To answer Jay's questions:
And to clarify... this is NOT the SAM protocol, this is the protocol used on the ABCD bus that communicates between the thermostat, furnace, AC, and SAM.
1) The SAM connects to the ABCD bus. The ABCD protocol is mostly master slave. For the most part, the thermostat does the reading and writing, except there is a case where the furnace writes to what I'm assuming is another furnace address. So technically, it is multimaster, although I have no idea how collisions don't seem to happen - there must be more to the timing or order than I have seen.
2) I don't think that's the case. It's 38400 8n1.
3) It does use a CRC16 checksum with the result in a swapped byte order (at least according to the algorithm I used).
4) I haven't looked at the timing very much, although it does seem to be key.
6) The start up does search for a number of devices, but otherwise is very similar to the ongoing communication. It does however search for a few devices I don't have. My suspicion is that one of them is the SAM.
This is by no means discouraging. The nuts and bolts of the protocol are pretty obvious... the "registers" and data are difficult to figure out. (I come from a Modbus world, so registers are the best term I could come up with). This is why having a SAM would be helpful, mainly to see if the SAM is a master on the bus, or a slave to the thermostat. This could be determined with a 20 second capture from the ABCD bus, assuming one has an RS485 adapter.
Here is the general packet structure:
Code:
[---------- HEADER ------------------------------]
[2 bytes][2 bytes][1 byte][1 byte][1 byte][1 byte][X bytes][2 bytes]
  Dest     Src     Func     ?       ?     Length    Data   Checksum
Dest and Src are the addresses of devices - 2001 Thermostat, 4001 Furnace, 5001 AC/HP.
The first 3 bytes of the data above are a "register address" that signifies what data is being read or written.
For example:
Code:
Example Packet:
[-----FRAME------------------------------]
[Header][ -------DATA----------][Checksum]
        [00 03 16] [00]   [01]
        [Address ] [Byte1][Byte2]
Functions are as follows:
Code:
Typical Function Codes:
===========================================================================================
0x06 Response
     1 Byte Length, Data=0x00 - Seems to be an ACK to a write
     Variable Length > 3 bytes - a response to a read request
0x0B Read Request
     3 byte Length, Data=register of data to get
0x0C Write Request
     Variable Length > 3 bytes
     First 3 bytes of data are register to write
     Following bytes are data to write
0x15 Error?
     1 Byte Length, Data=0x0A
     Not sure of this - think it is an error response
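A parser for the frame layout and function codes described in this post, added here as an illustration and not the poster's own code. The CRC-16 variant (reflected polynomial 0xA001, initial value 0), the low-byte-first checksum order, and reading the device addresses as hex are assumptions; the post does not specify them.

```python
import struct

# Header exactly as drawn in the post:
# Dest(2) Src(2) Func(1) ?(1) ?(1) Length(1), then Data and a 2-byte checksum.
HEADER = struct.Struct(">HHBBBB")
FUNCS = {0x06: "response", 0x0B: "read request", 0x0C: "write request", 0x15: "error?"}

def crc16(data: bytes) -> int:
    """CRC-16, reflected polynomial 0xA001, init 0 (assumed variant)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_frame(dest, src, func, data, unk=(0, 0)):
    body = HEADER.pack(dest, src, func, unk[0], unk[1], len(data)) + data
    # "Swapped byte order" taken to mean low byte first on the wire (assumption).
    return body + struct.pack("<H", crc16(body))

def parse_frame(frame: bytes) -> dict:
    if len(frame) < HEADER.size + 2:
        raise ValueError("frame shorter than header + checksum")
    dest, src, func, unk1, unk2, length = HEADER.unpack_from(frame)
    if len(frame) != HEADER.size + length + 2:
        raise ValueError("length field does not match frame size")
    (wire_crc,) = struct.unpack("<H", frame[-2:])
    if crc16(frame[:-2]) != wire_crc:
        raise ValueError("checksum mismatch")
    data = frame[HEADER.size:-2]
    # Read and write requests start their data with a 3-byte register address.
    has_reg = func in (0x0B, 0x0C) and length >= 3
    return {
        "dest": f"{dest:04X}", "src": f"{src:04X}",
        "func": FUNCS.get(func, f"unknown 0x{func:02X}"),
        "unknown": (unk1, unk2),
        "register": data[:3].hex(" ") if has_reg else None,
        "payload": data[3:] if has_reg else data,
    }

# Constructed sample: thermostat (2001) writes 00 01 to register 00 03 16 on the furnace (4001).
SAMPLE = build_frame(0x4001, 0x2001, 0x0C, bytes.fromhex("000316") + b"\x00\x01")
```

Rejecting frames whose length field or checksum does not match keeps line noise and partial captures from the RS485 adapter out of the decoded register log.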