TCP Packet Spec - celsworth/lxp-bridge GitHub Wiki
WIP
TCP Header
Packets to/from the inverter have an 18 byte TCP header; I think this is actually specific to the datalogger stick, if you talk RS485 directly to the inverter (I've never tried), this part is probably not there.
| Offset | Bytes | Description |
|---|---|---|
| 0 | 2 | Prefix (0xa1, 0x1a) |
| 2 | 2 | Protocol version |
| 4 | 2 | Packet length |
| 6 | 1 | Address? (this always seems to be 1) |
| 7 | 1 | TCP Function |
| 8 | 10 | Datalog Serial Number |
The protocol version and packet length are little-endian, so 02, 00 is protocol 2. The packet length is the length of all remaining bytes, so excluding the prefix, protocol, and length itself.
| TCP Function | Description |
|---|---|
| 0xc1 | Heartbeat |
| 0xc2 | Translated Data |
| 0xc3 | Read Param |
| 0xc4 | Write Param |
There are others, but they're a bit specialist (firmware updates etc I believe) so not of much concern to us.
TCP Function 0xc1 - Heartbeats
Heartbeats don't have any content and consist of a single zero byte after the above header, which simply represents a zero payload length, ie nothing follows it. I suspect this is datalogger-specific and doesn't actually talk to the inverter proper.
A complete heartbeat example (with redacted datalog serial number), might be:
a1 1a 02 00 0d 00 01 c1 XX XX XX XX XX XX XX XX XX XX 00
So protocol 2, 0x0d 0x00 length (13 bytes following this 0x00), 0x01 address, and 0xc1 tcp function.
TCP Function 0xc2 - Translated Data
This is the meat of communications with the inverter itself. This TCP Function is used for reading and writing holdings, and reading inputs. These offsets are reset to zero-based, but this all follows the header detailed above.
FIXME: this table might be wrong, actually I think there's two bytes of length at the start of this header!
| Offset | Bytes | Description |
|---|---|---|
| 0 | 1 | Address (appears to be 0 when writing to inverter, 1 when reading from it) |
| 1 | 1 | Device Function |
| 2 | 10 | Inverter Serial Number |
| 18 | 2 | Data Length |
| Device Function | Description |
|---|---|
| 0x3 | Read Holding |
| 0x4 | Read Input |
| 0x6 | Write Single Holding |
| 0x10 | Write Multi Holding |
When sent over the network, registers are split into 8bit bytes, little-endian. So for example if I read holding register 30, which is GRID_VOLT_LIMIT1_HIGH, I get back [62, 10] (you can see this in the DEBUG log messages, all the network traffic is logged).
62 + (10 << 8) = 2622
This is 1/10th of a volt, so 262.2v (for the UK market).