Session with Turbine, eavesdropping.

1) Turbine->BCU is actually 19200 (not 57600 as in the doc)
   (probably changed by AVS for noise reasons)
2) Password is given by BCU as USR123P (and accepted by DPC)
3) BCU continuously sends SYSSTA until DPC responds...

Actual text and hex as recorded by my viewer...

S  Y  S  S  T  A                   S  Y  S  S  T  A
53 59 53 53 54 41 (0F D0 04 01 06) 53 59 53 53 54 41 (0F D0 04 01 06)

I don't know the meaning of this stuff-- some of it is RS232 overhead.

Here is the turbine response--

SOH (01) 8 \lf \lf   (the ascii number '8', followed by two 0A's)
"Capstone Turbine Corporation - MicroTurbine Generator\lf"
"AK" 04 01 (EOT SOH)
""Boot Version 4.03 PN 511706-001 \lf"
A8 "5" 04 (EOT) (SOH)
"*\lfSoftware Version 1.34 (HEV) PN 510674-001A"
DE EOT SOH ENQ \lf "USR>" E1 6C 04 (EOT)

The BCU sends another SYSSTA, and gets a response--

SYSSTA,0=POWER UP\lf

followed by another USR> prompt.

After about 5 more SYSSTA from BCU, the Capstone changes the reply from
the POWER UP response to "SYSSTA,0=STAND BY"

BCU gets two of those responses and then queries-- "DATEQR"
and Capstone replies: DATEQR,0=07/06/2006,5\lfp"
(and a USR> prompt, which is given with all responses)

Four more SYSSTA queries and responses (all the same, i.e. STAND BY), then--

PSSWRD=USR123P\lfb
PSSWRD,0=PROTECT
(and then the prompt changes to)
USRPRT>
(which is given for the rest of the session)

Now, we get this

STRCMD
and
STRCMD,0=0
followed by
STRCMD=1
and
STRCMD,0=1
then
PWRDMD=117
which is acknowledged with:
PWRDMD,0=117
and a SYSSTA gets a new status
SYSSTA,0=PREPARE TO START

BCU: INVPWR
CAP: INVPWR,0=0.000

What follows is a series of ever increasing PWRDMD requests from the BCU,
interspersed with STRCMD queries and INVPWR queries (all of which
return 0.000 in my non-starting turbine) and SYSSTA queries-- like this

From BCU:
PWRDMD=235
SYSSTA
INVPWR
STRCMD

The Cap responds to each, and each PWRDMD goes like this:
352, 470, 588, 705, 941

In between 705 and 941, the BCU throws another STRCMD=1 in there,
apparently not satisfied with all the responses from the Cap saying that it
already had that 1 stored...

and then, the next response to the SYSSTA is
"SYSSTA,0=SHUTDOWN"

and the BCU ignores this, continuing with dozens more of the same four
commands & queries, trying to ramp up the power for a Cap that is not
started...

Its last PWRDMD is for 23882, and then it continues to do the
SYSSTA
INVPWR
and
STRCMD
in sequence, endlessly.

When I turn off the bus (and switched 12v power) the Capstone goes away,
and at least the BCU recognizes this... but curiously, when the Cap does
not respond to a STRCMD and then a SYSSTA and an INVPWR, the silly BCU
sends a last command

STRCMD=0

which I find hilarious, given the context...

=================================================================
Simple packet protocol--
=================================================================

Unfortunately, the Capstone does not provide a simple terminal interface.
They are using an old protocol (which is familiar to me, but I cannot
remember its name-- it is something I've worked with before)...

A message is sent with an envelope--

SOH  (Start of header) which is 01
LEN  (a single byte giving the number of bytes in this "packet")
     (for example, the '8' is hex 48, or 56 bytes)
[The LEN bytes of data...]
CHK  a two-byte chksum. Simple calc, usually, but I'll have to test this out.
SUM  Could be big or little endian, don't know yet, can't remember.
EOT  (End of Text, or really, End of this silly packet envelope scheme)
     which is 04

So, every "packet" begins with an 01, ends with an 04, contains a LEN
which precedes the payload, then the two-byte checksum and the
end-of-this silly shit.

Sender and receiver must follow this protocol, so I have some work to do.

Software first, to make a packetizer, which means I need to break out my
serial port code.

Hardware, I may need to tie down the hardware handshaking, like the PEI
people describe in their doc-- pin 7 and 8 tied together.
The Capstone docs do not show it this way, but then again...

Okay-- this is very similar to the ASync-HDLC envelope used by the
Qualcomm DM. I just read the manual, and there are differences, but we'll
find out more...
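
Added example (not part of the original notes, and not Capstone's code): a Python parser that applies the SOH / LEN / data / CHK / EOT envelope described above to the bytes recorded in the session. It assumes that in each bracketed run (0F D0 04 01 06) the 0F D0 is the checksum, 04 the EOT, and 01 06 the SOH and LEN of the next frame; the two checksum bytes are returned raw because the notes have not yet determined the algorithm or byte order. The names Frame, parse_frames, BCU_TX and TURBINE_TX are made up for this example.

```python
from typing import List, NamedTuple, Tuple

SOH, EOT = 0x01, 0x04

class Frame(NamedTuple):
    offset: int     # index of the SOH byte in the capture
    payload: bytes  # the LEN data bytes
    chk: bytes      # two checksum bytes, kept raw (algorithm and byte order unknown)

def parse_frames(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Split a one-direction capture into frames; return (frames, unparsed tail)."""
    frames, i = [], 0
    while i < len(buf):
        if buf[i] != SOH:
            i += 1                      # line noise or inter-frame bytes: hunt for SOH
            continue
        if i + 1 >= len(buf):
            break                       # SOH seen, LEN not yet received
        n = buf[i + 1]
        end = i + 2 + n + 2             # SOH, LEN, n data bytes, 2 CHK bytes, then EOT
        if end >= len(buf):
            break                       # truncated frame: keep it as the tail
        if buf[end] != EOT:
            i += 1                      # 0x01 was data or noise, not a real SOH
            continue
        frames.append(Frame(i, buf[i + 2:i + 2 + n], buf[i + 2 + n:end]))
        i = end + 1
    return frames, buf[i:]

# Sample input assembled from bytes recorded on the page, under the assumed layout.
BCU_TX = bytes.fromhex("01 06 53 59 53 53 54 41 0F D0 04") * 2
BANNER = b"\n\nCapstone Turbine Corporation - MicroTurbine Generator\n"
TURBINE_TX = (b"\x01" + b"8" + BANNER + b"AK" + b"\x04"
              + bytes.fromhex("01 05 0A 55 53 52 3E E1 6C 04"))

if __name__ == "__main__":
    for name, capture in (("BCU", BCU_TX), ("Turbine", TURBINE_TX)):
        frames, tail = parse_frames(capture)
        for f in frames:
            print(name, f.offset, len(f.payload), f.payload, f.chk.hex())
        print(name, "unparsed tail:", tail.hex())
```

A leading 0x01 that is really noise, followed by a large length byte, will hold the parser at "truncated" until enough bytes arrive, so a live reader should pair this with an inter-byte timeout.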