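I am trying to reverse engineer the protocol used between my air conditioner and its wired wall control unit. (This is so that my home automation can monitor and control the A/C.)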
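The electrical interface is a simple open-collector bus, with both ends sending bytes using UART timing at 100 baud (very slow, probably to tolerate electrical noise on this unbalanced bus).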
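I have captured the traffic from both ends and found that they always send 13-byte packets, where the last byte appears to be some kind of checksum. I believe I can work out where in the 12-byte payload to find the temperature setpoint, the on/off bit, and so on. However, I cannot figure out how the checksum is calculated, and if I don't get that right, I won't be able to inject commands into the A/C unit (other than replaying known commands, which works but does not leave me satisfied with a complete reverse engineering).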
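Below, I have copied the packets I have captured so far. It is clear that the checksum is not a CRC, because usually a single bit flip in the data results in only one or a few adjacent bits being flipped in the checksum.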
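Studying how the checksum changes as the 8th byte is incremented reveals a clear pattern of differences: -1 +3 -1 -5 -1 +3 -1 -21 -1 +3 -1 -5 -1... The above sequence is part of what is generated by the formula y = (x & 0xAA) - (x & 0x55), so I assume it somehow forms part of the checksum algorithm.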
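However, I have not been able to figure out how the input bytes are mixed together, which is why I am asking the expert reverse engineers on this forum. Any input is welcome, even if it is not a complete solution.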
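The A/C is a Friedrich M09CJ, and the wall-mounted "thermostat", a DWC1, can interface with many other Friedrich A/C units, so it is reasonable to guess that those units use the same protocol.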
The line numbers were added afterwards and are not part of the data.
1 A8 00 00 00 00 00 09 17 00 00 00 00 9D
2 A8 00 00 00 00 00 09 18 00 00 00 00 9C
3 A8 00 00 00 00 00 09 19 00 00 00 00 9F
4 A8 00 00 00 00 00 09 1A 00 00 00 00 9E
5 A8 00 00 00 00 00 09 1B 00 00 00 00 99
6 A8 00 00 00 00 00 09 1C 00 00 00 00 98
7 A8 00 00 00 00 00 09 1D 00 00 00 00 9B
8 A8 00 00 00 00 00 09 1E 00 00 00 00 9A
9 A8 00 00 00 00 00 09 1F 00 00 00 00 85
10 A8 00 00 00 00 00 09 20 00 00 00 00 84
11 A8 00 00 00 00 00 09 20 00 00 40 00 44
12 A8 00 00 00 00 00 09 21 00 00 00 00 87
13 A8 00 00 00 00 00 09 22 00 00 00 00 86
14 A8 00 00 00 00 00 09 23 00 00 00 00 81
15 A8 00 00 00 00 00 09 23 00 00 40 00 41
16 A8 00 00 00 00 00 09 24 00 00 00 00 80
17 A8 01 00 00 00 00 09 23 40 00 80 00 C0
18 A8 01 00 00 00 00 09 24 40 00 80 00 C3
19 A8 02 00 00 00 00 09 1E 00 00 00 00 84
20 A8 02 00 00 00 00 09 20 00 00 00 00 86
21 A8 02 00 00 00 04 05 1E 00 00 00 00 84
22 A8 02 00 00 00 04 07 1F 00 00 00 00 81
23 A8 02 00 00 00 04 09 1F 00 00 00 00 83
24 A8 02 00 00 00 04 09 20 00 00 00 00 82
25 A8 02 00 00 00 04 0A 20 00 00 00 00 8D
26 A8 02 00 00 00 04 0E 1F 00 00 00 00 8E
27 A8 02 00 00 00 04 0E 20 00 00 00 00 89
28 A8 03 00 00 00 00 09 20 00 00 00 00 81
29 A8 03 00 00 00 00 0A 20 00 00 00 00 80
30 A8 03 00 00 00 00 0B 20 00 00 00 00 83
31 A8 41 00 00 00 00 01 00 40 00 80 00 FF
32 A8 41 00 00 00 00 01 1F 40 00 80 00 9C
33 A8 42 00 00 00 00 09 1F 00 00 00 00 47
34 A8 60 40 00 00 00 09 1F 00 00 00 00 25
35 A8 60 40 00 00 00 09 20 00 00 00 00 24
36 A8 60 40 00 00 00 09 21 00 00 00 00 27
37 A8 60 40 00 00 00 09 22 00 00 00 00 26
38 A8 60 40 00 00 00 09 23 00 00 00 00 21
39 A8 62 00 00 00 00 09 1F 00 00 00 00 67
40 A8 62 00 00 00 00 09 20 00 00 00 00 66
41 A8 62 40 00 00 00 09 20 00 00 00 00 26
42 A8 62 40 00 00 00 09 21 00 00 00 00 21
43 A8 62 40 00 00 04 09 1D 00 00 00 00 21
44 A8 62 40 00 00 04 09 1E 00 00 00 00 20
45 A8 62 40 00 00 04 09 1F 00 00 00 00 23
46 A8 62 40 00 00 04 09 20 00 00 00 00 22
47 A8 62 40 00 00 04 09 21 00 00 00 00 2D
48 C8 00 00 00 00 00 09 17 00 00 00 00 BD
49 C8 00 00 00 00 00 09 18 00 00 00 00 BC
50 C8 00 00 00 00 00 09 19 00 00 00 00 BF
51 C8 00 00 00 00 00 09 1A 00 00 00 00 BE
52 C8 00 00 00 00 00 09 1B 00 00 00 00 B9
53 C8 00 00 00 00 00 09 1D 00 00 00 00 BB
54 C8 00 00 00 00 00 09 1E 00 00 00 00 BA
55 C8 00 00 00 00 00 09 1F 00 00 00 00 A5
56 C8 00 00 00 00 00 09 20 00 00 00 00 A4
57 C8 00 00 00 00 00 09 21 00 00 00 00 A7
58 C8 00 00 00 00 00 09 21 00 00 40 00 67
59 C8 00 00 00 00 00 09 22 00 00 00 00 A6
60 C8 00 00 00 00 00 09 22 00 00 40 00 66
61 C8 02 00 00 00 00 09 21 00 00 00 00 A1
62 C8 02 00 00 00 04 09 20 00 00 00 00 A2
63 C8 03 00 00 00 00 09 20 00 00 00 00 A1
64 C8 03 00 00 00 00 09 21 00 00 00 00 A0
65 C8 03 00 00 00 00 09 22 00 00 00 00 A3
66 C8 03 00 00 00 00 0A 20 00 00 00 00 A0
67 C8 03 00 00 00 00 0A 21 00 00 00 00 A3
68 C8 03 00 00 00 00 0A 22 00 00 00 00 A2
69 C8 03 00 00 00 00 0C 20 00 00 00 00 A2
70 C8 03 00 00 00 00 0C 21 00 00 00 00 AD
71 C8 03 00 00 00 00 0D 21 00 00 00 00 AC
72 C8 03 00 00 00 00 0E 21 00 00 00 00 AF
73 C8 03 00 00 00 00 0F 20 00 00 00 00 AF
74 C8 03 00 00 00 00 0F 21 00 00 00 00 AE
75 C8 03 00 00 00 04 03 20 00 00 00 00 A7
76 C8 03 00 00 00 04 04 20 00 00 00 00 A6
77 C8 03 00 00 00 04 05 20 00 00 00 00 A1
78 C8 03 00 00 00 04 06 20 00 00 00 00 A0
79 C8 03 00 00 00 04 07 20 00 00 00 00 A3
80 C8 03 00 00 00 04 08 20 00 00 00 00 A2
81 C8 03 00 00 00 04 09 20 00 00 00 00 AD
82 C8 03 00 00 00 04 09 21 00 00 00 00 AC
83 C8 03 00 00 00 04 0A 20 00 00 00 00 AC
84 C8 03 00 00 00 04 0A 22 00 00 00 00 AE
85 C8 03 00 00 00 04 0B 20 00 00 00 00 AF
86 C8 03 00 00 00 04 0B 22 00 00 00 00 A9
87 C8 03 00 00 00 04 0C 20 00 00 00 00 AE
88 C8 03 00 00 00 04 0C 22 00 00 00 00 A8
89 C8 03 00 00 00 04 0D 20 00 00 00 00 A9
90 C8 03 00 00 00 04 0D 22 00 00 00 00 AB
91 C8 03 00 00 00 04 0E 20 00 00 00 00 A8
92 C8 03 00 00 00 04 0E 22 00 00 00 00 AA
93 C8 03 00 00 00 04 0F 20 00 00 00 00 AB
94 C8 03 00 00 00 04 0F 21 00 00 00 00 AA
95 C8 03 00 00 00 04 0F 22 00 00 00 00 55
96 C8 03 80 00 00 00 09 20 00 00 00 00 21
97 C8 23 00 00 00 00 09 1F 00 00 00 00 46
98 C8 23 00 00 00 00 09 20 00 00 00 00 41
99 C8 43 00 00 00 00 09 1F 00 00 00 00 66
100 C8 43 00 00 00 00 09 20 00 00 00 00 61
101 C8 60 40 00 00 00 09 1B 00 00 00 00 D9
102 C8 60 40 00 00 00 09 1C 00 00 00 00 D8
103 C8 60 40 00 00 00 09 1D 00 00 00 00 DB
104 C8 60 40 00 00 00 09 1E 00 00 00 00 DA
105 C8 62 40 00 00 04 09 1E 00 00 00 00 C0
106 C8 62 40 00 00 04 09 1F 00 00 00 00 C3
107 C8 63 00 00 00 00 09 1F 00 00 00 00 06
108 C8 63 00 00 00 00 09 20 00 00 00 00 01
109 C8 63 40 00 00 00 09 1F 00 00 00 00 C6
110 C8 63 40 00 00 04 09 1F 00 00 00 00 C2
111 C9 C4 D0 1F 80 31 00 40 02 00 00 00 3A
112 CA 00 00 00 00 00 00 00 00 02 F1 21 8B
113 CB 00 00 FF FF 70 00 00 00 00 00 00 6C
114 CB 00 00 FF FF 7C 00 00 00 00 00 00 10
115 CB 00 00 FF FF 7D 00 00 00 00 00 00 13
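
One way to test checksum hypotheses against the capture above (an added example, not part of the original post). It assumes the last byte is an 8-bit reduction of the 12 payload bytes XORed with a fixed constant; the candidate reductions and all function names are illustrative, and the frames are copied from capture lines 1, 9, 11, 17, 31, 95, 111, 112 and 113.

```python
from functools import reduce

# Frames copied from the capture above, without the added line numbers.
CAPTURE = """
A8 00 00 00 00 00 09 17 00 00 00 00 9D
A8 00 00 00 00 00 09 1F 00 00 00 00 85
A8 00 00 00 00 00 09 20 00 00 40 00 44
A8 01 00 00 00 00 09 23 40 00 80 00 C0
A8 41 00 00 00 00 01 00 40 00 80 00 FF
C8 03 00 00 00 04 0F 22 00 00 00 00 55
C9 C4 D0 1F 80 31 00 40 02 00 00 00 3A
CA 00 00 00 00 00 00 00 00 02 F1 21 8B
CB 00 00 FF FF 70 00 00 00 00 00 00 6C
"""

def parse(text):
    """Return (payload, checksum) pairs; reject anything that is not 13 bytes."""
    frames = []
    for line in text.strip().splitlines():
        raw = bytes.fromhex(line)
        if len(raw) != 13:
            raise ValueError(f"expected 13 bytes, got {len(raw)}: {line!r}")
        frames.append((raw[:12], raw[12]))
    return frames

# Candidate 8-bit reductions of the payload (hypotheses, not vendor documentation).
BASES = {
    "xor": lambda p: reduce(lambda a, b: a ^ b, p, 0),
    "sum": lambda p: sum(p) & 0xFF,
    "neg_sum": lambda p: -sum(p) & 0xFF,
}

def fit(frames):
    """Map each base to K when base(payload) ^ K == checksum holds on every frame."""
    hits = {}
    for name, base in BASES.items():
        residues = {base(p) ^ c for p, c in frames}
        if len(residues) == 1:  # one constant explains all frames
            hits[name] = residues.pop()
    return hits

def checksum(payload, hits):
    """Compute the checksum of a 12-byte payload using the first fitted hypothesis."""
    name, k = next(iter(hits.items()))
    return BASES[name](payload) ^ k

if __name__ == "__main__":
    print({name: hex(k) for name, k in fit(parse(CAPTURE)).items()})
```

On these frames only `sum` survives, with K = 0x55; rerun `fit` over the full capture before relying on it.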