Reverse engineering the Elco heating protocol

The first step is always to look around on the internet. After some searching, I found out that the QAA75 sensor is actually made by Siemens, which broadened the search a bit. It turns out that Siemens refers to the communication as the “Boiler System Bus (BSB)”. This is the first interesting piece: a bus. In contrast with the OpenTherm protocol, which is point-to-point, the name indicates a bus, which is point-to-multipoint. That has a number of implications: 1) data is most probably transmitted as a voltage, not as a current, and certainly not as both (OpenTherm signals in one direction with voltage and in the other with current, which only works between exactly two devices); 2) it should be possible to passively listen in on the conversations; 3) it should be possible to act as an additional device on the bus and transmit messages, without changing the bus wiring...
[Figure: schematic]

So we have the amplitude conquered; next up is the time dimension: what form of line code is used? Figuring this out boils down to trying the different schemes and seeing which one adds up. This particular case looks like very regular unipolar non-return-to-zero (NRZ): the line sits at one of two levels for a whole bit period and does not return to a rest level between bits. At this point, it is not clear whether 12V corresponds to a binary 1 or 0.

One can also see (after staring at the bit sequence for long enough) that bit 0 mod 11 is always low and bit 10 mod 11 is always high. This looks very much like the bit stream produced by a UART: a start bit, 8 data bits, a parity bit (odd or even; which of the two is not yet settled here) and a stop bit, 11 bits per character.

Since the protocol resembles RS-232 quite a bit, I figured it should be easy to convert the bus levels from/to RS-232 and do the rest of the processing in software, on bits instead of on voltages.
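Once the samples have been sliced at the bit rate, the framing described above can be recovered in software. The following is an added example, not code from the original article: it searches for the offset at which bit 0 mod 11 is always low and bit 10 mod 11 is always high, tries both polarities because the article leaves open which level is the logic 1, and then reports which parity rule (odd or even) every decoded frame obeys. The data-bit order (LSB first, as a UART sends them), the idle/stop level being logic 1, and the sample bit stream itself are assumptions made for the example.

```python
"""Frame decoder for an 11-bit, UART-like unipolar NRZ bit stream.

Added example. Assumptions (not from the article): the input is a list of
0/1 levels already sliced at the bit rate; a frame is start(0) + 8 data bits
LSB first + parity + stop(1); the constructed sample below is not a real
capture. Which wire level is a 1 is NOT assumed: both polarities are tried.
"""
from typing import List, Optional, Tuple

FRAME_BITS = 11  # start + 8 data + parity + stop


def parity_bit(byte: int, odd: bool) -> int:
    """Parity bit that makes the ones in data+parity odd (odd=True) or even."""
    ones = bin(byte & 0xFF).count("1")
    return (ones + (1 if odd else 0)) & 1


def encode_frame(byte: int, odd: bool = True) -> List[int]:
    """One frame as it appears on an idle-high line (used to build the sample)."""
    data = [(byte >> i) & 1 for i in range(8)]
    return [0] + data + [parity_bit(byte, odd), 1]


def find_alignment(bits: List[int]) -> Optional[Tuple[int, bool]]:
    """Return (offset, inverted) such that every bit offset+11k is a start (0)
    and every bit offset+11k+10 is a stop (1). The levels are tried as
    captured first, then inverted. None if no offset fits either way."""
    for inverted in (False, True):
        b = [x ^ 1 for x in bits] if inverted else bits
        for offset in range(FRAME_BITS):
            starts = b[offset::FRAME_BITS]
            stops = b[offset + FRAME_BITS - 1::FRAME_BITS]
            n = min(len(starts), len(stops))
            if n and all(s == 0 for s in starts[:n]) and all(s == 1 for s in stops[:n]):
                return offset, inverted
    return None


def decode_frames(bits: List[int], offset: int, inverted: bool,
                  odd: bool = True) -> List[Tuple[int, bool]]:
    """Split the stream into frames; return (byte, parity_ok) for each one."""
    b = [x ^ 1 for x in bits] if inverted else bits
    out = []
    for pos in range(offset, len(b) - FRAME_BITS + 1, FRAME_BITS):
        frame = b[pos:pos + FRAME_BITS]
        byte = sum(bit << i for i, bit in enumerate(frame[1:9]))  # LSB first
        parity_ok = frame[9] == parity_bit(byte, odd)
        out.append((byte, parity_ok))
    return out


def guess_parity(bits: List[int], offset: int, inverted: bool) -> Optional[str]:
    """Name the parity rule that every frame obeys, if exactly one does."""
    fits = [name for name, odd in (("odd", True), ("even", False))
            if all(ok for _, ok in decode_frames(bits, offset, inverted, odd))]
    return fits[0] if len(fits) == 1 else None


# Constructed "capture": two idle bits, then four back-to-back frames for
# b"Elco" with odd parity, with the whole stream inverted to mimic a capture
# in which the 12 V level was taken as logic 0.
_frames = [bit for byte in b"Elco" for bit in encode_frame(byte, odd=True)]
SAMPLE_BITS = [x ^ 1 for x in [1, 1] + _frames]

if __name__ == "__main__":
    align = find_alignment(SAMPLE_BITS)
    print("alignment (offset, inverted):", align)
    if align:
        offset, inverted = align
        print("parity rule:", guess_parity(SAMPLE_BITS, offset, inverted))
        for byte, ok in decode_frames(SAMPLE_BITS, offset, inverted):
            print(f"0x{byte:02x} parity_ok={ok}")
```

On a real capture the alignment search should be run over a burst of back-to-back frames only; idle stretches between telegrams are not a multiple of 11 bits and would defeat the mod-11 check, so split the stream at long idle runs first.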

PCB file: see the original project webpage.

