
Would you have the RJ45 pinout too? Thanks!


This is from my earlier notes, hope it helps some.

  Pin 1: RS422 +/B
  Pin 2: RS422 -/A
  Pin 3: ? - appears to be unused; connected to unpopulated pad on PCB
  Pin 4: GND
  Pin 5: ~14.2v DC unloaded
  Pin 6: GND
  Pin 7: ?
  Pin 8: ?
  Shield: GND
Note: the RS422 protocol has a basic bus arbitration built-in to allow both ends to communicate. The control unit sends <U>Ping</U=xx> messages, after which it opens a slot for the Tablet to communicate back to it. At least on my system xx represents a simple CRC value that can be used to validate message authenticity. I haven't seen any AES encryption in use, messages I've seen are all plaintext, maybe the AES encryption was introduced in a later revision.


Wouldn't RS422 need 2 TX and 2 RX?


Normally, yes. Perhaps this could be more properly termed RS-485 operating in 2 wire (half duplex) mode:

* https://en.wikipedia.org/wiki/RS-485


I have something slightly different

1 is RS422 B

2 is RS422 A

3 & 5 - GND

4 & 6 - VCC

Not sure what 7 and 8 do.


Interesting, not sure what's going on there then. How recently was your system installed? Maybe they have updated the pinout on newer models? I'll go back and check though.


You're right! The serial bus isn't encrypted!

I got inspired, and have plugged in my scope, and then an RS422 to serial adapter, and I'm getting XML encoded (weird) CAN messages, which I presume are the same as what's on the CAN bus exposed on some of the control box's ports. I'll get out the CAN analyser tomorrow and check.

Now the trick will be to reverse engineer this protocol. Here's a tiny sample:

  <U>setCAN 0201000000236000000000000 </U=ce><U>getCAN 1 </U=00><U>Ping</U=db> <U>ackCAN 1</U=aa><U>Ping</U=db> <U>setCAN </U=b2><U>getCAN 1 </U=00><U>Ping</U=db> <U>ackCAN 1</U=aa><U>Ping</U=db> <U>setCAN </U=b2><U>getCAN 1 </U=00><U>Ping</U=db> <U>ackCAN 1</U=aa><U>Ping</U=db> <U>setCAN </U=b2><U>getCAN 1 </U=00><U>Ping</U=db> <U>ackCAN 1</U=aa><U>Ping</U=db> <U>setCAN </U=b2><U>getCAN 1 </U=00><U>Ping</U=db> <U>ackCAN 1</U=aa><U>Ping</U=db>
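Added example (not code from any commenter in this thread): a small Python parser that splits a capture like the one above into `<U>payload</U=xx>` frames and tabulates which trailer byte accompanies each payload, a first step before working out how `xx` is derived. The function names are hypothetical, and the trailer algorithm is not given in the thread, so the code does not try to compute it.

```python
import re
from collections import defaultdict

# Frame shape as seen in the capture: <U>payload</U=xx>, xx = two hex digits.
# The payload may not contain another "<U>", so a truncated frame cannot
# swallow the complete frame that follows it.
FRAME = re.compile(r"<U>((?:(?!<U>).)*?)</U=([0-9a-fA-F]{2})>", re.S)

# Shortened copy of the capture quoted in the thread.
SAMPLE = ("<U>setCAN 0201000000236000000000000 </U=ce><U>getCAN 1 </U=00>"
          "<U>Ping</U=db> <U>ackCAN 1</U=aa><U>Ping</U=db> "
          "<U>setCAN </U=b2><U>getCAN 1 </U=00><U>Ping</U=db> "
          "<U>ackCAN 1</U=aa><U>Ping</U=db>")

def parse_frames(stream):
    """Return (frames, leftovers). frames is a list of (payload, trailer)
    tuples; leftovers are non-whitespace fragments between frames, such as
    a frame cut off at the start or end of a capture."""
    frames, leftovers, pos = [], [], 0
    for m in FRAME.finditer(stream):
        gap = stream[pos:m.start()].strip()
        if gap:
            leftovers.append(gap)
        # Payload whitespace is kept: it may be covered by the trailer byte.
        frames.append((m.group(1), m.group(2).lower()))
        pos = m.end()
    tail = stream[pos:].strip()
    if tail:
        leftovers.append(tail)
    return frames, leftovers

def trailer_table(frames):
    """Map each distinct payload to the set of trailer bytes seen with it."""
    table = defaultdict(set)
    for payload, trailer in frames:
        table[payload].add(trailer)
    return dict(table)

def inconsistent(table):
    """Payloads seen with more than one trailer: line noise, or a trailer
    that depends on something besides the payload (e.g. a counter)."""
    return {p: t for p, t in table.items() if len(t) > 1}

if __name__ == "__main__":
    frames, leftovers = parse_frames(SAMPLE)
    for payload, trailers in trailer_table(frames).items():
        print(repr(payload), sorted(trailers))
    print("leftovers:", leftovers)
```
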


The AES encryption might be related to the android intent messages that are sent to the AAservice. I recall they had an encrypted mode and a "signed app" mode that AAservice will respond to.


I have decompiled the apk and it produced a somewhat useful (but incomplete) package of Java source files, which can be useful for reverse engineering the serial protocol. For example:

    <string name="parse_block_tag_ping">&lt;U&gt;Ping&lt;/U=db&gt;</string>
    ...
    private static final byte[] f2305f = "getCAN ".getBytes(Charset.defaultCharset());
    private static final byte[] g = MyApp.a().getString(R.string.parse_block_tag_ping).getBytes(Charset.defaultCharset());
    private static final byte[] h = MyApp.a().getString(R.string.parse_block_tag_startu).getBytes(Charset.defaultCharset());
    private static final byte[] i = "<request>Unknown</request>".getBytes(Charset.defaultCharset());
You can do the same, or alternatively ping me if you'd like me to email you the source package.


I have reached out to your email address (as described in your profile) with some additional information that I've been putting together. Let me know if you didn't receive my mail.


Not always - if it's used as a bus, it's 2 wire.


No, sorry - I may be able to buzz one out of the a/c controller later on.

I do have 2 spare USB-C to JST-SH adapters that suit the round Advantage Air circuit board if anyone wants one (Perth, Free). Email in profile.



