CuVoodoo

the sorcery of copper

User Tools

Site Tools


web-u2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
web-u2 [2019/09/23 15:47]
kingkevin [Resources] typo
web-u2 [2019/09/30 13:48]
kingkevin [USB HID] add git
Line 84: Line 84:
 ==== WITRN U2 V2.0 ==== ==== WITRN U2 V2.0 ====
  
-Because the clone was bricked, I got a genuine replacement.+Because the clone got bricked, I got a genuine replacement.
  
 {{:u2:witrn-u2_device_front.jpg?0x200|}} {{:u2:witrn-u2_device_front.jpg?0x200|}}
Line 205: Line 205:
  
 There are other messages to get the device's serial number and firmware version, but I did not reverse those. There are other messages to get the device's serial number and firmware version, but I did not reverse those.
 +
 +I've implemented a software (C program for Linux) to read to measurements over USB and output it as CSV.
 +You can find it in the [[https://git.cuvoodoo.info/web-u2/about/|git]].
 ==== Bluetooth Serial ==== ==== Bluetooth Serial ====
 +
 +The Qway has an optional Bluetooth module.
 +This allows getting the measurement without physical connection (e.g. the USB HID port).
 +You can use the [[#resources|Android app]] to communicate with the device.
 +
 +I reversed the protocol so I can get the raw data myself.
 +Scan for Bluetooth (Low Energy) devices and look for one named ''QWAY_U2_xxx'', with ''xxx'' being the device's serial number.
 +There is no need to pair with the device.
 +You can directly connect to it.
 +Data is then exchanged using the GATT characteristic ''0000ffe1-0000-1000-8000-00805f9b34fb''.
 +
 +On the [[#hardware|hardware side]], the Bluetooth board uses a [[http://www.martyncurrey.com/hm-10-bluetooth-4ble-modules/|HM-10 module]] (with TI CC2541 chip) to send the measurement over Bluetooth Low Energy.
 +The main board is connected to the Bluetooth board using spring contacts and uses UART to communicate with the module (at 115200 bps).
 +
 +First send the message ''0xf1 0x01 0x00 0x00 0x00 0xfe'' to get device information.
 +The device will reply with a message using the following format (the bytes use little endian order):
 +
 +<code>
 +0xf1 0x01 0x30 0x31 0x31 0x33 0x33 0x37 0x67 0x14 0x00 0x00 0x00 0x32 0x00 0x00 0x00 0x00 0x03 0x00
 +</code>
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''f1 01'' | constant | header |
 +| 2-7 | ''30 31 31 33 33 37'' | ASCII | device's serial (here 011337) |
 +| 8 | ''67'' | nibbles | firmware version (here 6.7) |
 +| 9-12 | ''14 00 00 00'' | uint32 | number of times the device has run (here 20) |
 +| 13-14 | ''32 00'' | uint16 | current threshold for recording, in mA (here 50 mA) |
 +| 14-17 | ''00 00 00 00'' | float | energy recorded for this group, in Wh (here 0). note: the data overlaps with the previous field |
 +| 18 | ''03'' | uint8 | current recording group number (here 3 + 1 = 4) |
 +| 19 | ''00'' | constant | trailer |
 +
 +The device then sends measurements for a bit of time.
 +To keep the device sending measurements, send periodically the following message:
 +
 +<code>
 +0xf1 0x02 0x00 0x00 0x00 0xfe
 +</code>
 +
 +A complete measruement set is comprised of 5 messages.
 +But each message includes the voltage and current measurements, providing a higher time resolution for these values.
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 01'' | constant | header form message 1 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10-13 | | float | D+ voltage, in V |
 +| 14-17 | | float | D- voltage, in V |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 02'' | constant | header form message 2 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10-13 | | float | internal temperature, in °C |
 +| 14-17 | | float | external temperature (from USB probe), in °C |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 03'' | constant | header form message 3 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10-13 | | uint32 | on time, in s |
 +| 14-17 | | uint32 | recording time, in s |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 04'' | constant | header form message 1 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10 | | int8 | acceleration value, X-axis |
 +| 11 | | int8 | acceleration value, Y-axis |
 +| 12 | | int8 | acceleration value, Z-axis |
 +| 14-17 | | uint32 | recording time, in s |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 01'' | constant | header form message 1 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10-13 | | float | recorded charge, in Ah |
 +| 14-17 | | float | recorded energy, in Wh |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +when the device is unresponsive, the Bluetooth app sends the following message (with some data instead of the 00):
 +
 +<code>
 +0xf1 0x03 0x00 0x00 0x00 0xfe
 +</code>
 +
 +I did not take time to reverse this since I got the measurements I was looking for.
web-u2.txt · Last modified: 2019/09/30 13:49 by kingkevin