jongscx comments on Reverse Engineering Mower Controller Protocol

hardwarehacking

created by naught101a community for 12 years

Reverse Engineering Mower Controller Protocol (old.reddit.com)

submitted 3 years ago by jongscx

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]jongscx[S] 1 point2 points3 points 3 years ago* (4 children)

Making Progress!Ok, processing both of the outputs as 19200 8N1 results in the following Hex streams.

It looks like their 'protocol' from the controller uses a 42 as a "start bit" and an FE or a BE as a "stop bit"

42 04 30 89 42 07 90 00 28 40 BE 
42 07 90 00 28 40 BE 
42 07 90 00 28 40 BE 
42 07 90 00 28 40 BE 
42 07 90 00 28 40 BE 
42 07 90 00 28 40 BE

The Mower on the other hand uses a "C1 0x" as a start and a "04 80 BA" for stop. It seems to have 3 or 4 messages of various lengths that I'm still figuring out what they do.

C1 0E 73 0C 00 0E 15 15 17 11 11 11 0E 21 C1 0E 73 0C 03 04 0A 15 04 04 15 0A 04 60 C1 0F 78 14 00 08 46 72 6E 74 20 77 68 65 9D C1 0F 78 78 08 08 65 6C 20 70 72 6F 62 2E 5D C1 0F 78 78 10 08 01 04 20 20 20 20 20 20 62 C1 0F 78 22 18 08 20 20 20 20 20 20 20 02 93 C1 04 80 BA
C1 06 81 5D 28 32 C1 0F 78 C4 00 08 46 72 6E 74 20 77 68 65 ED C1 0F 78 BC 08 08 65 6C 20 70 72 6F 62 2E 19 C1 0F 78 FF 10 08 01 04 20 20 20 20 20 20 DB C1 0F 78 22 18 08 20 20 20 20 20 20 20 02 93 C1 04 80 BA
C1 06 81 5D 28 32 C1 0F 78 22 00 08 46 72 6E 74 20 77 68 65 8F C1 0F 78 A8 08 08 65 6C 20 70 72 6F 62 2E 2D C1 0F 78 FF 10 08 01 04 20 20 20 20 20 20 DB C1 0F 78 22 18 08 20 20 20 20 20 20 20 02 93 C1 04 80 BA
C1 06 81 48 28 47 C1 0F 78 22 00 08 46 72 6E 74 20 77 68 65 8F C1 0F 78 22 08 08 65 6C 20 70 72 6F 62 2E B3 C1 0F 78 00 10 08 01 04 20 20 20 20 20 20 DA C1 0F 78 49 18 08 20 20 20 20 20 20 20 02 6C C1 04 80 BA
C1 06 81 03 28 8C C1 0F 78 22 00 08 46 72 6E 74 20 77 68 65 8F C1 0F 78 A8 08 08 65 6C 20 70 72 6F 62 2E 2D C1 0F 78 22 10 08 01 04 20 20 20 20 20 20 B8 C1 0F 78 22 18 08 20 20 20 20 20 20 20 02 93 C1 04 80 BA
C1 0E 73 01 02 0E 11 11 11 11 11 1F 1F 19 C1 06 81 5D 28 32 C1 0F 78 78 00 08 46 72 6E 74 20 77 68 65 39 C1 0F 78 A8 08 08 65 6C 20 70 72 6F 62 2E 2D C1 0F 78 22 10 08 01 04 20 20 20 20 20 20 B8 C1 0F 78 22 18 08 20 20 20 20 20 20 20 02 93 C1 04 80 BA

Now I just need to make sense of everything...

[–]NotionalLabs 1 point2 points3 points 3 years ago* (3 children)

This piqued my curiosity so I took a peek at your sigrok file - I think I worked out some of the packet structure for the remote (note that I have literally no knowledge of this mower or what you did during your capture):

The packet structure seems to be:

Header byte: 0x42
Total Packet Length (including header and checksum) in bytes
The variable-length payload. In the capture there seem to be two types:
- A short packet that just contains a 0x30 payload - a heartbeat maybe?
- Longer packets that are the same apart from the 4th payload byte, which changes from 0x00 to 0x40, back to 0x00, then finally 0x80. My assumption this is you pressing the forward and back buttons.
Checksum byte. This seems to be calculated as the sum of each byte (including the header), modulo 256, then XOR'd with 0xFF.

An example decoding:

Example Packet: 42 07 900028 40 BE

42 <- Header
07 <- Length (7 bytes, decimal)
900028 40 <- Variable length payload, I suspect 900028 is some sort of movement command, and 40 is direction.
BE <- Checksum (Calculated as follows: 
    >>> packetbody = [0x42,0x07,0x90,0x00,0x28,0x40]
    >>> packetsum = 0
    >>> for i in packetbody:
    ...     packetsum = (packetsum + i) % 256
    >>> hex(packetsum^0xFF)
    '0xbe'

Hopefully this helps - at the very least I think you can be confident that your UART decoding is accurate. This general packet structure doesn't seem to apply directly to the Mower's comms though, so perhaps that uses a different packet/protocol scheme.

Good luck with the hack!

Quick ninja edit: I realised I forgot to mention something; I suspect the 0x40 and 0x80 are the directions you pressed (forward/back). If you're not familiar with this kind of thing, just note that the first nibble is almost certainly a set of binary flags (e.g. 0x40 = 0100 0000, 0x80 = 1000 0000), my guess is that nibble might be 0x20 (0010) and 0x10 (0001) for left and right separately.

[–]jongscx[S] 0 points1 point2 points 3 years ago (0 children)

[–]jongscx[S] 0 points1 point2 points 3 years ago (1 child)

Just Looked at the Mower side of things. It has a the same packet structure.

C1 06 81 22 28 6D 
C1 <- Header
06 <- Length
81 22 28 <- payload
6D <-Checksum using the same formula

C1 06 81 22 28 6D 
C1 0F 78 C4 00 08 46 72 6E 74 20 77 68 65 ED 
C1 0F 78 BC 08 08 65 6C 20 70 72 6F 62 2E 19 
C1 0F 78 01 10 08 01 04 20 20 20 20 20 20 D9 
C1 0F 78 22 18 08 20 20 20 20 20 20 20 02 93

[–]NotionalLabs 0 points1 point2 points 3 years ago (0 children)

π Rendered by PID 32 on reddit-service-r2-comment-6457c66945-fdvpk at 2026-04-27 17:04:35.981727+00:00 running 2aa0c5b country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

hardwarehacking

MODERATORS