All Electric?

**Jen-in-Wellies** · November 13, 2023

Over the last year, Victron have stopped shipping the blue(tooth) boxes with a default bluetooth password of 000000. They now come with a random and presumably unique pass code on a sticker. You can still change it yourself, once logged in. Found this on a B2B we got recently. Seems that Victron have caught up with best practice of not shipping with a fixed default password. They insisted you changed it when first connecting, but if some one does not use Bluetooth, then the first random towpath war~~driver~~walker could log in to a default Victron box and change all sorts of settings.

The temptation is to change the six digit password to your six digit CaRT boat index number, but that is the second thing a random person on the towpath is going to try after 000000!

magnetman · November 13, 2023

Sensible. Its unlikely to happen but if someone had a bank of lets say NMC lithium batteries without a BMS and were relying on solar to protect the high voltage and the inverter to protect the low voltage then someone fiddling with the charging voltage could burn the boat out.

Improbable but all sorts of improbable things do happen so maybe Victron saw a potential legal case against them.

Its the first thing I thought of when I got the MPPT controllers.

IanD · November 13, 2023

8 minutes ago, magnetman said:

Sensible. Its unlikely to happen but if someone had a bank of lets say NMC lithium batteries without a BMS and were relying on solar to protect the high voltage and the inverter to protect the low voltage then someone fiddling with the charging voltage could burn the boat out.

Improbable but all sorts of improbable things do happen so maybe Victron saw a potential legal case against them.

Its the first thing I thought of when I got the MPPT controllers.

I doubt a legal case would work, since I'm sure the manual will say that the first thing you should do is change the password. But having a non-default random password is certainly much better practice, which is why most suppliers do it nowadays.

If you have electronic systems on your boat or at home -- router, bluetooth, smartphone, computer, whatever -- that shouldn't be accessible to any wandering miscreant, it's obviously a good idea to set reasonably secure passwords (so not 000000, or 123456, or boat index...). If you don't then on your own head be it... 😉

Edited November 13, 2023 by IanD

magnetman · November 13, 2023

There will be cases of people with no smartphone or computer buying the products.

A friend of mine on the River who can't read and write and has no computer literacy or smartphone bought a top of the range Victron MPPT. He didn't even know it had bluetooth. I changed the passcode for him.

These unusual situations do occur.

IanD · November 13, 2023

14 hours ago, ditchcrawler said:

Less than that for cheap insulated return ones

The Iskra ones are widely available for about £250 each.

Whichever you use, check the data sheet though -- when I looked at doing exactly this for 48V I found that for typical charging rpm the 24V 80A had the same or even a bit higher output than the 24V 100A one. Torque limiting (e.g. on the Wakespeed) at low rpm is also pretty much essential to stop the idle speed being pulled down and having too much load on the engine.

Also don't forget that using alternators on the propulsion engine to provide large amounts of power when moored is very inefficient by the time you add the low engine efficiency to the low alternator efficiency, probably not much more than 10% overall compared to about 25% for a standalone diesel generator. Even ignoring engine wear and tear and servicing this makes the power pretty expensive, with diesel at £1/l the cost comes out about 40p/kWh for a genny and £1/kWh for the diesel/alternator... 😞

Edited November 13, 2023 by IanD

wakey_wake · November 13, 2023

(on knowing how much the alternator can give under thee conditions)

13 hours ago, dmr said:

Thats silly, its the case temperature that matters (or strictly the windings and diodes) so its much better to measure alternator temperature directly rather than to measure other things and try to predict what you want to know. Alternator air slots will clog up over time so compromise your prediction.

The copper and silicon temperatures need protecting, but the case temperature is the obvious observable. It lags - the case gets hot after the coil gets hot. This is why the system that spots overtemperature and cuts output to 50% will cycle repeatedly, and that is going to cause the internals to repeatedly get hotter than the case.

Air input, current output and RPM are also observables so they can be used. "Last time we drew 120A at this RPM, the case overheated a minute later. Let's back it off a bit now and see how it goes".

Using only the other observables would be silly, yes, but combining them should give a more steady performance with less temperature cycling.

13 hours ago, dmr said:

I too have mixed feelings about Bluetooth but its very convenient. Its a weak signal so not much chance of getting at it from outside the boat, and is anybody really interested?

I do find that looking at settings and making adjustments on a mobile phone with a good screen is very convenient. The alternatives are loads of DIP switches or lots of complicated sequential presses of a button with maybe a tiny LCD alpha-numeric display....yuk.

Here's another way: Bluetooth being read-only, to tell you what's going on if that's what you want. Maybe a few virtual "toggle switches" for things like the immersion heater or defined charging modes.

Then for writing configuration, add a press switch on the case - the only hardware change needed. The software says "we have your changes ready to write - now press the Set button and we'll write them". This new requirement for physical access to the hardware makes the software write-access much safer.

And it prevents many clases of the following -

22 minutes ago, magnetman said:

Its unlikely to happen but if someone had a bank of lets say NMC lithium batteries without a BMS and were relying on solar to protect the high voltage and the inverter to protect the low voltage then someone fiddling with the charging voltage could burn the boat out.

One enemy is one too many. Don't keep fireworks (NMC) in your home. Don't install magic portals that allow silent access to things you thought were locked up.

This is not a random rat looking for cheese on his boat. Only humans do that kind of thing.

1 hour ago, Jen-in-Wellies said:

The temptation is to change the six digit password to your six digit CaRT boat index number, but that is the second thing a random person on the towpath is going to try after 000000!

This is better than open access (such as Bluetooth headphones have), and it's perfectly rational to pick a random number for the new PIN and write it on the back of the equipment with a Sharpie. If you got physical access, the PIN can only be an inconvenience.

How many times can you try a PIN? What does it do after the limit?

If your answer is "the app won't let you", then hopefully it's not true. The box itself must be the thing that doesn't let you 'cos bad guys don't use the manufacturer's app.

1 hour ago, IanD said:

I doubt a legal case would work, since I'm sure the manual will say that the first thing you should do is change the password. But having a non-default random password is certainly much better practice, which is why most suppliers do it nowadays.

If you have electronic systems on your boat or at home -- router, bluetooth, smartphone, computer, whatever -- that shouldn't be accessible to any wandering miscreant, it's obviously a good idea to set reasonably secure passwords (so not 000000, or 123456, or boat index...). If you don't then on your own head be it... 😉

Politicians are starting to see the consequence of default passwords on Internet-connected kit, and are in some places? thinking about? making laws to forbid it. It's not just "on your own head" when the kit has Internet access.

I'm sure new law is the wrong tool for the job - look at what the browser cookie laws have done for privacy and usability - but nobody asked me.

Um, IT security rants. Sorry... am I :offtopic: yet?

ditchcrawler · November 13, 2023

5 hours ago, Jen-in-Wellies said:

Over the last year, Victron have stopped shipping the blue(tooth) boxes with a default bluetooth password of 000000. They now come with a random and presumably unique pass code on a sticker. You can still change it yourself, once logged in. Found this on a B2B we got recently. Seems that Victron have caught up with best practice of not shipping with a fixed default password. They insisted you changed it when first connecting, but if some one does not use Bluetooth, then the first random towpath war~~driver~~walker could log in to a default Victron box and change all sorts of settings.

The temptation is to change the six digit password to your six digit CaRT boat index number, but that is the second thing a random person on the towpath is going to try after 000000!

Don't have you number visible, lots of boaters dont

Sign In

All Electric?

Featured Posts

Jen-in-Wellies

Link to comment

Share on other sites

magnetman

Link to comment

Share on other sites

IanD

Link to comment

Share on other sites

magnetman

Link to comment

Share on other sites

IanD

Link to comment

Share on other sites

wakey_wake

Link to comment

Share on other sites

ditchcrawler

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

All Activity

My Activity Streams

Important Information