Siemens Dishwasher research

[Nurster]

Hello

I am following this repository for quite some time now with great interest. I own a Siemens-Dishwasher SN66P080EU/D4 and managed to dump the USART-Registers of the running machine. It is controlled by an STM32F301VCT6 Arm Cortex M4. An STLink-V2-Dongle is connected to the machine with a custom made RAST-cable. OpenOCD, Ghidra (gdb) and Saelae Logic are the tools being used. Right after power up the programme selection is flashing with the time being displayed in the LED-Display. The D-Bus is monitored with a logic analyzer so I can be sure the bus is quiet. This is the state of the registers after the module finished booting:

MSB first

Control register 1 (USART_CR1):

00000000000000000000000000101101
Bit 0 UE: USART enable
Bit 2 RE: Receiver enable
Bit 3 TE: Transmitter enable
Bit 5 RXNEIE: RXNE interrupt enable

Baud rate register (USART_BRR):

00000000000000000001110101001100
0x1D4C
Oversampling by 16 (OVER8 = 0)
9.6 KBps

Interrupt and status register (USART_ISR):

00000000011000100001000011010000
Bit 4 IDLE: Idle line detected
Bit 6 TC: Transmission complete
Bit 7 TXE: Transmit data register empty
Bit 12 EOBF: End of block flag
Bit 17 CMF: Character match flag (character stored in USART_CR2 ADD[7:0])
Bit 21 TEACK: Transmit enable acknowledge flag
Bit 22 REACK: Receive enable acknowledge flag

All other USART-Registers are empty (zero) apart from TDR and RDR that contain the Data received and about to be transmitted. The CR2 Bits 13:12 being 00 would mean that serial line configuration is 8N1 rather than 8N2. During and after selecting a programme and pressing start the CR2 and CR3 are zero as well.

excerpt from reference manual:

Bits 13:12 STOP[1:0]: STOP bits
These bits are used for programming the stop bits.
00: 1 stop bit
01: 0.5 stop bit
10: 2 stop bits
11: 1.5 stop bits
This bit field can only be written when the USART is disabled (UE=0).

I hope this information is useful for further developments. I much appreciate the deciphering of the D-Bus protocol frames for the WM14S750. Since I don't have any clue regarding dishwasher frames maybe someone with knowledge could help out decrypting those as well.

LL   DS CC CC   MM MM MM MM MM MM MM MM MM MM MM MM MM MM MM MM MM MM MM MM   RR RR            ACK
16 | 25.20-11 | a5 0a 0d 0e 0f 15 11 a1 a0 80 83 81 84 a2 ff ff ff ff ff ff | db 7e (crc=ok) | 2a (ack ok)

a5 - identification byte
0a - 70°C intensive 2:15
0d - 45°C-65°C auto 2:40
0e - eco 50°C 3:30
0f - one hour 60°C
11 - pre wash
a1 - minus key
a0 - plus key
80 - vario speed
83 - half load 
81 - intensive zone
84 - hygiene plus
a2 - start button

Destination:

0x0 network management / broadcast
0x1 power module
0x2 user control panel
0x3 timelight projector module ?

Subsystem:

0x5 set parameters / map buttons

regards,

Till

[hn]

Thank you for sharing, that's great!

I have some questions and/or comments:

• The STM32F301VCT6 you speak of is located in the control board (the one with 230V mains connector), right?
• Can you share in more detail how you connected the ST-Link debugger to the board and read the USART registers?
• The difference 8N2 vs. 8N1 may well be a mistake on my part, I have only measured the bus timing once and may have been slightly inaccurate.
• Is it possible that you are sending a longer D-Bus log? It would be perfect to have a complete log from bootup, program selection and start to the end of the wash program.
• My Timelight module (stand-alone spare part) sends ACKs for address D=6 (96de2cf).
• I don't understand how you came up with your interpretation of the frame 25.20-11 | a5 0a ....

[Nurster]

Hello hn,

I'm going through your comments/questions step by step:

• Yes STM32F301VCT6 (on some Models STM32P301VCT6) is located on the power module pcb.
  The user control panel modul utilizes an MC9S08AC60 from NXP semiconductors that is powered off the D-Bus

• almost every ARM based power module for BSH-dishwashers I came across uses a six pin terminal on the left most bottom corner of the pcb

The pinout is as follows:

1. SWCLK
2. SWDIO
3. BOOT0
4. RESET
5. GND
6. VCC (3.3V)

It might be the case that pins 3 and 4 are swapped and I don't yet have time to check them out. They are not needed for hooking up an STLinkV2-Dongle and establishing a connection successfully. The OpenOCD command is:

$ openocd -f interface/stlink.cfg \
-c "transport select hla_swd" \
-f target/stm32f3x.cfg \
-c "stm32f3x.cpu configure -rtos auto"

Open On-Chip Debugger 0.12.0
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
hla_swd
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 1000 kHz
Info : STLINK V2J43S7 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.234369
Info : [stm32f3x.cpu] Cortex-M4 r0p1 processor detected
Info : [stm32f3x.cpu] target has 6 breakpoints, 4 watchpoints
Info : starting gdb server for stm32f3x.cpu on 3333
Info : Listening on port 3333 for gdb connections

Although OpenOCD doesn't manage to detect an RTOS, I leave it in just in case a pcb with rtos-symbols exposed comes along.

To read the USART1-Registers gdb will suffice.

$ gdb-multiarch -ex 'target extended-remote :3333'
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
Remote debugging using :3333
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
0x08004756 in ?? ()
(gdb) interrupt
(gdb) monitor reset run
(gdb) monitor reset run
(gdb) x/11t 0x40013800
0x40013800:	00000000000000000000000000101101	00000000000000000000000000000000	 
                00000000000000000000000000000000	00000000000000000001110101001100
0x40013810:	00000000000000000000000000000000	00000000000000000000000000000000	 
                00000000000000000000000000000000	00000000011000100001000011010000
0x40013820:	00000000000000000000000000000000	00000000000000000000000000101010	 
                00000000000000000000000010011010

• You might be right with your timing measurements regarding the 8N2 configuration since I witnessed some framing errors. They could result from a configuration change in the CR2 register I was not able to detect somehow. But it could be possible that my USB-Line is too heavily loaded with devices and the logic analyzer cannot keep up.

• I will be able to log a boot process, selection of programs, error condition and pressing the start button. A full cycle I cannot yet provice since my lab setup here is running on a different module than my dishwasher. There were some of things to discover which I can get back to later. I don't want to work on live mains yet but when I've got time I'll try to connect a logic analyzer directly to the pcb installed in my machine in the kitchen.

• Thanks for the information about the time light module. I can tell very soon if there's any difference since I ordered myself a used one in order to hook it up to my dishwasher and lab setup of course. I'm curious about the bitmaps and where they are stored.

• The frame data is coming from the button panel. If you hold two random buttons except power and turn the unit on it'll get you into service mode (P0). Once you manage to select P4 the display goes blank and for every button you press a uint8_t number will appear in decimal. I digged through the firmware locating the minus (0xa1) and plus (0xa0). There is only one location in flash memory where they can be found and that is the feature array where the programmes and additional function numbers are stored.

During startup it is being transferred from flash into ram and then fed into one of the dbus2_usart_send functions accordingly. Since my grandma and some of my friends got BSH-dishwashers as well I was able to obtain and collect some more of the function numbers and mappings respectively. I even found a power module in a pile of junk near a lake. According to the model printed on the base pan nearby I could resolve the the functions displayed on a product picure on the BOSCH-Website and map them to the uint8_t numbers stored in the firmware. The module is perfectly fine btw. and did a successful run in my dishwasher but with the Siemens firmware.

main functions:

0a - 10 - 70 °C Intensive pots and pans
0d - 13 - Auto 65 °C
0e - 14 - Eco 50 °C 
0f - 15 - Glassware 40 °C
11 - 17 - Fast (glassware and cups) 45 °C
12 - 18 - Pre Rinse
14 - 20 - Night Rinse (quiet) 50 °C
15 - 21 - 1h °60C
17 - 23 - Intensive eco
19 - 25 - Turbo Speed / Party Plus (only with installed liquor reservoir)
1f - 31 - Mixed 60°C
21 - 33 - Machine Care

additional functions:

80 - 128 - VarioSpeed 
81 - 129 - Intensive Zone (higher water pressure in lower rack)
83 - 131 - Half Load
84 - 132 - Hygiene Plus
86 - 134 - Extra Dry
88 - 136 - Brilliant Shine (Glassware)

basic functions: 

a0 - 160 - Plus
a1 - 161 - Minus
a2 - 162 - Start

internet of stings:

a6 - 166 - HomeConnect
a7 - 167 - Setup 3 sec.

regards,

Till

[hn]

Thanks for the detailed explanation!

• By chance, I just got access to a (stand alone, maybe broken) EPG70012 power module, which features a 32P301VCT6, the PCB looks exactly like the one you have. With your findings, I'll try to dump the firmware for further (Ghidra) analysis.
• I think I now understand what you mean with "map buttons". But the frame 25.20-11 | a5 0a ... likely is send from the power module to the user control module (D=2). It looks like the power module tells the user control module what to do when keys are pressed. That's interesting, I've a very vague suspicion that the 12.13-00 frame used in washing machines might do something similiar (there are 15 washing programs and the payload length of that frame is 15+1=16 bytes).
• If you are able to log frames with D=6 on a live dishwasher, please post them here. Then I would be able to test my Timelight spare part by replaying this commands.

[Nurster]

Hello hn,

• even with the power supply switch reguluator TNY264 or 267 broken it is possible to dump a firmware image. The 3.3v rail of the STlink-V2 is able powering the STM32F301VCT6 without problems.

• I issued the following OpenOCD-command to dump an image named firmware.bin with 262144 byte in size hence the C in VCT6:

$ openocd -f interface/stlink.cfg \
-c "transport select hla_swd" \
-f target/stm32f3x.cfg \
-c "stm32f3x.cpu configure -rtos auto" \
-c "init" \
-c "reset init" \
-c "flash read_bank 0 firmware.bin 0 0x40000" \
-c "exit"

Open On-Chip Debugger 0.12.0
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
hla_swd
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
Info : clock speed 1000 kHz
Info : STLINK V2J43S7 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.242384
Info : [stm32f3x.cpu] Cortex-M4 r0p1 processor detected
Info : [stm32f3x.cpu] target has 6 breakpoints, 4 watchpoints
Info : starting gdb server for stm32f3x.cpu on 3333
Info : Listening on port 3333 for gdb connections
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : Unable to match requested speed 1000 kHz, using 950 kHz
[stm32f3x.cpu] halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x080000e4 msp: 0x200001fc
Info : Unable to match requested speed 8000 kHz, using 4000 kHz
Info : Unable to match requested speed 8000 kHz, using 4000 kHz
Info : device id = 0x10036422
Info : flash size = 256 KiB
wrote 262144 bytes to file firmware.bin from flash bank 0 at offset 0x00000000 in 1.736218s (147.447 KiB/s)

• To write it back into flash memory I used this command:

$ openocd -f interface/stlink.cfg \
-c "transport select hla_swd" \
-f target/stm32f3x.cfg \
-c "stm32f3x.cpu configure -rtos auto" \
-c "init" \
-c "reset init" \
-c "program firmware.bin 0x8000000 verify exit"

Open On-Chip Debugger 0.12.0
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
hla_swd
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
Info : clock speed 1000 kHz
Info : STLINK V2J43S7 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.242384
Info : [stm32f3x.cpu] Cortex-M4 r0p1 processor detected
Info : [stm32f3x.cpu] target has 6 breakpoints, 4 watchpoints
Info : starting gdb server for stm32f3x.cpu on 3333
Info : Listening on port 3333 for gdb connections
[stm32f3x.cpu] halted due to breakpoint, current mode: Thread 
xPSR: 0x01000000 pc: 0x080000e4 msp: 0x200001fc
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : Unable to match requested speed 1000 kHz, using 950 kHz
[stm32f3x.cpu] halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x080000e4 msp: 0x200001fc
Info : Unable to match requested speed 8000 kHz, using 4000 kHz
Info : Unable to match requested speed 8000 kHz, using 4000 kHz
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : Unable to match requested speed 1000 kHz, using 950 kHz
[stm32f3x.cpu] halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x080000e4 msp: 0x200001fc
Info : Unable to match requested speed 8000 kHz, using 4000 kHz
Info : Unable to match requested speed 8000 kHz, using 4000 kHz
** Programming Started **
Info : device id = 0x10036422
Info : flash size = 256 KiB
** Programming Finished **
** Verify Started **
** Verified OK **
shutdown command invoked

• This will cause the board to throw error E01 because only the microcontroller is powered and none of the power module's other components requiring 5-12Vish voltages. These are provided by the TNY264GN.

• Yes you're right about the "map buttons" frame. D=2, the user control panel is receiving and sending a lot more frames than just the buttons during startup. Some of them being responsible for determining what kind of control panel is attached. If a panel module from a fully integrated machine is present the software adapts and behaves accordingly. You're able to select an info light or a beeper in the configuration menu. Programmes can be selected only with the door open and all leds turn dark when it is closed. Contrary to that a semi integrated or free standing appliances panel will let the user select programmes only when the door is closed and the LEDs keep being lit as the time counts down. No beeper or info light is available.

• Once the firmware finished booting, is halted with the gdb interrupt command and a button is pressed on the user control panel, no answer is sent back from the power module. This causes the panel module to flash the tap water and rinse aid leds in 250ms steps. The D-Bus is flooded with frames targeting the power module desperately trying to communicate.

• All additional functions available on the right side of the panel module are tied to the respective programmes. That means even with a broken data connection you can only select the functions a programme allows you to. So for example half load or vario speed isn't available for the pre rinse programme but for 70°c intensive. This information is transferred to the panel module during startup.

• On the contrary the time a programme or cycle takes to finish is being transmitted if the push of a button results in a time change. This applies to additional functions as well.

• I have three modules: one EPG70002 in my machine in the kitchen and two EPG70003 for experiements. One of which I found on pile of junk outdoors. The EPG70002 got two relays for heating while the 70003 got three. There is also an additional motor driver chip FSB50550AB from fairchild semiconductors to power the fan motor for the zeolith active drying technology.

• During boot the firmware detects the additional motor driver and relay on the 70003. On the 70002 without the extra components there are zero ohm resistors soldered instead. This enables the firmware to adapt itself in any case.

• If a 70003 zeolith module is running inside a non-zeolith machine the cycle will complete flawlessly but with one catch being an error message E10 or whatever regading the non present drying fan, heater and temperature sensor.

• On the module I found outdoors there's a daughter board installed with a power- and a ribbon cable. I have no idea what it is used for other than a piezo-controlled button panel perhaps.

• I'm waiting for my time light projector to arrive. I hope it is not broken since the led seems very bright and I saw a case of a fried LCD glass panel.

• You can hook up yours to the D-Bus and see what happens. I managed to retrieve some RAST-plugs from outdoors and cut the restraining lugs with a sharp knife. In fact I use the panel module's port which is intended for the time light to hook up the logic analyzer. If you're able to get your hands on an old wiring harness there are plenty of plugs to use and abuse.

• I almost forgot. Here is a capture of the boot procedure from start to finish. Running on an EPG70003.

epg70003_boot_dbus2.csv

[hn]

• Yes, you're right. The control board tries to communicate with all components if they do not reply to commands (e.g. last paragraph here)
• The main logic of those home appliances seems to be located in the control (power) module. Every user-side wash program is a collection of sub-modules. If the user selects a program via the user control panel, the control module calculates the needed time and reports it back to the display. That seems to be the same process for dishwashers and washing machines.
• Thanks for all the other details. With your kind permission, I will later integrate them into the documentation of this project.

[hn]

With 50b99e7 one can parse your CSV file. It seems the logic analyzer is missing some bits sometimes (or there might be bus collisions, don't know):

Ignoring byte 0xd4 at pos 0: frame exceeds min or max size
03 | 22.7f-f1 | 10 | f2 0c (crc=ok) | 2a (ack=ok)
03 | 17.10-07 | 01 | 6e 8d (crc=ok) | 1a (ack=ok)
0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok)
0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok) | 2a (ack=ok)
06 | 26.20-02 | 00 04 00 00 | e2 53 (crc=ok) | 2a (ack=ok)
06 | 26.20-02 | 00 04 00 00 | e2 53 (crc=ok) | 2a (ack=ok)
03 | 24.20-06 | 03 | 0f 6e (crc=ok) | 2a (ack=ok)
0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok) | 2a (ack=ok)
16 | 25.20-11 | a5 0a 0d 0e 0f 15 11 a1 a0 80 83 81 84 a2 ff ff ff ff ff ff | db 7e (crc=ok)
Ignoring byte 0x23 at pos 117: frame exceeds min or max size
16 | 25.20-11 | a5 0a 0d 0e 0f 15 11 a1 a0 80 83 81 84 a2 ff ff ff ff ff ff | db 7e (crc=ok) | 2a (ack=ok)
03 | 25.20-12 | 01 | 96 2f (crc=ok) | 2a (ack=ok)
04 | 25.20-13 | ff ff | 1d 30 (crc=ok) | 2a (ack=ok)
06 | 25.10-20 | 00 00 00 00 | 85 aa (crc=ok) | 2a (ack=ok)
11 | 25.10-17 | 40 81 09 6a 20 00 e4 0e 00 00 00 00 00 00 00 | 47 01 (crc=ok) | 2a (ack=ok)
11 | 25.10-17 | 40 81 09 6a 20 00 e4 0e 00 00 00 00 00 00 00 | 47 01 (crc=ok)
Ignoring byte 0x23 at pos 216: frame exceeds min or max size
11 | 25.10-17 | 40 81 09 6a 20 00 e4 0e 00 00 00 00 00 00 00 | 47 01 (crc=ok) | 2a (ack=ok)
17 | 25.20-10 | 0e 00 02 04 04 00 40 00 00 b3 41 81 09 6a 20 80 01 00 e4 00 00 | 10 9e (crc=ok)
Ignoring byte 0x23 at pos 266: frame exceeds min or max size
17 | 25.20-10 | 0e 00 02 04 04 00 40 00 00 b3 41 81 09 6a 20 80 01 00 e4 00 00 | 10 9e (crc=ok) | 2a (ack=ok)
03 | 27.20-07 | 02 | b7 a2 (crc=ok) | 2a (ack=ok)
Ignoring byte 0x0a at pos 303: crc checksum error
Ignoring byte 0x25 at pos 304: frame exceeds min or max size
Ignoring byte 0x00 at pos 305: frame exceeds min or max size
Ignoring byte 0x08 at pos 306: crc checksum error
Ignoring byte 0x07 at pos 307: crc checksum error
Ignoring byte 0xfe at pos 308: frame exceeds min or max size
Ignoring byte 0x0a at pos 309: crc checksum error
Ignoring byte 0x25 at pos 310: frame exceeds min or max size
Ignoring byte 0x20 at pos 311: crc checksum error
Ignoring byte 0x08 at pos 312: crc checksum error
Ignoring byte 0xd2 at pos 313: frame exceeds min or max size
Ignoring byte 0x30 at pos 314: frame exceeds min or max size
Ignoring byte 0x00 at pos 315: frame exceeds min or max size
Ignoring byte 0x00 at pos 316: frame exceeds min or max size
Ignoring byte 0xfc at pos 317: frame exceeds min or max size
Ignoring byte 0x0a at pos 318: crc checksum error
Ignoring byte 0x25 at pos 319: frame exceeds min or max size
Ignoring byte 0x20 at pos 320: crc checksum error
Ignoring byte 0x08 at pos 321: crc checksum error
Ignoring byte 0xd2 at pos 322: frame exceeds min or max size
Ignoring byte 0x30 at pos 323: frame exceeds min or max size
Ignoring byte 0x30 at pos 324: frame exceeds min or max size
Ignoring byte 0x01 at pos 325: frame exceeds min or max size
Ignoring byte 0x07 at pos 326: crc checksum error
Ignoring byte 0x03 at pos 327: crc checksum error
Ignoring byte 0x1e at pos 328: crc checksum error
Ignoring byte 0x10 at pos 329: crc checksum error
Ignoring byte 0x05 at pos 330: crc checksum error
03 | 17.10-01 | 00 | d4 0a (crc=ok) | 1a (ack=ok)
Ignoring byte 0x0a at pos 339: crc checksum error
Ignoring byte 0x25 at pos 340: frame exceeds min or max size
Ignoring byte 0x00 at pos 341: frame exceeds min or max size
Ignoring byte 0x00 at pos 342: frame exceeds min or max size
Ignoring byte 0xd2 at pos 343: frame exceeds min or max size
Ignoring byte 0x30 at pos 344: frame exceeds min or max size
Ignoring byte 0x0a at pos 345: crc checksum error
Ignoring byte 0x25 at pos 346: frame exceeds min or max size
Ignoring byte 0x20 at pos 347: crc checksum error
Ignoring byte 0x08 at pos 348: crc checksum error
Ignoring byte 0xd2 at pos 349: frame exceeds min or max size
Ignoring byte 0x30 at pos 350: frame exceeds min or max size
Ignoring byte 0x30 at pos 351: frame exceeds min or max size
Ignoring byte 0x03 at pos 352: crc checksum error
Ignoring byte 0x1e at pos 353: crc checksum error
Ignoring byte 0x00 at pos 354: frame exceeds min or max size
Ignoring byte 0x03 at pos 355: crc checksum error
Ignoring byte 0x1a at pos 356: crc checksum error
Ignoring byte 0x40 at pos 357: frame exceeds min or max size
03 | 17.10-10 | 0e | 05 86 (crc=ok) | 1a (ack=ok)
0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok)
04 | 17.10-00 | 00 00 | 7e 88 (crc=ok) | 1a (ack=ok)
0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok)
Ignoring byte 0x02 at pos 403: crc checksum error
Ignoring byte 0x05 at pos 404: crc checksum error
Ignoring byte 0x10 at pos 405: crc checksum error
Ignoring byte 0x0a at pos 406: crc checksum error
Ignoring byte 0x00 at pos 407: frame exceeds min or max size
Ignoring byte 0x42 at pos 408: frame exceeds min or max size
Ignoring byte 0xd2 at pos 409: frame exceeds min or max size
Ignoring byte 0x30 at pos 410: frame exceeds min or max size
03 | 17.10-11 | 0e | 36 b7 (crc=ok) | 1a (ack=ok)
0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok)
0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok) | 2a (ack=ok)
03 | 27.20-07 | 02 | b7 a2 (crc=ok) | 2a (ack=ok)
05 | 25.20-04 | 00 00 00 | cd eb (crc=ok) | 2a (ack=ok)
04 | 25.20-15 | 0f ff | bc 51 (crc=ok) | 2a (ack=ok)
09 | 25.10-12 | 00 00 00 00 03 1e 00 | 19 7a (crc=ok) | 2a (ack=ok)
03 | 25.10-13 | 00 | 70 9a (crc=ok) | 2a (ack=ok)

[Nurster]

Hello hn,

thanks for putting so much effort into writing a perl script just for the data I managed to capture. I'm not sure what happened to my logic analyzer because at high frequencies it is possible to get verified SPI-Data without issues same applies to I2C or Serial. Nevertheless I tried your bsh-dbus-logger.ino sketch on a Wemos D1 ESP8266 I found at the very bottom of my microcontroller box. Button panel of fully integrated unit is hooked up.

• boot process

01:18:47.492 -> 03 | 17.10-10 | 15          | a6 dc (crc=ok) | 1a (ack=ok)
01:18:47.525 -> 0a | 25.20-08 | 3c 44 30 01 00 00 01 00 | d3 69 (crc=ok) | (ack=err, re-evaluate byte)
01:18:47.525 -> 0a | 25.20-08 | 3c 44 30 01 00 00 01 00 | d3 69 (crc=ok) | 2a (ack=ok)
01:18:47.558 -> 04 | 25.20-15 | 0e 40       | d9 54 (crc=ok) | 2a (ack=ok)
01:18:47.592 -> 04 | 17.10-00 | 00 00       | 7e 88 (crc=ok) | 1a (ack=ok)
01:18:47.592 -> 0a | 25.20-08 | 3c 44 30 01 00 00 01 00 | d3 69 (crc=ok) | 2a (ack=ok)
01:18:47.625 -> 03 | 17.10-11 | 15          | 95 ed (crc=ok) | 1a (ack=ok)
01:18:47.658 -> 0a | 25.20-08 | 3c 44 30 01 00 00 01 00 | d3 69 (crc=ok) | 2a (ack=ok)
01:18:48.386 -> 54 | (read=timout)
01:18:48.684 -> 03 | 22.7f-f1 | 10          | f2 0c (crc=ok) | 2a (ack=ok)
01:18:48.717 -> 03 | 17.10-07 | 01          | 6e 8d (crc=ok) | 1a (ack=ok)
01:18:48.717 -> 0a | 25.20-08 | 3c 44 30 01 00 00 01 00 | d3 69 (crc=ok) | (ack=err, re-evaluate byte)
01:18:48.750 -> 0a | 25.20-08 | 3c 44 30 01 00 00 01 00 | d3 69 (crc=ok) | 2a (ack=ok)
01:18:48.883 -> 06 | 26.20-02 | 00 04 00 00 | e2 53 (crc=ok) | 2a (ack=ok)
01:18:48.916 -> 06 | 26.20-02 | 00 04 00 00 | e2 53 (crc=ok) | 2a (ack=ok)
01:18:48.916 -> 03 | 24.20-06 | 03          | 0f 6e (crc=ok) | 2a (ack=ok)
01:18:48.982 -> 0a | 25.20-08 | 3c 44 30 01 00 00 01 00 | d3 69 (crc=ok) | 2a (ack=ok)
01:18:48.982 -> 16 | 25.20-11 | a5 0a 0d 0e 0f 15 11 a1 a0 80 83 81 84 a2 ff ff ff ff ff ff | db 7e (crc=ok) | 2a (ack=ok)
01:18:49.015 -> 03 | 25.20-12 | 01          | 96 2f (crc=ok) | 2a (ack=ok)
01:18:49.015 -> 04 | 25.20-13 | ff ff       | 1d 30 (crc=ok) | 2a (ack=ok)
01:18:49.048 -> 06 | 25.10-20 | 00 00 00 00 | 85 aa (crc=ok) | 2a (ack=ok)
01:18:49.115 -> 11 | 25.10-17 | 40 01 09 6a 20 00 e4 0e 00 00 00 00 00 00 00 | 10 7f (crc=ok) | 2a (ack=ok)
01:18:49.148 -> 11 | 25.10-17 | 40 01 09 6a 20 00 e4 0e 00 00 00 00 00 00 00 | 10 7f (crc=ok) | 2a (ack=ok)
01:18:49.181 -> 17 | 25.20-10 | 0e 00 02 04 04 00 40 00 00 b3 41 01 09 6a 20 80 01 00 e4 00 00 | f4 aa (crc=ok) | (ack=err, re-evaluate byte)
01:18:49.181 -> 23 | 17.25-20 | 10 0e 00 02 04 04 00 40 00 00 b3 41 01 09 6a 20 80 01 00 e4 00 00 f4 aa 2a 03 27 20 07 02 b7 a2 2a | 0a 25 (crc=err, len=39)
01:18:49.247 -> 20 | 08.d2-30 | 30 03 1e 00 03 1e 10 05 2a 05 25 20 04 00 00 00 40 c1 05 25 20 04 00 73 fd 05 25 20 04 00 | 00 00 (crc=err, len=36)
01:18:49.280 -> cd | eb.03-17 | 10 10 0e 05 86 1a 05 25 20 04 00 00 00 cd eb 05 25 20 00 00 05 25 20 00 cd 05 25 00 00 05 25 20 04 00 cd eb 05 25 20 04 00 00 fd 05 04 05 25 20 04 00 00 00 cd eb 04 17 10 00 00 00 7e 88 1a 05 25 20 04 00 00 00 cd eb 03 17 05 25 20 00 05 25 20 05 25 20 04 00 89 eb 05 00 00 00 08 0a 25 20 82 fe 0a 25 20 08 d2 1e 00 0a 25 20 08 d2 30 30 03 1e 00 00 04 03 17 10 11 0e 36 b7 1a 0a 25 20 08 d2 30 30 03 1e 00 03 1e 10 05 0a 25 20 08 d2 30 30 03 1e 00 03 1e 10 05 2a 05 25 20 04 00 00 00 cd eb 2a 04 25 20 15 0f ff bc 51 2a 09 25 10 12 00 00 00 00 03 1e 00 19 7a 2a 03 25 10 13 00 70 9a 2a 

• rinse aid led on

01:23:45.046 -> 03 | 17.10-07 | 01          | 6e 8d (crc=ok) | 1a (ack=ok)
01:23:45.046 -> 0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok) | (ack=err, re-evaluate byte)
01:23:45.079 -> 0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok) | 2a (ack=ok)
01:23:45.079 -> 03 | 24.20-06 | 03          | 0f 6e (crc=ok) | 2a (ack=ok)

• rinse aid led off

01:23:47.066 -> 03 | 17.10-07 | 00          | 7e ac (crc=ok) | 1a (ack=ok)
01:23:47.099 -> 0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok) | (ack=err, re-evaluate byte)
01:23:47.099 -> 0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok) | 2a (ack=ok)
01:23:47.132 -> 03 | 24.20-06 | 01          | 2f 2c (crc=ok) | 2a (ack=ok)

• salt led on

01:28:47.932 -> 03 | 24.20-06 | 01          | 2f 2c (crc=ok) | 2a (ack=ok)

• salt led off

01:28:49.653 -> 03 | 24.20-06 | 00          | 3f 0d (crc=ok) | 2a (ack=ok)

• select intensive 70 °C

01:31:02.197 -> 03 | 17.10-10 | 0a          | 45 02 (crc=ok) | 1a (ack=ok)
01:31:02.197 -> 0a | 25.20-08 | 8c 50 58 02 14 00 02 14 | f4 b1 (crc=ok) | 2a (ack=ok)
01:31:02.230 -> 04 | 25.20-15 | 0f ff       | bc 51 (crc=ok) | 2a (ack=ok)
01:31:02.263 -> 04 | 17.10-00 | 00 00       | 7e 88 (crc=ok) | 1a (ack=ok)
01:31:02.296 -> 0a | 25.20-08 | 8c 50 58 02 14 00 02 14 | f4 b1 (crc=ok) | 2a (ack=ok)
01:31:02.296 -> 03 | 17.10-11 | 0a          | 76 33 (crc=ok) | 1a (ack=ok)
01:31:02.329 -> 0a | 25.20-08 | 8c 50 58 02 14 00 02 14 | f4 b1 (crc=ok) | 2a (ack=ok)

• select options

• vario speed on

01:34:22.572 -> 04 | 17.10-00 | 00 80       | ef 00 (crc=ok) | 1a (ack=ok)
01:34:22.605 -> 0a | 25.20-08 | 5f 23 00 03 17 10 11 0a | 76 33 (crc=err, len=14)
01:34:22.605 -> 1a | 0a.25-20 | 08 5f 58 64 01 23 00 01 23 3d 12 0a 25 20 08 5f 58 64 01 23 00 01 23 3d | 12 2a (crc=err, len=30)

• vario speed on, half load on

01:36:04.666 -> 04 | 17.10-00 | 00 90       | fd 31 (crc=ok) | 1a (ack=ok)
01:36:04.666 -> 03 | 17.10-11 | 0a          | 76 33 (crc=ok) | 1a (ack=ok)
01:36:04.699 -> 0a | 25.20-08 | 4b 50 4c 01 0f 00 01 0f | 39 be (crc=ok) | (ack=err, re-evaluate byte)
01:36:04.699 -> 0a | 25.20-08 | 4b 50 4c 01 0f 00 01 0f | 39 be (crc=ok) | 2a (ack=ok)

• vario speed on, half load on, intensive zone on

01:37:10.852 -> 04 | 17.10-00 | 00 d0       | b5 f5 (crc=ok) | 1a (ack=ok)
01:37:10.885 -> 0a | 25.20-08 | 50 54 4c 01 14 b5 81 03 | 17 10 (crc=err, len=14)
01:37:10.885 -> 11 | 0a.76-33 | 0a 25 20 08 50 54 4c 01 14 51 fb 0a 08 50 54 | 0a 25 (crc=err, len=21)
01:37:10.918 -> 20 | 08.50-54 | 4c 01 01 0a 25 20 08 10 00 f1 03 17 10 11 0a 76 33 1a 0a 25 20 08 50 54 4c 01 14 00 01 14 | b5 81 (crc=err, len=36)
01:37:11.018 -> 0a | 25.20-08 | 50 54 4c 01 14 00 01 14 | b5 81 (crc=ok) | 2a (ack=ok)

• vario speed on, half load on, intensive zone on, hygiene plus on

01:38:21.644 -> 04 | 17.10-00 | 00 d8       | 34 fd (crc=ok) | 1a (ack=ok)
01:38:21.644 -> 03 | 17.10-11 | 0a          | 76 33 (crc=ok) | 1a (ack=ok)
01:38:21.677 -> 0a | 25.20-08 | 5f 58 4c 01 23 00 01 23 | 05 58 (crc=ok) | (ack=err, re-evaluate byte)
01:38:21.677 -> 0a | 25.20-08 | 5f 58 4c 01 23 00 01 23 | 05 58 (crc=ok) | 2a (ack=ok)

• door closed while power on

• beeper went off
• leds turn dark

01:39:47.706 -> 03 | 24.20-06 | 0b          | 8e 66 (crc=ok) | 2a (ack=ok)

• door opened

• leds came back on

01:39:48.335 -> 03 | 24.20-06 | 03          | 0f 6e (crc=ok) | 2a (ack=ok)

• start button pressed

01:44:06.576 -> 05 | 17.10-12 | 00 00 00    | 59 f7 (crc=ok) | 1a (ack=ok)
01:44:06.609 -> 03 | 17.10-13 | 01          | a1 3a (crc=ok) | 1a (ack=ok)
01:44:06.609 -> 0a | 25.20-08 | 5f 58 4c 01 23 00 01 23 | 05 58 (crc=ok) | (ack=err, re-evaluate byte)
01:44:06.642 -> 0a | 25.20-08 | 5f 58 4c 01 23 00 01 23 | 05 58 (crc=ok) | 2a (ack=ok)
01:44:06.675 -> 03 | 27.20-07 | 01          | 87 c1 (crc=ok) | 2a (ack=ok)

• door closed, cycle starts

• relays click
• error E20 thrown because of missing components
• beeper still works

01:45:14.234 -> 03 | 24.20-06 | 0b          | 8e 66 (crc=ok) | 2a (ack=ok)
01:45:14.267 -> 03 | 27.20-07 | 01          | 87 c1 (crc=ok) | 2a (ack=ok)
01:45:14.300 -> 06 | 26.20-02 | 00 04 00 00 | e2 53 (crc=ok) | 2a (ack=ok)
01:45:20.525 -> 06 | 26.20-02 | 00 04 4c 00 | aa f2 (crc=ok) | 2a (ack=ok)
01:45:20.525 -> 03 | 24.20-06 | 0b          | 8e 66 (crc=ok) | 2a (ack=ok)
01:45:20.558 -> 03 | 27.20-07 | 03          | a7 83 (crc=ok) | 2a (ack=ok)
01:45:20.558 -> 0a | 25.58-0a | 25 20 08 00 58 4c 00 00 | 00 02 (crc=err, len=14)
01:45:20.591 -> 0d | 0a.25-20 | 00 f1 0a 25 20 4c 00 0a 04 17 04 | 17 10 (crc=err, len=17)
01:45:20.624 -> 00 | 00.00-7e | (ack=err, re-evaluate byte)
01:45:20.624 -> 88 | 1a.0a-25 | 20 08 00 58 4c 00 00 00 53 f8 0a 25 20 08 00 58 4c 00 00 00 00 0a 25 20 08 00 40 4c 0a 25 58 4c 03 17 10 10 0a 45 02 1a 0a 25 00 58 0a 25 20 08 00 58 4c 00 00 00 00 09 0a 25 20 08 00 00 00 0a 25 0a 25 20 00 00 0a 25 20 08 00 58 4c 00 00 00 53 f8 0a 01 17 03 17 10 11 0a 76 33 1a 0a 25 20 08 00 58 4c 00 00 00 00 00 36 0d 0a 25 20 08 00 58 4c 00 00 00 00 00 36 0d 2a 03 25 20 05 20 38 88 2a 03 25 20 00 64 cf 3d 2a 04 25 20 13 03 02 75 2e 2a 04 25 20 15 0f ff bc 51 2a 03 25 10 13 00 70 9a 2a (read=timout)
01:45:33.967 -> 03 | 24.20-06 | 03          | 0f 6e (crc=ok) | 2a (ack=ok)
01:45:34.761 -> 03 | 25.20-12 | 00          | 86 0e (crc=ok) | 2a (ack=ok)

• error E15

• microswitch pressed
• relays click
• beeper

01:54:02.458 -> 03 | 24.20-06 | 0b          | 8e 66 (crc=ok) | 2a (ack=ok)
01:54:02.690 -> 03 | 24.20-06 | 0f          | ce e2 (crc=ok) | 2a (ack=ok)
01:54:02.690 -> 06 | 26.20-02 | 00 44 00 00 | ff fe (crc=ok) | 2a (ack=ok)
01:54:03.253 -> 03 | 24.20-06 | 0e          | de c3 (crc=ok) | 2a (ack=ok)
01:54:04.974 -> 04 | 25.20-13 | ff 02       | 23 82 (crc=ok) | 2a (ack=ok)

• microswitch released

01:54:05.636 -> 03 | 24.20-06 | 0a          | 9e 47 (crc=ok) | 2a (ack=ok)
01:54:05.670 -> 06 | 26.20-02 | 00 04 00 00 | e2 53 (crc=ok) | 2a (ack=ok)
01:54:08.981 -> 06 | 26.20-02 | 00 04 4c 00 | aa f2 (crc=ok) | 2a (ack=ok)

I have an Isolation Transformer rated 160VA so a pre rinse cycle would be possible to capture since there is no heating involved. The circulation pump draws about 70 Watts full speed. I'm not ready to get myself electrocuted but in the mean time I try to make up my mind on how to capture a full 70°C cycle with all options selected.

You're very welcome to use any information I provided. This project is awesome and its great how much information has been gathered so far.

[Nurster]

This is a pre rinse full cycle of a SN66P080EU/D4 running on EPG70002 with TimeLight attached.

(read=timout)
power up
13:17:39.889 -> 54 | 54.54-(read=timout)
13:17:39.922 -> 03 | 02.7f-f1 | 60          | bb d5 (crc=ok) | (ack=err, re-evaluate byte)
13:17:39.922 -> 6a | (read=timout)
13:17:40.188 -> 03 | 22.7f-f1 | 10          | f2 0c (crc=ok) | (ack=err, re-evaluate byte)
13:17:40.188 -> 03 | 22.7f-f1 | 10          | f2 0c (crc=ok) | (ack=err, re-evaluate byte)
13:17:40.221 -> 03 | 22.7f-f1 | 10          | f2 0c (crc=ok) | (ack=err, re-evaluate byte)
13:17:40.221 -> 03 | 22.7f-f1 | 10          | f2 0c (crc=ok) | (ack=err, re-evaluate byte)
13:17:40.254 -> 03 | 22.7f-f1 | 10          | f2 0c (crc=ok) | 2a (ack=ok)
13:17:40.387 -> 06 | 26.20-02 | 00 00 00 00 | 3e 93 (crc=ok) | 2a (ack=ok)
13:17:40.420 -> 03 | 24.20-06 | 00          | 3f 0d (crc=ok) | 2a (ack=ok)
13:17:40.487 -> 0a | 25.20-08 | 0f 0c 18 00 0f 00 00 0f | 97 aa (crc=ok) | 2a (ack=ok)
13:17:40.520 -> 16 | 25.20-11 | a5 0a 0d 0e 0f 11 12 a1 a0 80 83 81 84 a2 ff ff ff ff ff ff | cd 6f (crc=ok) | 2a (ack=ok)
13:17:40.520 -> 03 | 25.20-12 | 01          | 96 2f (crc=ok) | 2a (ack=ok)
13:17:40.553 -> 04 | 25.20-13 | ff ff       | 1d 30 (crc=ok) | 2a (ack=ok)
13:17:40.553 -> 06 | 25.10-20 | 00 00 00 00 | 85 aa (crc=ok) | 2a (ack=ok)
13:17:40.620 -> 11 | 25.10-17 | 40 01 09 6a 20 00 e4 0e 00 00 10 00 00 00 00 | 14 25 (crc=ok) | 2a (ack=ok)
13:17:40.653 -> 11 | 25.10-17 | 40 01 09 6a 20 00 e4 0e 00 00 10 00 00 00 00 | 14 25 (crc=ok) | (ack=err, re-evaluate byte)
13:17:40.653 -> 23 | 11.25-10 | 17 40 01 09 6a 20 00 e4 0e 00 00 10 00 00 00 00 14 25 2a 17 25 20 10 0e 00 01 04 04 00 40 00 00 b3 | 41 01 (crc=err, len=39)
13:17:40.686 -> 09 | 6a.20-80 | 01 00 e4 00 00 86 aa | 23 17 (crc=err, len=13)
13:17:40.720 -> 25 | 20.10-0e | 00 01 04 04 00 40 00 00 b3 41 01 09 6a 20 80 01 00 e4 00 00 86 aa 2a 03 27 20 07 02 b7 a2 2a 0a 25 20 82 | fe 0a (crc=err, len=41)
13:17:40.753 -> 25 | 20.08-82 | fe 0a 25 20 08 00 03 1e 03 17 10 01 00 d4 0a 1a 0a 25 20 08 d2 30 30 03 1e 00 03 1e 00 05 0a 25 20 00 f1 | 0a 25 (crc=err, len=41)
13:17:40.819 -> 20 | 00.30-03 | 0a 25 20 82 fe 0a 25 20 08 82 fe 0a d2 30 04 17 10 00 00 00 7e 88 1a 0a 25 20 08 d2 30 30 | 03 1e (crc=err, len=36)
13:17:40.886 -> 10 | 10.0a-25 | 20 08 d2 30 30 03 1e 00 03 01 0a 25 20 82 | fe 0a (crc=err, len=20)
13:17:40.919 -> 25 | 20.07-fe | 03 17 10 10 0e 05 86 1a 0a 25 20 08 d2 30 30 03 1e 00 03 03 17 10 11 0e 36 b7 1a 0a 25 20 08 d2 30 30 03 | 1e 00 (crc=err, len=41)
13:17:40.985 -> 03 | 1e.10-05 | (read=timout)
- select pre rinse
13:17:41.019 -> 0a | 25.20-08 | d2 30 30 03 1e 00 03 1e | 10 05 (crc=ok) | 2a (ack=ok)
13:17:41.052 -> 03 | 27.20-07 | 02          | b7 a2 (crc=ok) | 2a (ack=ok)
13:17:41.052 -> 05 | 25.20-04 | 00 00 00    | cd eb (crc=ok) | 2a (ack=ok)
13:17:41.085 -> 04 | 25.20-15 | 0f ff       | bc 51 (crc=ok) | 2a (ack=ok)
13:17:41.085 -> 09 | 25.10-12 | 00 00 00 00 03 1e 00 | 19 7a (crc=ok) | 2a (ack=ok)
13:17:41.085 -> 03 | 25.10-13 | 00          | 70 9a (crc=ok) | 2a (ack=ok)
- press start
13:17:45.333 -> 03 | 17.10-10 | 12          | d6 3b (crc=ok) | 1a (ack=ok)
13:17:45.366 -> 0a | 25.20-08 | 0f 0c 18 00 0f 00 00 0f | 97 aa (crc=ok) | 2a (ack=ok)
13:17:45.366 -> 04 | 25.20-15 | 0a 00       | 5d 54 (crc=ok) | 2a (ack=ok)
13:17:45.433 -> 04 | 17.10-00 | 00 00       | 7e 88 (crc=ok) | 1a (ack=ok)
13:17:45.466 -> 0a | 25.20-08 | 0f 0c 18 00 0f 00 00 0f | 97 aa (crc=ok) | (ack=err, re-evaluate byte)
13:17:45.466 -> 0a | 25.20-08 | 0f 0c 18 00 0f 97 aa 0a | 25 20 (crc=err, len=14)
13:17:45.499 -> 08 | 0f.0f-00 | 0a 25 20 00 02 03 | 17 10 (crc=err, len=12)
13:17:45.532 -> 11 | 12.e5-0a | 1a 0a 25 20 08 0f 0c 18 00 0f 00 00 0f 97 aa | 0a 25 (crc=err, len=21)
13:17:45.566 -> 20 | 08.0f-0c | 18 00 0f 00 00 0f 97 aa 2a (read=timout)
- close door
- cycle starts
- relays click
- drain pump spins to full speed
13:17:53.221 -> 05 | 17.10-12 | 00 00 00    | 59 f7 (crc=ok) | 1a (ack=ok)
13:17:53.254 -> 0a | 25.e0-f8 | 0a 25 20 08 0f 0c 18 00 | 0f 00 (crc=err, len=14)
13:17:53.254 -> 83 | aa.0a-25 | 20 08 0f 00 00 0a 0f 0c 03 17 10 13 01 a1 3a 1a 0a 25 20 08 0f 0c 18 00 0f 00 00 0f 97 aa (read=timout)
- water points spins
13:17:53.354 -> 0a | 25.20-08 | 0f 0c 18 00 0f 00 00 0f | 97 aa (crc=ok) | 2a (ack=ok)
13:17:53.354 -> 03 | 27.20-07 | 01          | 87 c1 (crc=ok) | 2a (ack=ok)
- water points stops
13:18:01.187 -> 03 | 24.20-06 | 08          | be 05 (crc=ok) | 2a (ack=ok)
- circulation pump spins
13:18:01.220 -> 11 | 25.10-17 | 40 01 09 6a 20 00 e4 0e 00 00 00 00 00 00 00 | 10 7f (crc=ok) | 2a (ack=ok)
13:18:01.220 -> 03 | 27.20-07 | 01          | 87 c1 (crc=ok) | 2a (ack=ok)
13:18:01.254 -> 06 | 26.20-02 | 00 00 00 00 | 3e 93 (crc=ok) | 2a (ack=ok)
13:18:03.144 -> 0a | 25.20-08 | 0f 0c 18 00 0f 00 00 0f | 97 aa (crc=ok) | 2a (ack=ok)
13:18:03.179 -> 05 | 25.20-04 | 00 00 00    | cd eb (crc=ok) | 2a (ack=ok)
13:18:03.179 -> 03 | 25.20-00 | 00          | e3 1f (crc=ok) | 2a (ack=ok)
13:18:03.278 -> 05 | 25.20-04 | 80 00 00    | f6 b1 (crc=ok) | 2a (ack=ok)
13:18:03.643 -> 05 | 25.20-04 | 20 00 00    | 4b 2d (crc=ok) | 2a (ack=ok)
13:18:07.658 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:18:09.649 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:18:20.665 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:18:22.656 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:18:42.697 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:18:47.208 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:18:51.722 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:18:56.035 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:19:00.745 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:19:03.133 -> 0a | 25.20-08 | 0e 0c 18 00 0e 00 00 0e | b6 ec (crc=ok) | 2a (ack=ok)
13:19:03.133 -> 03 | 25.20-00 | 07          | 93 f8 (crc=ok) | 2a (ack=ok)
13:19:03.730 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:19:18.790 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:19:29.668 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:19:38.823 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:19:39.089 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:19:40.349 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:19:41.809 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:20:03.231 -> 0a | 25.20-08 | 0d 0c 18 00 0d 00 00 0d | d5 26 (crc=ok) | 2a (ack=ok)
13:20:03.265 -> 03 | 25.20-00 | 0d          | 32 b2 (crc=ok) | 2a (ack=ok)
13:20:21.865 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:20:21.964 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:20:26.872 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:20:31.149 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:20:35.890 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:20:38.906 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:20:53.926 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:21:03.309 -> 0a | 25.20-08 | 0c 0c 18 00 0c 00 00 0c | f4 60 (crc=ok) | 2a (ack=ok)
13:21:03.342 -> 03 | 25.20-00 | 14          | b1 aa (crc=ok) | 2a (ack=ok)
13:21:05.033 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:21:14.981 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:21:16.971 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:21:17.004 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:21:36.399 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:21:51.023 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:22:03.424 -> 0a | 25.20-08 | 0b 0c 18 00 0b 00 00 0b | 12 b2 (crc=ok) | 2a (ack=ok)
13:22:03.457 -> 03 | 25.20-00 | 1b          | 40 45 (crc=ok) | 2a (ack=ok)
13:23:03.540 -> 0a | 25.20-08 | 0a 0c 18 00 0a 00 00 0a | 33 f4 (crc=ok) | 2a (ack=ok)
13:23:03.540 -> 03 | 25.20-00 | 21          | d7 5c (crc=ok) | 2a (ack=ok)
13:24:03.633 -> 0a | 25.20-08 | 09 0c 18 00 09 00 00 09 | 50 3e (crc=ok) | 2a (ack=ok)
13:24:03.633 -> 03 | 25.20-00 | 28          | 46 75 (crc=ok) | 2a (ack=ok)
- door opened
13:25:02.288 -> 03 | 24.20-06 | 00          | 3f 0d (crc=ok) | 2a (ack=ok)
13:25:02.288 -> 11 | 25.10-17 | 40 01 09 6a 20 00 e4 0e 00 00 00 00 00 00 00 | 10 7f (crc=ok) | 2a (ack=ok)
13:25:02.321 -> 17 | 25.20-10 | 12 00 01 04 04 00 40 00 00 b3 41 01 09 6a 20 80 01 00 e4 00 00 | a0 aa (crc=ok) | 2a (ack=ok)
13:25:02.354 -> 03 | 27.20-07 | 01          | 87 c1 (crc=ok) | 2a (ack=ok)
13:25:02.354 -> 05 | 25.20-04 | 20 00 00    | 4b 2d (crc=ok) | 2a (ack=ok)
13:25:02.387 -> 04 | 25.20-15 | 0a 00       | 5d 54 (crc=ok) | 2a (ack=ok)
13:25:02.387 -> 09 | 25.10-12 | 00 00 00 00 00 09 00 | da ce (crc=ok) | 2a (ack=ok)
- door closed
- relays click
- circulation pump spins
13:25:06.401 -> 03 | 24.20-06 | 08          | be 05 (crc=ok) | 2a (ack=ok)
13:25:06.500 -> 03 | 25.20-05 | 20          | 38 88 (crc=ok) | 2a (ack=ok)
13:25:06.533 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:25:16.347 -> 03 | 27.20-07 | 01          | 87 c1 (crc=ok) | 2a (ack=ok)
13:25:19.266 -> 05 | 25.20-04 | 20 00 00    | 4b 2d (crc=ok) | 2a (ack=ok)
13:25:20.725 -> 0a | 25.20-08 | 08 0c 18 00 08 00 00 08 | 71 78 (crc=ok) | 2a (ack=ok)
13:25:20.758 -> 03 | 25.20-00 | 2f          | 36 92 (crc=ok) | 2a (ack=ok)
13:26:20.839 -> 0a | 25.20-08 | 07 0c 18 00 07 00 00 07 | 8d bb (crc=ok) | 2a (ack=ok)
13:26:20.839 -> 03 | 25.20-00 | 35          | 85 e9 (crc=ok) | 2a (ack=ok)
13:27:20.928 -> 0a | 25.20-08 | 06 0c 18 00 06 00 00 06 | ac fd (crc=ok) | 2a (ack=ok)
13:27:20.928 -> 03 | 25.20-00 | 3c          | 14 c0 (crc=ok) | 2a (ack=ok)
13:28:21.014 -> 0a | 25.20-08 | 05 0c 18 00 05 00 00 05 | cf 37 (crc=ok) | 2a (ack=ok)
13:28:21.047 -> 03 | 25.20-00 | 43          | 9b b8 (crc=ok) | 2a (ack=ok)
13:29:21.099 -> 0a | 25.20-08 | 04 0c 18 00 04 00 00 04 | ee 71 (crc=ok) | 2a (ack=ok)
13:29:21.132 -> 03 | 25.20-00 | 49          | 3a f2 (crc=ok) | 2a (ack=ok)
13:30:21.212 -> 0a | 25.20-08 | 03 0c 18 00 03 00 00 03 | 08 a3 (crc=ok) | 2a (ack=ok)
13:30:21.212 -> 03 | 25.20-00 | 50          | b9 ea (crc=ok) | 2a (ack=ok)
13:31:21.322 -> 0a | 25.20-08 | 02 0c 18 00 02 00 00 02 | 29 e5 (crc=ok) | 2a (ack=ok)
13:31:21.322 -> 03 | 25.20-00 | 57          | c9 0d (crc=ok) | 2a (ack=ok)
13:32:16.501 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:32:21.408 -> 0a | 25.20-08 | 01 0c 18 00 01 00 00 01 | 4a 2f (crc=ok) | 2a (ack=ok)
13:32:21.441 -> 03 | 25.20-00 | 5d          | 68 47 (crc=ok) | 2a (ack=ok)
13:33:32.093 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:33:46.649 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:34:16.723 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:34:44.111 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:34:44.210 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:34:53.760 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:35:03.775 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
13:35:13.791 -> 03 | 25.20-09 | 00          | 59 87 (crc=ok) | 2a (ack=ok)
- circulation pump spins
13:35:14.189 -> 03 | 25.20-05 | 10          | 0e db (crc=ok) | 2a (ack=ok)
13:35:14.255 -> 0a | 25.20-08 | 01 0c 18 00 01 00 00 01 | 4a 2f (crc=ok) | 2a (ack=ok)
13:35:14.255 -> 03 | 25.20-05 | 20          | 38 88 (crc=ok) | 2a (ack=ok)
13:35:14.321 -> 03 | 27.20-07 | 03          | a7 83 (crc=ok) | 2a (ack=ok)
13:35:14.354 -> 0a | 25.20-08 | 00 0c 18 00 00 00 00 00 | 6b 69 (crc=ok) | (ack=err, re-evaluate byte)
13:35:14.354 -> 0a | 25.20-08 | 00 0c 18 00 00 6b 69 0a | 25 20 (crc=err, len=14)
13:35:14.354 -> 08 | 00.0c-18 | 00 00 00 00 12 da | 0a 25 (crc=err, len=12)
13:35:14.388 -> 20 | 08.00-00 | 00 0a 00 f1 0a 00 0c 04 17 10 00 00 00 7e 88 1a 0a 25 20 08 00 0c 18 00 00 6b 69 0a 25 20 | 08 00 (crc=err, len=36)
13:35:14.454 -> 0c | 18.00-00 | 00 00 00 6b 69 0a 25 20 08 00 | 00 00 (crc=err, len=16)
13:35:14.487 -> 0a | 25.0c-0a | 25 0c 0a 25 20 0c 18 0a | 25 0c (crc=err, len=14)
13:35:14.554 -> 0a | 25.00-0c | 03 17 10 01 02 f4 48 1a | 0a 25 (crc=err, len=14)
13:35:14.554 -> 0c | 18.0a-25 | 20 08 00 0c 18 00 00 6b 69 0a | 25 20 (crc=err, len=16)
13:35:14.587 -> 08 | 00.0c-18 | 00 00 00 69 03 24 | 20 06 (crc=err, len=12)
13:35:14.620 -> 00 | a2.03-24 | (ack=err, re-evaluate byte)
13:35:14.620 -> 20 | 00.ff-03 | 17 10 10 12 d6 3b 1a 03 24 20 06 08 be 05 2a 0a 25 20 08 00 0c 18 00 00 6b 69 0a 25 20 08 | 00 0c (crc=err, len=36)
13:35:14.686 -> 18 | 00.00-00 | 00 00 6b 69 03 17 10 11 12 e5 0a 1a 0a 25 20 08 00 0c 18 00 00 00 | 00 00 (crc=err, len=28)
13:35:14.720 -> 6b | 69.(read=timout)
13:35:14.753 -> 0a | 25.20-08 | 00 0c 18 00 00 00 00 00 | 6b 69 (crc=ok) | 2a (ack=ok)
13:35:14.753 -> 05 | 25.20-04 | 20 00 00    | 4b 2d (crc=ok) | 2a (ack=ok)
13:35:14.786 -> 03 | 25.20-05 | 20          | 38 88 (crc=ok) | 2a (ack=ok)
13:35:14.786 -> 03 | 25.20-00 | 64          | cf 3d (crc=ok) | 2a (ack=ok)
13:35:14.786 -> 04 | 25.20-13 | ff ff       | 1d 30 (crc=ok) | 2a (ack=ok)
13:35:14.786 -> 04 | 25.20-15 | 0a 00       | 5d 54 (crc=ok) | 2a (ack=ok)
- relays click
- beeper
13:35:14.820 -> 03 | 25.10-13 | 00          | 70 9a (crc=ok) | 2a (ack=ok)
13:36:22.561 -> 03 | 24.20-06 | 00          | 3f 0d (crc=ok) | 2a (ack=ok)
13:36:26.110 -> 03 | 25.20-12 | 00          | 86 0e (crc=ok) | 2a (ack=ok)
- power off
13:36:26.839 -> 54 | 54.

The TimeLight EPG53511 didn't do anything whatsoever. No light no frames just nothing :( I maybe got a broken unit but at least with the metal sheet to mount working unit in the future.

[Edit]
I tried the best I could to map the events to the capture output maybe I got some of them wrong. On request I can run another pre-rinse cycle or a full cycle if I figured out which way to insert the plug into the wall socket in order to not get electrocuted.

[hn]

• The second line in you log (03 | 02.7f-f1 | 60) likely comes from the Timelight ("hello world", see here). So it probably is not dead. 22.7f-f1 | 10 likely is the power module (D=1) saying hello to the user control module.
• I'm pretty sure that the Timelight LED is activated by software, you'll (just a guess) need to send a command to light up and probably another command to choose the bitmap animation.
• There is no command with D=6 in you log (there is one at 13:17:40.686 -> 09 | 6a.20-80 but the crc error shows it is probably just noise). Without D=6 commands the Timelight likely will not light up. Maybe the power module firmware has no/disabled support for Timelight.
• With bsh-dbus-logger.ino you can send commands to the D-Bus. Just type in command and payload (length and crc will be automatically calculated). Would be interesting if you can start the wash program by sending 17.10-10 | 12 or something else. If you send a fictious cmd 60.12-34 the Timelight should send an ACK 6a (at least mine does).
• I like the authentic bottle of beer in the photo :)

[Nurster]

I issued the following commands you suggested:

60.12-34

02 | 60.12-34 | 65 c5 (crc=ok) | 6a (ack=ok)
0a | 25.20-08 | ff 58 00 16 2e 00 0f 05 | df e1 (crc=ok) | 2a (ack=ok)
06 | 25.10-20 | 07 29 00 00 | cc d0 (crc=ok) | 2a (ack=ok)

17 10 10 (works as well without the dot and dash)

02 | 17.10-10 | 3a d9 (crc=ok) | 1a (ack=ok)
0a | 25.20-08 | ff 58 00 16 2c 00 0f 05 | 32 89 (crc=ok) | 2a (ack=ok)
04 | 25.20-15 | ff ff       | af 90 (crc=ok) | 2a (ack=ok)
0a | 25.20-08 | ff 58 00 16 2d 00 0f 05 | 44 3d (crc=ok) | 2a (ack=ok)
06 | 25.10-20 | 07 28 00 00 | fb e0 (crc=ok) | 2a (ack=ok)

• Time display on panel module says 4:15 now which is ridiculously long.
• I also tried several other random 60 commands without any luck. I guess it is just playing around until a clear pattern is known.
• You're right, the firmware probably isn't programmed for the use of a time light. I ordered mine hoping it would be detected like the panel module and the pcb components for zeolith drying.
• I saw TimeLight modules on eBay dating back to 2013 when there was no STM32 being used but a Renesas R8C. So my guess is the software components in ARM boards are present but not configured to be used.
• I might try to convice Ghidra to help me search for any '60' related datagrams.

[hn]

• Thanks to your help, I was able to read out the firmware (Timelight support included) from the EPG70012. I currently have very little time, but this will definitely interesting to analyze later.
• Do you know if the EPG70012 has more than one connector for D-Bus? The connector on the top left of my PCB seems to be dead, the DATA pin has 0V.
• You can try to 'ping' the logical D-Bus modules of your appliance: If you send fictious commands X0.12-34 (iterate X=0x1 ... 0xE), you can see who responds with ACKs.
• If you receive an ACK for X=0xA, it may be that your firmware supports Home Connect. Then you could send the command a0.80-00 02 02, which is exactly what the Internet module sends at startup. It is unclear what the response will be.

[Nurster]

• You're welcome. The second module I found outdoors is very likely to be the same as yours as it has no EPG70012 printed on it's enclosur but looks exactly like the 70012.
• On 70003, 70002, and 70012 I used the top left socket on the side. There's two in total.
• The terminal on the top has a seperate 3 pin socket at the left most side when viewing the component side. This is where the cable for time light fits. But it is also possible to plug it into a user panel module's port used in fully integrated machines.
• To answer your question if there is more than one D-Bus socket on the power module. Yes there's two more. One right above the one for the wiring harness on the left hand side and one on the top of the board for the time light.
• Three if you consider the panel module's port for the time light as a D-Bus port like I did for the power module

• data pins work on all ports with either logic analyzer or esp8266 running bsh-dbus-logger.ino and measure close to 5V.
• The pinging sounds like something to implement in the future in order to scan the bus for devices. Nice.
• The "Home Connect" string is somewhere stored in the firmware blob as Ghidra was able to pin point it.

power module:
10 12 34
02 | 10.12-34 | bd cd (crc=ok) | 1a (ack=ok)
panel module
20 12 34
02 | 20.12-34 | 78 68 (crc=ok) | 2a (ack=ok)
time light 🥇
60 12 34
02 | 60.12-34 | 65 c5 (crc=ok) | 6a (ack=ok)
a0 12 34
02 | a0.12-34 | 43 32 (crc=ok) | (nothing)
a0.80-00 02 02
04 | a0.80-00 | 02 02       | b7 dd (crc=ok) | (nothing)

• Selection of programmes or cycles I derived from the log file

17 10 10 0a (Intensive 70 °C, 2:15)
03 | 17.10-10 | 0a          | 45 02 (crc=ok) | 1a (ack=ok)
0a | 25.20-08 | 87 50 58 02 22 00 02 0f | 8a 34 (crc=ok) | 2a (ack=ok)
04 | 25.20-15 | 0f ff       | bc 51 (crc=ok) | 2a (ack=ok)
0a | 25.20-08 | 87 50 58 02 23 00 02 0f | fc 80 (crc=ok) | 2a (ack=ok)

17 10 10 12 (pre rinse, 0:15)
03 | 17.10-10 | 12          | d6 3b (crc=ok) | 1a (ack=ok)
0a | 25.20-08 | 0f 0c 18 01 2a 00 00 0f | b6 f0 (crc=ok) | 2a (ack=ok)
04 | 25.20-15 | 0a 00       | 5d 54 (crc=ok) | 2a (ack=ok)

• time changes led lit button doesn't

• The second and fourth frame 0a | 25.20-08 | 87 ... being the cycle's estimated time sent back to the user panel module. 87 == 135 Minutes == 2:15 for full cycle or 0f == 15 Minutes == 0:15.

• the time can be altered and sent to the panel module

• The other bytes are either submodules or fixed points in time but that is pure guess work.

• Judging from your work in your other repositories I assume you are familiar with Ghidra. There's a script called SVD-Loader https://github.com/leveldown-security/SVD-Loader-Ghidra
  helped me setting up the memory regions and is useful for analysis using ARM aggressive instruction finder.

• I use Ghidra for about month now and I'm not that experienced in reverse engineering.

• What works for me is stepping through code while the firmware is running live on the module with mappings turned on:
  

• break points seem to work only if the system is halted, bp enabled, and then execution resumed again

• watch points may fire every time whether enabled or not

• the watch dogs can screw up the system with an Error E01 so if you want to enable a previously created break point you've got to be fast

• this might not be necessary if the IWDG and WWDG are disabled.

• with SVD-Loader it is much easier to get the referring functions accessing their peripheral memory addresses.

• the WWDG once enabled cannot be disabled except on reset. So the function enabling the WWDG has to either be patched out or the assembler command to be altered not enabling the WWDG.

• I didn't make my mind up yet regarding the IWDG but If I've got more time I'll try disabling it as well.

• It is very much possible there's an rtos running underneath. It might explain sudden address changes of the stack pointer for a possible context change. Ghidra is aware of these changes and puts a warning in the affected functions after analysis finished.

[Edit]

• I cannot tell for sure whether one of the watchdogs is responsible for error E01 since if triggered they reset the system as a whole and that would be noticed and look different
• If it is a software watchdog it would be halted as well on an interrupt command gdb receives, being unable to count any further.
• Something else independently clocked like the IWDG is likely to cause E01 after interrupt and continue.
• Due to lack of time and knowledge I've not yet looked into it but I believe there's something in the DBG registers that could prevent that
• excerpt from reference manual:

28.15.4
RM0366
Debug MCU APB1 freeze register (DBGMCU_APB1_FZ)
The DBGMCU_APB1_FZ register is used to configure the MCU under DEBUG. It concerns
the APB1 peripherals:
• Timer clock counter freeze
• I2C SMBUS timeout freeze
• Window watchdog and independent watchdog counter freeze support
[...]

[Nurster]

• With gdb I was able to set the registers DBGMCU_APB1_FZ and DBGMCU_APB2_FZ

(gdb) mon reset halt
Unable to match requested speed 1000 kHz, using 950 kHz
Unable to match requested speed 1000 kHz, using 950 kHz
[stm32f3x.cpu] halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x080000e4 msp: 0x200001fc
(gdb) set *0xe0042008 = 0b00000000000000000001110000010001
(gdb) set *0xe004200C = 0b00000000000000000001000000010111
(gdb) x/2t 0xe0042008
0xe0042008:     00000000000000000001110000010001        00000000000000000001000000010111
(gdb) mon reset run
Unable to match requested speed 1000 kHz, using 950 kHz
Unable to match requested speed 1000 kHz, using 950 kHz
(gdb) x/2t 0xe0042008
0xe0042008:     00000000000000000001110000010001        00000000000000000001000000010111

• this stops or halts all timers (i know of), both watchdogs and the rtc when the execution is interrupted with the pause button or gdb interrupt command
• error E01 still persists if running firmware is halted with interrupt (pause button) then resumed with mon reset run or play button on Ghidra debugger

[hn]

@nophead has some interesting dishwasher findings here, e.g.

I presume for safety reasons, the touch sensitive button controller in the door is isolated from the mains, hence the optocouplers for the comms. It also has a separate 12V supply coming from an isolated second secondary winding on the switch mode transformer.

@Nurster If I understand correctly you say that X9, X10, X11 are D-Bus (4 pin for X10 and X11, only the bottom 3 are used?) in this picture