Everything posted by PLCguy
-
SunSynk WiFi Dongle Hacking.
Yeah also doing eyeball matching but with the browser link
-
SunSynk WiFi Dongle Hacking.
Bytes 0-10 -> payload header
  Byte 2 = A1 when packet from server, = 01 when packet from WiFi dongle
  Bytes 9-10 -> actual data byte count from byte 11
Bytes 11-20 -> Inverter ID
Byte 37 -> Year
Byte 38 -> Month
Byte 39 -> Day
Byte 40 -> Hour
Byte 41 -> Minute
Bytes 66-67 -> Daily battery charge totalizer (resets to zero @ 00:00) | kWh = raw value / 10
Bytes 68-69 -> Daily battery discharge totalizer (resets to zero @ 00:00) | kWh = raw value / 10
Bytes 74-75 -> Total battery discharge since beginning of time | kWh = raw value / 10
Bytes 82-83 -> Total grid import since beginning of time | kWh = raw value / 10
Bytes 84-85 -> Grid instantaneous frequency | Hz = raw value / 100
Bytes 96-97 -> Load usage totalizer since beginning of time | kWh = raw value / 10
Bytes 140-141 -> Battery capacity (Battery setup screen parameter) | Ah = raw value
Bytes 182-183 -> V-grid-L1 | V = raw value / 10
Bytes 186-187 -> Inverter AC output
Bytes 190-191 -> Unidentified voltage
Bytes 192-193 -> Unidentified voltage
Bytes 212-213 -> Grid power (instantaneous) | watt = raw value
Bytes 216-217 -> Unidentified power
Bytes 218-219 -> Unidentified power
Bytes 220-221 -> Inverter power
Bytes 228-229 -> Inverter load output | watt = raw value / 10
Bytes 242-243 -> Battery watts (instantaneous)
Bytes 244-245 -> Battery current (instantaneous)
Bytes 246-247 -> Unidentified frequency
Bytes 248-249 -> Unidentified frequency
Bytes 280-281 -> Battery capacity (0 when grid present, capacity value when grid off)
Bytes 282-283 -> Discharge limit
Byte 285 -> SOC (state of charge) | % = raw value
Bytes 286-287 -> Battery voltage from BMS
Bytes 288-289 -> Battery current from BMS
Bytes 290-291 -> Real-time battery temperature (range -99.9 degrees to +99.9 degrees, scaled between 0x01 and 0x7CF, where 0 degrees = 0x3E8)
-
SunSynk WiFi Dongle Hacking.
@RoganDawes ahh, makes sense. Saw the image earlier in the thread but it didn't register.
-
SunSynk WiFi Dongle Hacking.
I think I DoS'ed mine this morning when I ran gobuster against it, so I added delays of 0.2s between single queries; unfortunately, no fruitful results. I'm still capturing packets at the moment and don't want to stop the capture till at least after 00:00. I suspect some bytes will reset when it is the next day, but I want to confirm this with the current capture that has been running since this morning. With those "magic" bytes that start the payload, bytes 7/8 (starting from 0) are an incremental counter that gets incremented by both the dongle and the server (hosted in China, and owned by Alibaba data center) each time one of them transmits a packet in the stream; since the capture this morning this counter is still going. The dongle represents the even values and responses from the server are odd values, but they are sequential. Bytes 42/42 (from 0) are also some form of a counter that increments every 4 or 5 transmits; this is not consistent, but it keeps increasing (this may be a totalizing value), will confirm.
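As an added example (not code from this thread or from SunSynk), here is a parser that puts the byte map posted above together with the header details in this post: the direction byte at offset 2, the counter at bytes 7-8 with its even/odd split between dongle and server, the data byte count at bytes 9-10, and the temperature encoding around 0x3E8. The posts do not state byte order or signedness, so big-endian and two's-complement for the battery power/current fields are assumptions here, as is the inverter ID being ASCII; fields the thread lists without a unit are returned raw. The sample frames are constructed in the code, not taken from a capture.

```python
import struct

PAYLOAD_LEN = 292                       # payload size reported in the thread
DIRECTION = {0xA1: "server", 0x01: "dongle"}
TEMP_ZERO = 0x3E8                       # raw value for 0.0 degC; 0x001 = -99.9, 0x7CF = +99.9
_FMT = {"u8": ">B", "u16": ">H", "s16": ">h"}   # big-endian is an ASSUMPTION

# (name, offset, kind, divisor) for mapped fields. Divisor 1 = returned raw;
# "s16" on the battery fields is an assumption (charge/discharge sign), not from the thread.
FIELDS = [
    ("day_batt_charge_kwh", 66, "u16", 10),
    ("day_batt_discharge_kwh", 68, "u16", 10),
    ("total_batt_discharge_kwh", 74, "u16", 10),
    ("total_grid_import_kwh", 82, "u16", 10),
    ("grid_freq_hz", 84, "u16", 100),
    ("total_load_kwh", 96, "u16", 10),
    ("battery_capacity_ah", 140, "u16", 1),
    ("grid_l1_v", 182, "u16", 10),
    ("grid_power_w", 212, "u16", 1),
    ("inverter_load_w", 228, "u16", 10),
    ("battery_power_w_raw", 242, "s16", 1),
    ("battery_current_raw", 244, "s16", 1),
    ("soc_pct", 285, "u8", 1),
    ("bms_voltage_raw", 286, "u16", 1),
    ("bms_current_raw", 288, "s16", 1),
]


def _read(buf, off, kind):
    return struct.unpack_from(_FMT[kind], buf, off)[0]


def decode_temperature(raw):
    """Map the 0x001..0x7CF range onto -99.9..+99.9 degC with 0x3E8 as zero."""
    if not 0x001 <= raw <= 0x7CF:
        raise ValueError(f"temperature raw 0x{raw:03X} outside 0x001..0x7CF")
    return (raw - TEMP_ZERO) / 10


def parse_payload(buf):
    """Parse one 292-byte frame, refusing frames whose header contradicts itself."""
    if len(buf) != PAYLOAD_LEN:
        raise ValueError(f"expected {PAYLOAD_LEN} bytes, got {len(buf)}")
    direction = DIRECTION.get(buf[2])
    if direction is None:
        raise ValueError(f"unknown direction byte 0x{buf[2]:02X}")
    seq = _read(buf, 7, "u16")
    # Thread observation: dongle frames carry even counters, server frames odd.
    if (seq % 2 == 0) != (direction == "dongle"):
        raise ValueError(f"seq {seq} parity does not match a {direction} frame")
    data_len = _read(buf, 9, "u16")
    if 11 + data_len != len(buf):
        raise ValueError(f"header claims {data_len} data bytes, frame has {len(buf) - 11}")
    rec = {
        "direction": direction,
        "seq": seq,
        "inverter_id": bytes(buf[11:21]).decode("ascii", "replace").rstrip("\x00"),
        "timestamp": tuple(buf[37:42]),     # (year, month, day, hour, minute) as raw bytes
    }
    for name, off, kind, div in FIELDS:
        raw = _read(buf, off, kind)
        rec[name] = raw / div if div != 1 else raw
    rec["battery_temp_c"] = decode_temperature(_read(buf, 290, "u16"))
    return rec


def check_stream(frames):
    """Return a list of anomalies: counters that do not advance by exactly one."""
    problems, prev = [], None
    for i, buf in enumerate(frames):
        rec = parse_payload(buf)
        if prev is not None and rec["seq"] != prev + 1:
            problems.append(f"frame {i}: seq {rec['seq']} follows {prev}")
        prev = rec["seq"]
    return problems


def build_sample(direction_byte, seq, raw_values, temp_raw=TEMP_ZERO):
    """Constructed test frame; the values are invented, not from a real capture."""
    buf = bytearray(PAYLOAD_LEN)
    buf[2] = direction_byte
    struct.pack_into(">H", buf, 7, seq)
    struct.pack_into(">H", buf, 9, PAYLOAD_LEN - 11)
    buf[11:21] = b"2111234567"                  # constructed inverter ID
    buf[37:42] = bytes([23, 6, 14, 13, 45])     # constructed timestamp
    for name, off, kind, _ in FIELDS:
        if name in raw_values:
            struct.pack_into(_FMT[kind], buf, off, raw_values[name])
    struct.pack_into(">H", buf, 290, temp_raw)
    return bytes(buf)


if __name__ == "__main__":
    frame = build_sample(0x01, 1000, {"soc_pct": 87, "grid_freq_hz": 4998}, temp_raw=0x4A2)
    print(parse_payload(frame))
```

Running `check_stream` over a capture split into payloads is the quickest way to confirm the even/odd split and the "no gaps" property across the day rollover: any frame where the counter jumps, or where the direction byte disagrees with the counter's parity, shows up as a `ValueError` or an entry in the returned list rather than a silently mis-attributed reading.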
-
SunSynk WiFi Dongle Hacking.
I guess it's the branded one as it has "Sunsynk" printed on it, but it also does have the red and green LEDs. The same one posted earlier by @valienté with the picture. Below is the UI served from it. I have also checked and it's only port 80 open on the unit; the web server is Mongoose 6.7, but I don't know if there are any exploits to try and get root on the unit. CGI scripts that can be executed on the unit are (and there are others):
http://<device-ip>/config?command=status
http://<device-ip>/config?command=devinfo
but the interesting one is this: just going to keep digging...
-
SunSynk WiFi Dongle Hacking.
Hi all, I don't know if this thread is still alive, but here is what I have deciphered so far in the 292-byte payload of the dongle. If anyone else can maybe confirm that this corresponds to their inverter data as well; I have the SUNSYNK-5K-SG01LP1.