diy solar

CHINA kills all non Sol-Ark branded DEYE unit in the USA this morning.

Sweet Home 3D is open source. I've used it, and still use it, to design everything from a woodshed to the sauna (and did the house with it) and I'm definitely not paying anything. Must have been something else.

Yeah, I have Sweet Home 3D on my laptop and it seems to run.
Might have been Dassault DraftSight that was initially free, then wanted money.

I now use OpenOffice Draw, a Visio clone.
 
Yep. I enjoy working on cars again now. I actually spent more money on my scan tools than any of my computers :)

That's actually a key to owning a BMW. They have a reputation of being horribly expensive to keep on the road when in reality they are one of the cheapest ones to own IF you can do your own work.
I watched one auto mechanics video where a car would not start. He had seen this same problem before, so he knew basically where to begin. He had a sophisticated scan tool. Anyway, he had to tear out a lot of panels in the liftgate to get at the rear camera wiring and disconnect it… then the car started.
 
No need to break windows or bust the columns anymore on many models. Just pull the bumper cover loose by the wheel, grab the CAN BUS wires that go to the headlights, clip on your hacking tool, unlock the doors with it, start the engine and just get in and drive off. Less than 2 minutes.

This has now created the Auto Authority registration where you pay each year to have a scan tool registered, have to pay each month to keep the software updated (subscription based) and an internet connection is required the entire time the scan tool is connected. When accessing any comms, the scan tool will check the registration at Auto Authority and also ensure the software is up to date.

The OE manufacturer, scan tool companies and the government came up with this solution. I have a better idea, either quit running CAN wires to the headlamps or run the wires so access is difficult. Just another way to get into someone's pocket.

You have to love the stupidity of putting a basic microcontroller in the lights/unprotected areas and connecting it to the main control bus such that it can talk to everything and allow this sort of stupidity. The reason must be it was easier/cheaper to put it on the main canbus than to wire the lights to dedicated control wires for just the light. I have had discussions about security issues with other engineers and the dumb-ass response is well no one would do that or think to do that (access the bus going to the poorly protected headlights to steal the car). It is purely a failure to consider how things could fail and it is also why software sucks because everyone codes for perfect and checks nothing and assumes everything will always work (even when it is known/documented otherwise).

I worked for a company that came out with a credit card in the 60's (gas card, really really early one) and they were dumb enough to not put ANY check digits in the card number and also use a sequential dense space (so that a single typo in the lower numbers was almost certain to match someone else's card). Even with scanners reading in the imprints this seems like a less than great idea (i.e. no ability to handle any error). Clearly Barney (the trusting innocent clueless optimistic purple dinosaur) does design work. I have heard it said that every design team needs a token pessimist to offset the Barney-like innocence of the rest of the team.
 
Again, I think you completely miss the point of what is important. If you own a Deye inverter, you live under the foot of a giant, and it does not matter a bit whether he follows this agreement or that agreement. You live under his foot. He can squash you like a bug at any moment and for any reason.

The lesson here should be that smart people don't live under the foot of a giant, not a long legal analysis of the giant's motivations today.
And how is this different than anything else? Turning off the inverter like they did was just a method. If China decided to halt all exports to the US, there'd be no reason to go to Walmart. Ever notice the smell in the box from something from China? Is that killing us? Any time you rely on another person, company, or country, you are under their foot. Again, people are going crazy over this inverter thing like it's unique. It's not, it's just more relevant to our situation. My water heater, refrigerator, wall oven, range can all be connected to the internet. They could probably kill all those if I had them connected. I have Alexa tied to my automated house, so they can probably turn my lights on and off. Companies too numerous to list are in bed with China and other countries. At any time, any of them could do the equivalent of turning off an inverter.

So again, relevant to the OP, I disagree as to what is most important. What happened may be a major eye opener, but it's not specific to this situation. The relevant issue here is that if you install a Deye inverter in Sol-Ark territory, bad things can happen.
 
The OBD diagnostic connector is behind a security gateway. However the only thing behind the gateway is the OBD port, the entire rest of the CAN network is unprotected. And it's known, that's how engineering accesses the CAN bus most of the time.
 
Apologies in advance if this question is answered already somewhere in this 106! page thread.

Does anyone know if this product line is part of the set of inverters Deye has bricked in the US?

Deye SUN-(5-8K)K-SG01LP1-US

Thanks!
 
You know, I wish I had your knowledge of stuff like this... I can fab the heck out of anything you need with a welder, a plasma cutter and a mill and lathe... but stuff like this is a friggin black art to me.
Emporia is a great product. For $34 you buy four 120V wall plugs that connect by Wifi to their cloud and get real-time and historical energy monitoring. When you are ready you can add their box to your main panel and use donuts to monitor the 240V lines. In their software they integrate that information together with the 120V wall plugs and you get a complete understanding of your energy use throughout the house. Starting with just four wall plugs is a low cost and reasonable way to get familiar with their app.
 
Again, people are going crazy over this inverter thing like it's unique. It's not, it's just more relevant to our situation. My water heater, refrigerator, wall oven, range can all be connected to the internet. They could probably kill all those if I had them connected. I have Alexa tied to my automated house, so they can probably turn my lights on and off. Companies too numerous to list are in bed with China and other countries. At any time, any of them could do the equivalent of turning off an inverter.
So everyone, give up. There is no solution. It's hopeless.

The OBD diagnostic connector is behind a security gateway. However the only thing behind the gateway is the OBD port, the entire rest of the CAN network is unprotected. And it's known, that's how engineering accesses the CAN bus most of the time.
There are special plugs which bypass the security gateway. I have one in my 2019 Grand Cherokee so I can run my BT adapter and AlfaOBD.
 
Just saw this thread. I've been expecting this. Look at my post from a couple years back.

 
Not sure how you came to that conclusion from my post. Everyone can find their own reality. How they deal with it is up to them.
This is my response when someone only points out some flaw in others' reasoning, without some alternative/workaround/solution.

In a former life I was enterprise infosec. As a result I buy nothing-cloud. Nothing with no somebody-else's-cloud for me, thank you. I have my own WireGuard cloud. And that includes nothing G**gle, except Android stripped of G**gle apps. (Lineage) They still have sneaky pernicious ways of getting in though. I delete all my cookies and restart Firefox, and Surprise! I am still logged in to spewtube. I have a good idea how, but am waiting for the Duck to make a Linux browser.
 
IMHO, Deye has no interest in remotely shutting down Deye inverters in the USA (at this moment). Sol-Ark does. The US government, IMHO, could be interested as well, but I won’t go into details or share my thoughts here.

If you use Solarman or the Deye cloud, then yes, they can remotely upgrade your firmware, change inverter settings, and do both useful and potentially harmful things to your inverter. The real question is: who actually did this? And I think the answer is simple—follow the money. Deye has already sold the inverter, so what interest would they have in turning it off now? On the other hand, Sol-Ark is losing money if someone imports privately, which I assume is cheaper than buying locally from Sol-Ark.

That’s why I disconnect all my Deye inverters from the cloud and use Home Assistant to control them remotely via a VPN tunnel that I have fully under my control.
 
That’s why I disconnect all my Deye inverters from the cloud and use Home Assistant to control them remotely via a VPN tunnel that I have fully under my control.
Probably a good way to go with Deye or any Chinese made inverter.

As to why Deye might want to disable inverters they have already sold, because of legal pressure from SolArk and other distributors with exclusive territory agreements.
 
I wasn't sure if this was the proper thread for it:


Seems reasonable to me.

We're discussing brick-it back doors that are known to be present in at least Deye inverters that can be activated by external commands. People are talking about defending by disconnecting, firewalling, and/or filter-proxying network traffic.

This new article describes a firmware backdoor built into a VERY common Bluetooth chip that appears to allow injection of traffic and connection backdoors over malicious Bluetooth activity, including persistence and authentication bypass.

If the inverter uses this common chip and the two backdoors can be combined, you have drive-by, over-the-air, brick-it and pown-it exploits that don't require credentials or other info that isn't being broadcast already by the target.

But this thread was already 2,641 posts long and this new exploit changes the subject somewhat. So perhaps starting a new one and posting a link to it in this one might be a better move.
 
Interestingly, one of our new Deye hybrids sold in Thailand has an updated MMI version.

It adds a "Warning" tab bottom left.

Clicking it brings up a very similar screen to the "brick" screen seen by others. The inverter functions normally, no PIN or anything needed, so this really is just a warning.

And our units are not connected to the net (anyone want some Deye Wifi dongles?) everything is done via Solar Assistant which is also firewalled and accessed via my own personal VPN.

Paranoid, moi??

 
Seems reasonable to me.

We're discussing brick-it back doors that are known to be present in at least Deye inverters that can be activated by external commands. People are talking about defending by disconnecting, firewalling, and/or filter-proxying network traffic.

This new article describes a firmware backdoor built into a VERY common Bluetooth chip that appears to allow injection of traffic and connection backdoors over malicious Bluetooth activity, including persistence and authentication bypass.

If the inverter uses this common chip and the two backdoors can be combined, you have drive-by, over-the-air, brick-it and pown-it exploits that don't require credentials or other info that isn't being broadcast already by the target.

But this thread was already 2,641 posts long and this new exploit changes the subject somewhat. So perhaps starting a new one and posting a link to it in this one might be a better move.
Thanks, looks like supervstech has started one: https://diysolarforum.com/threads/b...ifi-chip-found-in-billions-of-devices.101159/
 
Only read the first ten or so pages (been off the forum for a while). People are saying…these are “gray market.” Horse crap. How many other markets have 120/240v split phase? Other than Canada, USA, or Mexico? Without Googling it, I’ve been all over the world and haven’t encountered any. I think there might be a sprinkling in South America. Regardless, these were designed and made, from the outset, to be sent to North America.
 
Only read the first ten or so pages (been off the forum for a while). People are saying…these are “gray market.” Horse crap. How many other markets have 120/240v split phase? Other than Canada, USA, or Mexico? Without Googling it, I’ve been all over the world and haven’t encountered any. I think there might be a sprinkling in South America. Regardless, these were designed and made, from the outset, to be sent to North America.
Japan... split phase, 100/200. I use US made inverters at 120/240 and they work fine of course. Parts of PI and Thailand I believe as well, but you are correct with your thesis... these were made for the US and Deye got caught backdooring solark. Hope they got a reach around ...
 
Interestingly, one of our new Deye hybrids sold in Thailand has an updated MMI version.

It adds a "Warning" tab bottom left.

Clicking it brings up a very similar screen to the "brick" screen seen by others. The inverter functions normally, no PIN or anything needed, so this really is just a warning.

And our units are not connected to the net (anyone want some Deye Wifi dongles?) everything is done via Solar Assistant which is also firewalled and accessed via my own personal VPN.

Paranoid, moi??

I guess this is what you get if you need the code. This was from a post on the DEYE help group I saw last year.

I can't believe this stuff blew past me over the past months.

I retired and moved to the Philippines in 2021. In 2022 I decided to go solar. I liked the Sol-Ark but the price and then shipping was killer. Coming from the commercial power world I liked the design so I decided to go with a DEYE Hybrid 16 kW single phase. I did my research and requested quotes from 4 companies, 3 replied, none of them were close in meeting my specs. So I asked for updates and only one responded. Apparently they were basically quoting me what they usually install. Nothing about the ground mount I wanted and not even including batteries that were in the spec. So I decided to learn myself. The DEYE inverter $3070 plus 50% shipping. Ordered the PV panels (30 x 700 watt bifacial), ground mount and batteries from China. Installed everything myself. I did hire a couple of my wife's cousins and her brother to put up the panels, 86 lbs each. For that and some concrete work I paid less than $200 for 4 days work. The actual hardest part was putting the 2 meter ground screws in by hand... impossible to find the power equipment for doing it here. System has been online for 2 1/2 years, working fine. I added SA about a month ago.
 
Disconnect the dongle from the inverter and just use solar assistant and you will be fine.
That is an absolutely gorgeous home.
Yup. I also know the guy that is the DEYE country manager for the Philippines so he would probably have warned me. We had the house built in 2020/2021 in a golf community. I don't play golf but we like the area and the view. Plus it's very quiet which is somewhat of a rarity here.
 
