Parameters type conversion

Post date: Nov 9, 2019 9:05:11 PM

In my previous post I mentioned the variables that I discovered inside the message IDs.

Using a Python script I can select an ID from the captured traffic and see how the data corresponds to the values reported by PowerChute. The reported values usually have fractional parts, but I did not recognize floating-point-style byte structures in the message data. Combined with the fact that the complexity of these devices is limited, I focused on identifying fixed-point representations for the reported values.

This is quite easy when you know the integer part. I started with the AC voltage (e.g. 230V, as displayed on the LED display of the UPS and with more precision in PowerChute). Then I moved a window over the data in the message IDs until I identified a binary representation of 230 (0b11100110).

This led to message ID 0x70, where the value is spread over bytes 4 and 5. This message only appears after PowerChute has passed the challenge.

Assuming a 16-bit fixed-point value, the integer part is represented by the first 10 bits and the fractional part by the last 6. Conversion is as easy as dividing the 16-bit number by 2^6 = 64. Thank you, StackOverflow.
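
The window search and the conversion described above, as an added example (not the script used for this post). The payload is constructed rather than captured, and the big-endian byte order, the byte-aligned 16-bit word and all function names are assumptions of the example.

```python
# Constructed sample payload (not captured traffic): bytes 4 and 5 hold
# 230.5 as a 16-bit fixed-point value with 6 fractional bits (0x39A0).
SAMPLE = bytes([0x00, 0x12, 0x00, 0x04, 0x39, 0xA0, 0x00, 0x10])


def find_int_windows(payload, integer):
    """Slide a bit-wide window over the payload (MSB first) and return
    every bit offset where the binary pattern of `integer` occurs."""
    width = integer.bit_length()          # 230 -> 8 bits (0b11100110)
    total = len(payload) * 8
    as_int = int.from_bytes(payload, "big")
    mask = (1 << width) - 1
    hits = []
    for off in range(total - width + 1):
        shift = total - width - off
        if (as_int >> shift) & mask == integer:
            hits.append(off)
    return hits


def decode_fixed(payload, byte_off, frac_bits=6):
    """Read a 16-bit word (big-endian assumed) and divide by 2**frac_bits."""
    raw = int.from_bytes(payload[byte_off:byte_off + 2], "big")
    return raw / (1 << frac_bits)


def candidate_layouts(payload, integer, word_bits=16):
    """For each hit, assume the word starts at the byte containing the hit
    and derive how many bits remain after the integer part as the fraction.
    Returns (byte offset, fractional bits, decoded value) tuples."""
    out = []
    for off in find_int_windows(payload, integer):
        byte_off = off // 8
        end = off + integer.bit_length()
        frac_bits = byte_off * 8 + word_bits - end
        if 0 <= frac_bits < word_bits and byte_off + 2 <= len(payload):
            value = decode_fixed(payload, byte_off, frac_bits)
            out.append((byte_off, frac_bits, value))
    return out


if __name__ == "__main__":
    for byte_off, frac_bits, value in candidate_layouts(SAMPLE, 230):
        print(f"byte {byte_off}: {frac_bits} fractional bits -> {value}")
```

A real capture can produce several hits for the same integer; comparing the decoded candidates against the value PowerChute shows at that moment narrows them down.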