Posts tagged: engineering

Analysing pv’s attempt to work with CMS-5000

There’s a library I wrote a little while ago that was designed to interact with some photovoltaic inverters via the serial port. It was written based on captured communication between the official ProControl software

Reader contribution

Simon’s tried out my code to see if it’ll work on a newer inverter, the CMS-5000. Unfortunately the library as it stands doesn’t quite work. So let’s take a closer look at the packets:

First we reset the inverter:

SEND -> aaaa 0100 0000 0004 00 0159

Discover inverters:

SEND -> aaaa 0100 0000 0000 00 0155

RECV <- aaaa fe00 0000 0080 0a 52353634363033303631 04fd OK

Mostly OK so far, but something that strikes me is that the first byte (0xFE) of what I assumed to be the source address seems to have some other significance (it’s not 0x0000). Moving on…

Register the inverter with address “0001”:

SEND -> aaaa 0100 0000 0001 0c 523536343630333036310001 0384

The inverter acknowledges

RECV <- aaaa fe01 0000 0081 01 06 02db OK

So even though the first byte of the address 0xFE is incorrect, things still seem to be working.

Now we try to find what status fields the inverter gives:

SEND -> aaaa 0100 0001 0101 00 0158

RECV <- aaaa fe01 0000 0181 01 15 02eb OK

This bit here is the interesting bit. First (if my assumptions about the comms protocol were correct), the inverter only gives 2 fields: 0x01 and 0x15. That’s very few compared with the ones I’ve seen before. Not only that, but we don’t yet know what the field 0x15 is for. Basically I assumed that the reply I get is a listing of the status fields, but instead I get something else.

So let’s query the inverter for its status:

SEND -> aaaa 0100 0001 0104 00 015b

RECV <- aaaa fe01 0000 0184 12 05dc003c071c0abe1290139a009900e8034a 080f OK

So here we have the full status update from the inverter. We can’t decode what it’s saying, because it doesn’t quite match the status field query. This is why the pv library is failing to interpret this packet based on the received structure that was supposedly just 2 fields long.
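The frames above all fit one layout, which this added example (not part of the pv library) assumes: a 0xAAAA sync word, 16-bit source, destination and command fields, a one-byte payload length, the payload, and a 16-bit checksum equal to the sum of all preceding bytes. The field names and the split of the status payload into 16-bit words are assumptions for exploration; no meaning is assigned to the values.

```python
import struct

SYNC = b"\xaa\xaa"

# Frames copied from the capture above (direction markers and "OK" removed).
CAPTURE = {
    "discover_reply": "aaaa fe00 0000 0080 0a 52353634363033303631 04fd",
    "register_ack":   "aaaa fe01 0000 0081 01 06 02db",
    "fields_reply":   "aaaa fe01 0000 0181 01 15 02eb",
    "status_reply":   "aaaa fe01 0000 0184 12 "
                      "05dc003c071c0abe1290139a009900e8034a 080f",
}

def parse_frame(hex_text):
    """Split one frame into fields, rejecting bad sync, length or checksum."""
    raw = bytes.fromhex("".join(hex_text.split()))
    if len(raw) < 11 or raw[:2] != SYNC:
        raise ValueError("too short or missing 0xAAAA sync")
    # Assumed layout: source, destination, command (16-bit each), length byte.
    src, dst, cmd, length = struct.unpack(">HHHB", raw[2:9])
    if len(raw) != 9 + length + 2:
        raise ValueError("length byte disagrees with frame size")
    (checksum,) = struct.unpack(">H", raw[-2:])
    if sum(raw[:-2]) & 0xFFFF != checksum:
        raise ValueError("checksum mismatch")
    return {"src": src, "dst": dst, "cmd": cmd, "payload": raw[9:9 + length]}

def as_words(payload):
    """View a payload as big-endian 16-bit words (an assumption, not a decode)."""
    if len(payload) % 2:
        raise ValueError("odd payload length")
    return list(struct.unpack(">%dH" % (len(payload) // 2), payload))

if __name__ == "__main__":
    for name, text in CAPTURE.items():
        f = parse_frame(text)
        print(name, hex(f["src"]), hex(f["cmd"]), f["payload"].hex())
    print(as_words(parse_frame(CAPTURE["status_reply"])["payload"]))
```

Under this assumed layout the 0x0181 reply parses as a length byte of 0x01 followed by the single payload byte 0x15, and the 0x0184 status reply carries 0x12 payload bytes.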

What does this mean?

At the most basic level, there are a few assumptions and generalisations that I’ve made which turned out to be inaccurate, hence it’s not working for a different model inverter.

What we’d need now is a capture of the raw communication between the official monitoring software and the inverter to get a better understanding of what’s going on.

pv – a Python library to monitor/control PV Inverters

After having the solar electricity system installed, I can monitor the energy output of the inverter using Pro Control. However, because the software runs on Windows, I’d have to have a PC turned on just for that purpose wasting quite a bit of energy. So, my goal is to use a low-power embedded Debian box (which is usually on) to do the monitoring. Instead of just writing an application to do the job, I’ve decided to write a library others can use to write their own custom logging software.

pv can be found at http://pv.codeplex.com/, and should work for you if you have a Carbon Management Solutions CMS-2000 or Schneider Electric SunEzy 600E (judging from a sample protocol exchange).

I’ll have to give full credit to the folks at http://www.solarfreaks.com/cms2000-inverter-rs232-serial-port-hack-cms-2000-rs232-t271.html who did the initial work on reverse engineering the communication protocols. Building on what has already been done on working out the protocol, and doing a bit of reverse engineering myself, the library supports sending arbitrary data frames for further exploring, as well as the known protocols.


Study notes for ELEC5616 Computer and Network Security

After a bit of distraction, my study notes for ELEC5616 Computer and Network Security are finally finished and have been posted. As usual, they’re up on my Sydney Uni page.

The AT&T 3G MicroCell is actually a Femtocell

What were those marketing folks thinking? Seriously, this got me jumpy. I think many other telecommunications engineers would be jumpy at this naming too.

AT&T, a US telecommunications provider, recently announced a product called “3G MicroCell” that promises better signal strength at 3G data speeds. Essentially, it’s a wireless access point that plugs into the internet but instead of giving out WiFi, it gives out mobile phone signals. It’s the US way of fixing their rather patchy mobile service.

While people think that it is magic that gives full bars of mobile phone reception with the product, it’s actually worth noting that the concept has been around for a while. What’s more, this strategy for cellular expansion is actually called “femtocell”. That’s right, not micro-, not nano-, not pico- but femto-.

To clarify things a bit, the reason why calling this a “MicroCell” is bad is because a microcell is actually almost like a regular mobile phone cell tower (except it’s smaller and has less range) that is put in places where calls tend to be congested in order to give it a bit more capacity. The thing that plugs into your home broadband is way too small to be even considered being called a microcell.

Different computing degrees are similar yet distinct

I have been thinking about the different computing undergraduate degrees offered at Sydney University: software engineering (SE), computer science (CS) and information technology (IT). Each of these is offered by a different department: School of Electrical and Information Engineering, Faculty of Science, and School of IT respectively.

So here’s what I think are the differences between them:
