diy solar

Protecting EG4 18kPV from Remote Attacks

Even your electrical supply company could leak your data, so you're kind of cutting off your nose to spite your face there. Buy your inverters, set them up, grab any firmware updates you need and then remove the dongle; problem solved.
Or, and again keeping it simple, do as one should do with any IOT device...

Isolate it until one wills it online.

To add, all inverters using the cloud have the same issue.
Look up Navy Federal data breach, April 23
When was this? Right after they took over the Army and the Air Force federal credit unions, or recently?

Edit: this was not a data breach of the type we are discussing; this was as below, from the letter to members who were affected in the state where the two scumbags in the branch office worked.

"
C0015442
September 6, 2024
NOTICE OF DATA BREACH
On behalf of Navy Federal Credit Union, I am writing to inform you about an incident that involved
personal information about you. We regret that this incident occurred and take the security of personal
information seriously.
WHAT HAPPENED? We recently discovered that, between April 2024 and May 2024, two former
Navy Federal employees allegedly wrongfully obtained your personal information and shared this
information with unauthorized external parties."

April of 2023 was different: the data for some members was shared by an employee on a transaction of some sort and was exposed.

So these are bad actors internally... their computer side to date is pretty strong.

I am not overly worried, as I got my data stolen a few years ago by BOA, where I had an account, as they did community banking on the base at the time and were the only authorized yen exchangers on the base outside of the MWR or the NEX, both of which are full-blown grifters, so I avoid them. My NFCU account is over 40 years old and I have all my loans, DD, etc. from there.

When that happened I had a lock put on my credit reports, dumped BOA and have had NFCU monitoring ever since... I cannot get a line of credit except at the branch on Yokosuka. That's listed on my credit reports... the only place it can be lifted while I am alive is at the Yokosuka branch office, and you would need a CAC card or passport with your face and my name as well as some other data... feeling pretty safe at the moment.
And now you know why all military contracts now make you sign a disclaimer that you are not using any (ANY) Chinese-made equipment that records, communicates, or plugs into the internet in any fashion. Just watched a command's CO and XO get fired for this here in Japan...
Well, the Modbus protocol is old as dirt.
In the late 1960s GM wanted a faster way to retool lines, so they had a company called Modicon build them industrial computers that eventually became the PLCs we knew up until fairly recently.

Modbus was the first common communication protocol.
One master device talks to slave devices (256, I think, was the max).
Only one Modbus master is allowed on a network and it controls when data is exchanged (in practice two or more masters can be in the network, but it's tricky; it needs timing and a real crackerjack tech guy with the right loadables to pull off).
You can also use a bridge MUX; this allows a master on a Modbus network to also communicate with other Modicon products using a second peer-to-peer protocol later introduced called Modbus+ (there was another one called Modbus 2 also, but it failed to catch on).

Slaves, masters, bridges, peer-to-peer networks...
You can have a lot of computers, PLCs, drives and even things like automatic valves or sampling and data collection use these protocols.
And all this stuff can talk to all the other stuff going back to the 1970s machines.
But what was never conceived of, I guess, was the IOT world we live in.

I first became aware of Modbus TCP/IP around 2003.
At this point in time Modicon let anyone who wanted to use the original Modbus protocol with their equipment, and it became the de facto standard for anything that had to talk to anything.
Then the internet and remote accessing of these networks began with a new version of the same basic protocol but with all the internet identifiers added.
I never learned how this works....
I was happy with Modbus+ over a twisted pair and the occasional fiber optic link with a Weed modem.


At this point in my life I stopped being trained on anything new.
My employer did not want us to be too smart, and I think I have actually regressed to a more primitive form of 1980s electrician now....

But technology marched on...

Now that big rack is gone and the devices themselves in the field are connected to Ethernet.
Whatever the hell Wonderware is, it does everything.
The programs still appear to be in relay logic, but I never see them anymore...
Does this even use Modbus TCP/IP?
I don't know...
That's not my job to know anymore.

But still, they make this stuff that at its heart uses Modbus or Data Highway or any number of com protocols layered over the TCP/IP stuff.
And the weakness is no one ever thought about how to make this secure at the point of use.
The workaround has seemed to be automation-only networks with dedicated fibre and copper between them and a gatekeeper computer that the IT people look after, which allows some people to access the automation and the rest are locked out.

The operations and machines are only as secure as the gatekeeper computers and the people that look after them.
The fear is someone with malware will put a memory stick in a computer or share a password that lets the inside and outside worlds meet....
It's not fail-safe because it's accessible.
Sometimes you read a post from me here during work hours.
It's me with a password I somehow got, and I am texting a reply through the automation network or surfing the web.

I'm just a stupid old electrician...
But I'm smart enough to get out...
I don't understand it all and I don't have to; I just need to find an open port or open door, so to speak, or someone just leaves the electronic keys on a table and I am into it and outside in the world.
And someone outside is probably going to do the same thing one day and maybe wreck the place.

In conclusion, I think it's a bad idea to let an IOT device into your home unless it's isolated from everything else by a plain old mechanical relay.
You can't talk to a relay, just turn it on and off, and that's all it should ever be able to do.
On, off and status...
But to chain everything together and let the TV set talk to the washing machine and your solar charge controller, YIKES, that sounds like trouble.
Port mapping, etc. isn't really going to work if you're trying to use their monitoring. You really have 2 choices.
1. Use some sort of deep packet inspection rules like the OP says.
2. Disconnect the thing from the internet (i.e. physically or with firewall rules).
This. . .
The fear of a man-in-the-middle attack is real. Yes, nation states have better things to do than attack all of us one at a time. If there is a grid attack (false flag or otherwise) you can guarantee things like this will be targets as well.
Footprint is tough on this one. Can you? Of course. Would you? You have a very volatile target surface area. ROI is pretty bad for the attacker. The biggest problem with this one is the possibility of pushing a firmware update that trashes the inverter. To this end they really should have a USB stick for plug-and-go updating. But how many inverters are out there? So you're going to spend a zillion dollars to write exploitive software against a narrow-use product, then work out a MIM scenario by greasing some palms and redirecting packets on the internet backbone...

MIM is generally only effective in a localized scenario, i.e. I can compromise a box close to and between a target server and its gateway, or between a client and its gateway. For example, scraping credit card numbers by putting a device on the card reader on a gas pump. MIM *sounds* scary, but the reality is it's generally difficult to actually accomplish without being noticed. To make it worth the effort, you need a big target, and then compromise the data path between the client and server somewhere. Since the internet does not guarantee a path between the two, you have to compromise machines in the path at one edge or the other.

The point? If you're paranoid, unplug it unless you are doing an upgrade or something. If TSHTF, unplug it. Otherwise the real worry is going to be that the vendor itself screws the pooch by being careless, or from some software bug, not some bad actor. I've had my units inexplicably restart twice. I have since blocked it from regular access; might be totally unrelated.
 
I would have thought SS or Lux Power could design a program onto a CD we could buy to install onto our computer, that would interface with the 18kPV offline or remotely. Wouldn't that be simple enough? And fix this thought of sabotage.
 
Isn't that what BGP is all about? Several state actors have been "inadvertently" testing this for years now.

Not sure of your technical level. I eat, breathe and tweak BGP for a living. The bottom line does not change. I need to divert packets traveling across a network of routers owned by dozens of ISPs. It can be done. I would note IANA-reserved IP blocks have leaked onto the internet, interesting to say the least. Over time this has gotten somewhat tighter. A misbehaving ASN is going to get its wings clipped fairly quickly these days. It can and does happen all the time. About 2 weeks ago in CA/Frontier. To make this happen you would need to get control of AWS's BGP edge that is advertising the block, then advertise it from somewhere else. There is nothing that prevents a given IP from routing to multiple endpoints/servers. Case in point: 1.1.1.1 and 8.8.8.8. So should I simply advertise the IP I have to prioritize the path to my nefarious server? Nobody will take any advertisement less than /24, so I gotta grab more than I may want; the more I grab, the more likely to trip an alarm. Again, the ROI on the effort is going to be dubious.

There are technical details (stripping AS paths, MED and community mangling) involved with attempting something like this, that are varied with widespread differences that will make it annoying. What idiot would try this to hit just EG4 gear? What has been tested is CRASHING the internet by injecting routes to create loops and such, not stealing traffic for a specific server. If someone is doing a man in the middle (MIM) they have compromised one of the two edges. It's just not happening on the backbone.
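The post above describes why a hijacker has to announce at least a /24 and why that trips alarms. The standard defensive check an ISP runs against such an announcement is RPKI Route Origin Validation (RFC 6811): compare each received (prefix, origin AS) pair against published ROAs. The following is an added example written for this page, not the poster's tooling and not any router vendor's code; the ROA set, the RFC 5737 documentation prefixes and the private ASNs 64500/64501 are constructed, and the function names are my own. It shows how the exact /24 from the wrong origin, and a /24 carved out of a /22 whose ROA forbids de-aggregation, both come back `invalid`.

```python
"""Route Origin Validation (RFC 6811) against a small, constructed ROA set.

Added illustration, not code from the forum thread or from any vendor. The ROAs,
prefixes (RFC 5737 documentation space) and private ASNs below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce under this ROA
    origin_asn: int


# Constructed ROA set: a /24 that must be announced exactly, and a /22 that
# must not be de-aggregated into more-specifics (maxLength == prefix length).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 22, 64500),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' for one BGP announcement.

    A ROA covers an announcement when the ROA prefix contains it. The
    announcement is valid if any covering ROA names the same origin AS and the
    announced length does not exceed maxLength; invalid if ROAs cover it but
    none match; notfound if no ROA covers it at all.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def check_table(announcements, roas=ROAS) -> dict:
    """Validate a list of (prefix, origin_asn) pairs; returns {pair: verdict}."""
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    # Constructed announcements: the legitimate /24; the same /24 from another
    # origin (the classic hijack); a /24 carved out of the /22 (the "grab a /24"
    # case from the post); and a prefix with no ROA at all.
    sample = [
        ("203.0.113.0/24", 64500),
        ("203.0.113.0/24", 64501),
        ("198.51.100.0/24", 64500),
        ("192.0.2.0/24", 64500),
    ]
    for (p, a), verdict in check_table(sample).items():
        print(f"{p:18} AS{a}: {verdict}")
```

A router that drops `invalid` routes never installs the hijacker's /24 even though it is more specific than the legitimate /22; `notfound` is the weak spot, which is why the value of the check grows with ROA coverage.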
:)
paranoia - it runs rampant on the Home Assistant forum
Hackers have better (more profitable) things to go after than some off grid residence's inverter LOL. I'm a geek and I laugh at my industry, it's job security for pr0grammers to fan the flames of doomsday attacks --- don't forget that little fact.
Any time they smell fear the hawkers will hawk their wares. So if they can fan a flame, to make a buck you know they are!
Still, when it's time for chaos to reign, I'm sure someone has plans to exploit any weakness and will get with it.
 
@jsharkey - How did you figure this out? I just started looking at the same thing for my Sol-Ark. I've got a pcap and they're sending all the data in plain text as well, including my SSID. According to their own UI, I have Wi-Fi disabled, but it's still the IP it's using. I'm not happy right now.

I'm looking to do the same thing you did just with my 15k.
 
I've got a LAN with no Internet access. I have a second LAN with Internet access. They are currently not connected. Is it possible to connect them with a hardware firewall that locks down and prevents ALL communication between them except for a Python script I have created on each LAN to transfer files between the LANs. I don't want anything else on either LAN communicating through the firewall. I don't want to open a port where any service or app running on a device could get through that port. Just my one single Python script. Is this level of control possible?

I'm guessing even this would be a security risk as some attacker could get on the LAN through the Internet and modify the Python script to do whatever they wanted on the other LAN.

I think I may be creating a light bridge between the two LANs instead. Set of small screens and cameras between the two and I'll program a way to send light signals between them that the other side can decode. So the two LANs will be air gapped but communicate with some version of light morse code or something. That way I can get remote alerts over the Internet when I'm away. There are some commercial models that do something similar I've seen but they're expensive. Should be more difficult for an attacker to get through that way.

It's inconceivable to me that anybody puts their electric equipment on the Internet.
 
Oh please, these inverter dongles are practically the same as any cheap Alibaba IoT device. They might not hack your dongle to blow up your solar array, but they would sure love to take over that little esp32 dongle and use it as another node for DDoSing.

I am not an overly paranoid person, I try to host my own stuff where I can and try to take some reasonable privacy and security steps, but saying "lol don't worry about the insecure IoT crap you slap on your network!" is nonsense.

I was going to end with "no, a nation-state isn't going to hack your solar and burn your house down, that is ridiculous" but then again with recent world events I should probably hold my tongue.

This is the nature of networking, if you want to pass data, you need to poke a hole. The best you can generally do as a home user is have sensible firewall rules. Making multiple isolated subnets and poking holes on specific ports as needed is obviously better than one or two big networks, but it gets complicated quickly, and if it's WiFi connected devices rather than wired, you're often gonna be limited in the number of networks your WAP will even be able to broadcast, so it hits the point of infeasibility pretty quickly in many circumstances.

You gotta find a balance between "secure enough for me" and "not an absolute nightmare to manage and use".

Yeah, it's a tradeoff. I think I'm going to just make my own bridge. Have one script on one LAN display images/light on a small screen, another script on the other LAN looking at it with a camera, and pass data that way. The script on the non-internet LAN won't have write permission. That should allow me to lock it down pretty good and just send the data I want.

Although there is probably a one way hardware firewall that would do the same thing and wouldn't require too much configuration.

Actually, one of these might fit the bill. That way your solar equipment can send stuff out for you to monitor, but nothing from the Internet *should* be able to mess around with that equipment.


This one might fit the bill: https://sphyrnasecurity.com/ngxs-ugw-100-unidirectional-gateway/
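The light bridge idea in the posts above, and the unidirectional gateway just linked, share one property: the receiving side can never ask for a retransmit, so the sender has to frame, number and repeat its records and the receiver has to detect corruption and gaps on its own. The following is an added example written for this page, not the poster's planned script and not the linked product's firmware; the `OWL1` marker, the record layout and the telemetry values are constructed, and the class and function names are my own. It carries a few constructed inverter readings across a simulated lossy one-way channel and shows what the receiver can and cannot recover.

```python
"""One-way telemetry link with loss detection (added example).

Not the forum poster's bridge and not the linked product: a constructed
sender/receiver pair showing what a unidirectional channel needs when the
receiving side can never ask for a retransmit. Each record is framed with a
sequence number and a CRC-32, sent twice (cheap redundancy), and the receiver
deduplicates, rejects corrupt frames and reports gaps. The receiver has no
send path at all, by construction.
"""
import json
import struct
import zlib

MAGIC = b"OWL1"  # constructed frame marker


def encode_frame(seq: int, record: dict) -> bytes:
    """MAGIC | seq (u32) | len (u16) | JSON payload | CRC-32 over everything before it."""
    payload = json.dumps(record, separators=(",", ":")).encode()
    body = MAGIC + struct.pack(">IH", seq, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


class OneWaySender:
    """Lives on the inverter-side LAN; only ever emits bytes."""

    def __init__(self, repeats: int = 2):
        self.seq = 0
        self.repeats = repeats

    def send(self, record: dict) -> list:
        frame = encode_frame(self.seq, record)
        self.seq += 1
        return [frame] * self.repeats   # repetition is the only 'retry' a diode allows


class OneWayReceiver:
    """Lives on the internet-side LAN; consumes frames and never replies."""

    def __init__(self):
        self.expected = 0
        self.accepted = []
        self.corrupt = 0
        self.missing = []

    def feed(self, frame: bytes):
        """Return the decoded record, or None for corrupt or duplicate frames."""
        if len(frame) < 14 or frame[:4] != MAGIC:
            self.corrupt += 1
            return None
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) != crc:
            self.corrupt += 1
            return None
        seq, length = struct.unpack(">IH", body[4:10])
        if len(body) != 10 + length:
            self.corrupt += 1
            return None
        if seq < self.expected:
            return None   # second copy of a frame already accepted
        if seq > self.expected:
            self.missing.extend(range(self.expected, seq))   # both copies lost
        self.expected = seq + 1
        record = json.loads(body[10:].decode())
        self.accepted.append(record)
        return record


def run_lossy_demo(records, drop: set) -> OneWayReceiver:
    """Push records through a channel that drops the transmitted frames whose
    index (in flat transmission order) is in `drop`; returns the receiver."""
    tx, rx = OneWaySender(), OneWayReceiver()
    wire = [f for rec in records for f in tx.send(rec)]
    for i, frame in enumerate(wire):
        if i not in drop:
            rx.feed(frame)
    return rx


if __name__ == "__main__":
    # Constructed telemetry: battery SOC and PV watts, one record per minute.
    data = [{"soc": 80, "pv_w": 3100}, {"soc": 81, "pv_w": 3250}, {"soc": 82, "pv_w": 3300}]
    rx = run_lossy_demo(data, drop={1, 2, 3})   # one copy of rec 0, both copies of rec 1
    print("accepted:", rx.accepted)
    print("missing seqs:", rx.missing, "corrupt:", rx.corrupt)
```

The gap list is the point: on a one-way link a missed minute is visible but not recoverable, so the inverter-side script should keep its own log and re-send summaries periodically rather than assume delivery.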
 
I did some testing. I set up the IOT dongle to use a static IP address and then blocked outbound traffic from that IP. Without rebooting the IOT dongle the connection to EG4 stays working, but once I reboot the IOT dongle, it stays disconnected.

I pull my data from the EG4 via an RS485/Modbus script and could probably simply disconnect the dongle, but this way, as needed, I can remove the block from the firewall, let it connect to EG4 and do firmware updates easily, and then set the block back up.
 
Not trying to sound like a shill for Solar Assistant, but man it's like a new thread every week on how awful these cloud services and WiFi dongles for these AIOs are.

I would be going to great lengths to use basically anything other than these provided dongles, i.e. Solar Assistant or any other product. Solar Assistant, block WAN traffic to it, pipe everything to Home Assistant with mqtt to track stats or control it... Or just use Solar Assistant locally (works great).
Does EG4 publish firmware update files? Is there any way to get the binaries or are you forced to use their app?

This thread, the Deye thread, and I imagine only more to come.
EG4 is currently providing updates a few times a year.

I looked at Solar Assistant and for my AIO the settings seem to be rather limited and somewhat of a disorganized mess.

I am sorting out what improvements to make to the current modbus + mqtt setup to make it function better.

The risk I see is either a hacker getting control of the vendor's web site OR the country that made the hardware starting something, with step #1 being to tell the manufacturers to disable as many of the devices that they have some control of immediately, to cause extra chaos.
 
The value of Solar Assistant is in its data display and charting capabilities. I use the EG4 phone app to make changes and to update firmware (infrequently). So far EG4 doesn't offer files for general download.
I have built up a good enough solar status page in HomeAssistant that I can see what is going on and it graphs the data points of interest.
 
I have a background from SCADA systems and currently work as an OT network engineer... I am amazed that the modern world still has running water and electricity, because the security measures protecting these systems are often lacking, to put it mildly.

In the case of data export from an EG4 inverter, I'd pull data locally via modbus (much like the EG4 cloud system does...) to a small computer, and then push the data from there to somewhere I could access and use it. Modbus with the rx pins cut is one way, there are others, it really depends on your risk assessment.
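Both the earlier post that polls the inverter with an RS485/Modbus script and the suggestion just above to pull data locally over Modbus rest on the same small protocol. What follows is an added example written for this page, not the poster's script, not the OT engineer's setup and not any EG4 code: the unit ID, register addresses and the constructed device reply are assumptions, and the function names are my own. It shows the three things a local, read-only poller needs: CRC-16 framing, strict checking of the reply, and a policy that refuses to ever emit a write function code, which is the software counterpart of the "RX pins cut" idea (the real wiring trick is still stronger, because software policy can be changed and a cut trace cannot).

```python
"""Modbus RTU framing for a read-only local poller (added example).

Not the forum posters' scripts and not any vendor's code: unit ID, register
addresses and the sample response are constructed. Shows CRC-16 framing,
strict reply parsing, and a refuse-all-writes policy.
"""
import struct

# Only read function codes may ever leave this poller.
READ_HOLDING = 0x03
READ_INPUT = 0x04
ALLOWED_FUNCTIONS = {READ_HOLDING, READ_INPUT}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_read_request(unit: int, function: int, start: int, count: int) -> bytes:
    """Build an RTU request frame; refuse anything that is not a read."""
    if function not in ALLOWED_FUNCTIONS:
        raise PermissionError(f"function 0x{function:02X} is not a read; refused")
    if not 1 <= count <= 125:
        raise ValueError("Modbus allows 1..125 registers per read")
    pdu = struct.pack(">BBHH", unit, function, start, count)
    return pdu + struct.pack("<H", crc16_modbus(pdu))   # CRC goes on the wire low byte first


def parse_read_response(frame: bytes, unit: int, function: int, count: int) -> list:
    """Check CRC, unit, function and length, then return the register values."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, crc_rx = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != crc_rx:
        raise ValueError("CRC mismatch")
    if body[0] != unit:
        raise ValueError(f"reply from unit {body[0]}, expected {unit}")
    if body[1] == function | 0x80:   # exception response: function code with high bit set
        raise ValueError(f"device returned exception code 0x{body[2]:02X}")
    if body[1] != function:
        raise ValueError(f"unexpected function 0x{body[1]:02X}")
    byte_count = body[2]
    if byte_count != 2 * count or len(body) != 3 + byte_count:
        raise ValueError("length field does not match the request")
    return list(struct.unpack(f">{count}H", body[3:]))


def constructed_response(unit: int, function: int, values: list) -> bytes:
    """Constructed device reply for offline testing; no real inverter is involved."""
    body = bytes([unit, function, 2 * len(values)]) + struct.pack(f">{len(values)}H", *values)
    return body + struct.pack("<H", crc16_modbus(body))


if __name__ == "__main__":
    req = build_read_request(1, READ_HOLDING, 0, 10)
    print("request:", req.hex(" "))   # the two trailing bytes are the CRC: c5 cd
    reply = constructed_response(1, READ_HOLDING, list(range(100, 110)))
    print("registers:", parse_read_response(reply, 1, READ_HOLDING, 10))
    try:
        build_read_request(1, 0x06, 0, 1)   # write single register: refused by policy
    except PermissionError as exc:
        print("blocked:", exc)
```

Wired to a real serial port, `build_read_request` is what the poller writes and `parse_read_response` is what it runs on every reply before publishing anything to MQTT; a reply that fails any check is dropped rather than half-trusted.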
 
I harvest and store my own data, and push a very simple webpage to an S3 bucket set up as a static webpage every minute: