supportcare.net / Geek Masters / eSupportStation / vlinks tech support scam cold callers.

Another day and, unusually, another tech support scammer but one who called me!

Looking back at my call records, it seems they had tried to call on Friday morning too but got through to my answerphone.

This is the first time they have called my number. Normally I have to call them from a fake virus warning page or a friend of mine is called and I have to use the number the friend was given.

The caller ID they called from was “0001632960451” (numbers beginning 000 don’t exist, but let’s imagine they have broken and/or faked caller ID). At a later date they also called from “00666675”.

The initial domain they went to for “ordering” the service I “needed” was:

http://www.supportcare.net/our-plans

The current whois information for the domain is associated with:

Registrant Name: Archit Gupta
Registrant Street: A-4/211 DDA JANTA FLATS
Registrant City: PASCHIM VIHAR
Registrant State/Province: Delhi
Registrant Postal Code: 110063
Registrant Country: IN
Registrant Phone: +91.9953444997
Registrant Email: architguptaa@gmail.com

Yet the website gives a US address and phone number of

276 Fifth Avenue, Suite 704
New York, NY 10001
Ph.: +1-877-848-3948
Email: support@supportcare.net

The email address used is only associated with one other domain that doesn’t seem to be active.

The second part of the payment (the cart stuff) seems to run from zoomworld.ca which gives a logo called Geek Masters.
The zoomworld website code also leaks what appears to be a previous name, “SG Technologies Inc.”

ESupportstation is the “merchant name” being used at the payment processor.

The server that their website is hosted on is “45.79.143.121”, which has the reverse DNS of “server.studiosos.biz”. The website at www.studiosos.biz, which appears to belong to an invoice software company, uses the exact same template and layout as the supportcare.net site.

studiosos give their address, on their website, as:

1800 Windridge Drive, Sandy Springs
Atlanta GA 30350
Ph.: +1-404-382-0802

Yet their whois details, at the time of writing, give the same address as published on the scam support supportcare.net site:

Registrant ID: DI_47249721
Registrant Name: Studio SOS LLC
Registrant Organization: Studio SOS LLC
Registrant Address1: 276, 5th Avenue, Suite 704
Registrant City: New York
Registrant State/Province: New York
Registrant Postal Code: 10001
Registrant Country: United States
Registrant Phone Number: +1.8622466786
Registrant Email: mail@studiosos.biz

The computer they connected to my test computer from seemed to be on the domain “vlinks”, possibly the name of an outsourcing call center?

Posted in Uncategorized | 2 Comments

ussoftwaresolutionsinc.com fake virus warning message and tech support liars.

Another day and another company that I feel to be a scam tech support operation. This time I can attribute them to at least 100 fake virus warning sites and domains.

This time a message pops up when a victim is browsing (in the case I saw) TV streaming websites.

The scam warning was on “http://computerproccesseal.club/?source=70790_600680_” but it looks like many other domains are also involved.

(Screenshot: us software solutions scam warning.png)

The message reads:

0x80070424 Warning: Activation Key Damaged!!! Call Help Desk:

** YOUR COMPUTER HAS BEEN BLOCKED **

Error # 268D3

Please call us immediately at: +44-800-090-3856
Do not ignore this critical alert.
If you close this page, your computer access will be disabled to prevent further damage to our network.

Your computer has alerted us that it has been infected with a virus and spyware. The following information is being stolen…

> Facebook Login
> Credit Card Details
> Email Account Login
> Photos stored on this computer
You must contact us immediately so that our engineers can walk you through the removal process over the phone. Please call us within the next 5 minutes to prevent your computer from being disabled.

Toll Free: +44-800-090-3856

The telephone number used in this scam is the UK number 0800 090 3856 (aka +448000903856 or 08000903856).

A small JavaScript file controls the telephone number that shows on the scam warning.

If these tech support liars call you back, their caller ID shows as +18443073377.

Needless to say the message is a lie: there is no infection on the computer, and computer access (other than the scam message) will not be blocked.

When the victim calls, they are given the standard tech support scam routine: being shown the “scary errors” in Event Viewer and stopped services in msconfig (all normal!).

Their fixes (for which they charge £199) seem to be:

1) Running a .bat file to clear the Event Viewer history (“Win 7 Viewer.zip” containing “Win 7 Viewer.bat”):

@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
exit

2) Running SuperAntiSPYWARE to close the web browsers and clean cookies.
3) Installing CCleaner.

Entirely not worth it, and their initial sales pitch about infections, firewalls and risks is fiction.
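Clearing every log with wevtutil, as the batch file in step 1 does, is anti-forensics, and it leaves its own trace: Windows writes a System event 104 (provider Microsoft-Windows-Eventlog) for each log that is cleared and a Security event 1102 when the Security log is cleared. The following Python is an added example, not part of the original post, that flags a burst of such events on one host; the JSON-lines records, their field names and the thresholds are constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified JSON-lines shape (the field names
# are this example's own, not a Windows export format). System event 104 is
# logged once per cleared log; Security event 1102 marks the Security log clear.
SAMPLE_EVENTS = """\
{"time": "2016-09-02T10:14:01", "host": "VICTIM-PC", "channel": "System", "event_id": 7036, "user": "SYSTEM", "cleared_log": null}
{"time": "2016-09-02T10:15:03", "host": "VICTIM-PC", "channel": "System", "event_id": 104, "user": "victim", "cleared_log": "Application"}
{"time": "2016-09-02T10:15:03", "host": "VICTIM-PC", "channel": "System", "event_id": 104, "user": "victim", "cleared_log": "Microsoft-Windows-TaskScheduler/Operational"}
{"time": "2016-09-02T10:15:04", "host": "VICTIM-PC", "channel": "Security", "event_id": 1102, "user": "victim", "cleared_log": "Security"}
{"time": "2016-09-02T10:15:04", "host": "VICTIM-PC", "channel": "System", "event_id": 104, "user": "victim", "cleared_log": "Windows PowerShell"}
{"time": "2016-09-02T10:15:05", "host": "VICTIM-PC", "channel": "System", "event_id": 104, "user": "victim", "cleared_log": "System"}
{"time": "2016-09-03T08:00:00", "host": "ADMIN-WS", "channel": "System", "event_id": 104, "user": "admin", "cleared_log": "Application"}
"""

# (channel, event id) pairs that mean "a log was cleared".
LOG_CLEAR_EVENTS = {("System", 104), ("Security", 1102)}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _report(host, burst, min_logs, findings):
    logs = sorted({e["cleared_log"] for e in burst})
    if len(logs) >= min_logs:
        findings.append({"host": host, "first": burst[0]["time"], "last": burst[-1]["time"],
                         "users": sorted({e["user"] for e in burst}), "logs": logs})


def find_mass_log_clears(events, window=timedelta(seconds=60), min_logs=3):
    """Return one finding per burst of log-clear events on a host.

    Clears on the same host are chained into a burst while each follows the
    previous one within `window`; a burst that wipes at least `min_logs`
    distinct logs is reported. One log cleared by an admin is housekeeping;
    every log on the box cleared within seconds is the footprint of a
    `wevtutil el` / `wevtutil cl` loop like the batch file above."""
    by_host = defaultdict(list)
    for e in events:
        if (e["channel"], e["event_id"]) in LOG_CLEAR_EVENTS:
            by_host[e["host"]].append(e)
    findings = []
    for host, clears in by_host.items():
        clears.sort(key=lambda e: e["time"])
        burst = [clears[0]]
        for prev, cur in zip(clears, clears[1:]):
            if _ts(cur) - _ts(prev) <= window:
                burst.append(cur)
            else:
                _report(host, burst, min_logs, findings)
                burst = [cur]
        _report(host, burst, min_logs, findings)
    return findings


if __name__ == "__main__":
    for f in find_mass_log_clears(parse_events(SAMPLE_EVENTS)):
        print(f"{f['host']}: {len(f['logs'])} logs cleared between {f['first']} "
              f"and {f['last']} by {', '.join(f['users'])}")
```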

The company that tried to take payment is:

https://www.ussoftwaresolutionsinc.com/
aka. “US Software Solutions Inc.” or “ALW*ussftwrsolution8882551137”.

The domain I came across has the following whois information:

Registrant Name: Ajay Kumar
Registrant Street: C-45, Sec- 5
Registrant City: Noida
Registrant State/Province: Uttar Pradesh
Registrant Postal Code: 201301
Registrant Country: IN
Registrant Phone: +91.8802175217
Registrant Email: kidanumer8171@gmail.com

Other domains related to this scam (hosted on the same IP at GoDaddy) are:

macintosh-security-warning.info
windows-error.co (an active fake virus warning page listing +1-800-737-7785 as the number to call and error code ERR7343DYJ6)
computerprocceslocksmiths.club (a copy of the original scam warning that I’ve posted at the top of this page).
computerprocceslock.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerprocceslock.club (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
processorprocceslock.club
computerproccessecure.club (an active fake virus warning page listing +44-800-090-3846 as the number to call and error S47452D aimed at Mac users)
computerprocceslockservice.club (an active fake virus warning page listing +1-844-564-0211 as the number to call and error S47452D aimed at Mac users)
computerprocceslocks.club (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
pcprocceslock.online
computermycceslock.club (an active fake virus warning page listing +1-888-417-0191 as the number to call and error 268D3)
computerproccesseal.online
computerbolt.online (an active fake virus warning page listing +1-888-328-0520 as the number to call and error 268D4 aimed at Mac users)
computerprotection.online
computerprotectionhub.online
computerlocksmiths.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerprotectionworld.online (an active fake virus warning page listing +1-888-608-9575 as the number to call and error 268D3)
computerprotectionservices.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerlock.online (an active fake virus warning page listing +1-888-328-0781 as the number to call and error 268D5 aimed at Mac users)
computerprotectiongroup.online (an active fake virus warning page listing +44-808-238-7566 as the number to call and error 268D3)
processorlock.online (an active fake virus warning page listing +61-180-094-0864 as the number to call and error 268D3)
computersecure.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerlockweb.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerclamp.online (an active fake virus warning page listing +1-888-328-0781 as the number to call and error 268D5)
computerprotectionweb.online (an active fake virus warning page listing +1-888-608-9575 as the number to call and error 268D3)
computerprotectionreviews.online (an active fake virus warning page listing +1-888-328-0466 as the number to call and error S47452D aimed at Mac users)
computerpadlock.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerprotectionstar.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerprotectiontech.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerprotectionzone.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerprotectionhome.online (an active fake virus warning page listing +44-800-090-3856 as the number to call and error 268D3)
computerlockbox.online (an active fake virus warning page listing +1-888-430-9671 as the number to call and error 268D5)
computerlocks.online
computerlockpro.online (an active fake virus warning page listing +61-1800-990-328 as the number to call and error 268D4)
computerlockshop.online (an active fake virus warning page listing +61-1800-940-864 as the number to call and error 268D3)
computerprotectionsystems.online (an active fake virus warning page listing +44-800-090-3846 as the number to call and error 268D3)
computerprotectionnow.online
computer-lock.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computerlockservice.online
computerprotectionpro.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
pcvirusalertsystem.today
technicalserrors.online (an active fake virus warning page listing +61 (1800) 893-775 as the number to call and error 268D3) (also related to an Amazon s3 hosting account “technicalserrors.online.s3-website-us-west-2.amazonaws.com”)
safari-infected-with-malwares.s3-website-us-west-2.amazonaws.com (an active fake virus warning page listing +44-800-098-8642 as the number to call and error XX00x1)
pcnetworktrustytrusty.online (an active fake virus warning page listing +1-888-328-0471 to call and error code S47452D)
alertatpc.website
recheck-mac-service.com (an active fake virus warning page listing +64-1800-894-043 as the number to call and error 9ADX400)
pcnetworksteadfastcloud.online (an active fake virus warning page listing +61-1800-940-864 as the number to call and error 268D3)
pcnetworktrustycloud.online (an active fake virus warning page listing +1-888-328-0466 as the number to call and error 268D#3)
pcsystemauthenticcloudservices.online (an active fake virus warning page listing +61-180-094-0864 as the number to call and error 9ADX400)
debuggingerrorinterrupt.club (an active fake virus warning page listing +61-1800-940-864 as the number to call and error 268D3)
pcnetworkreliablecloudservices.online (an active fake virus warning page listing +1-844-564-0211 as the number to call and error 268D#3)
safarifaults.club (a fake apple support “Your mac has been blocked” page listing +44-8000-988-382 as the number to call and error 8UXK307)
pcnetworksteadycloud.online (fake virus warning page listing +1-888-328-0466 as the number to call and error 268D#3)
netservicesupport.website (fake virus warning page listing +1-8777-993-986 as the  number to call and error 9XAX401)
debugginginterrupt.club (fake virus warning page listing +61-1800-875-586 as the number to call and error 9ADX400)
systemexpert.online (fake virus warning page listing +61 (1800) 893-775 as the number to call and error 268D3)
mclimaxasurment.club (fake virus warning page listing +1-877-231-7887 as the number to call and error S47452D)
alertatpc.space
geekcrew.online
computermalwareissue.space
recheck-mac-service.info (fake virus warning listing +61-1800-894-043 as the number to call and error 268D3)
geekcrewservices.club
geekteam.online
supportsupport.online (fake virus warning listing +1-877-937-6922 and +61-1800-940-864 as the numbers to call and errors S47452D and 0x80070424)
networkalertnetwork.club (fake virus warning listing +61-1800-894-043 as the number to call and error 268D3)
pcmethodreliablecloudcomputing.online (fake virus warning listing +1-877-231-7887 as the number to call and error 268D#3)
macsystemmeasurwoment.club (fake virus warning listing +1-844-564-0211 as the number to call and error 268D3)
macsystemuseasurment.club (fake virus warning listing +1-844-564-0211 as the number to call and error 268D3)
macsystemusasurment.club (fake virus warning listing +1-844-564-0211 as the number to call and error S47452D)
systemreliablecloudstorage.online (fake virus warning listing +1-844-564-0211 as the number to call and error 268D3)
hxxp://www.supportsupportnetwork.online (fake virus warning listing +1-844-669-3961 as the number to call and error 9XAX400D)
recheck-mac-service.org (fake virus warning listing +61-1800-990-328 as the number to call and error 268D3)
pcgeeksquad.club
systemreliablecloudservices.online (fake virus warning listing +1-844-564-0211 as the number to call and error 354#D7)
techhelp.club (fake virus warning listing +44-8000-988-382 as the number to call and error 8UKX307)
pcassist.online (fake virus warning listing +1-844-669-3961 as the number to call and error 9XAX400D)
methodexpert.online (fake virus warning listing +61-1800-661-980 as the number to call and error 268D3)
pcaid.online (fake virus warning listing +1-844-669-3961 as the number to call and error 268D3)
expert-system-solutions.net (fake virus warning listing +61 (1800) 893-775 as the number to call and error 268D3)
computermeasurmentmart.club (fake virus warning listing +1-844-669-3961 as the number to call and error 9XAX400D)
computermeasurmenthub.club (fake virus warning listing +1-844-669-3961 as the number to call and error 9XAX400D)
xdebugging.club (fake virus warning listing +1-844-669-3961 as the number to call and error 268D3)
somedebugonmycomputer.club (fake virus warning listing +44-8000-988-382 as the number to call and error 8UXK307)
someerroronmypc.club (fake virus warning listing +1-844-669-3961 as the number to call and error 9X#X400D)
hxxp://www.mymacinterrupt.club (fake virus warning listing +1-844-669-3961 as the number to call and error 268D3)
funmaxsteel.club (fake virus warning listing +44-8000-988-382 as the number to call and error 8UXK307)
pcdebuggingerrorinterrupt.club (fake virus warning listing +1-844-669-3961 as the number to call and error 268D3)
alertatpc.online
visitnewyorkcity.club (fake virus warning listing +44-8000-988-382 as the number to call and error 8UXK307)
systemalertsystems.club (fake virus warning listing +1-844-669-3961 as the number to call and error 9XAX400D)
machelpexpert.online (fake virus warning listing +1-844-669-3961 as the number to call and error S47452D)
macbackupexpert.online (fake virus warning listing +1-844-669-3961 as the number to call and error S47452D)
saffaribrowser.com (fake virus warning listing +61 (1800) 157-009 as the number to call and error 268D3)
expert-system-solutions.org (fake virus warning listing +61 (1800) 661-980 as the number to call and error 268D3)
expert-system-solutions.info (fake virus warning listing +61 (1800) 893-775 as the number to call and error 268D3)
mac-safari-repair.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1 (844) 412-6929 as the number to call)
mac-supports.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1-844-856-0111 as the number to call)
supportllc.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1-844-412-6929 as the number to call)
error-code-229s4.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1-844-412-6929 as the number to call)
shop-for-sale.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1-844-856-0111 as the number to call and error 268D3)
trackingfacebookfuntime.club.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1-844-856-0111 as the number to call and error 268D3)
gamezonly.space.s3-website-us-west-2.amazonaws.com (fake virus warning listing +61 (1800) 893-775 as the number to call and error 268D3)
technicalserrors.online.s3-website-us-west-2.amazonaws.com (fake virus warning listing +61 (1800) 893-775 as the number to call and error 268D3)
trackingfacebookads.club.s3-website-us-west-2.amazonaws.com (fake virus warning listing +61 (1800) 893-775 as the number to call and error 268D3)
mac-alert-38107.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1-844-717-2444 as the number to call and error 268D3)
pcnetworkreliablecloudcomputing.online (fake virus warning listing +1-844-231-7887 as the number to call and error 268#D3)
pcnetworkreliablecloudhosting.online (fake virus warning listing +1-888-328-1037 as the number to call and error 268#D3)
macmeasurhombrest.club (fake virus warning listing +1-844-564-0211 as the number to call and error 9XW#X400D)
macmeasurmentpro.club (fake virus warning listing +1-844-564-0211 as the number to call and error S47452D)
macplanreliablecloud.online (fake virus warning listing +1-844-564-0211 as the number to call and error CM74#2D)
macsystemreliablecloud.club (fake virus warning listing +1-844-564-0211 as the number to call and error S47452D)
pcservicecompany.online (fake virus warning listing +1-844-590-7988 as the number to call and error S47452D)
methodsupport.club (fake virus warning listing +44-800-088-5641 as the number to call and error S47452D)
computerseal.online (fake virus warning listing +44-800-088-5641 as the number to call and error S47452D)
macsystemsteadycloud.online (fake virus warning listing +1-844-590-7989 as the number to call and error 268D3)
systemalarm.club (fake virus warning listing +1-844-590-7992 as the number to call and error 268D3)
computerprotectioncenter.online (fake virus warning listing +1-888-328-0471 as the number to call and error 268D3)
cpudebuggingerrorinterrupt.club (fake virus warning listing +1-888-871-6288 as the number to call and error 268D3)
systemexpert.website (fake virus warning listing +61-1800-893-775 as the number to call and error 9ADX400)
cpidebuggingerrorinterrupt.club (fake virus warning listing +1-844-590-7989 as the number to call and error 9#XWX400D)
edge-not-working.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1-888-328-0471 as the number to call and error 268D3)
pcsteadycurrent.online (fake virus warning listing +1-888-328-0471 as the number to call and error 268D3)
window-error.s3-website-us-west-2.amazonaws.com (fake virus warning listing +1-888-328-0471 as the number to call and error 268D3)
macsystemreliablecloudservices.online (fake virus warning listing +1-888-328-0471 as the number to call and error 268D3)
supportsupportservices.online (fake virus warning listing +1-844-590-7989 as the number to call and error 268D3)
pcsteadynow.online (fake virus warning listing +44-800-090-3848 as the number to call and error 268D5)
computerinterruptdebuggingexcess.club (fake virus warning listing +1-844-590-7989 and +1-877-937-6922 as the numbers to call and errors S47452D and 0x80070424)
gomicrosoft-errors.website and gomicrosoft-errors.website.s3-website-us-west-2.amazonaws.com (fake virus warning listing +44 (8000) 988-382 as the number to call and error XX00x1; the full error text is shown below)

System Detected Security Error (Error Code : XX00x1) Due to Suspicious Activity. Please Contact MAC Technicians For Help :
‘+ tollfree +’ . Please contact MAC technicians to rectify the issue.
Please do not open internet browser for your security issue to avoid data corruption on your registry of your omacusating system. Please contact MAC technicians at

Tollfree Helpline at ‘+tollfree+’

Tell customer service this error code : XX00x1

PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND FAILIURE OF OPERATING SYSTEM , HENCE NON BOOTABLE SITUATION RESULTING COMPLETE DATA LOSS . CONTACT MAC technicians TO RESOLVE THE ISSUE ON TOLL FREE – ‘+tollfree+’

PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND FAILIURE OF OPERATING SYSTEM , HENCE NON BOOTABLE SITUATION RESULTING COMPLETE DATA LOSS . CONTACT MAC technicians TO RESOLVE THE ISSUE ON TOLL FREE – ‘+tollfree+’. Please contact MAC technicians to rectify the issue.
Please do not open internet browser for your security issue to avoid data corruption on your registery of your omacusating system. Please contact MAC technicians at

Tollfree Helpline at ‘+tollfree+’

Tell customer service this error code : XX00x1

PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND FAILIURE OF OPERATING SYSTEM , HENCE NON BOOTABLE SITUATION RESULTING COMPLETE DATA LOSS . CONTACT MAC technicians TO RESOLVE THE ISSUE ON TOLL FREE – ‘+tollfree+’

PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND FAILIURE OF OPERATING SYSTEM , HENCE NON BOOTABLE SITUATION RESULTING COMPLETE DATA LOSS . CONTACT MAC technicians TO RESOLVE THE ISSUE ON TOLL FREE – ‘+tollfree+’.

supportsupport247.club (fake virus warning page listing +61-1800-940-863 as the number to call; the warning message is shown below)

Microsoft System Security Alert

Oops !! Something went wrong with your Unknown OS Platform

Dear Unknown User,

The Website you have recently visited may have downloaded the Malware and Virus on your Unknown OS Platform system.

Microsoft Defender is Suspicious about your Unknown OS Platform System Security.

Your TCP Connection Was Blocked by Your Unknown OS Platform Security System. Your Unknown OS Platform and Internet Explorer has been locked untill we may hear from you to immediately fix this issue.

Please Contact Microsoft Unknown OS Platform Help Desk

——————————————————————-
Customer Support : +61-1800-940-863 (TOLL-FREE)
——————————————————————-

********** IMMEDIATE RESPONSE REQUIRED **********

Please contact network administration to rectify the issue.
Please do not open internet browser for your security issue to avoid data corruption on your registery of your operating system Unknown OS Platform. Please contact Unknown OS Platform network administration department at +61-1800-940-863 (TOLL-FREE)

Virus Info:
A Trojan horse, or Trojan, in computing is a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. The term is derived from the story of the wooden horse used to trick defenders of Troy into taking concealed warriors into their city in ancient Greece, because computer Trojans often employ a form of social engineering, presenting themselves as routine, useful, or interesting in order to persuade victims to install them on their computers.

A Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. The Trojan and backdoors are not themselves easily detectable, but if they carry out significant computing or communications activity may cause the computer to run noticeably slowly. Malicious programs are classified as Trojans if they do not attempt to inject themselves into other files (computer virus) or otherwise propagate themselves (worm).

A computer may host a Trojan via a malicious program a user is duped into executing files or browsing internet.
Please contact network administration department at +61-1800-940-863 (TOLL-FREE)
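The list above is free text, which makes it hard to see which pages share a call-back number, and a shared number under many throwaway domains is what ties them to one operation. The following Python, an added example that is not part of the original post, parses entries in that format into domain, normalised phone numbers, error codes and a Mac-targeting flag, then clusters the domains by phone number; the sample lines are copied from the list above, and the regexes and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied in the free-text shape of the
# domain list above (the real list is far longer; these exercise each quirk:
# bare domains, a defanged hxxp:// prefix, "+61 (1800)" style numbers, a number
# glued to the next word, and an entry with two numbers and two error codes).
SAMPLE_LINES = """\
macintosh-security-warning.info
windows-error.co (an active fake virus warning page listing +1-800-737-7785 as the number to call and error code ERR7343DYJ6)
computerprocceslock.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
computermycceslock.club (an active fake virus warning page listing +1-888-417-0191as the number to call and error 268D3)
computerbolt.online (an active fake virus warning page listing +1-888-328-0520 as the number to call and error 268D4 aimed at Mac users)
computerlocksmiths.online (an active fake virus warning page listing +1-888-328-0471 as the number to call and error 268D3)
technicalserrors.online (an active fake virus warning page listing +61 (1800) 893-775 as the number to call and error 268D3)
supportsupport.online (fake virus warning listing +1-877-937-6922 and +61-1800-940-864 as the numbers to call and errors S47452D and 0x80070424
hxxp://www.mymacinterrupt.club (fake virus warning listing +1-844-669-3961 as the number to call and error 268D3)
"""

# Leading domain, with any defanged hxxp:// scheme and www. stripped.
DOMAIN_RE = re.compile(r"^(?:hxxps?://)?(?:www\.)?([a-z0-9][a-z0-9.-]*\.[a-z]+)", re.I)
# International number: '+' then digits with any mix of spaces, dashes, brackets.
PHONE_RE = re.compile(r"\+\d[\d\s()\-]{6,}\d")
# Matches "error 268D3", "error code ERR7343DYJ6", "errors S47452D and 0x80070424".
ERROR_RE = re.compile(r"\berrors?(?: code)?\s+([A-Za-z0-9#]+)(?:\s+and\s+([A-Za-z0-9#]+))?")


def normalize_phone(raw):
    """Digits only, so '+61 (1800) 893-775' and '+61-1800-893-775' compare equal."""
    return re.sub(r"\D", "", raw)


def parse_line(line):
    """Turn one list entry into a record; returns None for lines with no domain."""
    m = DOMAIN_RE.match(line.strip())
    if not m:
        return None
    rec = {"domain": m.group(1).lower(), "phones": [], "errors": [],
           "mac_targeted": "aimed at mac" in line.lower()}
    rec["phones"] = [normalize_phone(p) for p in PHONE_RE.findall(line)]
    e = ERROR_RE.search(line)
    if e:
        rec["errors"] = [code for code in e.groups() if code]
    return rec


def parse_lines(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def cluster_by_phone(records):
    """Map each call-back number to the sorted domains that display it."""
    clusters = defaultdict(set)
    for r in records:
        for phone in r["phones"]:
            clusters[phone].add(r["domain"])
    return {phone: sorted(domains) for phone, domains in clusters.items()}


if __name__ == "__main__":
    for phone, domains in sorted(cluster_by_phone(parse_lines(SAMPLE_LINES)).items()):
        print(f"+{phone}: {', '.join(domains)}")
```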

Expired domains that are also associated and suspicious are:

sincronizarsantander.info – Santander are a bank.
click4support.biz
click4support.us
web-consultant.biz
classifiedline.asia
turkeyclassifieds.asia
classifiedgallery.asia
vehiclesclassifieds.asia
systemsupportalert.online
browsersupportapp.net
helpdeskproductions.org
hxxp://www.hotappdownload.com

The name Anil Verma crops up regularly across the domains I’ve found, including being the name used for ussoftwaresolutionsinc.com (anil.verma1392@gmail.com).

The name “anil” also appears in the JavaScript source code of the fake virus warning website.

Also related (linked by a shared Google Analytics (ga) ID):

ubertechsupport.blogspot.com
dialportsolutionsllc.com “Dialport Solutions llc” (Almost an exact copy of the ussoftwaresolutions website)
usinfosolutions.us
ubertechsupport.tumblr.com

Posted in Uncategorized | 4 Comments

dot-ontechies.com / 0800-090-3906 virus warning and “TourTech” support scam.

This scam is being answered by TourTech (tourtechinc.com) and payments are being processed via FirstData (a payment processor).

Another month, another malvertising scam claiming that victims’ computers have the Zeus virus.

(Screenshot: dot-ontechies-scam)

The message displayed reads:

Security Error Code 0x80070424

****Please Do Not Restart Your Computer ****

Microsoft Windows Detected ZEUS Virus and these Infections indicate that some Un-Authorised File Tampering has taken place on the computer which must be Diagnosed and Rectified to prevent loss of Personal Data.

Call Microsoft Technical support on 0800-090-3906 and share the Error Ticket: WBCKL457 with Support Agent to get it Diagnosed Free of Charge

PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT WOULD LEAD TO DATA LOSS AND OPERATING SYSTEM CRASH

CONTACT MICROSOFT TECHNICAL SUPPORT IMMEDIATELY TO RESOLVE THE ISSUE ON TOLL FREE – 0800-090-3906
—————————————————————————–
for Technical Assistance
—————————————————————————-

Terms and Conditions
All rights reserved.

Victims are asked to call the UK freephone number 0800-090-3906 (aka. 08000903906 / “0800 090 3906” / +448000903906). YouTube has a recording of what happens if you call these people:

The URL involved when I came across it was:

http://chksysonlihneeroorserachinefjoiwrfghjytirtytygkhfhgkm.dot-ontechies.com/000053x56435zx

The domain is registered to:

Registrant Name: JANET FREEMAN
Registrant Street: Mysugar Building, Opposite Ravindra Kalakshetra, J C Road, J C Road
Registrant City: Bengaluru
Registrant State/Province: Karnataka
Registrant Postal Code: 560002
Registrant Country: IN
Registrant Phone: +91.8041325277
Registrant Email: jenny.free7478@rediffmail.com

The page’s source also contains code relating to a scam run from

pfzenljnfdkjlejrij-044353423warningalert.microsoftfoundsomesuspiciousactivityfromyouripaddress.somespywaremayhavecausedasecuritybreachatyournetworklocation.livetech-solutions.com

It also references “www.gth-techies.com”, which hosts another Apple-themed scam message giving a different telephone number:

(Screenshot: gth-techies-dot-com-scam)

This scam page claims:

YOUR Apple COMPUTER HAS BEEN LOCKED*

Your Computer is infected with an adware or malware causing you to see this popup.

This may happen due to obsolete virus protections.

To fix, please call Apple Support at 0808-143-3728 immediately. Please ensure you do not restart your computer to prevent data loss.

Possibility of Data & Identity theft, if not fixed immediately.

YOUR Apple COMPUTER HAS BEEN BLOCKED*

YOUR Apple COMPUTER HAS BEEN LOCKED !!

System has been infected due to unexpected error!
Please Contact Apple 0808-143-3728 Immediately!
to unblock your computer.

Suspicious Activity Detected. Your Browser might have been hijacked or hacked.

ANONYMOUS ACTIVITY

Private and Financial Data is at RISK:
. Your credit card details and banking information
. Your e-mail passwords and other account passwords
. Your Facebook, Skype, AIM, ICQ and other chat logs
. Your private & family photos and other sensitive files
. Your webcam could be accessed remotely by stalkers

IMMEDIATELY CALL Apple SUPPORT AT 0808-143-3728

MORE ABOUT THIS INFECTION:
Seeing these pop-up’s means that you may have a virus installed on your computer which puts the security of your personal data at a serious risk.
It’s strongly advised that you call the number above and get your computer inspected before you continue using your internet, especially for Shopping or Banking.

Call immediately for assistance.
Contact Apple Support At (0808-143-3728 )

Victims for this scam are asked to call 0808-143-3728 (aka. 08081433728 / +448081433728 / “0808 143 3728”).

This domain is registered to another rediffmail user:

Registrant Name: Jermine Atkinson
Registrant Street: Plot No. 11, Shivashri, Burudgaon Road, Near Hotel Vaibhav, Maliwada
Registrant City: Ahmednagar
Registrant State/Province: Maharashtra
Registrant Postal Code: 414001
Registrant Country: IN
Registrant Phone: +91.2412322268
Registrant Email: koov.atkinson414@rediffmail.com

Another domain associated with the same scam or web developers is:

pfrecloudcompuroorwkjowj4323032fjiasfetafwfad.psp-voism.com/pfrecloudcompuroorwkjowj4323032fjiasfetaf

This one is also registered to another rediffmail address:

Registrant Name: Teoric Parker
Registrant Street: WZ-54 Naraina Village, Naraina
Registrant City: NEW DELHI
Registrant State/Province: Delhi
Registrant Postal Code: 110028
Registrant Country: IN
Registrant Phone: +91.8285040300
Registrant Email: teoric.parker252@rediffmail.com

The IP the original domain points to (107.180.48.126), hosted at GoDaddy, is also associated with the following scammy domains:

  • system-info-require-network-maintenance-contact-remote-support.info
  • system-require-urgent-repair.info

As a side note I believe that these scammers use and buy very controlled advertising runs. For example I think this company is only buying adverts Monday to Friday and probably only during their office hours or quiet hours (if they have a legitimate business running out of the same support center).

Posted in Uncategorized | 1 Comment

An old WebRTU Z3 Installation under British Gas Energy360

While trying to track down a timer switch for some street lighting around a building I happened upon this strange set of devices.

(Photo: IMG_20160902_213416)

There are three boxes. The top box is a WebRTU Z3 by EnergyICT. The two below are British Gas Business branded boxes. They appear to be hard-wired into the mains supply with no ability to switch them off. The white cable coming out of the lowest of the 3 boxes is an Ethernet cable that was plugged into a network wall socket.

To the right in the (now empty) electrical cabinet are three clamp meters / current sensors.

It seems these devices must have been installed prior to 2010. Nobody seems to know anything about them, when they were put in or when and why they were decommissioned.

The British Gas box is quite obvious. I expect the bottom of the two (without the display) is the power supply to convert the mains in to low voltage to then power the WebRTU and the LCD box.

The LCD box just displays current throughput and historic energy use over 3 or 4 time periods. This box then communicates with the WebRTU.

It looks like the WebRTU can hold a SIM card, but I expect this installation doesn’t have one (given that it was connected via Ethernet).

The RTU then reports usage back to British Gas’s “Energy360” service. Sadly, given that nobody knows anything about the installation, I expect there is also no record of any logins to go snooping about. (Although it will show 0 usage since whenever the machine was disconnected.)

The web interface of the WebRTU is very basic:

(Photo: IMG_20160902_220524)

Even a simple default nmap scan crashed the web interface, and I’m now also unable to power cycle it, given that the devices are hard-wired into the electricity supply.

If I open up the boxes in the future I will update this post with photographs of their insides!

Posted in Uncategorized | Leave a comment

Reverse Engineering the Enphase Installer Toolkit

If you are interested in other Enphase information, the following pages may also be of interest:
Enphase Envoy-S “Data Scraping”.
Enphase Envoy-S Open Ports!

While on my quest to create my own logging and analytics for the Envoy-S Solar PV controller I also was interested in how the Installer Toolkit authenticates with the web interface of the Envoy.

Authentication is “Digest” based, so it isn’t as simple as undoing the base64 encoding that “Basic” HTTP authentication uses. Digest mixes a nonce, the realm (domain) and the request URL into the hash, so each request to a different page needs its own hashed value rather than a reusable password string.

The trouble is, I don’t know the password for the Envoy. The username is “installer” but the password isn’t publicly known. I hoped to extract the password generation method from the Android application.

What helped is that the application appears to be Xamarin based. As far as I can work out this means they wrote the application in Microsoft Visual Studio and ported it to run on multiple mobile platforms (Apple, Android, Windows Phone(?)) using “Mono”, a Common Language Runtime (CLR) compiler or runtime. I’ve written Visual Studio (VB.NET) applications that run on Linux using Mono, which is very useful.

So, decompressing the APK produces a load of Windows .dll files! ILSpy then allows me to investigate the code within.

(Screenshot: ILSpy browsing the Xamarin application’s about box)

So, all easy for me to understand in the language(s) that I can work with.
Imagine my surprise when I came across the “Configuration” section.

(Screenshot: the OAuth constants in the Configuration section)

Private Const OAuth2BogusClientId As String = "installer-toolkit-bogus"
Private Const OAuth2BogusSecret As String = "911wasaninsidejob"
Private Const OAuth1BogusConsumerKey As String = "notavalidconsomerkey"
Private Const OAuth1BogusConsumerSecret As String = "Oauth1911wasaninsidejob"

While this is part of code that isn’t used in live connections (I believe the “bogus” sections are for offline, debug or demonstration testing that doesn’t authenticate against live systems), I’m amazed that wording like that has remained within a program written by a company who, I presume, wouldn’t want it held against their reputation.

My first thought was that maybe a programmer had taken example code and forgotten to change the strings, but no: a quick Google search doesn’t reveal any pages at all with that wording in them, so it isn’t a lazy copy and paste from existing public “example” code.

Moving on from that, other interesting bits of code are:

Public Function UsernameIsReviewUser(username As String) As Boolean
    Return Not String.IsNullOrEmpty(username) AndAlso username.ToLower().Equals("enphase.rev1400@gmail.com")
End Function
Friend Module Crypto
    Private salt As Byte() = Encoding.ASCII.GetBytes("com.enphase-energy.rocksit247")

If you are on Android then the SQLite Database it uses is stored in “/mnt/sdcard/Enphase/EnphaseDB_fixed.db3”.

When the Envoy is in AP mode the IP address might be “172.30.1.1”.

Back on task. The Digest authentication is handled by “Enphase.InstallerToolkit -> Enphase.InstallerToolkit.Models -> EnphaseEnvoy” and uses the following code:

Public Sub SetupAuth()
	Dim credentialCache As CredentialCache = New CredentialCache()
	credentialCache.Add(New Uri("http://" + Me.IP_Address), "Digest", New NetworkCredential("installer", Me.GetPasswordForEnvoy()))
	credentialCache.Add(New Uri("http://" + Me.IP_Address + ":9094"), "Digest", New NetworkCredential("installer", Me.GetPasswordForEnvoy()))
	Dim nativeCookieHandler As NativeCookieHandler = New NativeCookieHandler()
	Dim list As List(Of Cookie) = New List(Of Cookie)()
	For Each current As Cookie In nativeCookieHandler.Cookies
		If current.Name.ToUpper().Equals("SESSIONID") Then
			current.Value = Nothing
			list.Add(current)
		End If
	Next
	nativeCookieHandler.SetCookies(list)
	Me.httpClient = New HttpClient(New NativeMessageHandler(False, False, nativeCookieHandler) With { .UseDefaultCredentials = False, .Credentials = credentialCache })
End Sub

Public Function GetPasswordForEnvoy() As String
	Dim bufLen As UInteger = 128UI
	Dim stringBuilder As StringBuilder = New StringBuilder(128)
	EnphaseEnvoy.emupwGetMobilePasswd(Me.Serial_Number, "installer", Nothing, stringBuilder, bufLen)
	Return stringBuilder.ToString()
End Function

Public Shared Declare Function emupwGetMobilePasswd Lib "libemupw.so" (in_serialNumber As String, in_user As String, in_domain As String, out_buf As StringBuilder, bufLen As UInteger) As Integer 

In plain terms this means the function “SetupAuth” adds credentials to the HTTP request using the hard-coded username “installer” and the password generated by the function “GetPasswordForEnvoy”.

GetPasswordForEnvoy, as far as I can read it, creates a 128-character StringBuilder and then calls another function, “emupwGetMobilePasswd”, with the parameters:
Serial number of the Envoy, “installer”, Nothing, the empty output buffer, and the buffer length (128)

Now, emupwGetMobilePasswd is declared as an external function living in “libemupw.so”, which appears to be a compiled library for ARM architecture processors. Sadly it doesn’t seem to be a drop-in component and is likely a custom file for Enphase.
It only seems to take the serial number and username as input. The “domain” string (3rd input) is set to “Nothing” in the code, and the final two parameters are the output buffer and its length.

libemupw.cfg.emupwGetMobilePasswd

libemupw.cfg.emupwGetPasswd

libemupw.cfg.emupwGetPasswdForSn
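To make the Digest mechanics described earlier concrete, here is an added example (my own code, not Enphase’s or the Installer Toolkit’s) that builds an RFC 2617 Digest response from a WWW-Authenticate challenge, using the hard-coded “installer” username and the “enphaseenergy.com” realm the Envoy advertises. The password, nonce and URIs in the demo are constructed placeholders, which is exactly the point: even with a fixed password, the response changes with every nonce and every page.

```python
"""Added example (not Enphase's or the Installer Toolkit's code): building an HTTP
Digest response (RFC 2617) from a WWW-Authenticate challenge, using the hard-coded
"installer" username and the "enphaseenergy.com" realm the Envoy advertises.
The password, nonce and URIs in the demo are constructed placeholders."""
import hashlib
import re
import secrets


def parse_challenge(header: str) -> dict:
    """Parse 'Digest realm="...", nonce="...", qop="auth"' into a dict."""
    if not header.lower().startswith("digest "):
        raise ValueError("not a Digest challenge")
    params = {}
    # each parameter is key="quoted value" or key=token
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header[7:]):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=None) -> str:
    """The response hash. HA1 covers the credentials, HA2 the method and URI,
    and the server nonce (plus client nonce and count when qop is used) binds
    the result to this exchange, which is why the value differs per page and
    per challenge even though the password does not."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # older RFC 2069 form without qop


def build_authorization(challenge: str, username: str, password: str,
                        method: str, uri: str, nc="00000001", cnonce=None) -> str:
    """Build the Authorization header value for one request."""
    p = parse_challenge(challenge)
    offered = [q.strip() for q in (p.get("qop") or "").split(",")]
    qop = "auth" if "auth" in offered else None
    if qop and cnonce is None:
        cnonce = secrets.token_hex(8)
    resp = digest_response(username, p["realm"], password, method, uri,
                           p["nonce"], qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{p["realm"]}"',
             f'nonce="{p["nonce"]}"', f'uri="{uri}"', f'response="{resp}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in p:
        parts.append(f'opaque="{p["opaque"]}"')
    return "Digest " + ", ".join(parts)


if __name__ == "__main__":
    # Constructed challenge in the shape the Envoy's port 8082 returns; the
    # nonce and password are placeholders, not real device values.
    challenge = 'Digest realm="enphaseenergy.com", nonce="0123456789abcdef"'
    password = "PLACEHOLDER-PASSWORD"
    for uri in ("/production.json", "/inventory.json"):
        print(uri, build_authorization(challenge, "installer", password, "GET", uri))
```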

This is where it gets beyond my skill level. I will continue to research and work out how I can either run the object on demand (to make a web service where people can type in a serial number and get back the password) or just the maths or function used to hash the details to return the password. More to come; bookmark and return at some point.

Update: 19th November 2016. Version 2.1.10 of the Installer Toolkit is out and has the following notable changes.

It contains a variable WORK_OFFLINE_KEY


Bulk Updating Office 365 Department for users via PowerShell

This has good applications in a school or college where you have cohorts moving up a year. It is also useful in an enterprise where a department has been renamed.

$Mailboxes = get-user -Filter {Department -like "Year 11"}
$Mailboxes | ForEach-Object { set-user -Identity $_.Identity  -Department "Year 12" }

Remember to first delete all your Year 12 (aka. leavers) before running the script; otherwise the Year 12 group quickly becomes a confusing mix of pupils promoted from Year 11 and Year 12 pupils who have left.


“AUSE099” Sage Accounts online update error.

I had a customer computer where Sage would prompt to upgrade before it could open their company file. When it got to the stage where Sage should be downloading the file, I got the error code “AUSE099” and no further information.

There seems to be no decent information on the internet on what can cause the problem. Sage have the boring advice of “download the update manually and install it” which wasn’t what I wanted.

Using Process Monitor I tracked the problem down, in my case, to the Background Intelligent Transfer Service (BITS) being stopped and disabled on the computer.

I enabled it and started the service, re-ran Sage and clicked update – this time it worked!

Hope this helps someone.


“0-800-098-8522” fake virus warning messages.

“ip5.ip-158-69-114.net” / “158.69.114.5” seems to be hosting several domains associated with fake virus warnings.

The page I came across was:

hxxp://upwardd.website/0508/E2/error9/uk/800-098-8522/alert.html

With the fake alert as follows:

Security Error

There is a .net frame work file missing due to some harmfull virus

Debug malware error 895-system 32.exe failure.

Please contact Windows technicians to rectify the issue.
Please do not open internet browser for your security issue to avoid data corruption on your registery of your operating system. Please contact Windows technicians at

Tollfree Helpline at 0-800-098-8522

PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND FAILIURE OF OPERATING SYSTEM , HENCE NON BOOTABLE SITUATION RESULTING COMPLETE DATA LOSS . CONTACT ADMINISTRATOR DEPARTMENT TO RESOLVE THE ISSUE ON TOLL FREE – 0-800-098-8522

The message asks victims to call “0-800-098-8522” (aka. 0800 098 8522 / +448000988522 / 08000988522).

If you manage to click past the JavaScript alerts you are then sent on to another page:
http://upwardd.website/0508/E2/error9/uk/800-098-8522/error.html

This page claims the following, along with a scary countdown:

0x000314CE VIRUS_DETECTED_WITHOUT_CANCELLING_PENDING_OPERATIONS

Hard Drive Safety Delete Starting In 4:36

To STOP Deleting Hard Drive Call:
0-800-098-8522

ERROR CODE: 0x000314CE

Hard Drive Safety Delete Starting In 4:36

************************************************
************************************************
Please contact technical support Toll Free: 0-800-098-8522
To immediately rectify issue and prevent data loss

Another scam message hosted at “geekbanks.xyz” has the following message:

Call Windows Help Desk Immediately at 0-800-090-3105

The following data will be compromised if you continue:
1. Passwords
2. Browser History
3. Credit Card Information

This virus is well known for complete identity and credit card theft. Further action through his computer or any computer on the network will reveal private information and involve serious risks.

Call Windows Help Desk Immediately at 0-800-090-3105

Along with a fake user / password box of:

0x80070424 Warning: Activation Key Damaged !!! Call Windows Help Desk: +0-800-090-3105 (TOLL-FREE)

asking victims to call 08000903105, aka. “0800 090 3105” or +448000903105.
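From the detection side, the wording and the repeated freephone number are the recognisable parts of these pages. The following is an added example (not part of the original post) that scores page text against the phrases quoted above and normalises UK 0800 numbers into the three spellings listed (spaced, national, +44); the sample alert is constructed from the quoted wording.

```python
"""Added example (not part of the original post): a heuristic scorer for page
text resembling the fake "Security Error" / "Hard Drive Safety Delete" alerts
quoted above, plus normalisation of UK 0800 numbers into the forms listed in
the post (0800 098 8522, 08000988522, +448000988522). The sample alert text
is constructed from the wording quoted in the post."""
from __future__ import annotations
import re

# Scare phrases seen in the quoted alerts (scored by count, not exhaustive)
SCARE_PHRASES = (
    "do not shut down", "do not restart", "data loss", "hard drive safety delete",
    "virus_detected", "call windows help desk", "contact windows technicians",
    "toll free", "tollfree", "toll-free", "activation key damaged",
)

# UK freephone 0800 numbers with any mix of spaces/dashes and a 0 or +44 prefix
UK_0800_RE = re.compile(r"(?:\+?44|0)[\s-]*800[\s-]*(\d{3})[\s-]*(\d{4})")


def normalise_uk_0800(raw: str) -> dict | None:
    """Return the three spellings of the first 0800 number in raw, or None."""
    m = UK_0800_RE.search(raw)
    if not m:
        return None
    national = "0800" + m.group(1) + m.group(2)
    return {"spaced": f"0800 {m.group(1)} {m.group(2)}",
            "national": national,
            "e164": "+44" + national[1:]}


def extract_numbers(text: str) -> tuple[list[str], int]:
    """Distinct 0800 numbers in E.164 form, plus the total count of mentions."""
    distinct, mentions = [], 0
    for m in UK_0800_RE.finditer(text):
        mentions += 1
        e164 = "+44800" + m.group(1) + m.group(2)
        if e164 not in distinct:
            distinct.append(e164)
    return distinct, mentions


def score_page(text: str) -> dict:
    """Score page text; 'suspicious' is True at 4 or more points."""
    lowered = text.lower()
    hits = [p for p in SCARE_PHRASES if p in lowered]
    numbers, mentions = extract_numbers(text)
    score = len(hits)
    if numbers:
        score += 2   # a number to call is the whole point of these pages
    if mentions >= 2:
        score += 1   # the same number repeated is a strong tell
    return {"hits": hits, "numbers": numbers, "mentions": mentions,
            "score": score, "suspicious": score >= 4}


# Constructed from the alert wording quoted above (the scammers' typos kept)
SAMPLE_ALERT = """Security Error
There is a .net frame work file missing due to some harmfull virus
Please contact Windows technicians to rectify the issue.
Tollfree Helpline at 0-800-098-8522
PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS
CONTACT ADMINISTRATOR DEPARTMENT TO RESOLVE THE ISSUE ON TOLL FREE - 0-800-098-8522"""

# Constructed benign text that also carries a freephone number
SAMPLE_BENIGN = "Your August invoice is attached. Call 0800 123 4567 with any questions."

if __name__ == "__main__":
    for name, text in (("alert", SAMPLE_ALERT), ("benign", SAMPLE_BENIGN)):
        print(name, score_page(text))
```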

The scam domain I came across is also associated with:


Associated with the domains is “sarthak754@gmail.com” and the following set of domains that were previously hosted on another server:



Enphase Envoy-S Open Ports!

If you are interested in other Enphase information, the following pages may also be of interest:
Reverse Engineering the Enphase Installer Toolkit
Enphase Envoy-S “Data Scraping”.

Further to my last post about the Envoy-S JSON data that can be retrieved, I did some more intrusive testing.

Several things to note. It seems that a change between the Envoy-S and the Envoy LCD moved two of the hosts to communicate over HTTP port 80 instead of HTTPS on port 443.

(Screenshot: Envoy hosts switching from HTTPS to HTTP)

The data exchanged over HTTP port 80 does seem to be obfuscated in some way, beyond my skills to decipher, but it is a shame that the entire TLS handshake seems to have been abandoned. The “reports.” hostname seems to be the one mainly communicated with; I’ve not noticed any port 443 requests to the “home.” hostname.

Moving on from that, a port scan against my Envoy-S reveals quite a staggering number of open TCP ports:

Port 22
SSH “SSH-2.0-OpenSSH_6.6”

Port 53
Commonly used as the DNS port, but it doesn’t seem to respond to TCP DNS requests. Upon connecting to it via Telnet you instantly get a TCP FIN and the connection is closed.

Port 80
Easy: the web interface! It doesn’t give away what kind of HTTP daemon it uses though.

Port 8082
Some sort of web server. Responds with an authentication request for Digest realm=”enphaseenergy.com”, and the web server in use is Xavante 2.2.0.

Port 8100
Another Xavante 2.2.0 web server that instantly gives a 404, but the 404 contains the entire URL requested rather than just “/”:
The requested URL http://10.0.0.177:8100/ was not found on this server.
This almost makes me wonder if it is some sort of open reverse proxy for Enphase to hop in and access the IPs(?) of the inverters for troubleshooting.

Port 9091
Exactly the same as above.

UDP Port 5353
MDNS Responder


Enphase Envoy-S “Data Scraping”.

If you are interested in other Enphase information, the following pages may also be of interest:
Reverse Engineering the Enphase Installer Toolkit
Enphase Envoy-S Open Ports!

I’ve recently had to interface with an Enphase Envoy Solar PV system. The annoying thing is the lack of documentation.

The API for the “cloud service” exists and is well documented but the API for the local device itself doesn’t seem to exist.

There is one tiny one-page document that seems to suggest you can get some data from the device. The information gleaned from their example API “http://device.ip.address.here/api/v1/production” is poor:

{
 "wattHoursToday": 6641,
 "wattHoursSevenDays": 6641,
 "wattHoursLifetime": 6669,
 "wattsNow": 90
}

First, it gives far LESS information than you can retrieve from the device’s main web page on the LAN. Secondly, the wattsNow field doesn’t seem to match the information displayed on the main page of the device, and wattHoursSevenDays is also slightly off. Third, it doesn’t even update regularly, so you can’t build a system that detects dips in production due to cloud cover etc.

However, I did find some other sensible sources of information, and information that updates at an even more regular rate than the device’s main website!

When you visit the site on the device running firmware D4.2.27 it makes the following requests:

http://10.0.0.177/backbone/application.js?version=04.02.43
This URL contains a lot of references to other JSON files that I need to research. See further down in this post for the other URLs exposed.

http://10.0.0.177/home.json
This JSON file contains the database size / utilisation, date and time on the device, connection status and settings, and update status.

http://10.0.0.177/production.json
Contains the most useful information: production and (if fitted) consumption data!

{
   "production":[
      {
         "type":"inverters",
         "wNow":74,
         "whLifetime":6815.014722222222,
         "readingTime":1470250044,
         "activeCount":14
      },
      {
         "type":"eim",
         "activeCount":1,
         "whLifetime":6704.458,
         "whLastSevenDays":6676.458,
         "whToday":6676.458,
         "wNow":66.236,
         "rmsCurrent":1.179,
         "rmsVoltage":246.433,
         "reactPwr":276.774,
         "apprntPwr":290.494,
         "pwrFactor":0.23,
         "readingTime":1470250044
      }
   ],
   "consumption":[
      {
         "type":"eim",
         "activeCount":1,
         "whLifetime":8025.821,
         "whLastSevenDays":7899.821,
         "whToday":7899.821,
         "wNow":2641.386,
         "varhLeadToday":2822.701,
         "varhLagToday":1810.03,
         "vahToday":9018.68,
         "varhLeadLifetime":2951.701,
         "varhLagLifetime":1922.03,
         "vahLifetime":9473.68,
         "rmsCurrent":11.924,
         "rmsVoltage":246.458,
         "reactPwr":-284.009,
         "apprntPwr":2938.817,
         "pwrFactor":0.9,
         "readingTime":1470250044
      }
   ]
}

http://10.0.0.177/inventory.json
Also contains some very useful information: detailed status about the state of each micro-inverter. So far I’ve seen the following states:

– “envoy.global.ok”
– “envoy.cond_flags.pcu_ctrl.commandedreset”
– “envoy.cond_flags.pcu_ctrl.dc-pwr-low”
– “envoy.cond_flags.obs_strs.discovering”
– “envoy.cond_flags.obs_strs.failure”
The full conversion table of what these status messages mean in English is at the end of this article.

The full output of the page is as follows:

[
   {
      "type":"PCU",
      "devices":[
         {
            "part_num":"800-00356-r04",
            "installed":"1470228526",
            "serial_num":"REDACTED",
            "device_status":[
               "envoy.cond_flags.pcu_ctrl.commandedreset",
               "envoy.cond_flags.pcu_ctrl.dc-pwr-low"
            ],
            "last_rpt_date":"1470249596",
            "admin_state":1,
            "created_date":"1470228526",
            "img_load_date":"1424997903",
            "img_pnum_running":"520-00045-r01-v01.22.00",
            "ptpn":"540-00087-r01-v01.22.00",
            "producing":true,
            "communicating":true,
            "chaneid":1627392273,
            "device_control":[
               {
                  "gficlearset":false
               }
            ]
         },
         {
            "part_num":"800-00356-r04",
            "installed":"1470228529",
            "serial_num":"REDACTED",
            "device_status":[
               "envoy.cond_flags.obs_strs.discovering"
            ],
            "last_rpt_date":"1470249602",
            "admin_state":1,
            "created_date":"1470228529",
            "img_load_date":"1424997903",
            "img_pnum_running":"520-00045-r01-v01.22.00",
            "ptpn":"540-00087-r01-v01.22.00",
            "producing":false,
            "communicating":true,
            "chaneid":1627392529,
            "device_control":[
               {
                  "gficlearset":false
               }
            ]
         },
         {
            "part_num":"800-00356-r04",
            "installed":"1470228533",
            "serial_num":"REDACTED",
            "device_status":[
               "envoy.global.ok"
            ],
            "last_rpt_date":"1470249613",
            "admin_state":1,
            "created_date":"1470228533",
            "img_load_date":"1424997903",
            "img_pnum_running":"520-00045-r01-v01.22.00",
            "ptpn":"540-00087-r01-v01.22.00",
            "producing":true,
            "communicating":true,
            "chaneid":1627392785,
            "device_control":[
               {
                  "gficlearset":false
               }
            ]
         }
      ]
   }
]

All of this means you can make your own system that (in my case) refreshes generation and consumption status up to the second!

A couple of notes: the consumption metering / data seems to give strange low or even negative values if you fetch the JSON file more than roughly once per second (possibly because it works on a counter and the maths goes wrong?).
During night-time the production metering goes to a negative value, for example -7 watts. This is in fact the correct reading; the Envoy-S JavaScript filters out negative values and ensures a 0 is displayed. Cheeky!
The panel count in the main production.json file is the count of associated panels, not the currently generating panels. I’ve used the inventory.json file to count the number of panels “producing”; I refresh this information every 3 minutes instead of every second.

(Screenshots: solar status and per-panel status dashboards)

My next steps are to investigate the JavaScript and see what other pages are accessible. I also need to see if I can reverse engineer, find out or ask the installer for the “Installer Login” password.

I also wish there was public documentation. No Google searches for the status strings or other data I’ve found in the JSON files have returned any results to do with Enphase / Solar PV.

The backbone/application.js file exposes the following sub-files on the device’s web server:
– /admin/lib/admin_dcc_display.json
– /ivp/tpm/capability
– /datatab/event_dt.rb?start=0&length=153
– /info.xml
– /ivp/meters
– /installer/pcu_comm_check
– /api/v1/production/inverters
– /prov
– /ivp/peb/newscan
– /installer/profiles/index.json
– /installer/profiles/details.json
– /installer/profiles/inverters_status.json
– /installer/profiles/set_profile.json
– /admin/lib/admin_pmu_display.json
– /ivp/peb/reportsettings
– /ivp/tpm/select
– /ivp/tpm/tpmstatus
– /ivp/tpm/parameters
– /admin/lib/dba.json
– /admin/lib/security_display.json
– /admin/lib/date_time_display.json?tzlist=1&locale=en
– /admin/lib/network_display.json
– /api/v1/production/inverters
– /admin/lib/wireless_display.json?site_info=0

Full status message system strings to plain English:

        cond_flags: {
            acb_ctrl: {
                bmuhardwareerror: "BMU Hardware Error",
                bmuimageerror: "BMU Image Error",
                bmumaxcurrentwarning: "BMU Max Current Warning",
                bmusenseerror: "BMU Sense Error",
                cellmaxtemperror: "Cell Max Temperature Error",
                cellmaxtempwarning: "Cell Max Temperature Warning",
                cellmaxvoltageerror: "Cell Max Voltage Error",
                cellmaxvoltagewarning: "Cell Max Voltage Warning",
                cellmintemperror: "Cell Min Temperature Error",
                cellmintempwarning: "Cell Min Temperature Warning",
                cellminvoltageerror: "Cell Min Voltage Error",
                cellminvoltagewarning: "Cell Min Voltage Warning",
                cibcanerror: "CIB CAN Error",
                cibimageerror: "CIB Image Error",
                cibspierror: "CIB SPI Error"
            },
            obs_strs: {
                discovering: "Discovering",
                failure: "Failure to report",
                flasherror: "Flash Error",
                notmonitored: "Not Monitored",
                ok: "Normal",
                plmerror: "PLM Error",
                secmodeenterfailure: "Secure mode enter failure",
                secmodeexitfailure: "Secure mode exit failure",
                sleeping: "Sleeping"
            },
            pcu_chan: {
                acMonitorError: "AC Monitor Error",
                acfrequencyhigh: "AC Frequency High",
                acfrequencylow: "AC Frequency Low",
                acfrequencyoor: "AC Frequency Out Of Range",
                acvoltage_avg_hi: "AC Voltage Average High",
                acvoltagehigh: "AC Voltage High",
                acvoltagelow: "AC Voltage Low",
                acvoltageoor: "AC Voltage Out Of Range",
                acvoltageoosp1: "AC Voltage Out Of Range - Phase 1",
                acvoltageoosp2: "AC Voltage Out Of Range - Phase 2",
                acvoltageoosp3: "AC Voltage Out Of Range - Phase 3",
                agfpowerlimiting: "AGF Power Limiting",
                dcresistancelow: "DC Resistance Low",
                dcresistancelowpoweroff: "DC Resistance Low - Power Off",
                dcvoltagetoohigh: "DC Voltage Too High",
                dcvoltagetoolow: "DC Voltage Too Low",
                dfdt: "AC Frequency Changing too Fast",
                gfitripped: "GFI Tripped",
                gridgone: "Grid Gone",
                gridinstability: "Grid Instability",
                gridoffsethi: "Grid Offset Hi",
                gridoffsetlow: "Grid Offset Low",
                hardwareError: "Hardware Error",
                hardwareWarning: "Hardware Warning",
                highskiprate: "High Skip Rate",
                invalidinterval: "Invalid Interval",
                pwrgenoffbycmd: "Power generation off by command",
                skippedcycles: "Skipped Cycles",
                vreferror: "Voltage Ref Error"
            },
            pcu_ctrl: {
                alertactive: "Alert Active",
                altpwrgenmode: "Alternate Power Generation Mode",
                altvfsettings: "Alternate Voltage and Frequency Settings",
                badflashimage: "Bad Flash Image",
                bricked: "No Grid Profile",
                commandedreset: "Commanded Reset",
                criticaltemperature: "Critical Temperature",
                "dc-pwr-low": "DC Power Too Low",
                iuplinkproblem: "IUP Link Problem",
                manutestmode: "In Manu Test Mode",
                nsync: "Grid Perturbation Unsynchronized",
                overtemperature: "Over Temperature",
                poweronreset: "Power On Reset",
                pwrgenoffbycmd: "Power generation off by command",
                runningonac: "Running on AC",
                tpmtest: "Transient Grid Profile",
                unexpectedreset: "Unexpected Reset",
                watchdogreset: "Watchdog Reset"
            },
            rgm_chan: {
                check_meter: "Meter Error",
                power_quality: "Poor Power Quality"
            }
        }

Some more info about errors can be found on page 45 of the manual.
CommandedReset Recommended Action: No action is required; it will automatically resume normal operation momentarily. Description: The microinverter was reset, either following a successful software download or by user command.

DcPowerTooLow Recommended Action: This condition should correct itself. No action is required. Description: This condition may occur at sunrise or sunset, while the modules are covered with snow, or during extreme weather. This event indicates that sunlight levels are too low for effective production. Once sunlight levels increase, the microinverter resumes power production and this event message will clear.

DcVoltageTooLow Recommended Action: This is usually a normal condition during hours of low light and at dawn and dusk. No action is required. Description: The microinverter reports that DC input voltage from the PV module is too low. If this condition does not clear during hours of full day

PowerOnReset Description: The microinverter has powered on after having DC disconnected.
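As an added example (my own code, not Enphase’s), here is a small reader for the production.json and inventory.json documents shown earlier in this post. It translates the “envoy.cond_flags.*” strings using a subset of the table above, keeps the negative night-time production reading instead of clamping it to 0, counts “producing” inverters from inventory.json rather than trusting activeCount, and rate-limits polling to once per second because faster consumption polling gave bogus values. The sample documents are trimmed copies of the output quoted in the post.

```python
"""Added example (not Enphase's code): a reader for the Envoy-S production.json
and inventory.json documents shown above. It translates the "envoy.cond_flags.*"
status strings with a subset of the table pulled from application.js, keeps the
negative night-time production reading rather than clamping it to 0, and
rate-limits polling to once per second, since faster consumption polling gave
bogus values. The sample documents are trimmed copies of the post's output."""
import json
import time

# Subset of the cond_flags table above, keyed exactly as in the JS object
COND_FLAGS = {
    "obs_strs": {"discovering": "Discovering", "failure": "Failure to report",
                 "ok": "Normal", "sleeping": "Sleeping"},
    "pcu_ctrl": {"commandedreset": "Commanded Reset", "dc-pwr-low": "DC Power Too Low",
                 "poweronreset": "Power On Reset"},
    "pcu_chan": {"gridgone": "Grid Gone", "gfitripped": "GFI Tripped"},
}


def describe_status(status: str) -> str:
    """'envoy.cond_flags.pcu_ctrl.dc-pwr-low' -> 'DC Power Too Low'."""
    if status == "envoy.global.ok":
        return "Normal"
    parts = status.split(".")
    if len(parts) == 4 and parts[:2] == ["envoy", "cond_flags"]:
        return COND_FLAGS.get(parts[2], {}).get(parts[3], status)
    return status  # unknown string: pass through untranslated


def parse_production(doc: str) -> dict:
    data = json.loads(doc)
    prod = {e["type"]: e for e in data["production"]}
    cons = data.get("consumption") or []
    # prefer the CT metering ("eim") reading and fall back to the inverter sum
    meter = prod.get("eim") or prod["inverters"]
    return {
        "production_w": meter["wNow"],  # negative at night is a real reading; keep it
        "production_wh_today": prod.get("eim", {}).get("whToday"),
        "inverters_associated": prod["inverters"]["activeCount"],  # not "producing"
        "consumption_w": cons[0]["wNow"] if cons else None,
        "reading_time": meter["readingTime"],
    }


def parse_inventory(doc: str) -> dict:
    devs = [d for g in json.loads(doc) if g["type"] == "PCU" for d in g["devices"]]
    return {
        "total": len(devs),
        "producing": sum(1 for d in devs if d["producing"]),
        "communicating": sum(1 for d in devs if d["communicating"]),
        "status": [[describe_status(s) for s in d["device_status"]] for d in devs],
    }


class ProductionPoller:
    """Serves the cached reading if polled again within min_interval seconds."""

    def __init__(self, fetch, min_interval=1.0, clock=time.monotonic):
        self.fetch, self.min_interval, self.clock = fetch, min_interval, clock
        self._last, self._cache = None, None

    def poll(self) -> dict:
        now = self.clock()
        if self._last is not None and now - self._last < self.min_interval:
            return self._cache
        self._cache, self._last = parse_production(self.fetch()), now
        return self._cache


# Trimmed copies of the documents quoted above (serials already redacted there)
SAMPLE_PRODUCTION = """{"production":[
 {"type":"inverters","wNow":74,"whLifetime":6815.01,"readingTime":1470250044,"activeCount":14},
 {"type":"eim","activeCount":1,"whToday":6676.458,"wNow":66.236,"rmsVoltage":246.433,
  "readingTime":1470250044}],
 "consumption":[{"type":"eim","activeCount":1,"whToday":7899.821,"wNow":2641.386,
  "readingTime":1470250044}]}"""

SAMPLE_INVENTORY = """[{"type":"PCU","devices":[
 {"serial_num":"REDACTED","device_status":["envoy.cond_flags.pcu_ctrl.commandedreset",
  "envoy.cond_flags.pcu_ctrl.dc-pwr-low"],"producing":true,"communicating":true},
 {"serial_num":"REDACTED","device_status":["envoy.cond_flags.obs_strs.discovering"],
  "producing":false,"communicating":true},
 {"serial_num":"REDACTED","device_status":["envoy.global.ok"],"producing":true,
  "communicating":true}]}]"""

if __name__ == "__main__":
    print(parse_production(SAMPLE_PRODUCTION))
    print(parse_inventory(SAMPLE_INVENTORY))
```

To poll a real device, pass a fetch callable that returns the body of http://<envoy-ip>/production.json as text.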
