diy solar

New EG4 6000XP Install

jeremyee (New Member; joined Dec 15, 2021; 106 messages)
Unistrut up and one 6000XP on the wall. Wireway and other parts on the way. Will be running the single unit for a month until I order the other two 6000XP units.

Final Design
3x EG4 6000XP
4x PV arrays, each 3640 PV, total 14560
12x EG4 LifePower 48V 100Ah batteries
Victron Cerbo & Shunt for monitoring

Thoughts so far
1) EG4 6000XP needs a French cleat for mounting like the Victron Quattro
2) EG4 Monitoring - Should be able to add unit without providing sell/installer code and add later for customer support
3) Device was packaged securely and arrived physically undamaged
4) Would like to see a module/dongle that provides WiFi and Ethernet for monitoring, not separate units
5) Would like to have an access panel with hinges and not 7 small screws (would be willing to pay more for this)
6) Prefer the airflow from bottom to top, but I understand the current design. Would be nice to have an air baffle to deflect hot air away from the adjacent device air inlet
7) Nice easy-to-read manual included in box.
8) Not sure if this unit has them, but would be nice to have breakers that are replaceable *** WILL UPDATE ON STATUS ***

More to come
 
Installed my first 6kxp yesterday replacing two 6500ex.

Few things:
  • Much quieter. This is huge since I installed in my garage and am constantly working (re: tinkering) out there.
  • Standard screws, the size needed, typically have larger heads that can be accommodated with the holes in the brackets. Main installing a pain.
  • My biggest complaint so far is I had to disable L7 block to China to allow the connection to the cloud. I have verified with my DNS server that it’s processing requests to China for the device. I’ve never had to do this, even with Tuya sponsored devices. There doesn’t appear to be a setting for this.
@EG4_Jarrett maybe you could look into this? A pretty decent issue from a security perspective. I mean, if someone wants to know when I’m using power, whatever. But most people will not know how to proxy the traffic only to the WAN and block LAN access. Seen another engineer reverse engineer the device and found the EG4 US based server address. That seems to be an option that is updatable on the 18kpv. But not the 6kpv variant.
 
Installed my first 6kxp yesterday replacing two 6500ex.

Few things:
  • Much quieter. This is huge since I installed in my garage and am constantly working (re: tinkering) out there.
  • Standard screws, the size needed, typically have larger heads that can be accommodated with the holes in the brackets. Main installing a pain.
  • My biggest complaint so far is I had to disable L7 block to China to allow the connection to the cloud. I have verified with my DNS server that it’s processing requests to China for the device. I’ve never had to do this, even with Tuya sponsored devices. There doesn’t appear to be a setting for this.
@EG4_Jarrett maybe you could look into this? A pretty decent issue from a security perspective. I mean, if someone wants to know when I’m using power, whatever. But most people will not know how to proxy the traffic only to the WAN and block LAN access. Seen another engineer reverse engineer the device and found the EG4 US based server address. That seems to be an option that is updatable on the 18kpv. But not the 6kpv variant.
So the 6000xp is sending data over layer 7 protocols (http/https/api calls/etc) to China? I have that blocked on my Mikrotik routers as well in my home. Definitely concerning. Wonder if this is a 6000xp thing vs the wifi dongle for it.

When I connected my first Growatt years ago with WiFi and Shine App, caught the exact same thing with Mikrotik, which led me to Solar Assistant.
 
Got mine installed this last weekend. Talking about security, is there any way to either turn off the SSID broadcast or set a password for it? As it is, anyone and their mom running the EG4 app on their phone can connect to that WiFi from the device and change the config. I can't see any place to disable it in the config.
 
So the 6000xp is sending data over layer 7 protocols (http/https/api calls/etc) to China? I have that blocked on my Mikrotik routers as well in my home. Definitely concerning. Wonder if this is a 6000xp thing vs the wifi dongle for it.

When I connected my first Growatt years ago with WiFi and Shine App, caught the exact same thing with Mikrotik, which led me to Solar Assistant.
Interesting. I am running a FW with an IoT VLAN with an ACL to prevent this. I should have this one online in a day or so to test the online monitoring. I am guessing it's a dongle if it works like the Growatt as a serial to IP gateway. Yeah, I see the same with Growatt and most China devices.

I saw the Solar Assistant has Lux devices added a few updates ago, does the 6000 XP work with it?
 
Got mine installed this last weekend. Talking about security, is there any way to either turn off the SSID broadcast or set a password for it? As it is, anyone and their mom running the EG4 app on their phone can connect to that WiFi from the device and change the config. I can't see any place to disable it in the config.
I will check in a few days, but I am guessing that the WiFi hotspot is not available after you join your home network. I would hope you can change the password to the dongle login for security also. No need to hide the SSID because any hacker can find it in a few seconds as it's transmitted all the time. Hiding the SSID just makes it hard for the average user to find.
 
I will check in a few days, but I am guessing that the WiFi hotspot is not available after you join your home network. I would hope you can change the password to the dongle login for security also. No need to hide the SSID because any hacker can find it in a few seconds as it's transmitted all the time. Hiding the SSID just makes it hard for the average user to find.
No, it still works after joining your local connection. I'm planning to get on the phone with SS support tomorrow to at least raise the flag. Security risk all over the place with that thing. Great inverter, not so great WiFi implementation.
 
Installed my first 6kxp yesterday replacing two 6500ex.

Few things:
  • Much quieter. This is huge since I installed in my garage and am constantly working (re: tinkering) out there.
  • Standard screws, the size needed, typically have larger heads that can be accommodated with the holes in the brackets. Main installing a pain.
  • My biggest complaint so far is I had to disable L7 block to China to allow the connection to the cloud. I have verified with my DNS server that it’s processing requests to China for the device. I’ve never had to do this, even with Tuya sponsored devices. There doesn’t appear to be a setting for this.
@EG4_Jarrett maybe you could look into this? A pretty decent issue from a security perspective. I mean, if someone wants to know when I’m using power, whatever. But most people will not know how to proxy the traffic only to the WAN and block LAN access. Seen another engineer reverse engineer the device and found the EG4 US based server address. That seems to be an option that is updatable on the 18kpv. But not the 6kpv variant.
They are all Amazon USA servers; they might ping China the first time, then move to Amazon servers right after that.
 
No, it still works after joining your local connection. I'm planning to get on the phone with SS support tomorrow to at least raise the flag. Security risk all over the place with that thing. Great inverter, not so great WiFi implementation.
I just connected it also and it is wide open after connecting to the local WiFi network like you said. NOT GOOD. Let me know what you find out. I hate to pay another $100 for the Ethernet dongle.

Also, if you have a firewall, this is what worked for me. At least it's an Amazon server in the U.S.

SRC IP: xxx.xxx.xxx.xxx
DST IP: 3.101.7.137
DST Port: 4346

Amazon Technologies Inc. AT-88-Z (NET-3-0-0-0-1) 3.0.0.0 - 3.127.255.255
Amazon.com, Inc. AMAZON-SFO (NET-3-101-0-0-1) 3.101.0.0 - 3.101.255.255

tracert.
.
..
..

9 17 ms 22 ms 20 ms be-1412-cr12.dallas.tx.ibone.comcast.net [68.86.166.126]
10 30 ms 30 ms 30 ms be-303-cr12.1601milehigh.co.ibone.comcast.net [96.110.38.105]
11 41 ms 33 ms 37 ms be-1112-cs01.1601milehigh.co.ibone.comcast.net [96.110.39.81]
12 33 ms 33 ms 36 ms be-1113-cr13.1601milehigh.co.ibone.comcast.net [96.110.39.98]
13 36 ms 30 ms 32 ms be-303-cr13.champa.co.ibone.comcast.net [96.110.36.201]
14 31 ms 33 ms 29 ms be-1313-cs03.champa.co.ibone.comcast.net [96.110.37.233]
15 31 ms 36 ms 32 ms be-3312-pe12.910fifteenth.co.ibone.comcast.net [96.110.33.138]
16 * * * Request timed out.
17 * * * Request timed out.
18 31 ms 30 ms 31 ms 52.93.74.93
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 53 ms 66 ms 53 ms ec2-3-101-7-137.us-west-1.compute.amazonaws.com [3.101.7.137]
 
They are all Amazon USA servers; they might ping China the first time, then move to Amazon servers right after that.
That’s not how networking and changes to destinations work, not through a ping. What I hear you saying is that the 6000xp connects to a server in China which reconfigures it to connect to a new target in the U.S.? So China can reconfig these inverter systems?
 
Interesting. I am running a FW with an IoT VLAN with an ACL to prevent this. I should have this one online in a day or so to test the online monitoring. I am guessing it's a dongle if it works like the Growatt as a serial to IP gateway. Yeah, I see the same with Growatt and most China devices.

I saw the Solar Assistant has Lux devices added a few updates ago, does the 6000 XP work with it?
FW with an IoT VLAN with an ACL ----- WHAT DOES THIS MEAN????????
 
No, it still works after joining your local connection. I'm planning to get on the phone with SS support tomorrow to at least raise the flag. Security risk all over the place with that thing. Great inverter, not so great WiFi implementation.
I am seeing the same thing. Can you post your finding here?
 
That’s not how networking and changes to destinations work, not through a ping. What I hear you saying is that the 6000xp connects to a server in China which reconfigures it to connect to a new target in the U.S.? So China can reconfig these inverter systems?
Originally they were Chinese servers; we changed it to Amazon servers, and we have control over that. Every once in a while I have to move a dongle over to the Amazon server because it wasn’t configured right to automatically switch over.
 
FW = Firewall, ACL = Access List, and IoT VLAN is a dedicated VLAN for Internet of Things (IoT) devices to isolate traffic from talking to other devices. Think of VLANs as putting devices in different rooms with closed doors where they cannot talk to each other unless you let them. Sorry for all the network jargon. Hope this makes sense now.
 
@EG4_Jarrett maybe you could look into this? A pretty decent issue from a security perspective. I mean, if someone wants to know when I’m using power, whatever. But most people will not know how to proxy the traffic only to the WAN and block LAN access. Seen another engineer reverse engineer the device and found the EG4 US based server address. That seems to be an option that is updatable on the 18kpv. But not the 6kpv variant.
Absolutely. Give me some time to document the issue, look into it, and get it in the hands of someone higher up. I will also need to come up with a couple of possible solutions for us to put in place. I think that the obvious answer would be to allow the End-User to secure the datalogger. It's something I will bring up though and look into getting resolved.
 
Looks like the dongle started communicating with China this morning. I caught it in my non-U.S. traffic alert list. Not a huge deal, but I will be blocking this traffic to see what doesn't work. Looks like this unit came with the latest firmware.


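| Timestamp | Protocol | Hostname | Username | Client | Client Port | Server | Server Port | Blocked (Firewall) | Flagged (Firewall) | Rule (Firewall) |
|---|---|---|---|---|---|---|---|---|---|---|
| 12/12/2023 11:03 | TCP [6] | espressif | | x | 58275 | 101.43.203.201 | 65000 | FALSE | TRUE | .. |
| 12/12/2023 11:02 | TCP [6] | espressif | | x | 58274 | 101.43.203.201 | 65000 | FALSE | TRUE | .. |
| 12/12/2023 11:01 | TCP [6] | espressif | | x | 58273 | 101.43.203.201 | 65000 | FALSE | TRUE | .. |
| 12/12/2023 11:00 | TCP [6] | espressif | | x | 58272 | 101.43.203.201 | 65000 | FALSE | TRUE | .. |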



% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '101.42.0.0 - 101.43.255.255'

% Abuse contact for '101.42.0.0 - 101.43.255.255' is 'tencent_noc@tencent.com'

inetnum: 101.42.0.0 - 101.43.255.255
netname: TENCENT-CN
descr: Tencent Cloud Computing (Beijing) Co., Ltd
descr: Floor 6, Yinke Building, 38 Haidian St, Haidian District
country: CN
org: ORG-TCCC1-AP
admin-c: TCA15-AP
tech-c: TCA15-AP
abuse-c: AT992-AP
status: ALLOCATED PORTABLE
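
An added example, not part of any post in this thread: a small Python audit that checks one device's rows in a firewall connection export against an egress allowlist, using the endpoint, port and whois ranges posted above, and reports which unexpected destinations the firewall is still letting through. The CSV layout, the 10.20.30.x client addresses and the port-443 row are constructed for illustration.

```python
import csv, io, ipaddress
from collections import defaultdict

# Egress allowlist: the Amazon-hosted endpoint and port one poster permitted.
ALLOWED = {(ipaddress.ip_address("3.101.7.137"), 4346)}

# Ranges and netnames as they appear in the whois output quoted in the thread.
WHOIS = {"AMAZON-SFO": ("3.101.0.0", "3.101.255.255"),
         "TENCENT-CN": ("101.42.0.0", "101.43.255.255")}

def netname(ip):
    for name, (lo, hi) in WHOIS.items():
        if ip.version == 4 and ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi):
            return name
    return "UNKNOWN"

def audit(log_text, hostname):
    """Count one device's outbound flows that fall outside the allowlist."""
    hits = defaultdict(lambda: {"count": 0, "not_blocked": 0})
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        if row["hostname"] != hostname:
            continue
        try:
            dst, port = ipaddress.ip_address(row["server"]), int(row["server_port"])
        except (ValueError, TypeError):
            continue  # skip malformed rows instead of aborting the audit
        if (dst, port) in ALLOWED:
            continue
        entry = hits[(netname(dst), str(dst), port)]
        entry["count"] += 1
        entry["not_blocked"] += row["blocked"].upper() == "FALSE"
    return dict(hits)

# Constructed sample modelled on the firewall export in the thread; the CSV
# layout, client addresses and the port-443 row are made up for illustration.
SAMPLE_LOG = """
timestamp,protocol,hostname,client,client_port,server,server_port,blocked
12/12/2023 11:00,TCP,espressif,10.20.30.40,58272,101.43.203.201,65000,FALSE
12/12/2023 11:01,TCP,espressif,10.20.30.40,58273,101.43.203.201,65000,FALSE
12/12/2023 11:02,TCP,espressif,10.20.30.40,58274,101.43.203.201,65000,FALSE
12/12/2023 11:03,TCP,espressif,10.20.30.40,58301,3.101.7.137,4346,FALSE
12/12/2023 11:04,TCP,espressif,10.20.30.40,58302,3.101.7.137,443,TRUE
12/12/2023 11:04,TCP,laptop,10.20.30.50,50111,101.43.203.201,65000,FALSE
12/12/2023 11:05,TCP,espressif,10.20.30.40,58303,not-an-ip,65000,FALSE
"""

if __name__ == "__main__":
    for (net, dst, port), s in audit(SAMPLE_LOG, "espressif").items():
        print(f"{net:<11}{dst}:{port}  seen={s['count']}  not_blocked={s['not_blocked']}")
```

A non-zero `not_blocked` count means the rule only flags the flow, as in the export above where Blocked is FALSE and Flagged is TRUE.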
 
Absolutely. Give me some time to document the issue, look into it, and get it in the hands of someone higher up. I will also need to come up with a couple of possible solutions for us to put in place. I think that the obvious answer would be to allow the End-User to secure the datalogger. It's something I will bring up though and look into getting resolved.
Thank you sir. It definitely is still communicating with China. Not sure how to access anything to change it.
 