
SunSynk WiFi Dongle Hacking.


cyber7


Has anyone successfully found a way to create a new firmware for the E-linter dongle and still retain the connection to the Sunsynk API? Or was this avenue abandoned thanks to the work from @Gary Waterworth? Currently the way the dongle handles WiFi, channel hopping and the AP is causing some troubles on the networks at a few sites I know.

This would be solved with the Ethernet edition.


Not that I am aware of. If you want the Sunsynk dashboard, you are stuck with their firmware. At least they updated it to turn off the default access point after it was connected to your own WiFi!


Pfft, I don't have the option to disable that f access point it creates.

I had to put in a separate access point on a different channel that the dongle connects to, so it didn't affect my high-power AP that services the cameras and automation on the property...

Extremely annoying

Edited by Gary Waterworth

I will ask my installer contact. He has been quite frustrated with it as well on his personal setup. He was also going to give me a dongle to play with if I wanted.


  • 4 weeks later...

I tried the following soft mods.

Start up Kali Linux and set up a transparent proxy using mitmproxy.
Start up Wireshark and filter out all IPs except for the dongle's.

Set the default gateway of the Sunsynk dongle to point to my Kali Linux VM and then monitor with both mitmproxy and Wireshark.

This is what I can see.

DNS-wise it usually tries to find the IPs of 2 domains, elinter and sunsynk.net.

I expected the dongle to send a JSON request to either elinter or Sunsynk.net, but instead it's sending data via port 51100 in binary mode, which agrees with a post made earlier on in this thread.

The hex value shown in the second image translates to 100 which is the size of my sunsynk battery in Ah.


Some ideas that I have not yet seen mentioned here.
Dump the firmware from the dongle so that you can flash it to an ESP32 devboard and then mess with it without bricking the original dongle.

or

Make use of an ESP32's secondary serial port to create a serial passthrough and at the same time save the comms somewhere else: SD card / MQTT / HTTP WebSocket. If you can make sense of the comms, you could leave the passthrough as is and send the data to Home Assistant whilst still keeping the Sunsynk dashboard.

Something as basic as this will hopefully allow us to see what is being communicated back and forth.

// Serial passthrough: whatever arrives on one UART is copied to the other.
// Serial  = USB console (PC side), Serial1 = second hardware UART (device side).
void setup() {
  Serial.begin(9600);
  Serial1.begin(9600);
}

void loop() {
  // PC -> device
  if (Serial.available()) {
    Serial1.write(Serial.read());
  }

  // device -> PC
  if (Serial1.available()) {
    Serial.write(Serial1.read());
  }
}


Edited by MartinViljoen

3 minutes ago, MartinViljoen said:

I tried the following soft mods.

Start up Kali Linux and set up a transparent proxy using mitmproxy.
Start up Wireshark and filter out all IPs except for the dongle's.

Set the default gateway of the Sunsynk dongle to point to my Kali Linux VM and then monitor with both mitmproxy and Wireshark.

This is what I can see.

DNS-wise it usually tries to find the IPs of 2 domains, elinter and sunsynk.net.

elinter is the OEM; in fact the dongle reports to their infrastructure, it seems. You can log in to elinter with your Sunsynk creds and get the unbranded UI.

3 minutes ago, MartinViljoen said:

I expected the dongle to send a JSON request to either elinter or Sunsynk.net, but instead it's sending data via port 51100 in binary mode, which agrees with a post made earlier on in this thread.

The hex value shown in the second image translates to 100 which is the size of my sunsynk battery in Ah.

Some ideas that I have not yet seen mentioned here.
Dump the firmware from the dongle so that you can flash it to an ESP32 devboard and then mess with it without bricking the original dongle.

I have an (old) copy of the firmware from my dongle. As mentioned previously, it's a RISC-V ESP32, not Xtensa, so reverse engineering it is a little bit trickier. I wasn't able to make any progress, but they updated it since then to disable the Access Point when successfully connected in station mode, so I guess that's all good now!

3 minutes ago, MartinViljoen said:

or 

Make use of an ESP32's secondary serial port to create a serial passthrough and at the same time save the comms somewhere else: SD card / MQTT / HTTP WebSocket.

Something as basic as this will hopefully allow us to see what is being communicated back and forth.

Keeping in mind that the dongle is using RS232 vs the ESP32's TTL UART, you'd do better with a pair of USB-RS232 dongles connected to a PC. Do be aware that the dongle gets 12V from the inverter on one of the pins (possibly CD or RI, I don't recall), so it won't do anything at all without that.


6 minutes ago, RoganDawes said:

Keeping in mind that the dongle is using RS232 vs the ESP32's TTL UART, you'd do better with a pair of USB-RS232 dongles connected to a PC. Do be aware that the dongle gets 12V from the inverter on one of the pins (possibly CD or RI, I don't recall), so it won't do anything at all without that.

Thanks for pointing that out. I was under the impression that I could just connect the ESP32's RX to the TX on the inverter and the inverter's RX to the TX on the ESP, and off I go.


10 minutes ago, MartinViljoen said:

Thanks for pointing that out. I was under the impression that I could just connect the ESP32's RX to the TX on the inverter and the inverter's RX to the TX on the ESP, and off I go.

You'd let the magic smoke out if you did 🤪

Oh, and socat is a nice way to link the two USB dongles together.

Edited by RoganDawes

Here's another attempt 😀

Note the "Connection Status" is reporting OK. Also note that when setting a static IP there's no option to set the DNS IP. That's because the DNS is hardcoded to 8.8.8.8, and I have also seen attempts to connect to a secondary DNS, 8.8.4.4.

So I set up an ESP32 as a SoftAP with a DNS server and set the IP of the ESP32 to 8.8.8.8. So now the Sunsynk dongle "thinks" it's talking to Google and therefore reports that the connection is OK.

ALL DNS requests will be pointed to 8.8.8.8, even if it tries to connect to elinter.

In the ESP32's sketch I also set it to dump all data to the console.

#include <WiFi.h>
#include <DNSServer.h>

const byte DNS_PORT = 53;
IPAddress apIP(8, 8, 8, 8);   // the dongle's hardcoded DNS address; the AP takes it so every lookup lands here
DNSServer dnsServer;
WiFiServer server(51100);     // the port the dongle uses for its binary session

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_AP);
  WiFi.softAP("ESP32-DNSServer");
  WiFi.softAPConfig(apIP, apIP, IPAddress(255, 255, 255, 0));
  dnsServer.start(DNS_PORT, "*", apIP);   // resolve every name to apIP

  server.begin();
  Serial.println("Server Started");
}

void loop() {
  dnsServer.processNextRequest();
  WiFiClient client = server.available();   // listen for incoming clients

  if (client) {
    // Note: this inner loop blocks DNS handling for as long as the dongle stays connected.
    while (client.connected()) {
      if (client.available()) {
        char c = client.read();
        Serial.print(c);   // raw dump of whatever the dongle sends
      }
    }
    client.stop();
  }
}

If I connect to the serial port, the Sunsynk data logger is trying to log into Sunsynk.net by providing the registry key and dongle serial number.

From here on it appears to fail because it's not getting anything back from Sunsynk.net. Perhaps if I set up a second WiFi connection on the ESP which is connected to my home fibre router and then take whatever data is being received and pass it on to Sunsynk.net, it will continue.

Edited by MartinViljoen
It seems you have now changed sunsynk.net to point to Google's DNS (8.8.8.8), which is wrong.

I assume you are just attempting a MITM interface with whatever is connecting to your Arduino, so the following is more in line:

    IPAddress localIP(192,168,1,1);
    IPAddress gateway(192,168,1,254); // this should be your router's IP (placeholder), to still route the packets to where they need to go
    IPAddress subnet(255,255,255,0); // subnet of your router's, and your, IP

    WiFi.softAPConfig(localIP, gateway, subnet);

You will need to sniff the connected IP, and not necessarily the endpoint (sunsynk.net).


If your intention is to catch all ingress traffic from Sunsynk, you would need to port forward the ports at your router level to the ESP's local IP. If egress towards Sunsynk, then the ESP just needs to sniff the connected device's packets and then still send them to Sunsynk (unless you want to completely break this connection).

EDIT
nvm, I missed the part where the dongle's DNS is hardcoded and you are trying to spoof it.
I am not sure if this is going to work, since it's in fact hardcoded on the ESP. I would assume it would still relay the true DNS entry since its own gateway would be your router.

Try to run a traceroute (tracert) instead of an nslookup.

Edited by Pho3niX90

You may be wasting your time tbh. I have had a look at the TCP dumps between the dongle and Sunsynk, but didn't go into much detail on it.

There is a command and response which you will not be able to replicate this way. What you need to do is mirror all WiFi data on your router to a Wireshark host and then filter on the dongle IP. What may be useful to do is compare what is sent to Sunsynk with the dbus data that other people have analysed when connecting directly.

Can you maybe indicate what kind of router hardware you have? I use Mikrotiks, so doing the above is easy. Also, to spoof 8.8.8.8 is fairly straightforward if you use src/dst NAT rules and use your own DNS server.

Edited by Gary Waterworth

OK, looking at some of the traffic.

There (on my system) is always a 292-byte packet going from the dongle to Sunsynk.

When I have some time I will wait for the update to go to Sunsynk and take a snapshot from my Home Assistant and see what values I can match up.

I know Node-RED in Home Assistant has a pcap module. Will try to get some time to look at it.

There is a reply back that just seems to be an acknowledgement and increases each time. (screenshot)

Config in my Mikrotik (screenshot)

Wireshark (screenshot)
Edited by Gary Waterworth

Just to clarify, in my previous post there's no Internet involved. I'm merely hosting an AP on the ESP32 and then connecting the dongle to the ESP's access point, which runs both a DHCP server as well as a DNS server. The DNS server is set to resolve * to 8.8.8.8, meaning any and every domain resolution request will resolve to 8.8.8.8, i.e. if you request the IP of ukiot.sunsynk.net it will resolve to 8.8.8.8, and if you request billybob.com it will also resolve to 8.8.8.8.

See below drawing. There's no link to my home run-of-the-mill TP-Link router connected to the internet via an ONT and fibre line.

The reason I set the IP of the ESP32 to 8.8.8.8 is because I cannot change the DNS IP of the dongle, which is hard coded.

I don't have a problem capturing packets whilst the dongle is connected to my home WiFi in normal and operational mode. This can easily be done by simply setting the gateway IP of the dongle to a VM running Kali Linux with a MITM proxy in transparent mode. This way you have full view of data passing by.

See this documentation --> https://docs.mitmproxy.org/stable/howto-transparent/
Just substitute

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

With

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 51100 -j REDIRECT --to-port 8080

I'm aware the above is over-complicating things a bit. The same can actually be done by simply running Wireshark and watching the traffic between sunsynk.net's IP and the dongle's IP.

In the end I want to be able to re-create the above "ability" but only using an ESP32, without the need for any extra hardware, or setting up ARP poisoning or any kind of DNS spoofing.

Like this (drawing).

I have a separate project which I created that runs solar monitoring directly on an ESP32 and has some features that allow you to execute webhooks based on certain inverter/battery values or the EskomSePush schedule value. Currently the monitoring tool which I created relies on the Sunsynk API to get values and set settings on the inverter, and it would be far better if I could read the values locally by mimicking the Sunsynk.net server.

I think the show stopper here is if the data between the dongle and Sunsynk.net via port 51100 is encrypted; then all of the above will most probably not be possible. I'm also starting to think I may as well just get the data using a Modbus connection.


Edited by MartinViljoen
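The "pass it on to Sunsynk.net while watching it" idea from the posts above, written as an added example (not code from the thread or from any of its authors): a logging TCP relay in Python for a PC that the dongle's port-51100 traffic has been redirected to, with a session log that makes the 292-byte report frames and the small acknowledgements easy to spot. UPSTREAM_HOST is a placeholder you would replace with the real server's address; port 51100 and the 292-byte size come from the thread.

```python
"""Logging TCP relay for the dongle's port-51100 session (added example)."""
import asyncio

DONGLE_PORT = 51100          # port the dongle uses, per the thread
REPORT_LEN = 292             # size of the periodic dongle->server frame reported in the thread
UPSTREAM_HOST = "UPSTREAM_HOST_PLACEHOLDER"  # assumption: the real server the dongle reports to
UPSTREAM_PORT = 51100


def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump so binary frames can be eyeballed."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexs:<{width * 3}} {text}")
    return "\n".join(lines)


class SessionLog:
    """Records (direction, length) for every frame so traffic patterns stand out."""

    def __init__(self):
        self.frames = []

    def record(self, direction, data):
        self.frames.append((direction, len(data)))
        return f"[{direction}] {len(data)} bytes\n{hexdump(data)}"

    def lengths(self, direction):
        return [n for d, n in self.frames if d == direction]

    def reports(self):
        """How many dongle->server frames had the 292-byte report size."""
        return sum(1 for d, n in self.frames if d == "dongle->server" and n == REPORT_LEN)


async def pump(reader, writer, direction, log):
    """Copy bytes one way, logging each chunk; close the far side when the source ends."""
    try:
        while data := await reader.read(4096):
            print(log.record(direction, data))
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle(dongle_reader, dongle_writer):
    # One upstream connection per dongle session; both directions are relayed untouched.
    upstream_reader, upstream_writer = await asyncio.open_connection(UPSTREAM_HOST, UPSTREAM_PORT)
    log = SessionLog()
    await asyncio.gather(
        pump(dongle_reader, upstream_writer, "dongle->server", log),
        pump(upstream_reader, dongle_writer, "server->dongle", log),
    )


async def main():
    # The dongle reaches this listener via the iptables REDIRECT rule from the post above.
    server = await asyncio.start_server(handle, "0.0.0.0", DONGLE_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Because the relay only copies bytes, the Sunsynk dashboard keeps working while the console shows every frame; if the session turns out to be encrypted, the dumps will show that immediately.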

1 hour ago, MartinViljoen said:

I think the show stopper here is if the data between the dongle and Sunsynk.net via port 51100 is encrypted; then all of the above will most probably not be possible. I'm also starting to think I may as well just get the data using a Modbus connection.

It doesn't look to be encrypted in any way, but we have also still not been able to properly reverse engineer the details as yet, I believe.

The kellerza/Sunsynk project does a great job, but there are also implementations of Modbus for ESPHome (and examples for Sunsynk in particular) and other platforms as well, of course.


13 hours ago, Gary Waterworth said:

OK, looking at some of the traffic.

There (on my system) is always a 292-byte packet going from the dongle to Sunsynk.

When I have some time I will wait for the update to go to Sunsynk and take a snapshot from my Home Assistant and see what values I can match up.

I know Node-RED in Home Assistant has a pcap module. Will try to get some time to look at it.

There is a reply back that just seems to be an acknowledgement and increases each time. (screenshot)

Config in my Mikrotik (screenshot)

Wireshark (screenshot)

This should point you in the right direction:
https://github.com/kellerza/sunsynk/blob/main/src/sunsynk/definitions.py

https://github.com/kellerza/sunsynk/blob/main/src/sunsynk/sunsynk.py

And here: https://en.wikipedia.org/wiki/Modbus#MODBUS_Messaging_on_TCP/IP

Edited by Pho3niX90

5 hours ago, Pho3niX90 said:

The wire protocol between the dongle and the elinter servers doesn't resemble Modbus at all, according to others that have looked at it already.


1 hour ago, RoganDawes said:

The wire protocol between the dongle and the elinter servers doesn't resemble Modbus at all, according to others that have looked at it already.

Sunsniff decodes the sensor values in the protocol when run on a router between the dongle and the internet. You can see a table relating offsets in the 292-byte packets to the Modbus registers there. I never dug into the rest of the protocol (such as sending commands back to the dongle to modify inverter settings) because I ended up going with a Raspberry Pi and an RS-485 cable.


  • 1 month later...
1 hour ago, PUser said:

Hi

Anybody know how to obtain the MAC address of the dongle?

There are any number of ways to get it. But I suspect this is an XY problem (https://en.wikipedia.org/wiki/XY_problem). Why don't you tell us what you are trying to achieve, rather than how you think you need to go about doing it?

To answer the question anyway:

1. Look on your router for assigned clients and their MAC addresses.

2. Ping the IP address, then check the ARP table for the corresponding MAC.

3. Ping the IP address while running tcpdump -ne

4. Open the dongle and use a USB-TTL adapter with esptool to query the ESP32 directly.

etc.

Edited by RoganDawes

12 hours ago, RoganDawes said:

There are any number of ways to get it. But I suspect this is an XY problem (https://en.wikipedia.org/wiki/XY_problem). Why don't you tell us what you are trying to achieve, rather than how you think you need to go about doing it?

To answer the question anyway:

1. Look on your router for assigned clients and their MAC addresses.

2. Ping the IP address, then check the ARP table for the corresponding MAC.

3. Ping the IP address while running tcpdump -ne

4. Open the dongle and use a USB-TTL adapter with esptool to query the ESP32 directly.

etc.

The reason I want it is because I do MAC address whitelisting on my routers for extra security, so I need to first add the MAC address to my router in order for the router to accept a connection from the device.

I'll probably just have to switch off that feature temporarily and then go about as per your suggestion in #1.

Thank you


5 hours ago, PUser said:

The reason I want it is because I do MAC address whitelisting on my routers for extra security, so I need to first add the MAC address to my router in order for the router to accept a connection from the device.

I'll probably just have to switch off that feature temporarily and then go about as per your suggestion in #1.

Thank you

That's probably going to be the simplest approach. Although the utility of registering MAC addresses with your AP is debatable. In order to try to access your network, the attacker will need the pre-shared key as a first prerequisite. And once they have the key, they can simply snoop to find an authorized station transmitting on the network, then clone that MAC address.
