CuVoodoo

the sorcery of copper

User Tools

Site Tools


web-u2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
web-u2 [2019/09/09 18:28]
kingkevin remove support
web-u2 [2019/09/30 13:49] (current)
kingkevin [Bluetooth Serial] add git
Line 26: Line 26:
  
 The [[http://www.witrn.com/|official website]] is rather empty. The [[http://www.witrn.com/|official website]] is rather empty.
-It only point to the user guide  and software (with broken link).\\+It only points to the user guide  and software (with broken link).\\
 Instead they recommend to follow the QQ group 313755927. Instead they recommend to follow the QQ group 313755927.
  
Line 84: Line 84:
 ==== WITRN U2 V2.0 ==== ==== WITRN U2 V2.0 ====
  
-Because the clone was bricked, I got a genuine replacement.+Because the clone got bricked, I got a genuine replacement.
  
 {{:u2:witrn-u2_device_front.jpg?0x200|}} {{:u2:witrn-u2_device_front.jpg?0x200|}}
Line 132: Line 132:
   - [[https://www.fujitsu.com/downloads/MICRO/fsa/pdf/products/memory/fram/MB85RC16-DS501-00001-8v0-E.pdf|Fujitsu MB85RC16]] I²C FRAM: to store the settings and energy measurements   - [[https://www.fujitsu.com/downloads/MICRO/fsa/pdf/products/memory/fram/MB85RC16-DS501-00001-8v0-E.pdf|Fujitsu MB85RC16]] I²C FRAM: to store the settings and energy measurements
   - [[https://www.st.com/en/microcontrollers-microprocessors/stm32f072cb.html|ST STM32F072CBT6]] ARM Cortex-M0 micro-controller: the brain of the device   - [[https://www.st.com/en/microcontrollers-microprocessors/stm32f072cb.html|ST STM32F072CBT6]] ARM Cortex-M0 micro-controller: the brain of the device
-  - UART pins: to connect to the AT-09 Bluetooth module (with TI CC2541 chip). pinout, beginning with square pin: 3.8V GND RX TX+  - UART pins: to connect to the AT-09/HM-10 Bluetooth module (with TI CC2541 chip). pinout, beginning with square pin: 3.8V GND RX TX
 ===== Software ===== ===== Software =====
  
Line 161: Line 161:
 ==== USB HID ==== ==== USB HID ====
  
 +When connected to USB, it appears as an {{ :u2:usb_hid.txt |HID}} (Human Interface Device).\\
 +When powered while pressing on the OK button, it will boot in the DFU (Device Firmware Upgrade) mode, which allows flashing the firmware.
 +But it is still an {{ :u2:usb_dfu.txt |HID}}, and does not use the DFU profile specified by USB.
 +
 +I've partially reversed the HID communication:
 +  * the messages exchanged are 64 bytes long
 +  * the host (e.g. software) starts by sending a message. Here an example of message sent (captured from the software):
 +<code>
 +"\xff\x55\x58\x8a\x13\x79\x06\x57\x1a\x01\x0a\x02\x00\x00\x00\x00" \
 +"\x5e\x00\x00\x00\xff\x55\x2f\xb2\x8b\xdc\x5a\xd4\x1a\x2c\xa4\x00" \
 +"\xa4\x40\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x74\x21\x4f\x40\x75" \
 +"\x23\x19\x40\x75\xcc\x01\x01\x00\x02\x04\x00\x00\x5e\x00\xe7\x06";
 +</code>
 +  * this will cause the device (e.g. U2) to send measurements. Since it will only send a couple of messages, keep sending the message every couple of milliseconds (can be the same). Here an example measurement reply:
 +<code>
 +ff 55 13 b4 7f bf 50 ef 1a 2c d7 63 a0 40 0e 74 da 39 0e 74 da 39 0e 74 da 39 bb dd 08 3b 33 33 53 40 74 a8 6d 3c fe 98 f7 41 d2 34 91 c2 14 ae a0 40 0e 74 da 39 00 00 00 00 00 00 00 00 16 ae 
 +</code>
 +
 +here how to decode the measurements:
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''ff 55'' | constant | probably a fixed header |
 +| 2 | ''13'' | integer | number of second |
 +| 3 | ''b4'' | integer | super fast incrementing number (but not related to other bytes) |
 +| 4 | ''7f'' | integer | fast incrementing number (but not related to other bytes) |
 +| 5 | ''bf'' | integer | incrementing number (but not related to other bytes) |
 +| 6 | ''50'' | integer | 1/100th of byte 5 |
 +| 7 | ''ef'' | integer | slow incrementing number (but not related to other bytes) |
 +| 8-9 | ''1a 2c'' | constant | separates timing form measurement values |
 +| 10-13 | ''d7 63 a0 40'' | float | VBUS voltage, in V (e.g. 5.0122 V) |
 +| 14-17 | ''0e 74 da 39'' | float | VBUS current, in A (e.g. 0.0004 A) |
 +| 18-21 | ''0e 74 da 39'' | float | VBUS current, in A (seems the same as previous current) |
 +| 22-25 | ''0e 74 da 39'' | float | VBUS current, in A (sometimes slightly different for the other values, but I don't know why) |
 +| 26-29 | ''bb dd 08 3b'' | float | VBUS power, in W (e.g. 0.0021 W ) |
 +| 30-33 | ''33 33 53 40'' | float | D+ voltage, in V (e.g. 3.3000 V) |
 +| 34-37 | ''74 a8 6d 3c'' | float | D- voltage, in V (e.g. 0.0145 V) |
 +| 38-41 | ''fe 98 f7 41'' | float | In temperature (internal), in °C (e.g. 30.95 °C) |
 +| 42-45 | ''d2 34 91 c2'' | float | Ex temperature (external, from IN Micro-USB probe), in °C (e.g. -72.60 °C, because not connected) |
 +| 46-49 | ''14 ae a0 40'' | float | VBUS voltage (differs from first value, but I don't know how), in V (e.g. 5.0212 V) |
 +| 50-53 | ''0e 74 da 39'' | float | VBUS current (sometimes slightly different for the other values, but I don't know why), in A (e.g. 0.0004 A) |
 +| 54-61 | ''00 00 00 00 00 00 00 00'' | constant | seems always 0 |
 +| 62 | ''16'' | integer | checksum (addition of bytes 8-61) |
 +| 63 | ''ae'' | integer | checksum (addition of bytes 0-61) |
 +
 +There are other messages to get the device's serial number and firmware version, but I did not reverse those.
 +
 +I've implemented a software (C program for Linux) to read to measurements over USB and output it as CSV.
 +You can find it in the [[https://git.cuvoodoo.info/web-u2/about/|git]].
 ==== Bluetooth Serial ==== ==== Bluetooth Serial ====
 +
 +The Qway has an optional Bluetooth module.
 +This allows getting the measurement without physical connection (e.g. the USB HID port).
 +You can use the [[#resources|Android app]] to communicate with the device.
 +
 +I reversed the protocol so I can get the raw data myself.
 +Scan for Bluetooth (Low Energy) devices and look for one named ''QWAY_U2_xxx'', with ''xxx'' being the device's serial number.
 +There is no need to pair with the device.
 +You can directly connect to it.
 +Data is then exchanged using the GATT characteristic ''0000ffe1-0000-1000-8000-00805f9b34fb''.
 +
 +On the [[#hardware|hardware side]], the Bluetooth board uses a [[http://www.martyncurrey.com/hm-10-bluetooth-4ble-modules/|HM-10 module]] (with TI CC2541 chip) to send the measurement over Bluetooth Low Energy.
 +The main board is connected to the Bluetooth board using spring contacts and uses UART to communicate with the module (at 115200 bps).
 +
 +First send the message ''0xf1 0x01 0x00 0x00 0x00 0xfe'' to get device information.
 +The device will reply with a message using the following format (the bytes use little endian order):
 +
 +<code>
 +0xf1 0x01 0x30 0x31 0x31 0x33 0x33 0x37 0x67 0x14 0x00 0x00 0x00 0x32 0x00 0x00 0x00 0x00 0x03 0x00
 +</code>
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''f1 01'' | constant | header |
 +| 2-7 | ''30 31 31 33 33 37'' | ASCII | device's serial (here 011337) |
 +| 8 | ''67'' | nibbles | firmware version (here 6.7) |
 +| 9-12 | ''14 00 00 00'' | uint32 | number of times the device has run (here 20) |
 +| 13-14 | ''32 00'' | uint16 | current threshold for recording, in mA (here 50 mA) |
 +| 14-17 | ''00 00 00 00'' | float | energy recorded for this group, in Wh (here 0). note: the data overlaps with the previous field |
 +| 18 | ''03'' | uint8 | current recording group number (here 3 + 1 = 4) |
 +| 19 | ''00'' | constant | trailer |
 +
 +The device then sends measurements for a bit of time.
 +To keep the device sending measurements, send periodically the following message:
 +
 +<code>
 +0xf1 0x02 0x00 0x00 0x00 0xfe
 +</code>
 +
 +A complete measruement set is comprised of 5 messages.
 +But each message includes the voltage and current measurements, providing a higher time resolution for these values.
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 01'' | constant | header form message 1 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10-13 | | float | D+ voltage, in V |
 +| 14-17 | | float | D- voltage, in V |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 02'' | constant | header form message 2 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10-13 | | float | internal temperature, in °C |
 +| 14-17 | | float | external temperature (from USB probe), in °C |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 03'' | constant | header form message 3 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10-13 | | uint32 | on time, in s |
 +| 14-17 | | uint32 | recording time, in s |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 04'' | constant | header form message 1 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10 | | int8 | acceleration value, X-axis |
 +| 11 | | int8 | acceleration value, Y-axis |
 +| 12 | | int8 | acceleration value, Z-axis |
 +| 14-17 | | uint32 | recording time, in s |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +^ index ^ byte(s) ^ format ^ meaning ^
 +| 0-1 | ''fe 01'' | constant | header form message 1 |
 +| 2-5 | | float | VBUS voltage, in V |
 +| 6-9 | | float | VBUS current, in A |
 +| 10-13 | | float | recorded charge, in Ah |
 +| 14-17 | | float | recorded energy, in Wh |
 +| 18 | | uint8 | current recording group number, add 1 |
 +| 19 | ''00'' | constant | trailer |
 +
 +when the device is unresponsive, the Bluetooth app sends the following message (with some data instead of the 00):
 +
 +<code>
 +0xf1 0x03 0x00 0x00 0x00 0xfe
 +</code>
 +
 +I did not take time to reverse this since I got the measurements I was looking for.
 +
 +I've implemented a software (C program for Linux) to read to measurements over Bluetooth and output it as CSV.
 +You can find it in the [[https://git.cuvoodoo.info/web-u2/about/|git]].
web-u2.1568046509.txt.gz · Last modified: 2019/09/09 18:28 by kingkevin