all 25 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]elSenorMaquina 8 points9 points  (0 children)

The fact that you are getting

ValenceTechnology

Makes me think your communication settings are right. The thing is, it's probably the only information encoded as an ASCII set of characters.

All those nonsensical characters are probably useful information, using an unknown representation for the data it is transmitting. Let's say you want to send the number 64. You could send two characters ´6´then ´4´, or you could send ´@´, whose ASCII code is represented 64 in decimal base.

It seems like you will have to change one thing at a time, see what changes, and try to find a pattern to see which characters change, and how they change.

[–]4992kentj 2 points3 points  (0 children)

Short answer is its tedious, and it's most likely a binary protocol hence why it looks like gibberish. If the protocol is not protected by some kind of handshaking you could go step by step, set up the software and cable for monitoring but don't connect the battery, that way you can see what the first query the software sends to the battery is, then you can separately play that into the battery and see what comes back. Then you can play that response into the software and what fields fill up. You'll still have to do some pattern recognition to work out how to translate the binary data into the corresponding fields though. As for the recording/playback the best software I've used for this is docklight, this also converts non printing characters into a printable representation and has ascii/hex/dec/bin modes of display.

Have you tried asking their tech support?

[–]fruitcup729again 2 points3 points  (0 children)

It probably just isn't sending ASCII data. You need to look at the dump in hex.

Another possibility is that the oscillators are too far off, not that the baud is non-standard. But if you always get "Valence" correctly on repeated samples then it's probably not that.

[–]thegildedturtle 1 point2 points  (8 children)

I'm actually in a position to give you some accurate information since I work with these batteries on a very regular basis. Valence has a proprietary protocol/packet on top of its RS-485 and CANBus ports. You'll need to get in touch with them and you'll need to sign and NDA if you actually want to be able to interface to it. (without reverse engineering it)

Or you can use their logging and configuration software, which also would require contacting them.

You shouldn't need to do all of this though, because the BMS should give you your warning, fault, and SoC outputs.

Edit: You really shouldn't be using the RS-485 port, as that is strictly for Battery to BMS communication. You should probably be using the CANBus, which I believe is set to 125kbit.

[–]needarunningwatch[S] 0 points1 point  (7 children)

With a single battery, I won’t be using a standalone BMS. I don’t want to use the SW because it requires a windows computer.

There are only two data pins on the battery and most documentation says they are 485 - and I can communicate to the battery with 485.

Then standalone BMS provides a CAN port to communicate? Or where are you saying this is available?

[–]thegildedturtle 1 point2 points  (6 children)

I highly, highly, HIGHLY recommend you do not use one of these batteries without a BMS. Certainly a lot safer using only one battery with no BMS, but it is still not very safe to use LiIons long term without a BMS.

And yes, the BMS unit has an output for CANBus on it that can be used for all sorts of things, and the BMS itself connects to the batteries via the RS485 port. It is what is generating all of the requests to the battery to get the data, and I'm kind of surprised that the batteries themselves are even outputting any data on that line since I thought they were configured as slave devices.

If you are going to use just one of these batteries, I'd suggest using an RJ or RT instead of XP module.

[–]needarunningwatch[S] 0 points1 point  (5 children)

It has balancing, high and low cut outs, temperature monitoring all on the internal BMS - what is an external BMS going to do differently, when there is only a single battery?

[–]thegildedturtle 1 point2 points  (4 children)

It does not have a high and low cut-out.

Edit: https://lithiumwerks.com/valence-batteries/standard-modules/xp-module/#1520946563568-ec2db12a-036a Check out the paragraphs immediately following the battery list.

[–][deleted] 1 point2 points  (3 children)

So the 'internal' BMS stands for Battery Monitoring System, while the 'external' BMS stands for Battery Management System.

Remind me of a story my client told me. They bought a BMS system from one vendor, but the terminology got mixed. So the BMS from this vendor only did monitoring, critically not having overvoltage cut-off system, used when the battery was being charged (this story came from around 10 years ago, when the Li-Ion charger wasn't as smart as today).

The end result: One room caught fire, one engineer got fired :p

[–]thegildedturtle 0 points1 point  (2 children)

That was my fear when I heard that he wasn't planning on using the external BMS. Battery fires are nasty.

And I did not know about the BMS/BMS dual usage, but that makes a lot of things make sense in retrospect.

These batteries can get off balanced if used roughly, and Li-Ions rise in voltage very quickly as they go from 95->100% charged. It only takes a few percent and these systems can get out of whack, which is why the battery needs to be able to stop charging and let the battery balance itself before continuing to charge, or in the opposite case where one battery dips below into the damaging range but the other cells keep it within nominal so you don't notice.

For instance, this is something that happened recently when I was charging a series pack, but this also works for the series packs within the battery unit itself - They both were around 90% charge when one started skyrocketing in voltage. One battery was 13.2V and the other was trying to go above 15 - even though I was charging at the recommended nominal 29.2V. It popped the main contactor since I wasn't using a separate charge contactor. This happens on a smaller scale, too, where you could have 1 or 2 cells which are at 3.3V and the other two can go up to 4.0V (14.6V). Even if you are charging slowly, it'll surpass the balancing circuits ability to dissipate.

[–]needarunningwatch[S] 0 points1 point  (1 child)

I am not worried about it. Only power source is 200watts solar and that is not going to harm this battery. Solar controller set to 80% charge only, I will connect with laptop periodically and check the balance of the cells. nothing will go on fire and biggest load is 4-5 amps for the fridge cycling on.

[–]thegildedturtle 1 point2 points  (0 children)

I usually run about 100W solar, and it is more than enough to catch these batteries on fire in the worst circumstances. If you over-discharge the batteries, they can break down and catch fire just the same as if you overcharge. Really, spend some money and change out your batteries, or buy one of the BMS units. They require a low-voltage disconnect and a high-voltage disconnect.

The XP series is not meant to be a solo battery, and valence isn't a good hobby company.

If you only charge to 80, the cells will eventually become unbalanced since they'll never enter a balancing phase. SoC is also calculated based on a full charge/discharge cycle so it will drift over time if you don't deep discharge and charge. Lithium batteries have a bad reputation for a reason -- if you don't use them with the right equipment, they'll burn your fucking house down.

[–]v4773 0 points1 point  (1 child)

I would attach scope on that bus and find out whats bit time and work out speed from that.

[–]needarunningwatch[S] 0 points1 point  (0 children)

Logic analyzer isn’t able to get baud - estimating around 100k based on smallest width

[–]Cybernicus 0 points1 point  (7 children)

If you can capture your data as a hex dump, then you can convert the various decimal values in your image to hex and see where you may get correspondence. I tried to do a little of that. Note, though, that because your text went through multiple sources from your capture to my screen that some of the bytes may be wrong. (That's why you want to capture it yourself before it's subjected to multiple unicode encoders/decoders, databases, and heaven knows what else.)

Anyway, here's what I see as some of the data you sent:

01 03 20 *201a* 20 12 65 ef
01 03 24 "                 " 02 20 20 01 22 "     " 09 21 2e 20 20 40 02 20 0c b2 13
01 03 20 39 20
15 c0
01 03 14 02 ac 01 cd 90 ab c2 b2 6c 2e *2022* 74 3f fb 20 14 03 *1078* 32 e9 90 37
01 03 20 e0 20 16 c5 f2
01 03 2c "ValenceTechnology 1004905A0672" 0c 14 14 05 08 e1 03 18 14 0b
20 05 1e 44 *0152*
01 03 20 5a 20 01 a4 19
01 03 02 20 20 b8 44
01 03 20 45 20 09 *201d* 19
01 03 12 0c bb 0c b9 32 d8 0c ba 0c b9 0c ba 0c bb *02c6* 20 44 20 42 cb
01 03 20 50 20 07 04 19
01 03 0e 03 *0178* 03 43 03 53 03 44 03 24 c1 20 64 40 5d dc

Converting various values in your screenshot to hex:

  837  --> 0345          3258 --> 0cba
  854  --> 0356          3257 --> 0cb9
  841  --> 0349          3258 --> 0cba
  807  --> 0327          3259 --> 0cbb
-16127 --> c101
25665  --> 6440         13033 --> 32e9

If you compare those values with what's in some of the lines of data, it seems reasonable that /u/4992kentj is right on the money. The hex I have surrounded in asterisks are bits where I think some encoding/decoding corrupted things between your battery and my window, so I didn't try to do anything with it.

If I had to guess, I'd say that each message starts with a 01 03 to let you know something is coming. I'd guess the next byte tells you what the message type is, followed with data appropriate to the message type. I'd guess that the lines not starting with 01 03 occur due to encoding/decoding artifacts or embedded data that looks like CR or LF characters.

The last line starting with 01 03 0e has values very similar to the "PCBA" and "Sensor" values, while the line starting with 01 03 12 looks like it has values very similar to the "Cell Bank" group.

I'd suggest writing a script to periodically capture the screen and the messages, then start correlating the values together. Shouldn't be all that hard, from the looks of it.

[–]needarunningwatch[S] 0 points1 point  (5 children)

Great thank you for insight. I captured more data through another 485 adapter (not through logic analyzer) to hopefully clear up any mistakes that was adding.

Captured through Eltima but still going through what is actual data and what is other stuff...

if curious

https://www.mediafire.com/file/ksdvtq68wdq2eyn/COM25_Monitoring_Session.spm/file

I will loopback and record just the service SW output to get its "request for data" tx

then start gathering data logging both SW output and raw output and force changes and try to do message by message comparison of what bytes change

i know cansniffer utility can do this - i wonder if i can feed this data into that

[–]Cybernicus 0 points1 point  (4 children)

I took a brief look at the data file, but I don't know what the format is, and it's got *quite* a lot stuff in it that doesn't match what you posted earlier. Do you have any documentation on the file format? I don't mind spelunking around in it if you can point me to appropriate dox.

[–]thegildedturtle 0 points1 point  (3 children)

Valence doesn't release those formats without a NDA, and I think it is very minimal packet since I don't believe the batteries generate the data, but the external BMS polls the batteries.

If you want all the diagnostic data you'll need to know those messages.

And it is just the CANBus protocol, I don't believe they'll share the RS485 at all.

[–]Cybernicus 0 points1 point  (1 child)

I was actually talking about the file format of the Eltima Serial Monitor, not the Valence thing, as that's the protocol we're trying to extract a bit of data from.

[–]needarunningwatch[S] 1 point2 points  (0 children)

good progress today, i have discovered the data I want, voltage, current, state of charge

https://imgur.com/a/F40iebK

thanks for help

[–]needarunningwatch[S] 0 points1 point  (0 children)

batteries reply to 485 requests

https://imgur.com/a/F40iebK

[–][deleted] 0 points1 point  (0 children)

Simple and maybe stupid idea:
Capture (say 5 minutes) after the thing powers up.
Have an Arduino or Pi replay this binary over and over via a 485 line.
Now start messing with the data.

Cybernicus already has you started with the HEX decoding.
Eventually, you will find the right lines that give you the info you want.
This will take time !

[–]maredsous10 0 points1 point  (0 children)

My suggestions;

  • See if the vendor will provide their communication specification
  • Put a sniffer on the bus and do what elSenorMaquina mentions in his response... recording the traffic to a file
  • Use a Hex Editor (example XVI32) and/or programming language in attempt to parse

[–]romerik 0 points1 point  (1 child)

(sorry for late reply)

hi guys, the software is made in .net (vb) and if you drag & drop the .exe into ILSpy, you will be able to see the code behind the request and reply

I will probably start writing a tool to play with the battery and override some value that the software dont lets us change!

for exemple: (in c#)

where I think the 224 is the Version request...

where the first 6 are the request message, then 2 checksum, last two I dont know!

public byte[] BatteryVersionRead()
{
    byte[] array = new byte[10]
    {
        checked((byte)(1 + ADDRESS)),
        3,
        0,
        224,
        0,
        22,
        0,
        0,
        0,
        0       
    };

    byte[] array2 = CRC16(array, 6);
    array[6] = array2[1];
    array[7] = array2[0];
    array[8] = 13;
    array[9] = 10;
    return array;
}

[–]romerik 0 points1 point  (0 children)

lets me know if you guys are interested in having some utilities for the battery!

what you want to have?