Killing the "Internet of shiT" 23 mar 2019



The only IoT device in my LAN is the inverter (ca. 400V DC to 230V@50Hz AC) for my solar panels. I don't like devices that do not/can not update in my network. Now that the website I used to pull the measurement data from is changed (and thus broken) I decided to reverse what the device does and build my own service.

Killing the

Security?

First order of business is to find out what the inverter actually does and to see if it is in any way secure.

Summary:

  • admin:admin as credentials
  • Plain-text web-services
  • Likely no protection against spoofing measurements

Where are you?

The inverter is connected to my wireless LAN and uses DHCP to get an IP-address. Thus it gets the DNS configuration I push from my FreeBSD home-server. There's an unknown device in my network with a MAC OUI AC:CF:23 which apparently is registered by Hi-Flyin. The IP-address has port 80 open (no other ports) and runs a webserver. It even has a login (realm A11)! So how do I get in?!? Let's just try Username admin and Password admin... Lo' and behold!

Goodwe WebUI

From the WebUI we can see that this is the Goodwe Inverter, so let's move on!

What are you doing?

Now that we know the IP-address of the inverter, it's time to find out what the thing is actually doing on the network. My home-server is not acting as the gateway, but it is hosting DNS. Time to fire up pcap to see where it connects to.

tcpdump -i em0 -p host ....2.107

This quickly results in some DNS requests

14:22:51.819712 IP HF-A11.20306 > brnrd.eu.domain: 454+ A? www.goodwe-power.com. (38)
14:22:51.819814 IP brnrd.eu.domain > HF-A11.20306: 454* 1/0/0 A 172.17.2.8 (54)

This tells us they're simply connecting to www.goodwe-power.com. Waiting a bit longer doesn't result in any other addresses it resolves using DNS.

DNS: Unbound

Now it's time to convince the inverter to connect to some other host where I can capture the data. To do this I just add a simple line to my unbound configuration in /var/unbound/conf.d/spoof.conf

local-data: "www.goodwe-power.com. IN A ....2.8"

and reload the configuration, test if this does what it says on the tin.

service unbound reload
host www.goodwe-power.com
www.goodwe-power.com has address ....2.8

Any traffic from the inverter should now go to my web-server.

Again, what are you doing?

Again, we fire up tcpdump to check what the inverter tries to do. This time we can see more traffic

14:30:52.612884 IP HF-A11.1620 > gw.http: Flags [S], seq 1910663072, win 16384, options [mss 1460,nop,wscale 0,nop,nop,TS val 55601 ecr 0], length 0
14:30:52.612933 IP gw.http > HF-A11.1620: Flags [S.], seq 1593908410, ack 1910663073, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 594925872 ecr 55601], length 0
14:30:52.614563 IP HF-A11.1620 > gw.http: Flags [.], ack 1, win 18824, options [nop,nop,TS val 55601 ecr 594925872], length 0

BINGO! The inverter simply connects to the HTTP port. No security here!

Re-routing the traffic via my web-server

I tear down the DNS spoofing temporarily to prepare my web-server for interception. I don't want to loose measurements!

Now we go over to the web-server and add a virtual host that simply relays the requests to the Goodwe server.

<VirtualHost *:80>
   ServerName www.goodwe-power.com

   ProxyPreserveHost On
   ProxyPass /        http://47.254.132.36/
   ProxyPassReverse / http://47.254.132.36/
</VirtualHost>

After reloading the apache configuration, I run a quick test to see if this all works as expected (relevant output only):

service apache24 reload
curl -vI http://www.goodwe-power.com/
...
* Connected to www.goodwe-power.com (172.17.2.8) port 80 (#0)
> HEAD / HTTP/1.1
...
< Server: nginx

That's the Goodwe server's response, not Apache's, on the correct IP-address and port.

Again again, what are you doing?

Enabled the DNS spoofing again, and fired up tcpdump. This time I log all output to a file.

tcpdump -i em0 -p -s0 -w./goodwe.pcap host ....2.107 and port 80

The output file is then inspected in WireShark. The only thing the inverter is doing is posting content.

0000   b4 99 ba eb fe af ac cf 23 aa bb cc 08 00 45 00   ........#.S)..E.
0010   00 da 12 f0 00 00 40 06 0a 99 01 01 02 6b 01 01   ......@......k..
0020   02 08 42 65 00 50 38 4b 52 94 49 a3 8b ad 80 18   ..Be.P8KR.I.....
0030   49 88 b9 14 00 00 01 01 08 0a 00 00 9e 56 14 33   I............V.3
0040   49 90 50 4f 53 54 20 2f 41 63 63 65 70 74 6f 72   I.POST /Acceptor
0050   2f 44 61 74 61 6c 6f 67 20 48 54 54 50 2f 31 2e   /Datalog HTTP/1.
0060   31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 43 6c   1..Connection:Cl
0070   6f 73 65 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e   ose..Content-Len
0080   67 74 68 3a 30 36 36 0d 0a 48 6f 73 74 3a 77 77   gth:066..Host:ww
0090   77 2e 67 6f 6f 64 77 65 2d 70 6f 77 65 72 2e 63   w.goodwe-power.c
00a0   6f 6d 0d 0a 0d 0a 00 31 33 36 30 30 44 53 55 31   om.....13600DSU1
00b0   31 30 30 30 30 34 31 01 00 2e 0a 5d 08 06 00 10   1000041....]....
00c0   00 0e 09 05 00 1e 13 85 02 9a 00 01 00 f2 00 00   ................
00d0   00 00 00 02 16 30 00 00 40 4e 00 14 00 00 00 00   .....0..@N......
00e0   00 00 0e 1d 00 00 00 0f                           ........

In the output, I recognize my inverter's ID as I also see it on the Goodwe website "13600DSU11100041".

NOTE: The device ID has been modified, I don't want anyone to pollute my data!

The POST body contains binary data, what does it mean!? I decided to collect some more samples to see if I can find out what's what in this binary data.

Reverse-engineering the payload

Here are 3 of the POST bodies, without the device ID for brevity

12:25:18 01 00 2e 0a 5d 08 06 00 10 00 0e 09 05 00 1e 13 85 02 9a 00 01 00 f2 00 00 00 00 00 02 16 30 00 00 40 4e 00 14 00 00 00 00 00 00 0e 1d 00 00 00 0f
12:33:19 01 00 2e 0a 47 08 04 00 0e 00 0b 08 f2 00 1b 13 85 02 46 00 01 00 f3 00 00 00 00 00 02 16 31 00 00 40 4e 13 1d 00 00 00 00 00 00 0e 06 00 00 00 10
12:41:20 01 00 2e 0a 2c 08 05 00 0e 00 0a 08 fa 00 19 13 88 02 18 00 01 00 f4 00 00 00 00 00 02 16 32 00 00 40 4e 00 14 00 00 00 00 00 00 0e 11 00 00 00 11
12:49:21 01 00 2e 0a 49 08 31 00 0e 00 0b 09 05 00 1a 13 87 02 3f 00 01 00 f4 00 00 00 00 00 02 16 33 00 00 40 4f 13 1d 00 00 00 00 00 00 0e 20 00 00 00 12

On the new Goodwe portal, I can download measurements using the "Reports" section. I selected all available measurements for my inverter, and downloaded the excel sheet.

Time Mode Vpv1(V) Vpv2(V) Ipv1(A) Ipv2(A) Vac1(V) Iac1(A) Fac1(Hz) Pac(W) Temp(℃) Daily(kWh) Total(kWh) HTotal(Hrs) RSSI(%)
12:25:18 Normal 265.3 205.4 1.6 1.4 230.9 3.0 49.97 666 24.2 1.5 13675.2 16462 0
12:33:19 Normal 263.1 205.2 1.4 1.1 229.0 2.7 49.97 582 24.3 1.6 13675.3 16462 0
12:41:20 Normal 260.4 205.3 1.4 1.0 229.8 2.5 50.00 536 24.4 1.7 13675.4 16462 0
12:49:21 Normal 263.3 209.7 1.4 1.1 230.9 2.6 49.99 575 24.4 1.8 13675.5 16463 0

There's no directly visible relation between these 2 sets of data. From the tcpdump output we see that there are hardly any plain ASCII characters in here either. Let's try to convert some of the values to hex and see where that leads. The simple targets are the ones without decimals, so Pac(W) it must be! Using the dec2hex() function of LibreOffice or Excel makes this an easy task.

Pac Hex(Pac)
666 02 9a
582 02 46
536 02 18
575 02 3f

These are all present in the table above! (somewhere halfway the binary output). The values with decimals, I multiplied by 10 (100 for the frequency) and converted to hex:

Time Vpv1 Vpv2 Ipv1 Ipv2 Vac1 Iac1 Fac1 Pac Temp Daily Total HTotal
12:25:18 0A 5D 08 06 00 10 00 0E 09 05 00 1E 13 85 02 9A 00 F2 00 0F 00 02 16 30 40 4E
12:33:19 0A 47 08 04 00 0E 00 0B 08 F2 00 1B 13 85 02 46 00 F3 00 10 00 02 16 31 40 4E
12:41:20 0A 2C 08 05 00 0E 00 0A 08 FA 00 19 13 88 02 18 00 F4 00 11 00 02 16 32 40 4E
12:49:21 0A 49 08 31 00 0E 00 0B 09 05 00 1A 13 87 02 3F 00 F4 00 12 00 02 16 33 40 4F

As you can see, all these values can be found in the binary POST body. They're even in the right order, apart from the Daily kWh which is the last column. That leaves us with the remaining data (hex, then decimal where not "00 00"):

Mode? 2nd 3rd 4th 5th 6th 7th Dec(2nd) Dec(6th)
01 00 2e 00 14 00 00 00 00 00 00 0e 1d 00 00 20 3613
01 00 2e 13 1d 00 00 00 00 00 00 0e 06 00 00 4893 3590
01 00 2e 00 14 00 00 00 00 00 00 0e 11 00 00 20 3601
01 00 2e 13 1d 00 00 00 00 00 00 0e 20 00 00 4893 3616

There doesn't seem to be any relevant data in here, perhaps some checksum?

What I've ended up with:

Bytes Field Value Hex
1 - 17 Device ID .13600DSU11000041 00 31 33 36 30 30 44 53 55 31 35 33 30 30 30 34 37
18 - 20 Mode? 01 00 2e
21 - 22 Vpv1 (V) 265.3 0a 5d
23 - 24 Vpv2 (V) 205.4 08 06
25 - 26 Ipv1 (A) 1.6 00 10
27 - 28 Ipv2 (A) 1.4 00 0e
29 - 30 Vac1 (V) 230.9 09 05
31 - 32 Iac1 (A) 3.0 00 1e
33 - 34 Fac1 (Hz) 49.97 13 85
35 - 36 Pac (W) 666 02 9a
37 - 38 unknown .. 00 01
39 - 40 Temp (°C) 24.2 00 f2
41 - 44 unknown .... 00 00 00 00
45 - 48 Total (kWh) 13675.2 00 02 16 30
49 - 52 HTotal (Hrs) 16462 00 00 40 4e
53 - 64 unknown ...... 00 14 00 00 00 00 00 00 0e 1d 00 00
65 - 66 Daily (kWh) 1.5 00 0f

Writing a parser

Now that I know what the structure of the data is, I can start writing a parser. This will allow me to push the data straight into PVoutput.org without having to scrape it from the Goodwe website first.

To be continued!