Single Chip BMS Research + DALY Pin Compatible BMS's

Finally success.
Now I can share my data via the server. It took me almost as long to set up this s*** as it took me to build iot from scratch

-methods
 

Attachments

  • Screenshot_20221123-102101_compress25.jpg
    Screenshot_20221123-102101_compress25.jpg
    56.3 KB · Views: 94
  • Screenshot_20221123-101830_compress1.jpg
    Screenshot_20221123-101830_compress1.jpg
    51.4 KB · Views: 94
  • Screenshot_20221123-102159_compress34.jpg
    Screenshot_20221123-102159_compress34.jpg
    66.4 KB · Views: 94
  • Screenshot_20221123-102132_compress38.jpg
    Screenshot_20221123-102132_compress38.jpg
    68.7 KB · Views: 94
That was so much pain.

When you do it
* Use the app
* Log into YOUR wifi router, not ITS hotspot
* Give it your password (c o u g h)
* Then it magically just happens

What is going on is the phone app is backdooring the dongle and stuffing your SSID and Password. After that, if you already set up your online accounts, BAM. Data in the cloud.

-methods
 
So sketch
You can literally change current limits remotely

* I'm removing the dongle

Screenshot_20221123-103532.png

-methods
 
Ok, back to BMS's
I need one, like yesterday.

-methods
 
Point of all that?

* If you wanted to hack the GroWatt protocol, all you would have to do is sniff the UART

The interface between the WiFi dongle and the Inverter is USB. If you inspect closely you will see it converts to UART. If you simply attach GND and TX to the GND and RX of an Arduino and pick the correct baud, you can start spilling ONE SIDE of that communication to the terminal, where you can later parse it.

If you use a second arduino, or a second uart port, you can then grab the other side of the communication. OBVIOUSLY it is easier if you synchronize them (L O L) and I suggest doing it on a heartbeat. I.E. if you just log the ASYNC data you will have no way to line it up. If you instead log against a heartbeat you can line the two data streams up.

You then initiate
* Like sending a command

You then watch the 5 or 15 back and forths

Now you have a backdoor into the GroWatt - and - this may be at the AT command level or .... right? Because it is a standard WiFi nugget they have on there. The USB is THAT interface, the one between the actual WiFi node and the uProcessor, so that means

* That the language being spoken will comply with the datasheet of the WiFi "chip"
* I.E. that is what all the garble is wrapped around the snips of data you want

-methods
 
And
remember that I already posted a GitHub link to someone who re-programmed the WiFi dongle and hacked it to send to MQTT instead of the Jenky-ass GroWatt servers

C O U G H

Which is E X A C T L Y what I was wanting to do some many months back, so thank you to that person. Now we can use our own IoT to bang-bang with the SPF 5000 ES with far less worry about some clown logging in and changing Current Limits (barf).

* GroWatt Servers - big target
* methods super one-off IoT bungle, H A!

Nobody is ever going to waste the time or energy, if they could even find it among the trillions of other smart devices out there.

-methods
 
0320 local
Now to find that BMS
Starting with clue HLZT

-methods
 
That is what you call a dead end... maybe

JDB.png

-methods
 
Source: https://www.indiamart.com/proddetail/40amp-bms-board-23845642912.html
Source: Google Search of HLZT

JDB.png

-methods
 
Here translation courtesy of Google

Screenshot_20221125-033314_compress18.jpg

Parents today stamp of authenticity, day after Thanksgiving, North America, ~0330

PXL_20221125_113234916_compress85.jpg

You'll find that picture nowhere else on the internet. That's the same desk going back to the beginning. BMFW has not changed either.

-methods
 
Sometimes if the characters have too much meaning, the augmented reality doesn't render that well
 

Attachments

  • Screenshot_20221125-033824_compress45.jpg
    Screenshot_20221125-033824_compress45.jpg
    88.1 KB · Views: 74
Starting in, traction is good

JDB.png
 
Google is giving me some real go fish

"HLZT Shenzhen Hailong Zhitong Electronics"

So high street lighting is doing the import, but it is clear that this is not their primary gig. Ignore these informations, this is seller on indiabahbah not mfg of bms

JDB.png

-methods
 
Ok, two screens going
Currently on

Google Image Search
"HLZT BMS"

Looking for a visual match on the sticker. H I T

-methods
 
This is our friend from the Revolution, 3rd variant.
This is not a one-off, this is production
Why do we not find yet yes?

JDB.png

-methods
 
STOP TIME

This smalltime website has both the BMS and the Batteries shown in the teardown video
https://www.electromannsa.com/es/products/4s-12-8v-lifepo4-3-2v-battery-750a-bms-battery-protection-board

Zero doubt, the exact cells shown
https://www.electromannsa.com/es/collections/miscellaneous/products/life-po4-120ah-3-2v-lithium-battery

JDB.png

Code: 
Charging
Charge current: Same as continuous current
Charging voltage:12.8V (Nominal)

Over charge protection
Overcharge detection voltage:3.7V±0.05V
Overcharge release voltage:3.6V±0.05V
Overcharge protection delay:600uS

Over discharge protection
Over discharge protection voltage: 2.2V ± 0.1V
Over discharge release voltage:2.5V±0.1V
Over discharge detect delay:600uS

Discharge protection
Instantaneous current: continuous current * 2.5
Overcurrent detection delay:600uS
Over discharge detect voltage:100mV
Overcurrent protection release condition: Disconnect load

Short circuit protection
[b]Short circuit protection condition: External load short circuit
Short circuit detection delay:600uS[/b]
Short circuit protection release condition: Disconnect load

Working Temp
temperature range:-20℃/+80℃

Package Contents:
1 x 4S 12.8V LiFe Po4 Battery 3.2V Power Protection Board 75A
 
Uh... South Africa?
WTF Bro

https://www.electromannsa.com/es/pages/contact-us

First by me
I shizzle, its like a clearing house. Somehow this dude got a line on the batteries and bms. Proceed with great caution.

-methods
 
Oh SNAP
Same shitbird in blue now

Other.png

-methods
 
Now I am just doing depthcharges into the website search portal

https://www.electromannsa.com/es/products/90ah-lithium-lifepo4-45amp-12-8v-rechargeable-battery?variant=43390250189041

uh.... bro

Other.png

-methods
 
SQL style search works
https://www.electromannsa.com/es/pages/search-results-page?q=bms

Other.png

-methods
 
Ok, so on a hit like this I am seeing no mention of how high you can stack these. That is a very important factor, and a great sign of reliability. AFAICT, this 4S BMS can stack 16S

lets compare costs
https://www.electromannsa.com/es/products/4s-12-8v-lifepo4-3-2v-battery-750a-bms-battery-protection-board

Ok, $60 bucks
Other.png

-methods
 
Other.png

Thru the original Google Image Search
https://www.electromannsa.com/products/13s-50a-3-7v-48v-lithium-battery-charger-protection-board

13S 50A
Difference is that it has some hand tagging on it

-methods
 
Oh nice, actual potting

Other.png

Unlike the shoe-rubber I found in the DALY turd. DALY is not a friend of the revolution. If you rip off methods, you are not a friend of the revolution. methods may rip you off by selling you some swap meet louie, but cant go other way around

[youtube]Q0IrjFamL2c[/youtube]

Go big or go home
Time is 0420 PDT

-methods
 
You must log in or register to reply here.
Back
Top