
Decoding the Pylontech BMS via CAN Bus

#IoT #Hardware_Hacking #ESP32 #Energy


Pylontech lithium batteries are the gold standard for solar storage, but relying on the inverter software (or the manufacturer’s cloud) to read the BMS (Battery Management System) status creates a security and control blind spot.

In this note, we document how to intercept the native BMS communication.

Hardware Required

An ESP32 microcontroller.

A CAN transceiver (such as the SN65HVD230 or TJA1050).

An RJ45 cable (cut to expose the communication pins).

Intercepting the Frames

The Pylontech A/CAN port transmits at 500 kbps. If we connect our transceiver to the CAN-H and CAN-L pins, we start receiving periodic frames.

The CAN message ID tells us what information it contains. For example, ID 0x359 contains the State of Charge (SOC), Voltage, and Current.

ESPHome configuration to read Frame 0x359

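```yaml
canbus:
  - platform: esp32_can
    id: my_canbus      # referenced by canbus_id in the sensor below
    tx_pin: GPIO5
    rx_pin: GPIO4
    can_id: 0x100      # this node's own ID, required by ESPHome (placeholder value)
    bit_rate: 500kbps

sensor:
  - platform: canbus
    canbus_id: my_canbus
    can_id: 0x359
    name: "Pylontech SOC"
    bytes: 4  # SOC is usually in byte 4 and 5
    # The mask extracts the corresponding 16 bits
```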

Having this raw data in our MQTT broker allows us to trigger critical automations, such as shutting down crypto miners or the AI server if a single internal cell’s voltage drops below the safety threshold, long before the main inverter reacts.
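CAN frames carry no sender authentication, so anything that acts on frame 0x359 should reject short, implausible, or stale frames before triggering a shutdown. The following is an added example, not code from the original note: it decodes the 16-bit field at bytes 4 and 5 from `candump -L` style log lines. The little-endian byte order, the 0 to 100 plausibility range, the 5-second staleness limit, and all function names are assumptions.

```python
import struct

SOC_FRAME_ID = 0x359   # frame ID given in the note
SOC_OFFSET = 4         # "SOC is usually in byte 4 and 5" (from the note)
MAX_AGE_S = 5.0        # assumed staleness limit for a periodic frame

def parse_candump(line):
    """Parse a 'candump -L' line '(ts) iface ID#HEXDATA' into (ts, id, payload)."""
    ts, _iface, frame = line.split()
    can_id, _, data = frame.partition("#")
    return float(ts.strip("()")), int(can_id, 16), bytes.fromhex(data)

def decode_soc(can_id, data):
    """Return the raw 16-bit field at bytes 4-5, or None if the frame is unusable."""
    if can_id != SOC_FRAME_ID or len(data) < SOC_OFFSET + 2:
        return None    # wrong ID, or a short frame we must not index past
    (raw,) = struct.unpack_from("<H", data, SOC_OFFSET)  # assumed little-endian
    return raw

def latest_soc(lines, now, lo=0, hi=100):
    """Newest fresh, plausible value in the log; None means 'do not act on it'."""
    best = None
    for line in lines:
        try:
            ts, can_id, data = parse_candump(line)
        except ValueError:
            continue   # malformed line: wrong field count, bad hex, bad timestamp
        raw = decode_soc(can_id, data)
        if raw is None or not lo <= raw <= hi or now - ts > MAX_AGE_S:
            continue   # reject implausible or stale readings
        if best is None or ts > best[0]:
            best = (ts, raw)
    return None if best is None else best[1]

# Constructed sample capture (not recorded from a real battery)
SAMPLE = [
    "(1700000000.100) can0 359#0000000057000000",  # bytes 4-5 = 57 00
    "(1700000000.200) can0 351#1402E8030000",      # different ID, ignored
    "(1700000001.100) can0 359#00000000",          # too short, rejected
    "(1700000002.100) can0 359#00000000FFFF0000",  # out of range, rejected
    "not a frame",                                 # malformed, skipped
]
```

An automation should treat a `None` result as "no trustworthy reading" rather than as a low value.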
