Reverse Engineering the TEC-06 Battery Tester

[Syonyk] read that you could solder a few wires to a TEC-06 battery capacity tester, connect it to a TTL serial adapter, and it would interface with some Windows software via a serial port. You can buy it already enabled for serial, but since he had the non-connected version, he was interested in trying it. Not only did it work, but he took the time to reverse engineer the protocol and made a detailed write up about his findings and how he attacked the problem.

Around here, we never need an excuse to reverse engineer anything. But [Synonyk] mentions that he didn’t like using Windows-only software from China. If he wants it on Linux, or if Windows compatibility breaks with a new version, or if the software has spyware in it, he wants to be able to continue using the device. Of course, he also admits — and we get it — that he just enjoys doing it, too.

His first step was to locate the CPU’s datasheet and validate that the pin he’d read about looked like it could be serial data. It was. Then he verified that serial data was coming out with an oscilloscope. That means the serial and non-serial devices likely have exactly the same firmware, and the non-serial device just doesn’t have the components to connect to the port.

After that, he pulled out a better scope, some Windows-based serial port sniffing software, and started working the puzzle. Once he had an idea of the port’s configuration, he moved to Linux where he found how painful it is to set a non-standard baud rate like 128,000 with even parity. He then worked out the protocol and wrote code to push out a CSV file with the data.

This reminded us of when an oddly familiar guy hacked the MHS-5200A protocol for many of the same reasons. With so much electronics from China getting hacked like this, you almost wish they’d save us the trouble and publish the specifications. Then again, what fun is that?

15 thoughts on “Reverse Engineering the TEC-06 Battery Tester

  1. > … Around here, we never need an excuse to reverse engineer anything.
    > But [Synonyk] mentions that he didn’t like using Windows-only software from China. …
    >
    reverse engineering is useful for Non-China software and hardware as well.

    I had to learn how to capture I2C traffic from Raspberry Pi 2B to Raspberry cameras v1 and v2 with Salea Logic Analyzer first:
    https://www.raspberrypi.org/forums/viewtopic.php?f=43&t=109137&start=250#p1237647

    Luckily always when I did run into a dead end road, I got help from a Raspberry engineer who is bound by NDAs.

    By reverse engineering I was able to enhance Raspberry v1 camera (5$ from China) from maximal 90fps to 360fps, 665fps and finally 750fps — really nice for just 5$. Here you can see how to measure the power frequency of German power network (50Hz) by taking a 600fps video and repeating pattern all 600/(50*2)=6 frames!
    https://www.raspberrypi.org/forums/viewtopic.php?f=43&t=109137&p=1243064#p1243594

    Lately I captured all the missing modes 1-7 for Raspberry v2 camera, which @6by9 has just taken into raspiraw master branch as well:
    https://www.raspberrypi.org/forums/viewtopic.php?f=43&t=109137&p=1262879#p1262879

    While v2 camera has a crypto chip inside in order to avoid cheap China clones (like the 5$ v1 camera), capturing raw Bayer frames with up to 120fps does not need to talk to crypto chip at all …. ;-)

    1. “While v2 camera has a crypto chip inside in order to avoid cheap China clones”

      Wait, are you claiming they DRM’ed the camera and you can’t get cheap clones? That’s rather against the raspberry concept isn’t it? Also I did see Chinese clones, albeit not as cheap as $5 so I’m wondering about your statement.
      Perhaps they merely made sure you can’t claim it’s the real thing? Or perhaps it’s all BS..

      Also those samples of supposed 600FPS don’t seem 600FPS to me at all and it looks like wishful thinking to me, it might be faster than standard but not 600 fps I bet.

      1. > Wait, are you claiming they DRM’ed the camera and you can’t get cheap clones?
        >
        Yes.

        > That’s rather against the raspberry concept isn’t it?
        >
        All of Raspbian is open source, but camera GPU code was always closed source.

        > Also I did see Chinese clones, albeit not as cheap as $5 so I’m wondering about your statement.
        >
        There are many on 5-6$ range with free shipping, this one is (currentlly) 4.99$ with free shipping (to Germany):
        https://www.aliexpress.com/item/Camera-Module-Board-5MP-Webcam-Video-1080p-720p-for-Raspberry-Pi-3-2-Model-B/32811023960.html

        > Perhaps they merely made sure you can’t claim it’s the real thing? Or perhaps it’s all BS..
        >
        I have 7 of the cheap v1 cameras, 2 being night vision which cost around 9$ (interesting, they have a part less, the infrared filter, but cost mode). I got one 28£ v2 camera at Christmas, mainly for being able to capture missing modes 1-7 register sets which I did under link of my previous comment.

        > Also those samples of supposed 600FPS don’t seem 600FPS to me at all and it looks like wishful thinking to me, it might be faster than standard but not 600 fps I bet.
        >
        Not wishful thinking, I suspect my results always and built in verification. The raspiraw callback gets called with μs resolution timer, so I determined μs delta times between frames and determined distribution. Up to 665fps(502fps) the recordings are free of frame skips on Pi 2B(Pi Zero).

        One I took a video at 900fps, here you can see the frame quality as well as analysis:
        7171 frames got captured in 8s, with frame delta time being 1101us ± 4us (908.2fps), with 1+73+22+1=97 frame skips. The (needed) /dev/shm ramdisk allows for capturing 16s of 900fps video …
        https://www.raspberrypi.org/forums/viewtopic.php?t=109523&start=25

        One of my favorite videos I took was (only) 350fps 640×128 video of mouse trap chain reaction, played with 25fps (for youtube upload), 14 times slower than real):

      1. > A really cheap high speed camera based on Raspberry Pi is a really interesting project!
        >
        Definitely — while high framerate slowmo videos look nice, my main appliaction is fast moving robot control. At 90fps the robot would get a frame only every 5.6cm at target speed of 5m/s (18km/h). With 360fps a frame is available every 1.4cm.

        Here is all I have collected on Raspberry cameras:
        https://stamm-wilbrandt.de/en/Raspberry_camera.html

        > I better order a compatible camera module before the rest of the hobbyists clear out the stock…
        >
        Not really, there are many suppliers on aliexpress for v1 camera, and the 4.99$ link from my other reply says 947 pieces available ….

  2. [Synonyk] mentions that he didn’t like using Windows-only software from China.

    No kidding. Back before USB was omnipresent, I bought an RS-232-based FM radio (serial port control, 3.5mm stereo audio out). The existing software was ad-ridden, bloated, and extremely ugly, so I fired off an email to the vendor asking for a copy of the RS-232 command spec. I got a response that it was proprietary. Wha?? I responded with the statement that there are software-based serial monitors, and my request for a spec was just to make my job easier, and got a /shrug whatever in response.

    So I figured it out and developed a little tray GUI that was unobtrusive, rock solid, and even stored a buffer of the recent audio in case you missed something. Think TiVo for FM…

    I have a handful of similar units that use USB now instead of serial, and am waiting for some free time to reverse engineer the protocol and write a linux driver for them.

  3. I openly admit I might be stupid in this case, but can that battery tester also reliably measure the internal resistance of a cell?
    Measuring mAh is given it can do, but I got a stack of salvaged laptop li-ion cells I’d like to sort through, and buying something Chinesium that can do both for me would mean I could put the good cells into use sooner.

    1. That would be a great function to have. Of course, there are charger/discharge testers that do this, but they are a lot more expensive. I have a lot of 18650s and SLA D cells I’m testing and refurbishing, it’d be helpful to have more than one capacity tester that can also test for ESR.

    2. I don’t think you can measure ESR directly with that thing. All-Sun sells a handheld meter for $50 and they generally make pretty decent gear – it’s the EM610. Maybe worth it if you need to test batteries frequently.

    3. (Author of the blog post here)

      Yes, it measures internal resistance. You can see a full review of the tester the previous week on my blog. And internal resistance is exported over serial.

      It’s not quite as smooth as the readings on the ZB206+, but it will serve nicely to compare cells to each other during discharge.

      1. Bit of a late brainfart, but wouldn’t it be possible to use a mcu with two independent hardware serial ports to do “translation” between the oddball baud rate and a well used and known one?
        Or perhaps something like the atmega32u4 used on Arduino Leonardo and Micro (and the clones from East) that can simulate a usb-to-serial connection with their USB port and also have a separate dedicated hardware UART.
        Might even be possible with some optocouplers + passives and further refinement of the program to control the battery tester from the computer via that.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s