logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Interior and reverse engineering of the Ariston Velis 80 Wi-Fi electric water heater on ESP32 (part1

p.kaczmarek2 3135 46
ADVERTISEMENT
Treść została przetłumaczona polish » english Zobacz oryginalną wersję tematu
Report a violation of the law
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
  • #31 21721072
    krzbor
    Level 28  
    By the way, I wonder what it is:
    PCB section with coils, LED display, and solder pads highlighted in red box .
    Looks like the leads under the connector.
  • ADVERTISEMENT
  • #32 21721082
    Przemcio
    VIP Meritorious for electroda.pl
    Not far away is the CN5 - under probably an FFC connector for a fussy display
    future-proof. If there is Wi-Fi you will be able to YT yourself on the heater ;) .
  • ADVERTISEMENT
  • #33 21721427
    DeDaMrAz
    Level 21  
    There are 2 sensors connected to the MCU board, one is on the cold intake tank and the other is in the warm or outlet tank, probably something to do with shower count feature (maybe)

    Close-up of electronics workbench with PCB board, wires, and testing probes

    Also there appears to be some some sort of a clock transmitted between MCU and WiFi module as there an RTC crystal and backup battery (super cap) on board, so that will probably make our life easier in decoding the signal structure.

    Main thing for me is to decode the intermediate frames as I can then focus on the actual commands as the buss is supper chatty and I have to filter that communication out first.
  • #34 21721746
    sq3evp
    Level 38  
    bumble wrote:
    .
    And why. You hang such a thing on the wall and use it, when the heater dies you replace the heater or the whole thing. An electrode is probably once every 15 years. I've never heard of such devices being serviced. Unless you boil water in it, that's different.
    .
    I have seen a video where the electrode was replaced and cleaned - I think you are right, because the author tweirred that the boiler had not been moved for 15 years and was still working, only the electrode was almost gone, the heaters were not that dirty. Maybe the manual only says what to do to make it work long and painlessly?
    Nothing, I'll probably have a look, the water is quite soft, so maybe it won't scale up so quickly? I've had the gas flow unit for over 10 years and it hasn't been cleaned - the flow was good, only the gas ignition electrode needed cleaning every 9-10 months or so.
  • ADVERTISEMENT
  • #35 21722352
    Nargo
    Level 23  
    Wiring diagram of Velis EVO WiFi heater with relays and temperature sensors .
    >>21721427 The diagram shows two sensors per tank and interchangeable heater switching. That is, it probably heats the output tank first and then the input tank. Dale is probably already choosing which heater to heat depending on the temperature drop in the individual tanks.
    I assume that, depending on the ΔTemperature, the controller is able to calculate the water flow through the tank and determine the appropriate operating algorithm in order to maintain a constant temperature at the outlet, which is effectively helped by two tanks and two heaters of 1.5kW each (switched interchangeably).
  • #36 21723602
    DeDaMrAz
    Level 21  
    Some progress on the decoding front... one reporting packet isolated with some values decoded.

    Capture of communication data in hexadecimal and decoded text format

    Managed to figure out inlet and outlet temperature readings and set temperature from the traffic... more to come as soon as some time is available.
  • #37 21724871
    DeDaMrAz
    Level 21  
    There is something else on the board that I somehow missed because I focused on the WiFi part of the board. There is a NFC tag on the board, not yet sure what it does but this is what can be read from it:

    Green PCB with coil springs and electronic components

    Code: text Expand Select all Copy to clipboard
    {
  "VER": "01",
  "R1": "0054",
  "R2": "00B4",
  "R3": "00C4",
  "R4": "0264",
  "R5": "0274",
  "R6": "0304",
  "ED": "03F4",
  "HFG": "000342422102",
  "HHW": "460130051002_93D2500900",
  "HHW_raw": "460130051002_93D2500900",
  "HSW": "660060273204_25.04.00",
  "HSN": "SERIAL_OMITTED",
  "TST": "PNNPNNN",
  "ECN": "93D2303400",
  "VER2": "01",
  "LD1": "NO",
  "LD2": "NO",
  "LD3": "00",
  "MKT": "EU",
  "TP1": "000",
  "TP2": "000",
  "TP3": "000",
  "WIF": "1",
  "INI": "0",
  "TMN": 40,
  "TMX": 80,
  "TSP": "01",
  "TDF": 70,
  "THY": 5,
  "ABT": 60,
  "ABD": 60,
  "ABF": 30,
  "ABS": 1,
  "ALT": 60,
  "ALS": 0,
  "AFT": 16,
  "AFH": 11,
  "ECT": 40,
  "ECS": 1,
  "QIK": 0,
  "AIO": "00",
  "AIS": "00",
  "AOO": "00",
  "AOS": "00",
  "SRT": 40,
  "SRS": 1,
  "HEF": 2,
  "LT1": 40,
  "LT2": 50,
  "LT3": 60,
  "LT4": 70,
  "LT5": 80,
  "LO1": 30,
  "LO2": 38,
  "LO3": 48,
  "LO4": 60,
  "LO5": 70,
  "DLY": 540,
  "BUZ": 1,
  "POS": "M",
  "CAI": 32,
  "CAO": 32,
  "DIA": 220,
  "PI1": 1500,
  "PI2": 0,
  "PO1": 1500,
  "PO2": 0,
  "CK3": "555A",
  "TFG": "XXXXXXXXXXXX",
  "NIN": "XXXXXXXXXXXX",
  "NOU": "XXXXXXXXXXXX",
  "BFG": "3100946",
  "PLT": 5,
  "YDY": 25169,
  "BSN": 4430416,
  "NFC": "X",
  "SAT": "XXXXXXXXXXXX",
  "R1C": "000008",
  "R2C": "000038",
  "R3C": "000000",
  "H1H": "000000",
  "H2H": "000002",
  "H3H": "000000",
  "PSO": "000007",
  "PSK": "000001",
  "POH": "000024",
  "ER1": "XXX",
  "ER2": "XXX",
  "ER3": "XXX",
  "ER4": "XXX",
  "ER5": "XXX",
  "LMD": "MAN",
  "LTS": 70,
  "LAB": 1,
  "MAC": "MAC_OMITTED",
  "WSN": "SERIAL_OMITTED"
}


    It's obvious from the capture that some of these values can be seen in the captured traffic but I am yet to corelate them and understand their meaning.
  • #38 21797570
    p.kaczmarek2
    Moderator Smart Home
    Raspberry Pi Zero W in the role of remote UART analyzer connected via ADUM1200 :


    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #39 21800216
    clanfavorite
    Level 2  
    >>21797570 I've started experimenting with my boiler. Have you had any success with the protocol?
  • #40 21800334
    DeDaMrAz
    Level 21  
    @clanfavorite

    I am creating a remote logger based on RPi Zero W to log the traffic when I mount the boiler as I can't simulate all the data on the table. Protocol is somewhat simple but is supper chatty and requires lot of work. So far I managed to get the temperature reporting from the MCU and 1 or 2 commands but it's a chore - will require more time...
  • #41 21800348
    p.kaczmarek2
    Moderator Smart Home
    @clanfavorite can you share information about your Ariston, some photos, maybe protocol capture?
    Helpful post? Buy me a coffee.
  • #42 21800353
    clanfavorite
    Level 2  
    >>21800334 I've also started studying the protocol. But I plan to add the ESP32 as a MITM device, and then remove the native Wi-Fi. Could you please share the commands I've already found?

    Added after 5 [minutes]:

    >>21800348 I don't have anything yet; I just started researching this issue after Ariston's server crashed. I only know that WiFi communicates with the cloud via MQTT using TLS, which unfortunately doesn't allow me to spoof the broker... so I'll have to study the communication flow between the MCU and WiFi.
  • #43 21801392
    DeDaMrAz
    Level 21  
    Screenshot of UART Live Viewer software showing RX and TX data in HEX format.

    Final version of the RPi Zero W image will be uploaded soon together with wiring diagram and the HTML logger that works locally (not a server)....

    Weird timing issues should be resolved but I'd like to test it first on my own HW first and only then will I post everything.

    If anybody wishes to use this prerequisites are - RPi Zero W and CH342 board attached to OTG port and optionally ADUM1200 for isolation.
  • #44 21801472
    p.kaczmarek2
    Moderator Smart Home
    I think it would be worth to post it as a separate guide/tutorial, so more people can see it. It' not just Ariston Velis 80-only solution.
    Helpful post? Buy me a coffee.
  • #45 21803289
    geert2991
    Level 1  
    Hello everyone,

    I’m working on an Ariston Lydos Hybrid boiler and the internal electronics look very similar to what is discussed in this thread.

    The main control board uses an NXP MKE02Z64VLH4 microcontroller, and the optional Wi-Fi board contains an ESP32-WROOM-32D module.

    I’m fairly new to reverse engineering, but I’m trying to approach this methodically. So far I’ve been probing the GPIO lines on the ESP32 and I can clearly see serial activity, but it’s hard to analyze properly without the right tools. I’ve just ordered a cheap 24 MHz USB logic analyzer similar to the one used here.

    Between the MKE02 and the ESP32 I measure about 4.4 V on one of the communication lines.
    Question: is it safe to use the same low-cost logic analyzer for this, assuming I add a resistor divider or level shifting?

    I also made a full 4 MB flash dump of the ESP32 (ESP32-WROOM-32D), but most of the application area appears to be encrypted / high-entropy, so extracting protocol logic from the firmware doesn’t seem feasible.

    From the hardware side it looks like there are two main communication lines between the MKE02 and the ESP32:

    one line with a series resistor (likely MCU → ESP TX),

    one line going through transistor level shifting (likely ESP → MCU RX).

    I’m hoping the Lydos Hybrid uses the same UART-based protocol as the models discussed here , and that by sharing captures and observations we can help each other understand the protocol and eventually enable local control without cloud dependency.

    Any tips or confirmation from people who already captured this bus would be greatly appreciated(not sure its the same).

    Thanks!
  • #46 21803304
    DeDaMrAz
    Level 21  
    @geert2991

    Check this out for your product to avoid the headaches I am having - https://github.com/fustom/ariston-remotethermo-home-assistant-v3

    I am not relaying on the API I want to replace the WiFi and decode the protocol entirely and make this device convertible to OBK, but that is a process and a pain which I would not recommend.
  • #47 21804926
    DeDaMrAz
    Level 21  
    I got a descent amount of data decoded, still working on verifying it but what I have for sure now are

    - power toggle
    - temp change (set temperature)
    - reading current temp value (value on the appliance screen)
    - reading set value
    - reading from both temperature probes (inlet tank - outlet tank)
    - time to set temp
    - number of showers counter
    - at least one heater state

    More to come....

    Figured I need to provide example:

    C3 41 33 04 79 2D B2 02 95 -> set temp command
    broken down it looks like this:
    Code: text Expand Select all Copy to clipboard
    C3 41 -> frame header
33 -> WiFi CMD designator
04 -> data length
79 2D -> set/change temperature command 
b2 02 -> u16 based LE temp/10 -> 2b2/10=69.0
95 -> checksum
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
Report a violation of the law

Topic summary

The discussion focuses on the Ariston Velis 80 Wi-Fi electric water heater, exploring its hardware architecture, Wi-Fi module integration, and potential for firmware modification. The device includes two heaters and two temperature sensors per tank, likely enabling selective heating based on temperature differentials to maintain constant outlet temperature. The Wi-Fi module is based on an ESP32 chip with a 5V UART interface, connected only to test points on the board, complicating direct firmware flashing due to flash encryption and locked re-flash via UART. The community is analyzing the communication protocol between the MCU and Wi-Fi module using logic analyzers and PulseView with custom UART decoders, aiming to decode intermediate frames and commands. The device also features an RTC crystal with a supercapacitor backup and an NFC tag containing device metadata. Discussions include the possibility of replacing the Wi-Fi module with alternative ESP32 or ESP8266 modules, considering level shifting for UART signals. The goal is to develop open-source firmware to enable local control without reliance on manufacturer cloud services, enhancing user control and privacy. Service and maintenance aspects are also covered, including heater cleaning and magnesium electrode replacement every two years, with references to official manuals and service diagrams. The Wi-Fi functionality facilitates remote control and installation flexibility, although the hardware design imposes challenges for modification and firmware replacement.
Summary generated by the language model.
Today's popular
ADVERTISEMENT