Sending JK BMS PB-x firmware update command via BLE

[tarek-zy]

Hi, thank you for your great project and support!
I'm a Software Engineer, and I have a JK BMS (PB-2A16S15P - HW: 15.XA, SW: 15.10) with a faulty RS485-1 (right besides CAN port), which makes me unable to update my BMS firmware or even connect it to my inverter, as there is no communication possible via that port at all, so I had to do a lot of tests and sniffed all communication possible.
When I try to update the firmware via RS485-2 ports that are designated for parallel connection with other JK BMS units, the BMS shuts down / crashes immediately. We are a growing number of owners having this fatal bug and despite several attempts to contact JK support and other popular YouTube influencers, we are out of luck so far.
Since you have full knowledge of the communication protocols of JK BMS (PB series), is it possible to edit the command to make it possible to be executed via RS485-2 or BLE?

RS485-1 Firmware update command (HEX):
01 10 16 26 00 01 02 00 00 D6 97

[jblance]

Did this command work?
What process did you follow (be good to add it to mppsolar if possible)

[tarek-zy]

The command I provided here works on RS485 only, and I didn't get any help from anyone yet to convert it to a BLE command. So, no updates on this issue whatsoever, I'm still stuck with the same fatal bug with no help.

[jblance]

Oh I see - I dont see how the command can update the firmware tho - surely you'd need to send the new firmware as well

[tarek-zy]

I totally understand what you're saying.
Actually, as I sniffed all RS485 communication right when the official JK BMS Windows app tries to do a normal or force update for the BMS. In both methods, it starts the update process by sending the aforementioned command then it starts sending the new firmware file in packets until it finishes uploading it.
This fatal bug relies in that the BMS never responds to the command over RS485, so that's why I'm trying to send it via BLE. For the update process to be successful, the BMS should reply with HEX (15) after receiving the update command, then after each firmware file data packet it should reply with HEX (06) until the last data packet where the BMS stops the firmware file upload process and restarts with the newly uploaded version.

So, the whole idea is to do the firmware update process over BLE instead of RS485, as it's not working at all in a faulty BMS.
I, with other professionals, have had a lot of extensive discussions and analysis in a German forum (akkudoktor.com) about this fatal bug. We figured out all these information and put all the pieces together, but have got no help at all in doing the update process successfully on our faulty BMSes over BLE, as it's still impossible for us to get it done over RS485.
And as I mentioned earlier, JK never replied to us to assist with their products, and I tried a few times to contact Andy from Off-Grid Garage Australia on YouTube regarding the bug itself, but never got a reply from him.

[jblance]

The BLE commands look like [20 bytes long) (where the 0x97 is the command designator)
b'\xaa\x55\x90\xeb\x97\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11'
compared to: 01 10 16 26 00 01 02 00 00 D6 97 I'm not sure how to translate
There seem to be many protocols for JK BMSs
jkserial has a 21 byte command (that looks closer)
b'NW\x00\x13\x00\x00\x00\x00\x06\x03\x00\x00\x00\x00\x00\x00h\x00\x00\x01)'
With these bytes looking important:

# command byte: 0x01 (activation), 0x02 (write), 0x03 (read), 0x05 (password), 0x06 (read all)
byte[8] = command_byte
byte[9] = 0x03                         # frame source: 0x00 (bms), 0x01 (bluetooth), 0x02 (gps), 0x03 (computer)
byte[10] = 0x00                        # frame type: 0x00 (read data), 0x01 (reply frame), 0x02 (BMS active upload)
byte[11] = command_code                # register: 0x00 (read all registers), 0x8E...0xBF (holding registers)

So not really sure how to map the command you supplied can map - do you have any other commands that could be used as comparsions

[tarek-zy]

Yeah, sure!
I've put together a fine extract of all commands and responses that goes through the JK BMS Windows app.
Please check out the following for other commands that you can recognize for sure, as they should match what you already have in your library.

All Commands begin
01 10 16

All Responses begin
55 AA EB 90


Firmware Update
01 10 16 26 00 01 02 00 00 D6 97
---------------------------------------------
BMS Info
01 10 16 1C 00 01 02 00 00 D3 CD
Response
55 AA EB 90 03
---------------------------------------------
Additional Info
01 10 16 1E 00 01 02 00 00 D2 2F
Response
55 AA EB 90 01
---------------------------------------------
Cell Readings
01 10 16 20 00 01 02 00 00 D6 F1
Response
55 AA EB 90 02

[jblance]

Wow - thats kinda weird

the response looks like the jk02 / jk04 protocol, but the commands are completely new (and I assume that the posted response is just the start of the data?)

this is via the RS485 port?

[tarek-zy]

I'm so sorry for my late response.
Yes, my previously posted responses are only the start of the data, and yes, this is R485 on the new PB series. I just sniffed some fresh data for you for every command I provided:

COMMAND:
01 10 16 1C 00 01 02 00 00 D3 CD

RESPONSE:
55 AA EB 90 03 05 4A 4B 5F 50 42 32 41 31 36 53 31 35 50 00 00 00 31 35 2E 58 41 00 00 00 31 35 2E 31 30 00 00 00 C8 0E CE 00 C5 01 00 00 41 54 52 20 42 4D 53 00 00 00 00 00 00 00 00 00 31 32 33 34 00 00 00 00 00 00 00 00 00 00 00 00 32 34 30 35 31 30 00 00 33 31 32 31 33 34 38 30 30 38 35 00 30 30 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 30 39 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FE FF FF FF 2F E9 01 02 00 00 00 00 90 1F 00 00 00 00 C0 D8 E7 FE 1F 00 00 01 00 00 00 00 00 00 00 00 01 00 CF 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DF 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 CF 03 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 07 00 00 32 32 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FE 9F E9 FF 07 00 00 00 00 00 00 00 E6 01 10 16 1C 00 01 C4 47

COMMAND:
01 10 16 1E 00 01 02 00 00 D2 2F

RESPONSE:
55 AA EB 90 01 05 E4 0C 00 00 5A 0A 00 00 96 0A 00 00 42 0E 00 00 AA 0D 00 00 05 00 00 00 AB 0D 00 00 8C 0A 00 00 AC 0D 00 00 48 0D 00 00 C4 09 00 00 F0 49 02 00 1E 00 00 00 3C 00 00 00 F0 49 02 00 1E 00 00 00 3C 00 00 00 05 00 00 00 D0 07 00 00 58 02 00 00 26 02 00 00 58 02 00 00 26 02 00 00 9C FF FF FF CE FF FF FF E8 03 00 00 20 03 00 00 08 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 60 5B 03 00 DC 05 00 00 16 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 60 E3 16 00 50 03 3C 32 18 FE FF FF FF 3F E9 01 02 00 00 00 00 50 01 10 16 1E 00 01 65 87

COMMAND:
01 10 16 20 00 01 02 00 00 D6 F1

RESPONSE:
55 AA EB 90 02 05 2B 0D 2B 0D 2B 0D 2B 0D 2C 0D 2B 0D 2C 0D 2C 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF 00 00 00 2B 0D 01 00 00 01 42 00 42 00 4E 00 52 00 57 00 58 00 64 00 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 01 00 00 00 00 58 69 00 00 16 07 0C 00 2D 72 00 00 29 01 27 01 00 00 00 00 00 00 00 5C 7B 14 03 00 60 5B 03 00 65 00 00 00 E0 13 56 01 64 00 00 00 6E 10 CE 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF 00 01 00 00 00 E8 03 4D 00 00 00 66 F4 3F 40 00 00 00 00 88 0A 00 00 00 01 01 01 00 06 00 00 61 30 00 00 00 00 00 00 32 01 1F 01 1F 01 B5 03 E4 1E ED 08 B0 1C 00 00 80 51 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FE FF 7F DD 0F 01 00 B0 07 00 00 00 53 01 10 16 20 00 01 04 4B

[tarek-zy]

Please also note that project "esphome-jk-bms" started supporting series PB of the JK BMS a while ago, if you would like to take a look at the differences in the data structure than previous series of their products

[jblance]

I couldnt find anything in the esphome-jk-bms code that matches your commands (not that I really understand the esphome stuff) Ive added a jkpb protocol to the github source tree - be interested to see what results it gives

…

On Sun, 29 Sept 2024 at 18:27, Tarek Yag ***@***.***> wrote: Please also note that project "esphome-jk-bms" started supporting series PB of the JK BMS a while ago, if you would like to take a look at the differences in the data structure than previous series of their products — Reply to this email directly, view it on GitHub <#510 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJVKNT4QIOV4U4WDVWAMBDZY6FVDAVCNFSM6AAAAABNDWBWLGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOBRGEYTIMBRGA> . You are receiving this because you commented.Message ID: ***@***.***>

[tarek-zy]

Sorry for being late!
I referred you to the esphome-jk-bms repo since they already implemented a variant for the newest model series (JK-PB) for ESP8266 in the following file:
https://github.com/syssi/esphome-jk-bms/blob/main/esp8266-jk-pb-modbus-example.yaml

Please also note that I don't own an ESP microcontroller yet, so I can't help with any testing right now. I thought that it would be easy to convert commands between protocols. I tried to contact @syssi a while ago, but I never got help on this matter.