If you are interested in other Enphase information, the following pages may also be of interest:
What is inside the Enphase Envoy-S (teardown)
Reverse Engineering the Enphase Installer Toolkit
Enphase Envoy-S “Data Scraping”.
Further to my last post about the Envoy-S JSON data that can be retrieved, I did some more intrusive testing.
Several things to note. It seems that a change between the Envoy-S and the Envoy LCD changed two of the hosts to communicate over port 80 instead of HTTPS / port 443.
The data exchanged over HTTP port 80 does seem to be obfuscated in some way, beyond my skills to try and decipher, but it is a shame that the entire TLS handshake seems to have been abandoned. The reports. hostname seems to be the hostname that is mainly communicated with. I’ve not noticed any 443 requests to the home. hostname.
Moving on from that – A port scan against my Envoy-S reveals quite a staggering number of open TCP ports:
Commonly used as the DNS port but doesn’t seem to respond to TCP DNS requests. Upon connection to it via Telnet you instantly get a TCP FIN and the connection gets closed.
Easy – the web interface! Doesn’t give away what kind of HTTP daemon it uses though.
Some sort of web server. Responds with an authentication request for Digest realm="enphaseenergy.com" and the web server in use is Xavante 2.2.0.
Another Xavante 2.2.0 web server that instantly gives a 404, but the 404 contains the entire URL requested rather than just “/”.
The requested URL http://10.0.0.177:8100/ was not found on this server.
This almost makes me wonder if it is some sort of open reverse proxy for Enphase to be able to then hop into accessing the IPs(?) of the Inverters for troubleshooting.
Exactly the same as above.
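The three web-server observations above (a hidden banner, a Digest challenge from Xavante 2.2.0, and a 404 that reflects the full URL) can be recorded consistently from saved responses. This is an added example, not part of the original post: `fingerprint` and `SAMPLES` are hypothetical names, the responses are constructed from the behaviour described, and `device.example` is a placeholder URL.

```python
import re

def fingerprint(raw: bytes, requested_url: str) -> dict:
    """Summarise what one raw HTTP response discloses about the service behind a port."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not status:
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    auth = headers.get("www-authenticate", "")
    realm = re.search(r'realm="([^"]*)"', auth)
    return {
        "status": int(status.group(1)),
        "server": headers.get("server"),  # None when the daemon hides its banner
        "auth_scheme": auth.split(" ", 1)[0] if auth else None,
        "realm": realm.group(1) if realm else None,
        # True when the body reflects the full URL (scheme, host, port),
        # as in the 404 quoted above, rather than just the path
        "echoes_absolute_url": requested_url.encode() in body,
    }

# Constructed sample responses: (URL requested, raw bytes received)
SAMPLES = {
    "quiet": ("http://device.example/",
              b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    "digest": ("http://device.example/",
               b"HTTP/1.1 401 Unauthorized\r\nServer: Xavante 2.2.0\r\n"
               b'WWW-Authenticate: Digest realm="enphaseenergy.com", '
               b'nonce="constructed"\r\n\r\n'),
    "echo404": ("http://10.0.0.177:8100/",
                b"HTTP/1.1 404 Not Found\r\nServer: Xavante 2.2.0\r\n\r\n"
                b"The requested URL http://10.0.0.177:8100/ was not found "
                b"on this server."),
}

if __name__ == "__main__":
    for label, (url, raw) in SAMPLES.items():
        print(label, fingerprint(raw, url))
```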
UDP Port 5353