2

I'm trying to get telemetry from my Solax hybrid inverter which has a "Pocket WIFI" device installed without the information going across the internet (it's my data, it's sent unencrypted and stored in a country whose values I do not share, and also giving them the right to meddle with my device at my risk in the portal usage terms).

I have been able to connect to the Solax AP and, by pretending to be the Solax App connected to "local" I can get a dump of raw data as a CSV which I think I will be able to decode. That said, I really don't want to have to set up a dedicated AP client just so I can get this information.

I see that the device is also connected to my LAN, and port 80 is open, but this does not behave like a web server, and throwing the request I made to 5.8.8.8 (i.e. when connected to the Pocket WIFI AP) did not work.

It also looks like it is sending telemetry unencrypted but not in an immediately recognisable format to a specific IP address (47.254.152.103, port 2901) that it looks like I can change in the configuration, but I can't find details of the protocol.

Does anyone know how I can access this data without connecting specifically to the Pocket WIFI AP, and without the data going to the cloud?

5 Answers

0

It is possible to get realtime data in JSON format from the Solax inverter by POST request directly through the Pocket Wifi AP call:

curl -d "optType=ReadRealTimeData&pwd=THE_PASSWORD" -X POST http://5.8.8.8

The result looks like:

{"sn":"XXXXXXXX","ver":"3.003.02","type":14,"Data":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,1,63000,65535,0,0,0,0,0,0,2285,0,0,1,0,2536,256,14876,5139,5644,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9276,0,1,42,0,0,4956,0,5693,0,0,0,9690,0,0,0,0,0,1871,0,42279,0,0,0,906,0,0,0,0,0,0,0,0,0,1,8,1,31,8,0,2628,1800,350,150,283,263,32,32,43,1106,521,9252,9252,0,0,0,0,3182,3168,21428,16,21302,14389,18753,12339,16693,12867,12339,21302,14389,18753,12339,16693,12867,12339,21302,14389,18754,12339,16694,12355,12593,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2561,4098,1795,1537,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"Information":[10.000,14,"HXXXXXXXXXX",8,1.18,0.00,1.17,1.08,0.00,1]}

Unfortunately I didn't find any description of the resulting JSON structure, but I am sure it can be deduced by comparing the values currently shown by the Solax app. Also check these links that deal with a similar problem for some types of inverters:

The dongle should have a web interface so you can access it at http://5.8.8.8 from a web browser (connected to the Pocket Wifi AP). Default username and password is admin / admin but in my case the password was set to serial number of the inverter. The same password is passed by the pwd parameter in the curl command above.

1
  • Yup, unfortunately this is not what I want, as it ONLY works on 5.8.8.8 on its own AP - meaning I can't easily integrate it with the next of my network (I need to run an AP client just for that... Yuk). There is a hacked firmware which may help me, but I'm loath to try it - blog-chrisoft-io.translate.goog/2021/02/14/…
    – davidgo
    Commented Dec 20, 2022 at 20:12
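
One way to do the comparison suggested in the answer above (an added example, not part of the original answer): poll twice and list which `Data` indices moved, so they can be matched against what the app shows. The two sample responses are constructed and shortened, and `signed16` rests on the assumption that the entries are 16-bit registers.

```python
import json
import urllib.parse
import urllib.request


def fetch(password, url="http://5.8.8.8"):
    """POST the same form the curl command sends and return the response text."""
    form = urllib.parse.urlencode({"optType": "ReadRealTimeData", "pwd": password})
    with urllib.request.urlopen(url, data=form.encode(), timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


def parse(text):
    """Check the shape seen in the sample response and return the Data list."""
    data = json.loads(text).get("Data")
    if not isinstance(data, list) or not all(isinstance(v, int) for v in data):
        raise ValueError("response has no integer 'Data' array")
    return data


def diff(before, after):
    """Return (index, old, new) for every position that changed between polls."""
    if len(before) != len(after):
        raise ValueError("array length changed; firmware or model differs")
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


def signed16(value):
    """Assumption: entries are 16-bit registers, so 65535 may really be -1."""
    return value - 0x10000 if value >= 0x8000 else value


def changed_fields(text1, text2):
    """Parse two raw responses and report the indices whose values differ."""
    return diff(parse(text1), parse(text2))


# Constructed, shortened samples in the shape of the response shown above.
SAMPLE_1 = '{"sn":"XXXXXXXX","ver":"3.003.02","type":14,"Data":[0,2285,65535,100,42]}'
SAMPLE_2 = '{"sn":"XXXXXXXX","ver":"3.003.02","type":14,"Data":[0,2291,65533,100,42]}'

if __name__ == "__main__":
    for index, old, new in changed_fields(SAMPLE_1, SAMPLE_2):
        print(f"Data[{index}]: {old} -> {new} (as signed: {signed16(new)})")
```

On a live device, replace the samples with two `fetch(...)` calls taken a few seconds apart while watching the app.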
0

I know this might not be what you are looking for (as it is basically a dedicated client), but documenting it in case it fits somebody else's needs.

Assuming you have a spare Linux machine (e.g. a Raspberry Pi, even a Zero W would be enough) on your LAN, adding a really cheap USB WiFi adapter (assuming it's not using Ethernet to connect to the LAN) would allow it to use the built-in WiFi to connect to the LAN and the USB adapter to attach to the inverter AP.

You can then run an HTTP reverse proxy (e.g. nginx) to make the Pi proxy for the web server on the inverter. So then any other devices on the LAN would be able to query the inverter. (You may also be able to use iptables to do direct port forwarding instead of nginx.)
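
The relay idea from the answer above, sketched as a small Python forwarder instead of nginx (an added example, not part of the original answer). It listens only on the Pi's LAN address, accepts only LAN clients, and forwards only the `ReadRealTimeData` request, so the dongle's other operations are not exposed to the LAN. The LAN subnet, listen address and port are assumptions.

```python
import http.client
import ipaddress
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

UPSTREAM = "http://5.8.8.8"                    # dongle address on its own AP
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
LISTEN = ("192.168.1.50", 8080)                # assumed LAN address of the Pi
ALLOWED_OPS = {"ReadRealTimeData"}             # read-only operation from the page


def is_allowed(client_ip, body):
    """Relay only single, allow-listed read requests that come from the LAN."""
    if ipaddress.ip_address(client_ip) not in LAN:
        return False
    ops = parse_qs(body).get("optType", [])
    return len(ops) == 1 and ops[0] in ALLOWED_OPS


class Relay(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        if length > 1024:                      # the real form is a few dozen bytes
            self.send_error(413)
            return
        body = self.rfile.read(length).decode("ascii", "replace")
        if not is_allowed(self.client_address[0], body):
            self.send_error(403)
            return
        req = urllib.request.Request(UPSTREAM, data=body.encode(), method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                payload = resp.read()
        except (OSError, http.client.HTTPException):
            self.send_error(502)               # dongle unreachable or bad reply
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, Relay).serve_forever()
```

The `pwd` value still crosses the LAN in cleartext with this setup, exactly as it does between the curl client and the dongle.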

0

This worked for me: local information every 5 sec from an X1 hybrid G4 with Pocket WIFI to Home Assistant (if you use it). Not sure if it uses the API to get the info, but worth checking out.

https://community.home-assistant.io/t/solax-x1-hybrid-g4-local-cloud-api/506172

3
  • 1
    Thank you for your feedback. This is exactly the functionality I was trying to get - unfortunately it appears Solax deliberately removed it on the firmware available for my Solax Pocket WIFI (it's interesting the firmware version they are using is older than what I had). I managed to do exactly this by using a hacked firmware (which changed 2 bytes which nullified the check preventing me doing this!)
    – davidgo
    Commented Dec 26, 2022 at 23:09
  • where are you getting this hacked firmware from?
    – Andy
    Commented Mar 17, 2023 at 23:09
  • @Andy I did not see your comment until now (if you want to bring a comment to someone's attention you should put @ (no space) username in it). I believe it was from blog-chrisoft-io.translate.goog/2021/02/14/…
    – davidgo
    Commented May 30, 2023 at 9:15
0

Well, it's probably first making a DNS request to resolve some xyz.abc.com domain and then connecting to the port 2901 on it. So, you'll have to somehow create a fake DNS server, respond with a different local or in-cloud-but-controlled-by-you IP address, accept the incoming connection (if TCP) or packets (if UDP). Else, that IP address can change tomorrow (even if just slightly different because of a server farm used in a certain way).

By observing the initial behavior of the as-it-works-today setup with, say, a Wireshark trace, you can know if there are handshakes involved. Wireshark can also identify some protocols (high level).

As far as identifying what the data content is, you can try to see if it is using some off-the-shelf serialization products such as protobuf/flatbuffers/thrift, etc. But I don't know of automated tools to do this identification. You may have to analyze the bytes to see if it makes sense in a certain protocol's wire format schema.

And after doing all this, what do you hope to achieve?

If sending data is your concern, you can just cut off its internet access and let it run in local-only mode, perhaps.

1
  • Thank you for answering. Unfortunately this does not help. No DNS lookup is done. What I am trying to achieve is per my post - local control of the device without running a dedicated AP client. I have now discovered that Solax deliberately try to thwart what I want to do with deliberately gimping firmware (and prevent best practices), but there may be a solution related to RS485.
    – davidgo
    Commented Jul 19, 2022 at 17:21
0

Not a very satisfying answer, but it appears that Solax take deliberate steps to make this difficult.

This problem can be solved with hacked firmware - it appears that the firmware in the pocket WIFI has a deliberate check (loosely along the lines of checking if the request is coming to 5.8.8.8 and denying it if it doesn't - I have not checked the exact mechanism though). https://github.com/squishykid/solax/issues/46 also points to this.

I also tried to extract the data over modbus - but I did not have much luck - I assume that the problem is my modbus -> ethernet converter, although again, I'm not sure where this is breaking down - ie I could not get an ELFIN modbus to ethernet converter to work. There may be a solution along these lines using some custom hardware and Tasmota - https://tasmota.github.io/docs/SolaX-X1/ (I did not try this)

Update - Dec 2023

So I've been helping someone else with a similar, but newer setup to mine. I don't have one, but it appears that the Pocket WIFI v3 - ie the black colored one - specifically claims to support Modbus (unlike the White V2 one I have), and I believe that will solve the problem. There is also now an ESP32 hack you can build - see https://blog-chrisoft-io.translate.goog/blog/2023/10/01/freepocket-creacion-de-un-pincho-alternativo-para-inversores-solax/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

1
  • I'm not sure of the policy on posting links to hacked binaries on this site - if it's appropriate, let me know and I'm happy to do this.
    – davidgo
    Commented Dec 21, 2022 at 18:59
