EcoFlow PowerKit CANBUS Hack

I posted the following to EcoFlow’s now private developer group on Facebook. Reposting here so search, crawlers, and the public can find it.


tl;dr I have written software to capture and analyze PowerKit CANBUS traffic as well as replay CAN messages to control the PowerKit entirely locally without network or cloud. this was necessary to work around unresolved critical bugs in EF’s latest firmware.

backstory: I’ve had an “independence” PowerKit running an off-grid site for a couple of years. I wanted local control without Eco’s cloud connectivity (which was unreliable anyway), so I slapped a CAN hat on a Raspberry Pi and started decoding the RJ45 CANBUS messages. it progressed to the point where I could replicate all 400+ data points available through their API, so the project moved to the back-burner since I now had the data I needed for my dashboards.

fast forward to about 10 days ago when I ran a firmware update. that night, the PV inputs spontaneously shut off. the iOS app was able to toggle the inputs back on, but this did not actually turn the PV back on. I was forced to travel over an hour to the site and manually re-enable the PV inputs on the console attached to the PowerKit. this continued for the next week with PV inputs shutting off each night, the app unable to restart them, requiring me to make a site visit.

naturally, I reported these two bugs to EcoFlow (spontaneous PV shutoff and the inability of the iOS app to turn them back on). there has been some back and forth with me providing data and screenshots, but it’s unresolved and I’m not very hopeful.

the situation completely untenable, I restarted work on my CANBUS project. I created a series of tests to toggle inputs through the phone app and the console at specific times. then I used the data analysis tools I’d created to isolate the messages specific to these events.

it turns out the iOS app and the console on the PowerKit send different messages that look somewhat similar. after isolating the relevant messages, I was able to create a script to replay PV on/off events on the CANBUS simulating standing at the console. now I can remotely re-enable PV without the iOS app or EF’s cloud.

things to note. the CANBUS produces a torrent of data (450MB per hour, 11GB per day). there are at least 4 “generations” of message types that seem to reflect their software maturation. there are hundreds of message types. some message streams contain XOR obfuscation and random number sequences. not sure why since the messages are also protected with CRC.

happy to share my findings and code with anyone who is interested. it’s all written in nodejs.

Hi, could you please share CAN protocol details? I am trying to talk to EcoFlow PowerStream and use it with other 48V battery but my CAN reverse engineering skills are not yet high enough. I wonder if some of PowerKit comms are applicable and reusable. There is a GitHub project created by bulldog5046 who was trying to do the same, I have uploaded some CAN logs there: GitHub - bulldog5046/EcoFlow-CanBus-Reverse-Engineering

Well this is interesting. Thanks for the link.

All of my work has been with a PowerKit which has RJ45 CANBUS ports. I fabricated a “tap” that allows me to sit on the bus and send/receive using a Raspberry Pi CAN bus hat. I’ll document this when I make my github project public.

If the protocol for the PowerStream, or any EF product that uses the same “smart extra battery” cables, is the same, then I have a ton of relevant information about how to decode and re-encode EF messages.

I also happen to have a Delta Pro and a Delta 3 which share this port. I can try to tap into them and see if my existing code works with them.

here’s the new github repo for the EF CANbus analysis and data extraction tool. it’s also possible to extract user events to replay allowing for local control of devices using CANbus.