Difference between revisions of "RDTech TC66C"

From sigrok
Jump to navigation Jump to search
(→‎Poll data format: Document encryption algorithm)
(it's frames not samples any longer)
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Infobox energy meter
{{Infobox energy meter
| image              = [[File:UM24C_display.jpg|180px]]
| image              = [[File:Rdtech-tc66c-mugshot.png|180px]]
| name                = RDTech TC66C
| name                = RDTech TC66C
| status              = unsupported
| status              = supported
| source_code_dir    = rdtech-tc
| connectivity        = serial over Bluetooth or USB
| connectivity        = serial over Bluetooth or USB
| measurements        = voltage, current, power, energy, voltage over USB data lines
| measurements        = voltage, current, power, energy, voltage over USB data lines
Line 9: Line 10:
}}
}}


The RDTech TC66C (~$25 USD) is a USB-C load meter which can measure various properties of USB-C devices including their voltage, amperage, wattage, resistance, capacity, temperature, data line voltage, and charging mode. This device is similar to the [[RDTech UM series]] of devices, but doesn't use the same protocol.
The RDTech TC66C is a USB-C load meter which can measure various properties of USB-C devices including their voltage, amperage, wattage, resistance, capacity, temperature, data line voltage, and charging mode. This device is similar to the [[RDTech UM series]] of devices, but doesn't use the same protocol.


== Protocol (serial) ==
== Example use ==
 
<small>
  $ '''sigrok-cli -d rdtech-tc:conn=/dev/ttyACM0 --scan'''
  $ '''sigrok-cli -d rdtech-tc:conn=bt/dialog/11-22-33-44-55-66 --scan'''
 
  $ '''sigrok-cli -d rdtech-tc:conn=/dev/ttyACM0 --frames 4'''
  $ '''sigrok-cli -d rdtech-tc:conn=/dev/ttyACM0 --continuous'''
</small>
 
== Hardware ==
 
User perceivable peripherals:
* USB-C in and USB-C out for the line and the device under test (optionally supplies the measurement device as well)
* USB micro for host communication and measurement device supply (to not affect the DUT measurements in low load situations)
* color dot matrix display, several display modes with varying numbers of values, optionally rotated by 180 degree
* two push buttons to change display modes and adjust settings
* slide switch "POWER", measurement device supply is taken from DUT path
* slide switch "PD", measurement device can initiate USB charging when the DUT can't
 
Usability feature: Automatically detects direction of current flow, presents an arrow in the display. Transparently works on either host or device side of the cable.
 
Hardware components on the PCB, many guesses:
* 2019-06-05 date code in silk screen, hidden under the display cage
* MFD-28 MCU(?), markings "F150G8 // CE87915 // AJ1830"
* SO-8 24LC256 EEPROM 32KiB
* SSO-10 ADC (or opamp?), marking "88 TI // 226", R015 shunt across pins 9 and 10
* BLE module, castellation (mouse bites), dialog DA14580 (handles RF _and_ USB?)
* M5333B voltage regulator
* MFD-14 (4/3/4/3) chip, marking "PBAB // ?" near RF module and USB-C out plug
 
<gallery>
File:Rdtech-tc66c-mugshot.png
File:Rdtech-tc66c-parts-moon.png
File:Rdtech-tc66c-parts-pcb.png
File:Rdtech-tc66c-parts-pcb-zoom.png
</gallery>
 
== Protocol (CDC serial) ==


{| class="wikitable"
{| class="wikitable"
Line 30: Line 69:
| update  || Boot  || 5          || Prepare to upload firmware. Returns 'uprdy'.
| update  || Boot  || 5          || Prepare to upload firmware. Returns 'uprdy'.
|}
|}


== Protocol (Bluetooth LE) ==
== Protocol (Bluetooth LE) ==
Line 53: Line 91:


=== Commands ===
=== Commands ===
{| class="wikitable"
{| class="wikitable"
! Command    !! Resp. len. !! Meaning
! Command    !! Resp. len. !! Meaning
Line 65: Line 104:
|}
|}


== Poll data format ==
Notice the leading 'b' in the Bluetooth case. The remainder appears to match the USB CDC case.
Poll data is returned as Returns 3x64 byte blocks of data, a total of 192 bytes. Each block is prefixed by <code>pacX</code> The returned data is encrypted using AES in ECB mode.
 
== Protocol response format ("Poll data") ==
 
Poll data is returned as 3x 64 byte blocks of data, a total of 192 bytes. Each block is prefixed by <code>pacX</code> with X as 1, 2, or 3. The returned data is encrypted using AES in ECB mode. All integers are little endian.


=== pac1 ===
=== pac1 ===
Line 137: Line 179:


=== Checksum algorithm ===
=== Checksum algorithm ===
Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field.
Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field.


=== Encryption algorithm ===
=== Encryption algorithm ===
Poll packets are encrypted using AES in ECB mode using the following static key:
Poll packets are encrypted using AES in ECB mode using the following static key:
<pre>
<pre>
Line 148: Line 192:
</pre>
</pre>


Kudos to [https://ralimtek.com/reverse%20engineering/software/tc66c-reverse-engineering Ben V. Brown] for documenting the encryption algorithm and key.
Kudos to Ben V. Brown (see [[#Resources]]) for documenting the encryption algorithm and key.


== Recording format (gtrec) ==
== Recording format (gtrec) ==
Line 162: Line 206:
* Device reboots automatically.
* Device reboots automatically.


Useful URLs:
== Resources ==
 
* the [https://ralimtek.com/reverse%20engineering/software/tc66c-reverse-engineering Ben V. Brown blog article] (the URL might have gone stale, [https://ralimtek.com/posts/2019/tc66/ this link] worked as of 2023-03)
* the [https://github.com/Ralim/TC66C Ralim TC66C github repository] referenced by the above blog article, contains Python code to communicate to the device
* Firmware metadata: [http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.json http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.json]
* Firmware metadata: [http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.json http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.json]
* Firmware binary: [http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.bin http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.bin]
* Firmware binary: [http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.bin http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.bin]
[[Category:Device]]
[[Category:Energy meter]]
[[Category:Supported]]

Latest revision as of 18:43, 24 March 2023

RDTech TC66C
Rdtech-tc66c-mugshot.png
Status supported
Source code rdtech-tc
Connectivity serial over Bluetooth or USB
Measurements voltage, current, power, energy, voltage over USB data lines
Features measures USB-C devices; color display
Website rdtech.aliexpress.com

The RDTech TC66C is a USB-C load meter which can measure various properties of USB-C devices including their voltage, amperage, wattage, resistance, capacity, temperature, data line voltage, and charging mode. This device is similar to the RDTech UM series of devices, but doesn't use the same protocol.

Example use

 $ sigrok-cli -d rdtech-tc:conn=/dev/ttyACM0 --scan
 $ sigrok-cli -d rdtech-tc:conn=bt/dialog/11-22-33-44-55-66 --scan
 $ sigrok-cli -d rdtech-tc:conn=/dev/ttyACM0 --frames 4
 $ sigrok-cli -d rdtech-tc:conn=/dev/ttyACM0 --continuous

Hardware

User perceivable peripherals:

  • USB-C in and USB-C out for the line and the device under test (optionally supplies the measurement device as well)
  • USB micro for host communication and measurement device supply (to not affect the DUT measurements in low load situations)
  • color dot matrix display, several display modes with varying numbers of values, optionally rotated by 180 degree
  • two push buttons to change display modes and adjust settings
  • slide switch "POWER", measurement device supply is taken from DUT path
  • slide switch "PD", measurement device can initiate USB charging when the DUT can't

Usability feature: Automatically detects direction of current flow, presents an arrow in the display. Transparently works on either host or device side of the cable.

Hardware components on the PCB, many guesses:

  • 2019-06-05 date code in silk screen, hidden under the display cage
  • MFD-28 MCU(?), markings "F150G8 // CE87915 // AJ1830"
  • SO-8 24LC256 EEPROM 32KiB
  • SSO-10 ADC (or opamp?), marking "88 TI // 226", R015 shunt across pins 9 and 10
  • BLE module, castellation (mouse bites), dialog DA14580 (handles RF _and_ USB?)
  • M5333B voltage regulator
  • MFD-14 (4/3/4/3) chip, marking "PBAB // ?" near RF module and USB-C out plug

Protocol (CDC serial)

Command Mode Resp. len. Meaning
query All 4 Query mode ('firm' or 'boot')
getva Normal 192 Poll readings. (ret: pacX)
gtrec Normal Variable Get recording.
lastp Normal 0 Previous page.
nextp Normal 0 Next page.
rotat Normal 0 Rotate screen.
update Boot 5 Prepare to upload firmware. Returns 'uprdy'.

Protocol (Bluetooth LE)

Transport

UUID What
0000ffe5-0000-1000-8000-00805f9b34fb TX service
0000ffe9-0000-1000-8000-00805f9b34fb TX attribute
0000ffe0-0000-1000-8000-00805f9b34fb RX service
0000ffe4-0000-1000-8000-00805f9b34fb RX attribute

Transmission to the device is implemented by writing to the TX attribute in the TX service. RX is implemented by listening for notifications from the RX attribute in the RX service.

Commands

Command Resp. len. Meaning
bgetva\r\n 192 Poll readings.
blastp\r\n 0 Previous page.
bnextp\r\n 0 Next page.
brotat\r\n 0 Rotate screen.

Notice the leading 'b' in the Bluetooth case. The remainder appears to match the USB CDC case.

Protocol response format ("Poll data")

Poll data is returned as 3x 64 byte blocks of data, a total of 192 bytes. Each block is prefixed by pacX with X as 1, 2, or 3. The returned data is encrypted using AES in ECB mode. All integers are little endian.

pac1

Offset Type Meaning
0 char[4] pac1
4 char[4] Product name (TC66)
8 char[4] Version (e.g., 1.14)
12 uint32_t Module serial number
16-43 Unknown Unknown
44 uint32_t Number of runs
48 uint32_t Voltage (multiply by 1e-4 for Volt)
52 uint32_t Current (multiply by 1e-5 for Ampere)
56 uint32_t Power (multiply by 1e-4 for Watt)
60-63 uint32_t Checksum

pac2

Offset Type Meaning
0 char[4] pac2
4 uint32_t Resistance (multiply by 1e-2 for Ohm)
8 uint32_t Group 0 mAh
12 uint32_t Group 0 mWh
16 uint32_t Group 1 mAh
20 uint32_t Group 1 mWh
24 uint32_t Temperature sign (1 for negative)
28 uint32_t Temperature (Celsius or Fahrenheit)
32 uint32_t D+ Voltage (multiply by 1e-2 for Volt)
36 uint32_t D- Voltage (multiply by 1e-2 for Volt)
40-59 Unknown Always zero?
60-63 uint32_t Checksum

pac3

Offset Type Meaning
0 char[4] pac3
4-59 Unknown Always zero?
60-63 uint32_t Checksum

Checksum algorithm

Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field.

Encryption algorithm

Poll packets are encrypted using AES in ECB mode using the following static key:

0x58, 0x21, 0xfa, 0x56, 0x01, 0xb2, 0xf0, 0x26,
0x87, 0xff, 0x12, 0x04, 0x62, 0x2a, 0x4f, 0xb0,
0x86, 0xf4, 0x02, 0x60, 0x81, 0x6f, 0x9a, 0x0b,
0xa7, 0xf1, 0x06, 0x61, 0x9a, 0xb8, 0x72, 0x88,

Kudos to Ben V. Brown (see #Resources) for documenting the encryption algorithm and key.

Recording format (gtrec)

Recordings dumped using the gtrec command are returned as a list of 32-bit unsigned integer pairs terminated by reck. The first value in the pair is the voltage (multiply by 1e-4 to get voltage) and the second value is the current (multiply by 1e-5 to get Ampere).

Firmware update

Firmware update process:

  • Issue a query command to verify that the boot loader is active.
  • Issue the update command, wait for uprdy.
  • Write firmware in blocks of 64 bytes (the last block may be shorter than 64 bytes). Each block is acknowledged with an OK response.
  • Device reboots automatically.

Resources