Home
Fox-ess make a line of solar inverters. These inverters communicate with www.foxesscloud.com and this is an attempt to understand and document the protocol used.
From snooping the traffic from an inverter I have seen that a TCP connection to port 10001 on www.foxesscloud.com is made and kept open.
Aside from the standard TCP keep-alive and ACK, data is sent from the inverter's Wi-Fi module periodically (approximately every 30 seconds).
Below is a list of the packets I have seen and an explanation of the contents.
The packet starts and ends with the following (byte values written in hex):
```
7e 7e ... e7 e7
```
Within the boundary markers there appears to be a header and body as follows:
- 1 byte packet identifier
- 4 byte timestamp (unix seconds since 1970) offset by -9 hours
- 1 byte separator (0x00)
- 1 byte body length
- body as specified by the packet identifier
- 2 bytes (probably a checksum)
```
0030 7e 7e 01 62 0e fb 95 00 28 31 ~~.b....(1
0040 2e 32 34 00 00 31 2e 30 32 00 00 31 2e 31 37 00 .24..1.02..1.17.
0050 00 00 01 48 00 48 31 2d 33 2e 37 2d 45 20 20 20 ...H.H1-3.7-E
0060 20 20 20 20 20 0e 60 f7 2b e7 e7 .`.+..
```
This appears to be sent every 304 seconds.
Bytes | meaning |
---|---|
0-3 | Software version "Master" '1.24' |
4-5 | ? zero separator ? |
6-9 | Software version "Slave" '1.02' |
10-11 | ? zero separator ? |
12-15 | Software version "Manager" '1.17' |
16-17 | ? zero separator ? |
... | Software version "afci" '' (zero bytes long in my example) |
18-19 | ? zero separator ? |
20-29 | inverter model 'H.H1-3.7-E' |
30-37 | spaces |
38-39 | unknown (0e 60) |
```
0000 7e 7e 02 62 0e f5 a7 00 e2 05 1d 00 01 00 10 00 ~~.b............
0010 25 00 00 00 00 04 0b 00 00 00 00 09 62 00 06 ff %...........b...
0020 f2 13 81 00 00 00 00 00 00 00 00 01 96 01 82 00 ................
0030 00 00 c0 01 1b 00 00 01 e4 00 00 00 91 00 00 00 ................
0040 7f 00 00 00 01 00 00 07 2a 00 00 01 82 00 00 00 ........*.......
0050 75 00 00 08 38 04 17 00 00 00 13 00 67 00 87 04 u...8.......g...
0060 90 03 20 00 aa 01 db 00 7b 00 72 00 21 00 21 0c .. .....{.r.!.!.
0070 c8 0c be 03 02 00 03 00 00 68 1a 00 0a 00 01 00 .........h......
0080 00 00 01 00 00 00 52 01 07 10 15 20 15 00 00 00 ......R.... ....
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 02 00 00 00 01 00 ................
00c0 01 00 00 00 d2 00 00 00 00 00 00 00 03 00 00 ff ................
00d0 ef 02 03 0e 60 f1 a0 02 02 01 c9 01 67 00 20 00 ....`.......g. .
00e0 e5 00 04 00 00 00 00 00 00 00 00 68 f0 e7 e7 ...........h...
```
Approximately every 304 seconds, occasionally every 608.
It appears to be null-separated binary values. I suspect this is the main block of statistics. I shall attempt to match them to likely similar values that my inverter was reporting at this time.
value number | hex values in my capture | meaning |
---|---|---|
1 | 05 1d | |
2 | 01 | |
3 | 10 | |
4 | 25 | |
5-7 | missing | |
8 | 04 0b | |
9-11 | missing | |
12 | 09 62 | |
13 | 06 ff f2 13 81 | |
14 | missing | |
15-20 | missing | |
21 | 01 96 01 82 | |
22 | missing | |
23 | missing | |
24 | c0 01 1b | |
25 | missing | |
26 | 01 e4 | |
27-28 | missing | |
29 | 91 | |
30-31 | missing | |
32 | 7f | |
33-34 | missing | |
35 | 01 | |
36 | missing | |
37 | 07 2a | |
38 | missing | |
39 | 01 82 | |
40-41 | missing | |
42 | 75 | |
43 | missing | |
44 | 08 38 04 17 | |
45-46 | missing | |
47 | 13 | |
48 | 67 | |
49 | 87 04 90 03 20 | |
50 | aa 01 db | |
51 | 7b | |
52 | 72 | |
53 | 21 | |
54 | 21 0c c8 0c be 03 02 | |
55 | 03 | |
56 | missing | |
57 | 68 1a | |
58 | 0a | |
59 | 01 | |
60-61 | missing | |
62 | 01 | |
63-64 | missing | |
65 | 52 01 07 10 15 20 15 | |
66-110 | missing | |
111 | 02 | |
112-113 | missing | |
114 | 01 | |
115 | 01 | |
116-117 | missing | |
118 | d2 | |
119-124 | missing | |
125 | 03 | |
127 | missing | |
128 | ff ef 02 03 0e 60 f1 a0 02 02 01 c9 01 67 | |
129 | 20 | |
130 | e5 | |
131 | 04 | |
132-138 | missing |
```
0030 7e 7e 03 62 0e f5 a6 00 87 36 ~~.b.....6
0040 37 42 42 48 56 31 30 31 37 41 47 33 34 35 36 30 7BBHV1017AG34560
0050 32 48 32 36 32 30 31 39 57 42 31 30 38 36 30 32 2H262019WB108602
0060 48 32 36 32 30 31 39 4a 41 30 35 38 00 00 00 00 H262019JA058....
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 9c 69 e7 e7 .......i..
```
Approximately every 304 seconds.
Unknown.
It appears to contain 3 serial numbers:
- 67BBHV1017AG345
- 602H262019WB108
- 602H262019JA058
I have yet to match these to any of the equipment I own.
```
7e 7e 06 62 0e fb 8b 00 15 48 ~~.b.....H
0040 31 30 36 30 30 36 36 42 48 33 37 32 54 31 37 54 1060066BH372T17T
0050 45 30 36 38 ae 3c e7 e7 E068.<..
```
Approximately every 30 seconds.
Bytes | meaning |
---|---|
0-5 | the protocol version 'H10600' = H1.06.00 |
6-21 | the inverter serial number '66BH372T17TE068' |
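
An added example (not part of the original page): a Python parser for the frame layout listed at the top of this page, run over the identifier 01 and 06 captures above. Big-endian byte order and the function names are assumptions; the two trailing bytes are returned unverified because the checksum algorithm is not identified here.

```python
import struct

START, END = b"\x7e\x7e", b"\xe7\xe7"

# Frames copied from the identifier 01 and 06 captures on this page.
FRAME_01 = bytes.fromhex(
    "7e 7e 01 62 0e fb 95 00 28 31 "
    "2e 32 34 00 00 31 2e 30 32 00 00 31 2e 31 37 00 "
    "00 00 01 48 00 48 31 2d 33 2e 37 2d 45 20 20 20 "
    "20 20 20 20 20 0e 60 f7 2b e7 e7"
)
FRAME_06 = bytes.fromhex(
    "7e 7e 06 62 0e fb 8b 00 15 48 "
    "31 30 36 30 30 36 36 42 48 33 37 32 54 31 37 54 "
    "45 30 36 38 ae 3c e7 e7"
)


def parse_frame(frame: bytes) -> dict:
    """Split one frame into the header fields listed on this page."""
    if len(frame) < 13 or frame[:2] != START or frame[-2:] != END:
        raise ValueError("missing 7e 7e / e7 e7 boundary markers")
    # Assumption: multi-byte fields are big-endian (gives a plausible date).
    ident, ts, sep, length = struct.unpack(">BIBB", frame[2:9])
    if sep != 0x00:
        raise ValueError("separator byte is not 0x00")
    # 2 start + 7 header + body + 2 trailing + 2 end bytes
    if len(frame) != 13 + length:
        raise ValueError("length field disagrees with frame size")
    return {
        "id": ident,
        "timestamp": ts,  # raw value, before the -9 hour offset noted above
        "body": frame[9:9 + length],
        "trailer": frame[9 + length:-2],  # probably a checksum; not verified
    }


def decode_type_01(body: bytes) -> dict:
    """Software versions at the byte offsets from the identifier 01 table."""
    return {"master": body[0:4].decode("ascii"),
            "slave": body[6:10].decode("ascii"),
            "manager": body[12:16].decode("ascii")}


def decode_type_06(body: bytes) -> dict:
    """Protocol version (6 bytes), then the serial to the end of the body."""
    return {"protocol": body[:6].decode("ascii"),
            "serial": body[6:].decode("ascii")}
```

Rejecting any frame whose length byte disagrees with the bytes actually received keeps a truncated or concatenated TCP read from being decoded as a valid packet.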