Security and Monitoring of Sofar HYD 6000-ES Inverters for yourself - an investigation

 A friend has a Sofar HYD 6000-ES hybrid PV inverter installed, and I was interested in

  1. The possible security implications of its nominal WiFi/Internet connection
  2. How to get the logging data directly into one's own software and bypass the "cloud" which is located in China!

Security Issues

In respect of the first point, this webpage has some interesting insights viz. the Access Point (AP) interface remains active even when you've configured it as a Station (STA) to access your home WiFi, including the following interfaces, according to the article:
  1. 53/UDP, DNS
  2. 80/TCP, HTTP
  3. 8899/TCP, Datalogger Info
  4. 48899/UDP, HF AT Interface
Depressingly, the article shows how easy it is to hack the passwords from copies of the firmware :-/, so given the importance of the kit, it's probably good to take some remedial action.
Possible actions:
  1. Access Point access: The configuration screens allow for the SSID to be hidden, which at least prevents casual detection/connection, although obviously not for a proper hacker
  2. DNS: Article doesn't address this, might be worth investigation, not sure what DNS operations this might support, although I guess it will just provide DNS function for devices connecting to the AP
  3. Web interface: I think the most important, and probably simplest, thing is to change the interface user/password to a non-standard value, probably documenting it on the inverter front panel with some printed labels (I love printed labels!!).
  4. Datalogger Info: This is the datalogging interface, apparently "from a security perspective this service is not terribly interesting"!! It presents an interface from which inverter performance data can be extracted, of which more later.
  5. HF AT: This is a potentially interesting vulnerability - it potentially exposes lots of scary functions, including 
    1. Upgrading firmware of WiFi interface
    2. Getting / Setting Wi-Fi configuration data (including keys)
    3. Getting / Setting service (eg. web server) credentials
    4. Getting / Setting 'user' configuration (device-specific info)
    5. Setting GPIO pin status
    6. Navigating to URLs in a proxy-like fashion
    7. "User" functions which potentially include upgrading inverter firmware!

Unfortunately "The only protection for this service is a 'password' which doubles as the network discovery string. The password is hardcoded in the firmware and cannot be changed and since it is part of the discovery protocol it cannot be considered confidential." Urgh. Basically, since this is an AP, it's accessible regardless. The only real remedial action is to use the alternative Ethernet interface, which at least can't be accessed without physical intervention. 

Data Monitoring

There are quite a few examples for this - I'm looking for Python examples:
None of this is particularly complicated, I think if I were looking to do this I'd use an adapter to the EmonHub software running on an RPi, so that would collect all the data and provide lots of useful analysis.

The most recent Sofar firmware lets you add up to two additional destinations for data delivery, so just add the installed EmonHub on the local network. The more interesting thing is to prevent the inverter sending stuff to the SolarMan.cn cloud site, I guess you'd have to sort out a firewall setting or other, probably on the wireless router.

Alternative Monitoring Options

This GitHub site has a C++ library which runs on an ESP8266 connected to your local wifi, and the RS485 S output of the inverter to publish lots of additional data over MQTT. Since it is reckoned to work with Sofar HYD...00ES I'd look at this to either add Battery status info to the Python stuff, or just hack this into the inverter and remove the need for a security problem like the official WiFi interface!

Or there's this which uses an RS422/485 - USB interface connected to an RPi which sends data to an instance of EmonHub. This is just a script that has to be run every n seconds, currently run inside nodeRed. That could easily be changed to just loop. It could also in principle run on an ESP8266, if we can get the RS485 interface to work from that. Excellent.

So it looks like there are lots of home-brew options, and many possible interface devices e.g. NodeMCU (ESP8266), RPi 0 and so on. 

Another Wrinkle...

It turns out that owner of HYD 6000-ES actually wants to use the SolarMan.cn site because the installation engineer can monitor it from there if there are any problems. Hmm. Secure options for that are
  • Install an Ethernet interface, rather than a WiFi one, on the basis that it isn't accessible 
  • Install an RS485-attached wifi-enabled device e.g. ESP8266, that translates the ModBus data into the proprietary SolarMan format, sends it to SolarMan and also records it locally
I suspect the latter is more likely, as there don't seem to be any LSE-3 (the product name apparently) examples for sale. It will probably be a bit fiddly getting the proprietary format to work, but it's been reverse engineered so should be doable. 

For myself, I doubt the engineer will be able to do much over the cloud link, I don't think the SolarMan app allows any configuration changes, and it certainly wouldn't if the reverse channel wasn't available. 

More Discoveries

Reading the dongle manufacturer's manual, it appears that there may be the possibility to turn off the AP function using the configuration screens, or the AT command interface. In that case, maybe it'll be ok to do that - at least the open system access to anyone walking past with a laptop will be prevented!

Comments

Post a Comment

Popular posts from this blog

Replacing Coffee Machine Pump (Dualit Espressivo)

Image
My 5 year old Dualit Espressivo broke on Saturday - disaster!! I was in the throes of making a coffee when the pump stopped, so no steamed microfoamed milk... Off with the back, check of voltages etc., taking extreme care because 240V + H2O is a Bad Thing. I located what seemed to be the pump, and there were volts on the terminals. Hmm. It’s an Ulka EP5FM according to the label. Google... Many people offering to sell me one, but the guys at ulka-ceme.co.uk aka Scintilla Pumps are the UK distributors. They sell a whole range of this type of pump, and the documentation shows that the crucial points are voltage/power, pressure (15 bar) and duty cycle (2m on/1m off). I can buy one online but I call them... they’re about 15 miles away, and are happy to sell me a replacement. We reckon it’s worth a lunch trip, so bowl over and it’s only £16 direct, vs £19.60 mail order. Done. The expensive part was lunch - £50!! Planning to skip dinner though... New pump fitted - looks like the old
Read more

Multiple SHT30 sensors on a single I2C bus with Sonoff-Tasmota

Image
I have a hankering to measure the input and output temperatures of my condensing boiler, in order to determine if it's likely to be actually condensing at any time. I have lots of SHT30 sensors, which attach handily to NodeMCU units. However, running 2 separate rigs, one each for input and output, means that temperature measurements will not be synchronised, which doesn't account for the action of the boiler and its heat output rate of change. It appears that the SHT30 has two I2C addresses (0x44 and 0x45), which are available on the Wemos D1 knock-offs that I have. So I started out by modifying one to use a different bus from the standard one - this is easily done by bridging a link with solder. I then used 2 NodeMCUs running together to check that the newly addressed device is actually detected and works. It does. Pair of NodeMCU/SHT30 setups in action Close-up of SHT30 devices -RH(44) has soldered address link (circled) So, let's see what we can do, eh? I
Read more

NodeMCU + Tasmota code + SHT30

Image
That was cool. Let's try something a bit "easier" - a NodeMCU module, which is easy to connect and upload to, in conjunction with a new sensor, the SHT30 that does humidity and temperature over an I2C interface. This is prompted by this article , which doesn't really say how to do any of this... Obligatory not very illustrative pic - bits are labelled pretty much! Oh yeah, had to solder the header pins onto the SHT30 - piece of cake now :-p. Compiled the latest Tasmota code (using the ESP 2.4.0 API + libs, which significantly improves the WiFi performance) in the Arduino IDE, it's already uploaded while I've been writing this. Gosh. And that was probably a bit rash! Re-compiled and uploaded, now I've edited the user_config.h file to include my Wifi details and a few other useful things. I'm hoping the code uses mDNS, because that's really handy. Hmm, that didn't seem to work - using the Serial Monitor indicates it's still us
Read more