Does anyone have experience reading digital signals to reverse engineer digital control device?

TorontoBuilder · May 12, 2023

A certain ventilation company makes a product that provides multiple switching options, from the most basic; off,, low and high fan switch, to the more complex arrangements that make the high fan speed controlled by a humidistat, to multiple fan timer options, to recirculation options that actuate a damper to change the airflow pathway...

The highest level controller has a full blown lcd screen. It is similar to a programmable thermostat but for ventilation. For all their sophistication however they still require a lot of manual user input if you have changing conditions that require varying the recirculation rates and the lack the ability to know when to override a setting when another setting falls outside set parameters, and they dont have an alarm or alert.

So I want to replace the manufacturers controller with an ESP32 controller that has more settings, options and overrides as well as an alarm function.

I think I can connect an oscilloscope inline with the communications lines going back to the cpu in the ventilation unit to read the digital signals as I change all the settings in order to reverse engineer the code their controller is using.

I think this is viable method to try, any other suggestions? Oh a logic analyzer would likely work too I guess.

Susquatch · May 13, 2023

TorontoBuilder said:
I think this is viable method to try, any other suggestions? Oh a logic analyzer would likely work too I guess.

I have never reverse engineered anything like that. But I can offer a few comments.

What does the business end look like? Is it another controller or is it the regular type controls one sees on a normal system? I ask because the latter is more likely. That would be easier to build a box for.

Most such remote control panels with a box at both ends don't use signals that could easily be decoded by an Analyser. Instead, they use a communications link usually using some standard protocol. Often serial, sometimes other formats. If you can figure out what the protocol is, you can often insert a device to tell you what the signals are. Start by counting wires in the cable and compare that with known standards.

If I were gunna do this, I'd rebuild both ends using a standard protocol. It will take less time and be easier to develop and debug too.

PaulL · May 13, 2023

I hate my Hitachi heat pump and it's proprietary protocol and user-hostile controls.
Time to dig for some hobbyist who has hated it even more than me, sooner.

slow-poke · May 13, 2023

I installed an Electric Power Steering unit from a Chevy Truck into a vintage Mustang ( no more leaky, messy hydraulics, pumps, etc and a fraction of the weight). To accomplish this I had to intercept the messages going back and forth from the main car computer to the CPU in the EPS, and then emulate the messages that normally come from the main computer. It was mildly tricky to figure out and then emulate with a dollar style uC. I have both a digital scope with a bunch of protocol decoders as well as a logic analyzer. Can't recall which one I used possible both. There were lots of CANBUS and OBDII type documents available via Google and I was able to match up what I was seeing with those documents that described what each code represented.

I would suggest picking up a 8 channel clone Saleae logic analyzer ( they are dirt cheap $20 ) and work quite well for simple stuff like this.

PaulL · May 13, 2023

slow-poke said:
I would suggest picking up a 8 channel clone Saleae logic analyzer ( they are dirt cheap $20 ) and work quite well for simple stuff like this.

Yeah, I have the saleae logic analyzer. That thing is pure magic.
My hurdle is getting over doing the work in the hall where the thermostat is installed.
Excuses, excuses.

slow-poke · May 13, 2023

PaulL said:
Yeah, I have the saleae logic analyzer. That thing is pure magic.
My hurdle is getting over doing the work in the hall where the thermostat is installed.
Excuses, excuses.

Try decoding messages in a wrecking yard, I got a few weird looks.

TorontoBuilder · May 13, 2023

Susquatch said:
I have never reverse engineered anything like that. But I can offer a few comments.

What does the business end look like? Is it another controller or is it the regular type controls one sees on a normal system? I ask because the latter is more likely. That would be easier to build a box for.

Most such remote control panels with a box at both ends don't use signals that could easily be decoded by an Analyser. Instead, they use a communications link usually using some standard protocol. Often serial, sometimes other formats. If you can figure out what the protocol is, you can often insert a device to tell you what the signals are. Start by counting wires in the cable and compare that with known standards.

If I were gunna do this, I'd rebuild both ends using a standard protocol. It will take less time and be easier to develop and debug too.

Right now the need is singular, for my friend is a beekeeper. However, there is a potential commercial market.

We can fully change the parameters of our controller, but we can't jailbreak or otherwise mess with the ventilator units firmware. Well we could BUT that would limit the future commercial potential.

I finally got to speak with my buddy Brian and he says easy peasy to hack their firmware data streams and figure out what we need to implement our own schema

Does anyone have experience reading digital signals to reverse engineer digital control device?

TorontoBuilder

Ultra Member

Susquatch

Ultra Member

PaulL

Technologist at Large

slow-poke

Ultra Member

PaulL

Technologist at Large

slow-poke

Ultra Member

TorontoBuilder

Ultra Member