This repository documents the reverse engineering of the binary data that a NEP inverter sends to its monitoring portal. Since NEP does not provide an API for the inverter, and the inverter has no Modbus, serial or other interface, the goal is to understand how operational parameters such as serial number, AC voltage (V-AC), and AC power (P-AC) are encoded in the transmitted binary data.
The Python server implemented in this project operates over HTTP and listens for GET and POST requests. It serves the following primary functions:
- GET `/metrics`: Responds with the latest wattage readings from all monitored inverters, formatted for easy integration with monitoring solutions (like Prometheus and Grafana).
- GET `/data.json`: Responds with a JSON map of the latest wattage readings from all monitored inverters with timestamps, formatted for debugging.
- POST `/i.php`: Receives binary data packets from inverters, extracts operational parameters, and updates the latest readings for each inverter.
- Error Handling: Responds with a 400 Bad Request error for paths other than `/metrics`, `/data.json` and `/i.php`, indicating invalid endpoints.
- Dynamic Data Handling: Utilizes a dictionary to store and update wattage readings from different inverters identified by their serial numbers.
- Simple Deployment: Configurable via environment variables `NEP_LISTEN_ADDR` and `NEP_LISTEN_PORT` for flexible deployment.
- Simple Deployment: Configurable via environment variables `NEP_MQTT_ADDR` and `NEP_MQTT_PORT`.
- MQTT Topics: On every new incoming `/i.php` request, the server publishes the following values live on the following topics:
  - Payload: original payload under `nepserver/payload`
  - WATT: under `homeassistant/sensor/{serial_number}/watt`
- Home-Assistant ready: it sends config topics for discovery so no extra configuration is needed:
  - watt sensor: `homeassistant/sensor/{serial_number}/watt/config`

The binary data sent to the portal is structured as follows:
```python
# Placeholders so the snippet runs; substitute real values.
sn = bytes(4)   # the inverter's 4 serial-number bytes
power = 0x00    # the P-AC byte

binary_data = bytes([
    #------#------#------#------#------#------#------#------#
    0x79, 0x26, 0x00, 0x40, 0x14, 0x00, 0x00, 0x0f,  # 8
    #------#------#------#------#------#------#------#------#
    0x0f, 0x0f, 0x0f, 0x00, 0x00, 0x1c, 0x00, 0xc3,  # 8
    #------#------#------#-------SERIAL-NUMBER-------#------#
    0xc3, 0xc3, 0xc3, sn[0], sn[1], sn[2], sn[3], 0x00,  # 8
    #------#-V-AC-#-P-AC-#------#------#------#------#------#
    0x00, 0x5a, power, 0x9d, 0x16, 0x80, 0x0f, 0x05,  # 8
    #------#------#------#------#------#------#------#------#
    0x02, 0xa6, 0x31, 0xd0, 0x0a, 0x11, 0x03, 0x05,  # 8
    #------#------#------#------#------#
    0x8a, 0x63, 0x17, 0xc0, 0x34  # 5
])
```
- Note: All of the bytes are little-endian, afaik.
Serial Number: Identified by the bytes following the 0xc3, 0xc3, 0xc3, 0xc3 sequence. This unique identifier is specific to each inverter.
AC Voltage: Represented by the bytes 0x00, 0x5a. This segment indicates the AC voltage, decoded as 230.4V (assuming the value is in millivolts).
AC Power: The `mittleres_byte` ("middle byte") represents the power in watts. The exact conversion factor from the byte value to watts is determined through experimental analysis.
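
The field positions described above, turned into a strict parser for the body of a POST to `/i.php`. This is an added example, not the repository's own server code. Assumptions: packets are always 45 bytes, the offsets are read off the layout shown above, V-AC is scaled by 1/100 because that reproduces the 230.4 V figure, and the names `parse_packet`, `Reading` and `build_sample` are hypothetical.

```python
import struct
from typing import NamedTuple

# Offsets derived from the 45-byte layout above (assumption: fixed-length packets).
PACKET_LEN = 45
MARKER = bytes([0xC3] * 4)  # sequence that precedes the serial number
MARKER_OFF = 15
SERIAL_OFF = 19             # 4 bytes
VAC_OFF = 24                # 2 bytes, little-endian
PAC_OFF = 26                # 1 byte


class Reading(NamedTuple):
    serial_hex: str  # raw serial bytes as hex; the display format is an assumption
    v_ac: float      # volts
    p_ac_raw: int    # raw byte; the watt conversion factor is not given on this page


def parse_packet(body: bytes) -> Reading:
    """Validate and decode one packet; raise ValueError on anything unexpected."""
    # The body arrives over the network, so check its shape before indexing into it.
    if len(body) != PACKET_LEN:
        raise ValueError(f"unexpected length {len(body)}, want {PACKET_LEN}")
    if body[MARKER_OFF:MARKER_OFF + 4] != MARKER:
        raise ValueError("0xc3 marker not found before serial number")
    serial = body[SERIAL_OFF:SERIAL_OFF + 4]
    (v_raw,) = struct.unpack_from("<H", body, VAC_OFF)
    # 0x00, 0x5a read little-endian is 0x5a00 = 23040; dividing by 100
    # reproduces the 230.4 V quoted above.
    return Reading(serial.hex(), v_raw / 100, body[PAC_OFF])


def build_sample(sn: bytes, power: int) -> bytes:
    """Constructed sample: the layout above with the given serial and P-AC byte."""
    return bytes([
        0x79, 0x26, 0x00, 0x40, 0x14, 0x00, 0x00, 0x0f,
        0x0f, 0x0f, 0x0f, 0x00, 0x00, 0x1c, 0x00, 0xc3,
        0xc3, 0xc3, 0xc3, *sn, 0x00,
        0x00, 0x5a, power, 0x9d, 0x16, 0x80, 0x0f, 0x05,
        0x02, 0xa6, 0x31, 0xd0, 0x0a, 0x11, 0x03, 0x05,
        0x8a, 0x63, 0x17, 0xc0, 0x34,
    ])


if __name__ == "__main__":
    print(parse_packet(build_sample(bytes.fromhex("01020304"), 0x2A)))
```

Rejecting bodies with the wrong length or a missing marker keeps malformed or unrelated POSTs from being stored as readings under an arbitrary serial number.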
The reverse engineering process involved analyzing the byte sequences sent in packets from the inverter to the monitoring portal. By changing specific bytes and observing the effects on the displayed data in the portal, we were able to deduce the purpose of various segments within the packet.
Decoding the entire structure of the binary data requires a comprehensive understanding of the inverter's operational metrics and potentially more sophisticated analysis techniques. Some segments of the data packet remain undeciphered and could represent other operational parameters like DC voltage, current, or system status indicators.
Contributions to further decode and understand the binary data structure are welcome. If you have insights or have conducted similar reverse engineering efforts, please feel free to contribute to this repository.