Author Topic: StecaGrid 5003, how not to do it, and reverse-engineering  (Read 5789 times)


Offline SiwastajaTopic starter

  • Super Contributor
  • ***
  • Posts: 9291
  • Country: fi
StecaGrid 5003, how not to do it, and reverse-engineering
« on: February 17, 2022, 03:35:27 pm »
> Design a solar inverter
> Add Ethernet connectivity
> Add RS485 connectivity
> Add another secondary RS485 connectivity, call it "Modbus RTU" (everybody knows what this implies)
> Market the product and its interfaces

What next? Follow Sunspec? OK fair enough, maybe it didn't exist back then. Failing that, give the customers a list of modbus registers in traditional way? Create a custom not-invented-here protocol and describe it? Discuss the protocol under NDA?

Apparently none of these, not even the last one. Maybe? Hard to say, because they tell you absolutely nothing, except that:

This Thing Of Internet only allows sending data to a fixed, hardcoded Internet service. With subscription cost. Which no one is willing to pay. So the service is discontinued after a few years, obviously.

Apparently, the "Modbus RTU" connectivity is not meant for getting any data out. It has only one hard-coded purpose: feeding energy metering data in.

Does anyone have any experience or pointers on any method of getting data (maybe as little as "current power out") out of this thing? I could give it a shot at reverse-engineering it, but I don't even think where I'd start. I found one reference of polling the internal web server for live numbers and parsing the HTML, but the model I have does not even expose the live numbers on the web server, you can only get fancy graphs. Besides, working with this is extremely difficult because the web server crashes after 1 minute of darkness, so the work needs to be done during daytime, with snow removed from the panels. I'm not going to connect a HVDC power supply just to access the web UI...

EDIT: The assumption of not getting help was surprisingly wrong! The custom protocol documentation was supplied on request, even without signing an NDA. Never seen such a turn of events before.
« Last Edit: February 18, 2022, 03:13:09 pm by Siwastaja »
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1117
  • Country: 00
    • Chargehanger
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #1 on: February 17, 2022, 03:52:30 pm »
why not simply add an external logger ?

Offline SiwastajaTopic starter

  • Super Contributor
  • ***
  • Posts: 9291
  • Country: fi
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #2 on: February 17, 2022, 03:54:17 pm »
why not simply add an external logger ?

That's exactly what I am trying to do, but maybe it wasn't obvious from my post.

The logger is by me, and currently supports SunSpec, and has been in active use non-stop for... two years? Tested on a few SMA inverters and some other Modbus devices.

Any protocol from the Ethernet port (through TCP or any other internet protocol), the RS485 port, or the secondary "modbus RTU" port is fine to me, as long as I know what the protocol is, or at least some starting point for reverse-engineering.

If these things followed any standard, even an internal one, and disclosed what it is, then it would be indeed matter of "simply".
« Last Edit: February 17, 2022, 04:04:49 pm by Siwastaja »
 

Offline SiwastajaTopic starter

  • Super Contributor
  • ***
  • Posts: 9291
  • Country: fi
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #3 on: February 17, 2022, 05:56:11 pm »
Looking at more marketing material, it appears some proprietary logger devices support this thing, and they do have a PC software available, too.

This would mean there is data output, and its existence means it can be reverse-engineered! The process would be this:

1) Buy Microsoft Windows
2) Buy a specific model of USB-RS485 Adapter, supported by Steca's software,
3) Download and install Stecagrid User
4) Connect logic analyzer to RS485 bus
5) Reverse-engineer the shit out of it.

Failing to have #2 right now, I'm making a wild assumption that maybe the protocol is Modbus RTU after all, and running through different baudrates, parity settings and register addresses; maybe something pops out.

It really appears no one else has ever reverse-engineered this to the point of publicizing the results, at least. Not even a hint about baud rate, or similar.

But hey, the more I google, the more names I find for this undocumented bus: latest find is "The Steca solar bus".
« Last Edit: February 17, 2022, 05:59:34 pm by Siwastaja »
 

Offline SiwastajaTopic starter

  • Super Contributor
  • ***
  • Posts: 9291
  • Country: fi
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #4 on: February 17, 2022, 06:12:55 pm »
It appears at least some individual has got hold of this protocol information:
https://forums.homeseer.com/forum/homeseer-products-services/general-discussion-area/96999-help-with-serial-protocol-for-stecagrid-inverter

Sadly, others who ask about it haven't got a reply, and Steca obviously refuses to help.

Anyway, by looking at this guy's 16-byte "read AC power" command, it clearly is not a modbus RTU packet: 02 01 suggests "read coils of slave 2", and then the rest of the message is too long for that.

So the protocol indeed is some custom thing. Now the big question is where my fellow countryman got this secret specification; I don't think he reverse-engineered it from scratch.
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1117
  • Country: 00
    • Chargehanger
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #5 on: February 17, 2022, 07:20:27 pm »
I mean, an analog logger with measurement torus!
So you don't need any interface.

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8133
  • Country: gb
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #6 on: February 17, 2022, 07:43:33 pm »
I propose the Aliexpress solution: https://www.aliexpress.com/item/32349129725.html

E: That might be the Mbus one, their listings aren't the clearest.. they have CT versions, too.
« Last Edit: February 17, 2022, 07:52:29 pm by Monkeh »
 

Offline SiwastajaTopic starter

  • Super Contributor
  • ***
  • Posts: 9291
  • Country: fi
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #7 on: February 18, 2022, 07:05:15 am »
I mean, an analog logger with measurement torus!
So you don't need any interface.

Oh yes, this is the obvious solution.

What I am really doing is getting at a project which is meant to interface with as large a number of devices as possible, including PV, storage, heat pumps, etc. One box to replace all those gazillion boxes; one that actually controls Everything^tm. This is still lacking from the market.

And it would be obviously nice to interface with the products that do have some kind of digital interface, directly.

While you can monitor PV production installing an external electricity meter, it duplicates components, and requires an electrician (clamp-on hall effect or CT maybe not) so is wasted cost and effort.

But it appears that still in 2022 (especially in presence of existing devices from 2016), the access to these interfaces is purposely prevented by obfuscation and secrecy, probably because some suit guy thought that it would increase the sales of their proprietary converter/logger boxes. Obviously the opposite is true; these boxes get no sales, people just see that the interface promise was a scam, and go on with their lives, living without the feature, or duplicating the functionality with something cheaper and simpler than the manufacturer's converter box: like the Chinese clamp-on CT.

Maybe I was just naive. I have worked with a few SMA products and they did follow the standards quite well. Data was available with a few quirks. They implement SunSpec, but they also just simply publish modbus register numbers to be accessed without all the SunSpec enumeration stuff. I guess this is what they were doing even before SunSpec.

I have been wondering why many people install meters to their inverters and not use the internal measurements, but now I have my answer; mine did not really support data output either, although I assumed it did based on marketing material.
« Last Edit: February 18, 2022, 07:08:21 am by Siwastaja »
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1117
  • Country: 00
    • Chargehanger
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #8 on: February 18, 2022, 07:39:27 am »
Yep sure, makes sense.
Voting with the wallet is the best sorting out long term :)

Offline SiwastajaTopic starter

  • Super Contributor
  • ***
  • Posts: 9291
  • Country: fi
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #9 on: February 18, 2022, 01:06:38 pm »
Wow!

I have to take my rude words back... at least partially! Despite the experience of others who tried to ask for specifications but got refused, I thought what the heck, I'll come up with a nice story and try to ask for the specifications. Lo and behold, I have the documentation now! Way to go Steca, at least you do the aftercare right!
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8133
  • Country: gb
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #10 on: February 18, 2022, 04:50:38 pm »
Well, excellent! Now to see if the documentation is right.

Myself I have a Fronius inverter, they have a nicely documented protocol for that, so no need for an additional meter or any reverse engineering. I just use one of those Eastron meters for the main supply (because smart meters don't talk to mere mortals).
 

Offline SiwastajaTopic starter

  • Super Contributor
  • ***
  • Posts: 9291
  • Country: fi
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #11 on: February 18, 2022, 04:56:11 pm »
Well, excellent! Now to see if the documentation is right.

It seems right, and being a classic "header after header, some length fields, IDs and CRCs thrown in" protocol, easy to work with.

However, supplementary documents that contain actual register address/ID lists were not delivered. Let's see if they are still eager to work with me.

Nevertheless, huge help as I can form valid requests, with valid CRCs, and parse the responses, and by design this thing only has 255 addresses so it's trivial to just scan all registers to find what I need, and fun fact: the responses contain an ASCII part:

Code: (columns are hex, unsigned decimal, signed decimal, ASCII)
Read 31 bytes:
02    2    2 
01    1    1 
00    0    0 
1f   31   31 
c9  201  -55 
01    1    1 
84  132 -124 
41   65   65 A
00    0    0 
00    0    0 
10   16   16 
29   41   41 )
00    0    0 
00    0    0 
08    8    8 
41   65   65 A
43   67   67 C
50   80   80 P
6f  111  111 o
77  119  119 w
65  101  101 e
72  114  114 r
3a   58   58 :
0c   12   12 
ff  255   -1 
ff  255   -1 
ff  255   -1 
5a   90   90 Z
b2  178  -78 
13   19   19 
03    3    3 

This makes reverse-engineering it a breeze!
« Last Edit: February 18, 2022, 04:58:32 pm by Siwastaja »
 
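Two checks from the thread worked through as added example code (not Steca's code and not the code the posters used): the Modbus RTU plausibility test behind reply #4 ("02 01 would be read coils of slave 2, but the message is too long for that"), and splitting the 31-byte dump in reply #11 into the fields visible in it. The framing assumptions for the Steca side (0x02 as STX, a 16-bit big-endian total length at offset 2 that matches the 0x001f = 31 in the dump, a one-byte length in front of the ASCII label, 0x03 as ETX) are read off the dump, not taken from the documentation; the proprietary CRC algorithm is not on this page, so the bytes after the label are returned untouched rather than interpreted. The known-good Modbus frame is constructed for comparison.

```python
"""Constructed example: Modbus RTU plausibility check and a field splitter
for the captured StecaGrid reply. Not Steca's code, not the thread's code."""
from dataclasses import dataclass

# The 31-byte response captured in reply #11, re-typed from the dump.
STECA_RESPONSE = bytes.fromhex(
    "02 01 00 1f c9 01 84 41 00 00 10 29 00 00 08 "
    "41 43 50 6f 77 65 72 3a "  # "ACPower:"
    "0c ff ff ff 5a b2 13 03 "
)

# Constructed, known-good Modbus RTU request: slave 1, FC 3, 10 registers from 0.
MODBUS_READ_HOLDING = bytes.fromhex("01 03 00 00 00 0a c5 cd")


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def modbus_crc_ok(frame: bytes) -> bool:
    """True when the last two bytes are the CRC of the rest, sent low byte first."""
    if len(frame) < 4:
        return False
    crc = modbus_crc16(frame[:-2])
    return frame[-2] == (crc & 0xFF) and frame[-1] == (crc >> 8)


def modbus_plausible(frame: bytes) -> tuple:
    """Return (plausible, reason) for function codes 1-6, request or response.
    Shape is checked before the CRC so the verdict on a foreign protocol does
    not depend on a one-in-65536 CRC coincidence."""
    if not 4 <= len(frame) <= 256:
        return False, f"length {len(frame)} outside Modbus RTU limits"
    fc = frame[1]
    if fc not in (0x01, 0x02, 0x03, 0x04, 0x05, 0x06):
        return False, f"function code 0x{fc:02x} not handled"
    # Accepted shapes: the fixed 8-byte request (FC 5/6 responses echo it), or a
    # FC 1-4 response whose byte-count field at offset 2 covers the remainder.
    shapes = {8}
    if fc <= 0x04:
        shapes.add(1 + 1 + 1 + frame[2] + 2)  # addr, fc, count, data, crc
    if len(frame) not in shapes:
        return False, f"length {len(frame)} does not fit function 0x{fc:02x}"
    if not modbus_crc_ok(frame):
        return False, "CRC-16/MODBUS mismatch"
    return True, "ok"


@dataclass
class StecaFrame:
    length_ok: bool      # declared length equals the captured length
    declared_len: int
    header: bytes        # bytes between the length field and the label length byte
    label: str           # the ASCII part, e.g. "ACPower:"
    trailer: bytes       # everything after the label up to (not including) ETX


def parse_steca_response(frame: bytes) -> StecaFrame:
    """Split a captured reply using framing ASSUMED from the dump: 0x02 STX,
    big-endian 16-bit total length at offset 2, length-prefixed ASCII label,
    0x03 ETX. The vendor CRC is unknown here and is left inside `trailer`."""
    if len(frame) < 6 or frame[0] != 0x02 or frame[-1] != 0x03:
        raise ValueError("not framed by STX/ETX")
    declared = int.from_bytes(frame[2:4], "big")
    colon = frame.find(b":")
    if colon < 0:
        raise ValueError("no ASCII label found")
    start = colon
    while start > 0 and 0x20 <= frame[start - 1] < 0x7F:  # walk back over printable bytes
        start -= 1
    label = frame[start:colon + 1].decode("ascii")
    if start == 0 or frame[start - 1] != len(label):
        raise ValueError("label is not preceded by its own length byte")
    return StecaFrame(
        length_ok=declared == len(frame),
        declared_len=declared,
        header=frame[4:start - 1],
        label=label,
        trailer=frame[colon + 1:-1],
    )


if __name__ == "__main__":
    print("modbus request:", modbus_plausible(MODBUS_READ_HOLDING))
    print("steca reply as modbus:", modbus_plausible(STECA_RESPONSE))
    print(parse_steca_response(STECA_RESPONSE))
```

Run stand-alone it reports the constructed request as plausible Modbus, rejects the Steca reply on shape alone (a read-coils frame of 31 bytes with byte count 0 cannot exist), and splits the reply into its declared length, ten header bytes, the "ACPower:" label and seven trailer bytes. Which of those trailer bytes are the value and which are the CRC is exactly what the supplementary documents would settle; the splitter deliberately does not guess.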

Offline RichardBl

  • Newbie
  • Posts: 2
  • Country: nl
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #12 on: August 28, 2024, 05:42:32 pm »
Hi,

Not sure if anyone is still active on this topic.
I just found this topic about the documentation of a steca inverter.

I have the documentation containing the full ID list of all addresses for the RS485 protocol and was able to convert the response value (measurement) from AC power to a value using Node-RED. The request is made via a Waveshare RS485-to-TCP converter using the serial protocol with a hex code. It works flawlessly!
Unfortunately Steca won't give me further support for the protocol description, It is definitely not Modbus RTU.

I wonder if you want to share the protocol description they gave you. The reason I'm asking is that I want to be able to control my power output dynamically based on the power returned into the grid. It is possible to use commercial hardware like the Steca SEM or Kiwigrid Voyager X, but unfortunately they are obsolete and no longer available.
So my idea is to simulate the SEM using Node-red. 

I have no idea which hex code to use to make a serial write command to reduce the power output for ID 13 (derating); see attachment for details.
Are you willing to help me?

Kind regards in advance.
« Last Edit: August 28, 2024, 05:45:39 pm by RichardBl »
 

Offline and74

  • Newbie
  • Posts: 1
  • Country: de
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #13 on: November 24, 2024, 11:31:45 pm »
Hi @RichardBl,
I'm facing the same problem. Do you have any progress on this that you can share?
 

Offline RichardBl

  • Newbie
  • Posts: 2
  • Country: nl
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #14 on: November 25, 2024, 07:21:02 pm »
Unfortunately not,

Tried to contact Steca via my solar installer, no luck at all. Even my solar installer can't contact them for information anymore.
My latest attempt is to get an original Steca SEM controller to reduce the output power via a German reseller. Unfortunately it is in backorder without any information when it will be in stock again.

Otherwise I'm going to buy a resistive load and burn the excess energy into the open air to reduce the power fed into the grid. Not very sustainable, but switching it on and off directly is even worse and can damage the inverter.
I still can't see why Steca makes it so difficult.
 

Offline SiwastajaTopic starter

  • Super Contributor
  • ***
  • Posts: 9291
  • Country: fi
Re: StecaGrid 5003, how not to do it, and reverse-engineering
« Reply #15 on: November 26, 2024, 01:10:47 pm »
Unfortunately not,

Tried to contact Steca via my solar installer, no luck at all. Even my solar installer can't contact them for information anymore.
My latest attempt is to get an original Steca SEM controller to reduce the output power via a German reseller. Unfortunately it is in backorder without any information when it will be in stock again.

Otherwise I'm going to buy a resistive load and burn the excess energy into the open air to reduce the power fed into the grid. Not very sustainable, but switching it on and off directly is even worse and can damage the inverter.
I still can't see why Steca makes it so difficult.

Can you figure out any house loads you could turn on automagically when you have excess production combined with zero or negative export price? For this you need to bidirectionally meter the grid connection point (status output from inverter is not of much help).

And it's not like switching on a load to heat outdoor air is any less sustainable compared to limiting inverter power. If you limit inverter power that same extra power is dissipated in the panels making them heat up more (and slightly decrease their lifetime). Or if you had black roof material without solar panels, then same thing again.

The reason why inverters are controlled to prevent export instead of such loads is that it's often easier to control them than to drive external loads. But if you can't do it easily on Steca then... just add loads. Even semi-useful loads (bitcoin mining  :-DD) would be of course preferable but worst case just heat the air outside. It's the same solar heat that's hitting the planet anyway.

I have only polled status output from Steca so no experience trying to control it unfortunately.
 

