Possibly Custom Firmware for GEN3PLUS Inverters

Open Complexicon opened this issue 8 months ago • 6 comments

Hi Salli, I did some digging on my MS2000(800) (SN with Y47...) and got my hands on a Wireshark File containing the Upgrade Process of the Inverter, from which I was able to recover the Firmware (I still have to decompile and reverse the firmware image).

I didn't know how much of this is already public knowledge, so I thought I'll open a GitHub issue to let everybody know and track progress here.

The Firmware Header states that it's a "HF-LPx70x1 Image", so I did some googling and badabing badabong I got broken Chinese documentation for the WiFi chip that runs the Webserver on the Inverter.

Seems to be mostly complete INCLUDING AT+ commands. Some of the AT+ Commands work, some don't, but there's a whole lot that aren't documented here in the Wiki, so I thought I'll leave this here: http://www.hi-flying.com/hf-lpb170 (if this goes offline I have copies archived 😄)

In their documentation sheet there seems to be some option to directly enable MQTT on-chip, didn't figure out yet how. Firmware seems pretty generic and looks identical to the Web Portal from the AP - but in Chinese.

On the Weekend I'll do more digging/decompiling and try to port MicroPython over to that thing so that I can maybe run your proxy directly on the device.

Thanks for your great work 😄

Complexicon avatar Mar 05 '25 13:03 Complexicon

Update: Also got the English Documentation now!

Also the Firmware File is either Compressed or Encrypted (I hope it's not the latter...)

Complexicon avatar Mar 05 '25 14:03 Complexicon

Interesting idea. I never thought about running the proxy on the device itself.

I know the documentation for the IOT module. On the MS-2000 there is a firmware running which supports the SolarmanV5Protocol. I think the firmware will get the measurements from the inverter DSP over a serial port.

If you get an image to run on the device, it will run instead of the Solarman firmware, right?

s-allius avatar Mar 05 '25 17:03 s-allius

I'll try to inject another Webpage first, but yeah that would be the plan: Replace Solarman V5 with either your Proxy Software or MQTT Directly.

You are probably right, the Documentation suggests that the WIFI Chip Receives Data via Serial from the actual DSP and forwards it to the cloud/proxy as SolarmanV5.

The Firmware seems similar to https://github.com/dasrecht/deye-firmware, as I was able to unpack it with lzma. I looked at the strings in the firmware binary and the Base SDK seems to be bl_iot_sdk, with extensive documentation here: https://pine64.github.io/bl602-docs/

Also there are some new interesting webpages I've found:

Can't test them today, sun's already down 🌞

Complexicon avatar Mar 05 '25 18:03 Complexicon
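
The two comments above describe an image that looked "either compressed or encrypted" and was later unpacked with lzma. The triage behind that distinction, as an added example that is not part of the original thread: entropy alone cannot separate compression from encryption, so the script scans for an LZMA-alone header and accepts a candidate only if it decompresses to end of stream. The sample image is constructed (only the header string comes from the thread; its offsets and layout are assumptions), and 0x5D is assumed as the properties byte because it is the LZMA default.

```python
import lzma
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for compressed AND for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_lzma_streams(blob: bytes, max_out: int = 16 << 20):
    """Return [(offset, decompressed)] for each LZMA-alone stream that decodes fully."""
    found, pos = [], 0
    # LZMA-alone header: 1 properties byte, 4-byte dict size, 8-byte length (13 bytes).
    while (pos := blob.find(b"\x5d", pos)) != -1 and pos + 13 <= len(blob):
        dict_size = struct.unpack_from("<I", blob, pos + 1)[0]
        if 1 << 12 <= dict_size <= 1 << 27:          # cheap plausibility filter
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
            try:
                # max_length caps output so a hostile image cannot exhaust memory
                out = dec.decompress(blob[pos:], max_length=max_out)
            except lzma.LZMAError:
                out = None
            if out is not None and dec.eof:          # reached a real end of stream
                found.append((pos, out))
                pos = len(blob) - len(dec.unused_data)  # resume after this stream
                continue
        pos += 1
    return found

def build_sample():
    """Constructed stand-in image: ASCII header, LZMA body, padding. Not the real layout."""
    payload = b"".join(b"param_%d=%d\n" % (i, i * i) for i in range(2000))
    body = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    blob = b"HF-LPx70x1 Image".ljust(64, b"\x00") + body + b"\x00" * 16
    return blob, payload, body

if __name__ == "__main__":
    blob, payload, body = build_sample()
    print(f"packed body entropy: {shannon_entropy(body):.2f} bits/byte")
    for off, data in find_lzma_streams(blob):
        print(f"LZMA stream at 0x{off:x}: {len(data)} bytes, "
              f"entropy {shannon_entropy(data):.2f} bits/byte")
```

If no candidate decodes and the entropy stays near 8 bits per byte across the whole file, encryption or a different compressor remains the likelier explanation.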

I have discovered that the /iweb.html Endpoint also exists and it behaves like stated in the Official Documentation (a.k.a. you can upload your own webpages with custom display variables and own firmware)

I've ordered the exact Chipset that is used in the MS2000 (and probably in all other GEN3 and GEN3PLUS inverters) to play with and start writing a custom firmware. Unfortunately, since it's shipped from China it won't arrive before 3. April... and I don't want to destroy my Main Inverter that I currently have in Production Use.

I'll nevertheless test and explore everything I find in the stock firmware and report back (the firmware is a gigantic hackjob)

Additionally I've started to collect information and notes here if anyone is interested: https://github.com/Complexicon/chinese-microinverters

Complexicon avatar Mar 11 '25 18:03 Complexicon

@Complexicon you mention the Deye inverters above. Do you think it's also possible to recover Deye FW files from the online update? Maybe you can share how to get the firmware file(s) out of Wireshark recordings (if there is a tutorial, just share the URL).

I own a MP3000; I guess your findings will also be a good start to get this inverter supported too (by the proxy)...

TheSmartGerman avatar Mar 13 '25 15:03 TheSmartGerman

> @Complexicon you mention the Deye inverters above. Do you think it's also possible to recover Deye FW files from the online update? Maybe you can share how to get the firmware file(s) out of Wireshark recordings (if there is a tutorial, just share the URL).
>
> I own a MP3000; I guess your findings will also be a good start to get this inverter supported too (by the proxy)...

Should be doable: simply open the pcap in Wireshark, filter by the IP of your inverter and http, and then just grab the firmware from the response, assuming it's HTTP traffic and not HTTPS/SSL; else your chances of getting it are bad, but since most of these Chinese inverters operate similarly I guess you should be fine.

Complexicon avatar Mar 18 '25 12:03 Complexicon

https://fcc.report/FCC-ID/2ACSVHF-LPT270/5020788.pdf

Or see direct from vendor. Unable to link it directly: http://www.hi-flying.com/ -> HF-LPX70 Series Wi-Fi_BLE Module User Manual CN-V2.8(20241011).pdf

Just opened the Inverter. It's a plug-in module with WiFi and BT. The Chip is a HF-LPT270. Both UARTs (Debug UART 1 and 0) are connected: UART 1 goes to a pin header and UART 0 goes down to the Inverter. It's just a 2x4 2,54mm socket.

I'll see if I can hook a Logic Analyser to it and see what happens... Or just FTDI and see what's out on PuTTY.

TheSmartGerman avatar Sep 25 '25 19:09 TheSmartGerman