FCSP RS485 port access Success!

[cjueden]

Interesting that there is a USB port on the FCSP which is not apparently mentioned in any documentation that I have seen yet from Ford or SunRun.

I did not find any mention of the P3 debug connection pins either. They do say TX RX and COM on the circuit board so clearly for simple serial 2-way communications for debugging something, probably used by techs for testing and/or repair situations. Does not seem to be involved in normal operation communications with the HIS or the Truck.

I Googled the usb port on the Ford Charge Station Pro and while others have asked about it, nothing pops up about how it could be used, to update software/firmware for example.

Yes the Blue 80 is very similar right down to the rotary micro-switch for setting the max current, it is likely that the FCSP is a modification of that design or visa versa.

May need to snoop out the communications in a working HIS from someone who has one?

To unlock the bidirectionality.

I can confirm that the usb port on the FCSP supports a usb=>ethernet adapter to get ethernet access to the device. But can't get it to connect to the FordPass App. I ran a reset on the FCSP from the Charge Station Pro app and then attempted to run the setup with just the ethernet connection. I'm able to see the FCSP in the Charge Station Pro app while connected to the same network via wifi, but when entering the password It just fails and wants me to connect to it's AP. I'm now convinced this is a Blue 80A varient.

Running nmap on ethernet shows the same ports exposed as on the wifi.

While I have an ethernet connection I tried to access the local webpage on port 80/443 of the FCSP and got some type of Django debug log output webpage that looks like this

Some things I found these things interesting

And when trying to access the /accounts/login/ url suffix I get this

I tried to access these urls but get kicked back to the root page.


Note: I did not add these stars under password
I've attached the file if anyone's interested or know more about Django to dig through. It looks like you're not allowed to upload HTML files so just remove the .txt and it will open in a browser.




Seeing the "root" username I'm running hydra on the FCSP with that username. Currently at 11,xxx tries with no luck.

This data is going to have different formats for different register values. Here is a document which I believe is the valid modbus register mapping. It seems to match up with your testing.

Note that you are starting at 0 and they are starting at 1, so there is an offset you need to account for.

Good eye on that one and I'm playing around with the different data types to see what takes but I'm just guessing. The FCSP does start it's index at 0 not sure why. But I've had success with almost every address with the 0 index. I can add the yaml I'm using for ESPHOME if anyone is interested in trying.
Some of the addresses in your attachment do work but some don't. I'm also referencing THIS document also with the same mixed success.

If anyone is has any ideas/suggests/requests I'm all ears!

Sponsored

 

[ericpullen]

We had enumerated that before in another post, but it led no where at that time.
Here is something new I just found that might be worth looking into, especially the modbus piece.

https://cert-portal.siemens.com/productcert/html/ssa-556937.html

 

[tearitupsports]

Here is what I think is the correct Modbus register map. It is linked directly from the Blue 80 user manual.

 

[cjueden]

We had enumerated that before in another post, but it led no where at that time.
Here is something new I just found that might be worth looking into, especially the modbus piece.

https://cert-portal.siemens.com/productcert/html/ssa-556937.html

I saw this and plan to see what data I can get out of the MCU UART debug pins. Have you found anywhere that explains how to exploit the vulnerability?

Here is what I think is the correct Modbus register map. It is linked directly from the Blue 80 user manual.

I've been using this one plus the other that was linked a couple reply's back. I get mixed success with the addresses. Some work some don't :/

Does anyone know what these switches next to the rs485 ports do or have read about them being involved in the HIS setup?

 

[chl]

I saw this and plan to see what data I can get out of the MCU UART debug pins. Have you found anywhere that explains how to exploit the vulnerability?




I've been using this one plus the other that was linked a couple reply's back. I get mixed success with the addresses. Some work some don't :/

Does anyone know what these switches next to the rs485 ports do or have read about them being involved in the HIS setup?

In summary, "TERM SW" on a circuit board points to a switch specifically used for termination within a circuit or system, such as in RS-485 applications.

In the fully wired HIS (SunRun doc) the top RS485 is wired and the SW are like this (no change):

Too small to read the SW position, probably indicates an ON or OFF state?

 

[ericpullen]

Welp, I have some good news. I'm working on some software to make this a bit easier, but the hard part was getting the developer key:

curl https://192.168.1.197/api/v1/inverterinfo \
  -H "Authorization: Bearer <THISISSECRET>" \
  -k
[{"vendor":"Supreme Electronics","name":"inverter 1","tsInfo":"2020-03-13T15:39:19-04:00","firmware":"SYS-3.0.0","state":"0","slno":"0000000000000_RGM-00000000","model":"Star"}]%

 

[cjueden]

In summary, "TERM SW" on a circuit board points to a switch specifically used for termination within a circuit or system, such as in RS-485 applications.

In the fully wired HIS (SunRun doc) the top RS485 is wired and the SW are like this (no change):

Too small to read the SW position, probably indicates an ON or OFF state?

Hopefully this is a better quality photo. it looks like they're in the off state.

Welp, I have some good news. I'm working on some software to make this a bit easier, but the hard part was getting the developer key:

curl https://192.168.1.197/api/v1/inverterinfo \
  -H "Authorization: Bearer <THISISSECRET>" \
  -k
[{"vendor":"Supreme Electronics","name":"inverter 1","tsInfo":"2020-03-13T15:39:19-04:00","firmware":"SYS-3.0.0","state":"0","slno":"0000000000000_RGM-00000000","model":"Star"}]%

Nice! Is the developer key something that needs to be scraped off device or gotten from signing up with the vendor listed there?

 

[ericpullen]

Nice! Is the developer key something that needs to be scraped off device or gotten from signing up with the vendor listed there?

Right now you have to use a MITM solution to get the developer key, which you can then use to get the Bearer token. I'm writing up some Python code that will show how to do all of this except getting that developer key (although I'm gonna see if there is any way to get programmatically as well).

 

[ericpullen]

The more I think about it, I wonder if the devkey is the same for everyone. Once I get this software written, I may need a few volunteers that are a bit IT savvy to help me check their devkey's. If its the same for everyone, then I may just hardcode this for now (but an update to their app/firmware could break it in the future).

 

[ericpullen]

Making some progress:

# python examples/simple_inverter_example.py
🔌 Connecting to FCSP device at 192.168.1.197...
✅ Successfully connected and authenticated!
📡 Retrieving inverter information...

📊 Inverter Information:
==================================================

🔧 Inverter 1:
   vendor: Supreme Electronics
   name: inverter 1
   tsInfo: 2020-03-13T15:39:19-04:00
   firmware: SYS-3.0.0
   state: 0
   slno: 0000000000000_RGM-00000000
   model: Star

🎉 Example completed successfully!

 

[cjueden]

The more I think about it, I wonder if the devkey is the same for everyone. Once I get this software written, I may need a few volunteers that are a bit IT savvy to help me check their devkey's. If its the same for everyone, then I may just hardcode this for now (but an update to their app/firmware could break it in the future).

Sign me up. I can definitely help with that!

Making some progress:

# python examples/simple_inverter_example.py
🔌 Connecting to FCSP device at 192.168.1.197...
✅ Successfully connected and authenticated!
📡 Retrieving inverter information...

📊 Inverter Information:
==================================================

🔧 Inverter 1:
   vendor: Supreme Electronics
   name: inverter 1
   tsInfo: 2020-03-13T15:39:19-04:00
   firmware: SYS-3.0.0
   state: 0
   slno: 0000000000000_RGM-00000000
   model: Star

🎉 Example completed successfully!

This looks promising. Is the plan to querying these paths to read/see what comes back?

 

[ericpullen]

This looks promising. Is the plan to querying these paths to read/see what comes back?

Yup, already working to enumerate all of those. So far many are just returning status codes or are just POST methods (probably to update settings). Still need to dig more, but so far haven't found the right combo to get what I want. Once I get the test code to pull all the values in one shot, then I need to plug it in for a charge and start the list to see what changes.

Here is what I found so far. This is showing a session where the truck is not plugged in, then I plug it in let it charge for a min, then click "stop charging" in the app. As you can see, it will give you all the status changes, but not the charging rate.

#python examples/fcsp_correct_status.py --monitor 5
⚡ FCSP Correct Charging Status
==================================================
✅ Connected to FCSP device

📊 CORRECT STATUS SUMMARY
==============================
🔌 Real Device State: CS00
⚡ Max Capacity: 80 Amps
🏷️  Station ID: SWA33ROU
💻 System Version: 5.0.25

🔄 INVERTER STATUS
--------------------
Inverter 1 (Star): State 0

🔍 STATUS INTERPRETATION
-------------------------
Device State 'CS00': ✅ Ready/Idle - Available for charging
Inverter 1 State '0': 💤 Idle/Ready - No active charging

🎯 OVERALL STATUS: Ready and available for charging

🔄 Monitoring for State Changes (5 minutes)
==================================================
Connect a vehicle or change charging state to see status changes...

🔔 [16:09:31] STATE CHANGE DETECTED!
   Device: None → CS00
   Inverters: None → ['0']
[16:09:45] Device: CS00, Inverters: ['0']
[16:09:59] Device: CS00, Inverters: ['0']
[16:10:14] Device: CS00, Inverters: ['0']
[16:10:29] Device: CS00, Inverters: ['0']

🔔 [16:10:44] STATE CHANGE DETECTED!
   Device: CS00 → CS02
   Inverters: ['0'] → ['0']
[16:10:58] Device: CS02, Inverters: ['0']
[16:11:12] Device: CS02, Inverters: ['0']
[16:11:27] Device: CS02, Inverters: ['0']



[16:11:41] Device: CS02, Inverters: ['0']




🔔 [16:11:55] STATE CHANGE DETECTED!
   Device: CS02 → CS01
   Inverters: ['0'] → ['0']
[16:12:09] Device: CS01, Inverters: ['0']
[16:12:23] Device: CS01, Inverters: ['0']
[16:12:37] Device: CS01, Inverters: ['0']
[16:12:51] Device: CS01, Inverters: ['0']
[16:13:06] Device: CS01, Inverters: ['0']

 

[chl]

Hopefully this is a better quality photo. it looks like they're in the off state.

Yes "off state", which mine were when new, and are with a fully wired HIS.

"ON CTS" generally means "ON Clear To Send" line.

• CTS (Clear To Send): CTS is a handshaking signal that helps devices communicate data reliably. It allows the receiving device (e.g., your circuit board) to signal to the transmitting device (e.g., another microchip) when it is ready to receive data.

• "ON CTS" on a switch: A switch labeled "ON CTS" likely controls whether the CTS signal is active or not. When the switch is in the "ON" position, the CTS signal is enabled, allowing hardware handshaking to be used for data flow control between the circuit board and another device

The process is similar to a conversation.

• RTS (Request To Send): The transmitter indicates it has data to send.
• CTS (Clear To Send): The receiver indicates it is ready to receive data

If the "ON CTS" switch is enabled, the circuit board (receiver) can signal to the transmitter when it's ready to receive data, preventing data loss.

However, that is just the general usual situation - what the FCSP circuit board uses these switches for has not been in any documentation I have seen yet, so they could have a special purpose.

Anyway if there is no HARDWARE handshaking going on it is all software by default.

 

[chl]

For more info, maybe look at these questions about CTS and RTS:

https://electronics.stackexchange.com/questions/236319/are-cts-and-rts-necessary-on-uart-port

 

[K6CCC]

Following, and likely able to do some testing. I have a FCSP but do NOT have a the SunRun inverter part, so only able to talk / test with the FCSP.

Sponsored