Reverse Engineering the Enphase Installer Toolkit

If you are interested in other Enphase information the following other pages may also be of interest:
What is inside the Enphase Envoy-S (teardown)
Enphase Envoy-S “Data Scraping”.
Enphase Envoy-S Open Ports!

While on my quest to create my own logging and analytics for the Envoy-S Solar PV controller I also was interested in how the Installer Toolkit authenticates with the web interface of the Envoy.

Authentication is “Digest” based, so it isn’t as simple as just undoing the base64 encoding that “Basic” HTTP authentication uses. Digest mixes a server-issued nonce, the realm (domain) and the request URL into the hash, so each request to a different page needs its own hashed credential rather than a reusable, recoverable password.
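To make that concrete, here is an added example (not code from the post or from Enphase) that computes the RFC 2617 `qop=auth` response the client sends and the recomputation a server has to do to check it. The realm is the one the Envoy advertises in the request quoted in the comments; the nonce, cnonce and password values are constructed.

```python
import hashlib
import hmac
import re

# Realm the Envoy advertises (from the request quoted in the comments);
# nonces and passwords used with this code are constructed examples.
REALM = "enphaseenergy.com"

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth", realm=REALM):
    """RFC 2617 qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2).
    HA1 binds user/realm/password, HA2 binds method/URI, so one password
    gives a different response for every nonce and every URL."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def authorization_header(username, password, method, uri, nonce, nc, cnonce, realm=REALM):
    """Build the Authorization header the client sends (same layout as the quoted request)."""
    resp = digest_response(username, password, method, uri, nonce, nc, cnonce, "auth", realm)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}"')

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_authorization(header: str) -> dict:
    """Split a 'Digest ...' header into its fields (quoted or bare values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {k: q if q else b for k, q, b in _PARAM.findall(header[len("Digest "):])}

def verify_on_server(header, method, known_passwords, issued_nonce):
    """Server-side check: recompute the response from the stored password and
    compare in constant time; an unknown nonce or any field mismatch fails."""
    f = parse_authorization(header)
    if f.get("nonce") != issued_nonce or f.get("qop") != "auth":
        return False
    password = known_passwords.get(f.get("username", ""))
    if password is None:
        return False
    expected = digest_response(f.get("username", ""), password, method, f.get("uri", ""),
                               f.get("nonce", ""), f.get("nc", ""), f.get("cnonce", ""),
                               "auth", f.get("realm", ""))
    return hmac.compare_digest(expected, f.get("response", ""))
```

Because the server only stores (or derives) HA1 and the nonce changes per challenge, a captured `response` value cannot be replayed against another URL or turned back into the password.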

The trouble is – I don’t know what the password is for the Envoy. The username is “installer” but the password isn’t something known. I hoped to extract the password generation method from the Android application.

What helped is the fact that it seems the application is a Xamarin based application. As far as I can work out this means they wrote the application in Microsoft Visual Studio and have ported it to run on multiple mobile devices (Apple, Android, Windows Phone(?)).

So – decompressing the APK produces a load of Windows .dll files! ILSpy then allows me to investigate the content or code within.

[Image: ILSpy showing the Xamarin-built Enphase application’s about box]

So.. all easy for me to understand in the language(s) that I can work with.
Imagine my surprise when I came across the “Configuration” section.

[Image: the “Configuration” constants, including OAuth2BogusSecret and OAuth1BogusConsumerSecret]

Private Const OAuth2BogusClientId As String = "installer-toolkit-bogus"
Private Const OAuth2BogusSecret As String = "911wasaninsidejob"
Private Const OAuth1BogusConsumerKey As String = "notavalidconsomerkey"
Private Const OAuth1BogusConsumerSecret As String = "Oauth1911wasaninsidejob"

While this is part of code that isn’t used in active connections (I believe the “bogus” sections are for offline, debug or demonstration testing that doesn’t authenticate against live systems), I’m amazed that wording like that has remained within a program written by a company who, I presume, wouldn’t want it reflecting on their reputation.

My first thought is maybe a programmer has taken example code and forgotten to change the strings.. but no, a quick Google Search doesn’t reveal any pages at all with the wording in it… so it isn’t a lazy copy and paste from existing public “example” code.

Moving on from that… Other interesting bits of code are:

Public Function UsernameIsReviewUser(username As String) As Boolean
    Return Not String.IsNullOrEmpty(username) AndAlso username.ToLower().Equals("enphase.rev1400@gmail.com")
End Function

Friend Module Crypto
    ' Fixed salt used by the app's local crypto routines
    Private salt As Byte() = Encoding.ASCII.GetBytes("com.enphase-energy.rocksit247")
    ' ... remainder of the module omitted
End Module

If you are on Android then the SQLite Database it uses is stored in “/mnt/sdcard/Enphase/EnphaseDB_fixed.db3”.

When the Envoy is in AP mode the IP address might be “172.30.1.1”.

Back on task. The Digest Authentication is handled by “Enphase.InstallerToolkit -> Enphase.InstallerToolkit.Models -> EnphaseEnvoy” and uses the following code:

Public Sub SetupAuth()
	Dim credentialCache As CredentialCache = New CredentialCache()
	credentialCache.Add(New Uri("http://" + Me.IP_Address), "Digest", New NetworkCredential("installer", Me.GetPasswordForEnvoy()))
	credentialCache.Add(New Uri("http://" + Me.IP_Address + ":9094"), "Digest", New NetworkCredential("installer", Me.GetPasswordForEnvoy()))
	Dim nativeCookieHandler As NativeCookieHandler = New NativeCookieHandler()
	Dim list As List(Of Cookie) = New List(Of Cookie)()
	For Each current As Cookie In nativeCookieHandler.Cookies
		If current.Name.ToUpper().Equals("SESSIONID") Then
			current.Value = Nothing
			list.Add(current)
		End If
	Next
	nativeCookieHandler.SetCookies(list)
	Me.httpClient = New HttpClient(New NativeMessageHandler(False, False, nativeCookieHandler) With { .UseDefaultCredentials = False, .Credentials = credentialCache })
End Sub

Public Function GetPasswordForEnvoy() As String
	Dim bufLen As UInteger = 128UI
	Dim stringBuilder As StringBuilder = New StringBuilder(128)
	EnphaseEnvoy.emupwGetMobilePasswd(Me.Serial_Number, "installer", Nothing, stringBuilder, bufLen)
	Return stringBuilder.ToString()
End Function

Public Shared Declare Function emupwGetMobilePasswd Lib "libemupw.so" (in_serialNumber As String, in_user As String, in_domain As String, out_buf As StringBuilder, bufLen As UInteger) As Integer 

In plain terms this means the function “SetupAuth” adds Digest credentials for the Envoy’s HTTP interface (on port 80 and on port 9094) using the hard-coded username “installer” and the password generated by the function “GetPasswordForEnvoy”.

GetPasswordForEnvoy, as far as I can read, creates a 128-character StringBuilder and then calls another function, “emupwGetMobilePasswd”, with the parameters:
the Envoy’s serial number, “installer”, Nothing, the empty StringBuilder that receives the output, and the buffer length (128).

Now, emupwGetMobilePasswd is declared as living in an external native library, “libemupw.so”, which appears to be a compiled component for ARM architecture processors. Sadly it doesn’t seem to be a drop-in, off-the-shelf component and is likely a custom file from Enphase.
It only seems to take the serial number and username as input. The “Domain” string (3rd input) is set to “Nothing” in the code and the final two parameters are the output buffer and its length.

[Image: functions exposed by libemupw: emupwGetMobilePasswd, emupwGetPasswd, emupwGetPasswdForSn]

This is where it gets beyond my skill level. I will continue to research and work out how I can either run the object on demand, or extract just the math or function used to hash the details to return the password. More to come.. Bookmark and return at some point.

Update: 19th November 2016. Version 2.1.10 of the Installer Toolkit is out and has the following notable changes.

It contains a variable WORK_OFFLINE_KEY

Update: 21st August 2018. My own password cracked!

I’ve finally managed to make my own software that can interface with the libemupw.so file mentioned above! I can now, on demand, generate passwords against Envoy-S serial numbers.

I need to investigate if I can either package it up and distribute it for others to generate their own passwords or if I can make it a web based password generator somehow. The biggest problem is the .so is compiled for ARM… so getting data into and out of it will require an ARM emulator or a mobile phone.

Success.. web access to the installer interface on a computer!

Update: 22nd August 2018. Application made!

Enphase Energy Envoy-S password algorithm runner app!

You can download the Android app here.. Install then run it.. type in your unit’s serial number and the blue box will show the installer password!


31 Responses to Reverse Engineering the Enphase Installer Toolkit

  1. RRM says:

    I’ll also bookmark this topic. Interesting progress you’re making!

  2. Paul says:

    yes – good info.

    Yet to try using the returned key with http outside of the installer ap.
    Could you post the format of the http command you were able to use?

    I have my own key.

  3. GET /api/v1/production/inverters HTTP/1.1
    Host: 10.0.0.177
    Connection: keep-alive
    Authorization: Digest username="installer", realm="enphaseenergy.com", nonce="XXXXXXXXXX", uri="/api/v1/production/inverters", response="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", qop=auth, nc=00000014, cnonce="XXXXXXXXXXXXXXXX"

    I expect the keep-alive line could be removed too.

  4. jam says:

    Well done! I took a similar path a few months ago, and got as far as decompiling the android app as well, resulting in extracting the dll files and that’s where I stopped as I don’t have a windows machine.

  5. Pingback: Enphase Envoy-S Open Ports! | thecomputerperson

  6. Pingback: Enphase Envoy-S “Data Scraping”. | thecomputerperson

  7. Al says:

    Well beyond my limited knowledge but I’m interested in what you’ve been able to achieve. I’m getting an Envoy S Metered installed in the next month and have been pondering the ability to run a small pi box running a script to monitor the generation vs consumption to see what is excess and, if over a certain threshold, close a dry contact that will operate a relay that will bring in the hot water system. Do you think this would be possible with what you’ve seen with the API? Or would it be easier to do it locally with CT clamps and measure local currents etc?

  8. Absolutely possible and I do it with a fab heater and an Omega Onion (similar to a pi). Just watch out for the envoy being laggy or crapping out under high load or many requests. See the comment thread about it queueing failed or timed out requests and snowballing. Make sure your script backs off and waits if the envoy doesn’t respond.

  9. Pingback: What is inside the Enphase Envoy-S (teardown) | thecomputerperson

  10. It has been a while.. but if anyone has this bookmarked or subscribes to comment updates… I’ve made some progress! I can generate installer passwords on demand for Envoy-S serial numbers.

    See the section titled “Update: 22nd August 2018. My own password cracked!” in the post above.

  11. Kimo says:

    Just an FYI, I tested this with my envoy-iq, and the generated password did not work. (I wasn’t sure it would since you developed this for an envoy-s, but it was worth a shot.)

  12. Very interesting – do you use the same “Installer Toolkit” to get it set up or configure it, or does it have its own app?

  13. Kimo says:

    I never used the installer toolkit, I tried the password via the web interface on the envoy itself (going to the same link shown above, but of course using my envoy’s local IP). I don’t even think the installer used the installer toolkit yet, but rather detected the micros via the button on the envoy. (The installer still needs to enable the consumption meter.)

    When I try to login to an installer page, I use the installer login and the password generated by the app, but it just re-prompts me for the credentials.

  14. It would be worth installing the Enphase Installer Toolkit to see if that can find and log into your envoy. You don’t need a log in to be able to do this.. you load it, then click the lines in the top left and select “Connect to Envoy” from the menu. Check that the serial number displayed matches the one you were trying to use with my password generation app… then see if you can click it and get into the settings pages.

    If you can use the installer toolkit I’d be interested to try and work out what is not working correctly with the password generation app in your instance / setup.

  15. Kimo says:

    Interesting. When I install and run the toolkit on my android device, it requires me to log in to Enlighten, with no ability to change / select any options.

  16. Humm, with no ability to bypass it? If you can create or log into your account you then may get a message saying “no installer access” or similar, then you still get the ability to get the menu option I refer to in my last reply.

  17. kbonnel says:

    I thought it might do that as well, and the app does report insufficient rights. Unfortunately, it will not go past that part. I will have to do more playing/testing.

  18. Ben says:

    Can confirm that the generated passwords allow me access to the installer section of the Envoy web server using my newer Envoy IQ. I also spent a little bit of time finishing up reverse engineering the password generation algorithm and have a python script that will do it directly. Of note, there’s another function called `emupwGetPublicPasswd` that seems to call the same hash routine that `emupwGetMobilePasswd` uses; I’m sort of hoping that by guessing some of the input parameters, one might be able to use this to get a username/password that would work for an ssh login to the Envoy, which would enable a lot more interesting exploring.

  19. Scott Dee says:

    I got an envoy second hand and this worked great for getting in and checking things out.
    What I don’t have is a CT for production and there’s no place to buy one. Through your hacking have you come across any way to add a coil and calibrate it?

  20. Matthew says:

    I see with great interest you have a way of generating a password for the local envoy-s – I downloaded the app – but no idea of how to run a .apk file (I am on my PC). Alternately my unit serial number is 121548011842 could you run your app and tell me what my password is please? Many thanks!

  21. Jaap says:

    Hi! Your code-generator works great!
    Is it possible to extract panel-level-information by json/api/etc?
    Now I’m using my Fibaro domotica-system to monitor total-production (via /production.json), but I’d like to monitor at panel-level.
    Hope you or someone else has the answer!

  22. JR says:

    Excellent work! I’ve been asking the manufacturer for months and they have ignored me. I can also confirm this pw tool works on the new IQ Envoy.

    @Scott, isn’t this the CT you’re looking for? https://www.invertersupply.com/index.php?main_page=product_info&cPath=1304_649_650&products_id=6253

  23. Matt says:

    Hi, Thanks for all the info. I downloaded your Android app but upon install the phone gives me an error stating, “Parse error: There is a problem parsing the package”. I’ve tried installing it on an LG phone and a Samsung tablet. Is there anything else I need to do to get this package working? Cheers, Matt.

  24. The only time I remember seeing that was when I hadn’t cryptographically signed the package. Not sure what to suggest in your case because the one that has been uploaded should be the signed one :/

  25. Matt says:

    I’ve still had absolutely no luck running this program. I’ve even tried emulators on my Win 7 computer with no luck. The two devices I’ve tried it on have Android version 4.4.2. Would this be an issue? Could you possibly upload it again please so I can try a fresh copy? I’m not real up with Android apps and their peculiarities so I’m running a bit blind with this one. Cheers, Matt.

  26. Does the official installer app install and run ok on your devices?

  27. Matt says:

    Thanks for your replies. I installed it on my daughter’s old HTC phone and it works like a new one. Must have been the older phone/tablet that wouldn’t install it. Thanks for your efforts. Matt.

  28. Matt says:

    I just tried the password generator and I’m able to log on as an installer. Cheers, Matt.

  29. cpngn says:

    You cannot add a 3rd party CT and calibrate it. If you bought a CT enabled Envoy-S or IQ, you would have 1 or 2 CTs in hand. If not, don’t waste your time, it will never work until you buy the right equipment. You WILL need Enphase Support to set this up after the fact.
