Interesting, not sure what's going on there then.. how recently was your system installed? Maybe they have updated the pinout on newer models? I'll go back and check though.
I got inspired, and have plugged in my scope, and then an RS422 to serial adapter, and I'm getting XML encoded (weird) CAN messages, which I presume are the same as what's on the CAN bus exposed on some of the control box's ports. I'll get out the can analyser tomorrow and check.
Now the trick will be to reverse engineer this protocol. Here's a tiny sample:
The AES encryption might be related to the android intent messages that are sent to the AAservice. I recall they had an encrypted mode and a "signed app" mode that AAservice will respond to
I have decompiled the apk and it produced a somewhat useful (but incomplete) package of Java source files, which can be useful for reverse engineering the serial protocol. For example:
<string name="parse_block_tag_ping"><U>Ping</U=db></string>
...
private static final byte[] f2305f = "getCAN ".getBytes(Charset.defaultCharset());
private static final byte[] g = MyApp.a().getString(R.string.parse_block_tag_ping).getBytes(Charset.defaultCharset());
private static final byte[] h = MyApp.a().getString(R.string.parse_block_tag_startu).getBytes(Charset.defaultCharset());
private static final byte[] i = "<request>Unknown</request>".getBytes(Charset.defaultCharset());
You can do the same, or alternatively ping me if you'd like me to email you the source package.
I have reached out to your email address (as described in your profile) with some additional information that I've been putting together. Let me know if you didn't receive my mail.
