Changes

1,293 bytes added, Yesterday at 13:59
no edit summary
|J1
|}
 
=== Modbus Protocol Investigation ===
 
https://diysolarforum.com/threads/epever-tracer-modbus-digging-deeper.108305/
 
=== Decrypting Firmware Update (.prg) Files ===
 
Bytes 18 through the end of the file can be decrypted with AES in CBC mode, using an all-zero IV and the keys below. Pad with PKCS#7 using a 16-byte block size.
 
'''Key for Larger 50A - 100A units'''
:: <code>54726163 72414e43 0cdd527b 05c16b01 ff17cd6f 8c1e3e09 cf1f0c78 87ef8aec</code>
 
'''Key for Smaller 10A - 40A units'''
:: <code>54726952 6f6e2eda 0cdd527b 05c16b01 ff17cd6f 8c1e3e09 cf1f0c78 87ef8aec</code>
 
https://gist.github.com/symbioquine/88e7148b4df143822f3b0d565619f80b
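
The decryption described above, as an added example built on the <code>openssl</code> command line (not code from this page or from the linked gist). It assumes "bytes 18" is a 0-based offset, so an 18-byte header is skipped; the helper name <code>decrypt_prg</code> is hypothetical.

```sh
#!/bin/sh
# Added example (not from the page or the linked gist).
# Decrypts the body of a .prg update file as described above:
# AES-CBC, all-zero IV, PKCS#7 padding, ciphertext starting at byte 18.

# Assumption: "bytes 18 thru the end" is a 0-based offset, i.e. an
# 18-byte cleartext header precedes the ciphertext.
HEADER_LEN=18
ZERO_IV=00000000000000000000000000000000   # 16 zero bytes

# decrypt_prg <in.prg> <key-hex> <out.bin>   (hypothetical helper name)
# The key may contain spaces, as the keys are printed on this page.
# Runs in a subshell so its variables do not leak into the caller.
decrypt_prg() (
    in=$1
    out=$3
    key=$(printf '%s' "$2" | tr -d ' ')

    # The listed keys are 32 bytes (64 hex digits), so this is AES-256.
    if [ "${#key}" -ne 64 ]; then
        echo "key must be 64 hex digits" >&2
        exit 2
    fi

    size=$(wc -c < "$in") || exit 2
    body=$((size - HEADER_LEN))

    # CBC ciphertext is always a whole number of 16-byte blocks. If it is
    # not, the file is truncated or the header offset is wrong.
    if [ "$body" -le 0 ] || [ $((body % 16)) -ne 0 ]; then
        echo "ciphertext is $body bytes, not a positive multiple of 16" >&2
        exit 3
    fi

    # tail -c +N is 1-based, so +19 starts at 0-based offset 18.
    # openssl strips PKCS#7 padding itself and fails with "bad decrypt"
    # when the padding is invalid, the usual symptom of the wrong key.
    tail -c +"$((HEADER_LEN + 1))" "$in" |
        openssl enc -d -aes-256-cbc -K "$key" -iv "$ZERO_IV" -out "$out"
)

# Stand-alone use: sh decrypt_prg.sh firmware.prg "<key>" firmware.bin
if [ "$#" -eq 3 ]; then
    decrypt_prg "$@"
fi
```

A nonzero exit status from the length check (3) points at a truncated file or a different header size rather than at the key.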
 
=== Dumping Firmware ===
 
Firmware can be dumped with https://github.com/racerxdl/stm32f0-pico-dump (see the SWD pins in the top table).
 
=== Unlocking SWD ===
 
<code>
openocd -s $(pwd) -f interface/stlink-dap.cfg -f target/stm32f0x.cfg
</code>
 
<code>
telnet localhost 4444
</code>
 
<code>
reset init
</code>
 
<code>
stm32f0x unlock 0
</code>
 
<code>
flash erase_address unlock 0x08000000 0x10000
</code>
 
:: Power cycle and reconnect the ST-Link.
 
<code>
flash write_image /path/to/dumped_firmware.bin 0x08000000
</code>
 
<code>
reset
</code>
 
=== Dumping Running RAM ===
 
<code>
halt
</code>
 
<code>
dump_image /path/to/save/tracer6420an_running_ram.bin 0x20000000 0x2000
</code>
 
<code>
resume
</code>
