Difference between revisions of "RDTech TC66C"
(→Poll data format: Document encryption algorithm) |
|||
Line 138: | Line 138: | ||
=== Checksum algorithm === | === Checksum algorithm === | ||
Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field. | Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field. | ||
=== Encryption algorithm === | |||
Poll packets are encrypted using AES in ECB mode using the following static key: | |||
<pre> | |||
0x58, 0x21, 0xfa, 0x56, 0x01, 0xb2, 0xf0, 0x26, | |||
0x87, 0xff, 0x12, 0x04, 0x62, 0x2a, 0x4f, 0xb0, | |||
0x86, 0xf4, 0x02, 0x60, 0x81, 0x6f, 0x9a, 0x0b, | |||
0xa7, 0xf1, 0x06, 0x61, 0x9a, 0xb8, 0x72, 0x88, | |||
</pre> | |||
Kudos to [https://ralimtek.com/reverse%20engineering/software/tc66c-reverse-engineering Ben V. Brown] for documenting the encryption algorithm and key. | |||
== Recording format (gtrec) == | == Recording format (gtrec) == |
Revision as of 19:16, 5 March 2020
Status | unsupported |
---|---|
Source code | [1] |
Connectivity | serial over Bluetooth or USB |
Measurements | voltage, current, power, energy, voltage over USB data lines |
Features | measures USB-C devices; color display |
Website | rdtech.aliexpress.com |
The RDTech TC66C (~$25 USD) is a USB-C load meter which can measure various properties of USB-C devices including their voltage, amperage, wattage, resistance, capacity, temperature, data line voltage, and charging mode. This device is similar to the RDTech UM series of devices, but doesn't use the same protocol.
Protocol (serial)
Command | Mode | Resp. len. | Meaning |
---|---|---|---|
query | All | 4 | Query mode ('firm' or 'boot') |
getva | Normal | 192 | Poll readings. (ret: pacX) |
gtrec | Normal | Variable | Get recording. |
lastp | Normal | 0 | Previous page. |
nextp | Normal | 0 | Next page. |
rotat | Normal | 0 | Rotate screen. |
update | Boot | 5 | Prepare to upload firmware. Returns 'uprdy'. |
Protocol (Bluetooth LE)
Transport
UUID | What |
---|---|
0000ffe5-0000-1000-8000-00805f9b34fb | TX service |
0000ffe9-0000-1000-8000-00805f9b34fb | TX attribute |
0000ffe0-0000-1000-8000-00805f9b34fb | RX service |
0000ffe4-0000-1000-8000-00805f9b34fb | RX attribute |
Transmission to the device is implemented by writing to the TX attribute in the TX service. RX is implemented by listening for notifications from the RX attribute in the RX service.
Commands
Command | Resp. len. | Meaning |
---|---|---|
bgetva\r\n | 192 | Poll readings. |
blastp\r\n | 0 | Previous page. |
bnextp\r\n | 0 | Next page. |
brotat\r\n | 0 | Rotate screen. |
Poll data format
Poll data is returned as Returns 3x64 byte blocks of data, a total of 192 bytes. Each block is prefixed by pacX
The returned data is encrypted using AES in ECB mode.
pac1
Offset | Type | Meaning |
---|---|---|
0 | char[4] | pac1
|
4 | char[4] | Product name (TC66 )
|
8 | char[4] | Version (e.g., 1.14 )
|
12 | uint32_t | Module serial number |
16-43 | Unknown | Unknown |
44 | uint32_t | Number of runs |
48 | uint32_t | Voltage (multiply by 1e-4 for Volt) |
52 | uint32_t | Current (multiply by 1e-5 for Ampere) |
56 | uint32_t | Power (multiply by 1e-4 for Watt) |
60-63 | uint32_t | Checksum |
pac2
Offset | Type | Meaning |
---|---|---|
0 | char[4] | pac2
|
4 | uint32_t | Resistance (multiply by 1e-2 for Ohm) |
8 | uint32_t | Group 0 mAh |
12 | uint32_t | Group 0 mWh |
16 | uint32_t | Group 1 mAh |
20 | uint32_t | Group 1 mWh |
24 | uint32_t | Temperature sign (1 for negative) |
28 | uint32_t | Temperature (Celsius or Fahrenheit) |
32 | uint32_t | D+ Voltage (multiply by 1e-2 for Volt) |
36 | uint32_t | D- Voltage (multiply by 1e-2 for Volt) |
40-59 | Unknown | Always zero? |
60-63 | uint32_t | Checksum |
pac3
Offset | Type | Meaning |
---|---|---|
0 | char[4] | pac3
|
4-59 | Unknown | Always zero? |
60-63 | uint32_t | Checksum |
Checksum algorithm
Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field.
Encryption algorithm
Poll packets are encrypted using AES in ECB mode using the following static key:
0x58, 0x21, 0xfa, 0x56, 0x01, 0xb2, 0xf0, 0x26, 0x87, 0xff, 0x12, 0x04, 0x62, 0x2a, 0x4f, 0xb0, 0x86, 0xf4, 0x02, 0x60, 0x81, 0x6f, 0x9a, 0x0b, 0xa7, 0xf1, 0x06, 0x61, 0x9a, 0xb8, 0x72, 0x88,
Kudos to Ben V. Brown for documenting the encryption algorithm and key.
Recording format (gtrec)
Recordings dumped using the gtrec
command are returned as a list of 32-bit unsigned integer pairs terminated by reck
. The first value in the pair is the voltage (multiply by 1e-4 to get voltage) and the second value is the current (multiply by 1e-5 to get Ampere).
Firmware update
Firmware update process:
- Issue a
query
command to verify that the boot loader is active. - Issue the
update
command, wait foruprdy
. - Write firmware in blocks of 64 bytes (the last block may be shorter than 64 bytes). Each block is acknowledged with an
OK
response. - Device reboots automatically.
Useful URLs:
- Firmware metadata: http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.json
- Firmware binary: http://www.ruidengkeji.com/rdupdate/firmware/TC66/TC66.bin