Reverse Engineering the RS485 protocol

Well, this weekend I had quite an adventure with RS485.
I ran into a couple of issues along the way.
One was identifying the baud rate of the line you are vampire-tapping into.
One way is to use an oscilloscope, find the shortest pulse, and calculate the baud rate from that.
Take the shortest pulse and measure it in microseconds (µs, millionths of a second, so 26 µs is written as 0.000026 s). Plug that value into 1 / pulse width: 1 / 0.000026 = 38461.53…, therefore 38461 is your baud rate when 26 microseconds is your shortest pulse (the standard rate closest to it is 38400, see the chart below).
An example of how to eye out the shortest pulse is below.

Afterwards there is another issue that comes from merely vampire-tapping the wires with RS-485: discovering which way the traffic flows. On RS-485, unlike RS-232, there are no separate RX and TX lines, only A and B, so it is not really possible to tell which direction data is flowing on the line unless you already know the underlying sender/receiver protocol. One way around this is to physically split the connection and run both ends into your laptop through RS-485 to USB converters: read the data on one port, then send the same data out of the other port. You can do this with the rig I made below. In this case I used a red wire to carry the power that the receiver requires and green for ground. That power is purely for the microcontroller on the receiving side; RS-485 itself needs no ground or power reference to carry the communication, even though one is sometimes included. In picture three, note the solder points bridging the two green connectors on the left side and the two solder points bridging the connections on the right side.
   
Here's a chart I found (bit time for each standard baud rate).

Bit time            Baud rate
3333 µs (3.3 ms)    300
833 µs              1200
416 µs              2400
208 µs              4800
104 µs              9600
69 µs               14400
52 µs               19200
34 µs               28800
26 µs               38400
17.3 µs             57600
8 µs                115200
4.34 µs             230400
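The pulse-to-baud calculation above and the chart are easy to get wrong by hand, so here is a small Python tool that does both: it finds the shortest gap between edges in a capture, applies the post's 1 / pulse-width formula, snaps the result to the nearest standard rate, and regenerates the chart's bit times. This is an added example, not code from the original post; the edge timestamps are constructed to look like a scope export of a few 38400-baud bits, and the 5 % tolerance is an assumption based on how much rate mismatch a UART receiver can normally tolerate.

```python
"""Baud-rate estimation from the shortest pulse in a capture (added example)."""
from typing import Sequence, Tuple

# Standard rates, the same set as the chart above.
STANDARD_BAUD_RATES = (300, 1200, 2400, 4800, 9600, 14400, 19200, 28800,
                       38400, 57600, 115200, 230400)

# Constructed sample: edge timestamps in microseconds from an imaginary scope
# export of a few 38400-baud bits (every gap is a multiple of one ~26 us bit).
SAMPLE_EDGES_US = [0, 52, 78, 182, 208, 260, 286]


def bit_time_us(baud: int) -> float:
    """Bit time in microseconds for a rate: 1e6 / baud (9600 -> ~104 us)."""
    return 1e6 / baud


def shortest_pulse_us(edge_times_us: Sequence[float]) -> float:
    """Shortest interval between consecutive level changes.

    With enough traffic this interval is a single bit time. The caveat: a very
    short capture may never contain an isolated bit, in which case the shortest
    gap is two or more bit times and the estimate comes out proportionally low.
    """
    if len(edge_times_us) < 2:
        raise ValueError("need at least two edges")
    gaps = [later - earlier
            for earlier, later in zip(edge_times_us, edge_times_us[1:])]
    smallest = min(gaps)
    if smallest <= 0:
        raise ValueError("edge timestamps must be strictly increasing")
    return smallest


def raw_baud(pulse_us: float) -> float:
    """The post's formula: 1 / pulse width in seconds (26 us -> 38461.5...)."""
    return 1.0 / (pulse_us * 1e-6)


def nearest_standard_baud(pulse_us: float,
                          tolerance: float = 0.05) -> Tuple[int, float]:
    """Snap the raw estimate to the closest standard rate.

    Returns (rate, relative_error). UART receivers only tolerate a few percent
    of rate mismatch (assumed 5 % here), so a larger error means the measured
    pulse is not one bit of a standard rate: noise, a multi-bit pulse, or a
    non-standard rate. Raising is better than silently picking a wrong rate.
    """
    estimate = raw_baud(pulse_us)
    rate = min(STANDARD_BAUD_RATES, key=lambda r: abs(r - estimate))
    error = abs(rate - estimate) / rate
    if error > tolerance:
        raise ValueError(
            f"{estimate:.0f} baud is not within {tolerance:.0%} of a standard rate")
    return rate, error


def estimate_from_capture(edge_times_us: Sequence[float]) -> Tuple[int, float]:
    """Full pipeline: shortest pulse -> 1/t -> nearest standard rate."""
    return nearest_standard_baud(shortest_pulse_us(edge_times_us))


if __name__ == "__main__":
    pulse = shortest_pulse_us(SAMPLE_EDGES_US)
    rate, err = nearest_standard_baud(pulse)
    print(f"shortest pulse {pulse} us -> {raw_baud(pulse):.1f} baud raw "
          f"-> {rate} baud ({err:.2%} off)")
    for r in STANDARD_BAUD_RATES:
        print(f"{bit_time_us(r):8.2f} us  {r}")
```

Feed `shortest_pulse_us` the timestamps of every transition on the A/B pair; if the tolerance check fails, capture more traffic before trusting the number, since the shortest gap in a short capture may be several bits wide.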

I wrote MITM code using two USB to RS485 modules; the VB.NET code is below.
Adjust the COM ports (and the baud rate set in Button1_Click) as needed.
 
' SerialPort1/2, ComboBox1/2, ListBox1 and Button1/2 are components placed on
' the form in the designer. Fixes compared to the first posting: straight quotes,
' real minus signs, raw-byte forwarding, a bounds check on the frame buffers,
' both ports opened, and the log file closed on save.
Imports System.IO.Ports
Imports System.Text

Public Class Form1
    Delegate Sub ListboxItem(data As String)
    Dim func1 As ListboxItem = AddressOf Listbox1Item

    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        ' Offer every serial port on the machine in both drop-downs.
        For Each MyPort In SerialPort.GetPortNames()
            ComboBox1.Items.Add(MyPort)
            ComboBox2.Items.Add(MyPort)
        Next
        ComboBox1.SelectedIndex = 0
        ComboBox2.SelectedIndex = 1
    End Sub

    ' One frame buffer per direction; a frame is flushed on CR (&HD) or on a full buffer.
    Dim Buffer1Index As Integer = 0
    Dim Buffer1(32) As Byte

    Private Sub SerialPort1_DataReceived(sender As Object, e As SerialDataReceivedEventArgs) Handles SerialPort1.DataReceived
        Me.Invoke(func1, {"r1"})
        ' Drain everything that arrived; one DataReceived event can carry several bytes.
        While SerialPort1.BytesToRead > 0
            Buffer1(Buffer1Index) = CByte(SerialPort1.ReadByte())
            ' Forward the raw byte. There is no Write(Byte) overload; passing a Byte
            ' picks Write(String) and sends the byte's decimal text instead.
            SerialPort2.Write(Buffer1, Buffer1Index, 1)
            If Buffer1Index > 1 AndAlso ((Buffer1(Buffer1Index) = &HAUS And Buffer1(Buffer1Index - 1) = &HDUS) Or Buffer1(Buffer1Index) = &HDUS) Then
                LogFrame(SerialPort1.PortName, Buffer1, Buffer1Index)
                Buffer1Index = 0
            ElseIf Buffer1Index >= Buffer1.Length - 1 Then
                ' No CR before the buffer filled: log what we have instead of indexing past the end.
                LogFrame(SerialPort1.PortName & " partial", Buffer1, Buffer1Index)
                Buffer1Index = 0
            Else
                Buffer1Index += 1
            End If
        End While
    End Sub

    Dim Buffer2Index As Integer = 0
    Dim Buffer2(32) As Byte

    Private Sub SerialPort2_DataReceived(sender As Object, e As SerialDataReceivedEventArgs) Handles SerialPort2.DataReceived
        Me.Invoke(func1, {"r2"})
        While SerialPort2.BytesToRead > 0
            Buffer2(Buffer2Index) = CByte(SerialPort2.ReadByte())
            SerialPort1.Write(Buffer2, Buffer2Index, 1)
            If Buffer2Index > 1 AndAlso ((Buffer2(Buffer2Index) = &HAUS And Buffer2(Buffer2Index - 1) = &HDUS) Or Buffer2(Buffer2Index) = &HDUS) Then
                LogFrame(SerialPort2.PortName, Buffer2, Buffer2Index)
                Buffer2Index = 0
            ElseIf Buffer2Index >= Buffer2.Length - 1 Then
                LogFrame(SerialPort2.PortName & " partial", Buffer2, Buffer2Index)
                Buffer2Index = 0
            Else
                Buffer2Index += 1
            End If
        End While
    End Sub

    ' Render one direction-tagged frame as hex and post it to the list box on the UI thread.
    Private Sub LogFrame(portName As String, buffer As Byte(), lastIndex As Integer)
        Dim strTemp As New StringBuilder(128)
        strTemp.Append("[" & portName & "]")
        For b = 0 To lastIndex
            strTemp.Append(" " & Conversion.Hex(buffer(b)))
        Next
        Me.Invoke(func1, {strTemp.ToString()})
    End Sub

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        ' Both ports must run at the bus's rate (see the chart above); change 1200 to match.
        SerialPort1.BaudRate = 1200
        SerialPort2.BaudRate = 1200
        SerialPort1.PortName = ComboBox1.SelectedItem.ToString()
        SerialPort2.PortName = ComboBox2.SelectedItem.ToString()
        ' Both ports have to be open, or nothing is forwarded in that direction.
        SerialPort1.Open()
        SerialPort2.Open()
    End Sub

    Sub Listbox1Item(ByVal data As String)
        ListBox1.Items.Add(Now.TimeOfDay.ToString() & " " & data)
    End Sub

    Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
        ' Save the captured log, one entry per line, then close the ports and exit.
        Using File1 = IO.File.CreateText("Serial1.txt")
            For Each MyLine In ListBox1.Items
                File1.WriteLine(MyLine.ToString())
            Next
        End Using
        If SerialPort1.IsOpen Then SerialPort1.Close()
        If SerialPort2.IsOpen Then SerialPort2.Close()
        Me.Close()
    End Sub
End Class
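The framing and direction-tagging logic of the tool above is the part worth checking offline, so here it is as a Python model that can be run against recorded chunks without any hardware. This is an added example, not code from the original post; the direction labels "A->B" / "B->A" stand in for the two port names, and the sample chunks are constructed to exercise the cases a real DataReceived stream produces: a frame split across two reads, a CR and its LF split across reads, and a long run with no terminator (which the 32-byte buffer must not overrun).

```python
"""Direction-tagged frame logger for a split RS-485 tap (added example)."""
from typing import Dict, Iterable, List, Optional, Tuple

CR, LF = 0x0D, 0x0A
MAX_FRAME = 32  # same frame-buffer size as the VB.NET tool above


class FrameTap:
    """Reassemble the bytes seen on each side of the tap into CR-terminated frames.

    Because the rig physically splits the pair, the port a byte arrives on *is*
    its direction, so every frame is tagged with it. A frame ends at CR; an LF
    that follows the CR belongs to that frame and is swallowed rather than
    starting a new one (the VB.NET tool treats CR or CR LF as the terminator).
    A frame that reaches MAX_FRAME without a CR is flushed and marked partial
    instead of overrunning the buffer.
    """

    def __init__(self) -> None:
        self._buf: Dict[str, bytearray] = {"A->B": bytearray(), "B->A": bytearray()}
        self._after_cr: Dict[str, bool] = {"A->B": False, "B->A": False}

    def feed(self, direction: str, data: bytes) -> List[str]:
        """Consume one chunk as read from a port; return frames completed by it."""
        lines: List[str] = []
        buf = self._buf[direction]
        for b in data:
            if self._after_cr[direction]:
                self._after_cr[direction] = False
                if b == LF:
                    continue  # LF that terminates the previous CR-ended frame
            buf.append(b)
            if b == CR:
                lines.append(self._render(direction, buf, None))
                buf.clear()
                self._after_cr[direction] = True
            elif len(buf) >= MAX_FRAME:
                lines.append(self._render(direction, buf, "buffer full"))
                buf.clear()
        return lines

    def flush_all(self) -> List[str]:
        """At end of capture, emit whatever is still buffered as partial frames."""
        lines: List[str] = []
        for direction, buf in self._buf.items():
            if buf:
                lines.append(self._render(direction, buf, "end of capture"))
                buf.clear()
        return lines

    @staticmethod
    def _render(direction: str, buf: bytearray, partial_reason: Optional[str]) -> str:
        hex_bytes = " ".join(f"{b:02X}" for b in buf)
        suffix = f" (partial, {partial_reason})" if partial_reason else ""
        return f"[{direction}] {hex_bytes}{suffix}"


# Constructed sample: chunks as DataReceived would hand them over, with one
# frame split across reads, a CR LF split across reads, and a long run with no CR.
SAMPLE_CHUNKS: List[Tuple[str, bytes]] = [
    ("A->B", b"\x02STAT?\r\n"),
    ("B->A", b"\x01\x03\x04\x12"),
    ("B->A", b"\x34\x56\x78\r"),
    ("B->A", b"\n\x01"),
    ("A->B", b"A" * 40),
]


def replay(chunks: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Run a chunk sequence through the tap and return every log line produced."""
    tap = FrameTap()
    lines: List[str] = []
    for direction, data in chunks:
        lines.extend(tap.feed(direction, data))
    lines.extend(tap.flush_all())
    return lines


if __name__ == "__main__":
    for line in replay(SAMPLE_CHUNKS):
        print(line)
```

Replacing `SAMPLE_CHUNKS` with chunks read from two serial ports gives the same hex lines the VB.NET tool writes to its list box, with the partial-frame markers showing where the bus protocol does not actually use CR as a terminator and the framing assumption needs revisiting.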
