Shared the following in a private conversation, but for ye' who dare venture here from the future:
The hardware is pretty straightforward. You do need to have a collective already established so that the CAN bus is active. Your goal is to spy on these messages. Note: I didn't try to inject/send any messages as that wasn't my goal but should be possible if you can reverse-engineer the protocol enough.
Three pieces:
- Any microcontroller with CAN bus and Wifi peripherals. I'm using an ESP32S2, which I have a bunch of lying around from various projects. Generally, my MCU of choice as it's pretty versatile.
- Buck power adapter to go from Hydros's 24v down to the MCU's power supply (3.3v for the ESP32S2).
Example
- CAN bus transceiver. Convert the differential CAN bus signals to appropriate MCU voltage levels.
Example
Hydros isn't doing anything special with the CAN bus - it's sending messages at 250kbps. There's a whole bunch of dispirate Message IDs for various IO on each device. Unfortunately, you have to basically guess and figure out what the messages mean through trial/error/observation. I was able to do that by setting pump states and observing what changed but it does take some effort. If you get this far, I'll share what message IDs I found correspond to what message structures. For the most part, fields are sent as either 'int16_t' or 'floats' with various scale factors (e.g. voltage values represented in hundredths of volts).
Also, note: if you change your collective, I'm guessing the message IDs may also switch around on you. The protocol/message structs should be the same, but you may need to remap message IDs to specific IO.
I'll also mention there are some USB CAN bus adapters that'll let you do your reverse engineering on a PC, though unfortunately, many of them are quite expensive (PCAN-USB for example). There may be cheap ones out there, but I didn't bother going that route.
