Reverse engineering of the exchange protocol in EOS equipment



I should say up front that the headline is perhaps a little grand. I only needed to extract a single command from the protocol in order to control a dimmer. Read on for how this was done and what came of it.

There is a German company, EOS Premium SPA Technology, that produces a wide range of equipment for saunas. Their control panels are quite interesting, with touch screens and a high-quality power unit. They are rather expensive, but they seem to justify the price.

However, their equipment has one big drawback. The power units can control multi-kilowatt electric furnaces, yet they have a very weak lighting control channel: only up to 150 watts! The lighting can be conveniently controlled directly from the control panel: switched on and off, and dimmed. But 150 W is VERY little! Additional lighting control units are on sale, but their price tag is far from reasonable.
So the task arose of building a dimmer that could control a more powerful load and, in addition, a low-voltage load (LED strip at 12 / 24V or halogen lamps at 24V).

Halogens consume more and are prone to burning out, but in my opinion the light from them is more pleasant, although that is a matter of taste. In any case, the task was set. What such lighting is needed for is well illustrated in this picture:



EOS makes many control panels, but the most common ones are the Emotec and the Emotouch III. Those are the ones we will deal with.





The control panel in EOS equipment is connected to the power unit via an ordinary 4-pin telephone cable:



A quick inspection of the board showed that two wires are used for 24V power and the other two for the RS-485 interface lines. In general, a standard implementation. Lines A and B are in the middle:



After connecting to the line with a USB-RS-485 converter and setting the speed to 9600 bps, a value picked at random, we saw bytes going by, but their purpose was of course unknown. The exchange protocol could not be found in the public domain, and the manufacturer refused to provide it, although a request was sent to them.
I had to do the decoding myself :-)

One nuance is worth noting right away. The dimmer control only works after the power unit has been put into operation. This is clearly visible when a lamp is connected to the output of the built-in dimmer: it starts to glow only after the sauna starts to heat up.

We started by going through the standard speeds from 9600 to 115200 bps.
At 38400 it caught my eye that the commands are separated by two standard bytes, 0x0A, 0x0D.

Well, that is already something. Now for the next trick: let's look for the command we need by its brightness value, in case it is transmitted in the clear.

We set the value 73 (0x49) on the remote control:



Next, we capture a log and simply search it for this byte:



Voila! We find it, then look left and right for the 0x0A, 0x0D bytes to isolate the packet we need. The result is this structure:

0x0E 0x04 0x04 0x49 0x49 0x00 0x00 0xD1 0x0A 0x0D

During the experiments it was found that bytes 2 and 3 are always equal to 0x04, bytes 4 and 5 set the brightness in percent, bytes 6 and 7 are 0, byte 8 changes and its meaning is not yet clear, and bytes 9 and 10 are 0x0A, 0x0D.

As experiments have shown, the first byte is the address. It sets the so-called room number. The point is that EOS control panels can control several power units at the same time. Each has its own address, which is transmitted in this byte.

The addresses are as follows:
For control panels for the furnace:
01 - first room
21 - second room
41 - third room
61 - fourth room
81 - fifth room
A1 - sixth room
C1 - seventh room
E1 - eighth room

For control panels for the steam generator:
0E - first room
2E - second room
4E - third room
6E - fourth room
8E - fifth room
AE - sixth room
CE - seventh room
EE - eighth room

That, in fact, is the whole decoding.

To check it in action, so to speak, we quickly put together a Delphi program that displays the brightness value and moved the slider. Everything works reliably.

After that, we wrote a simple C program to decode these packets and ran everything on hardware. The device itself is quite simple: ordinary PWM on a power switch. If there is interest, I can write a separate article about it.
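
A decoder for the frame described above, as an added example that is not the author's program: it finds and validates the 10-byte dimmer frame inside a raw capture. Assumptions: the two brightness bytes always agree (true of the one frame shown), the room number sits in the top three address bits (a pattern read off the address table), and the function names and the extra bytes in the sample are made up here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EOS_FRAME_LEN 10
struct eos_dimmer {
    unsigned room;       /* 1..8: top three address bits + 1 (pattern in the table) */
    unsigned unit;       /* low five bits: 0x01 furnace panel, 0x0E steam generator */
    unsigned brightness; /* percent */
    unsigned byte8;      /* meaning unknown in the article: kept, never checked */
};

/* Check one 10-byte window against the layout given in the article. */
static int eos_parse_frame(const uint8_t *f, struct eos_dimmer *out)
{
    unsigned unit = f[0] & 0x1Fu;
    if (unit != 0x01 && unit != 0x0E) return 0;  /* address not in the table */
    if (f[1] != 0x04 || f[2] != 0x04) return 0;  /* bytes 2 and 3 */
    if (f[3] != f[4] || f[3] > 100) return 0;    /* assumption: copies agree, 0..100 */
    if (f[5] != 0x00 || f[6] != 0x00) return 0;  /* bytes 6 and 7 */
    if (f[8] != 0x0A || f[9] != 0x0D) return 0;  /* terminator */
    *out = (struct eos_dimmer){ .room = (f[0] >> 5) + 1u, .unit = unit,
                                .brightness = f[3], .byte8 = f[7] };
    return 1;
}

/* Slide over a capture; count valid frames, leaving the last one in *last.
   Whole-frame matching: 0x0A / 0x0D also occur as data (brightness 10 or 13). */
size_t eos_scan(const uint8_t *buf, size_t len, struct eos_dimmer *last)
{
    size_t found = 0, i = 0;
    while (i + EOS_FRAME_LEN <= len) {
        if (eos_parse_frame(buf + i, last)) { found++; i += EOS_FRAME_LEN; }
        else i++;
    }
    return found;
}

/* Constructed capture: made-up leading bytes, the article's frame, a cut-off tail. */
const uint8_t eos_sample[] = { 0x55, 0x0A, 0x0D,
    0x0E, 0x04, 0x04, 0x49, 0x49, 0x00, 0x00, 0xD1, 0x0A, 0x0D, 0x0E, 0x04 };

int main(void)
{
    struct eos_dimmer d = {0};
    size_t n = eos_scan(eos_sample, sizeof eos_sample, &d);
    printf("frames=%zu room=%u unit=0x%02X brightness=%u%%\n", n, d.room, d.unit, d.brightness);
    return 0;
}
```

Because byte 8 is not understood, the decoder has no integrity check on a frame beyond the fixed bytes and the duplicated brightness value, so a receiver driving a real load should ignore any frame that fails these checks rather than act on it.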
