HEYO BMS Notes
The HEYO BMS appears to be a DALY clone. My 8S 60A model has a selection of ports - on the top:
- NTC (3 pin)
- UART (6 pin)
- Unnamed 5 pin)
On the bottom:
- Unnamed (4 pin)
- Monitor (3 pin)
- Unnamed (2 pin)
It’s likely the 2 pin unnamed port is the wake up switch, and the unnamed 5 pin is a RS 485 connection.
UART
The Bluetooth module connects to the 6 pin UART connector with a 6 pin to USB mini B cable. Despite the connector, the signaling is 3.3 V UART at 9600 N81.
The pins use a confusing colour set. They are:
- GND (black)
- +3.3V (green)
- N/C
- N/C
- TXD (white)
- RXD (red)
The Bluetooth adapter uses BLE with a custom write service and a read service Example frames seen over the Bluetooth UART are:
To BMS:
d2 03 00 00 00 3e d7 b9 ?????>??
d2 03 00 a9 00 20 87 91 ????? ??
d2 03 00 00 00 3e d7 b9
d2 03 00 a9 00 20 87 91 ?????>??????? ??
From BMS:
d2 03 40 34 30 31 30 31 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 4d 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 65 13 ??@401012??????????????????????????BMS?????????????????????????????e?
d2 03 7c 0d 6e 0d 69 0d 59 0d d7 0d 0b 0d 0b 0d 0c 0d 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 00 28 00 28 00 00 00 00 00 00 00 00 00 00 01 0f 75 30 03 e8 0d d7 0d 0b 00 3d 00 3d 00 00 00 fa 00 08 00 01 00 00 00 00 00 01 00 01 0d 46 00 cc 00 00 00 00 00 00 00 00 00 00 0e e1 ??|?n?i?Y???????????????????????????????????????????????????????????=?(?(????????????u0???????=?=?????????????????F??????????????
Surprisingly this is not the same as the common SMART BMS protocol. The overall framing looks straight forward:
- uint8 SOF: D2
- uint8 ???: 03
- uint8 Payload length: (40, 7C)
- Payload
- uint16 Checksum
The 0d 6e and similar are likely big endian uint16 battery voltages in mV.
Next up I’ll dig up a Windows machine and capture the serial data between the PC app and the BMS to see if it’s the same.
CRC
CRC RevEng shows that the checksum is CRC-16/MODBUS:
./reveng -w 16 -l -s d203063132333435364c69 d2035200fa0e10000100080000000000010000000000ff012c012c0ea60ea60b54012c012c00e800e8731d731d784d784d0069006900000000006e006e000000000000000000ff00ff0c8000320000000000aa00285737
./reveng: warning: you have only given 2 samples
./reveng: warning: to reduce false positives, give 4 or more samples
width=16 poly=0x8005 init=0xffff refin=true refout=true xorout=0x0000 check=0x4b37 residue=0x0000 name="CRC-16/MODBUS"
Windows app
Using Wireshark with USBpcap gives the serial stream from the Windows App to the BMS. A sample:
1612695069.430 OUT A5 40 90 08 00 00 00 00 00 00 00 00 7D
1612695069.647 IN A5 01 90 08 01 06 01 06 75 3A 00 5A 55
1612695069.906 OUT A5 40 91 08 00 00 00 00 00 00 00 00 7E
1612695070.143 IN A5 01 91 08 0C F9 02 0C AD 07 00 00 06
1612695070.191 OUT A5 40 92 08 00 00 00 00 00 00 00 00 7F
1612695070.447 IN A5 01 92 08 3D 01 3D 01 00 00 00 00 BC
1612695070.520 OUT A5 40 93 08 00 00 00 00 00 00 00 00 80
1612695070.655 IN A5 01 93 08 01 01 01 7E 00 00 09 4E 19
1612695070.739 OUT A5 40 94 08 00 00 00 00 00 00 00 00 81
1612695070.943 IN A5 01 94 08 08 01 01 00 00 00 00 00 4C
1612695071.066 OUT A5 40 95 08 00 00 00 00 00 00 00 00 82
1612695071.151 IN A5 01 95 08 01 0C F7 0C FA 0C F7 00 50 A5 01 95 08 02 0C F8 0C AF 0C AF 00 BF A5 01 95 08 03 0C AD 0C AD 0C AF 00 73
This is different again:
- uint8 SOF 0xA5
- uint8 node ID? 0x40 out, 0x01 from BMS
- uint8 register?
- uint8 length 0x08
- uint8[] body
- uint8 checksum
The checksum seems to be the sum of the payload.
Requests come from node 0x40 and always have an empty 8 byte payload.
Some requests like register 0x95 give multiple responses. 0x95 looks like the cell voltages: 0x01 then 3x 16 bit voltage in mV repeated 3 times.
