Home

Fox-ess make a line of solar inverters. These inverters communicate with www.foxesscloud.com and this is an attempt to understand and document the protocol used.

From snooping the traffic from an inverter I have seen that a TCP connection to port 10001 on www.foxesscloud.com is made and kept open.

Aside from the standard TCP keep-alive and Ack, data is sent from the inverters wifi module periodically (approximately every 30 seconds).

Below is a list of the packets I have seen and an explanation of the contents.

general packet structure

The packet starts and ends with the following (byte values written in hex)

7e 7e ... e7 e7

Within the boundary markers there appears to be a header and body as follows:

1 byte packet identifier
4 byte timestamp (unix seconds since 1970)
1 byte separator (0x00)
1 byte body length
body as specified by the packet identifier
2 bytes (probably a checksum)

Body analysis

packet 01

example

0030                     7e 7e 01 62 0e fb 95 00 28 31         ~~.b....(1
0040   2e 32 34 00 00 31 2e 30 32 00 00 31 2e 31 37 00   .24..1.02..1.17.
0050   00 00 01 48 00 48 31 2d 33 2e 37 2d 45 20 20 20   ...H.H1-3.7-E   
0060   20 20 20 20 20 0e 60 f7 2b e7 e7                       .`.+..

decoding

Bytes	meaning
0-3	Software version "Master" '1.24'
4-5	? zero separator ?
6-9	Software version "Slave" '1.02'
10-11	? zero separator ?
12-15	Software version "Manager" '1.17'
16-17	? zero separator ?
...	Software version "afci" '' (no bytes long in my example)
18-19	? zero separator ?
20-29	inverter model 'H.H1-3.7-E'
30-37	spaces
38-39	unknown (0e 60)

packet 02

example

packet 03

example

0030                     7e 7e 03 62 0e f5 a6 00 87 36         ~~.b.....6
0040   37 42 42 48 56 31 30 31 37 41 47 33 34 35 36 30   7BBHV1017AG34560
0050   32 48 32 36 32 30 31 39 57 42 31 30 38 36 30 32   2H262019WB108602
0060   48 32 36 32 30 31 39 4a 41 30 35 38 00 00 00 00   H262019JA058....
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0   00 00 00 00 00 00 9c 69 e7 e7                     .......i..

Decoding

Unknown.

It appears to contain 3 serial numbers:

67BBHV1017AG345
602H262019WB108
602H262019JA058 I have yet to match these to any of the equipment I own.

packet 06

example

                         7e 7e 06 62 0e fb 8b 00 15 48         ~~.b.....H
0040   31 30 36 30 30 36 36 42 48 33 37 32 54 31 37 54   1060066BH372T17T
0050   45 30 36 38 ae 3c e7 e7                           E068.<..

decoding

Bytes	meaning
0-5	the protocol version 'H10600' = H1.06.00
6-21	the inverter serial number '66BH372T17TE068'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Home

general packet structure

Body analysis

packet 01

example

decoding

packet 02

example

packet 03

example

Decoding

packet 06

example

decoding

Clone this wiki locally