Reverse engineering the Elco heating protocol


Posted on Feb 6, 2014

The first step is always to look around on the internet. After some searching, I found out that the QAA75 sensor is actually made by Siemens. This broadened my search a bit. It turns out that Siemens refers to the communication as a “Boiler System Bus (BSB)”. This is the first interesting piece: a bus. In contrast with the OpenTherm protocol, which is point-to-point, this name seems to indicate that it is a bus (which is point-to-multipoint). That has a lot of implications: 1) data is most probably transmitted in the voltage, not in the current, and certainly not both; 2) it should be possible to passively listen in on the conversations; 3) it should be possible to act as an additional device on the bus and transmit messages, without changing the bus wiring...



So we have the amplitude conquered; next up is the time dimension: what form of line code is used? Figuring this out boils down to trying the different schemes and seeing whether they add up. This particular case looks like very regular unipolar non-return-to-zero. At this point, it’s not clear whether the 12V corresponds to a binary 1 or 0.

One can also see (after staring at the bit sequence for long enough) that bit 0 mod 11 is low and bit 10 mod 11 is high. This looks very similar to the bitstream produced by UARTs: a start bit, 8 data bits, a parity bit (odd even in this case) and a stop bit.

Since the protocol resembles RS-232 a bit, I figured it should be easy to convert from/to RS-232 and do the rest of the processing in software on bits instead of on voltages.
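The framing observed above (start bit low, 8 data bits, a parity bit, stop bit high), as an added example that is not code from the original post: a decoder that splits sampled bits into 11-bit frames and reports which parity convention the capture is consistent with. LSB-first bit order, the function names and the sample bytes are assumptions of this example.

```python
FRAME_BITS = 11  # start + 8 data + parity + stop, as observed in the capture


def encode_frame(byte, even=True):
    """Build one constructed frame; used only to make the sample input."""
    data = [(byte >> i) & 1 for i in range(8)]  # LSB first (assumption)
    parity = sum(data) % 2 if even else 1 - sum(data) % 2
    return [0] + data + [parity] + [1]


def decode(bits):
    """Decode 0/1 samples (one per bit time, 0 = low) into (bytes, parity kind).

    Parity kind is 'even', 'odd', 'inconsistent' or 'none', judged on the
    levels as sampled. Inverting the polarity flips it, because data plus
    parity is an odd number (9) of bits.
    """
    out, seen = [], set()
    pos = 0
    while pos < len(bits):
        if bits[pos] == 1:  # idle/stop level: keep waiting for a start bit
            pos += 1
            continue
        frame = bits[pos:pos + FRAME_BITS]
        if len(frame) < FRAME_BITS:
            break  # capture ended mid-frame; drop the partial frame
        if frame[10] != 1:
            raise ValueError(f"framing error at bit {pos}: stop bit is low")
        data, parity = frame[1:9], frame[9]
        out.append(sum(bit << i for i, bit in enumerate(data)))
        seen.add((sum(data) + parity) % 2)  # 0: even count of highs, 1: odd
        pos += FRAME_BITS
    kind = {frozenset(): "none", frozenset({0}): "even",
            frozenset({1}): "odd"}.get(frozenset(seen), "inconsistent")
    return bytes(out), kind


# Constructed sample: idle bits, then three frames separated by idle bits.
SAMPLE = [1, 1, 1]
for value in (0x23, 0x7F, 0x00):
    SAMPLE += encode_frame(value) + [1, 1]

if __name__ == "__main__":
    print(decode(SAMPLE))
```

A result of 'inconsistent' means the frame boundaries, the bit order guess or the capture itself should be rechecked before trusting any decoded byte.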

