Reverse engineering the Elco heating protocol

Posted on Feb 6, 2014

The first step is always to look around on the internet. After some searching, I found out that the QAA75 sensor is actually made by Siemens. This broadened my search a bit. It turns out that Siemens refers to the communication as a “Boiler System Bus (BSB)”. This is the first interesting piece: a bus. In contrast with the OpenTherm protocol, which is point-to-point, the name indicates a bus, which is point-to-multipoint. This has several implications: 1) data is most probably encoded in the voltage, not in the current, and certainly not both; 2) it should be possible to passively listen in on the conversations; 3) it should be possible to act as an additional device on the bus and transmit messages, without changing the bus wiring...


So we have the amplitude conquered; next up is the time dimension: what form of line code is used? Figuring this out boils down to applying the different schemes and seeing whether they add up. This particular case looks like very regular unipolar non-return-to-zero. At this point, it’s not clear whether the 12V corresponds to a binary 1 or 0.

One can also see (after staring at the bit sequence for long enough) that bit 0 mod 11 is low and bit 10 mod 11 is high. This looks very similar to the bitstream produced by a UART: a start bit, 8 data bits, a parity bit (odd even in this case) and a stop bit.

Since the protocol resembles RS-232 a bit, I figured it should be easy to convert from/to RS-232 and do the rest of the processing in software on bits instead of on voltages.
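
The 11-bit framing described above can be checked in software on a captured bit sequence. The sketch below is an added example, not code from the original post: it finds the offset at which every frame has a low start bit and a high stop bit, extracts the data bytes, and reports which parity the capture is consistent with. LSB-first bit order, the function names and the sample bytes are assumptions, and the sample stream is constructed.

```python
FRAME_LEN = 11  # start + 8 data + parity + stop, the period observed above

def encode_frame(byte, parity):
    """Build one 11-bit frame; used only to construct the sample below."""
    data = [(byte >> i) & 1 for i in range(8)]  # assumption: LSB first
    p = (sum(data) + 1) % 2 if parity == "odd" else sum(data) % 2
    return [0] + data + [p] + [1]

def frames_at(bits, off):
    """Split the stream into whole 11-bit frames starting at offset off."""
    return [bits[i:i + FRAME_LEN]
            for i in range(off, len(bits) - FRAME_LEN + 1, FRAME_LEN)]

def find_alignment(bits):
    """First offset where every frame has bit 0 low and bit 10 high."""
    for off in range(FRAME_LEN):
        frames = frames_at(bits, off)
        if frames and all(f[0] == 0 and f[10] == 1 for f in frames):
            return off
    return None

def decode(bits):
    """Return (byte, parity_bit) per frame, or raise if nothing aligns."""
    off = find_alignment(bits)
    if off is None:
        raise ValueError("no offset with start=0 and stop=1 every 11 bits")
    return [(sum(b << n for n, b in enumerate(f[1:9])), f[9])
            for f in frames_at(bits, off)]

def infer_parity(frames):
    """'odd' or 'even' if all frames agree, else 'inconsistent'."""
    kinds = {"odd" if (bin(byte).count("1") + p) % 2 else "even"
             for byte, p in frames}
    return kinds.pop() if len(kinds) == 1 else "inconsistent"

# Constructed sample: three idle-high bits, then three arbitrary bytes.
SAMPLE_BYTES = [0xDC, 0x80, 0x0A]
SAMPLE = [1, 1, 1] + [b for byte in SAMPLE_BYTES
                      for b in encode_frame(byte, "odd")]

if __name__ == "__main__":
    decoded = decode(SAMPLE)
    print("offset:", find_alignment(SAMPLE))
    print("bytes:", [hex(b) for b, _ in decoded])
    print("parity:", infer_parity(decoded))
```

Running the same check on a real capture under both bit polarities shows which reading of the 12V level yields consistent framing and parity.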
