Power Forum - Renewable Energy Discussion


SunSynk WiFi Dongle Hacking.


6 hours ago, PUser said:

The reason I want it is because I do MAC address whitelisting on my routers for extra security - so I need to first add the MAC address to my router in order for the router to accept connection from the device.

I'll probably just have to switch off that feature temporarily and then go about as per your suggestion in #1.

Thank you

AFAIK, the dongle registers the DNS name e-linter.
You can use the arp command to display MAC addresses (Linux)

On Windows, you may have to ping e-linter and then use the "arp -a" command.

Nmap also displays the MAC addresses
nmap -sn 192.168.7.0/24

You can also check on your DNS/DHCP server


3 hours ago, system32 said:

AFAIK, the dongle registers the DNS name e-linter.
You can use the arp command to display MAC addresses (Linux)

On Windows, you may have to ping e-linter and then use the "arp -a" command.

Nmap also displays the MAC addresses
nmap -sn 192.168.7.0/24

You can also check on your DNS/DHCP server

Thank you!

 

Turns out my Deco App shows it by default if I just look at the online clients :) - but I'll remember the nmap -sn option...

Also can look through the logs and see what MAC address was rejected. But not sure if the TP-Link provides that level of logs.

Yup, MAC whitelisting has so many holes it is not funny. But if it makes you feel secure who am I to argue. Setting up the APs and putting in place a proper security mentality will mitigate 99% of the threats that are out there.

The comment "Deco App" tells me you have TP-Link. Entry level consumer stuff.

 

Go look here and tell me you still feel good :D

TP-Link - Security Advisory

Edited by Gary Waterworth

14 hours ago, Gary Waterworth said:

Also can look through the logs and see what MAC address was rejected. But not sure if the TP-Link provides that level of logs.

Yup, MAC whitelisting has so many holes it is not funny. But if it makes you feel secure who am I to argue. Setting up the APs and putting in place a proper security mentality will mitigate 99% of the threats that are out there.

The comment "Deco App" tells me you have TP-Link. Entry level consumer stuff.

 

Go look here and tell me you still feel good :D

TP-Link - Security Advisory

I run my IoT devices (e-linter/sunsynk/tuya/solar-assistant/tasmota/cctv/etc) in an IoT VLAN.
I use nftables to limit access and direction of traffic.

Edited by system32

  • 2 months later...
On 2022/11/11 at 9:42 AM, Gary Waterworth said:

I have been putting together some flows in Home Assistant NodeRed to query the SunSynk API on the website directly.

Been working on endpoints. Looks like I have access to all readings and Inverter settings now.

I have only pulled out some of them into sensors so I can use them in HA.

Still need to make/find some nice cards.

Busy looking at how to set some settings. Basic process is there, just need to make sure it all works :)

 

image.thumb.png.ff083c4839fe9e6e78c67c44deaf2bf9.png

 

Hi Gary, 

 

I am a complete noob when it comes to coding/python etc. All I am trying to do is get data from my Sunsynk inverter into a .csv file with headings. Is there any basic code I can use to get this done? 

I'm going down a bit of a rabbit hole, so would appreciate any guidance! 

On 2024/03/05 at 8:50 AM, Scott Havemann said:

Hi Gary, 

 

I am a complete noob when it comes to coding/python etc. All I am trying to do is get data from my Sunsynk inverter into a .csv file with headings. Is there any basic code I can use to get this done? 

I'm going down a bit of a rabbit hole, so would appreciate any guidance! 

While it is theoretically possible, it is not going to be done with basic code. What data are you looking for exactly?

  • 1 month later...

Ok, so I finally took the time to flash ESPHome onto my Sunsynk wifi dongle. Took a while to figure out the details, which I wrote up in another thread: https://powerforum.co.za/topic/28044-anyone-noticed-weird-behaviour-from-their-sunsynk-inverter-charging-when-not-supposed-to-resetting-daily-totals-etc/?do=findComment&comment=202244

The end result is that you have a dongle running ESPHome, powered neatly from the inverter via the Ring Indicator pin of the DE9 connector, polling the inverter using modbus over RS232 at 9600 baud.

The diff from slipx06's original ESPHome config is minimal:

diff -w ESPHome-1P-Sunsynk-Deye.yaml sunsynk_dongle.yaml
12c12
<   board: nodemcu-32s
---
>   board: airm2m_core_esp32c3
14a15
>   variant: esp32c3
60,61c61,62
<   tx_pin: GPIO1
<   rx_pin: GPIO3
---
>   tx_pin: GPIO5
>   rx_pin: GPIO6
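Review bot: the new tx_pin: GPIO5 and rx_pin: GPIO6 values in 60,61c61,62 carry no comment tying them to this dongle's board, so someone comparing against the nodemcu-32s original cannot tell whether they are a wiring fact or a preference. Add a short YAML comment beside the UART block saying these are the pins wired on the Sunsynk dongle, so they are not "corrected" back to GPIO1/GPIO3 later.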
67d67
<   flow_control_pin: GPIO16
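Review bot: 67d67 drops flow_control_pin: GPIO16 and leaves nothing in the file to say why. Put a one-line comment in the modbus section stating that the link is RS232 (full duplex), so the pin is not reintroduced the next time the file is re-synced with slipx06's original config.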

Basically, change the board to an ESP32C3 (I just picked one, there may be better options), set the variant, and update the UART pins. Also, delete the modbus TX control pin, because RS232 is full duplex.

Shout if you have any questions.

14 hours ago, RoganDawes said:

Ok, so I finally took the time to flash ESPHome onto my Sunsynk wifi dongle. Took a while to figure out the details, which I wrote up in another thread: https://powerforum.co.za/topic/28044-anyone-noticed-weird-behaviour-from-their-sunsynk-inverter-charging-when-not-supposed-to-resetting-daily-totals-etc/?do=findComment&comment=202244

The end result is that you have a dongle running ESPHome, powered neatly from the inverter via the Ring Indicator pin of the DE9 connector, polling the inverter using modbus over RS232 at 9600 baud.

The diff from slipx06's original ESPHome config is minimal:

diff -w ESPHome-1P-Sunsynk-Deye.yaml sunsynk_dongle.yaml
12c12
<   board: nodemcu-32s
---
>   board: airm2m_core_esp32c3
14a15
>   variant: esp32c3
60,61c61,62
<   tx_pin: GPIO1
<   rx_pin: GPIO3
---
>   tx_pin: GPIO5
>   rx_pin: GPIO6
67d67
<   flow_control_pin: GPIO16

Basically, change the board to an ESP32C3 (I just picked one, there may be better options), set the variant, and update the UART pins. Also, delete the modbus TX control pin, because RS232 is full duplex.

Shout if you have any questions.

Busy debating buying another dongle to play with this.

Is there anything special I need to be able to flash the dongle or can I just connect it to my PC with an RS232->USB?

EDIT: Never mind, going through the other post

Edited by Gary Waterworth

3 hours ago, Gary Waterworth said:

Busy debating buying another dongle to play with this.

Is there anything special I need to be able to flash the dongle or can I just connect it to my PC with an RS232->USB?

EDIT: Never mind, going through the other post

Just to be clear, I used a USB-TTL (3.3V) adapter, directly connected to the header holes on the PCB, not an RS232 UART connected to the DE9.

4 hours ago, WazzaCPT said:

Would still be amazing to get into the original firmware and see if it is possible to retain the original communications but add in a stream server of the RS232 (modbus).

@WazzaCPT I am sure you would be able to do this.

Two serial ports are needed (with the same logic as the current one) to monitor TX and RX data
Below is a typical example connection diagram for unobstructed sniffing of serial data.

P1 and P2 represent the existing Sunsynk inverter and Dongle connectors (not sure about actual male and female on dongle/inverter).
P3 and P4 provide a sniffed copy of the TX and RX data between the Dongle and Sunsynk inverter which can be interpreted and used for own monitoring by connecting to a microcontroller or PC.
Hope this helps to stimulate some ideas ...

full-duplex-cable.gif

11 minutes ago, DeonBez said:

@WazzaCPT I am sure you would be able to do this.

Two serial ports are needed (with the same logic as the current one) to monitor TX and RX data
Below is a typical example connection diagram for unobstructed sniffing of serial data.

P1 and P2 represent the existing Sunsynk inverter and Dongle connectors (not sure about actual male and female on dongle/inverter).
P3 and P4 provide a sniffed copy of the TX and RX data between the Dongle and Sunsynk inverter which can be interpreted and used for own monitoring by connecting to a microcontroller or PC.
Hope this helps to stimulate some ideas ...

full-duplex-cable.gif

Hello @DeonBez,

Are you saying that you could sniff both the RX and TX packets using an ESP32 with a logic level converter (or a TTL to DB9 serial interface) while not messing with the functions of the dongle and inverter? I would assume this means you can see data but should block sending any data through the sniffing device? Would this mean that technically you would only need to sniff the TX of the inverter?

Would it be possible in theory to sniff directly off the RX pin of the UART on the ESP32 in the dongle? Potentially including a second ESP module inside the same dongle?

I am not very clued up with this type of approach but I do know you can scope a signal, so understand you should be able to read it with a device.

Edited by WazzaCPT

7 minutes ago, WazzaCPT said:

I would assume this means you can see data but should block sending any data through the sniffing device?

@WazzaCPT As long as one connects the TX signal of the inverter to another serial port RX signal and the same for the Dongle, it should not interfere with the existing communications, taking into account the cable length limits for RS232, which are dependent on the baud rate but generally stated as around 15m.

10 minutes ago, WazzaCPT said:

Would this mean that technically you would only need to sniff the TX of the inverter?

I have not looked at the protocol to know if only TX or both TX/RX data packets are needed to implement monitoring but am sure other forum/internet members have already reverse engineered it so the info will be available somewhere.

13 minutes ago, WazzaCPT said:

Would it be possible in theory to sniff directly off the RX pin of the UART on the ESP32 in the dongle? Potentially including a second ESP module inside the same dongle?

If you are prepared to open the Dongle, yes.
Not sure how the ESP32 is powered and if another ESP32 or similar can be powered from the same source, but this information should also be available on the forum / internet.

The diagram attached in previous post was really more to indicate sniffing should be possible without modifying the stock Dongle by just using a breakout sniffing cable 😃

 

53 minutes ago, DeonBez said:

@WazzaCPT I am sure you would be able to do this.

Two serial ports are needed (with the same logic as the current one) to monitor TX and RX data
Below is a typical example connection diagram for unobstructed sniffing of serial data.

P1 and P2 represent the existing Sunsynk inverter and Dongle connectors (not sure about actual male and female on dongle/inverter).
P3 and P4 provide a sniffed copy of the TX and RX data between the Dongle and Sunsynk inverter which can be interpreted and used for own monitoring by connecting to a microcontroller or PC.
Hope this helps to stimulate some ideas ...

full-duplex-cable.gif

I actually built something like this, based on an ESP32. I posted some pictures of it, and a little description, here: https://infosec.exchange/deck/@RoganDawes/111595769934719217

Sorry, the pictures are too large for this forum 🙂

ESP32 has 3 UARTs, I put an SP3232 on some veroboard to get 2 inbound signals and 2 outbound signals, mapped to U1RX/U1TX and U2RX/U2TX. The jumper pins in the middle let you switch from just snooping to active interception, by connecting the TX signals, and breaking the "Straight through" connections in the middle.

And yes, while it is possible to pass through the data from the genuine dongle (running e-linter firmware) to the inverter, and its responses in the other direction, and then issue your own commands when it is quiet so as not to trample over the e-linter comms, actually identifying and using those intervals of quiet is not the simplest problem to solve.

I think I mentioned it above, but another approach is to emulate the e-linter firmware using Wokwi, and forward the emulated UART to the dongle. Still some impedance matching required (e-linter firmware will expect a response within X ms, otherwise will resend the query, so you can simply drop a duplicated query, etc, etc).

39 minutes ago, WazzaCPT said:

Ok, so all way too complex for me. Is there a way to make use of the firmware bin that you dumped to get to the code and functions?

It’s not easy, I’m afraid. As of last year, the tools for reversing an ESP32 RISC-V binary were not exactly user friendly. There are lots of debugging / logging statements which should help to give an idea of what the code is supposed to be doing, if you can figure out the memory base addresses, etc for your decompiler.

This is how I go about sniffing serial traffic between the ports.

As mentioned the ESP32 has 3 serial ports UART0, UART1 & UART2
 

#define RXD1 4
#define TXD1 2
#define RXD2 16
#define TXD2 17
 
void setup() {
  Serial1.begin(9600, SERIAL_8N1, RXD1, TXD1); //Dongle
  Serial2.begin(9600, SERIAL_8N1, RXD2, TXD2); //Inverter
  Serial.begin(9600);
 
}
 
void loop() {
  //From Dongle
  if (Serial1.available() > 0) {
    // read the incoming byte:
    int incomingByte=0;
    incomingByte = Serial1.read();
    Serial2.write(incomingByte);
  }
  //From Inverter
  if (Serial2.available() > 0) {
    // read the incoming byte:
    int incomingByte=0;
    incomingByte = Serial2.read();
    Serial1.write(incomingByte);
  }  
}

 

Additionally to the above I make use of web serial to monitor the data
https://randomnerdtutorials.com/esp32-webserial-library/

Note the above interferes with the comms but I do get a response from the inverter. Also note the inverter does not send data all the time, it needs to be queried.

Using SolarAssistant as the "Dongle" I receive the following (Without spaces) that is sent to the inverter before the inverter will respond.
 

Below is in decimals, but using Serial.print(intvalue, HEX); will format it hex if you like.

0 3 0 0 0 9 132 29 1 3 0 0 0 9 133 204 2 3 0 0 0 9 133 255 3 3 0 0 0 9 132 46 4 3 0 0 0 9 133 153 5 3 0 0 0 9 132 72 6 3 0 0 0 9 132 123 7 3 0 0 0 9 133 170 8 3 0 0 0 9 133 85 9 3 0 0 0 9 132 132 10 3 0 0 0 9 132 183 11 3 0 0 0 9 133 102 12 3 0 0 0 9 132 209 13 3 0 0 0 9 133 0 14 3 0 0 0 9 133 51 

 

Perhaps linking directly to the inverter's TX and then send to webserial may be a better idea.

Not shown in the below image, I use a DB9 Gender Changer to interface with the inverter.

spacer.png

Edited by MartinViljoen

36 minutes ago, MartinViljoen said:

This is how I go about sniffing serial traffic between the ports.

As mentioned the ESP32 has 3 serial ports UART0, UART1 & UART2
 

#define RXD1 4
#define TXD1 2
#define RXD2 16
#define TXD2 17
 
void setup() {
  Serial1.begin(9600, SERIAL_8N1, RXD1, TXD1); //Dongle
  Serial2.begin(9600, SERIAL_8N1, RXD2, TXD2); //Inverter
  Serial.begin(9600);
 
}
 
void loop() {
  //From Dongle
  if (Serial1.available() > 0) {
    // read the incoming byte:
    int incomingByte=0;
    incomingByte = Serial1.read();
    Serial2.write(incomingByte);
  }
  //From Inverter
  if (Serial2.available() > 0) {
    // read the incoming byte:
    int incomingByte=0;
    incomingByte = Serial2.read();
    Serial1.write(incomingByte);
  }  
}

 

Additionally to the above I make use of web serial to monitor the data
https://randomnerdtutorials.com/esp32-webserial-library/

Note the above interferes with the comms but I do get a response from the inverter. Also note the inverter does not send data all the time, it needs to be queried.

Using SolarAssistant as the "Dongle" I receive the following (Without spaces) that is sent to the inverter before the inverter will respond.
 

Below is in decimals, but using Serial.print(intvalue, HEX); will format it hex if you like.

0 3 0 0 0 9 132 29 1 3 0 0 0 9 133 204 2 3 0 0 0 9 133 255 3 3 0 0 0 9 132 46 4 3 0 0 0 9 133 153 5 3 0 0 0 9 132 72 6 3 0 0 0 9 132 123 7 3 0 0 0 9 133 170 8 3 0 0 0 9 133 85 9 3 0 0 0 9 132 132 10 3 0 0 0 9 132 183 11 3 0 0 0 9 133 102 12 3 0 0 0 9 132 209 13 3 0 0 0 9 133 0 14 3 0 0 0 9 133 51 

 

Perhaps linking directly to the inverter's TX and then send to webserial may be a better idea.

Not shown in the below image, I use a DB9 Gender Changer to interface with the inverter.

 

This is mine:

 image.png.32dfc5ba259c29b911c46214e67c10ab.png

ESP32 talks to the SP3232 transceiver (yellow wires), which has 2 channels in each direction, perfect for 2 UARTs. The jumpers at the bottom either swap RX/TX (two blocks on either side), or connect/disconnect the TX lines from the transceiver/ESP32. When the ESP32 TX lines are disconnected, the ESP32 can snoop but not transmit, which is enough for most purposes.

I run ESPHome on the ESP32, because it has a ton of useful functionality (OTA updates, built in UART buffering, debug logging via WiFi, etc), and simply put the Sunsynk dongle on one side, and a DE9 cable to the inverter on the other side.

The string of numbers you posted is actually just the dongle trying to identify the address of the inverter (first column). Second column (3) is a "read holding register" command, starting at address 0, and returning 9 registers. Last two columns are the CRC. Apparently the inverter was not responding for some reason. Not connected, maybe?

 0 3 0 0 0 9 132 29 
 1 3 0 0 0 9 133 204
 2 3 0 0 0 9 133 255
 3 3 0 0 0 9 132 46
 4 3 0 0 0 9 133 153
 5 3 0 0 0 9 132 72 
 6 3 0 0 0 9 132 123 
 7 3 0 0 0 9 133 170 
 8 3 0 0 0 9 133 85 
 9 3 0 0 0 9 132 132 
10 3 0 0 0 9 132 183 
11 3 0 0 0 9 133 102 
12 3 0 0 0 9 132 209 
13 3 0 0 0 9 133 0 
14 3 0 0 0 9 133 51 
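
The frame layout described in the post above (address, function 3, start address, register count, CRC), applied to the quoted dump as an added example that is not part of any poster's message. Function names are illustrative, and it handles only the fixed 8-byte read requests seen in the dump, not inverter responses.

```python
"""Added example: split a sniffed Modbus RTU dump into request frames and check CRCs."""
import struct

# Decimal byte dump exactly as quoted in the thread (dongle-side requests only).
SAMPLE_DUMP = """
0 3 0 0 0 9 132 29 1 3 0 0 0 9 133 204 2 3 0 0 0 9 133 255 3 3 0 0 0 9 132 46
4 3 0 0 0 9 133 153 5 3 0 0 0 9 132 72 6 3 0 0 0 9 132 123 7 3 0 0 0 9 133 170
8 3 0 0 0 9 133 85 9 3 0 0 0 9 132 132 10 3 0 0 0 9 132 183 11 3 0 0 0 9 133 102
12 3 0 0 0 9 132 209 13 3 0 0 0 9 133 0 14 3 0 0 0 9 133 51
"""

READ_HOLDING = 3   # function code discussed in the thread
REQUEST_LEN = 8    # address, function, start (2), quantity (2), CRC (2)


def crc16_modbus(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (init 0xFFFF, reflected polynomial 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def parse_dump(text: str) -> bytes:
    """Turn whitespace-separated decimal values into raw bytes."""
    return bytes(int(token) for token in text.split())


def extract_requests(stream: bytes):
    """Return (frames, skipped_bytes).

    A sniffer can start mid-frame or pick up line noise, so instead of cutting
    the stream every 8 bytes this slides forward one byte at a time until a
    window has function 3 and a matching CRC, then jumps past that frame.
    """
    frames, skipped, i = [], 0, 0
    while i + REQUEST_LEN <= len(stream):
        window = stream[i:i + REQUEST_LEN]
        address, function, start, quantity = struct.unpack(">BBHH", window[:6])
        (crc_rx,) = struct.unpack("<H", window[6:])  # CRC is sent low byte first
        if function == READ_HOLDING and crc_rx == crc16_modbus(window[:6]):
            frames.append({"address": address, "start": start,
                           "quantity": quantity, "crc": crc_rx})
            i += REQUEST_LEN
        else:
            skipped += 1
            i += 1
    return frames, skipped + (len(stream) - i)


if __name__ == "__main__":
    frames, skipped = extract_requests(parse_dump(SAMPLE_DUMP))
    for f in frames:
        print(f"addr={f['address']:2d} read {f['quantity']} regs from "
              f"{f['start']} crc=0x{f['crc']:04X}")
    print(f"{len(frames)} valid requests, {skipped} bytes skipped")
```

A matching CRC only shows the bytes arrived intact; Modbus RTU carries no authentication, so any device wired to the inverter's RX line can issue the same requests.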

 

7 minutes ago, Gambit said:

This looks like a great project. My only concern is you would lose inverter firmware updates functionality

Sure, that's why you take a backup, and can reinstall it if you ever need to do an upgrade. And while doing so, log all the data written out on the serial port to see how it is done 😛

31 minutes ago, WazzaCPT said:

I wonder how different the firmware update process is compared to say the Nextion firmware upload is.

I suspect it is something like doing a modbus write to a particular holding register (probably with the expected length of the firmware), then writing the bytes of the firmware one after another to a different holding register, then finally writing a "complete" message to either the first or a different holding register.

I have to correct my earlier post, I'm not actually getting any response from the inverter. At the time of testing I swopped the ports. I received data from the dongle and thought it's coming from the inverter. Got a little excited.

Not sure why I'm not getting any responses when I copy the byte received as is from the dongle over to the inverter's RX pin.

Starting to wonder if the gender changer is the issue or if the inverter expects RTS and CTS.

 

Going to try what DeonBez suggested.

40 minutes ago, MartinViljoen said:

I have to correct my earlier post, I'm not actually getting any response from the inverter. At the time of testing I swopped the ports. I received data from the dongle and thought it's coming from the inverter. Got a little excited.

Not sure why I'm not getting any responses when I copy the byte received as is from the dongle over to the inverter's RX pin.

Starting to wonder if the gender changer is the issue or if the inverter expects RTS and CTS.

 

Going to try what DeonBez suggested. 

There is no RTS/CTS required. You may well have the outbound RX and TX lines swapped. Would try that first.

  • 1 year later...
On 2024/04/16 at 10:05 PM, RoganDawes said:

Basically, change the board to an ESP32C3 (I just picked one, there may be better options), set the variant, and update the UART pins. Also, delete the modbus TX control pin, because RS232 is full duplex.

Shout if you have any questions.

Hey there @RoganDawes :)
I have a spare Sunsynk dongle and want to re-flash it.
I have flashed tons of Sonoff devices and visia devices, just not too sure about the pads to use on this one.

I see the TX RX GND pins but do not see the +3.3 pad
Also for programming do I bridge the ISP pads as indicated on the board to put it in flashing mode?

EDIT: I did find your link to more info where you explained the connections for power and confirmed the ISP short for programming :)
Will be giving it a go today.


sunsynk_dongle-reflash-flashing.jpg

Edited by WannabeSolarSparky
