- 1 The dismantling or "teardown" of the CO2 meter
- 2 Reverse engineering of protocols
After doing the initial analysis it was time to do what I really bought the DM306 for. Gut it!
Curiosity kills me, and I need to know what's inside and how it's made.
In case you haven't read the previous article with the analysis (I recommend you do so) we talked about this meter:
- ★ REAL-TIME DATA MONITORING - This is a gas monitor that is able to accurately monitor CO2 concentration in real time, air quality, ambient humidity and temperature. The product comes with a built-in high-performance chip of a sophisticated infrared sensor, uses the recognition of big data algorithms, has advanced technology, and can evaluate and monitor data in real time.
- ★ 4 IN 1: PM2.5 AIR QUALITY CONTROL - Multifunctional air quality detector, effectively measuring CO2, air quality (PM2.5), temperature and humidity. It has independent NDIR sensors for measuring CO2, temperature, humidity, and laser scattering sensor for air quality (PM2.5).
- ★ LARGE COMBINED DISPLAY - It has a large, wide digital display with unified record measurement on common screen. Compared with ordinary and old air quality detectors, its interface design is more concise, intuitive, with clear area division and excellent texture.
- ★ PORTABLE AND VERSATILE - This TACKLY measuring device has a lightweight design which makes it easily portable thanks to its small size. It is easy to carry and you can put it wherever you want, therefore, it can detect air quality in terraces, bars, bedrooms, living rooms, kitchens, offices, cars, schools, hotels, campsites. Real-time 24-hour monitoring to protect healthy life and safety, ideal for Christmas holidays.
- ★ CE APPROVAL / QUALITY - TACKLY CO2 and air quality meter is approved by EU bodies, and features CE certification, guarantee of use and product quality. In addition, the CO2 alarm detector is made of high quality waterproof ABS material, and the data is updated in real time at 1.5 seconds per time, ensuring a very high consumer experience.
The dismantling or "teardown" of the CO2 meter
Opening the meter
One of the main objectives of buying this meter was precisely to be able to open it, investigate how it was made and get to know its components, especially its sensors. That way we could find out what to expect from it and what hacking possibilities there were.
Opening it is not very easy. Under the front of the screen, which is glued to the case, there are four screws that have to be removed. Removing the front is a bit scary because it is well glued and gives the feeling that it is going to break.
When you start to pry it off, you don't know exactly how it's mounted either, so you're even more afraid, thinking that you might damage the screen.
Finally you realise that the screen is not attached to the front, which is instead held on with double-sided adhesive tape. The screen is not in danger if you remove the front carefully; it is more a matter of not spoiling the look of the case. In my case I did it with a cutter and patience, cutting the adhesive and prying the front off.
Once you have removed the front, you can remove the four screws and the box opens like a shell in two halves without any problem.
When separating the two halves of the box, care must be taken because there are elements attached to both sides: the main board is on the front half, and the particle sensor, temperature sensor and battery are on the rear.
Care must be taken with the cables, especially those of the temperature sensor, which are very thin. The sensor is fixed with double-sided tape next to the vents and needs to be peeled off in order to separate the two parts of the case, which is not too difficult.
Structure and components
The structure of the meter is quite simple and, if we follow the board clockwise from the micro USB port, we find:
The battery charger is built around a not very well known ETA6002 integrated circuit.
One positive thing about this chip is that it incorporates a feature called "Power Path" which allows the meter to operate while the battery is charging and to do so without putting the battery and charger at risk, unlike other devices.
Although the chip allows a charging current of 2.5A it seems to be regulated to about 1A, which is quite good and a good compromise between charging speed and battery longevity.
Next, we have a section containing the power supply, or more precisely, the power supplies.
Power to the meter can be from a micro USB or from the battery, which means that the supply voltage can move between just over 3V and 5.25V.
These power supplies provide the different voltages that the meter needs to operate.
Firstly, we have a voltage booster, which is responsible for raising the voltage up to 5V. It is built around an AP2005 DC-DC booster integrated circuit of Chinese origin, for which I have not been able to find a datasheet in English.
From what I've been able to discover, the AP2005 is an asynchronous PWM booster rated for up to 3.5A at 1 MHz. It has a maximum efficiency of 92% and 100μA of current consumption at idle.
The meter also has a 3.3 V AMS1117 integrated to supply this voltage, with up to 1A of current, to the parts of the meter that require it. This chip has a typical quiescent current consumption of 5mA, which is quite high for a device that can run on battery power.
I leave you here the AMS1117 datasheet in case you want to know more.
The buzzer circuit is very simple. It has only a small, apparently passive, buzzer and a transistor to supply it with the current it needs.
The airborne particulate sensor is a laser-type sensor and is almost identical to the Winsen ZH03B, although not exactly the same, as we shall see below. It does not carry any kind of label or marking indicating its model.
It is very likely to be an older, smaller or less accurate version of the ZH03B, although the differences will probably not be too great.
In the following table you can see the main characteristics of the ZH03B sensor:
As you can see the accuracy of their measurements is ±15 µg/m3 when measuring between 0 and 100 µg/m3 and ±15 µg/m3 of the measurement when measuring between 101 and 1000 µg/m3.
Note also the MTTF (Mean Time Between Failures) of only 10000h. This means that the sensor will not last forever, far from it (no sensor of this type does, and this is a common figure for such laser sensors).
So that you don't have to do the maths, I'll tell you that 10000 hours are 416.667 days. The average time between failures is just under one and a half years.
Here is the ZH03B datasheet in case you want to know more.
Here you can see the ZH03B sensor on AliExpress in case you want to see how much it costs in the official Winsen shop - surprisingly, it costs more than the meter!
The CO2 sensor in the meter has been a surprise, as I am used to many different sensors on the market.
I'll start by saying that this is not a sensor made by Winsen, although it looks very similar (see the update below).
Its physical layout, in terms of pins, distribution of the ventilation windows, etc., is the same as that of the Winsen MH-Z19 sensor (an older model that has been discontinued for some years).
The biggest surprise is that this sensor has exposed electronic components on its printed circuit board (underneath the sensor), whereas all other Winsen sensors I know of have all the components inside (in this respect it resembles the sensors made by the Chinese manufacturer Cubic).
Another difference is in its case. Its case is a shiny silver-coloured plastic while all the sensors I knew so far from Winsen were gold-coloured.
As we will see below, the sensor's communication protocol does not resemble that of other Winsen sensors either.
After further investigation, it appears that it is the QC103 sensor from the Chinese company Q&C Sensing Technology (Shenzhen Qincheng Sensing Technology Co., Ltd.). A little known sensor, until now.
On paper its characteristics are indeed very similar to the Winsen MH-Z19B, although in practice it seems to be much less accurate in its measurements.
A major limitation is that you do not have access to its full communications protocol, which means that you do not know for sure whether self-calibration is enabled or how to do an on-demand calibration.
In the datasheet you can see that there is a sensor configuration program called MK46XTestTool, although I have not been able to find it no matter how hard I have looked for it.
Here are the most important technical specifications, which I have translated from Chinese:
| Parameter | Value |
|---|---|
| Measurement range | 400~5000 ppm, expandable 0-6000 ppm |
| Accuracy | ±50 ppm plus 5% of reading (1)(2) |
| Response time (t90) | <120 s |
| Warm-up time | <8 s (output value), <120 s (accurate output) |
| Temperature dependence | ±5 ppm/°C or 0.5% reading/ |
| Output signal | UART, PWM, I2C (customised) |
| Average current | <30 mA (5 V) |
| Operating temperature | 0 ~ 50 °C |
| Operating humidity | 0 to 95% RH, no condensation |
| Storage temperature | -20.0 ~ 60.0 °C |
| Product size | 33 mm × 21 mm × 11 mm (without pins) |
| Life expectancy | 10 years |
| Calibration cycle | No calibration required (turn on self-calibration in normal IAQ applications) |

(1): Accuracy is measured at a room temperature of 25 °C and an atmospheric pressure of 101.3 kPa. To verify sensor uncertainty, add the uncertainty (±2%) of the standard gas used for calibration.
(2): In normal indoor air quality applications, sensor accuracy is defined for more than 3 minutes after the auto-calibration function is turned on and running continuously for three weeks.
(3): Auto-calibration is based on the atmospheric CO2 concentration of 400ppm, which the sensor uses as the reference point when it automatically runs its calibration algorithm. The default auto-calibration cycle is 24 hours, and custom calibration cycles are supported.
The temperature sensor is some kind of thermistor.
A thermistor is a special type of resistor whose resistive value varies more strongly with temperature than that of a common resistor. Its operation is based on the change in resistivity of a semiconductor with temperature.
It does not have any markings on it so I have not been able to find out what it is, and therefore its measuring range and accuracy.
The relative humidity sensor looks like some kind of capacitive type sensor.
Nor is there any reference to identify it, so we do not know its measurement range and precision.
The microprocessor is a MS51FB9AE from the Asian manufacturer Nuvoton.
This is a Chinese version of the 8051 microprocessor, a near-standard in industrial microprocessors and certainly a chip with plenty of power for this meter and great peripheral management.
I leave you here the MS51FB9AE datasheet.
The display controller chip looks like a TM1621 from the Chinese company Shenzhen Titan Micro Elec. As with other components of Chinese origin, I have not found a datasheet in English, nor any more information.
If you dare with its datasheet in Chinese, here it is.
The battery is a Li-Ion (lithium-ion) type in 16850 format and is unmarked, although I have to say that it comes shrink-wrapped in an opaque blue plastic, which I have not removed, so you can't see the cell directly.
I didn't think it was important to see the cell, so I didn't take the trouble to remove the shrink-wrap. I have tested the charge, and I have been able to verify that it charges approximately 1900mAh.
Reverse engineering of protocols
Once we know the components of the meter, it is time to reverse-engineer the protocols that the meter's sensors use to communicate, to try to understand them so that the sensors can be used in other projects.
Armed with a logic analyser, which is a device that, together with its software, specialises in capturing and analysing communications between different elements, I set out to capture these communications and analyse them.
CO₂ sensor protocol
Since the sensor is very similar in appearance to the Winsen MH-Z19, I carry out some checks on its pins, with the help of a multimeter and oscilloscope, and I check that its connections match (at least the power and communications connections, which are the ones I am interested in at the moment).
I activate the capture on the logic analyser while I check the CO2 measurements on the screen and capture the data for 30 seconds.
This is the result, enlarged to the area of interest:
You can see on channel 0 the communication from the sensor to the microcontroller and on channel 1 the communication from the microcontroller to the sensor.
As you can see, the controller sends a sequence to the sensor (channel 1) requesting the measurement and the sensor responds, 100ms later (channel 0), with a frame containing the measurement data.
This is the query that the microcontroller sends to the sensor:
Although it is always the same, it seems to be composed of a two-byte header (0x64 0x69), the data length (0x03) and a two-byte CRC (0x5E 0x4E).
If we focus on the data received, we find the following:
We can see a structure very similar to what would be produced in an MH-Z19 sensor and, making some assumptions, I can figure out the command that the microcontroller sends to the sensor to request a measurement and decipher the protocol in order to be able to extract such a measure. The first part is achieved!
I have circled in red the two bytes (0xA4 0x05) that correspond to the CO2 concentration. If we invert the two bytes and convert the result to decimal, we get 0x05A4 = 1444. Just what the DM306 shows us on the screen, we have it!
The protocol appears to be a modified Modbus, with a 28-byte frame split into: a 2-byte 0x64 0x69 header (always the same), two bytes with unknown content, two bytes containing the CO₂ measurement in hexadecimal in reverse order (most significant byte first), 6 bytes with unknown content and a two-byte checksum of type ModbusCRC16, which the receiver uses to check whether all the received data is correct (if the checksum of the received data does not match, the whole frame is discarded).
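The check described above, as an added Python example (not code from the article or from the sensor's manufacturer): it recomputes the Modbus CRC16 of the query bytes 0x64 0x69 0x03 quoted in the article and decodes the CO₂ field the way the 0xA4 0x05 → 1444 example does. The response frame in the demo is constructed, with the unknown fields zero-filled and the CO₂ field assumed to sit at byte offsets 4-5, right after the header and the two unknown bytes.

```python
HEADER = bytes([0x64, 0x69])                    # frame header reported in the article
QUERY = bytes([0x64, 0x69, 0x03, 0x5E, 0x4E])   # measurement request from the article

def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def crc_ok(frame: bytes) -> bool:
    """The last two bytes carry the CRC, low byte first as in Modbus RTU."""
    if len(frame) < 4:
        return False
    return modbus_crc16(frame[:-2]) == int.from_bytes(frame[-2:], "little")

def parse_co2(frame: bytes) -> int:
    """Return the CO2 reading in ppm, or raise ValueError to discard the frame."""
    if len(frame) < 8 or frame[:2] != HEADER:
        raise ValueError("bad header or short frame")
    if not crc_ok(frame):
        raise ValueError("CRC mismatch, frame discarded")
    # Assumed offset 4-5; low byte first: 0xA4 0x05 -> 0x05A4 = 1444
    return int.from_bytes(frame[4:6], "little")

def build_sample_response(ppm: int) -> bytes:
    """CONSTRUCTED frame for the demo: unknown fields are zero-filled."""
    body = HEADER + bytes(2) + ppm.to_bytes(2, "little") + bytes(6)
    return body + modbus_crc16(body).to_bytes(2, "little")

if __name__ == "__main__":
    print("query CRC valid:", crc_ok(QUERY))
    good = build_sample_response(1444)
    print("CO2 ppm:", parse_co2(good))
    corrupted = bytearray(good)
    corrupted[4] ^= 0x01                        # single bit flipped on the wire
    try:
        parse_co2(bytes(corrupted))
    except ValueError as exc:
        print("rejected:", exc)
```

The parser relies only on the header, the field offset and the trailing CRC, so it does not depend on the total frame length.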
The particle sensor protocol
As I did in the previous case, I capture the data for 30 seconds with the help of the logic analyser and analyse the result, comparing it with the already known protocol of the ZH03B sensor.
The result is encouraging.
This is a longer frame than ZH03B but keeps the same bytes in the header.
After some simple calculations, comparing them with the measurements displayed on the screen, which I have taken the precaution of recording on video synchronously with the data capture, I decipher how the measurements are transmitted.
The structure is very similar to that of the CO2 sensor: two start bytes, two bytes with the length of the data, then the sensor data, a few bytes at 0 and a checksum (a simple checksum from byte 1 to byte 30).
I also note that the protocol is very similar to that of the PMS1003, PMS5003 and PMS7003 sensors, with the same header and length.
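An added Python example (not from the article) of framing such a stream: it resynchronises on the start bytes, checks the length field and the additive checksum, and returns the raw 16-bit data words of each valid frame. The start bytes 0x42 0x4D, the 32-byte frame and the big-endian fields are assumptions taken from the PMS5003 layout that the article says this sensor shares; the sample frames are constructed, and no assumption is made about which word holds which measurement.

```python
START = b"\x42\x4d"  # assumption: PMS5003-family start bytes
FRAME_LEN = 32       # assumption: 2 start + 2 length + 26 data + 2 checksum

def checksum(body: bytes) -> int:
    """Plain 16-bit sum of bytes 1 to 30 (everything before the checksum)."""
    return sum(body) & 0xFFFF

def build_frame(words):
    """CONSTRUCTED sample frame: up to 13 data words, the rest zero-filled."""
    words = list(words) + [0] * (13 - len(words))
    body = START + (FRAME_LEN - 4).to_bytes(2, "big")
    body += b"".join(w.to_bytes(2, "big") for w in words)
    return body + checksum(body).to_bytes(2, "big")

def extract_frames(stream: bytes):
    """Return the data words of every valid frame in a raw UART capture."""
    frames, i = [], 0
    while i + FRAME_LEN <= len(stream):
        frame = stream[i:i + FRAME_LEN]
        valid = (frame[:2] == START
                 and int.from_bytes(frame[2:4], "big") == FRAME_LEN - 4
                 and checksum(frame[:-2]) == int.from_bytes(frame[-2:], "big"))
        if not valid:
            i += 1  # noise, false start or damaged frame: resync byte by byte
            continue
        frames.append([int.from_bytes(frame[k:k + 2], "big")
                       for k in range(4, FRAME_LEN - 2, 2)])
        i += FRAME_LEN
    return frames

if __name__ == "__main__":
    damaged = bytearray(build_frame([10, 25, 30]))
    damaged[5] ^= 0xFF  # flip bits in one data byte
    capture = (b"\x00\x42\x17" + build_frame([10, 25, 30])
               + bytes(damaged) + build_frame([12, 35, 40]))
    for words in extract_frames(capture):
        print(words)
```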
DON'T MISS THE NEXT ARTICLE TO FIND OUT WHAT WE ARE GOING TO DO WITH THIS INFORMATION 😉.