diy solar

EG4 Solution: Encrypting your Wi-Fi dongle connection

I also have a DJ series dongle that says it is up to date with 2.06 and is missing the encryption mode options (seeing the same screenshots as Verbs).

Any updates on this?
 
If you try with Apple again, let us know what app version you are using. We have not had any issues with Apple users not having encryption available.
Mine does not show on iOS either, App Version 1.4.8. DJ Series Dongle on V2.06.

The AP Parameter Section under Dongle Connect Parameters only shows SSID and Restart Dongle.

What is the part number for a wired dongle? Until this is resolved I will be shutting mine down and bypassing the GridBoss and FlexBoss21; this is a huge security vulnerability. It's also in violation of several states' laws regarding IoT devices; by default it needs to be asking the user to set a password when being set up, not using no encryption or a generic password. California SB-327 is the one most manufacturers use as the guideline.


(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.


While we are on the security topic, the EG4 Monitor Center really needs to support multi-factor authentication as well; something like Google Authenticator standards (which work with many applications, not just Google Authenticator) or similar would be great. SMS may be an option as well for people who are okay with less phish-resistant MFA.
 
Mine does not show on iOS either, App Version 1.4.8. DJ Series Dongle on V2.06.

The AP Parameter Section under Dongle Connect Parameters only shows SSID and Restart Dongle.
The same. I installed the latest EG4 monitor last night on a friend's Apple device. It doesn't show encryption options for the AP.
 
Until this is resolved I will be shutting mine down and bypassing the GridBoss and FlexBoss21; this is a huge security vulnerability.
Wouldn't it make more sense to program things appropriately and unplug the dongles? That would let you benefit from the savings of the system.
 
What is the part number for a wired dongle? Until this is resolved I will be shutting mine down and bypassing the GridBoss and FlexBoss21; this is a huge security vulnerability.

The wired dongle doesn't expose TCP port 8000 for 3rd party systems to monitor it locally. I think Solar Assistant now has an RS485 interface for EG4/LuxPower that will work, you have to do some custom modules/wiring.

While we are on the security topic, the EG4 Monitor Center really needs to support multi-factor authentication as well; something like Google Authenticator standards (which work with many applications, not just Google Authenticator) or similar would be great. SMS may be an option as well for people who are okay with less phish-resistant MFA.
I would recommend for EG4 to not manage my credentials, but use authentication from Google, Meta, Microsoft, etc, Identity Providers to manage the credentials. EG4 just uses the e-mail on the account to correlate it.

You forgot to bring up that the Bluetooth interface is sitting there wide open with no authentication and no stated plans to close that vulnerability either. Wifi and Bluetooth are relatively local vulnerabilities, but "nearest neighbor" attacks bypass that challenge pretty easily.

The FBI/CISA have stated that solar generation systems are at high risk for compromise due to the lack of reasonable security controls. I completely understand your desire to disconnect the dongle.
 
I don't plan on using the system if a fix is not implemented within the week.
It's just the dongle that's the vulnerability, don't throw out the baby with the bath water. EG4/LuxPower is not the only system with these security vulnerabilities, it's a pervasive problem in the whole industry.

If they could fix this within a week, I'd be even more worried about what other security steps they skipped.
 
It's just the dongle that's the vulnerability, don't throw out the baby with the bath water. EG4/LuxPower is not the only system with these security vulnerabilities, it's a pervasive problem in the whole industry.

If they could fix this within a week, I'd be even more worried about what other security steps they skipped.
They posted this in July 2024. The settings are likely already there; they just haven't exposed it in the UI.

They haven't fixed this since July 2024, and their response to this will show what they plan on doing. If they don't fix it I will be returning it. EG4 & SS both as a whole are great at trying to pass the buck rather than taking responsibility. They are hoping people will just hold on to them with no plans of fixing it; I for one will not accept a half-baked product. @James Showalter can learn to take some responsibility. The fact that this even still exists coming up on a year later shows there are major problems with leadership and project management.
 
It is the EG4 Monitor app that is the problem. I downloaded the LuxPower app https://apps.apple.com/za/app/luxpower/id1415841608 and go to Dongle Connect and I can set the AP Password. This does not change any of the server settings. Even after setting the password, which works in the LuxPower App, the settings will not show in the EG4 Monitor app, as it's missing those settings completely. I think the EG4 Monitor app's latest updates have a regression in the latest code from LuxPower.

Sadly it's still only weak TKIP, not WPA2 AES, once encrypted, but better than nothing. I plan on looking into making a PowerShell script to set both encryption and potentially even just disabling the AP mode altogether (as is normal). You would have to connect a system to the local Wifi connection from the dongle, not over your normal network, as these commands get sent to 10.10.10.1.

Still somewhat trivial to get in, but with no password for the Wifi SSID nor control we aren't even in script kiddie territory; we are in a kid messing around territory. Or should I say "Blasted Meddling Kids!" - Scooby-Doo

So in summary: EG4 needs to check their current modified code base against LuxPower for a regression that happened in recent updates. Also it would be great if EG4 had the option to just completely disable the AP mode, I understand a reset would be needed on the dongle to change wifi or get back in that way but I think to many people this would be worth it. Looking at the LuxPower APK Code in Jadx this looks like it might be possible but it is currently disabled.
 
It is the EG4 Monitor app that is the problem. I downloaded the LuxPower app https://apps.apple.com/za/app/luxpower/id1415841608 and go to Dongle Connect and I can set the AP Password. This does not change any of the server settings. Even after setting the password, which works in the LuxPower App, the settings will not show in the EG4 Monitor app, as it's missing those settings completely. I think the EG4 Monitor app's latest updates have a regression in the latest code from LuxPower.
Oooo! I will have my friend come over and try that! I looked for the LuxPower app in Google Play store, it's not there. I see the app still advertised as being available on Lux's web site. I wonder if LuxPower geo restricted it from the US for EG4.

Sadly it's still only weak TKIP, not WPA2 AES, once encrypted, but better than nothing. I plan on looking into making a PowerShell script to set both encryption and potentially even just disabling the AP mode altogether (as is normal). You would have to connect a system to the local Wifi connection from the dongle, not over your normal network, as these commands get sent to 10.10.10.1.
That's disappointing... TKIP is breakable in less than 5 minutes with less than $100 in hardware. That's not security, that's theatre.

Still somewhat trivial to get in, but with no password for the Wifi SSID nor control we aren't even in script kiddie territory; we are in a kid messing around territory. Or should I say "Blasted Meddling Kids!" - Scooby-Doo

So in summary: EG4 needs to check their current modified code base against LuxPower for a regression that happened in recent updates. Also it would be great if EG4 had the option to just completely disable the AP mode, I understand a reset would be needed on the dongle to change wifi or get back in that way but I think to many people this would be worth it. Looking at the LuxPower APK Code in Jadx this looks like it might be possible but it is currently disabled.
Agree, I'd much rather be able to shut down the AP and Bluetooth interfaces. If I needed those back, factory reset the device. It's easy enough to reconfigure and that's the way almost every other device like this on the market works.

I really wish the Ethernet adapter supported TCP port 8000, I'd have already ordered that and moved on from this subject.
 
Oooo! I will have my friend come over and try that! I looked for the LuxPower app in Google Play store, it's not there. I see the app still advertised as being available on Lux's web site. I wonder if LuxPower geo restricted it from the US for EG4.

Sounds like they pulled it from Google Play (https://powerforum.co.za/topic/31983-where-has-the-luxpower-app-gone/), but you can get a mirror of it here if you trust it: https://apkpure.com/luxpowerview/com.nfcx.luxinvpower or direct from the site: https://cs.luxpowertek.com/resource/apk/LUX_POWER/new

 
