Andy, I love your work. I especially like the "and it doesn't work, amazing" Got to love someone who can happily show you what happens when it goes wrong. :).
Thanks Andy for sharing, this will however be a security risk when people are "wardriving with bluetooth scanners", but this is inherent for wireless tech.
Just started to use the JK again, after putting it away for crap Bluetooth. Reinstalled with some new cells and password not working. So lucky to find Andy has the answer.
adding a space to the end of the password breaks the JK BMS application... It's not only about forgetting the password... This solution helped me to restore BMS... but...
Good day to you, Thank you for your channel and all the valuable information that you share freely. It has helped me a lot to understand my LiFePo4 batteries and programme the hybrid inverter MPPT charger to suit the chemistry and my power demands
This is exactly the right video at exactly the right time!! Thank you, Andy (and Miro)!! After using the BMS all the time some months ago I managed to forget the password as well as to write it down.. Also I disabled charge/discharge because I knew I wouldn't need the battery for a while. With the time difference to the vendor, the reset code I got from them always was invalid when I got the chance to enter it finally. With the generated code I was able to turn the BMS fully back on and also to set a new password. With app version 4.21 (android) nothing worked at first either (not even the separate pairing password 1234 to pair with the BMS after reinstalling the app) but then I downgraded to app version 4.18 (found the apk via google) and everything worked perfectly fine afterwards. Now I am wondering if I really forgot my password or if the app version 4.21 just failed to process my inputs correctly all along.. But anyway, thanks to this video I managed to get my battery charging again!
Sounds like a label maker might be good. Make label with the new generated password and stick it on the battery. I figure it’s only a risk if someone takes your batteries. But they will probably take things that are not as heavy.
This looks like a programmers backdoor. If someone is within Bluetooth range, they could do ... things. JK needs to address this ... scary stuff. Though it is a nice fix for a lost password. 👍
YES way! Just walk by, open the JK app, use 1234 to make the connection handshake, copy the serialnumber, paste it in the codegenerator and you are IN. 😢
Your videos helped us a lot! Please tell me if the latest version of the firmware for the new JK-BMS has solved all the problems? Can JK-BMS be put on batteries? Thank you !
You might have already figured this out, but you can change your password with this tool: Just use the generated password in the 'old' password box. Worked fine in my V15.24 firmware. Note - some of the codes are time sensitive, so make sure that the time is set correctly (from the control pane of the app)
Hello everyone. Thanks Andy for this Video (and all the others..). THANKS to Miro for this program. Actually, it seems that it is possible to reset the Password with this code generated by Miro, but this "Miro-code" is TEMPORARY.... it is only valid until the next full hour. I managed to generate a new code by going to the "Control" pane. At the very top, there is a prompt to "Change password". By this path, the BMS accepted my new password. It remains to be seen if it will be valid indefinitely..... Thanks for reading me and telling me if it also worked for you. P.S. I do not know how to write or speak English. If the translation is bad, please excuse me.... (it's G....e's fault)
JK should fix this. It would be nice to have a password reset feature based on the serial number that only works shortly after booting the BMS. If the serial number is physically printed on the BMS, they could choose to partially hide/obfuscate the serial number in the app with password access needed.
Lots of comments already saying that this is very bad, as in anyone within range can change the settings. It would be better if recovery required physical access through the RS485-1 port to enable the factory password.
It is indeed possible afaik, they all have the "gps" port or whatever it's called, that can communicate via a rs485 or rs232 adapter. might not be the easiest thing but the more people do it, the more support for it will be available on the internet...
I hope jk will fix this security gap with a firmware upgrade soon. They must disable this "feature"/backdoor and only allow password reset at least via physical contact to bms. Ideally via force upgrade using cable.
@@OffGridGarageAustralia is there an unused switch or similar that could be used to factory reset? That would seem to be the only way of avoiding the BT risk without getting into unnecessarily complex cryptographic solutions (that could still fail if you lose the key...) Edit: I thought of a potential solution in another reply.
@@OffGridGarageAustralia (Thanks for replying to all the comments. It's informative to reread the comments after you have responded) The BMS should require some proof of physical presence. Maybe a window in time that is only open 30 sec after disconnecting and reconnecting the battery.
@@OffGridGarageAustralia As a lot of people have said, in order to be allowed to reset a password you need to prove physical access to the device. It could be a specific set of button presses or series of connecting & disconnecting operations, whatever.
@@bitcointabs7173 I'm trying my best replying to as many as possible. But there are so many....😄 JK can also remove the serial number of the app and only have it on the sticker on the BMS. I'll put forward some recommendations from the comments here and will report back to you guys what they are going to do.
@@OffGridGarageAustralia Upgrading. lol. It's an unacceptable security and safety risk for many people unless you live out in the sticks like myself. Good video even though I'm a bit unsettled by what you uncovered. Thanks and stay charged. ;)
@@Greg-bx4id Thinking about it, you could have a factory password reset that requires you to disconnect the power (and hence be physically there) within a specified time period, say 30 seconds. It could reset the storage, but store the non-factory setting in memory (and put it back if nothing happens within the time period). It's a bit ugly, but could work. Edit 2: this was meant to be a reply to another thread where I'd already replied but it works here too. Edit: it shouldn't allow someone to use the factory set password until it's restarted, or you're creating another vulnerability. Easiest may be to disallow new connections for the duration of the timeout (or use the value/hash in memory all the time).
@@davidpenfold Yes, I think that would work too and would just be a simple software upgrade. Now that Andy has us all thinking about it, maybe one of the settings in a software upgrade could be a toggle switch making the device discoverable or not over bluetooth. It's hard to hack what you can't see and it's a time tested wi-fi security feature. I still like the turn off bluetooth switch as it will save you from any attacks over bluetooth. lol.
@@OffGridGarageAustralia does BD Series also have a power Button? Long press: BMS off. Short press: toggle BT. Same for the new one, while the new one also could have that option on the touchscreen If no Button: disable BT via BT and Auto start it with the BMS for 1 or 5 Minutes only when the BMS was started, then auto disable it Or instead of auto disable BT set a dB minimum value where the BMS will ignore the connection. So that Bluetooth only works while you’re in front of the battery and not through walls like in my case from outside the house…
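The reset-window idea raised in several comments above (a password reset that only works shortly after power-up, as proof of physical presence), sketched as device-side logic. This is an added example, not JK firmware and not code from any commenter; every name, the 16-character limit and the free-running millisecond tick are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names are hypothetical; nothing here comes from JK firmware. */
#define RESET_WINDOW_MS 30000u  /* 30 s after power-up, the figure suggested in the comments */
#define PASSWORD_MAX    16u     /* assumed size of the stored settings password */

typedef enum {
    RESET_OK,
    RESET_DENIED_WINDOW_CLOSED,
    RESET_DENIED_BAD_PASSWORD
} reset_result_t;

typedef struct {
    bool     window_open;   /* latched: once false it stays false until the next boot */
    uint32_t boot_tick_ms;  /* value of the free-running ms tick at power-up */
} reset_gate_t;

/* Called once from the power-on path. Only a real power cycle reaches it,
 * which is what ties the reset to physical access. */
void gate_on_boot(reset_gate_t *g, uint32_t now_ms)
{
    g->window_open  = true;
    g->boot_tick_ms = now_ms;
}

/* Called from the main loop. The window is latched closed instead of being
 * recomputed from the tick: a 32-bit ms tick wraps after about 49.7 days, and
 * a stateless "uptime < 30 s" test would silently reopen the window then. */
void gate_poll(reset_gate_t *g, uint32_t now_ms)
{
    /* Unsigned subtraction stays correct if the tick wraps inside the window. */
    if (g->window_open && (uint32_t)(now_ms - g->boot_tick_ms) >= RESET_WINDOW_MS)
        g->window_open = false;
}

/* Password reset request arriving over the wireless link. The decision is made
 * here, on the device, not in the phone app. */
reset_result_t gate_request_reset(reset_gate_t *g, uint32_t now_ms,
                                  const char *new_password,
                                  char stored[PASSWORD_MAX + 1])
{
    size_t len;

    gate_poll(g, now_ms);
    if (!g->window_open)
        return RESET_DENIED_WINDOW_CLOSED;

    len = strlen(new_password);
    if (len == 0 || len > PASSWORD_MAX)
        return RESET_DENIED_BAD_PASSWORD;

    memcpy(stored, new_password, len + 1);
    g->window_open = false;  /* one reset per power cycle */
    return RESET_OK;
}

int main(void)
{
    reset_gate_t gate;
    char stored[PASSWORD_MAX + 1] = "owner-secret";  /* constructed sample value */

    gate_on_boot(&gate, 0u);
    printf("5 s after boot:   %d\n", gate_request_reset(&gate, 5000u, "new-pass", stored));
    printf("6 s after boot:   %d\n", gate_request_reset(&gate, 6000u, "again", stored));

    gate_on_boot(&gate, 0u);
    gate_poll(&gate, 30000u);  /* main loop runs once the 30 s have elapsed */
    printf("after tick wrap:  %d\n", gate_request_reset(&gate, 10u, "late", stored));
    return 0;
}
```

The main loop has to call `gate_poll` at least once after the 30 seconds have passed and well before the tick wraps; any normal firmware loop does.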
There is a slightly misleading message in the video. This "new" generated password is not forever password, but rather the password for next hour or so. It's made from two parts "force password"+"bit made from serial". Just have a look on Miro's generator and see the numbers. And as "force password" is made from time rounded to hour so the settings password is also valid for that period of time. Which is not a problem as at any moment one can generate new "settings password". Just to prevent confusion from anyone who will try to generate once and then write it down "for later". Nope - one needs to click generator at the time of use.
The one that changes with the date (and does not depend on the serial number) is the force update code. The "master password" is calculated by the crc8_rohc function and it doesn't depend on the date.
@@LucaOlivetti last two characters are from crc8.rohc(serial) and they stay the same. Time dependent first 8 chars are new. For example right now: - 04072417 force code - 0407241735 my settings password
IMPORTANT INFORMATION Andy, I've found the problem is getting the people to this issue: The app has a bug, at least for the non-inverter JK BMS. If you ACTUALLY REMEMBER YOUR PASSWORD but you put it and have this message of "Verify permission of settings failure", then press Ok and you will see all those dots. Then press "Verify" again and you will be in. The same happens when you try to set a new password using a generated one. You need to insist. I've even seen the dots and having failure messages, then pressing in another field, trying again, or pressing outside and trying again until getting the new password set. Now I'm able to modify the settings and I'm struggling to set new UPV values because the app doesn't manage the commas properly. Hope this can help everybody, as it happens after setting the new password, so this video can not be of any help if you don't know this issue
There is no doubt that this is now a serious security issue. Regardless of any possible solution, every owner of a JK BMS would need to implement or apply the fix be it a hardware fix or firmware upgrade to secure their system. The other problem is, how do you inform battery owners that have bought a battery with a JK BMS or just a BMS for a DIY project that they have an insecure system. It seems that the most logical solution is for JK to put out a firmware upgrade that will hide the Serial number as a minimum. It will not help everyone, but it is a start. BTW, now any person can also upgrade or downgrade the firmware without your knowledge with the password hack! What a disaster !!!!
Great video but REALLY want to know when JK will fix the RCV/100% SOC issues with Pylontech. It’s ridiculous that we need ESP32 custom code in front of these new inverter BMS to get it to work, charge, balance.
@@OffGridGarageAustralia it’s the pylon protocol JK uses. For several all in ones, Deye, Solis, Lux, etc the JK is not sending the right info to the inverter. There is basically no absorption time, 98%, 99%, 100% and the SCC stops charging so no balancing. There are other Peter Board open source ESP projects that sit between the JKs and inverter to solve for this where it keeps the inverter at 99% until RCV is hit then sends the charge complete 100%. Would love to just have a working BMS. Several of us have emailed JK Support but nothing back for months.
@@OffGridGarageAustralia Hi Andy, It is me again, I concur @cgutowski471, Not sure if you still remember the post from months ago, but here it was: The issue is more of a philosophical one: JK considers that the cell is at 100% SOC during the entire CV period of the charge (RCV->RFV->RCV cycle when float mode is enabled). This is enforced in the firmware by requiring that 'soc-100% volt' must be set below the RCV (presumably to ensure that the cell SOC is reset reliably at each charge). This makes sense from a coulomb counting point of view, as the trigger point where you go from CC to CV charging is the most reliable time to reset the coulomb counter. But the SOC is not truly 100% the moment that you hit RCV, you need to let the battery absorb! However... Growatt, Voltronic OEM based inverter, luxpower, et al, look at the situation differently, and as soon as the battery reports 100% SOC it turns the charge controller off completely. This does make sense from a true SOC perspective, because if the battery is reporting 100% SOC why bother keeping the charge controller on. But, with the way JKBMS reports the SOC, this means that the charge controller turns off as soon as one cell in the battery hits RCV (or worse yet: if you have negative drift in the coulomb counter it will report 100% SOC before you even get to that point!), so no absorption or balancing is possible. They both make compelling arguments, but their logic is mutually incompatible. Either JKBMS needs to report the SOC as 99% during the whole of the absorption process (as the infamous 'peter boards' do), or the inverter needs to actually respect the pylontech 'charger enable' flag and leave the charge controller enabled as long as the BMS requests charging. *I believe you had posted a possible solution which is to have the JKBMS to report 99% during RCV Time duration and only set it to 100% after the RCV Time expired.
Or even better, just set the SOC at 99% throughout the RFV and RCT time if "Controlled Float Charge" is enabled to prevent the Voltronic OEM based inverter from shutting down the charger. * More information can be found at diysolarforum thread titled "anybody-tried-new-jk-bms-with-inverter-communication-support.68964" page 10 - 16 . *Unfortunately, I had sent several emails to JK every month with no reply and luck. Please help us to get the "controlled float charge" working for our inverters. *
@@OffGridGarageAustralia Still remember my post on the SOC 100% issue? You can find more information at diysolarforum "anybody-tried-new-jk-bms-with-inverter-communication-support.68964" page 10 - 16 The issue is more of a philosophical one: JK considers that the cell is at 100% SOC during the entire CV period of the charge (RCV->RFV->RCV cycle when float mode is enabled). This is enforced in the firmware by requiring that 'soc-100% volt' must be set below the RCV (presumably to ensure that the cell SOC is reset reliably at each charge). This makes sense from a coulomb counting point of view, as the trigger point where you go from CC to CV charging is the most reliable time to reset the coulomb counter. But the SOC is not truly 100% the moment that you hit RCV, you need to let the battery absorb! However... luxpower, et al, look at the situation differently, and as soon as the battery reports 100% SOC it turns the charge controller off completely. This does make sense from a true SOC perspective, because if the battery is reporting 100% SOC why bother keeping the charge controller on. But, with the way JKBMS reports the SOC, this means that the charge controller turns off as soon as one cell in the battery hits RCV (or worse yet: if you have negative drift in the coulomb counter it will report 100% SOC before you even get to that point!), so no absorption or balancing is possible. They both make compelling arguments, but their logic is mutually incompatible. Either JKBMS needs to report the SOC as 99% during the whole of the absorption process (as the infamous 'peter boards' do), or the inverter needs to actually respect the pylontech 'charger enable' flag and leave the charge controller enabled as long as the BMS requests charging.
@@OffGridGarageAustralia Your proposed solution is to have the BMS report 99% during RCV Time duration. However, due to Voltronic OEM based inverter design, the JKBMS will have to report 99% throughout RCV time and RFV time when controlled float mode is enabled to prevent the charger from shutting off. Can you get JK to implement this 99%
@Off-Grid Garage Andy can you do a video on BMS firmware version 15.24. I have 15.17 and it seems to be working fine however I have no charge-discharge history being reported on the GX which I would like.
Thank you very much for the video, you are very special.. I suggest you make a video connecting the app on two phones, and also where to find the password for the second phone..
More like a backdoor / factory master password. Question, does this password allow reset to factory settings? making 123456 the default password again? (I do not have a jk to try this myself)
There is no factory default as such. Once the password has been entered, you can select a battery profile which resets all settings. But not the master password.
My BMS serial number has the letter F in it. The password generator does not appear to accept letters. I left out the letter and the password generated does not work.
@@OffGridGarageAustralia Hardware reset button. I'm also a bit concerned about the Neeeey not needed a password to connect. Glad my house (and your shed) are far enough away from the street but silly friends could still mess up the system!
@@OffGridGarageAustralia The easiest way would be to make the serial number not visible in the app. Only on a sticker, or with another solution, which requires physical access to the BMS.
This is not a good thing Andy. This should have been a breaking news video with Andy 2, 3 and 4 like when the settings were defaulting back to unsafe values. Please use a password manager for all your passwords like bitwarden or KeePass. You'll never have to forget another password. But that still would not prevent this massive security flaw.
Thanks for the tutorial. What I experienced was that I forgot the bluetooth connection password. So I can't do monitoring at all. Maybe you can help me
Andy Technically the BMS broadcasts the password via bluetooth LE. As you already mentioned in your other videos. Technically every app could read the set password. This generator is not really necessary. I am actually working on a hobby app to show and record BMS data. I could implement this feature but I think maybe it is better when it is not publicly available to read the pin? What do you think?
I think it was a really bad idea to make this password calculation tool public. Please do not provide more exploits to make it possible to harm the JKs.
Is that a battery powered lawn mower? In the process of buying a RYOBI 80V HP Brushless 42in. Cordless Zero Turn Riding Mower with (2) 80V & (2) 40V Batteries & Charger
@off-grid-garage I need help with the new jk bms i have one bms all the cell temperature sensors show N/A on the app but when you measure them with multimeter they are okay
Thank you very much for your help. But my problem is that when I enter the application and select the BMS, it asks me for a password. I tried with 1234 and 123456, and it doesn't work. Could you help me? Thank you in advance!!!
there is a vulnerability here - vandals can ruin your battery... Now this can be done with the snap of your fingers - using a drone with a Bluetooth module, etc.
@@OffGridGarageAustralia the right solution would be to have a button or jumper that would reset the password, similar to how we reset the BIOS settings on a computer motherboard... when there was a problem with the password - I initially expected that there should be such an option on the board... but the manufacturer got weird here
@@vpchelko a hardware solution will not fix existing BMS already out there. And I doubt they will come out with a V16 for this BMS design. JK is already working on other projects. Sell, sell, sell... that's all it matters unfortunately.
So now anyone driving by my house can use that to enter my JK BMSes? That's not good... Anyway we can avoid that? Or can you make a video on how it would be best to "secure" these JK BMSes ?
While it is not not going to stop someone else from publish the password tool, it may be the ethical thing to do is to remove access to this password tool until a solution can be found.
Just because some bolloks forget their passwords, the BMSs are now without any security? Not very clever!!! This should be only accessible by RS485, but not by Bluetooth!
Not really. You need pairing your cell phone with the Bms and it's not the same password to access the parameters. Unless you put them both the same passwords. And where Andy shows the menu "Modify Password", i think is where you change the password for pairing with the cell phone.
There is a BT pair password when you connect for the very first time to the BMS. It is 1234. Then there is the default JK-BMS App password which is 123456.
If someone has physical access he/she could short the battery. Important is only that no one can connect via BT remotely. Imagine a sailboat or people walking next to your house being "funny" which could lead to fire.
This begs the question if it's the app verifying the code or it's the bms itself. I'm using an old version of the app (V4.7.6), since the phone I'm using doesn't allow any newer version (jk removed support for arm 32 bits), and the generated code doesn't work, hence my doubt. When I go to the van I'll check with the latest version of the app. If it's the app verifying the password it's even worse: it means that somebody implementing the bluetooth communication with the bms doesn't need the password at all. Edit: besides, the bms has no way to know the current date/time (unless the app sends it someway), so the app verifying the password is the most probable option.
This won't work with the older BD series as there is no other way to connect it. But, yes, it is on my list to discuss with JK. Seplos does the same and BT can be disabled in the settings.
They use some standard ble module on board. With some soldering it should be possible to turn off Vcc on it. Or check datasheet, maybe it has enable signal
In my case, I suddenly started receiving "wrong password" messages. Tried everything and thought I'd forgot the password. It happens that when I receive the message, I simply click the "ok" button again (without touching the pwd field) and it went thru! It appears to be a bug. That happened with 4 BMSs with different firmwares. Give it a try!
Is there a way to fix the garbage Bluetooth connection. I'm 15 feet away and nothing. My other xiaoxiang BMSs that have a module to plug in, work from outside my house, in a camper, a good 30 feet away.
When I updated the application, there was a problem with the password. I thought I forgot my password because I was changing it. But when connecting the board to the computer, the password was correct. I installed an older version of the app on my phone. And the password also worked. So don't update the app on your phone
I have discovered a weird issue. I thought that I have forgotten my password, but it was not the case. I set the password that has letters in it. when I tried to login, I was able to see this password while typing (no points or stars, but actual password). And if I would hit OK right away, then I would get error, my password is incorrect. But, if I type in my password and then hit ENTER, the password would turn into stars, then if I hit OK, everything works. So, it might be that you don't need to reset your password, just hit ENTER on your keyboard before you hit OK in the login form.
hi, a friend installed the BMS and setup a password using iPhone. I use an Android, I am unable to login even with the password he set. Can someone please help? I'm in Laidley Qld.
Well... that is probably a big problem if the neighbour doesn't like you anyway 😢.. hopefully they can fix that with a FW update. Can Bluetooth somehow be disabled completely?
Do I understand it right that this is for the settings app. What to do if I forgot the BT pair password? I messaged JK on aliexpress and they gave me the same code as on the github generator page and it doesn't work Edit: I managed to login with my old password, turns out the app from store is bugged and doesn't accept it even if the password is right. I used older version JK BMS_4.15.3 apk and it works! But I still don't know what I would do if I couldn't remember the BT pair password.
HELP!, or BOOOM? Not quite sure yet. I tried Miro's generator but it takes a 10 digit numerical serial number. Both of my Jk-B2A20S20P's have an 11 digit number with a "D" in them and the generator only accepts numbers. What do I do?
Lots of people writing here, it is safety problem. But without SN, you can not generate this password. I don't see big problem. Only big problem is, not possible to reset password. Or I missing something?🤔
THE 'FUNNY' PART IS THAT - THE BMS DO NOT USE ANY PASSWORD! I have created ESP32 wifi module that communicates with JK-BMS via bluetooth and i can set settings, read everything and it doesn't require ANY password. Looks like only app uses password, so anybody can still change settings on your JK bms no matter your password.
my bug still remains.. it never accepts code at first try it needs a second finger enter button .. not erased ,, if my password erased and written again it will fail again.. it needs to stay written and retry . if anyone has similar situation i would be glad to know
Now we need a physical button to disable Bluetooth or to get it read only. This is BAD! Now anyone can come and change our setting, removing all protections and increasing the charge voltage to destroy it
@@OffGridGarageAustralia I sent you an email from a previous short email conversation we had. I sent screenshots. In your video, you say after putting in the key generated passcode you cannot change it but if you look at the screenshot, you can see a user input password, 1234, and a little further a password again of 1234. On the right of the screenshot is the parsed hex data.
Thank you all for replies. Solved my problem without generator. Someone suggested just to ignore error msg and just close notification. And it worked. No more errors for me.
Thanks for information! BTW 6:37 You can change old password by using as old password temporary generated password.
That doesn't work, I tried, you can't change the password.
The new code is updated every hour so it's no good after that.
Thanks!
Been waiting for this for months (JK couldn't help me)... Mucho Gracias from an old forgetful guy ;)
You are welcome!
I have a JK-B2A8S20P, and the generated password will allow me to change the password.
Result!! Thank Andy and Miro
adding a space to the end of the password breaks the JK BMS application... It's not only about forgetting the password...
This solution helped me to restore BMS... but...
What do you mean by 'breaks the app'?
Thanks Andy, excellent work, thanks for your help.
Three hours after posting, 89.9k.. you'll be 90k soon!
I think it was already at 88.900 or so at the time of filming. But yeah, we're getting closer and closer...
LOL, I've just spent 2 days this week, speaking to a nice gentlemen in Beijing, who reset both my BMS's...:)
Probably with the same method? Or did you get access to the old password again somehow?
Thanks for sharing this info, it's really useful. Always good idea to have a spare password, let alone an eternal one ;)
Thank you very much! The new password works and I was also able to change it, using this newly generated one as the old password.
You are my life-savior!
Holy sh*t 🤦♂️
Now I need to build a faraday cage for my batteries.
Yep, good but not great!
Not if you don't go slinging around your serial numbers.
@@orlovsskibet you are wrong. you can read the serial without the password
@@andreasw5925 but doesn't that require physical access?
@@orlovsskibet WRONG! The serialnumber is shown within the app!
This looks like a programmers backdoor. If someone is within Bluetooth range, they could do ... things. JK needs to address this ... scary stuff. Though it is a nice fix for a lost password. 👍
without the serial Nr - no way!
YES way! Just walk by, open the JK app, use 1234 to make the connection handshake, copy the serialnumber, paste it in the codegenerator and you are IN. 😢
Your videos helped us a lot! Please tell me if the latest version of the firmware for the new JK-BMS has solved all the problems? Can JK-BMS be put on batteries? Thank you !
I hope Andy does a follow up vid for this.
Actually, this password is easy to find out)))
My jk bms controller serial number has a Letter in it. The code generator does not allow to enter letter number combinations. Please advise.
Use a zero instead of the letter!
@0:50 that's actually a good idea
You might have already figured this out, but you can change your password with this tool: Just use the generated password in the 'old' password box. Worked fine in my V15.24 firmware.
Note - some of the codes are time sensitive, so make sure that the time is set correctly (from the control pane of the app)
App Settings Pass isn't time sensitive
0:49 OK OK! 3D printed numbers with magnet is a lot better!
Great solution, right?🤭
thank you you're absolutely amazing
Lots of comments already saying that this is very bad, as in anyone within range can change the settings. It would be better if recovery required physical access through the RS485-1 port to enable the factory password.
And we have the older BD series where this is not possible.
It is indeed possible afaik, they all have the "gps" port or whatever it's called, that can communicate via a rs485 or rs232 adapter.
might not be the easiest thing but the more people do it, the more support for it will be available on the internet...
I hope jk will fix this security gap with a firmware upgrade soon.
They must disable this "feature"/backdoor and only allow password reset at least via physical contact to bms. Ideally via force upgrade using cable.
Yes, but what about the older BD series? BT is the only connection.
@@OffGridGarageAustralia is there an unused switch or similar that could be used to factory reset? That would seem to be the only way of avoiding the BT risk without getting into unnecessarily complex cryptographic solutions (that could still fail if you lose the key...)
Edit: I thought of a potential solution in another reply.
@@OffGridGarageAustralia (Thanks for replying to all the comments. It's informative to reread the comments after you have responded) The BMS should require some proof of physical presence. Maybe a window in time that is only open 30 sec after disconnecting and reconnecting the battery.
@@OffGridGarageAustralia As a lot of people have said, in order to be allowed to reset a password you need to prove physical access to the device. It could be a specific set of button presses or series of connecting & disconnecting operations, whatever.
@@bitcointabs7173 I'm trying my best replying to as many as possible. But there are so many....😄
JK can also remove the serial number of the app and only have it on the sticker on the BMS.
I'll put forward some recommendations from the comments here and will report back to you guys what they are going to do.
There needs to be a hardware switch to turn BT on and off to limit unauthorized access.
What are we doing for the older JK-BMS though? BT is the only option.
@@OffGridGarageAustralia Upgrading. lol. It's an unacceptable security and safety risk for many people unless you live out in the sticks like myself. Good video even though I'm a bit unsettled by what you uncovered. Thanks and stay charged. ;)
@@Greg-bx4id Thinking about it, you could have a factory password reset that requires you to disconnect the power (and hence be physically there) within a specified time period, say 30 seconds.
It could reset the storage, but store the non-factory setting in memory (and put it back if nothing happens within the time period). It's a bit ugly, but could work.
Edit 2: this was meant to be a reply to another thread where I'd already replied but it works here too.
Edit: it shouldn't allow someone to use the factory set password until it's restarted, or you're creating another vulnerability. Easiest may be to disallow new connections for the duration of the timeout (or use the value/hash in memory all the time).
@@davidpenfold Yes, I think that would work too and would just be a simple software upgrade. Now that Andy has us all thinking about it, maybe one of the settings in a software upgrade could be a toggle switch making the device discoverable or not over bluetooth. It's hard to hack what you can't see and it's a time tested wi-fi security feature. I still like the turn off bluetooth switch as it will save you from any attacks over bluetooth. lol.
@@OffGridGarageAustralia does BD Series also have a power Button?
Long press: BMS off. Short press: toggle BT. Same for the new one, while the new one also could have that option on the touchscreen
If no Button: disable BT via BT and Auto start it with the BMS for 1 or 5 Minutes only when the BMS was started, then auto disable it
Or instead of auto disable BT set a dB minimum value where the BMS will ignore the connection. So that Bluetooth only works while you’re in front of the battery and not through walls like in my case from outside the house…
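The physical-presence ideas proposed in the comments above (a 30-second window after a power cycle, ignoring weak-signal connections, checking the password on the device itself) can be modelled as a small device-side gate. This is an added example, not JK firmware or any commenter's code; every name, the -60 dBm cut-off and the three-try lockout are assumptions.

```c
/* Added illustration, not JK firmware: device-side gate for password reset
 * and settings writes. All identifiers and thresholds are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX          16
#define RESET_WINDOW_MS 30000u  /* 30 s after power-on, as proposed in the comments */
#define MIN_RSSI_DBM    (-60)   /* assumed "standing in front of the battery" cut-off */
#define MAX_BAD_TRIES   3       /* assumed lockout limit, cleared only by a power cycle */

typedef enum { REQ_LOGIN, REQ_RESET_PASSWORD, REQ_WRITE_SETTING } req_type;
typedef enum { V_OK, V_DENY_AUTH, V_DENY_WINDOW, V_DENY_RSSI, V_DENY_LOCKED } verdict;

typedef struct {
    char     password[PW_MAX + 1]; /* zero-padded; a real device would keep a salted hash */
    uint32_t boot_ms;              /* timestamp of the last power-on */
    bool     session_authed;       /* set only by a login verified on the device */
    int      bad_tries;
} bms_state;

typedef struct {
    req_type    type;
    uint32_t    now_ms;
    int         rssi_dbm;
    const char *secret;            /* login password, or new password for a reset */
} request;

/* Copy s into a zero-padded fixed buffer; reject NULL, empty or over-long input. */
static bool load_secret(char out[PW_MAX + 1], const char *s) {
    memset(out, 0, PW_MAX + 1);
    if (s == NULL) return false;
    size_t n = strlen(s);
    if (n == 0 || n > PW_MAX) return false;
    memcpy(out, s, n);
    return true;
}

/* Compare two zero-padded buffers without an early exit on the first mismatch. */
static bool ct_equal(const char *a, const char *b) {
    unsigned char diff = 0;
    for (size_t i = 0; i <= PW_MAX; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Power-on: opens the reset window, drops any session, clears the lockout. */
void bms_boot(bms_state *s, uint32_t now_ms) {
    s->boot_ms = now_ms;
    s->session_authed = false;
    s->bad_tries = 0;
}

bool bms_init(bms_state *s, const char *pw, uint32_t now_ms) {
    bms_boot(s, now_ms);
    return load_secret(s->password, pw);
}

verdict bms_handle(bms_state *s, const request *r) {
    char buf[PW_MAX + 1];
    if (r->rssi_dbm < MIN_RSSI_DBM) return V_DENY_RSSI;      /* too far away: ignore */
    switch (r->type) {
    case REQ_LOGIN:
        if (s->bad_tries >= MAX_BAD_TRIES) return V_DENY_LOCKED;
        if (load_secret(buf, r->secret) && ct_equal(buf, s->password)) {
            s->session_authed = true;
            s->bad_tries = 0;
            return V_OK;
        }
        s->bad_tries++;
        return V_DENY_AUTH;
    case REQ_RESET_PASSWORD:
        /* Only right after a power cycle, which needs hands on the battery. */
        if (r->now_ms - s->boot_ms > RESET_WINDOW_MS) return V_DENY_WINDOW;
        if (!load_secret(buf, r->secret)) return V_DENY_AUTH;
        memcpy(s->password, buf, sizeof buf);
        s->session_authed = false;                            /* must log in again */
        return V_OK;
    case REQ_WRITE_SETTING:
        return s->session_authed ? V_OK : V_DENY_AUTH;        /* enforced on the device */
    }
    return V_DENY_AUTH;
}

int main(void) {
    bms_state s;
    bms_init(&s, "owner-pass", 0);                 /* constructed sample values */
    request late = { REQ_RESET_PASSWORD, 31000, -50, "new-pass" };
    request far  = { REQ_LOGIN, 1000, -85, "owner-pass" };
    printf("late reset -> %d, distant login -> %d\n",
           bms_handle(&s, &late), bms_handle(&s, &far));
    return 0;
}
```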
There is slight misleading message in the video.
This "new" generated password is not forever password, but rather the password for next hour or so.
It's made from two parts: "force password"+"bit made from serial". Just have a look at Miro's generator and see the numbers.
And as "force password" is made from time rounded to hour so the settings password is also valid for that period of time. Which is not a problem as at any moment one can generate new "settings password".
Just to prevent confusion from anyone who will try to generate once and then write it down "for later". Nope - one needs to click generator at the time of use.
The one that changes with the date (and does not depend on the serial number) is the force update code. The "master password" is calculated by the crc8_rohc function and it doesn't depend on the date.
Mmh, with the new hour it generated a different password, but by looking at the crc8_rohc function I cannot see where it depends on the date.
I'm blind: I totally missed the "GetCode()+" in the event.
@@LucaOlivetti last two characters are from crc8.rohc(serial) and they stay the same. Time dependent first 8 chars are new.
For example right now:
- 04072417 force code
- 0407241735 my settings password
IMPORTANT INFORMATION
Andy, I've found the problem is getting the people to this issue: The app has a bug, at least for the non-inverter JK BMS.
If you ACTUALLY REMEMBER YOUR PASSWORD but you put it and have this message of "Verify permission of settings failure", then press Ok and you will see all those dots. Then press "Verify" again and you will be in.
The same happens when you try to set a new password using a generated one. You need to insist. I've even seen the dots and having failure messages, then pressing in another field, trying again, or pressing outside and trying again until getting the new password set.
Now I'm able to modify the settings and I'm struggling to set new UPV values because the app doesn't manage the commas properly.
Hope this can help everybody, as it happens after setting the new password, so this video can not be of any help if you don't know this issue
Greetings from Spain BTW
Thank you!
underrated comment, you saved me!
There is no doubt that this is now a serious security issue. Regardless of any possible solution, every owner of a JK BMS would need to implement or apply the fix be it a hardware fix or firmware upgrade to secure their system. The other problem is, how do you inform battery owners that have bought a battery with a JK BMS or just a BMS for a DIY project that they have an insecure system.
It seems that the most logical solution is for JK to put out a firmware upgrade that will hide the Serial number as a minimum. It will not help everyone, but it is a start.
BTW, now any person can also upgrade or downgrade the firmware without your knowledge with the password hack!
What a disaster !!!!
Heya. Really nice to have this possibility when you forget your password and it happens I KNOW
Great video but REALLY want to know when JK will fix the RCV/100% SOC issues with Pylontech. It’s ridiculous that we need ESP32 custom code in front of these new inverter BMS to get it to work, charge, balance.
What's the exact problem with Pylontech? Is it the Pylontech batteries (15s) or the Pylontech protocol? Explain so I can add it to the list.
@@OffGridGarageAustralia it’s the pylon protocol JK uses. For several all in ones, Deye, Solis, Lux, etc the JK is not sending the right info to the inverter. There is basically no absorption time, 98%, 99%, 100% and the SCC stops charging so no balancing. There are other Peter Board open source ESP projects that sit between the JKs and inverter to solve for this where it keeps the inverter at 99% until RCV is hit then sends the charge complete 100%. Would love to just have a working BMS.
Several of us have emailed JK Support but nothing back for months.
@@OffGridGarageAustralia Hi Andy, It is me again, I concur @cgutowski471, Not sure if you still remember the post from months ago, but here it was:
The issue is more of a philosophical one:
JK considers that the cell is at 100% SOC during the entire CV period of the charge (RCV->RFV->RCV cycle when float mode is enabled).
This is enforced in the firmware by requiring that 'soc-100% volt' must be set below the RCV (presumably to ensure that the cell SOC is reset reliably at each charge). This makes sense from a coulomb counting point of view, as the trigger point where you go from CC to CV charging is the most reliable time to reset the coulomb counter. But the SOC is not truly 100% the moment that you hit RCV, you need to let the battery absorb!
However... Growatt, Voltronic OEM based inverter, luxpower, et al, look at the situation differently, and as soon as the battery reports 100% SOC it turns the charge controller off completely. This does make sense from a true SOC perspective, because if the battery is reporting 100% SOC why bother keeping the charge controller on. But, with the way JKBMS reports the SOC, this means that the charge controller turns off as soon as one cell in the battery hits RCV (or worse yet: if you have negative drift in the coulomb counter it will report 100% SOC before you even get to that point!), so no absorption or balancing is possible.
They both make compelling arguments, but their logic is mutually incompatible. Either JKBMS needs to report the SOC as 99% during the whole of the absorption process (as the infamous 'peter boards' do), or the inverter needs to actually respect the pylontech 'charger enable' flag and leave the charge controller enabled as long as the BMS requests charging.
*I believe you had posted a possible solution which is to have the JKBMS to report 99% during RCV Time duration and only set it to 100% after the RCV Time expired.
Or even better, just set the SOC at 99% throughout the RFV and RCT time if "Controlled Float Charge" is enabled to prevent the Voltronic OEM based inverter from shutting down the charger.
* More information can be found at diysolarforum thread titled "anybody-tried-new-jk-bms-with-inverter-communication-support.68964" page 10 - 16.
*Unfortunately, I had sent several emails to JK every month with no reply and luck. Please help us to get the "controlled float charge" working for our inverters.
@@OffGridGarageAustralia Still remember my post on the SOC 100% issue? You can find more information at diysolarforum "anybody-tried-new-jk-bms-with-inverter-communication-support.68964" page 10 - 16
The issue is more of a philosophical one:
JK considers that the cell is at 100% SOC during the entire CV period of the charge (RCV->RFV->RCV cycle when float mode is enabled).
This is enforced in the firmware by requiring that 'soc-100% volt' must be set below the RCV (presumably to ensure that the cell SOC is reset reliably at each charge). This makes sense from a coulomb counting point of view, as the trigger point where you go from CC to CV charging is the most reliable time to reset the coulomb counter. But the SOC is not truly 100% the moment that you hit RCV, you need to let the battery absorb!
However... luxpower, et al, look at the situation differently, and as soon as the battery reports 100% SOC it turns the charge controller off completely. This does make sense from a true SOC perspective, because if the battery is reporting 100% SOC why bother keeping the charge controller on. But, with the way JKBMS reports the SOC, this means that the charge controller turns off as soon as one cell in the battery hits RCV (or worse yet: if you have negative drift in the coulomb counter it will report 100% SOC before you even get to that point!), so no absorption or balancing is possible.
They both make compelling arguments, but their logic is mutually incompatible. Either JKBMS needs to report the SOC as 99% during the whole of the absorption process (as the infamous 'peter boards' do), or the inverter needs to actually respect the pylontech 'charger enable' flag and leave the charge controller enabled as long as the BMS requests charging.
@@OffGridGarageAustralia Your proposed solution is to have the BMS report 99% during RCV Time duration. However, due to Voltronic OEM based inverter design, the JKBMS will have to report 99% throughout RCV time and RFV time when controlled float mode is enabled to prevent the charger from shutting off. Can you get JK to implement this 99%
@Off-Grid Garage Andy can you do a video on BMS firmware version 15.24. I have 15.17 and it seems to be working fine however I have no charge-discharge history being reported on the GX which I would like.
Congratulation, Andy!
Can you help me, please, send again the link to Miro's. I can't find that link.
Thank you!
Good morning.
I have letters (one letter actually) in my serial number. But the generator accepts only digits. Is there any trick to handle it?
Use a zero instead of the letter!
Thank you very much for the video, you are very special..
I suggest you make a video connecting the app on two phones
And also where to find the password for the second phone..
More like a backdoor / factory master password. Question, does this password allow reset to factory settings? making 123456 the default password again? (I do not have a jk to try this myself)
There is no factory default as such. Once the password has been entered, you can select a battery profile which resets all settings. But not the master password.
My BMS serial number has the letter F in it. The password generator does not appear to accept letters. I left out the letter and the password generated does not work.
Use a zero instead of the letter!
That's a huge security and safety flaw. Basically everyone in bluetooth range can mess with your battery settings.
What's the solution?
@@OffGridGarageAustralia Hardware reset button. I'm also a bit concerned about the Neeeey not needed a password to connect. Glad my house (and your shed) are far enough away from the street but silly friends could still mess up the system!
@@OffGridGarageAustralia The easiest way would be to make the serial number not visible in the app. Only on a sticker, or with another solution, which requires physical access to the BMS.
@@Meiestrix Great suggestion!
@@Meiestrix That's not really a solution... it gives another way to read out both passwords without the serial number ;)
This is not a good thing Andy.
This should have been a breaking news video with Andy 2, 3 and 4 like when the settings were defaulting back to unsafe values.
Please use a password manager for all your passwords like bitwarden or KeePass.
You'll never have to forget another password.
But that still would not prevent this massive security flaw.
Exactly.
Thanks for the tutorial. What I experienced was that I forgot the bluetooth connection password. So I can't do monitoring at all. Maybe you can help me
Do you have some changelog of what changed in the current firmware upgrade in JKBMS? 15.24?
Andy, how can I change the screen time for more time on?
Andy, technically the BMS broadcasts the password via bluetooth LE. As you already mentioned in your other videos. Technically every app could read the set password. This generator is not really necessary. I am actually working on a hobby app to show and record BMS data. I could implement this feature but I think maybe it is better when it is not publicly available to read the pin? What do you think?
I think it was a really bad idea to make this password calculation tool public.
Please do not provide more exploits to make it possible to harm the JKs.
@@Juergen_Miessmer It's not the only way... it gives also another way to read out both passwords without the serial number ;).
Is that a battery powered lawn mower? In the process of buying a RYOBI 80V HP Brushless 42in. Cordless Zero Turn Riding Mower with (2) 80V & (2) 40V Batteries & Charger
Yes, testing the Luba2 atm on my other channel. Unless people here are interested as well... It's a bit out of spec of the usual stuff.
@off-grid-garage I need help with the new JK BMS. I have one BMS where all the cell temperature sensors show N/A on the app, but when you measure them with a multimeter they are okay
Do you have them turned on in the app?
Thank you very much for your help. But my problem is that when I enter the application and select the BMS, it asks me for a password. I tried with 1234 and 123456, and it doesn't work. Could you help me? Thank you in advance!!!
I have the same problem, can not connect the device with mobile phone, please help
now you need to paint a block box behind the numbers to make them POP.
there is a vulnerability here - vandals can ruin your battery...
Now this can be done with the snap of your fingers - using a drone with a Bluetooth module, etc.
Yes, absolutely. Not sure what the solution can be though. There is clearly a problem with showing the password in the software.
@@OffGridGarageAustralia the right solution would be to have a button or jumper that would reset the password, similar to how we reset the BIOS settings on a computer motherboard...
when there was a problem with the password - I initially expected that there should be such an option on the board... but the manufacturer got weird here
@@vpchelko a hardware solution will not fix existing BMS already out there. And I doubt they will come out with a V16 for this BMS design. JK is already working on other projects. Sell, sell, sell... that's all it matters unfortunately.
So now anyone driving by my house can use that to enter my JK BMSes? That's not good... Anyway we can avoid that? Or can you make a video on how it would be best to "secure" these JK BMSes ?
While it is not going to stop someone else from publishing the password tool, it may be the ethical thing to do to remove access to this password tool until a solution can be found.
So that means the password is useless and anyone can connect to your JK BMS and change your settings..
Just because some bolloks forget their passwords, the BMSs are now without any security? Not very clever!!! This should be only accessible by RS485, but not by Bluetooth!
Not really. You need to pair your cell phone with the BMS and it's not the same password to access the parameters. Unless you set them both to the same password.
And where Andy shows the menu "Modify Password", I think is where you change the password for pairing with the cell phone.
@@nunosantos79 you don't need to pair when the app asks. I can click No and it just connects as usual.
There is a BT pair password when you connect for the very first time to the BMS. It is 1234.
Then there is the default JK-BMS App password which is 123456.
If someone has physical access he/she could short the battery.
Important is only that no one can connect via BT remotely. Imagine a sailboat or people walking next to your house being “funny” which could lead to fire.
This begs the question if it's the app verifying the code or it's the BMS itself. I'm using an old version of the app (V4.7.6), since the phone I'm using doesn't allow any newer version (JK removed support for arm 32 bits), and the generated code doesn't work, hence my doubt.
When I go to the van I'll check with the latest version of the app.
If it's the app verifying the password it's even worse: it means that somebody implementing the bluetooth communication with the bms doesn't need the password at all.
Edit: besides, the bms has no way to know the current date/time (unless the app sends it someway), so the app verifying the password is the most probable option.
Thank u its working
Thank you soooo much
It sounds like I need to change my Bluetooth pairing code immediately! Can you even change it?
thank you bro!
OK, next question, how do I disable the jk bms Bluetooth before some random person destroys my batteries....
This won't work with the older BD series as there is no other way to connect it.
But, yes, it is on my list to discuss with JK. Seplos does the same and BT can be disabled in the settings.
They use some standard BLE module on board. With some soldering it should be possible to turn off Vcc on it. Or check datasheet, maybe it has enable signal
Mine uses BK3432 chip. It doesn't have enable pin, but rstn pin which is active while in low state.
In my case, I suddenly started receiving "wrong password" messages. Tried everything and thought I'd forgot the password.
It happens that when I receive the message, I simply click the "ok" button again (without touching the pwd field) and it went thru! It appears to be a bug.
That happened with 4 BMSs with different firmwares.
Give it a try!
I just confirmed your experience with my jk BMS. Andy needs to pin your comment right away.
Is there a way to fix the garbage Bluetooth connection? I'm 15 feet away and nothing.
My other xiaoxiang BMSs that have a module to plug in work from outside my house, in a camper, a good 30 feet away.
When I updated the application, there was a problem with the password. I thought I forgot my password because I was changing it. But when connecting the board to the computer, the password was correct. I installed an older version of the app on my phone. And the password also worked. So don't update the app on your phone
Great news
Yes, and scary! Everyone can now break into the JK BMS.
it's very dangerous. because a stranger can come to your garage door and change the settings without your permission. 😢
I had a problem not able to log in with my password (written on the box).
Miros generator saved me.
Yes, the solution is great for some but also highlights the vulnerability of all their BMS.
I have discovered a weird issue. I thought that I had forgotten my password, but it was not the case. I set the password that has letters in it. When I tried to login, I was able to see this password while typing (no points or stars, but actual password). And if I would hit OK right away, then I would get error, my password is incorrect. But, if I type in my password and then hit ENTER, the password would turn into stars, then if I hit OK, everything works.
So, it might be that you don't need to reset your password, just hit ENTER on your keyboard before you hit OK in the login form.
It did not work on my JK-B1A8S20P. Hardware V9.X .Software V9.08W .App version V4.7.1
Write down the password on the unit. Back, side, or front 😂
That's where the serial should be as well. The only place...
I tried this method but it didn't work for me.
hi, a friend installed the BMS and setup a password using iPhone. I use an Android, I am unable to login even with the password he set.
Can someone please help? I'm in Laidley Qld.
very good
Well... that is probably a big problem if the neighbour doesn't like you anyway 😢.. Hopefully they can fix this with a FW update. Can Bluetooth somehow be disabled completely?
Do I understand it right that this is for the settings app. What to do if I forgot the BT pair password? I messaged JK on aliexpress and they gave me the same code as on the github generator page and it doesn't work
Edit: I managed to login with my old password, turns out the app from store is bugged and doesn't accept it even if the password is right. I used older version JK BMS_4.15.3 apk and it works! But I still don't know what I would do if I couldn't remember the BT pair password.
Where do you download the older version from?
Thanks
@@Ramjet7777 from apkpure. Keep the apk from auto updating or it will update and even the correct password won't work.
Needs to be a jumper or push button on the BMS that resets the password and/or a factory reset.
That would be a great solution!
HELP!, or BOOOM? Not quite sure yet. I tried Miro's generator but it takes a 10 digit numerical serial number. Both of my Jk-B2A20S20P's have an 11 digit number with a "D" in them and the generator only accepts numbers. What do I do?
I replaced the letter with a 0 and it actually worked with the new password!
@@johankarlsson308 Okay, thanks, I'll let you know....
@@johankarlsson308 Well, unfortunately, it does produce a passcode, but it won't open settings. Thanks for trying.
Sometimes I genuinely forget 123456
Hahahaha, Gaza!
Couldn't get it to work... generated the code but it doesn't work in the app..... Any advice???
After the app's Bluetooth scan, when I try to connect, the 1234 pass does not work. Any solution?
What about if the password to pair it doesn't work, so you can't even view it in the app?
Adding a 0 for an A in my serial number is not working.. Is there a new solution??
Maybe a very bad idea to make this password calculator public. ☹️
Unfortunately it didn't work for me. I got the same wrong password message.
Lots of people writing here that it is a safety problem. But without the SN, you can not generate this password. I don't see a big problem. The only big problem is that it's not possible to reset the password.
Or am I missing something?🤔
Top tip, use a password manager!
Hope everyone reads that.
I know the password, and the app accepts it, but it still doesn't allow making changes to settings.
👍👍👍
Hi! Can you tell me where he put the link to the JK window? I can't find it. Thank you!
thanks lost mine generated new one yet to test it how long it last ? so good
Can this generator be used with JK B2A8S20P? In my case I have one letter in the serial number that isn't recognized by the tool.
Same here, letter doesn’t work.
I did put in zero instead of the letter and that did work for me.
@@steinhelgoe Thanks. It worked and immediately set my new pw only with 0-9.
🐸🐸🐸
🥈
THE 'FUNNY' PART IS THAT - THE BMS DOES NOT USE ANY PASSWORD! I have created an ESP32 wifi module that communicates with JK-BMS via bluetooth and I can set settings, read everything and it doesn't require ANY password. Looks like only the app uses the password, so anybody can still change settings on your JK BMS no matter your password.
Sir, I am Haneefa from Kerala, India..
I want a live program with you if possible 😊
Like# 135
My bug still remains.. it never accepts the code at first try, it needs a second press of the enter button.. not erased.. if my password is erased and written again it will fail again.. it needs to stay written and retry. If anyone has a similar situation I would be glad to know.
Yes, i had this problem. And then it disappeared... My solution is to press enter on the keyboard before pressing verify.
Force update? 🤔
My serial number jk bms is 11 digits, no work
Now we need a physical button to disable Bluetooth or to get it read only.
This is BAD!
Now anyone can come and change our setting, removing all protections and increasing the charge voltage to destroy it
With the rs485 connected you can easily retrieve your forgotten password.
Oh? Can you explain?
How?
@@rdflo6739 I have done it using Windows 10, a USB to RS485 adapter and a Windows
It's not that easy...
@@OffGridGarageAustralia I sent you an email from a previous short email conversation we had. I sent screenshots. In your video, you say after putting in the key generated passcode you cannot change it but if you look at the screenshot, you can see a user input password, 1234, and a little further a password again of 1234. On the right of the screenshot is the parsed hex data.
Please tell me, I can't connect to the app, there is no password, can you help?
Clarification: your language is not so great and mighty that the whole world should speak it, because only the mummy Lenin spoke it!
My S/N has a letter. The code generator is not accepting letters. So it's not working for me.
They are upper case. My code has letters as well and it works
Use a zero instead of the letter!
Thank you all for replies. Solved my problem without generator. Someone suggested just to ignore error msg and just close notification. And it worked. No more errors for me.
@@kamelotaslt thanks for your feedback and sharing