Reverse engineering a serial protocol

Hello guys,

im trying to reverse engineer an ECU / GSU protocol from a model airplane jet turbine, in order to make a telemetry adapter.
i have decoded several other protocols in the past with good success but this one is extra stubborn and so i thought i would ask for assistance.

im using a logic analyser to read the data and help decode the protocol.

the ECU uses a LIN interface but on a proprietary protocol unknown to me. in order to read it i am using an Arduino with a level shifter, and i verified the incoming data is correct.

When ECU is stand alone, it send several strings which appear to be interogations for bus nodes, but nobody is replying obviously.
one of these interogations can be seen in the attachment: ecu only.
the string is:
0x0A
0x00
0x00
0x00
0x00
0x0A

when i sniff the lines as i plug in the GSU there is a reply, which i assume is coming from the GSU, see attachment: ecu+gsu.

the result looks like this:
0x0A
0x00
0x00
0x00
0x00
0x0A

0x8A
0x80
0x8A
0x80
0x80
0x94

after this there is another string (which was not transmitted without GSU) of data - this is the string i need to read.
see attachment: ecu+gsu+reply

so to try and recreate a similar condition, im using ardu to transmit the reply above, but the ECU is not sending any data after it. i guess its possible the following string comes part from the GSU (interogation) and part from the ECU(reply) - how can i verify that? i tried transmitting any part of it on the bus with timing close to the gsu behaviour, but no luck in getting the ECU to reply.

see attachment: ecu + ardu.

any advicer on how to proceed from here?
thanks in advance.

ECU only.PNG

Looking at the sniff in decimal numbers, its clearly visible the ECU sends the following strings:
10 0 0 0 0 10
20 0 0 0 0 20
30 0 0 0 0 30
40 0 0 0 0 40

and when GSU is connected the reply is after the “10” string. see attachment.
when Ardu is used, the ECU just jumps to the next string (20).

decimal.png

i3dm:
the ECU uses a LIN interface but on a proprietary protocol unknown to me. in order to read it i am using an Arduino with a level shifter, and i verified the incoming data is correct.

Are you sure it's using LIN?

LIN is a master/slave protocol in which case is your ECU the master or slave in the network?

i was told by several its a LIN interface. havent opened it to check out the HW.
not sure about master / slave.
why should it matter?

i3dm:
why should it matter?

you tell me.

if your ECU is the slave then all you need is to ONLY replicate the Master requests (as in the case of i2c, for example). if, on the other hand it is the Master then you need to know what responses it expects to its requests.

so if it was me, to understand the communication flow, I would put a bridge between GSU and ECU to get a better image of how messages are passing.

btw looking at the data you shared, I have my doubts about the protocol being LIN.

if you sniff a LIN bus using a serial interface you should normally be seeing something like this for every new data frame: 0x00, 0x55, data1, data2…, next frame 0x00, 0x55, data1,… and so on…

it’s probably just serial over one wire… is this still related to your other 9bit serial post?

no it is not related to the 9 bit post. different ECU.

in my original post i mentioned its probably LIN hardware with a proprietary protocol. thats what i was told at least.
it might also just be a single wire UART but the voltage levels do match LIN (0-10v signal).

and about the master slave, what do you mean a bridge between ecu and gsu? can you elaborate?

my logic analyser is sitting on the bus itself, so im seeing transmissions of both the ECU and GSU, and trying to replicate the same. thats exactly where im having trouble.

if i had to guess this would be the protocol from what i can see:

ECU is polling the bus to see if an external unit (i.e GSU) is connected.
10 0 0 0 10 message is read by GSU and GSU responds.
ECU now knows there is a GSU on the line and sends data.

this seems to be not standard LIN.

i3dm:
and about the master slave, what do you mean a bridge between ecu and gsu? can you elaborate?

This is what I mean:

Untitled.png

A bridge (or gateway) basically lets messages pass through in either direction but would also allow you to see where the messages are coming from (ie either from ECU or GSU).

Untitled.png

thank you.
do you have a part number to a bridge component? how is it implemented?
where can i learn about it?

i3dm:
thank you.
do you have a part number to a bridge component? how is it implemented?
where can i learn about it?

If you have a Mega, all you need to do is code it to behave as a serial bridge. e.g:

Serial.begin //for serial monitor
Serial1.begin //ECU
Serial2.begin //GSU

if(Serial1.available()){
data = Serial1.read()
Serial2.write(data);
Serial.print(data);
}

if(Serial2.available()){
data = Serial2.read()
Serial1.write(data);
Serial.print(data);
}

Or course you could add more text on your serial monitor show Rx/Tx direction for example! :wink:

i dont have a mega. only an uno or nano. so not enough UART channels. i may be able use sw.serial though.

i still dont understand, since this is a single wire UART, each byte in the Rx buffer can come from either the ECU or GSU? how do you solve that?

i3dm:
i dont have a mega. only an uno or nano. so not enough UART channels. i may be able use sw.serial though.

i still dont understand, since this is a single wire UART, each byte in the Rx buffer can come from either the ECU or GSU? how do you solve that?

yeah...you would need some extra hardware do that.

had a think about the comms and from the data you share originally maybe this is what you need to send:

wait for ECU to send 0x0A 0x00 0x00 0x00 0x00 0x0A
Arduino to transmit 0x8A 0x80 0x8A 0x80 0x80 0x94 //did that already I believe
3ms (approx) later Arduino to transmit 0x0A // this is the extra bit

any ideas for an implementation for single wire UART?

i3dm:
any ideas for an implementation for single wire UART?

I guess you can used a LIN driver IC (e.g ATA6663) for that or if have a look at this link Figure 1, 2a, 2b, you may get a few more ideas to build a UART to 1-wire bus adapter

https://www.maximintegrated.com/en/app-notes/index.mvp/id/214

did a bit more experimenting.
in order to determine which unit is transmitting what, i have added a serial 50ohm resistor on the signal line between the units and was expecting to see a voltage swing from positive to negative.

instead, this is what im getting with both arduino and original units.

any ideas how to determine who is transmitting what on single line UART?

i3dm:
any ideas how to determine who is transmitting what on single line UART?

see replies #7, #9, #13

that would be my approach.

thank you for your help. it is appreciated.
im looming for (hopefully) a simple way (arduino based) to make a single line uart bridge. i agree with your approach but havent yet found an implementation i can easily make.

Here is what i have in mind, using 2 Arduino Nanos on 2 serial terminals.
the only issue might be the delay on the serial channels by using an arduino as pass through on the line.

what do you think?

i3dm:
Here is what i have in mind, using 2 Arduino Nanos on 2 serial terminals.
the only issue might be the delay on the serial channels by using an arduino as pass through on the line.

what do you think?

While your bridge design might just work to pass the data over, how would you then monitor what is transmitted by either device?

sherzaad:
While your bridge design might just work to pass the data over, how would you then monitor what is transmitted by either device?

both of the bridges will be printing incoming bytes to serial on 2 COM ports.