Archived Forum

See my post here re SolarBob's script

http://openenergymonitor.org/emon/node/10377

Simple perl script running on a raspberry Pi and the gateway! Job done!

Hi, and thanks for the info.  I'm still stuck, though.  I understand that there is a perl script that runs on a raspberry pi (although I'd probably run it on my linux server) that can decode the data output by the enecsys gateway.  Everyone says something like "point your gateway to the ip address of your raspberry pi".

I can't see how to do this.  I have a Generation 2 gateway.  In setup mode, it has 6 sections:

"Inverter Settings"    "Gateway Settings"   "Repeater Settings"

"Server Settings"     "Restart/Shutdown"    "Installation Wizard"

"Server Settings" seems promising; it has:

    Server Report URL (dcs.monitor.enecsys.net)

    Server Command URL (ccs.monitor.enecsys.net)

However, no matter how you poke at the touch screen you can't change anything.

"Restart/Shutdown" only lets you do that.

The "Installation Wizard" lets you select your inverter serial numbers if you enter the 2100 pin, but you can't change anything else.  None of the other choices let you do anything, either.

You can try to log into the gateway with a web browser through the IP address shown on the main screen, but it requires a username and password.  I've tried everything there without success.

I must be missing something obvious, but how do you change the report IP address?  Maybe the US gateway has different firmware?

Hi, again-

Well, after carefully reading the Enecsys Gen 2 rack mount inverter installation guide, I know more.  In that guide, it shows a screenshot of the setup mode screen.  In this screenshot, the center button at the bottom reads "Maintenance Mode" instead of "Restart/Shutdown" like it does on my gateway.  There is some text about needing a password to go into maintenance mode.  I think that this is what allows you to actually change the server settings.

I don't know why my gateway is different.  Maybe they changed the firmware to disable maintenance mode, or maybe there is some secret way to enable the "Maintenance Mode" button. 

I have dis-assembled my gateway (remove the 4 stick on rubber feet on the bottom to reveal the screws that hold it together).  There is a 4Gb SanDisk microsd-hc card on the bottom side of the board which I have removed.  I'm about to go get another one and copy the data from the stock card to that.  I'll make sure that the replacement card boots, and then I can experiment with less chance of breaking everything.

There are also two pins on the board which looks like they take one of those small jumpers.  I bet that if I short them it will put the gateway into factory reset mode or something.  I don't want to brick my gateway, though, so I want to have a backup SD card before I try it.

I'm going to poke around on the linux filesystem on the SD card and see if I can access /etc/password and /etc/shadow.  I can hopefully patch the encoded passwords from my linux box into there and be able to log in via telnet or the web interface.  I may try and crack the stock passwords (they might have used something insecure).  This would allow anyone to log into their gateway without taking it apart..

Well, I keep replying to my own posts as I figure more stuff out...

I figured out how to log into the web interface on my Gen 2 gateway.  Before you read how to do this, however, you need to READ THE FOLLOWING WARNINGS, and agree that you PROCEED AT YOUR OWN RISK:

1.  The web interface seems to give you a lot of power.  YOU CAN CHANGE THE POWER LIMIT ON YOUR INVERTERS AND A LOT OF OTHER THINGS THAT LOOK LIKE THEY MIGHT HAVE THE POTENTIAL TO BURN THINGS OUT, START FIRES, BRICK YOUR GATEWAY OR INVERTERS, AND OTHERWISE CREATE EXPENSIVE AND DANGEROUS CHAOS.  Enecsys is now out of business, so anything you break you can't replace. You might render your $10,000 PV array useless.  I think you shouldn't change any settings related to the inverters at all.

2. As you will see below, the security on the Enecsys Generation 2 gateway web interface is EXTREMELY POOR.  The password protection is a nearly useless fig leaf.  Do not, under any circumstances, place your gateway on a subnet that is not well protected by a firewall.  Considering the above described dangers, it should probably be on its own subnet behind its own firewall, with no other computers and no inbound access to the internet at all.

Here we go:

I plugged the SD card from my Gen 2 gateway into my linux box and found that it had a straightforward linux file system with two partitions, boot and rootfs.  The /etc/passwd file in the root file system has only one user with shell access, root.  There is another file (etc/passwd-) in the partition that is identical, except that the root login has no password at all.

Before I changed anything I tried to make a raw copy with dd of the data on the SD card.  This failed after 935 mb with a disk error.  I don't know what was up.  I thought that maybe the SD card was copy protected somehow, but I seemed to be able to access all of its files.  Anyway, I took the first 935MB and copied it to another 4Gb SD card, repaired the linux file system on the rootfs partition on the new card, and copied the files from the original card to the new one with cp -a.

The new card booted my gateway just fine.  I took the card out and copied the /etc/passwd- file to /etc/passwd, and I was able to boot the gateway, telnet to it and log in as root without a password.

You have access to what looks like a standard linux command line interface.  You can look around, edit files with vi, etc.

The linux system runs thttpd as its web server.  The web directory is /srv/www.  If you look in there you will fine two HTML files, index.htm (the default) and CommandControl.htm.

I looked at the index.htm file and it creates the login page.  When you enter your username and password it runs the following script:

$(document).ready(function () {
    $("button").button();
    $("#LoginFail").hide();

    $("#btnSubmit").click(function () {
        
        $.post(    
            "/cgi-bin/fetchDatabase.py",
            { user: $("#txtLogin").val(),
              pass: $("#txtPassword").val()},
            function(data) {
                                var returnVal = String(data);
        
                if (returnVal.indexOf("True") != -1) {
                    $("form").submit();
                }
                else {
                    $('#LoginFail').show();
                    $('#LoginFail').delay(3000).fadeOut(2000);
                    return false;
                }
            
            }
        );
    });
});

If you look at cgi-bin/fetchDatabase.py it connects to a sqlite database and looks up the username to see if the password matches.  Opening the database on my linux box you find the following username/password pairs in the users database:

admin/robin

maintenance/batman

helpdesk/superman

However, if you try to enter these usernames and passwords into the web interface they don't work for me.  If you run the javascript debugger you get "OperationalError:No such table USERS".  I don't know what is up; maybe the problem is with the case on the database name.

In any case, all that happens if the password matches is the form gets submitted to ./CommandControl.htm.  If you just type:

<gateway ip address>/CommandControl.htm into your browser you get the web interface WITH NO PASSWORD NEEDED AT ALL.

At this point you can look at your inverters, see their status, and probably screw everything up.

The "Properties" tab seems to let you change the reporting URL for your gateway.  Here is where it seems like you would point it to whatever new server you wanted.

After looking at this it is clear that the software on the Enecsys Gen 2 gateway is barely beta test quality.  It contains an insecure web interface that doesn't even work as designed.  In hindsight, you can figure out everything I did just with an internet connection and a copy of firefox without opening the gateway.

Be careful.

I've investigated this 9 months ago as well when enecsys started to fall apart and the monitoring went out.

The risks are high and that's why I didn't post this information here for everyone available. As you have mentioned the risk to destroy the firmware of the inverter or Gateway is too high! The risk of frying your inverters is DEFINITELY there! I know that because I learned that the hard way. 
They never built a 100% solution and everything is just a development disaster from my point of view. They completely fooled all the clients by thinking they are buying stronger 300W Inverters whereas it is just a firmware setting limiting it to 240 or 300W. However, playing around in this UI and saving stuff to the inverter could lead into corrupt data if light conditions are not perfect (full sunshine on the panels!) If during storing the data to the inverter the DC Power is not enough to keep it powered on you will have maybe a dead inverter and no exchange available for it! 

That's why I started to offer it as a service to others. Besides that I also built some workarounds and a real-time dashboard on the gateway itself with feeds to EmonCMS and pvoutput.org.

The gateway process showing the UI is the GatewayUI binary. It also has others to control the DBUS etc.

The db is a SQlite DB but be careful to not lock it as the gateway has a watchdog which will constantly reboot until it has access again. Also it has Watchdogs for sending the data. If there are more than 5 entries in the reporting table it will trigger a watchdog which will also reboot the gateway. Thousand of Gateways are doing this at the moment. I also did a workaround for that to avoid that 99% of the time. However, I still try to find the perfect Server response which the gateway then will acknowledge and does delete the data in the reporting table. Without that it's doing the reboots until it was able to send the data.

Furthermore it also has a watchdog which checks if there is connections to the inverters. If there is no connection for a certain time it will also trigger reboots. The reboots are just reloading the GatewayUI and not doing a complete reboot. It's still annoying to see your gateway in a blue screen state for 20s every 30-40 mins.

The binaries are written in Q't. The rest is python 2.6 and Javascript. My code is written also in python also the dashboard

Be careful when changing the URL's. It sometimes (50% of the time) happens that the Gateway DB is stuck in a locked condition where you will never be able anymore to change the URLs ;-)  And this lock situation will not even clear with shutdown restart. You have to manually change the URL then via SQL queries etc.

The 1st Gens are very simple. Their gateway is just sending the data and not storing them. The 2nd Gen has a lot of logic (poorly written and executed) which will prevent it to be a nice solution.

If you want to know more you can look here: http://swiss-solar-log.ch/products-services/enhanced-enecsys-2nd-gen-gateway-firmware-external-portals/

For the ones who do not need the realtime dashboard or pvoutput.org stream I can offer the simple URL change to my emonCMS instance. I already have more than 200+ 1st and 2nd Gen Inverters running on it.

Kind Regards
Andreas

10-27-2015

Hello from St Louis Missouri.  My name is Dan and I'm a software and hardware engineer.  I have a few questions for you Andreas or anybody else who might have some answers. First let me lay a foundation.

I have about 150 Enecys inverters that I bought cheap on ebay.  Most of them are 1st generation.  About 30 are 2nd gen units.  I'm going to install 50 of them on a close friends roof system.  We are old time ham radio / electronics buddies.  Back in the late 70s and early 80s we made antennas.  Ok so I made a first class inverter test / repair work bench.  It has a meter socket and electrical panel. There is a 10amp double pole breaker connected to a cord with a wieland 3 pin plug that mates with the enecsys inverter. This breaker feeds the meter socket.  There is an electronic LCD meter that shows energy flow direction and kw/watts flowing.  It connects two a 30 amp 240 vac outlet which in turn is connected to a two 100 watt light bulbs in series which is connected to a very high performance 10kw trip lite always on power / battery backup system with a toroid transformer.  The trip lite system is used to simulate perfect sine wave grid power with a display of the amount of load.

When I connect up an enecsys inverter I can see it pumping power out through the LCD amp meter.  I can also see the load drop on the trip lite unit while the enecys inverter is running. 

Ok so I know these 1st inverters have problems.  It is very easy to cause them to fail.  I am am able to reproduce the exact conditions that cause the 1st gen units to self destruct.  When I open / throw the double pull breaker that supplies the grid power to the wieland 3 pin plug, it normally causes no problem.  The inverter shuts down.  But if the grid power is turned back on too soon it causes a fire cracker pop sound and the inverter is damages. 

When you do an autoposy of the 1st gen inverter you discover a surface mount 3 amp fuse is blown and one sometimes two mosfets are shorted out.  Obviously these 1st gen units have a engineering flaw with the Q5 mosfet driver circuit. 

Ok so my 1st question is ... Im curious if anyone has engineered a true modification that will prevent this from happening.  You can use a heat gun and warm up the solder and remove the bad mosfet.  When I replace it and the blown fuse the unit starts working again.  So I have proven that I can damage the unit and then repair it.  You can put a larger mosfet in and it seems to hold up better. 

I want to come up with a quick modification that can be done to all these units to prevent this failure.  Im wondering if maybe the circuit needs a zener diode, a resister to prevent the stock 20N60 mosfet from shorting out.  Or maybe these 20N60 mosfet are a bad low quality.  After all you can buy them in  quantities of 10 for about .30 cents each.  Enecys was prob only paying about ten cents each for these.

So does anybody have any suggestions for modify this gen mosfet driver circuit ?

I read here that on gen 2 inverters you can use the gateway to re-program the inverter firmware.

Does anybody know if the firmware on gen 1 units can be changed from a gen 2 gateway?

The gen one units have a nasty 6-8 minutes delay timer.  The gen 2 units only have a few seconds of grid delay timer.  Does anybody know if this can be changed?  Can the firmware on gen 1 units be changed perhaps from a gen 2 gateway?
 

Dan

St Louis, MO

Hi Dan

Sorry, never saw your questions here.  No the 1st and 2nd Gen Firmwares are not compatible. They even did never manage to bring the new gateway firmware which was able to read 1st and 2nd Gen inverters. They always promised but never delivered.

I think this 6-8 delay is exactly because of the high possibility for self destruction. I would not change it. I even would say ramp it up to 10mins to be sure not to fry them. :-(

I'm still trying to find the perfect server response for the 2nd Gens so that they drop their reporting table. The gatewas otherwise will panic and try to send their data non-stop.  It was a nice feature storing the data to the gateway in case the connection was lost to the server. However it's hard to figure out the necessary response which says that the reception of the data was ok.

Any chance you could send me a copy of the firmware? I want to have a look for the response code.

Regards

Hey Max, did you ever develop the program you need for your Gen2 Gateway?  I just got one, and like you I also need a solution.

Jim Luschen

Here is my solution. It bases on my enhancements and workarounds and uses EmonCMS for data visualizing.

http://swiss-solar-log.ch/products-services/enhanced-enecsys-2nd-gen-gateway-firmware-external-portals/