Reverse engineering the serial protocol used on the RS485 bus of the Projecta PM310-BT4J 12V Power Management System.
I initially spent a lot of time capturing BLE packets on an Android device running the "IntelliJay PM210&310" app. Decoding this data was semi-successful although it appeared that the data structure changed between connections, and I didn't manage to discover the connection handshakes.
I also tried to decompile the app, however it's data unpacking is done in a flutter/dart VM which I wasn't able to readily decrypt (or make sense of).
The system uses an RS-485 serial bus to allow communication between the LCD/BT device (PMD-BT4J Monitor) and the main management unit (PM335J-2 Transformer Unit). Tapping into this data is far less complicated as it isn't as complex in its packet structure and isn't protected by Bluetooth pairing handshakes.
In order to extract the data, initially a cheap RS-485 USB dongle (based on CH343G chip) was used. An interconnect point (can be found in the system's PDF manual) was found (between cables PMLCD7Y and PMLCDC) and a matching set of male and female waterproof 4 pin JST connectors with pigtails (04T-JWPF-VSLE-S / 04R-JWPF-VSLE-S).
┌┐┌┐ ┌┐┌┐
RED ││││ WHITE WHITE ││││ RED
+12V ◄────────┤││├───────────────────────┤││├────────► +12V
││││ ││││
YELLOW ││││ BLUE BLUE ││││ YELLOW
TO B ◄────────┤│││──────────────┐┌───────┤││├────────► B TO
TRANSFORMER ││││ ││ ││││ LCD/BT
UNIT WHITE ││││ BLACK ││ BLACK ││││ WHITE DEVICE
(PM335J-2) A ◄────────┤│││──────────┐┌──┼┼───────┤││├────────► A (PMD-BT4J)
││││ ││ ││ ││││
BLACK ││││ RED ││ ││ RED ││││ BLACK
GND ◄────────┤│││──────┐┌──┼┼──┼┼───────┤││├────────► GND
││││ ││ ││ ││ ││││
└┘└┘ ││ ││ ││ └┘└┘
││ ││ ││
┌──┴┴──┴┴──┴┴──┐
│ GND A+ B- │
└──────────────┘
RS-485
USB DONGLE
To set up Python:
python3 -m venv venv
venv/bin/pip install -r requirements.txtTo run a script use the venv/bin/python xxx.py command.
Both of the below scripts depent on rs485_tooling.py which provides the functions:
search_for_value(): searches a packet for a known valueunpack_data(): unpacks data from a packet according to previously discovered packet offsets
This script connects to the serial bus and:
- Buffers data until a break of at least 50ms occurs (interframe gap).
- Dumps the current time and the Buffer Hex to a line in a log file.
- Displays any known data in the frames as they occur which is helpful to validate a new unpacking location against the LCD display.
This script processes a packet log (from rs485_live_decode_interframe_gaps.py) and:
- creates an updated packet log with known data unpacked and added
- creates a csv of known, unpacked data over time
- allows desktop testing of potential new data (using the search for known value function)
Eventually, the plan is to convert the Python script used to unpack the data on the bus into CircuitPython compatible code that can run on an ESP-32 based Seeed Studio XIAO and interface is using a Seeed Studio RS-485 Breakout Board for XIAO. This RS-485 board should power the ESP32 and then, when WiFi is connected, the microcontroller will read and unpack the data then push it over WiFi for use.
An initial (untested) version of the CircuitPython script has been added here.