diy solar

diy solar

Raw RS485/Modbus logs from SofarSolar and Growatt meters in Zero Export context?

fgerin

New Member
Joined
Jul 5, 2022
Messages
48
Location
Belgium, Europe
Hi,
I'm looking for some raw logs of RS485/Modbus communications between an inverter and its smart meter for both Sofar and Growatt hardware. (The most important for me is Sofar's hardware, since I'll have access to a Growatt one in August, thus will be able to record the logs myself.)
Both 1 phase and 3 phases are of interest for me, but highest interest/priority goes to Sofar 1p and Growatt 3p.


Context:
Zero Export feature of inverters requires a meter, which may be external and/or internal according to the make. Sadly, often the resellers just sell the inverter and there is no way to get the compatible meter... Great, really, especially when you get the information late after buying the hardware that you chose especially for that feature! Yet more when the maker also is non-cooperative at all, telling you to buy some smart meter that, in the end, is not compatible! No support, no reaction to mails or just some to send you towards no-exit directions, no matters the subsidiaries or HQ.

In the end, Growatt just uses the usual Eastron meters and Sofar uses Chint and Solarman meters. BUT, in both case they change the firmware of the meter, so that a genuine Eastron or Chint cannot work with the inverter. (Oops, we "forgot" to mention... So sad.)

On their side, Eastron like Chint were very cooperative, and I'm happy that my money went to those companies and not Growatt. But they have no knowledge or cannot disclose the information regarding the modifications from Growatt and Sofar.
After 1 year of endless attempts with Growatt and Sofar, despite being one of their customers, now I decided to hit back...

To sum up, they irritated me enough for me to write a software to bypass their smart meters and use any other make I have info for. Both Eastron and Chint are already implemented, thanks to their cooperation.
It is just RS485/Modbus, not rocket science, no room for "trade secret" there. Still, they continue to FU** us, their customers.
I just need the registers map they're using... I should be able to guess it quite easily if I can get some raw logs from a working system, preferably with matching info (amps, watts) at the same time as the logs are recorded, but it is not mandatory.
Also, since they implemented some traps, the logs should begin from the start of the inverter and then for several minutes at least. (>16min would be great, but I would already be happy with 5 minutes!)

If someone can provide me with this, it would be greatly appreciated. :)

Thanks a lot in advance!
 
Hi I'm interested to know if you got any further with this?

I have a Growatt inverter (MIN 3600 TLXE) and would like to activate export control dynamically via RS485 rather than with a clamp meter.

Using this project I've configured an ESP8266 with a MAX485 modbus interface and have it dumping data every 2 seconds to MQTT like this:

{ "status":1, "solarpower":446.8, "pv1voltage":102.0, "pv1current":0.0, "pv1power":9.4, "pv2voltage":206.9, "pv2current":1.9, "pv2power":437.4, "outputpower":433.2, "gridfrequency":50.04, "gridvoltage":243.8, "energytoday":3.6, "energytotal":217.5, "totalworktime":1257581.5, "pv1energytoday":0.0, "pv1energytotal":52.0, "pv2energytoday":3.7, "pv2energytotal":172.2, "opfullpower":0.0, "tempinverter":28.4, "tempipm":28.4, "tempboost":0.0, "ipf":20000, "realoppercent":0, "deratingmode":0, "faultcode":0, "faultbitcode":0, "warningbitcode":0 }

Now I would like write to the appropriate registers to activate export control as and when required.

Does that sounds like something that is possible?

Also did you see this already?

This part looks relevant but I've never written to registers before:

Screenshot 2022-08-25 at 17.18.35.png
 
Last edited:
Hi,
I do no catch the use case for this, but one important thing has to be considered: these settings are typically stored into an EEPROM or FLASH memory type, which both have a limited lifetime expressed in "count of writings"...
So, if you intent to automate this setup change, I believe it's because you expect to do it frequently, what would kill the memory "quickly". Probably not what you want! :)

The "correct" way to do something "similar" is to activate once the Zero Export setup, and then regulate it though the "power it reads"... This is the purpose of the software I'd like to finish. (I could not yet get access to the Growatt hardware, the person I'm targeting has not installed it yet, there is a little delay. But for the rest, I implemented the (theoretical) support for several meters yet, I will test this when possible + seek for protection from an open-source license because the makers will definitely not appreciate the release of this software.)

Thanks for the register map link. Yes I had access to it already. But take care that this RS485 channel is the one to communicate with the inverter itself. Like the data you retrieve from it, this is the one documented, the one that allows to know what the inverter "sees".
But this one is different from the RS485 communication between the inverter and an external elec-meter (by opposition to a clamp/transfo directly connected to the inverter). => This is the communication channel that I'm targeting, because I want to mimic a Growatt/Sofar elec-meter (that I cannot buy easily in my region) while using another brand (much more cooperative). And for this communication, they do not disclose their register map. Shame on them.

So, if you want to drive your inverter, I believe you want something similar to what I'm doing. So, I have to bring to your attention another subtlety: most inverters probably have a regulation algorithm based on a loop "reading what is exported/imported, then adapt the produced power, then read again to check the effect". This mean that you are forced to follow the real import/export, or the algorithm may become unstable, correcting far too much in one direction (exporting too much) or the other (blocking any production). => The real variations must be provided in a real-time approach, at the pace the inverter reads from the elec-meter. On top of these variation, My expectation is that it is possible to bring a "correction" that varies at a lower pace, thus influencing the production of the inverter without perturbating its functioning... But for now this is just the result of my analysis/understanding, it is not yet tested.

(With my software, which just acts as a gateway between one elec-meter from a brand and a mimicked other brand, the pace is respected because my software will wait for the request from the inverter and always reply directly with the last known real measurement from the real elec-meter behind, maybe at another pace but quickly enough not to influence the regulation algorithm that exists at the inverter side.)
 
OK I'm pleased that your mentioned the issue of too many writes to the EEPROM as I was planning to use this approach! I will try this anyway for a short time, just to see if it works.

I now have access to the inverter RS485 modbus using this project, I flashed a D1-Mini with the sketch, plugged it into the inverter's USB port and can read/write the registers successfully via MQTT, it works perfectly.

I will build a modbus interface for the export controller inputs and dump the registers, they may be very simple. Or did you do this already?

I have one other question. In the screenshot above it looks like you could enable register 122 option 3 "Enable CT clamp export limit" and directly attached a CT clamp to pins 5 and 6 to get realtime export control. But I'm not sure what the Growatt CT clamp specs are?

CT clamps can output voltage or ampage of different ranges. I wonder If we can directly control the input voltage to these pins and gain control over the export control by emulating the CT clamp.


portpins.png
 
For the Growatt, I can't tell about the CT. But for the Sofar, the specs look similar to the ones of APsystems: current 3000/1. (See attachment.)

You could be lucky to get the answer directly from Growatt if asking. But getting a reply will probably be more successful if asking to the local/regional entity, because the HQ always redirects.

For my case (Sofar), I finally bought a cheap (7€) 3000/1 CT on ebay for one installation, and an APsystems CT (11€) for another installation. For that cost, and given the high probability that Growatt uses the same, I would suggest to have a try.

NOTE: emulating the CT was also a direction that I considered at the beginning, but then abandoned because of the difficulty/time/precision to expect from the result. But I would be interested if someone manages to do it with an acceptable effort/precision. :)

EDIT - Reference of the cheap one I ordered: YHDC sct010
 

Attachments

  • SofarSolar - CT specifications.pdf
    103.7 KB · Views: 52
Last edited:
According to the manual here the Growatt MIN 3600TL-XE range requires a TOP_90-S10_SP4 CT clamp. Which outputs 0-90mA to the inverter. I'm experimenting with my ESP32's build in DAC to see if I can emulate the 0-32mA range.

On a related note, on page 27 of the Growatt manual above it reference the RRCR interface, I think is another way to explorer controlling export.
 
I'm interested to know regarding this emulation. Would be surprised to see a good result, but could be. It definitely deserves a try! :)

RRCR and DRM are possible fallback options. But I will probably go the DRM way as first choice since it allows to "adjust" the generated power, even if not comfortable at all. I consider this one better than RRCR since the latest as only fixed levels (0, 30, 60, 100%)

If I understand well the DRM8 operation, the "adjustment" logic I consider with the DRM would be:
- for a need of 0..50%, use DRM5 (0%) to stop generation, then increase with DRM8
- 50..75%, use DRM6 (50%), then increase with DRM8
- 75..100%, use DRM7 (75%), then increase with DRM8
Sadly, there is no DRM to decrease step by step in a similar way as DRM8 increases. Also, I suspect the DRM8 will be very slow, I think the pulse must be around 2s long... That's why this is really a fallback option for me.

Both the SofarSolar and the Growatt inverters implement the same DRM levels. (As well as the RRCR levels, as per standard most probably.)
 
Just saw this on another thread thought it might be helpful to someone looking here, all credit to Philos:-

"Turns out that not all EASTRON SDM630 Modbus V2 are equal.
Standard meter outputs data over Modbus on adress 001, Growatt uses Adress 002
So long press the lowest button, pincode is 1000 long press again, use the up ad down buttons till you find adress, long press the lowest button again, use the buttons to change the number to 002 long press again to save. Now the standard SDM630 can talk to Growatt.
Hope this helps someone in the future. So many questions here without resolution..."
 
Just saw this on another thread thought it might be helpful to someone looking here, all credit to Philos:-

"Turns out that not all EASTRON SDM630 Modbus V2 are equal.
Standard meter outputs data over Modbus on adress 001, Growatt uses Adress 002
So long press the lowest button, pincode is 1000 long press again, use the up ad down buttons till you find adress, long press the lowest button again, use the buttons to change the number to 002 long press again to save. Now the standard SDM630 can talk to Growatt.
Hope this helps someone in the future. So many questions here without resolution..."
Thanks for the info. I'm surprised, but will have a try when I'll have access to that setup. (For now the installation I expected to test is not yet finished, the owner is not really motivated tio speed up anymore. :-/)
 
Not sure if it's still relevant but I'm in the alpha stage of an Eastron emulator. The goal is to give you fine grained export control rather than letting the meter dictate everything.

Thanks for sharing. On my side I still have to protect the soft through the open source license stuff, probably for this winter.
 
Just saw this on another thread thought it might be helpful to someone looking here, all credit to Philos:-

"Turns out that not all EASTRON SDM630 Modbus V2 are equal.
Standard meter outputs data over Modbus on adress 001, Growatt uses Adress 002
So long press the lowest button, pincode is 1000 long press again, use the up ad down buttons till you find adress, long press the lowest button again, use the buttons to change the number to 002 long press again to save. Now the standard SDM630 can talk to Growatt.
Hope this helps someone in the future. So many questions here without resolution..."
sorry @ee99rsp i have an issue with my Min 6000tl-hx and the smartmeter chnt ddsu66. I find this reply and i think it could help me. I set 002 on smartmeter address, according to your suggestion, but the question is: have i change the address in the inverter too? now is setup as 001.
many thanks.
 
@nikodezzo On my side I still have no access to the needed hardware to test, but I can anyway tell that:
- the master (inverter) has to point to the correct address of the slave (meter). Thus, if you change one, you have to adapt the other.
- the trick mentioned regarding the SDM630 is definitely a custom trick, there are very few chances that it works with other hardware. Nevertheless, it deserves a test, since those guys love to spend time wasting ours.
- I would be very surprised that it works with a standard meter to be addressed 2. The trick, if it exists, can only be done by the maker/rebrand, not on the standard/genuine version. So, a modified SDM630 from Growatt could possibly adopt the normal/standard behavior when the address is changed, but a standard SDM630 will not speak the Growatt-specififc protocol. If your Chint is from Growatt, there is a chance they made the same trick. But if it is a genuine, I would be very surprised they agreed between Growatt and Chint for that.

My 2 cents... Still waiting an opportnity to test. I'll come back on the forum if I find more.
 
Greetings.

Interesting topic! I've done a similar thing for Solis, code is there: https://github.com/peufeu2/GrugBus

Off the top of my head some stuff that could be useful:

The inverter supports two meter placement settings: grid, or load. On "grid" setting, the meter measures total power of house+inverter, so the inverter uses an integration and feedback algorithm to keep exported power to zero. On "load" setting it is much simpler since the meter
only measures power used by the house. In this case, to compensate power used by the house, the inverter simply outputs whatever power is reported by the meter, so this allows direct control without headaches. Unfortunately the Solis applies an absolute value to the power in this mode so it cannot be used to control battery charging.

To reverse engineer the registers in a meter I didn't have (Acrel) I simply setup a fake meter modbus server, and set the value of each register to its own address multiplied by 100. Then I had the inverter query this fake meter, and looked on the display of the inverter, and it said "grid voltage 110 volts". So, this means voltage is in register 11 with units of 0.1 volts. Then it said "Current 12.00A" so current is in register 12 with units of 0.01A. If you get garbage with Int16, try with floats too.

If you want the register map for Acrel and Eastron, it's in the above link, in devices folder.
 
Thank you for sharing! Interesting indeed. :)

The MITM is one approach, passive spying is another. Since my last comment I published a first tool here, acting as a master for now. A passive/spy mode will be added soon.
I may easily add support for other meters... I could add the Solis quickly thanks to the register map, but I have no hardware to test/validate.

The more powerful and complementary tool that I expect to publish ASAP still needs the Growatt missing piece before disclosure. This is where the MITM or spying is the most relevant. It will come, once I'll get access to my neighbor's installation... But he doesn't catch the interest yet, so is quite slow for the installation. :-/
 
Oops I posted the above in the wrong thread ;)

If you have a growatt inverter but not the meter you can do the register number hack I described above, it worked fine for reverse-engineering Acrel meter without documentation. But... if the inverter expects a secret serial number register, it won't work of course.
 
Wow
Very impressive you guys can deconstruct how this stuff communicates to adapt it to something else
 
GREAT project, I have a Growatt mod 3000tl3-x, and would like to control the output via Modbus, I already have a Shelly 3EM connected to my home assistant, so I have the data, just need to deliver them to my inverter.
Today I connected a Recorder to the RS485 port for the smart meter connection, I have attached the log, can that help?
 

Attachments

  • Communication log.txt
    22.7 KB · Views: 33
Here's what your log says:

Read Input Registers address 0 len 18
TX 13:23:33.658 Illegal Function 4
Read Holding Registers address 8192 len 16
Read Holding Registers address 6 len 2
Read Input Registers address 0 len 14
Read Input Registers address 0 len 18

After that it repeats.

I guess you don't have a smartmeter connected?
 
Back
Top