Open source CCS using AR7420

Development and discussion of fast charging systems eg Chademo , CCS etc
Post Reply
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Open source CCS using AR7420

Post by catphish »

I've been interested in the idea of an open source implementation of V2G, and ultimately CCS charging.

My initial investigation suggests that it should be possible to implement the Homeplug Green PHY protocol using an AR7420, and upper layers using a linux SoC such as a rPi or Allwinner H3.

My plan is as follows:
1) Purchase an AR7420 powerline adapter. These are about £10 on ebay :)
2) Utilize open-plc-utils https://github.com/qca/open-plc-utils to implement the SLAC protocol
3) Try to successfully join a V2G PLC network
4) ... upper layers can come later

The main challenge for me will be access to a V2G EVSE. There is a CCS charger about a mile from me, so maybe I can head down and play with it once I have something to test.
mikeselectricstuff
Posts: 105
Joined: Sun Nov 08, 2020 11:33 am

Re: Open source V2G using AR7420

Post by mikeselectricstuff »

I think you may be better off looking at the QCA7005 modules.
AFAICS the AR7420 is Homeplug, not Hompleplug Greenphy - I don't know what the difference is.
The QCA7005 has different firmware versions for EVSE and car side, and likely also different from powerline modem versions
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

mikeselectricstuff wrote: Wed Feb 16, 2022 8:35 pm I think you may be better off looking at the QCA7005 modules.
AFAICS the AR7420 is Homeplug, not Hompleplug Greenphy - I don't know what the difference is.
The QCA7005 has different firmware versions for EVSE and car side, and likely also different from powerline modem versions
I looked into this, and I can't find any evidence that there's any benefit to using the QCA7000 (green phy specific) chips, at least on the vehicle side, so I'm going to try the readily available AR7420 first, and see if it works. If the SLAC protocol doesn't work on the AR7420, I'll have to rethink, but other sources suggest that this chip can communicate with Homeplug GP, which after all just a subset of Homeplug AV. I'll update this thread with results :)
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

Here are my initial observations:
1) The AR7420 can be configured to enable SLAC and can successfully send and receive Homeplug GP management frames.
2) The AR7420 does not appear to support the EVSE side process of measuring signal strength.

Based on this, I suspect it will be possible to build the EV side using this chip, but perhaps not build an EVSE. I'm a little confused right now why the AR7420 would have this seemingly incomplete implementation, so I'm going to keep digging to see if I've missed anything. In the meantime, I think I can continue with building the EV side :)

The next big question will be whether it can actually communicate with a Homeplug GP network in a real CCS EVSE.

I've ordered a QCA7500 to compare functionality, and see if I can use it to simulate the EVSE.
User avatar
johu
Site Admin
Posts: 3560
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Contact:

Re: Open source PLC V2G (CCS) using AR7420

Post by johu »

Following with great interest :)
Support R/D and forum on Patreon: https://patreon.com/openinverter - Subscribe on odysee: https://odysee.com/@openinverter:9
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

I found this article, which shows how to easily modify a TL-PA4010 to remove its AC power supply, power it from 12v, and wire its data lines to DC: http://www.helicopting.de/

I've ordered a couple of these, which I will modify accordingly. This will allow me to verify communication with a CCS charger. I have also ordered a powerline adapter with a QCA7500, to see if this chip supports the EVSE side.

In the meantime, I'll start reading up on the higher level protocols, but step one will just be to see if I can connect to, and ping, an EVSE. I don't know if it's worth trying to buy these chips, but I'll be happy putting a modded TL-PA4010 in a box with a rPi.
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

I've just started reading the specification for the upper layer communication. The document is insanely complicated! I think it'll take a while to get my head around it. I'll be focusing on the layer1+layer2 comms for now though.
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

I've now modified a TP-Link TL-PA4010. The device now runs on DC, and the data lines are exposed directly. This modification appears to work, and should now be ready to hook up the the CP and PE lines of a charger.
PXL_20220221_142751190.jpg
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

I've tested using two of these boards - one simulating the EVSE and one simulating the EV. The AR7420 does not appear to be capable of signal attenuation measurement, so I've had to fake the signal levels on the EVSE side, but this isn't a problem for this project. SLAC negotiation completes successfully and a network is formed. Definitely need to try this against a real EVSE before diving into the higher layer protocols.
PXL_20220221_143416054.jpg
Attachments
Screenshot at 2022-02-21 19-39-36.png
uhi22
Posts: 1
Joined: Mon Mar 14, 2022 3:20 pm
Location: Ingolstadt/Germany

Re: Open source PLC V2G (CCS) using AR7420

Post by uhi22 »

That's a highly interesting project. I used a similar setup for sniffing a "real" CCS communication between the car and alpitronics charger. I experienced, that there seem to be slightly different results depending on the detailed type of adaptor. I now ordered now a pair of TP-Link TL-PA4010 to check also them. With a devolo dLAN 1200+ I could not send nor receive the SLAC frames at all. With devolo dLan 200 AVplus I see the SLAC, but I was not able to set the NMK using the CM_SET_KEY. I'll further investigate.
I collect the current state in https://www.goingelectric.de/wiki/CCS-T ... e-Details/ (in German, unfortunately).
Did you find a data sheet for the AR7420, where the detailed conditions for acceptance/rejection of CM_SET_KEY is specified?
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

uhi22 wrote: Mon Mar 14, 2022 3:32 pm That's a highly interesting project. I used a similar setup for sniffing a "real" CCS communication between the car and alpitronics charger. I experienced, that there seem to be slightly different results depending on the detailed type of adaptor. I now ordered now a pair of TP-Link TL-PA4010 to check also them. With a devolo dLAN 1200+ I could not send nor receive the SLAC frames at all. With devolo dLan 200 AVplus I see the SLAC, but I was not able to set the NMK using the CM_SET_KEY. I'll further investigate.
I collect the current state in https://www.goingelectric.de/wiki/CCS-T ... e-Details/ (in German, unfortunately).
Did you find a data sheet for the AR7420, where the detailed conditions for acceptance/rejection of CM_SET_KEY is specified?
I only just saw your message, sorry! I got myself very worried and spend 4 hours debugging what might not actually be an issue at all!

When sending CM_SET_KEY to my plug, it returns a failure code. But... it seems to set the key anyway! Interestingly, the Qualcomm SDK treats the failure code as a success...

I'm starting to think there's a typo in the specification. Not sure if I'm going crazy? https://github.com/qca/open-plc-utils/issues/161
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

Here's a verbose example of my successful run, including the firmware version I'm using:

Code: Select all

charlie@charlie-ThinkPad-T14:~/open-plc-utils/slac$ pev -i enp0s31f6 -d
pev: slac_session: session.RunID 54:05:DB:40:48:C6:00:00
pev: slac_session: session.APPLICATION_TYPE 0
pev: slac_session: session.SECURITY_TYPE 0
pev: slac_session: session.RESP_TYPE 0
pev: slac_session: session.NUM_SOUNDS 0
pev: slac_session: session.TIME_OUT 0
pev: slac_session: session.NumGroups 0
pev: slac_session: session.AAG 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
pev: slac_session: session.MSOUND_TARGET 00:00:00:00:00:00
pev: slac_session: session.FORWARDING_STA 00:00:00:00:00:00
pev: slac_session: session.PEV_ID AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
pev: slac_session: session.PEV_MAC 54:05:DB:40:48:C6
pev: slac_session: session.EVSE_ID 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
pev: slac_session: session.EVSE_MAC 00:00:00:00:00:00
pev: slac_session: session.RND 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
pev: slac_session: session.NMK 3F:94:65:6F:A8:20:42:42:A0:90:26:C7:93:9F:1F:C5
pev: slac_session: session.NID 44:EB:DC:73:F9:76:0B
pev: slac_session: session.original_nmk 3F:94:65:6F:A8:20:42:42:A0:90:26:C7:93:9F:1F:C5
pev: slac_session: session.original_nid 44:EB:DC:73:F9:76:0B
pev: slac_session: session.state 1
pev: slac_session: session.sounds 0
pev: slac_session: session.limit 40
pev: slac_session: session.pause 20
pev: slac_session: session.chargetime 3600
pev: slac_session: session.settletime 10
pev: slac_session: session.counter 0
pev: slac_session: session.flags 0x0006
pev: pev_cm_set_key: --> CM_SET_KEY.REQ
pev: pev_cm_set_key: CM_SET_KEY.KEYTYPE 1
pev: pev_cm_set_key: CM_SET_KEY.MYNOUNCE AA:AA:AA:AA
pev: pev_cm_set_key: CM_SET_KEY.YOURNOUNCE 00:00:00:00
pev: pev_cm_set_key: CM_SET_KEY.PID 4
pev: pev_cm_set_key: CM_SET_KEY.PRN 0
pev: pev_cm_set_key: CM_SET_KEY.PMN 0
pev: pev_cm_set_key: CM_SET_KEY.CCoCAP 0
pev: pev_cm_set_key: CM_SET_KEY.NID 44:EB:DC:73:F9:76:0B
pev: pev_cm_set_key: CM_SET_KEY.NEWEKS 1
pev: pev_cm_set_key: CM_SET_KEY.NEWKEY 3F:94:65:6F:A8:20:42:42:A0:90:26:C7:93:9F:1F:C5
pev: pev_cm_set_key: <-- CM_SET_KEY.CNF
pev: pev_cm_set_key: CM_SET_KEY.RESULT 1
pev: pev_cm_set_key: CM_SET_KEY.MYNOUNCE 15:ED:B4:D2
pev: pev_cm_set_key: CM_SET_KEY.YOURNOUNCE AA:AA:AA:AA
pev: pev_cm_set_key: CM_SET_KEY.PID 4
pev: pev_cm_set_key: CM_SET_KEY.PRN 0
pev: pev_cm_set_key: CM_SET_KEY.PMN 255
pev: pev_cm_set_key: CM_SET_KEY.CCoCAP 0
pev: slac_session: session.RunID 54:05:DB:40:48:C6:00:00
pev: slac_session: session.APPLICATION_TYPE 0
pev: slac_session: session.SECURITY_TYPE 0
pev: slac_session: session.RESP_TYPE 0
pev: slac_session: session.NUM_SOUNDS 0
pev: slac_session: session.TIME_OUT 0
pev: slac_session: session.NumGroups 0
pev: slac_session: session.AAG 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
pev: slac_session: session.MSOUND_TARGET 00:00:00:00:00:00
pev: slac_session: session.FORWARDING_STA 00:00:00:00:00:00
pev: slac_session: session.PEV_ID AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
pev: slac_session: session.PEV_MAC 54:05:DB:40:48:C6
pev: slac_session: session.EVSE_ID 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
pev: slac_session: session.EVSE_MAC 00:00:00:00:00:00
pev: slac_session: session.RND 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
pev: slac_session: session.NMK 3F:94:65:6F:A8:20:42:42:A0:90:26:C7:93:9F:1F:C5
pev: slac_session: session.NID 44:EB:DC:73:F9:76:0B
pev: slac_session: session.original_nmk 3F:94:65:6F:A8:20:42:42:A0:90:26:C7:93:9F:1F:C5
pev: slac_session: session.original_nid 44:EB:DC:73:F9:76:0B
pev: slac_session: session.state 1
pev: slac_session: session.sounds 0
pev: slac_session: session.limit 40
pev: slac_session: session.pause 20
pev: slac_session: session.chargetime 3600
pev: slac_session: session.settletime 10
pev: slac_session: session.counter 0
pev: slac_session: session.flags 0x0006
pev: DisconnectedState: Probing ...
pev: pev_cm_slac_param: --> CM_SLAC_PARAM.REQ
pev: pev_cm_slac_param: <-- CM_SLAC_PARAM.CNF ?
pev: pev_cm_slac_param: --> CM_SLAC_PARAM.REQ
pev: pev_cm_slac_param: <-- CM_SLAC_PARAM.CNF ?
pev: pev_cm_slac_param: --> CM_SLAC_PARAM.REQ
^C
charlie@charlie-ThinkPad-T14:~/open-plc-utils/slac$ plctool -aI -ienp0s31f6
enp0s31f6 00:B0:52:00:00:01 Fetch Device Attributes
enp0s31f6 14:CC:20:4D:B7:C3 QCA7420-MAC-QCA7420-1.5.0.26-02-20200114-CS (1mb)
	PIB 0-0 8836 bytes
	MAC 14:CC:20:4D:B7:C3
	DAK 91:F1:F8:7C:DD:DC:47:06:59:C1:64:BF:53:19:94:36
	NMK 3F:94:65:6F:A8:20:42:42:A0:90:26:C7:93:9F:1F:C5
	NID 44:EB:DC:73:F9:76:0B
	Security level 0
	NET Qualcomm Atheros Enabled Network
	MFG tpver_401013_171025_901
	USR PEV
	CCo Never
	MDU N/A
If you can't make this work, there's also the Qualcomm proprietary SET_KEY message which will probably work instead. You can capture it using this command.

Code: Select all

plctool -ienp0s31f6 -K50:D3:E4:93:3F:85:5B:70:40:78:4D:F8:15:AA:8D:B9 -M
I'm going to get this plugged into a real CCS charger tomorrow to see what happens. Will attempt to establish a layer2 link as above, and if successful, then send this small UDP message which should cause the charger to reply with its own address.

Code: Select all

require 'socket'
datagram = [1, 0xFE, 0x9000, 2, 0x10, 0x00].pack('ccnNcc')
socket = UDPSocket.new(Socket::AF_INET6)
socket.send(datagram, 0, 'ff02::1%enp0s31f6', 15118)
message, server = socket.recvfrom(1500)
puts message.bytes.inspect
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

So today I finally had the opportunity to connect my TL-PA4010 to a CCS charger. The short version is it works!

I was able to initiate a SLAC negotiation with the charger, fetch the network key, and apply it to my AR7420. I was then able to send a muticast UDP discovery packet to the charger and received an appropriate discovery protocol response, so the connection is definitely established.

Full PCAP of my testing session is attached!
Attachments
ccs1.pcapng.zip
(6.15 KiB) Downloaded 16 times
User avatar
johu
Site Admin
Posts: 3560
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Contact:

Re: Open source CCS using AR7420

Post by johu »

Wow, that is truly exciting! We really need a full open source implementation of CCS that lets everyone play with it until it works with all chargers. Had some bad experience with a Chinese car (video coming) that only worked on every other charger and would have loved to break out my laptop and fix it :)

What brand charger did you try?
Support R/D and forum on Patreon: https://patreon.com/openinverter - Subscribe on odysee: https://odysee.com/@openinverter:9
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source CCS using AR7420

Post by catphish »

johu wrote: Thu May 19, 2022 8:19 am What brand charger did you try?
This thing: https://www.setec-power.com/product/10k ... e-charger/
mikeselectricstuff
Posts: 105
Joined: Sun Nov 08, 2020 11:33 am

Re: Open source CCS using AR7420

Post by mikeselectricstuff »

How much of this work would be applicable for talking to a car to get it to close its CCS contactors for V2H?
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source CCS using AR7420

Post by catphish »

mikeselectricstuff wrote: Thu May 19, 2022 11:24 am How much of this work would be applicable for talking to a car to get it to close its CCS contactors for V2H?
If the car supports V2H over CCS then yes. That's not the focus of my project though, I'm interested in the vehicle side.
User avatar
CCSknowitall
Posts: 72
Joined: Fri Jun 04, 2021 1:47 pm

Re: Open source CCS using AR7420

Post by CCSknowitall »

Cool stuff!

FYI in your PCAP the CM_MNBC_SOUND.IND messages (soundings) appear to be malformed. It appears you are not sending the “random number” portion, bytes 55 - 63 are zero and bytes 64-70 are missing. The station in this case does just fine but don’t know if others will accept this.

You’re also supposed to send CM_START_ATTEN_CHAR.IND three times, you’re sending it once. I think stations are likely to be more tolerant on this.

You don’t happen to have an ABB charger locally, do you? If you can get to SDP on one of them, you should be mostly fine with everything else. You don’t even need an account as those stations will try to establish vehicle communications immediately upon plugin. You’ll need the correct resistance between CP and PE of course.
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source CCS using AR7420

Post by catphish »

CCSknowitall wrote: Sat May 21, 2022 11:58 am Cool stuff!

FYI in your PCAP the CM_MNBC_SOUND.IND messages (soundings) appear to be malformed. It appears you are not sending the “random number” portion, bytes 55 - 63 are zero and bytes 64-70 are missing. The station in this case does just fine but don’t know if others will accept this.

You’re also supposed to send CM_START_ATTEN_CHAR.IND three times, you’re sending it once. I think stations are likely to be more tolerant on this.

You don’t happen to have an ABB charger locally, do you? If you can get to SDP on one of them, you should be mostly fine with everything else. You don’t even need an account as those stations will try to establish vehicle communications immediately upon plugin. You’ll need the correct resistance between CP and PE of course.
Thank you for taking the time to go through my pcap in such detail! The current implementation is Qualcomm's open source example, so I will go through the points you raised, compare with the CCS spec and ensure I do it correctly.

At the moment, I'm not nearly far enough along to think about testing with public chargers, but I will have a look and see what brands of charger available locally.

Clearly you know a lot about this. Frankly I'd like you ask you about a thousand questions, but I'll try to restrain myself and read the documentation on my own first!
mikeselectricstuff
Posts: 105
Joined: Sun Nov 08, 2020 11:33 am

Re: Open source CCS using AR7420

Post by mikeselectricstuff »

catphish wrote: Fri May 20, 2022 8:22 pm
mikeselectricstuff wrote: Thu May 19, 2022 11:24 am How much of this work would be applicable for talking to a car to get it to close its CCS contactors for V2H?
If the car supports V2H over CCS then yes. That's not the focus of my project though, I'm interested in the vehicle side.
I'm told that at least one car (ID4) can be convinced to close its contactors by initiating a dummy charge session. I imagine that in principle this could work with any CCS car, but some might time out or produce some other error, e.g. when it sees power flowing out and not in.
stracky
Posts: 1
Joined: Tue Nov 02, 2021 9:16 pm

Re: Open source CCS using AR7420

Post by stracky »

This project looks promising. I've ordered my own set of TL-PA4010's, see if I can replicate your progress.
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source CCS using AR7420

Post by catphish »

stracky wrote: Tue May 24, 2022 7:34 pm This project looks promising. I've ordered my own set of TL-PA4010's, see if I can replicate your progress.
Fantastic. There's a guide here to modifying them which shows a version slightly different to mine. http://www.helicopting.de/

My progress is pretty minimal so far. The next step is to learn EXI, which is required to encode requests.
User avatar
CCSknowitall
Posts: 72
Joined: Fri Jun 04, 2021 1:47 pm

Re: Open source CCS using AR7420

Post by CCSknowitall »

Might want to check this out: https://github.com/SwitchEV/josev
User avatar
catphish
Posts: 307
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK

Re: Open source PLC V2G (CCS) using AR7420

Post by catphish »

uhi22 wrote: Mon Mar 14, 2022 3:32 pm That's a highly interesting project. I used a similar setup for sniffing a "real" CCS communication between the car and alpitronics charger. I experienced, that there seem to be slightly different results depending on the detailed type of adaptor. I now ordered now a pair of TP-Link TL-PA4010 to check also them. With a devolo dLAN 1200+ I could not send nor receive the SLAC frames at all. With devolo dLan 200 AVplus I see the SLAC, but I was not able to set the NMK using the CM_SET_KEY. I'll further investigate.
I collect the current state in https://www.goingelectric.de/wiki/CCS-T ... e-Details/ (in German, unfortunately).
Did you find a data sheet for the AR7420, where the detailed conditions for acceptance/rejection of CM_SET_KEY is specified?
I have a couple of questions about sniffing if you're able to help. When you sniffed traffic, did you sniff it encrypted, then decrypt later. or did you sniff the network key, and quickly install it into the chip in order to sniff the rest of the communication? In either case, do you have any information about *how* you did so?
User avatar
CCSknowitall
Posts: 72
Joined: Fri Jun 04, 2021 1:47 pm

Re: Open source CCS using AR7420

Post by CCSknowitall »

All of the commercial sniffers I know capture and load the key, then decode in real time. If you miss the key, nothing is decoded.

This PDF may also help, if you haven’t seen it already (think I linked it in the i3 thread) https://www.sstic.org/media/SSTIC2019/S ... -dudek.pdf
Post Reply