0xC1 ^ 0x32) + 0x61) & 0xFF)
'0x54'
>>> hex(((0x37 ^ 0x33) + 0x61) & 0xFF)
'0x65'
>>> hex(((0x04 ^ 0x34) + 0x61) & 0xFF)
'0x91'
>>> hex(((0x2d ^ 0x31) + 0x61) & 0xFF)
'0x7d'
>>> hex(((0xbe ^ 0x32) + 0x61) & 0xFF)
'0xed'
# Expected output: f6:54:65:91:7d:ed
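The per-byte scheme above, written out as an added example (not code from this issue or from the esphome-jbd-bms component): it encodes a password the way the app does, inverts the encoding, and checks both against all five password exchanges captured in this thread. Since the MAC address, the random byte and the encoded payload all go over the air without BLE-level encryption (as noted earlier), anyone who captured one login can recover the first-level password the same way. The 15-byte root password (command 0x1d) uses a derivation not yet worked out here and is left out. The test vectors are copied from the captures above; the MAC is the one from the Wireshark filter.

```python
# Added example (not code from this issue or the esphome-jbd-bms component): the first-level
# password scheme reconstructed from the captures in this thread. Each password byte is XORed
# with the matching byte of the BMS Bluetooth MAC, the random byte from the 0x17 reply is
# added, and the sum is kept to 8 bits (modulo 256). Only the password itself is secret.
MAC = bytes.fromhex("a4c137042dbe")   # BMS address from the Wireshark filter above

# (random byte, plaintext password, payload of the captured 0x18 frame), copied from the captures
CAPTURED = [
    (0x71, "123123", "066475a690fe"),  # first capture, ACK
    (0x62, "000000", "f65369967ff0"),  # second capture, attempt 1, NACK (wrong password)
    (0x21, "111111", "b61127563db0"),  # attempt 2, NACK
    (0x61, "123412", "f65465917ded"),  # attempt 3, ACK
    (0x37, "123123", "cc2a3b6c56c4"),  # attempt 4, ACK
]


def encrypt_password(password: str, mac: bytes, random_byte: int) -> bytes:
    """Payload of the 0x18 'send first level password' frame."""
    pw = password.encode("ascii")
    if len(pw) != 6 or len(mac) != 6 or not 0 <= random_byte <= 0xFF:
        raise ValueError("password and MAC must be 6 bytes, random byte 0..255")
    return bytes(((m ^ p) + random_byte) & 0xFF for m, p in zip(mac, pw))


def recover_password(payload: bytes, mac: bytes, random_byte: int) -> str:
    """Invert the scheme: subtract the random byte, XOR the MAC back out.
    MAC, random byte and payload are all sent in the clear, so one sniffed
    0x17/0x18 exchange is enough to get the password."""
    plain = bytes(((c - random_byte) & 0xFF) ^ m for c, m in zip(payload, mac))
    return plain.decode("ascii", errors="replace")


def check_captures(vectors=CAPTURED, mac: bytes = MAC) -> bool:
    """True if encrypt and recover reproduce every captured exchange."""
    for random_byte, password, payload_hex in vectors:
        payload = bytes.fromhex(payload_hex)
        if encrypt_password(password, mac, random_byte) != payload:
            return False
        if recover_password(payload, mac, random_byte) != password:
            return False
    return True


if __name__ == "__main__":
    print("all captured exchanges reproduced:", check_captures())
    print("password behind attempt 4:", recover_password(bytes.fromhex("cc2a3b6c56c4"), MAC, 0x37))
```

Feeding a capture from another unit into CAPTURED is the quickest way to see whether its firmware uses the same scheme; a wrong wrap (255 instead of 256) shows up as a one-off in exactly those bytes whose XOR-plus-random sum crosses 0xFF.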
That's interesting! Not very standard, but it looks like an algorithm, does it not? Do you need more examples, any specific ones maybe? Or would you like me to test possibly updated code which might support these passwords?
I will take care of the so-called root password as the next step. This is what we have discovered already:
>>> ff:aa:15:06:30:30:30:30:30:30:3b # Send a so called app key to the BMS
<<< ff:aa:15:01:00:16 # BMS responds with success
>>> ff:aa:17:00:17 # Retrieve random byte used to encrypt the password
<<< ff:aa:17:01:37:4f # Random byte response: Value 0x37
>>> ff:aa:18:06:cc:2a:3b:6c:56:c4:d5 # Send encrypted password (`123123`) using the algorithm above
<<< ff:aa:18:01:00:19 # BMS responds with 0x00 on success, 0x01 on failure (see the NACKs in the second capture)
>>> ff:aa:1d:0f:25:ba:aa:9d:90:05:ae:9b:58:77:5a:69:67:69:6a:fc # Send root password
<<< ff:aa:1d:01:00:1e # BMS responds with 0x00 on success, 0x01 on failure
# We are properly authenticated now and the BMS will respond with well known frames
>>> dd:a5:03:00:ff:fd:77
<<< dd:03:00:1d:05:36:ff:ba:4f:f1:53:34:00:01:30:9b:00:00:00:00
It looks like frames starting with ff:aa are control commands for the BMS module. As soon as the client is properly authenticated, the standard JBD BMS frames (frames starting with 0xdd) are passed through to the BMS.
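The whole flow with both sides' frames, as an added example that is not code from this issue or from the esphome-jbd-bms component. The client builds the ff:aa control frames and, once authenticated, the standard dd JBD read frames; both checksum schemes are verified on receive. The BMS side is a script that answers with frames taken from the second capture above (fourth attempt: random byte 0x37, password 123123, and the captured 0x03 reply) and stays silent on dd frames until the handshake is through, which is the "BMS doesn't respond" symptom from the start of this thread. Assumptions, because the thread does not settle them: the scripted BMS hands out the same random byte every time and accepts any 15-byte payload for 0x1d, since the root-password derivation is still unknown; the 0x03 payload is decoded with the standard JBD basic-info layout (the RSOC byte decodes to 96% here and to 99% for the first capture, matching the reading reported above).

```python
# Added example, not code from this issue or the esphome-jbd-bms component. The client builds
# ff:aa control frames for the handshake, then standard dd JBD frames; the scripted BMS replays
# frames captured above (second capture, fourth attempt). Assumptions: it always hands out
# random byte 0x37 and accepts any 15-byte 0x1d payload (root derivation is unknown here).
MAC = bytes.fromhex("a4c137042dbe")               # BMS address from the Wireshark filter

def ctrl_frame(cmd: int, data: bytes = b"") -> bytes:
    """ff aa cmd len data ck, with ck = sum(cmd, len, data) mod 256."""
    body = bytes([cmd, len(data)]) + data
    return b"\xff\xaa" + body + bytes([sum(body) & 0xFF])

def parse_ctrl(frame: bytes) -> tuple:
    """Return (cmd, data); raise on a bad header, length or checksum."""
    if len(frame) < 5 or frame[:2] != b"\xff\xaa" or len(frame) != 5 + frame[3] \
            or frame[-1] != sum(frame[2:-1]) & 0xFF:
        raise ValueError("bad control frame")
    return frame[2], frame[4:-1]

def encrypt_password(password: str, mac: bytes, random_byte: int) -> bytes:
    """Scheme worked out above: ((mac ^ pw) + random) mod 256, byte by byte."""
    return bytes(((m ^ p) + random_byte) & 0xFF for m, p in zip(mac, password.encode()))

def jbd_checksum(body: bytes) -> int:
    return (0x10000 - sum(body)) & 0xFFFF       # over reg/status, len and payload

def jbd_read(reg: int) -> bytes:
    """Standard JBD read request: dd a5 reg 00 ck ck 77."""
    body = bytes([reg, 0x00])
    return b"\xdd\xa5" + body + jbd_checksum(body).to_bytes(2, "big") + b"\x77"

def parse_jbd(frame: bytes) -> tuple:
    """(reg, status, payload) for a reply; for a request it yields (0xa5, reg, b"")."""
    n = frame[3]
    if frame[0] != 0xDD or frame[-1] != 0x77 or len(frame) != n + 7 \
            or jbd_checksum(frame[2:4 + n]) != int.from_bytes(frame[4 + n:6 + n], "big"):
        raise ValueError("bad JBD frame")
    return frame[1], frame[2], frame[4:4 + n]

def parse_basic_info(p: bytes) -> dict:
    """Register 0x03, standard JBD layout (assumed): 10 mV / 10 mA / 10 mAh, temps in 0.1 K."""
    def be(i, signed=False):
        return int.from_bytes(p[i:i + 2], "big", signed=signed)
    return {"voltage_v": be(0) / 100, "current_a": be(2, True) / 100,
            "residual_ah": be(4) / 100, "cycles": be(8), "protection": be(16),
            "rsoc_pct": p[19], "cells": p[21],
            "temps_c": [(be(23 + 2 * i) - 2731) / 10 for i in range(p[22])]}

class ScriptedBms:
    """level 0: nothing, 1: app key, 2: first level password, 3: root password."""
    PASSWORD, RANDOM = "123123", 0x37             # a real BMS draws a fresh random byte
    BASIC_INFO = bytes.fromhex("dd03001d0536ffba4ff153340001309b000000000000"
                               "44600304030bb70bbf0bb9f85e77")   # captured 0x03 reply
    level = 0                                     # overwritten per instance in handle()

    def handle(self, frame: bytes):
        if frame[:2] != b"\xff\xaa":                 # dd frames: no answer until level 3
            if self.level < 3:
                return None
            return self.BASIC_INFO if parse_jbd(frame)[1] == 0x03 else None
        cmd, data = parse_ctrl(frame)
        if cmd == 0x15 and data == b"000000":
            self.level = 1
        elif cmd == 0x17 and self.level >= 1:
            return ctrl_frame(0x17, bytes([self.RANDOM]))
        elif cmd == 0x18 and self.level >= 1:
            if data != encrypt_password(self.PASSWORD, MAC, self.RANDOM):
                self.level = 0
                return ctrl_frame(0x18, b"\x01")     # NACK, as in the failed attempts
            self.level = 2
        elif cmd == 0x1D and self.level == 2 and len(data) == 15:
            self.level = 3                           # assumption: any 15 bytes accepted
        else:
            return ctrl_frame(cmd, b"\x01")
        return ctrl_frame(cmd, b"\x00")              # ACK

def authenticate(bms: ScriptedBms, password: str, root_payload: bytes) -> bool:
    """Client handshake; in the replies 0x00 is ACK and 0x01 is NACK."""
    def step(cmd, data=b""):
        reply_cmd, reply = parse_ctrl(bms.handle(ctrl_frame(cmd, data)))
        if reply_cmd != cmd or (cmd != 0x17 and reply != b"\x00"):
            raise PermissionError(f"command 0x{cmd:02x} rejected")
        return reply
    step(0x15, b"000000")                            # app key
    random_byte = step(0x17)[0]
    step(0x18, encrypt_password(password, MAC, random_byte))
    step(0x1D, root_payload)                         # captured blob, derivation unknown
    return True

def run_demo() -> dict:
    bms = ScriptedBms()
    silent_before = bms.handle(jbd_read(0x03)) is None   # the symptom at the top of this thread
    try:
        authenticate(bms, "000000", bytes(15))            # wrong password -> NACK on 0x18
        wrong_rejected = False
    except PermissionError:
        wrong_rejected = True
    ok = authenticate(bms, "123123", bytes.fromhex("25baaa9d9005ae9b58775a6967696a"))
    info = parse_basic_info(parse_jbd(bms.handle(jbd_read(0x03)))[2])
    return {"silent_before": silent_before, "wrong_rejected": wrong_rejected,
            "authenticated": ok, "info": info}
```

run_demo() walks the same path the app took: a dd read before the handshake gets no reply, a wrong first-level password gets a NACK and resets the session, and only after the 0x1d step do the standard JBD reads come back. Replacing ScriptedBms with a real BLE transport means writing each frame to handle 0x0015 and reading the notification from 0x0011, as listed above.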
Hello, thanks for your great work, unfortunately I cannot get it to work with my unit SP04S034L4S200A.
I have included the log and the home assistant ESPHome configuration and hope to get some pointers to fix this.
It might be relevant that I have accidentally set a bluetooth password on the device. I did try to remove it by changing it to 000000 but not sure whether that helped.
Log underneath:
And the configuration: