Enphase Data Access

Re: Enphase Data Access

I wouldn't be so sure it plain text vs encrypted ...Enphase is selling the harvesting and display as a monthly fee and I haven't read of any open access for there system

Re: Enphase Data Access

The only way they would be violating open source rules is if they have modified the source code that was already GPL and refuse to offer the code. They aren't violating anything if they build their own code on top of - and separate from - the underlying OS. I really don't see that their application would require much kernel-level drivers or customized software... (Except perhaps for however it communicates with the panels themselves. How do they do that?) In the end, all they have to do is offer the source code - that still won't help if they're actually using a decent encryption protocol.


To the original question, does the basic web interface provide the necessary data, you just need to get it into a computer? If so, worst-case just compose a screen-scraping script to connect periodically to the EMU pages and pick the desired values out of the supplied pages. I'd use Python, since that's what I know, but Perl is quite adept at text processing.

If they don't provide all available data through the local interface, I'd be pretty ticked. Paying them to massage the data and make it look pretty / more useful is one thing, having to pay them to gain access to the full data set at all is more than I'm willing to do.

Re: Enphase Data Access

Velo Steve wrote: »

There's not enough information on the local interface for screen-scraping to do any good. I used to have per-panel output numbers, but they even deleted that in a recent "upgrade".

Okay, now that right there would tee me off! Hack away! :cool:

I'm sure they feel it's covered in some lousy excuse for an EULA, but removing functionality AFTER the sale just doesn't sit with me. Besides, if it's my hardware odds are good I'm going to play with it just because it's there!

As dwh mentions, I'd put the PC between the Envoy and the network. All packets must pass through, which gives you great control. You'd then be able to see the entire data stream, there are a variety of fun ways to manipulate that. (Maybe set up your own web server and redirect all connects to Enphase there? See what it says or tries to say? Could subsequently proxy everything on through to make it transparent.)

But yeah, getting the ssh user/pass would probably be the most useful method - assuming remote passwords are still enabled. It's possible they have password logins disabled and are using PKI there as well...

One piece of hardware we used to install for web access to HVAC systems used a removable flash card for the "hard drive" on a single-board computer. I was able to get root access by popping the flash card into a PC and editing the /etc/shadow file to reset root's password. (At that point you could also change how sshd is configured.) I'm sure most systems like this use soldered-in flash now though. And of course any future "updates" from Enphase would put you back to square one - or worse...

Re: Enphase Data Access

Has anyone else tried this? I don't see the jumper on my version of the envoy so I can't get it to boot to the SD.

Re: Enphase Data Access

If that actually gets you the access needed, then great. However, with all Linux-based systems I've ever messed with, an account called "admin" would be a user account that was created by the manufacturer. It may or may not have full access to the entire device. (One device I worked on, logging in with 'admin' automatically ran a configuration program without shell access. Exit the program and you're back at the login prompt.)

The password I'd be after is the "root" password. Username 'root' would be the ultimate superuser account, with full access to everything.

It may be possible they even modified this, but the few embedded Linux devices I've worked with all did it this way.

Re: Enphase Data Access

sunxxpress wrote: »

Hi guys, this is my first posting. I read this thread, and I have no understanding of how you are going totry to get the information out of the envoy. Way beyond my knowledge of computers. But I did call the tech support department, and asked them for the username and password to log into administration. They are, "admin/admin" when I asked why this was not in the destruction manual they said that people will change the password and not tell them and then they cannot access the modules to make changes if they notice some thing is not right. I hope this helps you guys out in your quest to extract the info from the Envoy.
Regards from sunny and windy ARUBA:D

Sounds like a limp excuse. I play around with satelite receivers and they all have a master password. Glad I know that now. Good enough reason for me not to buy one. S:Dlarvic

Re: Enphase Data Access

Ooh, fun thread. Hopefully I'll be set up with one of these soon-ish and can help with the hacking.

Their enlighten site looks good an I'm happy to pay for it, but I want my own data access too.

Note: if they're running GPL software inside and they don't tell you that, that alone violates the GPL.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
<snip>
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

Usually a polite reminder is all that's required, though. Accusations of license violation don't build good will. (And for all I know it's somewhere in the docs; I will see when I get set up).

Re: Enphase Data Access

Well i'm close but so far away. I've learned they are running redboot for the bootstrapper. I got my serial console hooked up to the console port (115200 baud 8N1 no parity).. For some odd reason ctrl-c never reaches redboot so I can't break out of the boot cycle. If i can do that I can simply boot another os from the network or tell the damn thing to boot into single user mode... Anyway I'm sure I'll eventually get it.. If anyones got ideas please... I've tried 3 diff os and nothing. You can also telnet to the enphase at port 9000 during a short window of bootup during the redboot boot cycle. But that doesn't seem to help me either. I must be doing something wrong.






FEC: [ FULL_DUPLEX ] [ disconnected ] [ 100M bps ]:
No RedBoot partition table detected in NAND 512MiB
... waiting for BOOTP information




RedBoot(tm) bootstrap and debug environment [ROMRAM] 10 Dec 2004: I cache: 16384 bytes, associativity 4,
Non-certified release, version FSL 200834 - built 16:12:28, Jul 29 2009icee timeout: 256 µ
CPU0: D cache: 16384 bytes, a
hub 1-0:1.0: USB hub

Platform: Envoy (Freescale i.MX27 based) PASS 2.1 [x32 SDR]red new in
Typical full b
Re
Initializing USB Mass Storage
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc. registered new interface driver
MXC MMC/SD driver = 133
... Read from 0x0fee0000-0x0feff000 at 0xc07e0000: .ing timer interrupt.ice 80x30isteredb
Erase Region
... Read from 0x00100000-0x00300000 at 0xc0040000: ................amily 1: irq 56, i
usb:
mxc_nor_flash.0
NET: Registered protocol f
RedBoot> exec -c "console=ttymxc0 root=/dev/mtdblock4 rootfstype=yaffs2 init=/sb/Sharp Extended Query Table at 0x010
RPC: Registered tcp transport module.2 (ord
in/init fec_mac=00:1D:C0:01:A

CPU0: D VIVT write-back cachenected ] [ 100M bps ]:mxcintu
CPU0: I cache: 16384 bytes, associativity 4, 32 byte lines, 128 setsformationnew
RAMDISK driver in
0x007ff000
Ethernet mxc_fec: MAC add
CPU0: D cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
IP: 192.168.20.10/255.255.255.0, Gateway: 192.168.20.1c
TCP bind ha
Real-Time Preemption Support (C) 2004-2007 Ingo Molnarr: 192.168.20.1Cread-only11: Copy
UA
MXC MT
Ethernet F
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65024i
Clock input: 26 MHzale MXCV 8-bi
TCP r
Enphase Part Number: 590-00013-r0
Kernel command line: console=ttymxc0 root=/dev/mtdblock4 rootfstype=yaffs2 init=0
usb: DR host (usb3317)


RedBoot(tm) bootstrap and debug environment [ROMRAM]F
/sbin/init fec_mac=00:1D:C0:01:A9:47d precision)T
Non-certified release
MXC IRQ initialized - built 16:12:28,
PID hash table entries: 1024 (order: 10, 4096 bytes) 98h0: etherne
JFFS2 version

Platform: Envoy (Free
MXC GPT timer initialized, rTUN/TA


in/init fec_mac=00:1D

entry=0xa0008000, target=0xa00080003 spi
usbcore: registered new device driver usbddress 0x00100000 and length 0x00200000
F
NET: Registered protocol family 2P device driver
Uncompressing Lin
IP route cache hash table entries: 2048 (order: 1, 8192 bytes) <maxk@qualcomm.com> H
e
Max. bytes in buffer write: 0x40MXC M
TCP established hash table entries: 8192 (order: 4, 65536 bytes) done, booting the kernel.Q
Erase Region #0: BlockSize 0x8
MXC
TCP bind hash table entries: 8192 (order: 6, 262144 bytes)e404 (dhowson@dhowson-lnx) (gcc version 4.1.2) #1 PREEMPnd
TCP: Hash tables configured (established 8192 bind 8192)mxc_nor_flash.0: Foun
T RT Fri Jun 5 16:34:17 PDT 2009e
TCP reno registered: Register
CPU: ARM
MX27: Power management module initializeed Query Ti

mxcintuart.4: ttymxc4 at MMIO 0x1001b000 (irq = 49) is a Freescale MXC2:28, Jul 29 2009lo
)c
nan
0x007ff000-0x00800000 : "RedBoot con
mxc_no
mxcintuart.5: ttymxc5 at MMIO 0x1001c000 (irq = 48) is a Freescale MXCx32 SDR]tart on an erase block boundary
Intel/Sharp Extended Query
Co
RAMDISK driver initialized: 2 RAM disks of 40960K size 1024 blocksizeExtended Query Table at 0x010A 2.1put: 2
Copyright (C) 2003, 2004, 20
loop: module loaded Limiteduery Table
FEC ENET Version 0.2,8V 8-bitng 1 MTD pa
fec: PHY @ 0x1f, ID 0x0007c0c4 -- LAN8700200-0x0fed1000] available)
)o
nand_read_
eth0: ethernet 00:1d:c0:01:a9:47nded Query T
FLASH: 0xc0000000 -
tun: Universal TUN/TAP device driver, 1.6 each.er write methodNAND 512MiB 1,8V 8-b
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>pt in 1.000 seconds
Platform: Envoy (Freesca


Vcc Maximum: 2.0 VIS dir
in/init fec_
Vpp Minimum: 8.5 V7"ck -- force read-
Vpp Maximum: 9.5 Vtry=0xa0008000, tar
Typical byte/word write timeout: 256 µs00:
0x00
Using base address 0x00100000 a
Maximum byte/word write timeout: 512 µs #1
mtd: partition "RedBoot co
Uncompres
Typical full buffer write timeout: 512 µs............................
RedBoot> exe

Maximum full buffer write timeout: 1024 µsad-onlyuting

MXC


RedBoot(tm) bootstrap and debug env
Intel/Sharp Extended Query Table at 0x010A EHCI 1.00, driver 10 Dec
Non-certified rel
Intel/Sharp Extended Query Table at 0x010Aul 29 2009
usb usb1: configuration #1 chose
Using buffer write methodght (C) 2004

Platform: E
cfi_cmdset_0001: Erase suspend on write enabledsetsC: [ FULL_DU
hub 1-0:1.0: 1 port detected..
Searching for RedBoot partition table in mxc_nor_flash.0 at offset 0x7e00002123 spi1.0: setting system c
usbcore: registered
Copyright (C) 2003, 2004,
4 RedBoot partitions found on MTD device mxc_nor_flash.04
USB Mass Storage support re

RAM: 0x00000000-0x0ff000
Creating 4 MTD partitions on "mxc_nor_flash.0":rface driver libusualdblock4 rootfstype=yaf
mmc
0x00000000-0x00040000 : "RedBoot", 64 blocks of 0x00020000 bytes e
0x00040000-0x00240000 : "kernel"_mac=00:1D
pcf2123 spi driverver
0x007e0000-0x007ff000 : "FIS directory" secondsered pcf2123 as rtc0t 0xc07e00l
+++... Read from 0x0fee0000-0x0ff0
fsl-ehci fsl-ehci.0: Freescale On-Chip EHCI Host Controllerght (C) 2003, 20
... Read from 0x0fed3000-0x0fed4000 at 0xc
fsl-ehci fsl-ehci.0: new USB bus registered, assigned bus number 1 [ FULL_DUPLEX ] [ disconnected ] [ 100M bps ]: from 0x0fed3000-0x
fsl-ehci fsl-ehci.0: irq 56, io mem 0x10024000r BOOTP information000, 64 blo
FEC: [ FULL_DUP
fsl-ehci fsl-ehci.0: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004e
in/init fe
usbcore: registered new interface driver libusual
mice: PS/2 mouse device common for all mice
pcf2123 spi driver
pcf2123 spi1.0: rtc core: registered pcf2123 as rtc0
MXC WatchDog Driver 2.0
MXC Watchdog # 0 Timer: initial timeout 60 sec
MXC MMC/SD driver
mxcmci-0 found
oprofile: using timer interrupt.
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
ieee80211: 802.11 data/management/control stack, git-1.1.13
ieee80211: Copyright (C) 2004-2005 Intel Corporation <jketreno@linux.intel.com>
Envoy Post Initialization
pcf2123 spi1.0: setting system clock to 2010-04-09 02:06:11 UTC (1270778771)
yaffs: dev is 32505860 name is "mtdblock4"
yaffs: passed flags ""
mmc0: new SD card at address 867d
mmcblk0: mmc0:867d SU02G 1931264KiB
mmcblk0: p1

Re: Enphase Data Access

No.. It won't tftp a new image unless you can pass redboot the commands to do it. The bootp that you see initially is just a very low level telnet server redboot sets up on port 9000 for low level debug access. You still need to hit ctrl c to get into redboot. Problem is Enphase decided to make the bootup time 1 second and somehow disabled ctrl -c ..

If i can get to the redboot prompt i could just do this:

load -r -b 0x100000 /tftpboot/zImage
exec -b 0x100000 -l 0x200000 -c "noinitrd console=ttymxc0,115200 root=/dev/nfs nfsroot=10.29.244.99:/tftpboot/rootfs init=/linuxrc ip=10.29.241.6:10.29.244.99"


My life would be a lot easier if someone can just let me borrow their old Envoy unit (big square box, not the little one) for a day.

andy

Re: Enphase Data Access

sandeen wrote: »

Somebody should ask; probably best if its' a customer, and I'm not (yet).

So far my questions to support have been pretty much ignored or danced around (it has been combined with other support questions). I may have to open a direct ticket.

sandeen wrote: »

Yes, my first name happens to be Eric

Found your home page - appears that you are the Sandeen I suspected you were - I lurk on LKML. Looks like you have some interesting blog posts regarding Linux & power, will have to read them.

Re: Enphase Data Access

Boy, this thread has me remembering Jordi LaForge talking about the Enterprise systems in Star Trek Next Generation...incomprehensible, but entertaining

Ralph

I follow it because I have 52 Enphase inverters in my basement waiting for installation in a 10kw microFIT feed in tariff...

Re: Enphase Data Access

andyman wrote: »

Thats exactly my plan. Take a dump of shadow and brute it. Problem is getting in first. The person who got into it did it because he had the older unit that allowed bootup from an alternative flash. Enphase disabled this ability or atleast I haven't figured it out yet. So no shadow at this time.

I did however discover the 20pin JTAG interface on the board. I am simply going to dump the contents of the flash and see if I can mount the filesystem that way. Just waiting for the JTAG programmer to arrive.

andy

Does that other person have a copy of his shadow file? bet the hashes have not changed.