Friday, November 22, 2019

Attempting to reverse engineer a home automation oriented smart-meter - Part 1

In my quest to make my house smarter, but still looking forward to keep having control over it, I have been doing some additions which I plan to further document here, in the short term.

In the meantime I thought it would be more relevant to share my findings in regard to a device a bit more "exhotic" than the Sonoff boxes we are all used to. This device is a sort of a miniature smartmeter that fits in a DIN rail next to the circuit breakers.

Just like the Sonoff modules, it also pairs with your WLAN, and connects to a cloud service. Instead of the eWeLink cloud to which Sonoff devices connect to, in this case it connects to another relatively popular cloud service called Tuya.

The device is quite straightforward to setup: one installs the Tuya Smart Life app into the smartphone (it exists for both Android and iOS), creates an account, and after having the meter connected to the grid and running, waits for the app to detect it. The main screen is a gigantic power button, which in case you press it by mistake and have the device installed before all of the circuit breakers in your house, you will cut the power to your entire house:

Bringing it back up is not an easy feat, since the physical button in the device does not control the switch.

As the relay inside it is of the bistable type, it will stay in the same state as it was left. This is good and bad, because if it was left off, the only way to bring the power in the house back on (in case you don't have an UPS behind your wifi router/modem) is to reset the WiFi or pair with a smartphone running a portable hotspot with the same SSID and password.

Documentation is weak and poorly translated. The setup was easy however. The Tuya app seems better put together than the Sonoff one.

Apart from that, the device seems to work as expected. The metering component appears to be quite accurate, at least compared to the measurements I have taken with my UNI-T 22000 counts digital multimeter.

The device LCD continuously alternates between showing the grid voltage in Volts, the current in Amps, the power in Watts, and the consumption in kWh:

The app shows the same information and retains historical records of this data. And this is all there is to it.

As with the Sonoff devices, my ultimate ambition is to integrate this device into as well and deal with the switch and metering feature in a similar way as to other switches and sensors in this platform.

I have initially attempted an integration with based on the cloud API behind the Tuya app, but the efforts were not successful.

Started with a project called "localtuya", which can be found here:

But after some effort setting it up due to the difficulty in obtaining the localKey (a kind of a token used by the app to authenticate with the backend), and the python scripts of this project were not able to connect to the device, in spite of the repeated attempts and of being sure there is connectivity between the docker containers and host (a Raspberry Pi), and the meter.

From a post in the Home Assistant community, someone apparently managed to convert the device to Tasmota, but it appears that only the switch function is covered:

This motivated me to try to understand a bit better the hardware, and what possibilities could exist beyond the original firmware, the cloud and the app with its hazardous UX.

By opening it, I could find a a stack of two PCB's. In the topmost one lived the LCD display and what appeared to be a WiFi device:

In the back, a Vangotech V9821 chip could be found, which after some reading I learned as being a microcontroller/SoC with built-in power line metering features:

Its datasheet can be found here:

The WiFi device, a module labeled TYWE3S is common in Sonoff-like switches and dimmers, and is also a common target for Tasmota:

Unsurprisingly it is also based on the popular ESP8266 SoC.

The bottom PCB contains the relay, apparently built for this specific type of application, given the fact that the current shunt (for measuring the AC current) is part of one of its legs:

It also contains a simple switching power supply (obviously for powering the electronics and the relay), a few filter caps, and what appeared to be a FET transistor for driving the relay (couldn't lookup its reference anywhere on the web - it has the markings ZM888N 1A / 80A 250 VAC / Coil: 9 VDC):

Given the robustness of the relay (and switching sound) it probably requires a substantial amount of current during the switching (the 1 A mentioned in the relay eventually..).

Given that apparently Tasmota could be flashed into the ESP8266 without major issues, I considered more relevant to understand the communication between the later, and the V9821 SoC, as this would be the gateway to understanding about the metering and how an alternative firmware would have to talk to this MCU in order to obtain the measurements.

I soon learned that the way the ESP would likely communicate with the V9821 was via its UART (the ESP exposes one, the V9821 has multiple).

So I needed to tap into the serial communication between the two micro-controllers in order to try to understand what was going on.

Given that simply hooking up the RX pin of another parallel port would likely mess up the signal levels due to the dramatic drop in the impedance, I had to find a way to avoid this. Simply putting a 4.7K Ohm resistor between the RX pin of the serial interface used to eavesdrop on the communication, and the ESP8266 UART pins,  appeared to do the job.

In can tell that reverse engineering this communication is providing promising results, but that topic deserves a post on its own.

Catch you next time!


j.coudrais said...

Hello, good job with that reverse...
Do you think we can, more simple, configure Tasmota to get energy meter in MQTT ?

Creation Factory said...

Hi @j.coudrais,

Thanks! Actually, today the energy measurements are sent via MQTT, as I have explained in this post:

The values are however not parsed within Tasmota itself (would require coding driver logic to do that, which currently doesn't exist). That is the reason why we are parsing in Home Assistant, from the raw hex string that is sent via MQTT. I have provided complete examples for Home Assistant, and a description of the format in case you need to build a parser in a different platform.

There is currently no plan for a parser, but there were some talks in a recent past within the Tasmota community about whether or not this could be unified with the Tuya driver that already exists.

Thank you.


Manos said...

Great Job man

Creation Factory said...

Thanks a lot @Manos.

If you are interested, take a look at the evolution of this topic in the other related posts:


The blogger said...

Hi..thank u a lot for your sharing..but trying to flash ZMAI-90 (wifi smart meter)..I encountered some obstacles and unfortunately I didn't achieve and fulfill the flash..I will really appreciate your help.. my personal mail (