Post date: Nov 10, 2019 7:21:33 PM
The messages going from PowerChute to the UPS have a variable length, as opposed to the messages from the UPS that are always 19 bytes. By toggling the outlet from PowerCute, for example, the following message is sent to the UPS:
Turn off outlet
71 08 02 41 04 5b e3
Turn on outlet
71 08 02 41 22 1f 02
We can derive again the message ID (0x71) at byte 0, and a data length at byte 2. Then the 2-byte data follows (0x41 0x04). The last two bytes are the Fletcher 8-bit checksum applied on all the earlier bytes.
Byte 1 corresponds to the offset of the parameter in the data of the message of the same ID that was previously sent by the UPS to the PC.
Most likely this specific data, to switch the outlet, is some kind of bitfield. To turn off the outlet, bit 1 is unset, and bit 2 and 5 are set, and vice versa.
The status of the outlet is mirrored in message ID 0x72, again a bitfield. Following states are identified:
In the meantime I also got (I believe) a step closer to generating a valid challenge, based on the first byte of the header and the 14-byte serial number. The challenge consists of 4 bytes, for example:
7e 0c 04 3d e7 0d fe a8 97
7e 0c 04 70 67 89 4c 9a 29
7e 0c 04 83 a7 18 01 25 08
7e 0c 04 4d 3e 9b 60 90 59
For now, I use PowerChute to pass the challenge, then kill the service and continue communicating using my Python script. If you don't kill PowerChute, it will send a message to 'reset' the UPS link upon exit.