Difference between revisions of "EPEVER SCCs"

From RECESSIM, A Reverse Engineering Community
Jump to navigation Jump to search
VisualWikitext
 
(2 intermediate revisions by the same user not shown)
Line 27: Line 27:
 
Tracer8420AN/Tracer10420AN
 
Tracer8420AN/Tracer10420AN
 
|Solar Charge Controller
 
|Solar Charge Controller
|STM32F051C8T7
+
|[https://www.st.com/en/microcontrollers-microprocessors/stm32f051c8.html STM32F051C8T7]
G4A36AFNNT
+
[https://www.ti.com/lit/ds/symlink/tms320f28023.pdf TMS320F28023PT]
 
|J2
 
|J2
 
|-
 
|-
Line 42: Line 42:
 
Tracer3210AN/Tracer4210AN
 
Tracer3210AN/Tracer4210AN
 
|Solar Charge Controller
 
|Solar Charge Controller
|STM32F030C8T6
+
|[https://www.st.com/en/microcontrollers-microprocessors/stm32f030c8.html STM32F030C8T6]
 
|J6
 
|J6
 
|-
 
|-
Line 50: Line 50:
 
TRIRON4210N/TRIRON4215N
 
TRIRON4210N/TRIRON4215N
 
|Solar Charge Controller
 
|Solar Charge Controller
|STM32F030C8T6
+
|[https://www.st.com/en/microcontrollers-microprocessors/stm32f030c8.html STM32F030C8T6]
 
|J6
 
|J6
 
|-
 
|-
Line 68: Line 68:
 
XTRA3415N/XTRA4415N
 
XTRA3415N/XTRA4415N
 
|Solar Charge Controller
 
|Solar Charge Controller
|STM32F030C8T6
+
|[https://www.st.com/en/microcontrollers-microprocessors/stm32f030c8.html STM32F030C8T6]
 
|J6
 
|J6
 
|-
 
|-
Line 84: Line 84:
 
|
 
|
 
|-
 
|-
|MT50/MT52
+
|MT50
 
|Configuration Tool / Display
 
|Configuration Tool / Display
|STM32F030C8T6
+
|[https://www.st.com/en/microcontrollers-microprocessors/stm32f051k8.html STM32F051K8]
 +
|F2/F9
 +
|-
 +
|MT52
 +
|Configuration Tool / Display
 +
|[https://www.st.com/en/microcontrollers-microprocessors/stm32f030c8.html STM32F030C8T6]
 
|F2/F9
 
|F2/F9
 
|-
 
|-
Line 96: Line 101:
 
|PAL-ADP-50AN
 
|PAL-ADP-50AN
 
|Synchronization Accessory
 
|Synchronization Accessory
|STM32F030C8T6
+
|[https://www.st.com/en/microcontrollers-microprocessors/stm32f030c8.html STM32F030C8T6]
 
|J1
 
|J1
 
|}
 
|}
  
=== Modbus Protocol Investigation ===
+
===Decrypting Firmware Update (.prg) Files===
 
 
https://diysolarforum.com/threads/epever-tracer-modbus-digging-deeper.108305/
 
 
 
=== Decrypting Firmware Update (.prg) Files ===
 
  
 
Bytes 18 thru the end of the file can be decrypted with AES CBC IV=[all zeroes] keys below. Pad with pkcs7 16 byte block size.
 
Bytes 18 thru the end of the file can be decrypted with AES CBC IV=[all zeroes] keys below. Pad with pkcs7 16 byte block size.
  
 
'''Key for Larger 50A - 100A units'''
 
'''Key for Larger 50A - 100A units'''
:: <code>54726163 72414e43 0cdd527b 05c16b01 ff17cd6f 8c1e3e09 cf1f0c78 87ef8aec</code>
+
 
 +
::<code>54726163 72414e43 0cdd527b 05c16b01 ff17cd6f 8c1e3e09 cf1f0c78 87ef8aec</code>
  
 
'''Key for Smaller 10A - 40A units'''
 
'''Key for Smaller 10A - 40A units'''
:: <code>54726952 6f6e2eda 0cdd527b 05c16b01 ff17cd6f 8c1e3e09 cf1f0c78 87ef8aec</code>
+
 
 +
::<code>54726952 6f6e2eda 0cdd527b 05c16b01 ff17cd6f 8c1e3e09 cf1f0c78 87ef8aec</code>
  
 
https://gist.github.com/symbioquine/88e7148b4df143822f3b0d565619f80b
 
https://gist.github.com/symbioquine/88e7148b4df143822f3b0d565619f80b
  
=== Dumping Firmware ===
+
===Dumping Firmware===
  
 
Works with https://github.com/racerxdl/stm32f0-pico-dump (See SWD pins in top table)
 
Works with https://github.com/racerxdl/stm32f0-pico-dump (See SWD pins in top table)
  
=== Unlocking SWD ===
+
===Unlocking SWD===
  
 
<code>
 
<code>
Line 142: Line 145:
 
</code>
 
</code>
  
:: Power cycle & reconnect st-link
+
::Power cycle & reconnect st-link
  
 
<code>
 
<code>
Line 152: Line 155:
 
</code>
 
</code>
  
=== Dumping Running RAM ===
+
===Dumping Running RAM===
  
 
<code>
 
<code>
Line 165: Line 168:
 
resume
 
resume
 
</code>
 
</code>
 +
 +
=== Protocol Documentation ===
 +
 +
{| class="wikitable"
 +
|[https://diysolarforum.com/resources/epever-scc-modbus-protocol-docs.512/version/878/download?file=329342 1733_modbus_protocol.pdf]
 +
|V1.1
 +
|FENG
 +
|2013-11-25
 +
|234.2 KB
 +
|86c05193b7f6e1945eb67616c6658366ef4033b110f506a33c1eeef03b0eafbf
 +
|-
 +
|[https://diysolarforum.com/resources/epever-scc-modbus-protocol-docs.512/version/878/download?file=329340 EpeverBSeriesControllerProtocolV2.3.pdf]
 +
|V2.3
 +
|sunb
 +
|2015-10-22
 +
|374.8 KB
 +
|a3fccf914928118def85223482e3091956d046810a01c20152006e6f68c61b70
 +
|-
 +
|[https://diysolarforum.com/resources/epever-scc-modbus-protocol-docs.512/version/878/download?file=329339 MODBUS-Protocol-v25.pdf]
 +
|V2.5
 +
|sunb
 +
|2018-09-27
 +
|847.6 KB
 +
|d0f9f08be06b5125134c3be24d9acc1430dcd4e9e82478df68d451489aaa77fb
 +
|-
 +
|[https://diysolarforum.com/resources/epever-scc-modbus-protocol-docs.512/version/878/download?file=329341 A or BSeriesControllerProtocolv2.6.pdf]
 +
|V2.6
 +
|sunb
 +
|2021-12-21
 +
|711.9 KB
 +
|3c2cf42f5f440d06db36280d41f0a8dd632da32396b820529db76eef53fd4351
 +
|}
 +
 +
Modbus Protocol Investigation: https://diysolarforum.com/threads/epever-tracer-modbus-digging-deeper.108305/

Latest revision as of 16:07, 12 September 2025

Model Device Type Microcontroller(s) SWD Pins
ET5420NC G3

ET7420NC G3 ET10420NC G3

Solar Charge Controller TBD TBD
IT5420NC G3, IT6415NC G3,

IT6420NC G3, IT7415NC G3, IT7420NC G3, IT8420NC G3, IT10415NC G3, IT10420NC G3 IT6415NC G3 BLE, IT10415NC G3 BLE

Solar Charge Controller TBD TBD
Tracer6210AN

Tracer5415AN/Tracer6415AN Tracer8415AN/Tracer10415AN Tracer5420AN/Tracer6420AN Tracer8420AN/Tracer10420AN

Solar Charge Controller STM32F051C8T7

TMS320F28023PT

J2
Tracer1206AN G3/Tracer1210AN G3

Tracer2206AN G3/Tracer2210AN G3 Tracer3210AN G3/Tracer4210AN G3

Solar Charge Controller TBD TBD
Tracer1206AN/Tracer2206AN

Tracer1210AN/Tracer2210AN Tracer3210AN/Tracer4210AN

Solar Charge Controller STM32F030C8T6 J6
TRIRON1206N/TRIRON1210N

TRIRON2206N/TRIRON2210N TRIRON3210N/TRIRON3215N TRIRON4210N/TRIRON4215N

Solar Charge Controller STM32F030C8T6 J6
XTRA1206N G3 (BLE)?/XTRA2206N G3 (BLE)?

XTRA1210N G3 (BLE)?/XTRA2210N G3 (BLE)? XTRA3210N G3 (BLE)?/XTRA4210N G3 (BLE)? XTRA3215N G3 (BLE)?/XTRA4215N G3 (BLE)? XTRA3415N G3 (BLE)?/XTRA4415N G3 (BLE)?

Solar Charge Controller TBD TBD
XTRA1206N/XTRA2206N

XTRA1210N/XTRA2210N XTRA3210N/XTRA4210N XTRA3215N/XTRA4215N XTRA3415N/XTRA4415N

Solar Charge Controller STM32F030C8T6 J6
DR1106N-DDB/DDS DR1206N-DDB/DDS

DR2106N-DDB/DDS DR2206N-DDB/DDS DR3106N-DDB/DDSDR3206N-DDB/DDS DR2210N-DDB/DDSDR3210N-DDB/DDS

Solar Charge Controller TBD TBD
MT50 Configuration Tool / Display STM32F051K8 F2/F9
MT52 Configuration Tool / Display STM32F030C8T6 F2/F9
MT53 Configuration Tool / Display TBD TBD
PAL-ADP-50AN Synchronization Accessory STM32F030C8T6 J1

Decrypting Firmware Update (.prg) Files

Bytes 18 thru the end of the file can be decrypted with AES CBC IV=[all zeroes] keys below. Pad with pkcs7 16 byte block size.

Key for Larger 50A - 100A units

54726163 72414e43 0cdd527b 05c16b01 ff17cd6f 8c1e3e09 cf1f0c78 87ef8aec

Key for Smaller 10A - 40A units

54726952 6f6e2eda 0cdd527b 05c16b01 ff17cd6f 8c1e3e09 cf1f0c78 87ef8aec

https://gist.github.com/symbioquine/88e7148b4df143822f3b0d565619f80b

Dumping Firmware

Works with https://github.com/racerxdl/stm32f0-pico-dump (See SWD pins in top table)

Unlocking SWD

openocd -s $(pwd) -f interface/stlink-dap.cfg -f target/stm32f0x.cfg

telnet localhost 4444

reset init

stm32f0x unlock 0

flash erase_address unlock 0x08000000 0x10000

Power cycle & reconnect st-link

flash write_image /path/to/dumped_firmware.bin 0x08000000

reset

Dumping Running RAM

halt

dump_image /path/to/save/tracer6420an_running_ram.bin 0x20000000 0x2000

resume

Protocol Documentation

1733_modbus_protocol.pdf V1.1 FENG 2013-11-25 234.2 KB 86c05193b7f6e1945eb67616c6658366ef4033b110f506a33c1eeef03b0eafbf
EpeverBSeriesControllerProtocolV2.3.pdf V2.3 sunb 2015-10-22 374.8 KB a3fccf914928118def85223482e3091956d046810a01c20152006e6f68c61b70
MODBUS-Protocol-v25.pdf V2.5 sunb 2018-09-27 847.6 KB d0f9f08be06b5125134c3be24d9acc1430dcd4e9e82478df68d451489aaa77fb
A or BSeriesControllerProtocolv2.6.pdf V2.6 sunb 2021-12-21 711.9 KB 3c2cf42f5f440d06db36280d41f0a8dd632da32396b820529db76eef53fd4351

Modbus Protocol Investigation: https://diysolarforum.com/threads/epever-tracer-modbus-digging-deeper.108305/

Retrieved from "https://wiki.recessim.com/w/index.php?title=EPEVER_SCCs&oldid=3214"