Enphase Data Access

I have been using Enphase inverters and their "Envoy" Energy Management Unit (EMU) since summer, and I am very happy with their performance. I'm not as happy with access to the data in the unit.

The EMU provides a very limited display of data through a local web interface, and a somewhat more complete one at their web site. I'd like to go beyond this and analyze the data the box is collecting in more depth.

There must be some other management or diagnostic interface to the EMU. Does anyone know how to get in that door? I'm willing to do HTTP, telnet, FTP, or whatever works.

I can see that there's a SQLite database on the box - I'd love to just get directly to those tables and generate my own reports.

Thanks!
«134567

Comments

  • dwhdwh Solar Expert Posts: 1,341 ✭✭✭
    Re: Enphase Data Access

    Haven't seen one myself but...

    You say it has a built-in web interface - then it's running a web server daemon. I would start out by running Nmap on it and see what ports it listens on. I would also run a Snort and take a look at the communications between the Envoy and the Enphase web site.

    It's quite possibly running a micro-Linux.

    I doubt there is a whole lot of encryption to deal with, so it's quite possible that with enough analysis you can find a way directly into the Envoy's OS. It may be running a telnetd or an sshd as well as the httpd.
  • Solar GuppySolar Guppy Solar Expert Posts: 1,959 ✭✭✭
    Re: Enphase Data Access

    I wouldn't be so sure it plain text vs encrypted ...Enphase is selling the harvesting and display as a monthly fee and I haven't read of any open access for there system
  • System2System2 Posts: 6,290 admin
    Re: Enphase Data Access

    Thanks for the responses. The Envoy is running some sort of small Linux, but so far it has rejected my attempts to FTP or Telnet.

    I'm downloading Nmap right now, and I'll share what I find.

    As for the encryption, I wouldn't be surprised of Solar Guppy is right. I don't mind paying for their services such as the ability to send notifications automatically. On the other hand, it's my array and I paid for the Envoy - I think the data about my array's performance should be open to me.
  • BB.BB. Super Moderators Posts: 26,758 admin
    Re: Enphase Data Access

    Your best position is to negotiate before paying for the system... If a bunch of people refused to buy the system until the protocol went open-source, perhaps they would change.

    On the other hand, the website moneys are probably an important profit motive for them too.

    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • mike95490mike95490 Solar Expert Posts: 7,249 ✭✭✭✭
    Re: Enphase Data Access
    Velo Steve wrote: »
    Thanks for the responses. The Envoy is running some sort of small Linux, but so far it has rejected my attempts to FTP or Telnet.....

    Hmm, I'm wondering if they are using open source s/w, and not following the os rules.... maybe that's a lever to prod them with. You'd think the goodwill they get with being really open, with the 2% who will go all ga-ga with personal use of the data from their bought and paid for arrays (any disclaimer that you are signing away your data rights?) should overwhelm the 90% HTML challenged that will continue to buy data logging.
    Powerfab top of pole PV mount | Listeroid 6/1 w/st5 gen head | XW6048 inverter/chgr | Iota 48V/15A charger | Morningstar 60A MPPT | 48V, 800A NiFe Battery (in series)| 15, Evergreen 205w "12V" PV array on pole | Midnight ePanel | Grundfos 10 SO5-9 with 3 wire Franklin Electric motor (1/2hp 240V 1ph ) on a timer for 3 hr noontime run - Runs off PV ||
    || Midnight Classic 200 | 10, Evergreen 200w in a 160VOC array ||
    || VEC1093 12V Charger | Maha C401 aa/aaa Charger | SureSine | Sunsaver MPPT 15A

    solar: http://tinyurl.com/LMR-Solar
    gen: http://tinyurl.com/LMR-Lister ,

  • RandomJoeRandomJoe Solar Expert Posts: 472 ✭✭✭
    Re: Enphase Data Access

    The only way they would be violating open source rules is if they have modified the source code that was already GPL and refuse to offer the code. They aren't violating anything if they build their own code on top of - and separate from - the underlying OS. I really don't see that their application would require much kernel-level drivers or customized software... (Except perhaps for however it communicates with the panels themselves. How do they do that?) In the end, all they have to do is offer the source code - that still won't help if they're actually using a decent encryption protocol.


    To the original question, does the basic web interface provide the necessary data, you just need to get it into a computer? If so, worst-case just compose a screen-scraping script to connect periodically to the EMU pages and pick the desired values out of the supplied pages. I'd use Python, since that's what I know, but Perl is quite adept at text processing.

    If they don't provide all available data through the local interface, I'd be pretty ticked. Paying them to massage the data and make it look pretty / more useful is one thing, having to pay them to gain access to the full data set at all is more than I'm willing to do.
  • GreenerPowerGreenerPower Solar Expert Posts: 264 ✭✭✭✭✭✭
    Re: Enphase Data Access

    You can plug the Envoy and a PC to an ethernet hub (not a switch) and up link the hub to your gateway router. You can see what's its IP from your gateway router. You can run Ethereal et al on the PC and filter only to monitor messages to/from the Envoy IP address to their server. This way it might give you an idea what kind of comm protocol, port they are using. If it is not encrypted, maybe you can tell what kind of data.
    GP
  • System2System2 Posts: 6,290 admin
    Re: Enphase Data Access

    A little more info...
    - The OS is reported as "Linux 2.6.9 - 2.6.28"
    - Open ports include 22 (SSH), 80 (HTTP), 120 (CFDPTKT), 123 (NTP v4), 1020, 1065(SYSCOMLAN), and seven 5-digit port numbers.
    - The SSH port seems to act normally, but I don't know a name or password.
    - Port 80 is of course where the user interface is, but I haven't tried the other ports.

    Responses to some items from RandomJoe:

    I got Ethereal (actually the newer Wireshark), but I can't see packets between arbitrary addresses. Maybe I'm missing something, but I only see broadcast information and packets where my PC is the source or destination.

    I can get syslogd info from the router, but of course that doesn't have the actual data. Maybe I need a real sniffer, but the harder I look the more I suspect that the data is encrypted.

    There's not enough information on the local interface for screen-scraping to do any good. I used to have per-panel output numbers, but they even deleted that in a recent "upgrade". I can get that data from their web site, but it seems really silly to go to them for a delayed, watered down version of what is already in a little database right here in my house. At least it would allow me to make the information persistent. Enlighten (their site) provides some very nice graphs, but they are only available for as long as they choose. I can't (for example) compare a typical day's output curve from June 21 versus December 21. With control over the data I could see what I want when I want.

    Of course BB. is right - I could have tried to make full data access a contractual obligation before I bought. I made the mistake of asking the person I bought from, who was knowledgeable about panels and inverters, but not about data.


    Steve
  • dwhdwh Solar Expert Posts: 1,341 ✭✭✭
    Re: Enphase Data Access

    I did take a look at some info on the Enphase site and it says the Envoy establishes two outbound connections - one for NTP to get current time, and one HTTPS to upload to the Enphase web site.

    So the uploaded data is being sent over that encrypted link on 443. There are ways to capture and analyze that stream.


    Since it's listening on 22, you can brute force it there. As small as it is, it's pretty much guaranteed it won't be uploading anything about failed login attempts. But since you can see the syslogd info, you can check that before you try. The docs don't mention it establishing an outbound syslogd connection, so you could block that at your router if need be.

    You won't crack SSH, but you can definitely brute it - and I bet there is a single default password used by every Envoy unit out there.

    Of course, it might be worthwhile to just go ahead and try logging in with "admin/password". (It works on some Linksys boxes :D )

    I got Ethereal (actually the newer Wireshark), but I can't see packets between arbitrary addresses. Maybe I'm missing something, but I only see broadcast information and packets where my PC is the source or destination.

    Yea, that's a problem with sniffing on switched networks. Even if your card is in promiscuous mode, the switch isn't routing packets down the wire to it. You can *sometimes* get around that with a handy little thing called a "gratuitous arp".

    Some switches (big expensive ones with their own OS) can be configured to echo all traffic for Port X to also be sent to Port Y for diagnostic purposes...but small switches rarely can do that.

    You might have to set your PC up as a router (in Windows it's called connection sharing - (NT used to properly call it routing)) between the Envoy and your router so that you can grab the packets as they pass through (man in the middle).


    As for full data access - if you bought it instead of leasing it, then if you so choose, you can beat on it with a hammer...or a packet analyzer. :D
  • RandomJoeRandomJoe Solar Expert Posts: 472 ✭✭✭
    Re: Enphase Data Access
    Velo Steve wrote: »
    There's not enough information on the local interface for screen-scraping to do any good. I used to have per-panel output numbers, but they even deleted that in a recent "upgrade".

    Okay, now that right there would tee me off! Hack away! :cool:

    I'm sure they feel it's covered in some lousy excuse for an EULA, but removing functionality AFTER the sale just doesn't sit with me. Besides, if it's my hardware odds are good I'm going to play with it just because it's there! :p

    As dwh mentions, I'd put the PC between the Envoy and the network. All packets must pass through, which gives you great control. You'd then be able to see the entire data stream, there are a variety of fun ways to manipulate that. (Maybe set up your own web server and redirect all connects to Enphase there? See what it says or tries to say? Could subsequently proxy everything on through to make it transparent.)

    But yeah, getting the ssh user/pass would probably be the most useful method - assuming remote passwords are still enabled. It's possible they have password logins disabled and are using PKI there as well...

    One piece of hardware we used to install for web access to HVAC systems used a removable flash card for the "hard drive" on a single-board computer. I was able to get root access by popping the flash card into a PC and editing the /etc/shadow file to reset root's password. (At that point you could also change how sshd is configured.) I'm sure most systems like this use soldered-in flash now though. And of course any future "updates" from Enphase would put you back to square one - or worse...
  • System2System2 Posts: 6,290 admin
    Re: Enphase Data Access

    I'm surprised you all haven't just opened up the Envoy to see what's inside. I opened my Emu (old version) and discovered Enphase is using an Embedded Arm TS-7800. Obtaining root was as easy as switching the boot-from-sd-card jumper, booting a generic arm linux distro, and installing an ssh key in the flash. Enphase uses crypto (https) for uploading your data to their web site, so you may not get very far with man-in-the-middle attacks. Really, your best bet is to crack the case and figure out how to boot the device using an alternate boot image. Some quick stats for those who are interested:

    [11:07:12][ts7000:~$] uname -a
    Linux ts7000 2.6.21-tsx-ee187 #1 PREEMPT RT Wed Sep 10 23:29:50 PDT 2008 armv5tejl unknown
    [11:07:23][ts7000:~$] df
    Filesystem 1k-blocks Used Available Use% Mounted on
    /dev/mtdblock3 3963 1706 2257 43% /initrd
    none 63316 76 63240 0% /dev
    /dev/mtdblock3 515968 53228 462740 10% /
    [11:11:32][ts7000:~$] top
    top - 11:13:26 up 48 days, 20:48, 1 user, load average: 1.90, 1.71, 1.68
    Tasks: 51 total, 2 running, 49 sleeping, 0 stopped, 0 zombie
    Cpu(s): 20.5%us, 6.8%sy, 0.0%ni, 72.6%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
    Mem: 126636k total, 80540k used, 46096k free, 4096k buffers
    Swap: 0k total, 0k used, 0k free, 17780k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    19889 root 20 0 4476 2548 1160 R 22.0 2.0 0:00.67 ruby
    707 root 20 0 15352 5308 1376 S 3.0 4.2 1814:51 ruby
    19707 root 20 0 2492 1144 900 R 1.3 0.9 0:02.35 top
    762 root 20 0 72772 3748 2108 S 0.7 3.0 549:16.18 emu
    19119 root 20 0 4380 2004 1568 S 0.3 1.6 0:00.54 sshd
    1 root 20 0 1628 584 512 S 0.0 0.5 0:00.47 init
    ...
  • andymanandyman Solar Expert Posts: 32
    Re: Enphase Data Access

    Has anyone else tried this? I don't see the jumper on my version of the envoy so I can't get it to boot to the SD.
  • System2System2 Posts: 6,290 admin
    Re: Enphase Data Access

    Hi guys, this is my first posting. I read this thread, and I have no understanding of how you are going totry to get the information out of the envoy. Way beyond my knowledge of computers. But I did call the tech support department, and asked them for the username and password to log into administration. They are, "admin/admin" when I asked why this was not in the destruction manual they said that people will change the password and not tell them and then they cannot access the modules to make changes if they notice some thing is not right. I hope this helps you guys out in your quest to extract the info from the Envoy.
    Regards from sunny and windy ARUBA:D
  • RandomJoeRandomJoe Solar Expert Posts: 472 ✭✭✭
    Re: Enphase Data Access

    If that actually gets you the access needed, then great. However, with all Linux-based systems I've ever messed with, an account called "admin" would be a user account that was created by the manufacturer. It may or may not have full access to the entire device. (One device I worked on, logging in with 'admin' automatically ran a configuration program without shell access. Exit the program and you're back at the login prompt.)

    The password I'd be after is the "root" password. Username 'root' would be the ultimate superuser account, with full access to everything.

    It may be possible they even modified this, but the few embedded Linux devices I've worked with all did it this way.
  • dreesdrees Solar Expert Posts: 481 ✭✭✭
    Re: Enphase Data Access

    The EMU does have SSH enabled, and I tried a bunch of common username/passwords but was still unable to log in.

    The admin/admin did work to get into the admin section, though.
  • solarvicsolarvic Solar Expert Posts: 1,041 ✭✭✭
    Re: Enphase Data Access
    sunxxpress wrote: »
    Hi guys, this is my first posting. I read this thread, and I have no understanding of how you are going totry to get the information out of the envoy. Way beyond my knowledge of computers. But I did call the tech support department, and asked them for the username and password to log into administration. They are, "admin/admin" when I asked why this was not in the destruction manual they said that people will change the password and not tell them and then they cannot access the modules to make changes if they notice some thing is not right. I hope this helps you guys out in your quest to extract the info from the Envoy.
    Regards from sunny and windy ARUBA:D
    Sounds like a limp excuse. I play around with satelite receivers and they all have a master password. Glad I know that now. Good enough reason for me not to buy one. S:Dlarvic
  • andymanandyman Solar Expert Posts: 32
    Re: Enphase Data Access

    Ok let me try this a different way. Anyone got the older enphase available? I'll buy it from you so I can get into it. U can use the money to buy the newer unit. I believe the older enphases do have the jumper (big square box)..


    andy
  • sandeensandeen Solar Expert Posts: 47 ✭✭✭
    Re: Enphase Data Access

    Ooh, fun thread. Hopefully I'll be set up with one of these soon-ish and can help with the hacking.

    Their enlighten site looks good an I'm happy to pay for it, but I want my own data access too.

    Note: if they're running GPL software inside and they don't tell you that, that alone violates the GPL.
    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
    <snip>
    1. You may copy and distribute verbatim copies of the Program's
    source code as you receive it, in any medium, provided that you
    conspicuously and appropriately publish on each copy an appropriate
    copyright notice and disclaimer of warranty; keep intact all the
    notices that refer to this License and to the absence of any warranty;
    and give any other recipients of the Program a copy of this License
    along with the Program.

    Usually a polite reminder is all that's required, though. Accusations of license violation don't build good will. (And for all I know it's somewhere in the docs; I will see when I get set up).
  • dreesdrees Solar Expert Posts: 481 ✭✭✭
    Re: Enphase Data Access
    sandeen wrote: »
    Note: if they're running GPL software inside and they don't tell you that, that alone violates the GPL
    Since it's been confirmed that it's running a Linux kernel - that's a given. Who wants to ask them for the source code for the GPL bits first? :D

    BTW - sandeen, does your first name happen to be Eric?
  • andymanandyman Solar Expert Posts: 32
    Re: Enphase Data Access

    Well i'm close but so far away. I've learned they are running redboot for the bootstrapper. I got my serial console hooked up to the console port (115200 baud 8N1 no parity).. For some odd reason ctrl-c never reaches redboot so I can't break out of the boot cycle. If i can do that I can simply boot another os from the network or tell the damn thing to boot into single user mode... Anyway I'm sure I'll eventually get it.. If anyones got ideas please... I've tried 3 diff os and nothing. You can also telnet to the enphase at port 9000 during a short window of bootup during the redboot boot cycle. But that doesn't seem to help me either. I must be doing something wrong.






    FEC: [ FULL_DUPLEX ] [ disconnected ] [ 100M bps ]:
    No RedBoot partition table detected in NAND 512MiB
    ... waiting for BOOTP information




    RedBoot(tm) bootstrap and debug environment [ROMRAM] 10 Dec 2004: I cache: 16384 bytes, associativity 4,
    Non-certified release, version FSL 200834 - built 16:12:28, Jul 29 2009icee timeout: 256 µ
    CPU0: D cache: 16384 bytes, a
    hub 1-0:1.0: USB hub

    Platform: Envoy (Freescale i.MX27 based) PASS 2.1 [x32 SDR]red new in
    Typical full b
    Re
    Initializing USB Mass Storage
    Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc. registered new interface driver
    MXC MMC/SD driver = 133
    ... Read from 0x0fee0000-0x0feff000 at 0xc07e0000: .ing timer interrupt.ice 80x30isteredb
    Erase Region
    ... Read from 0x00100000-0x00300000 at 0xc0040000: ................amily 1: irq 56, i
    usb:
    mxc_nor_flash.0
    NET: Registered protocol f
    RedBoot> exec -c "console=ttymxc0 root=/dev/mtdblock4 rootfstype=yaffs2 init=/sb/Sharp Extended Query Table at 0x010
    RPC: Registered tcp transport module.2 (ord
    in/init fec_mac=00:1D:C0:01:A

    CPU0: D VIVT write-back cachenected ] [ 100M bps ]:mxcintu
    CPU0: I cache: 16384 bytes, associativity 4, 32 byte lines, 128 setsformationnew
    RAMDISK driver in
    0x007ff000
    Ethernet mxc_fec: MAC add
    CPU0: D cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
    IP: 192.168.20.10/255.255.255.0, Gateway: 192.168.20.1c
    TCP bind ha
    Real-Time Preemption Support (C) 2004-2007 Ingo Molnarr: 192.168.20.1Cread-only11: Copy
    UA
    MXC MT
    Ethernet F
    Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65024i
    Clock input: 26 MHzale MXCV 8-bi
    TCP r
    Enphase Part Number: 590-00013-r0
    Kernel command line: console=ttymxc0 root=/dev/mtdblock4 rootfstype=yaffs2 init=0
    usb: DR host (usb3317)


    RedBoot(tm) bootstrap and debug environment [ROMRAM]F
    /sbin/init fec_mac=00:1D:C0:01:A9:47d precision)T
    Non-certified release
    MXC IRQ initialized - built 16:12:28,
    PID hash table entries: 1024 (order: 10, 4096 bytes) 98h0: etherne
    JFFS2 version

    Platform: Envoy (Free
    MXC GPT timer initialized, rTUN/TA


    in/init fec_mac=00:1D

    entry=0xa0008000, target=0xa00080003 spi
    usbcore: registered new device driver usbddress 0x00100000 and length 0x00200000
    F
    NET: Registered protocol family 2P device driver
    Uncompressing Lin
    IP route cache hash table entries: 2048 (order: 1, 8192 bytes) <maxk@qualcomm.com> H
    e
    Max. bytes in buffer write: 0x40MXC M
    TCP established hash table entries: 8192 (order: 4, 65536 bytes) done, booting the kernel.Q
    Erase Region #0: BlockSize 0x8
    MXC
    TCP bind hash table entries: 8192 (order: 6, 262144 bytes)e404 (dhowson@dhowson-lnx) (gcc version 4.1.2) #1 PREEMPnd
    TCP: Hash tables configured (established 8192 bind 8192)mxc_nor_flash.0: Foun
    T RT Fri Jun 5 16:34:17 PDT 2009e
    TCP reno registered: Register
    CPU: ARM
    MX27: Power management module initializeed Query Ti

    mxcintuart.4: ttymxc4 at MMIO 0x1001b000 (irq = 49) is a Freescale MXC2:28, Jul 29 2009lo
    )c
    nan
    0x007ff000-0x00800000 : "RedBoot con
    mxc_no
    mxcintuart.5: ttymxc5 at MMIO 0x1001c000 (irq = 48) is a Freescale MXCx32 SDR]tart on an erase block boundary
    Intel/Sharp Extended Query
    Co
    RAMDISK driver initialized: 2 RAM disks of 40960K size 1024 blocksizeExtended Query Table at 0x010A 2.1put: 2
    Copyright (C) 2003, 2004, 20
    loop: module loaded Limiteduery Table
    FEC ENET Version 0.2,8V 8-bitng 1 MTD pa
    fec: PHY @ 0x1f, ID 0x0007c0c4 -- LAN8700200-0x0fed1000] available)
    )o
    nand_read_
    eth0: ethernet 00:1d:c0:01:a9:47nded Query T
    FLASH: 0xc0000000 -
    tun: Universal TUN/TAP device driver, 1.6 each.er write methodNAND 512MiB 1,8V 8-b
    tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>pt in 1.000 seconds
    Platform: Envoy (Freesca


    Vcc Maximum: 2.0 VIS dir
    in/init fec_
    Vpp Minimum: 8.5 V7"ck -- force read-
    Vpp Maximum: 9.5 Vtry=0xa0008000, tar
    Typical byte/word write timeout: 256 µs00:
    0x00
    Using base address 0x00100000 a
    Maximum byte/word write timeout: 512 µs #1
    mtd: partition "RedBoot co
    Uncompres
    Typical full buffer write timeout: 512 µs............................
    RedBoot> exe

    Maximum full buffer write timeout: 1024 µsad-onlyuting

    MXC


    RedBoot(tm) bootstrap and debug env
    Intel/Sharp Extended Query Table at 0x010A EHCI 1.00, driver 10 Dec
    Non-certified rel
    Intel/Sharp Extended Query Table at 0x010Aul 29 2009
    usb usb1: configuration #1 chose
    Using buffer write methodght (C) 2004

    Platform: E
    cfi_cmdset_0001: Erase suspend on write enabledsetsC: [ FULL_DU
    hub 1-0:1.0: 1 port detected..
    Searching for RedBoot partition table in mxc_nor_flash.0 at offset 0x7e00002123 spi1.0: setting system c
    usbcore: registered
    Copyright (C) 2003, 2004,
    4 RedBoot partitions found on MTD device mxc_nor_flash.04
    USB Mass Storage support re

    RAM: 0x00000000-0x0ff000
    Creating 4 MTD partitions on "mxc_nor_flash.0":rface driver libusualdblock4 rootfstype=yaf
    mmc
    0x00000000-0x00040000 : "RedBoot", 64 blocks of 0x00020000 bytes e
    0x00040000-0x00240000 : "kernel"_mac=00:1D
    pcf2123 spi driverver
    0x007e0000-0x007ff000 : "FIS directory" secondsered pcf2123 as rtc0t 0xc07e00l
    +++... Read from 0x0fee0000-0x0ff0
    fsl-ehci fsl-ehci.0: Freescale On-Chip EHCI Host Controllerght (C) 2003, 20
    ... Read from 0x0fed3000-0x0fed4000 at 0xc
    fsl-ehci fsl-ehci.0: new USB bus registered, assigned bus number 1 [ FULL_DUPLEX ] [ disconnected ] [ 100M bps ]: from 0x0fed3000-0x
    fsl-ehci fsl-ehci.0: irq 56, io mem 0x10024000r BOOTP information000, 64 blo
    FEC: [ FULL_DUP
    fsl-ehci fsl-ehci.0: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004e
    in/init fe
    usbcore: registered new interface driver libusual
    mice: PS/2 mouse device common for all mice
    pcf2123 spi driver
    pcf2123 spi1.0: rtc core: registered pcf2123 as rtc0
    MXC WatchDog Driver 2.0
    MXC Watchdog # 0 Timer: initial timeout 60 sec
    MXC MMC/SD driver
    mxcmci-0 found
    oprofile: using timer interrupt.
    TCP cubic registered
    NET: Registered protocol family 1
    NET: Registered protocol family 17
    RPC: Registered udp transport module.
    RPC: Registered tcp transport module.
    ieee80211: 802.11 data/management/control stack, git-1.1.13
    ieee80211: Copyright (C) 2004-2005 Intel Corporation <jketreno@linux.intel.com>
    Envoy Post Initialization
    pcf2123 spi1.0: setting system clock to 2010-04-09 02:06:11 UTC (1270778771)
    yaffs: dev is 32505860 name is "mtdblock4"
    yaffs: passed flags ""
    mmc0: new SD card at address 867d
    mmcblk0: mmc0:867d SU02G 1931264KiB
    mmcblk0: p1
  • dreesdrees Solar Expert Posts: 481 ✭✭✭
    Re: Enphase Data Access
    andyman wrote: »
    Well i'm close but so far away.
    FEC: [ FULL_DUPLEX ] [ disconnected ] [ 100M bps ]:
    No RedBoot partition table detected in NAND 512MiB
    ... waiting for BOOTP information
    
    Hmm, I wonder if you set up the right BOOTP server you could get it to boot an alternate image?

    While I've got a good deal of Linux experience (been using it for almost 15 years!) I haven't done any embedded Linux work like this.
  • andymanandyman Solar Expert Posts: 32
    Re: Enphase Data Access

    No.. It won't tftp a new image unless you can pass redboot the commands to do it. The bootp that you see initially is just a very low level telnet server redboot sets up on port 9000 for low level debug access. You still need to hit ctrl c to get into redboot. Problem is Enphase decided to make the bootup time 1 second and somehow disabled ctrl -c ..

    If i can get to the redboot prompt i could just do this:

    load -r -b 0x100000 /tftpboot/zImage
    exec -b 0x100000 -l 0x200000 -c "noinitrd console=ttymxc0,115200 root=/dev/nfs nfsroot=10.29.244.99:/tftpboot/rootfs init=/linuxrc ip=10.29.241.6:10.29.244.99"


    My life would be a lot easier if someone can just let me borrow their old Envoy unit (big square box, not the little one) for a day.

    andy
  • ag4wakeag4wake Registered Users Posts: 18
    Re: Enphase Data Access

    I believe that's normal with redboot, you have around 2 seconds to telnet to the port 9000 and then press Ctrl-C to get access to it.


    while ! ping -W 1 -c 1 192.168.0.1 2>&1 >/dev/null; do true; done && telnet 192.168.0.1 9000

    once it connects hit Ctrl-C (of course put your IP addr in there instead)

    There's a bunch of other ways to do it also shown at http://www.nslu2-linux.org/wiki/HowTo/TelnetIntoRedBoot
  • dak664dak664 Registered Users Posts: 13
    Re: Enphase Data Access

    I'd spring for an enphase unit or two to make more efficient use of some 75 watt panels after all my batteries are charged. Given I already have the panels I'd expect the payback from the dollar-a-watt inverter to be positive over its lifetime. But the energy management unit at $350 kills any payback if used with just one or two panels.

    It appears they communicate using Ariane’s PLM-1 modem http://www.enphaseenergy.com/downloads/Enphase_Ariane_Release_021009.pdf for which an evaluation kit and source library is available http://www.arianecontrols.com/firmware.php. Wonder if anyone is interested in trying to figure out the protocols and talk directly to the inverter?
  • sandeensandeen Solar Expert Posts: 47 ✭✭✭
    Re: Enphase Data Access
    drees wrote: »
    Since it's been confirmed that it's running a Linux kernel - that's a given. Who wants to ask them for the source code for the GPL bits first? :D

    BTW - sandeen, does your first name happen to be Eric?

    Somebody should ask; probably best if its' a customer, and I'm not (yet).

    Yes, my first name happens to be Eric :)
  • dreesdrees Solar Expert Posts: 481 ✭✭✭
    Re: Enphase Data Access
    sandeen wrote: »
    Somebody should ask; probably best if its' a customer, and I'm not (yet).
    So far my questions to support have been pretty much ignored or danced around (it has been combined with other support questions). I may have to open a direct ticket.
    sandeen wrote: »
    Yes, my first name happens to be Eric :)
    Found your home page - appears that you are the Sandeen I suspected you were :) - I lurk on LKML. Looks like you have some interesting blog posts regarding Linux & power, will have to read them.
  • solar_davesolar_dave Solar Expert Posts: 2,329 ✭✭✭✭
    Re: Enphase Data Access

    If you can get on the box with admin/admin, just copy off the shadow file and start a brute force crack against the root hash.

    Not going into cracking details here but lots of tool around to do this.
  • Ralph DayRalph Day Solar Expert Posts: 871 ✭✭✭
    Re: Enphase Data Access

    Boy, this thread has me remembering Jordi LaForge talking about the Enterprise systems in Star Trek Next Generation...incomprehensible, but entertaining :D

    Ralph

    I follow it because I have 52 Enphase inverters in my basement waiting for installation in a 10kw microFIT feed in tariff...
  • andymanandyman Solar Expert Posts: 32
    Re: Enphase Data Access

    Thats exactly my plan. Take a dump of shadow and brute it. Problem is getting in first. The person who got into it did it because he had the older unit that allowed bootup from an alternative flash. Enphase disabled this ability or atleast I haven't figured it out yet. So no shadow at this time.

    I did however discover the 20pin JTAG interface on the board. I am simply going to dump the contents of the flash and see if I can mount the filesystem that way. Just waiting for the JTAG programmer to arrive.

    andy
  • solar_davesolar_dave Solar Expert Posts: 2,329 ✭✭✭✭
    Re: Enphase Data Access
    andyman wrote: »
    Thats exactly my plan. Take a dump of shadow and brute it. Problem is getting in first. The person who got into it did it because he had the older unit that allowed bootup from an alternative flash. Enphase disabled this ability or atleast I haven't figured it out yet. So no shadow at this time.

    I did however discover the 20pin JTAG interface on the board. I am simply going to dump the contents of the flash and see if I can mount the filesystem that way. Just waiting for the JTAG programmer to arrive.

    andy


    Does that other person have a copy of his shadow file? bet the hashes have not changed.
«134567
Sign In or Register to comment.