3 releases

0.2.5 Jan 12, 2024
0.2.3 Jun 17, 2023
0.2.1 May 14, 2023


MIT license

54KB
1K SLoC

My small contribution: a CLI for the Sermatec ESS 光储一体机协议 (all-in-one PV/storage inverter protocol)

  • Tested on SMT-5K-TL-LV hardware with PCU 6.0.9
  • Tested on STM-10K-TL-TH (does someone want to test it?)

Maybe one day:

  • Configuration commands?
  • Nice GUI using egui?

Compilation

Useful to remove the libc dependency (clean ldd output)

apt install musl musl-dev musl-tools
rustup target add x86_64-unknown-linux-musl
cargo build --target x86_64-unknown-linux-musl --release

CLI Example

$ ./sermatec-ess
Usage: sermatec-ess [OPTIONS] [COMMAND]

Commands:
  get     Get a specific things
  list    Get listing of all things
  daemon  Daemon mode use sermatec-ess as a MQTT client
  help    Print this message or the help of the given subcommand(s)

Options:
  -i, --inverter <Inverter IPv4>  Sets Sermatec ESS Ipv4Addr [default: 10.10.100.254]
  -p, --port <Port number>        Sets Sermatec ESS Port number [default: 8899]
  -d, --debug...                  Turn debugging information on
  -h, --help                      Print help
$ ./sermatec-ess list  
--===~ Sermatec ESS CLI AND MQTT PROXY ~===--
Asking to Sermatec Inverter 10.10.100.254:8899
listing commands:

sermatec-ess get --el 0a : Battery information display
sermatec-ess get --el 0b : Control cabinet information display
sermatec-ess get --el 0c : Equipment running status
sermatec-ess get --el 0d : bmsMeter connection status
sermatec-ess get --el 1e : BMS alarm information display
sermatec-ess get --el 1f : System fault status display
sermatec-ess get --el 64 : Control command settings (*)
sermatec-ess get --el 66 : Operating mode setting (*)
sermatec-ess get --el 67 : Working parameter setting 2 (*)
sermatec-ess get --el 68 : Time Calibration Settings (*)
sermatec-ess get --el 69 : Grid battery type setting (*)
sermatec-ess get --el 6a : Operating mode setting 2 (*)
sermatec-ess get --el 70 : reset (*)
sermatec-ess get --el 71 : Set mandatory charging and discharging information (*)
sermatec-ess get --el 94 : Set WIFI password (*)
sermatec-ess get --el 95 : Set parameter query
sermatec-ess get --el 98 : System Information Query
sermatec-ess get --el 99 : total power data
sermatec-ess get --el 9a : Grid power data
sermatec-ess get --el 9b : Load power data
sermatec-ess get --el 9c : Grid battery power data
sermatec-ess get --el 9d : Set parameter information 2
sermatec-ess get --el 9e : Set router information (*)
sermatec-ess get --el 9f : Set cloud server information (*)
sermatec-ess get --el a1 : Query DRM status
sermatec-ess get --el a2 : Forced charge and discharge information
sermatec-ess get --el a3 : Local WIFI module network configuration (*)
sermatec-ess get --el b0 : Set up routers and servers (*)
sermatec-ess get --el b1 : Query routers and servers
sermatec-ess get --el ba : Register settings (*)
sermatec-ess get --el bb : Register query (*)
(*) DO NOT USE!
$ ./sermatec-ess get --el 98
--===~ Sermatec ESS CLI AND MQTT PROXY ~===--
Asking to Sermatec Inverter 10.10.100.254:8899
protocol version number: 609
Battery manufacturer number (code list): PYLON Low-voltage Battery 485
model code: 5kW
product_sn: STXXXXXXXXXXXXXXXXXXX
product_sn_ln: 

MQTT Example

Everything works smoothly with Home Assistant MQTT Discovery!

$ ./sermatec-ess daemon --help
Daemon mode use sermatec-ess as a MQTT client

Usage: sermatec-ess daemon [OPTIONS] --host <HOST>

Options:
  -m, --host <HOST>  MQTT Server hostname
  -t, --port <PORT>  MQTT Server TCP port [default: 1883]
  -w, --wait <WAIT>  waiting time between two updates (seconds) [default: 300]
  -f, --fork         Detaching from the controlling terminal
  -h, --help         Print help
$ ./sermatec-ess daemon --host 10.10.100.42 --port 1883 -k
--===~ Sermatec ESS CLI AND MQTT PROXY ~===--
Asking to Sermatec Inverter 10.10.100.254:8899
Detaching from terminal
$

Help WANTED

I'm looking for 5K PCU firmware, specifically for PCU5KSL_609.bin, please help me :)

To help, you can dump the payload exchanges between your phone and the inverter using PCAPdroid (available on F-Droid).

TODO

BB is a special query that reads internal registers.

  • BB: do not use, or you will have to reboot! (two-part message)

Note

Sermatec in AP mode

(we connect as a client to the Sermatec inverter's access point)

  • The Sermatec inverter tries to connect to our station IP on TCP port 18899 every second
  • We can connect to TCP port 8899

Once the TCP stream is open we can use the OSIM protocol

Sermatec in Station mode

(the Sermatec inverter itself connects to the wifi access point)

The Sermatec inverter tries to connect to the cloud server IP on default port 19042 every second.

** THIS IS A SECURITY ISSUE **

  • The cloud server can send commands to the Sermatec inverter and reconfigure (or destroy) everything directly.
  • The cloud server can issue Query routers and servers (B1) to obtain the AP SSID and PASSWORD!

Denial of Service (DoS) App Access

** THIS IS A SECURITY ISSUE **

Register query (BB) is a two-part message! If you send only the first part, you block the state machine forever and must reboot.

Open TCP Ports

  • 23/tcp open telnet
  • 80/tcp open http (UART-TCP module web config admin/admin)
  • 8000/tcp open http-alt (?)
  • 8899/tcp open osim (internal) protocol

Sermatec TCP port connection

What the cloud server sends...

8.209.71.159 is the Sermatec European cloud server: you can try it.

$ netcat -o 19042.txt 8.209.71.159 19042
...
cat 19042_2.bin 
< 00000000 fe 55 64 14 98 00 00 4c ae                      # .Ud....L.
< 00000009 fe 55 64 14 98 00 00 4c ae                      # .Ud....L.
< 00000012 75 9a b0 f9 8a 06 68 85 fc                      # u.....h..
< 0000001b 75 9a b0 f9 8a 06 68 85 fc                      # u.....h..

Interesting, because I do not know "75 9a". Maybe it is for other hardware?
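As an added example (not the sermatec-ess crate's own code), here is a Rust encoder and validator for the OSIM framing inferred from the captured fe 55 64 14 98 00 00 4c ae frame: four-byte header, command byte (0x98, the System Information Query), big-endian payload length, payload, checksum, 0xae trailer. Both the layout and the checksum rule (XOR over everything before it, seeded with 0x0f) are assumptions taken from that single frame; the seed is the reading that reproduces the captured 0x4c. A proxy running in daemon mode could use parse_frame to log and drop malformed or unknown frames such as the "75 9a ..." one instead of forwarding them to the inverter.

```rust
// Added example, not part of the sermatec-ess crate. Framing and checksum
// are ASSUMED from the single captured frame on this page:
//   FE 55 64 14 | cmd | len (u16 BE) | payload | checksum | AE
// checksum = XOR of header..payload seeded with 0x0F (0x43 ^ 0x0F == 0x4C).

const HEADER: [u8; 4] = [0xfe, 0x55, 0x64, 0x14];
const TRAILER: u8 = 0xae;
const CHECKSUM_SEED: u8 = 0x0f;

#[derive(Debug, PartialEq)]
pub struct Frame {
    pub command: u8,
    pub payload: Vec<u8>,
}

/// XOR every byte into the seed; covers header, command, length and payload.
fn checksum(bytes: &[u8]) -> u8 {
    bytes.iter().fold(CHECKSUM_SEED, |acc, b| acc ^ b)
}

/// Encode a command and its payload into one complete frame.
pub fn build_frame(command: u8, payload: &[u8]) -> Vec<u8> {
    let mut out = HEADER.to_vec();
    out.push(command);
    out.extend_from_slice(&(payload.len() as u16).to_be_bytes());
    out.extend_from_slice(payload);
    out.push(checksum(&out));
    out.push(TRAILER);
    out
}

/// Parse one frame, rejecting anything that does not match the assumed layout.
/// The Err string says why, so a proxy can log what it refused to forward.
pub fn parse_frame(buf: &[u8]) -> Result<Frame, &'static str> {
    if buf.len() < 9 { return Err("short frame"); }
    if buf[..4] != HEADER { return Err("bad header"); }
    let len = u16::from_be_bytes([buf[5], buf[6]]) as usize;
    if buf.len() != 9 + len { return Err("length mismatch"); }
    if buf[7 + len] != checksum(&buf[..7 + len]) { return Err("bad checksum"); }
    if buf[8 + len] != TRAILER { return Err("bad trailer"); }
    Ok(Frame { command: buf[4], payload: buf[7..7 + len].to_vec() })
}

fn main() {
    // The captured query frame and the unknown one from the netcat dump above.
    let captured = [0xfe, 0x55, 0x64, 0x14, 0x98, 0x00, 0x00, 0x4c, 0xae];
    let unknown = [0x75, 0x9a, 0xb0, 0xf9, 0x8a, 0x06, 0x68, 0x85, 0xfc];
    println!("{:02x?} -> {:?}", build_frame(0x98, &[]), parse_frame(&captured));
    println!("{:02x?} -> {:?}", unknown, parse_frame(&unknown));
}
```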
