I set myself up for some RS-232 logging today:
- CT2000 ready for RS232 logging sm.jpg (344.08 KiB) Viewed 2486 times
You can see, approximately top of the photo to bottom:
- A 2012 Leaf for testing, with J1772 socket. This EVSE still has a type 1 plug (I will eventually replace it with a type 2 plug).
- The J1772 plug, with foam around it for protection.
- Laptop for receiving RS-232 data.
- The "pilot" unit (also called the "Level 2 unit", model number CT2000-L2CORE=AUS). This is a heavy duty case aluminium box with the Pilot board, contactor, current sensor, etc.
- To its left, a non-contact thermal sensor, in case things get hot.
- To its right, you can just see a USB to RS-232 adapter, with a switch to select data to or from the pilot unit.
- Inside a plastic bag, the junction box that provides 230 V to the two main boxes. It has an orange 1.5 mm² cable with an industrial style plug on the end, plugged into my industrial style 15 A outlet. 15 A should be enough to charge via the Leaf's 3.6(?) kW on-board charger. Another reason to use the older EV; I'm not yet ready for 32 A or even 28 A that the MG can take.
- The main unit with the blue fluorescent display and card reader hanging out, also in a small plastic bag. To the right is a pair of authenticating cards (ChargePoint and Chargefox).
- The cap (triangular thing with the hole in the middle), which contains the cellular antenna. The original firmware still needs that to phone home and authenticate. There is also a Zigbee antenna in the cap, but I think I don't want to use this. If anyone is a Zigbee wiz and wants to convince me it's useful, I'll listen to arguments.
Here is the cellular modem, a beautiful work of art, soon to become obsolete:
- 3G modem with full sized SIM.jpg (176.62 KiB) Viewed 2486 times
The full-sized (!) SIM card is usually protected by a rubber bung.
Without plugging into the car, I see the same packets repeating every 10 seconds; the longer one to the pilot unit, the shorter one from the pilot unit.
[ Edit: I had the comms directions wrong earlier. ]
To pilot (commands?). . FE
00 02 00 02 00 FF
From pilot: (response?): FE
00 06 C0 02 00 07 00 A1 62 FF
It looks like FE introduces a packet, and FF terminates it. The second and third bytes (e.g. 00 02) are the big-endian size of the data (so 2 bytes and 6 bytes) and the data is followed by an XOR checksum of the second through third-last bytes (i.e. the underlined bytes, which are all bytes excluding the start and end bytes, and of course the checksum itself). So after a 2-byte command the pilot is responding with six bytes of data (sometimes 8).
It appears that when command 0x yz (x, y, z are hex nibbles), the response starts with Cx yz (i.e. I am responding to command 0x yz). This is presumably useful when several commands could be outstanding. It looks like responses starting with 8x yz might be unsolicited data of type xyz, sent because something has changed.
Here is the log from a longer session, plugging in the car, and including a little of the data from the pilot to the main unit near the end. Unfortunately, I was watching the responses when I thought I was watching commands, so there is way more of the response data than command data. Fortunately, if I'm right, it's easy to figure out the commands used to elicit a response.
PILOT unit ⇒ HEAD unit
====================
FE 00 06 C0 02 00 07 00 A1 62 FF < idle response >
< repeated 4 times>
FE 00 06 80 02 00 07 00 A2 21 FF < unsolicited: last byte changed A1 to A2 >
FE 00 06 C0 01 00 00 00 1E D9 FF < response to 00 01 command? 0x1E = 30,perhaps saying the pilot is set to the default of 30 A? >
FE 00 06 C0 02 00 00 7F A3 18 FF < response to 00 02 command? 3 last bytes changed >
FE 00 06 80 02 00 07 00 0B 88 FF < more unsolicited changes >
FE 00 06 80 02 00 0B 00 0C 83 FF < ditto >
FE 00 06 C1 C0 00 00 00 00 07 FF
FE 00 06 C1 00 00 F8 00 01 3E FF
FE 00 06 C1 02 00 4F 70 00 FA FF < Current gain = 1.241 >
FE 00 06 C1 04 00 31 60 00 92 FF < Voltage gain = 0.7715 >
FE 00 06 C1 03 00 07 24 DE 39 FF < Voltage dc offset = 0.0558 => 29.2V >
FE 00 06 C1 01 00 FE 1A 49 6B FF < Current dc offset = -0.0148 => -0.74A >
FE 00 06 C3 00 00 00 00 00 C5 FF < This 03 00 command response is 6 bytes >
FE 00 06 C3 01 00 00 00 00 C4 FF < Also this 03 01 command. Note the order >
FE 00 06 C1 0F 00 80 00 00 48 FF
FE 00 06 C1 1A 00 80 00 00 5D FF
FE 00 06 C1 E0 00 00 00 E8 CF FF
FE 00 06 C1 0F 00 10 00 01 D9 FF
FE 00 06 C1 13 00 00 00 00 D4 FF
FE 00 06 C1 0A 00 00 00 00 CD FF
FE 00 06 C1 0C 00 00 00 00 CB FF
FE 00 06 C1 0B 00 00 00 00 CC FF
FE 00 08 C3 01 00 00 00 00 00 00 CA FF <response to C3 01 command often 8 bytes >
FE 00 08 C3 00 00 00 00 00 00 00 CB FF < Also response to C3 00 >
FE 00 06 C1 0F 00 10 00 81 59 FF <Start of oft-repeated 7-byte command responses >
FE 00 06 C1 13 00 17 3B 80 78 FF
FE 00 06 C1 0A 00 00 06 F9 32 FF
FE 00 06 C1 0C 00 76 82 D2 ED FF
FE 00 06 C1 0B 00 00 BB D4 A3 FF
FE 00 08 C3 01 00 00 00 00 00 03 C9 FF
FE 00 08 C3 00 00 00 4D 66 00 03 E3 FF
FE 00 06 80 02 00 07 00 0B 88 FF < Start of almost repeated sequence >
FE 00 06 C0 02 00 07 00 0B C8 FF < Maybe a 00 02 command is sent every 10 seconds >
FE 00 06 C0 02 00 07 00 0B C8 FF < repeat of above>
FE 00 06 80 02 00 0B 00 0C 83 FF
FE 00 06 C1 C0 00 00 00 00 07 FF
FE 00 06 C1 00 00 F8 00 01 3E FF
FE 00 06 C1 02 00 4F 70 00 FA FF
FE 00 06 C1 04 00 31 60 00 92 FF
FE 00 06 C1 03 00 07 24 DE 39 FF
FE 00 06 C1 01 00 FE 1A 49 6B FF
FE 00 06 C3 00 00 00 00 00 C5 FF < Again: 03 00 responses is 6 bytes >
FE 00 06 C3 01 00 00 00 00 C4 FF < Also this 03 01 >
FE 00 06 C1 0F 00 80 00 00 48 FF
FE 00 06 C1 1A 00 80 00 00 5D FF
FE 00 06 C1 E0 00 00 00 E8 CF FF
FE 00 06 C1 0F 00 10 00 01 D9 FF
FE 00 06 C1 13 00 17 A1 80 E2 FF
FE 00 06 C1 0A 00 FF FF FF 32 FF
FE 00 06 C1 0C 00 00 10 00 DB FF
FE 00 06 C1 0B 00 00 0D 44 85 FF
FE 00 08 C3 01 00 00 00 00 00 1C D6 FF
FE 00 08 C3 00 00 00 00 00 00 1C D7 FF
FE 00 06 C1 0F 00 10 00 81 59 FF
FE 00 06 C1 13 00 17 BD 80 FE FF
FE 00 06 C1 0A 00 00 01 65 A9 FF
FE 00 06 C1 0C 00 76 75 BA 72 FF
FE 00 06 C1 0B 00 00 A6 CE A4 FF
FE 00 08 C3 01 00 00 00 00 00 1F D5 FF
FE 00 08 C3 00 00 00 04 31 00 1F E1 FF
FE 00 06 C1 0F 00 10 00 81 59 FF
FE 00 06 C1 0F 00 10 00 81 59 FF
FE 00 06 C1 13 00 17 C1 00 02 FF
FE 00 06 C1 0A 00 0F 4B 85 0C FF
FE 00 06 C1 0C 00 73 31 62 EB FF
FE 00 06 C1 0B 00 45 15 9E 02 FF
FE 00 08 C3 01 00 00 00 00 00 24 EE FF
FE 00 08 C3 00 00 29 7C 63 00 24 D9 FF
FE 00 06 C1 0F 00 10 00 81 59 FF
FE 00 06 C1 13 00 17 D5 80 96 FF
FE 00 06 C1 0A 00 11 EA B6 80 FF
FE 00 06 C1 0C 00 72 C3 38 42 FF
FE 00 06 C1 0B 00 50 F1 7A 17 FF
FE 00 08 C3 01 00 00 00 00 00 29 E3 FF
FE 00 08 C3 00 00 82 F8 86 00 29 1E FF
HEAD unit ⇒ PILOT unit
=====================
FE 00 02 01 0F 0C FF < Change of data direction, i.e. I threw the switch here. >
FE 00 02 01 13 10 FF
FE 00 02 01 0A 09 FF
FE 00 02 01 0C 0F FF
FE 00 02 01 0B 08 FF
FE 00 02 03 01 00 FF
FE 00 02 03 00 01 FF
FE 00 02 01 0F 0C FF
FE 00 02 01 13 10 FF
FE 00 02 01 0A 09 FF
FE 00 02 01 0C 0F FF
FE 00 02 01 0B 08 FF
FE 00 02 03 01 00 FF
FE 00 02 03 00 01 FF
PILOT unit ⇒ HEAD unit
====================
FE 00 06 C1 0F 00 10 00 81 59 FF < Change of data direction, I put the switch back >
FE 00 06 C1 13 00 18 4B 80 07 FF
FE 00 06 C1 0A 00 11 E9 B3 86 FF
FE 00 06 C1 0C 00 72 C6 0E 71 FF
FE 00 06 C1 0B 00 50 EA 58 2E FF
FE 00 08 C3 01 00 00 00 00 00 38 F2 FF
FE 00 08 C3 00 01 8F AB 2D 00 38 FB FF
FE 00 06 C1 0F 00 10 00 81 59 FF
FE 00 06 C1 13 00 18 14 80 58 FF
FE 00 06 C1 0A 00 11 EB D2 E5 FF
FE 00 06 C1 0C 00 72 BA CC CF FF
FE 00 06 C1 0B 00 50 FB 5C 3B FF
FE 00 08 C3 01 00 00 00 00 00 3D F7 FF
FE 00 08 C3 00 01 E9 47 B3 00 3D EA FF
FE 00 06 C1 0F 00 10 00 81 59 FF
FE 00 06 C1 13 00 18 35 00 F9 FF
< Probably J1772 disconnected at this point >
FE 00 06 80 02 00 07 00 0B 88 FF < Vehicle refused charge status >
FE 00 06 C1 0A 00 00 01 62 AE FF < Power nearly zero >
FE 00 06 C1 0C 00 76 80 52 6F FF
FE 00 06 80 02 00 07 04 A1 26 FF < Status: plug disconnected >
FE 00 06 C1 0B 00 00 A6 5E 34 FF
FE 00 08 C3 01 00 00 00 00 00 42 88 FF
FE 00 08 C3 00 01 F4 AE EC 00 42 3E FF
FE 00 06 C0 02 00 07 04 A1 66 FF (similar to the idle packet, except for 5th real data byte now 04 was 00)
< repeated twice more>
[ Edit: data with just the checksums deleted. I know enough that this is pointless now. ]
The 8-byte packets have a structure to them. They are always in pairs, starting with C3 01 and the second starting with C3 00. The rest of the first packet is always 00, except for the last real data byte, which increases monotonically. It's possible that this is some sort of time stamp, and the time stamp could be up to 6 bytes long, though I suspect 2 bytes. Bytes 7 and 8 (starting with 1) are repeated in the second packet. Bytes 2-6 of the second packet are often 00, but other data appears, especially later in the log. Bytes 2-3 of the second packet taken as a 2-byte number increase monotonically as well.
From this short sample, it seems that the commands to the pilot unit often cycles every 7 packets.
I have lots to think about, including deciding if and when I quit trying to figure this out.