Reverse Engineering the Enphase Installer Toolkit

If you are interested in other Enphase information, the following pages may also be of interest:
What is inside the Enphase Envoy-S (teardown)
Enphase Envoy-S “Data Scraping”.
Enphase Envoy-S Open Ports!

While on my quest to create my own logging and analytics for the Envoy-S Solar PV controller I also was interested in how the Installer Toolkit authenticates with the web interface of the Envoy.

Authentication is “Digest” based, so it isn’t as simple as just undoing the base64 encoding that “Basic” HTTP authentication uses. Digest mixes a nonce, domain and URL into the hash, so each request to a different page needs its own hashed password.
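
To make the Digest point concrete, here is an added example (not code from the app or from Enphase) that builds, parses and checks an RFC 2617 Digest response. The username, realm and URIs are ones that appear on this page; the password and nonces are constructed placeholders.

```python
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth with the MD5 algorithm."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # who is asking
    ha2 = md5_hex(f"{method}:{uri}")                 # what is being asked for
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Matches key="quoted value" or key=token inside a Digest header.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(rest)}


def build_authorization(username, realm, password, method, uri,
                        nonce, nc, cnonce):
    """Client side: the header value sent for one specific request."""
    resp = digest_response(username, realm, password, method, uri,
                           nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}"')


def verify(header, method, password):
    """Server side: recompute the response from the stored password."""
    p = parse_authorization(header)
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"],
                               p.get("qop", "auth"))
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed sample values; only username and realm come from the page.
SAMPLE = dict(username="installer", realm="enphaseenergy.com",
              password="constructed-password", method="GET",
              nonce="constructed-nonce", nc="00000014",
              cnonce="constructed-cnonce")


def demo():
    """Same credentials and nonce, two URIs: the responses differ."""
    a = build_authorization(uri="/api/v1/production/inverters", **SAMPLE)
    b = build_authorization(uri="/production.json", **SAMPLE)
    return a, b


if __name__ == "__main__":
    for header in demo():
        print(header)
```

The password never appears in the header, only a hash that is bound to the method, URI and nonce, which is why a captured header cannot simply be decoded the way a Basic one can.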

The trouble is – I don’t know what the password is for the Envoy. The username is “installer” but the password isn’t something known. I hoped to extract the password generation method from the Android application.

What helped is the fact that it seems the application is a Xamarin based application. As far as I can work out this means they wrote the application in Microsoft Visual Studio and have ported it to run on multiple mobile devices (Apple, Android, Windows Phone(?)).

So – decompressing the APK produces a load of Windows .dll files! ILSpy then allows me to investigate the content or code within.

So.. all easy for me to understand in the language(s) that I can work with.
Imagine my surprise when I came across the “Configuration” section.

Private Const OAuth2BogusClientId As String = "installer-toolkit-bogus"

Private Const OAuth2BogusSecret As String = "911wasaninsidejob"

Private Const OAuth1BogusConsumerKey As String = "notavalidconsomerkey"

Private Const OAuth1BogusConsumerSecret As String = "Oauth1911wasaninsidejob"

Although this is part of code that isn’t used in active connections (I believe the bogus sections are for offline, debug or demonstration testing that doesn’t authenticate against live systems), I’m amazed that wording like that has remained within a program written by a company who, I presume, wouldn’t like it held against their reputation.

My first thought is maybe a programmer has taken example code and forgotten to change the strings.. but no, a quick Google Search doesn’t reveal any pages at all with the wording in it… so it isn’t a lazy copy and paste from existing public “example” code.

Moving on from that… Other interesting bits of code are:

Public Function UsernameIsReviewUser(username As String) As Boolean
    Return Not String.IsNullOrEmpty(username) AndAlso username.ToLower().Equals("enphase.rev1400@gmail.com")
End Function

Friend Module Crypto
    Private salt As Byte() = Encoding.ASCII.GetBytes("com.enphase-energy.rocksit247")
    ' (rest of the module is not shown in this post)
End Module

If you are on Android then the SQLite Database it uses is stored in “/mnt/sdcard/Enphase/EnphaseDB_fixed.db3”.

When the Envoy is in AP mode the IP address might be “172.30.1.1”.

Back on task. The Digest Authentication is handled by “Enphase.InstallerToolkit -> Enphase.InstallerToolkit.Models -> EnphaseEnvoy” and uses the following code:

Public Sub SetupAuth()
	Dim credentialCache As CredentialCache = New CredentialCache()
	credentialCache.Add(New Uri("http://" + Me.IP_Address), "Digest", New NetworkCredential("installer", Me.GetPasswordForEnvoy()))
	credentialCache.Add(New Uri("http://" + Me.IP_Address + ":9094"), "Digest", New NetworkCredential("installer", Me.GetPasswordForEnvoy()))
	Dim nativeCookieHandler As NativeCookieHandler = New NativeCookieHandler()
	Dim list As List(Of Cookie) = New List(Of Cookie)()
	For Each current As Cookie In nativeCookieHandler.Cookies
		If current.Name.ToUpper().Equals("SESSIONID") Then
			current.Value = Nothing
			list.Add(current)
		End If
	Next
	nativeCookieHandler.SetCookies(list)
	Me.httpClient = New HttpClient(New NativeMessageHandler(False, False, nativeCookieHandler) With { .UseDefaultCredentials = False, .Credentials = credentialCache })
End Sub

Public Function GetPasswordForEnvoy() As String
	Dim bufLen As UInteger = 128UI
	Dim stringBuilder As StringBuilder = New StringBuilder(128)
	EnphaseEnvoy.emupwGetMobilePasswd(Me.Serial_Number, "installer", Nothing, stringBuilder, bufLen)
	Return stringBuilder.ToString()
End Function

Public Shared Declare Function emupwGetMobilePasswd Lib "libemupw.so" (in_serialNumber As String, in_user As String, in_domain As String, out_buf As StringBuilder, bufLen As UInteger) As Integer 

In plain terms this means the function “SetupAuth” adds credentials to the HTTP request using the hard-coded username “installer” and the password generated by the function “GetPasswordForEnvoy”.

GetPasswordForEnvoy, as far as I can read, creates a 128 character buffer and string and then calls another function, “emupwGetMobilePasswd”, with the parameters:
Serial Number of Envoy, “installer”, Nothing, Blank String, Blank Buffer

Now, emupwGetMobilePasswd references an external dependency, “libemupw.so”, which appears to be a compiled program or component for ARM architecture processors. Sadly it doesn’t seem to be a drop-in component and is likely a custom file for Enphase.
It only seems to take the serial number and username as input. The “Domain” string (3rd input) is set to “Nothing” in the code and the final two variables are the out string and buffer.

[Images: libemupw.cfg.emupwGetMobilePasswd, libemupw.cfg.emupwGetPasswd, libemupw.cfg.emupwGetPasswdForSn]

This is where it gets beyond my skill level. I will continue to research and work out how I can either run the object on demand or just the math or function used to hash the details to return the password. More to come.. Bookmark and return at some point.

Update: 19th November 2016. Version 2.1.10 of the Installer Toolkit is out and has the following notable changes.

It contains a variable WORK_OFFLINE_KEY

Update: 21st August 2018. My own password cracked!

I’ve finally managed to make my own software that can interface with the libemupw.so file mentioned above! I can now, on demand, generate passwords against Envoy-S serial numbers.

I need to investigate if I can either package it up and distribute it for others to generate their own passwords or if I can make it a web based password generator somehow. The biggest problem is the .so is compiled for ARM… so getting data into and out of it will require an ARM emulator or a mobile phone.

Success.. web access to the installer interface on a computer!

Update: 22nd August 2018. Application made!

Enphase Energy Envoy-S password algorithm runner app!

You can download the Android app here.. Install then run it.. type in your unit’s serial number and the blue box will show the installer password!


65 Responses to Reverse Engineering the Enphase Installer Toolkit

  1. RRM says:

    I’ll also bookmark this topic. Interesting progress you’re making!

  2. Paul says:

    yes – good info.

    Yet to try using the returned key with http outside of the installer app.
    Could you post the format of the http command you were able to use?

    I have my own key.

  3. GET /api/v1/production/inverters HTTP/1.1
    Host: 10.0.0.177
    Connection: keep-alive
    Authorization: Digest username="installer", realm="enphaseenergy.com", nonce="XXXXXXXXXX", uri="/api/v1/production/inverters", response="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", qop=auth, nc=00000014, cnonce="XXXXXXXXXXXXXXXX"

    I expect the keep-alive line could be removed too.

  4. jam says:

    Well done! I took a similar path a few months ago, and got as far as decompiling the android app as well, resulting in extracting the dll files and that’s where I stopped as I don’t have a windows machine.

  5. Pingback: Enphase Envoy-S Open Ports! | thecomputerperson

  6. Pingback: Enphase Envoy-S “Data Scraping”. | thecomputerperson

  7. Al says:

    Well beyond my limited knowledge but I’m interested in what you’ve been able to achieve. I’m getting an Envoy S Metered installed in the next month and been pondering the ability to run a small pi box running a script to monitor the generation vs consumption to see what is excess and if over a certain threshold, close a dry contact that will operate a relay that will bring in the hot water system. Do you think this would be possible with what you’ve seen with the API? Or would it be easier to do it locally with CT clamps and measure local currents etc?

  8. Absolutely possible and I do it with a fab heater and an Omega Onion (similar to a pi). Just watch out for the envoy being laggy or crapping out under high load or many requests. See the comment thread about it queueing failed or timed out requests and snowballing. Make sure your script backs off and waits if the envoy doesn’t respond.

  9. Pingback: What is inside the Enphase Envoy-S (teardown) | thecomputerperson

  10. It has been a while.. but if anyone has this bookmarked or subscribes to comment updates… I’ve made some progress! I can generate installer passwords on demand for Envoy-S serial numbers.

    See the section titled “Update: 22nd August 2018. My own password cracked!” in the post above.

  11. Kimo says:

    Just an FYI, I tested this with my envoy-iq, and the generated password did not work. (I wasn’t sure it would since you developed this for an envoy-s, but it was worth a shot.)

  12. Very interesting – do you use the same “Installer Toolkit” to get it setup or configure it or does it have its own app?

  13. Kimo says:

    I never used the installer toolkit, I tried the password via the web interface on the envoy itself (going to the same link shown above, but of course using my envoy’s local IP). I don’t even think the installer used the installer toolkit yet, but rather detected the micros via the button on the envoy. (The installer still needs to enable the consumption meter.)

    When I try to login to an installer page, I use the installer login and the password generated by the app, but it just re-prompts me for the credentials.

  14. It would be worth installing the Enphase Installer Toolkit to see if that can find and log into your envoy. You don’t need a log in to be able to do this.. you load it, then click the lines in the top left and select “Connect to Envoy” from the menu. Check that the serial number displayed matches the one you were trying to use with my password generation app… then see if you can click it and get into the settings pages.

    If you can use the installer toolkit I’d be interested to try and work out what is not working correctly with the password generation app in your instance / setup.

  15. Kimo says:

    Interesting. When I install and run the toolkit on my android device, it requires me to log in to Enlighten, with no ability to change / select any options.

  16. Humm, with no ability to bypass it? If you can create or log into your account you then may get a message saying “no installer access” or similar, then you still get the ability to get the menu option I refer to in my last reply.

  17. kbonnel says:

    I thought it might do that as well, and the app does report insufficient rights. Unfortunately, it will not go past that part. I will have to do more playing/testing.

  18. Ben says:

    Can confirm that the generated passwords allow me access to the installer section of the Envoy web server using my newer Envoy IQ. I also spent a little bit of time finishing up reverse engineering the password generation algorithm and have a python script that will do it directly. Of note, there’s another function called `emupwGetPublicPasswd` that seems to call the same hash routine that `emupwGetMobilePasswd` uses; I’m sort of hoping that by guessing some of the input parameters, one might be able to use this to get a username/password that would work for an ssh login to the Envoy, which would enable a lot more interesting exploring.

  19. Scott Dee says:

    I got an envoy second hand and this worked great for getting in and checking things out.
    What I don’t have is a CT for production and there’s no place to buy one. Through your hacking have you come across any way to add a coil and calibrate it?

  20. Matthew says:

    I see with great interest you have a way of generating a password for the local envoy-s – I downloaded the app – but no idea of how to run a .apk file (I am on my PC). Alternately my unit serial number is 121548011842 could you run your app and tell me what my password is please? Many thanks!

  21. Jaap says:

    Hi! Your code-generator works great!
    Is it possible to extract panel-level-information by json/api/etc?
    Now I’m using my Fibaro domotica-system to monitor total-production (via /production.json), but I’d like to monitor at panel-level.
    Hope you or someone else has the answer!

  22. JR says:

    Excellent work! I’ve been asking the manufacturer for months and they have ignored me. I can also confirm this pw tool works on the new IQ Envoy.

    @Scott, isn’t this the CT you’re looking for? https://www.invertersupply.com/index.php?main_page=product_info&cPath=1304_649_650&products_id=6253

  23. Matt says:

    Hi, Thanks for all the info. I downloaded your Android app but upon install the phone gives me an error stating, “Parse error: There is a problem parsing the package”. I’ve tried installing it on an LG phone and a Samsung tablet. Is there anything else I need to do to get this package working? Cheers, Matt.

  24. The only time I remember seeing that was when I hadn’t cryptographically signed the package. Not sure what to suggest in your case because the one that has uploaded should be the signed one :/

  25. Matt says:

    I’ve still had absolutely no luck running this program. I’ve even tried emulators on my Win 7 computer with no luck. The two devices I’ve tried it on have Android version 4.4.2. Would this be an issue? Could you possibly upload it again please so I can try a fresh copy? I’m not real up with Android apps and their peculiarities so I’m running a bit blind with this one. Cheers, Matt.

  26. Does the official installer app install and run ok on your devices?

  27. Matt says:

    Thanks for your replies. I installed it on my daughter’s old HTC phone and it works like a new one. Must have been the older phone/tablet that wouldn’t install it. Thanks for your efforts. Matt.

  28. Matt says:

    I just tried the password generator and I’m able to log on as an installer. Cheers, Matt.

  29. cpngn says:

    You cannot add a 3rd party CT and calibrate it. If you bought a CT enabled Envoy-S or IQ, you would have 1 or 2 CTs in hand. If not, don’t waste your time, it will never work until you buy the right equipment. You WILL need Enphase Support to set this up after the fact.

  30. Bryan McCoy says:

    My installer did not install the production current sense coil, as they have been taking them out for inconsistent operation. The micro inverters tell the Envoy what they are producing, and it tabulates it, hence the coil is not actually required (for just a panel installation).

  31. cpngn says:

    The Envoy (and a couple other) meters are more accurate than the 5% on the microinverters. They are “revenue grade” whereas the microinverters are not (so if you’re getting incentive rebates from the utility or state, they’ll almost always require you to use a revenue grade meter). But yes, just to get a site producing and get a good sense of what is or isn’t working, you do not need the CT coils, but having both can help with troubleshooting a LOT (being able to compare the sum of individual inverters’ data to the meter which includes them all coming down into your box).

  32. Suleiman says:

    Hi theComputerPerson,

    a) Mind generating my pwd (can’t run the apk). 121750030649
    b) I noticed that your ToolKit screenshot shows Production -7 W just after midnight – manual states it should be 0. Is your grid 120/208V by any chance?
    Mine is 120/208V and also shows a negative number as L1 has -ive power factor while L2 is +ive during non-production.

  33. 58e26e4b I believe.. My envoy has always reported IRO -7 W overnight. The web interface on the Envoy itself hides any minus values :) 7 W is probably the power draw of the envoy controller itself.

    I’m on single phase 230 V. (Or if that sounds wrong, look up whatever standard UK installs are.)

  34. Mns says:

    For my recently purchased envoy-s (Dec. 2018) the pwd generator is not successful in generating an accepted pwd. Anyone can help me out? Or is an update of the pwd generator possible?

    Thnx and regards

  35. Does the serial number you are filling in start 121? (and sorry, just checking, you are typing in the serial number too – it doesn’t auto detect it :) )
    Does the official installer toolkit work and log in to your envoy ok?

  36. Mns says:

    My s/n starts with 12175….. and is 12 characters long. Do I put in all 12 chars? Enlighten installer app installs fine on my apple devices, after starting it it immediately asks for logging into enlighten with an email and per. Apparently these are different than the one I use for app enlighten and on enlighten through the web.

    I am confused.

    Helping me out will be appreciated.

  37. jamguy says:

    I’ve finally got around to testing this out and it works perfectly. I don’t have any android devices so I installed NOX Player for mac which is an Android emulator.
    https://downloadnox.onl/mac/

    Running it in “phone” mode, I uploaded the APK from this page into it and it worked perfectly.

    Thank you, and mega-kudos for the reverse engineering efforts!

  38. Suleiman says:

    Thanks @thecomputerperson for the code. It works. Thanks @jamguy for the Nox tip. Now I can run the Apk

  39. cbabkirk says:

    I have a dual Envoy Array. One Envoy-S and One IQ-Envoy. Inverters are a mix of older M215s and the rest are the new IQ-7 inverters. Thus the dual envoys. Both work fine with Installer Toolkit. I want to access the admin console for each envoy for datascraping inverter power now and other metrics. I have no Android devices here. Would it be possible for you to decode passwords for me for these serial numbers: ES = 121630006578 & EQ = 121834015273

    I am assuming the uname will be “installer”

    I have consumption and production CTs installed on the Envoy-S but just the production CT installed on the IQ-Envoy. The production CT comes with the envoy. I had to order the consumption CTs.

  40. See the comment a few lines above for an ARM android emulator for the mac. I’ve used BlueStacks to emulate on Windows.

  41. cbabkirk says:

    Thanks…I will look into that. I am trying to use the published API calls to collect inverter power now metrics. I could get them off the Devices page on enlighten but that is delayed. It appeared to work when I had the older LCD envoy which used admin/admin but these newer Envoy-S and IQ-Envoy seem to use something else. I will see if I can decrypt these serial numbers using your app and will assume that the uname needs to be “installer”. Thanks for your help so far.

  42. Username is indeed installer.

  43. cbabkirk says:

    Just to be clear, the uname and password I am trying to understand is for admin console access directly on the envoy and not the password needed for the installer app. On my original LCD envoy I used admin/admin. You’re saying for the newer envoy-S & IQ it is now installer/???

  44. [..] I also was interested in how the Installer Toolkit authenticates with the web interface of the Envoy. [..] The username is “installer” but the password isn’t something known. I hoped to extract the password generation method from the Android application.[..]

  45. interested one says:

    Hi your API worked perfectly for me for accessing the installer area on a mobile phone.
    But when trying to log in to the local Administration full size web page
    http://192.168.1.3/home?locale=en&classic=1 via my pc it appears that there is another user name other than Installer required or both the user name and another password are required.

    Without this there is no access to the unit like there was with the old evoy using user= admin password= admin

    as a result it is no longer possible to things light modify a grid profile or several other nice to have functions.

    there is limited access via the installer toolkit but not enough.

    or limited access via the immobile looking page http://192.168.1.3/home with the generated password and user= installer.

    IP address obviously to be what ever you get for the Envoy

  46. interested one says:

    oops re the above spelling hmmm dam predictive text

  47. I’ve updated the link to the APK for the Android app – it now takes the username as an input too which is used by the password generating file from Enphase.. however I can’t get any combination or “admin” or “root” to work on my Envoy.

  48. interested one says:

    what about user= Envoy

  49. Also doesn’t work on mine.. If you have an android device or an android ARM emulator (see above) you can test the new apk and generate and test all you want :)

  50. interested one says:

    with the last message sn last 6 with as pw, has limited use but not full.
    But is full before assigning to a system
    I have a nexus 9 Android I tablet I will have a go with your APK again

  51. interested one says:

    nice APK now if only I knew the correct user id, it will be related to customer support.
    it is a shame as a virgin unit Envoy plus last 6 of sn as in the installer manual gives full access, but once the unit is assigned to a system that stops working and requires a support login, which is obviously quite different, I think I remember a firmware update just after the unit was assigned to a system, but not sure if the update was before or after.

  52. Interested one says:

    I wonder if in the code there is a section that produces a login user name based on the Envoy serial number or the site ID once the Envoy is assigned to a system?

  53. d says:

    Hi, Excellent work!
    Just a hint, for me your APK had to be renamed before I could execute it on my phone running Android 9.
    Question: Did you find any way to stop these extremely annoying time-out messages and freezes that appear in both the official Installer Toolkit, and also the login to the Envoy’s AP via web at 172.30.x.x (using the installer login and generated key)? Thank you.

  54. Thanks for the info about the file name. I too have the times where the web interface stops responding. It used to crash and never come back requiring a reboot of the envoy.
    At some point the envoy did a firmware update and the problem was just reduced to just short freezes. I’ve coded my fetcher to back off for 30 seconds if it detects a delay or timeout from the envoy. Otherwise it seems to have a denial of service effect where the envoy never catches up.

  55. Marco Papa says:

    Wow thanks for the NOX Player for MacOS and the app file. Worked great to generate the password for my Envoy-S Standard.

  56. Andrew says:

    Could someone please help me to generate the password for this serial: 121904084331
    Can’t make it run with emulators or on the phone.

  57. moulindegavray says:

    I can do it for you.

  58. moulindegavray says:

    Perfectly working on my Enphase Envoy-s Metered Multiphase.
    Merci beaucoup @thecomputerperson !
    The hardest for me was to run your Android app (2019-02-05a) on a 64-bit Ubuntu (18.04.2 LTS, itself on an old MacBook Air) via anBox (beta devmode 4-c732719 2019-07-22) with the famous error [INSTALL_FAILED_NO_MATCHING_ABIS: Failed to extract native libraries, res=-113] solved by https://www.linuxuprising.com/2018/07/anbox-how-to-install-google-play-store.html.
    Thanks to you I can now manage my hydroelectric watermill at a distance of a thousand kilometers (with an OpenVPN VPN bridge to access the LAN).

  59. Great to have some feedback, thank you.

  60. J says:

    Worked great, thank you.

  61. cbabkirk says:

    Have you developed api calls to collect metrics of an IQ-Envoy? I am using your past documents to collect data off my Envoy-S. Using the same calls for the IQ-Envoy does not get the same data as when used with the Envoy-S.

  62. I’ve not come across and am unlikely to come across an IQ so… out of luck there :(

  63. Stevens says:

    Does anyone know where to get the firmware files ? It would be interesting to try to get at the SSH password file.
