Last Modified May 6, 2021
- 1 The dismantling, gutting or «teardown» of the CO2 meter
- 2 Reverse engineering of the protocols
After doing the initial analysis it was time to do what I had actually bought the DM306 for. Gut it!
Curiosity kills me, and I need to know what is inside and how it is made.
In case you have not read the previous article with the analysis (I recommend that you do so) we are talking about this meter:
- REAL-TIME DATA MONITORING - This is a gas monitor that is capable of accurately and real-time monitoring of CO2 concentration, air quality, ambient humidity and temperature. The product is embedded with a high-performance chip of a sophisticated infrared sensor, uses Big data algorithm recognition, has advanced technology, can already evaluate and monitor effective and real-time data.
- 4 IN 1: AIR QUALITY CONTROL PM2.5 - Multifunctional air quality detector, as it effectively measures CO2, air quality (PM2.5), temperature and humidity. It has independent NDIR sensors for the measurement of CO2, temperature, humidity, and a laser scattering sensor for air quality (PM2.5).
- JOINT AND WIDE DISPLAY - It has a large wide digital screen with unified record measurement on a common screen. Compared with ordinary and old air quality detectors, its interface design is more concise, intuitive, with clear area division and excellent texture.
- PORTABLE and VERSATILE - This TACKLY measuring device has a lightweight design that makes it easily portable thanks to its small size. It is easy to transport and you can put it wherever you want, therefore, it can detect the quality of gas in terraces, bars, bedrooms, living rooms, kitchens, offices, cars, schools, hotels, camps. 24-hour real-time monitoring to protect healthy life and safety, ideal for the Christmas holidays.
- CE / QUALITY APPROVAL - The TACKLY CO2 and air quality meter is approved by EU bodies, and presents CE certification, guarantee of use and product quality. In addition, the CO2 alarm detector is made of high-quality waterproof ABS material, and the data is updated in real time at 1.5 seconds at a time, ensuring a very high consumer experience.
The dismantling, gutting or «teardown» of the CO2 meter
Opening the meter
One of the main objectives of buying this meter was precisely to be able to open it and investigate how it was made and to know its components, especially its sensors, to be able to know what we could expect from it and what possibilities of hacking there were.
Opening it is not very easy. Under the front of the screen, which is glued to the case, there are four screws that must be removed and removing the front is a bit scary because it is well glued and gives the feeling that it is going to break.
When you start to take it off you do not know exactly how it is mounted, so you are even more afraid, thinking that you could damage the screen.
Finally you realize that the screen is not attached to the front, but is glued with a double-sided tape, so removing it carefully the screen is not in danger and it is more a problem of not spoiling the aesthetic appearance of the box. In my case I did it with a cutter and patience, cutting the adhesive and prying.
Once you have removed the front, you can remove the four screws and the case opens like a shell in two halves without problem.
When separating the two halves of the box you have to do it carefully because we have items pasted on both sides, attached with cables. The main board is in the front and the particle sensor, the temperature sensor and the battery in the back.
You have to be careful with those cables, especially the temperature sensor, because it has some very fine cables, quite short and if you are not careful you could spoil it. The sensor is glued with double-sided tape next to the vents and needs to be peeled off in order to separate the two parts of the case, which is not too difficult.
Structure and components
The structure of the meter is quite simple and, if we follow the board from the micro USB port in a clockwise direction, we find:
The battery charger is built around an ETA6002 integrated circuit, not very well known.
One positive thing about this chip is that it incorporates a feature called "Power Path" which allows the meter to work while the battery is charging and to do so without putting the battery or charger at risk, unlike other devices.
Although the chip allows a charging current of 2.5A, it seems that it is regulated to approximately 1A, which is quite good and represents a good compromise between charging speed and battery longevity.
Next, we have a section that contains the power supply or, more precisely, the power supplies.
The meter can be powered from a micro USB or from the battery, which means that the supply voltage can move between just over 3V and 5.25V.
These power supplies provide the different voltages that the meter needs to operate.
First of all, we have a voltage booster, which is responsible for raising the voltage to 5V and which is built with an integrated circuit DC-DC booster AP2005 of Chinese origin, and of which I have not been able to find a datasheet in English.
From what I have been able to discover, the AP2005 is an asynchronous PWM booster rated up to 3.5A at 1 MHz. It has a maximum efficiency of 92% and 100μA of current draw while idle.
The meter also has an integrated 3.3 V AMS1117 to supply that voltage, with up to 1A of intensity, to the parts of the meter that require it. This IC has a typical quiescent current draw of 5mA, quite high for a device that can run on battery.
I leave you here the AMS1117 datasheet in case you want to know more.
The buzzer circuit is very simple. It only has a small buzzer, apparently passive, and a transistor to supply the current it needs.
The airborne particle sensor is laser type and is practically the same as the model ZH03B from Winsen, though not the same exactly, as discussed below. It does not carry any type of label or brand indicating its model.
It is very likely that it is an older, reduced or lower precision version than the ZH03B, although the differences probably will not be too great.
In the following table you can see ZH03B sensor main features:
As you can see, the precision of its measurements is ± 15 µg / m3 when measuring between 0 and 100 µg / m3 and ± 15 µg / m3 of the measurement when measuring between 101 and 1000 µg / m3.
Also look at the MTTF (mean time between failures) of only 10000h, which means that the sensor won't last forever, far from it (no sensor of this type does, and this is a common figure for this type of laser sensor).
So you don't have to do the math, I'll tell you that 10,000 hours are 416.667 days, so the mean time between failures is just under a year and a half.
Here is the ZH03B datasheet in case you want to know more.
Here you can see the sensor ZH03B on AliExpress in case you want to see how much it costs in the official Winsen store. Amazing, it costs more than the meter!
The CO2 sensor that the meter incorporates came as quite a surprise, accustomed as I am to the many different sensors that exist on the market.
I will start by saying that it is not a sensor made by Winsen, although it looks very similar (see the update, below).
Its physical arrangement, in terms of pins, distribution of the ventilation windows, etc., is the same as that of the Winsen MH-Z19 sensor (an old model that has not been manufactured for some years).
The biggest surprise is that this sensor has exposed electronic components on its printed circuit board (below the sensor), whereas all the other Winsen sensors that I know of have all the components inside (in this sense it looks like the sensors manufactured by the Chinese manufacturer Cubic).
Another difference is in its box. Its case is shiny silver plastic while all the sensors I knew of so far from Winsen were gold.
As we will see later, the sensor's communications protocol is not similar to that of other Winsen sensors.
Upon further investigation, it appears that it is the QC103 sensor from the Chinese company Q&C Sensing Technology (Shenzhen Qincheng Sensing Technology Co., Ltd.). A little known sensor, until now.
On paper, its characteristics are, indeed, very similar to Winsen's MH-Z19B, although in practice it seems considerably less precise in measurements.
An important limitation is not having access to its complete communications protocol, which means you cannot know with certainty whether its autocalibration is activated or how to do an on-demand calibration.
In the datasheet you can see that there is a sensor configuration program called MK46XTestTool, although I have not been able to find it no matter how much I have searched for it.
Here I leave you the most important of its technical specifications, which I have translated from Chinese:
| Parameter | Value |
|---|---|
| Measurement range | 400 ~ 5000 ppm, expandable 0-6000 ppm |
| Accuracy | +/- 50 ppm plus 5% reading (1) (2) |
| Response time (t90) | <120 s |
| Warm-up time | <8 s (output value), <120 s (accurate output) |
| Temperature dependence | ± 5 ppm / °C or 0.5% reading / |
| Operating voltage | 4.5 ~ 5.5 V |
| Output signal | UART, PWM, I2C (customized) |
| Average current | <30 mA (5 V) |
| Operating temperature | 0 ~ 50 °C |
| Operating humidity | 0 to 95% RH, no condensation |
| Operating pressure | 700 ~ 1100 mbar |
| Storage temperature | -20.0 ~ 60.0 °C |
| Product size | 33 mm × 21 mm × 11 mm (without pins) |
| Life expectancy | 10 years |
| Calibration cycle | No calibration required (turn on self-calibration in normal IAQ applications) |
(1): Accuracy is measured at room temperature of 25 °C and atmospheric pressure of 101.3 kPa. To verify sensor uncertainty, add uncertainty (± 2%) of the standard gas used for calibration.
(2): In normal indoor air quality applications, sensor accuracy is defined for more than 3 minutes after the auto-calibration function is turned on and running continuously for three weeks.
(3): Auto-calibration takes the atmospheric CO2 concentration of 400 ppm as its reference point, from which the sensor automatically runs the calibration algorithm. The default auto-calibration cycle is 24 hours, and custom calibration cycles are supported.
The temperature sensor is some kind of thermistor.
A thermistor is a special type of resistance whose resistive value varies as a function of temperature in a more pronounced way than in the case of a common resistance. Its operation is based on the variation of resistivity presented by a semiconductor with temperature.
It does not have any type of mark so it has not been possible for me to find out what it is, and therefore its measurement range and precision.
The relative humidity sensor looks like some kind of capacitive type sensor.
Nor does any type of reference appear to be able to identify it, so we are left without knowing its measurement range and precision.
The microprocessor is an MS51FB9AE from the Asian manufacturer Nuvoton.
It is a Chinese version of the 8051 microprocessor. A standard practically in industrial microprocessors and, without a doubt, a chip with plenty of power for this meter and great peripheral management.
I leave you here the MS51FB9AE datasheet.
The display controller chip looks like a TM1621 from Chinese company Shenzhen Titan Micro Elec. As in other cases of components of Chinese origin, I have not found a datasheet in English, nor more information.
If you dare to tackle its datasheet in Chinese, here it is.
The battery is Li-Ion (lithium ion) in 16850 format. It does not bear any type of mark, although I have to say that it is shrink-wrapped in an opaque blue plastic, which I have not removed, so the cell cannot be viewed directly.
I didn't think it was important to see the cell, so I didn't bother to remove the shrink wrap. I did run charge tests, and I have been able to verify that it charges approximately 1900mAh.
Reverse engineering of the protocols
Once we know the components of the meter, it is time to reverse engineer the protocols that the meter's sensors use to communicate, in order to understand them and be able to use them in other projects.
Armed with a logic analyzer, which is a device that, together with specialized software, captures and analyzes the communication between different elements, I am about to capture these communications and analyze them.
The CO₂ sensor protocol
Assuming that the sensor is very similar, in appearance, to Winsen's MH-Z19, I carry out some checks on its pins, with the help of a multimeter and oscilloscope, and check that their connections match (at least the power and communications connections, which are the ones that interest me right now).
I activate the capture in the logic analyzer while checking the CO2 measurements on the screen and capturing the data for 30 seconds.
This is the result, expanded to the area of interest:
You can see in channel 0 the communication from the sensor to the microcontroller and in channel 1 that of the microcontroller to the sensor.
As you can see, the controller launches a sequence to the sensor (channel 1) requesting the measurement and the sensor responds, 100ms later (channel 0), with a frame containing the measurement data.
This is the query that the microcontroller sends to the sensor:
Although it is always the same, it appears to be composed of a two-byte header (0x64 0x69), the length of the data (0x03) and a two-byte CRC (0x5E 0x4E).
If we focus on the data received, we find the following:
We can see a structure very similar to the one that would occur in an MH-Z19 sensor and, making some assumptions, I am able to find out the command that the microcontroller sends to the sensor to request a measurement and decode the protocol to be able to extract said measurement. The first part is done!
I have marked in a red circle the two bytes (0xA4 0x05) that correspond to the CO2 concentration. If we swap the two bytes and convert to decimal, 0x05A4 = 1444, just what the DM306 shows us on screen. We have it!
The protocol appears to be a modified Modbus, with a 28-byte frame that is divided into: a 2-byte header 0x64 0x69 (always the same), two bytes with unknown content, two bytes containing the CO₂ measurement in hexadecimal with the byte order reversed (least significant byte first, as in the 0xA4 0x05 example above), 6 bytes with unknown content, and a two-byte checksum of type Modbus CRC16. The receiver uses this checksum to verify that all the received data are correct (if the checksum computed over the received data does not match, the entire frame is discarded).
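A decoder for the frames described above, as an added example that is not part of the original article: it checks the Modbus CRC16 (which reproduces the 0x5E 0x4E of the captured query when the CRC is sent low byte first) and reads the CO₂ value least significant byte first, as in the 0xA4 0x05 capture. The response frame is constructed, with the unknown fields zero-filled, and the offset of the measurement is an assumption that follows the field order given in the text.

```python
import struct

HEADER = b"\x64\x69"   # header bytes reported in the article
FRAME_LEN = 28         # response length reported in the article
CO2_OFFSET = 4         # assumption: header (2) + two unknown bytes (2)

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def crc_ok(frame: bytes) -> bool:
    """True if the last two bytes are the CRC of the rest, low byte first."""
    if len(frame) < 3:
        return False
    (received,) = struct.unpack("<H", frame[-2:])
    return crc16_modbus(frame[:-2]) == received

def parse_co2(frame: bytes) -> int:
    """Return the CO2 reading in ppm; raise ValueError on a bad frame."""
    if len(frame) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} bytes, got {len(frame)}")
    if frame[:2] != HEADER:
        raise ValueError("bad header")
    if not crc_ok(frame):
        raise ValueError("CRC mismatch, frame discarded")
    (ppm,) = struct.unpack_from("<H", frame, CO2_OFFSET)
    return ppm

def build_sample_response(ppm: int) -> bytes:
    """Constructed test frame: the unknown fields are zero-filled placeholders."""
    body = HEADER + b"\x00\x00" + struct.pack("<H", ppm) + bytes(FRAME_LEN - 8)
    return body + struct.pack("<H", crc16_modbus(body))

QUERY = bytes.fromhex("6469035e4e")  # the query bytes listed in the article

if __name__ == "__main__":
    print("query CRC valid:", crc_ok(QUERY))
    print("CO2 ppm:", parse_co2(build_sample_response(1444)))
```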
The particle sensor protocol
As I did in the previous case, I capture the data for 30 seconds with the help of the logic analyzer and analyze the result, comparing it with the already known protocol of the ZH03B sensor.
The result is encouraging.
It is a longer frame than ZH03B but it keeps the same bytes in the header.
After some simple calculations, comparing them with the measurements shown on the screen and having taken the precaution of recording video in sync with the data capture, I can figure out how the measurements are transmitted.
The structure is very similar to that of the CO2 sensor: two start bytes, two bytes with the length of the data, then the data from the sensors, a few bytes set to 0 and a checksum (a simple checksum of byte 1 up to byte 30).
I also observe that the protocol is very similar, and has the same header and length, to that of the PMS1003, PMS5003 and PMS7003 sensors.
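A framing check for a raw capture of the particle sensor, as an added example that is not the author's code. It assumes the PMS-series conventions (start bytes 0x42 0x4D, big-endian length field, a 16-bit big-endian sum as the last two bytes), which the observations above match but do not spell out; the sample frames are constructed.

```python
START = b"\x42\x4d"   # assumption: PMS-series start bytes
FRAME_LEN = 32        # 30 summed bytes + 2 checksum bytes (assumed 16-bit)

def checksum_ok(frame: bytes) -> bool:
    """Additive checksum: sum of bytes 1..30 equals the big-endian last two."""
    return sum(frame[:30]) & 0xFFFF == int.from_bytes(frame[30:32], "big")

def extract_frames(stream: bytes) -> list[bytes]:
    """Scan a raw capture, resynchronising on the start bytes and keeping
    only frames whose length field and checksum are both consistent."""
    frames, i = [], 0
    while (i := stream.find(START, i)) != -1:
        frame = stream[i:i + FRAME_LEN]
        if len(frame) < FRAME_LEN:
            break                    # truncated tail of the capture
        declared = int.from_bytes(frame[2:4], "big")
        if declared == FRAME_LEN - 4 and checksum_ok(frame):
            frames.append(frame)
            i += FRAME_LEN           # skip past a good frame
        else:
            i += 1                   # false sync or corrupted frame
    return frames

def build_sample_frame(words: list[int]) -> bytes:
    """Constructed frame: 13 big-endian data words with made-up values."""
    body = START + (28).to_bytes(2, "big")
    body += b"".join(w.to_bytes(2, "big") for w in words)
    return body + (sum(body) & 0xFFFF).to_bytes(2, "big")

if __name__ == "__main__":
    good = build_sample_frame([12, 18, 20] + [0] * 10)
    corrupted = bytearray(good)
    corrupted[5] ^= 0xFF             # simulate a line error in the payload
    capture = b"\x00\x42\x4d\x99" + bytes(corrupted) + good + good[:10]
    print(len(extract_frames(capture)), "valid frame(s) recovered")
```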
DO NOT MISS THE FOLLOWING ARTICLE TO KNOW WHAT WE ARE GOING TO DO WITH THIS INFORMATION 😉