Difference between revisions of "RDTech TC66C"

From sigrok
(→‎Poll data format: Document encryption algorithm)
Line 138: Line 138:
=== Checksum algorithm ===
=== Checksum algorithm ===
Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field.
Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field.
=== Encryption algorithm ===
Poll packets are encrypted using AES in ECB mode using the following static key:
<pre>
0x58, 0x21, 0xfa, 0x56, 0x01, 0xb2, 0xf0, 0x26,
0x87, 0xff, 0x12, 0x04, 0x62, 0x2a, 0x4f, 0xb0,
0x86, 0xf4, 0x02, 0x60, 0x81, 0x6f, 0x9a, 0x0b,
0xa7, 0xf1, 0x06, 0x61, 0x9a, 0xb8, 0x72, 0x88,
</pre>
Kudos to [https://ralimtek.com/reverse%20engineering/software/tc66c-reverse-engineering Ben V. Brown] for documenting the encryption algorithm and key.


== Recording format (gtrec) ==
== Recording format (gtrec) ==
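Review bot: The new "Encryption algorithm" section lists a 32-byte key but never states the key size; say AES-256 explicitly so readers do not have to count bytes. It also leaves open whether the checksum described in the section just above is computed over the decrypted block or over the ciphertext, and the key listing ends with a trailing comma. A sentence on the checksum order, and dropping the comma, would make the section unambiguous.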

Revision as of 19:16, 5 March 2020

RDTech TC66C
Status: unsupported
Source code: [1]
Connectivity: serial over Bluetooth or USB
Measurements: voltage, current, power, energy, voltage over USB data lines
Features: measures USB-C devices; color display
Website: rdtech.aliexpress.com

The RDTech TC66C (~$25 USD) is a USB-C load meter which can measure various properties of USB-C devices including their voltage, amperage, wattage, resistance, capacity, temperature, data line voltage, and charging mode. This device is similar to the RDTech UM series of devices, but doesn't use the same protocol.

Protocol (serial)

Command  Mode    Resp. len.  Meaning
query    All     4           Query mode ('firm' or 'boot')
getva    Normal  192         Poll readings. (ret: pacX)
gtrec    Normal  Variable    Get recording.
lastp    Normal  0           Previous page.
nextp    Normal  0           Next page.
rotat    Normal  0           Rotate screen.
update   Boot    5           Prepare to upload firmware. Returns 'uprdy'.


Protocol (Bluetooth LE)

Transport

UUID                                  What
0000ffe5-0000-1000-8000-00805f9b34fb  TX service
0000ffe9-0000-1000-8000-00805f9b34fb  TX attribute
0000ffe0-0000-1000-8000-00805f9b34fb  RX service
0000ffe4-0000-1000-8000-00805f9b34fb  RX attribute

Transmission to the device is implemented by writing to the TX attribute in the TX service. RX is implemented by listening for notifications from the RX attribute in the RX service.

Commands

Command     Resp. len.  Meaning
bgetva\r\n  192         Poll readings.
blastp\r\n  0           Previous page.
bnextp\r\n  0           Next page.
brotat\r\n  0           Rotate screen.

Poll data format

Poll data is returned as three 64-byte blocks, a total of 192 bytes. Each block is prefixed by pacX. The returned data is encrypted using AES in ECB mode.

pac1

Offset  Type      Meaning
0       char[4]   pac1
4       char[4]   Product name (TC66)
8       char[4]   Version (e.g., 1.14)
12      uint32_t  Module serial number
16-43   Unknown   Unknown
44      uint32_t  Number of runs
48      uint32_t  Voltage (multiply by 1e-4 for Volt)
52      uint32_t  Current (multiply by 1e-5 for Ampere)
56      uint32_t  Power (multiply by 1e-4 for Watt)
60-63   uint32_t  Checksum

pac2

Offset  Type      Meaning
0       char[4]   pac2
4       uint32_t  Resistance (multiply by 1e-2 for Ohm)
8       uint32_t  Group 0 mAh
12      uint32_t  Group 0 mWh
16      uint32_t  Group 1 mAh
20      uint32_t  Group 1 mWh
24      uint32_t  Temperature sign (1 for negative)
28      uint32_t  Temperature (Celsius or Fahrenheit)
32      uint32_t  D+ Voltage (multiply by 1e-2 for Volt)
36      uint32_t  D- Voltage (multiply by 1e-2 for Volt)
40-59   Unknown   Always zero?
60-63   uint32_t  Checksum

pac3

Offset  Type      Meaning
0       char[4]   pac3
4-59    Unknown   Always zero?
60-63   uint32_t  Checksum

Checksum algorithm

Checksums are implemented using CRC-16/MODBUS zero-extended to fit a 32-bit field.

Encryption algorithm

Poll packets are encrypted using AES in ECB mode using the following static key:

0x58, 0x21, 0xfa, 0x56, 0x01, 0xb2, 0xf0, 0x26,
0x87, 0xff, 0x12, 0x04, 0x62, 0x2a, 0x4f, 0xb0,
0x86, 0xf4, 0x02, 0x60, 0x81, 0x6f, 0x9a, 0x0b,
0xa7, 0xf1, 0x06, 0x61, 0x9a, 0xb8, 0x72, 0x88,

Kudos to Ben V. Brown for documenting the encryption algorithm and key.
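
The poll format, checksum and encryption sections above can be combined into one decoder. The following is an added example, not code from the sigrok project or from the original page. It assumes little-endian integers, a checksum computed over bytes 0-59 of each decrypted block, and the third-party Python 'cryptography' package for the AES step; all function names are hypothetical and the sample data is constructed.

```python
import struct

KEY = bytes.fromhex("5821fa5601b2f02687ff1204622a4fb0"   # static key from the
                    "86f40260816f9a0ba7f106619ab87288")  # page: 32 bytes, AES-256

def decrypt_poll(ciphertext: bytes) -> bytes:
    """AES-ECB decrypt a 192-byte reply; needs the 'cryptography' package."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(KEY), modes.ECB()).decryptor()
    return dec.update(ciphertext) + dec.finalize()

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_poll(plain: bytes) -> dict:
    """Validate and decode a decrypted poll reply (pac1, pac2, pac3)."""
    if len(plain) != 192:
        raise ValueError("poll reply must be 3 x 64 bytes")
    blocks = [plain[i:i + 64] for i in range(0, 192, 64)]
    for n, blk in enumerate(blocks, 1):
        if blk[:4] != b"pac%d" % n:
            raise ValueError(f"block {n}: bad prefix {blk[:4]!r}")
        # Assumptions: little-endian fields; CRC covers bytes 0..59.
        if struct.unpack_from("<I", blk, 60)[0] != crc16_modbus(blk[:60]):
            raise ValueError(f"block {n}: checksum mismatch")
    p1, p2, _ = blocks
    serial, runs, volt, amp, watt = struct.unpack_from("<I28x4I", p1, 12)
    res, *_, sign, temp, dp, dm = struct.unpack_from("<9I", p2, 4)  # skips mAh/mWh
    return {"product": p1[4:8].decode("ascii"), "version": p1[8:12].decode("ascii"),
            "serial": serial, "runs": runs, "voltage_v": volt * 1e-4,
            "current_a": amp * 1e-5, "power_w": watt * 1e-4,
            "resistance_ohm": res * 1e-2, "temperature": -temp if sign else temp,
            "d_plus_v": dp * 1e-2, "d_minus_v": dm * 1e-2}

# Constructed sample (not a device capture); build_block pads to 60 bytes + CRC.
def build_block(n: int, body: bytes) -> bytes:
    blk = (b"pac%d" % n + body).ljust(60, b"\0")
    return blk + struct.pack("<I", crc16_modbus(blk))

SAMPLE = b"".join([
    build_block(1, b"TC661.14" + struct.pack("<I28x4I", 1234, 7, 50000, 150000, 75000)),
    build_block(2, struct.pack("<9I", 333, 0, 0, 0, 0, 1, 25, 60, 59)),
    build_block(3, b"")])
```

A passing check shows the transfer was intact, not that the data is authentic: the key is static and published, and the CRC is unkeyed.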

Recording format (gtrec)

Recordings dumped using the gtrec command are returned as a list of 32-bit unsigned integer pairs terminated by reck. The first value in each pair is the voltage (multiply by 1e-4 for Volt) and the second value is the current (multiply by 1e-5 for Ampere).

Firmware update

Firmware update process:

  • Issue a query command to verify that the boot loader is active.
  • Issue the update command, wait for uprdy.
  • Write firmware in blocks of 64 bytes (the last block may be shorter than 64 bytes). Each block is acknowledged with an OK response.
  • Device reboots automatically.

Useful URLs: