Sunday, October 2, 2016

RS-485 Anti-theft system commands

Some of you may have read one of my previous posts, where I tried to interpret the keypad print command.
If you did, well, some of the interpretations I wrote there were wrong.
This post is a second attempt to interpret the dialogue exchanged between the main board and the keypad.

After some research and testing, I came up with the following, which, if it is not the exact frame format, is very close to it.


Each device connected to this bus seems to follow this rule for the format of the frames it produces.


Length is the first byte of each frame. It appears to be one byte long, which also means that a frame cannot be larger than 258 bytes including the length and checksum bytes. This does not seem to be a limitation in practice: in all the traffic I watched, no frame was longer than 25 bytes.


ADDR is the bus-level address of the device. A few facts I noticed about the ADDR field:
  • The address 0x00 seems to be reserved for the main board. All devices, when queried, simply answer to this address.
  • Keypads range from 0x10 to 0x1f (on the PCB of each device there are 4 DIP switches which can be used to select the low-order four bits). The master keypad on the actual system must have the 0x10 address. In fact, the main board appears to send bytes directly to this address during normal operation.
  • The RFID readers seem to be in the 0x50 to 0x5f range.
  • There seems to be some sort of multicast address range, probably from 0xf0 to 0xff. It is not clear how this works, but when the main board starts it seems to query 0xff. It also appears that 0xfe must be some sort of multicast directed to keypads. The keypad I have does not seem to recognize this kind of address, by the way.
CMD is where you tell the addressed device what you want it to do. Every device has its own set of mapped functions; they are not discussed in this section.

DATA is the field where the command data, if any, is placed. Not all commands carry data, and when they do, its content depends on the command.

Checksum is a redundancy code that guarantees the integrity of the frame. It is calculated over the whole frame excluding the length field, which is not included in the sum. I also determined that this particular checksum can be calculated by adding all bytes into a 16-bit integer and then folding the 16-bit accumulator into an 8-bit value. For example, this frame tells a keypad to print the string "Hello World!" on the upper line of the display: 1310140048656c6c6f20776f726c64212020202006. The checksum is the last byte of the string and is calculated as:
16bitsum(10+14+00+48+65+6c+6c+6f+20+77+6f+72+6c+64+21+20+20+20+20) = 0501
8bitsum(05+01) = 06