
This is an old version of the document!


Vaillant CalorMatic 340f (868MHz) PART 2: Decoding the wireless protocol of the heating control

After we investigated the wireless signal that was sent by the Vaillant CalorMatic 340f over the 868MHz frequency and extracted the binary contents in the first part of our series, this second part will now deal with understanding the meaning of the bits and bytes sent to the boiler.

Features of the wireless control

Let's first look at the features of the wireless heating control:

  1. Heating modes: Normal and ECO (only different target temperatures)
  2. Operating modes: Automatic (time-based switch between Normal and ECO), forced Day mode, forced Night mode (=ECO), OFF
  3. Warm water pre-heating: Up to three different time periods per weekday where the water reservoir in the boiler is kept pre-heated. Outside this period, the water will be heated only on demand.
  4. Timers (up to three different time periods, independently set for each day) for Normal and for ECO mode
  5. Current temperature and time are displayed on the screen
  6. Party mode and override: Overriding the target temperature for a limited time (and/or preventing a switch to ECO mode)

So, the heating and boiler control appears to have some smart logic included. The first question is whether this logic is inside the wireless control or inside the boiler. In the first case (smart control, dumb boiler), the wireless control would keep the timers and the current state and only signal to the boiler when the heating should be turned on or off. In the second case (dumb control, smart boiler), all information (current temperature, target temperature, date/time, mode, etc.) will be sent wirelessly to the boiler. Of course, the second case would be much more interesting, as this would allow us to later build a second wireless control, e.g. in OpenHAB.

Unfortunately, after sniffing several different target temperatures and several different modes (normal / ECO; Auto/Forced/OFF; Timed pre-heated water on/off), it became clear that the wireless control only sends "Heating ON/OFF" and "Pre-heated water ON/OFF" signals to the boiler. In particular, when I increased the target temperature, and the heating was already on, then no signal was sent to the boiler. Also, if the heating was off and I set the target temperature to different values that all caused the heating to come on, the wireless signal was always the same, i.e. the target temperature was never sent to the boiler, but only processed inside the wireless control.

Obtaining all possible signals

I tried all different combinations I could think of (including low batteries!), and the only information that was sent to the boiler appears to be:

  1. Heating ON/OFF
  2. Warm water ON/OFF
  3. Battery OK/LOW

So, there are 8 possible combinations for signals to be sent to the boiler. As we saw in the first part, each signal was followed by a second repeated signal, which has slight differences. So, we have 8 base signals and 8 repeats.

The corresponding observed binary sequences are:

| Description | Signal |
|---|---|
| Heating ON, Water OFF | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 00000000 00010001 00101101 00000000 10111110 1 10000010 11111111 000000000 |
| Heating ON, Water OFF (Rep.) | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 10000000 00010001 00101101 00000000 10111110 1 00000010 11111111 000000000 |
| Heating OFF, Water OFF | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 00000000 00010001 00000000 00000000 10111110 1 10101111 11111111 000000000 |
| Heating OFF, Water OFF (Rep.) | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 10000000 00010001 00000000 00000000 10111110 1 00101111 11111111 000000000 |
| Heating ON, Water ON | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 00000000 00000001 00101101 00000000 10111110 1 10010010 11111111 000000000 |
| Heating ON, Water ON (Rep.) | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 10000000 00000001 00101101 00000000 10111110 1 00010010 11111111 000000000 |
| Heating OFF, Water ON | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 00000000 00000001 00000000 00000000 10111110 1 10111111 11111111 000000000 |
| Heating OFF, Water ON (Rep.) | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 10000000 00000001 00000000 00000000 10111110 1 00111111 11111111 000000000 |
| Heat. ON, Water OFF, Batt. LOW | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 00000000 00010001 00101101 10000000 10111110 1 00000010 11111111 000000000 |
| Heat. ON, W. OFF, Batt. LOW (Rep.) | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 10000000 00010001 00101101 10000000 10111110 1 11111100 11111111 000000000 |
| Heat. OFF, W. OFF, Batt. LOW | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 00000000 00010001 00000000 10000000 10111110 1 00101111 11111111 000000000 |
| Heat. OFF, W. OFF, Batt. LOW (Rep.) | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 10000000 00010001 00000000 10000000 10111110 1 11001111 11111111 000000000 |
| Heat. ON, W. ON, Batt. LOW | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 00000000 00000001 00101101 10000000 10111110 1 00010010 11111111 000000000 |
| Heat. ON, W. ON, Batt. LOW (Rep.) | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 10000000 00000001 00101101 10000000 10111110 1 11100010 11111111 000000000 |
| Heat. OFF, W. ON, Batt. LOW | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 00000000 00000001 00000000 10000000 10111110 1 00111111 11111111 000000000 |
| Heat. OFF, W. ON, Batt. LOW (Rep.) | 00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 10000000 00000001 00000000 10000000 10111110 1 11011111 11111111 000000000 |

In this table, I already split the binary signal into octets, i.e. bytes. Since the full signal has 130 bits, two extra bits need to be included somewhere.

Somehow that is strange… As my reasoning below shows, that extra bit must be before the final three bytes, but after the fourth-to-last one. So we have the 9-bit sequence 101111101 that we must make sense of. After some googling, I stumbled upon the framing approach in the High-Level Data Link Control, where the frames start with 0x7e=01111110 and the bit stuffing in the data part means that after five consecutive 1 bits, an extra 0 bit is included, which must be removed at the receiving end. Indeed, the 101111101 bit sequence is the only appearance of five consecutive 1 bits in these examples. Some other

The individual parts of the signal

All signals start with two 0x00 bytes, which makes perfect sense considering that the physical signal is differential Manchester encoded. The two 0x00 00 bytes simply mean that there will be eight long UP / DOWN impulses, so that the receiver has enough time to synchronize its clock.

The next three bytes 3-5 are also always the same, but they are not zero. My best guess is that these three bytes are some kind of device ID.

The next three bytes 6-8 are again constant, but mostly full of zeroes. I have not yet found any explanation, so let's just assume they are constant and mostly zeroes.

The next byte 9 varies depending on whether the signal is a repeat or the original signal.

The next byte 10 has different bits for Water ON and OFF.

The next byte 11 is 0 for Heating OFF and has some bits set for Heating ON.

The next byte 12 has one bit set if battery is LOW and is zero otherwise.

The next byte 13 is always the same, then one additional 1 bit appears.

The next byte 14 is the most interesting, as it changes whenever anything before changes. So, this makes it an obvious candidate for a checksum byte. We just need to figure out how that checksum is calculated.

The two final bytes 15-16 are constant and always have the value 0xFF 00, which again makes sense considering the physical encoding, i.e. 0xFF will be a quickly oscillating square wave, and the final 0x00 byte will be a slowly oscillating square wave.

Re-writing the signal as HEX bytes

As we already split the binary sequence into bytes, let's rewrite the signal in hexadecimal form, with the least significant bit sent first, i.e. binary 10000000 is hex 0x01 and binary 10010010 is hex 0x49.

Why least significant bit first? That took me a while, too, and it stems from the way the checksum is calculated.

Our sixteen base signals from above now become:

Heat.Wat.Rep.Bat. Byte1 2  3  4  5  6  7  8  9 10 11 12 13 _ 14 15 16
Heating ON Water OFF OK 0x00 00 7E 6D F6 00 20 00 00 88 B4 00 7D 1 41 FF 00
Heating ON Water OFF X OK 0x00 00 7E 6D F6 00 20 00 01 88 B4 00 7D 1 40 FF 00
Heating OFF Water OFF OK 0x00 00 7E 6D F6 00 20 00 00 88 00 00 7D 1 F5 FF 00
Heating OFF Water OFF X OK 0x00 00 7E 6D F6 00 20 00 01 88 00 00 7D 1 F4 FF 00
Heating ON Water ON OK 0x00 00 7E 6D F6 00 20 00 00 80 B4 00 7D 1 49 FF 00
Heating ON Water ON X OK 0x00 00 7E 6D F6 00 20 00 01 80 B4 00 7D 1 48 FF 00
Heating OFF Water ON OK 0x00 00 7E 6D F6 00 20 00 00 80 00 00 7D 1 FD FF 00
Heating OFF Water ON X OK 0x00 00 7E 6D F6 00 20 00 01 80 00 00 7D 1 FC FF 00
Heating ON Water OFF LOW 0x00 00 7E 6D F6 00 20 00 00 88 B4 01 7D 1 40 FF 00
Heating ON Water OFF X LOW 0x00 00 7E 6D F6 00 20 00 01 88 B4 01 7D 1 3F FF 00
Heating OFF Water OFF LOW 0x00 00 7E 6D F6 00 20 00 00 88 00 01 7D 1 F4 FF 00
Heating OFF Water OFF X LOW 0x00 00 7E 6D F6 00 20 00 01 88 00 01 7D 1 F3 FF 00
Heating ON Water ON LOW 0x00 00 7E 6D F6 00 20 00 00 80 B4 01 7D 1 48 FF 00
Heating ON Water ON X LOW 0x00 00 7E 6D F6 00 20 00 01 80 B4 01 7D 1 47 FF 00
Heating OFF Water ON LOW 0x00 00 7E 6D F6 00 20 00 00 80 00 01 7D 1 FC FF 00
Heating OFF Water ON X LOW 0x00 00 7E 6D F6 00 20 00 01 80 00 01 7D 1 FB FF 00

Summarizing our interpretation of the individual bytes of the signal:

| Byte | Value | Description | Comment |
|---|---|---|---|
| 1-2 | 0x00 00 | Preamble (square wave to synchronize clocks with the receiver) | |
| 3 | 0x7E | Begin of frame/data | Constant |
| 4-5 | 0x6D F6 | Device ID | Constant for each device |
| 6-8 | 0x00 20 00 | Unknown (bit 6 of byte 7 always set) | constant |
| 9 | | Repeat: 0x00 for original signal, 0x01 for repeat signal (bit 1) | |
| 10 | | Pre-heated Water: 0x80 for ON, 0x88 for OFF (bit 8 always set, bit 4 indicates water) | |
| 11 | | Heating: 0x00 for OFF, 0xB4 for ON (see below!) | |
| 12 | 0x00 | Battery: 0x00 for OK, 0x01 for LOW (bit 1) | |
| 13 | 0x7D | Unknown (End of data?) | constant |
| Bit | 1 | Unknown, single 1 bit | |
| 14 | | Checksum | |
| 15-16 | 0xFF 00 | End of Signal | |

The Checksum byte

Byte 14 seems to be some kind of checksum, but it took me quite some time to figure out how it is calculated (and how the bits need to be split and interpreted into bytes).

Let's look at e.g. the four signals for Heating ON + Water OFF (most bytes will be identical, so I have left them out and show only the differences):

Heating ON, Water OFF … 00000000 … 00000000 … 10000010 …
Heating ON, Water OFF (Rep.) … 10000000 … 00000000 … 00000010 …
Heat. ON, Wt. OFF, Batt. LOW … 00000000 … 10000000 … 00000010 …
Heat. ON, Wt. OFF, Batt. LOW (Rep.) … 10000000 … 10000000 … 11111100 …

Do you notice anything about the checksum? From the first to the second and third signals there is only one additional bit set, and in the checksum one bit is unset. However, going to the fourth is again just one additional message bit set, but the checksum changes considerably… Until you look at the hexadecimal representation with least significant bit first:

Heating ON, Water OFF … 00 … 00 … 41 …
Heating ON, Water OFF (Rep.) … 01 … 00 … 40 …
Heat. ON, Wt. OFF, Batt. LOW … 00 … 01 … 40 …
Heat. ON, Wt. OFF, Batt. LOW (Rep.) … 01 … 01 … 3F …

See, if any of the bytes in the message increases by 1, the checksum decreases by 1. Or in other words, the sum of the three bytes stays constant. If we had interpreted the message with most significant bit first, this would not have made sense.

Let's look at other signals that differ only in one byte:

Heating ON, Water OFF … B4 … 41 …
Heating OFF, Water OFF … 00 … F5 …

Let's put our hypothesis to the test: Does the sum of the changed bytes stay constant? YES, 0xB4+0x41 = 0x00+0xF5 = 0xF5

So, the checksum seems to be a simple complement of the sum of all bytes. After a few trials, one notices that bytes 4-12 and the checksum byte 14 always sum up to 0x300, i.e. 0x00 once the sum is truncated to one byte! So the checksum is simply the two's complement of the sum of bytes 4-12.

Also, this result clearly shows that the checksum byte apparently does not start at a multiple of 8 bits, but starts from the bit 106 of the message, after an additional 1 bit…
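The layout and checksum rule worked out above can be checked mechanically. The following Python decoder is an added example, not part of the original page: it takes a 130-bit signal as written in the first table, converts each octet LSB first, reads the flags according to the summary table and recomputes byte 14. The function and constant names are made up for this example, and the field meanings are the page's interpretation.

```python
# Added example: decoder for the 130-bit frames listed in the table above.
# Byte numbers are 1-based, as on the page; bits are sent LSB first.
PREFIX = "00000000 00000000 01111110 10110110 01101111 00000000 00000100 00000000 "
TAIL = " 11111111 000000000"
# Two rows copied from the page's table of observed signals.
HEAT_ON_WATER_OFF = PREFIX + "00000000 00010001 00101101 00000000 10111110 1 10000010" + TAIL
HEAT_ON_LOW_BATT_REPEAT = PREFIX + "10000000 00010001 00101101 10000000 10111110 1 11111100" + TAIL


def to_byte(bits8):
    """Convert 8 on-air bits to an integer; the first bit sent is the LSB."""
    return int(bits8[::-1], 2)


def checksum(payload):
    """Two's complement of the sum of bytes 4-12, so the total is 0 mod 256."""
    return (-sum(payload)) & 0xFF


def decode_frame(signal):
    """Decode one signal (bit string, spaces ignored) into its fields."""
    bits = "".join(signal.split())
    if len(bits) != 130 or set(bits) - {"0", "1"}:
        raise ValueError("expected 130 bits of 0/1")
    head = [to_byte(bits[i:i + 8]) for i in range(0, 104, 8)]  # bytes 1-13
    if head[:3] != [0x00, 0x00, 0x7E]:
        raise ValueError("missing preamble or 0x7E frame start")
    payload = head[3:12]                   # bytes 4-12, covered by the checksum
    received = to_byte(bits[105:113])      # byte 14 starts at bit 106
    return {
        "device_id": payload[0] << 8 | payload[1],  # bytes 4-5
        "repeat": bool(payload[5] & 0x01),          # byte 9
        "water_on": not payload[6] & 0x08,          # byte 10: 0x80 ON, 0x88 OFF
        "heating_on": payload[7] != 0x00,           # byte 11: 0xB4 ON, 0x00 OFF
        "battery_low": bool(payload[8] & 0x01),     # byte 12
        "checksum": received,
        "checksum_ok": received == checksum(payload),
    }


if __name__ == "__main__":
    for name in ("HEAT_ON_WATER_OFF", "HEAT_ON_LOW_BATT_REPEAT"):
        print(name, decode_frame(globals()[name]))
```

A frame whose payload byte is altered without adjusting byte 14 decodes with `checksum_ok` set to False, which is all this checksum can tell a receiver.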

The heating byte

We saw that turning on the heating always meant for byte 11 to be set to 0xB4, while turning off the heating set byte 11 to 0x00 (which is what we would expect). But why 0xB4?

The spurious extra bit between

hardware/vaillantvrt340f_protocol.1493836903.txt.gz · Last modified: 2017/05/03 20:41 by reinhold