Hacking the Bryant / Carrier Touchscreen Thermostats

At this point, I’ve done a sizable amount of reversing on the wire protocol.

I’ve come to the following conclusions.

  1. The wire protocol is little-endian. The addresses (and the serial I/O) make more sense in LE.
  2. You have to think like an embedded guy from the late 90s to figure this stuff out. This is low-level C stuff: most of the early communicating boards and equipment are based on PICs with tiny EEPROMs and small amounts of RAM. They run tight loops without an operating system, or with very little of one.