anything good in there?!
Also the bootloader the M16C processor uses
Water flow is not a reliable power source. The meters degrade over time and need to be replaced every 20 years
Working on disassembling it now
Leave no stones unturned....
which is why we should all go subscribe if you get what im saying :)
@FrostWizard4 Much appreciated!
Subscribe Link?
RECESSIM is Latin for "moving backwards" which is what we do when we Reverse Engineer. I hope you enjoy the content here, feel free to contact me to suggest other content you are interested in seeing. Always looking for a new project! -Hash
Beat me to it...
forget that. where's your patreon ?!
Done! Subscribed!
What about people who think that putting a magnet on the top of the smart meter resets it to zero, you guys consider that a hack?
@farmboy Nice!!
Does not work.
The link or the magnet thing?
@dolsongte Funny you should mention that, they do have a magnetic sensor on top...
there actually is a reed switch in there to detect a magnet. but it doesn't do much interesting.
B.t.w. this is a USA discussion. Non USA meters are totally different (rectangular instead of round to start with)
But I have seen videos where people had a strong magnet near their meters and got a letter from the power company accusing them of tampering
Besides, resetting to zero would get you a huge bill. The utility would think it wrapped around on max digits and bill you for heavy usage
@Wim Ton Correct, I haven't looked at the meters outside North America
magnets can be used to saturate the current sensor and to disable switching mode power supplies.
So it appears that the "tamper switch" is a standard alarm system setup, magnet and reed switch.
The magnet might trigger tamper alarms. In some places that is a felony
you can certainly screw up the hall effect sensor with a big magnet. not recommended.
All my invasive experimenting has been done with meters I purchased on eBay... Anything with the live network around me is strictly listening to understand traffic
In Europe, detection of strong magnetic fields and a tamper switch is a regulatory requirement
Ultimately we don't own the meters on our house, so can't use those to experiment
but you paid for them?
i mean... the meter on my house.
I think a big reason people don't experiment with these is getting hardware, and fear of legal troubles
Indirectly yes
No, you pay for service, the meter is part of the service
And you pay for the power they use!
@Bernard I plan to measure how much power they use soon!
Interesting to see
Had the circuit breaker box on the side of my house explode. While the electrician was here working, he messed with the meter. 10 minutes later, a utility truck drove up to find out what we were doing.
About 5 watt
@Hash Are you guessing the amount of power the meters will use will be significant or no?
5 Watt seems about right
@FrostWizard4 I'm guessing not super significant, but curious compared to the old analog meters
@james Here's an older version of the same meter, two boards like you mentioned earlier
i believe the meter is powered on the unbilled side anyway.
@farmboy Yea, consumer pays in the end no matter which side it's on
I know that for mechanical meters (in some regions) it was a requirement to get the meter "power" billed to consumer. Not sure about smart ones.
Fair point, @Hash
what's that blue thing? supercap?
Yea, 5V 3F
Smart Gas Meter project in France for smarter cities
GRDF took a major step towards Smart Grids for smarter cities through a large scale deployment of the Smart Gas Meter. Today, we are ready to enhance customer satisfaction, improve energy management and to optimize our distribution network!
Hi, good evening everyone (or whatever time it is at your part of the world)
@Rene Hi!
Has anyone here played around with the P1 port on some of the gyr metres?
That the IR port?
My nephew connected a web server to it
I saw a lot of work done on that in old DEFCON talks, "Into the eye of the smart meter" so I stuck to the RF side
Nice annotation!
The Dutch P1 spits out the readings every second in serial format
@Hash, no the RJ one
I talk about the changes in design over the years in the next video I am posting
@rene indeed
what's the biggest chip on the bottom left?
@Rene Got ya, no RJ ports on these Landis+Gyr meters
Yeah @Wim Ton , that one. Have you read it out yourself?
I am in Switzerland
@anfractuosity That's the M16C M30626FHPGP
16 bit processor
384k eeprom
ah cheers, and you've managed to dump that? if so, how?
yes, combination of timing and power attacks
ooh cool
and some luck i'd say :)
I'll post something more detailed and reproducible in the next couple videos
omg. it's susceptible to the glitch read attack? lolz.
Can't distribute firmware, but instructional videos no prob
i think that's how the zigbee light link key was leaked too.
It's like a 15 year old processor, I'm sure it's susceptible to a LOT
The firmware is not considered very confidential, with 10s of millions of meters in the field some will be reverse engineered
What reverse assembly tools are you using?
That's the trouble with infrastructure meant to live for 15 years... it's all exploitable after that length of time
Binary Ninja right now
I wonder how secure the firmware was 15 years ago?
Best reason to keep it all very low tech
funny assumption. from the companies that bring you static symmetric key cryptos :)
15 years ago, probably pretty secure and the RF side tough to monitor with the frequency hopping
now, I can monitor entire frequency hopping range and capture all traffic
Not a big corporation or nation state... Some random dude in Texas
moore's law.
@farmboy nothing wrong with static symmetric keys as long as they are unique for every meter
Hash, What are you currently using to do that?
@farmboy Exactly
true. that's what i mean by "static"
i've been checking my various neighbours' solar claims with the hackrf/portapack heh
@James Murphy Using the Ettus Research USRP B200 now, going to adapt to the HackRF soon
and GNU Radio with Sandia Labs FHSS Utils, i'll post a link
I was looking at the HackRF myself but as a beginner I may be out of my depth.
This GNU Radio module contains tools for processing frequency hopping spread spectrum signals. Blocks derived from the gr-iridium project exist to detect narrowband bursts within wideband signals and downconvert and center them. Metadata is tracked through this process enabling reconstruction of where the bursts originated in time and frequency.
RTL-SDR is a great one to start with @James Murphy
cheap and fairly easy to use
There's a bit of a learning curve with GNU Radio and SDR, but once you learn it what you can accomplish is staggering
open source hardware for software-defined radio. Documentation is in the wiki. Source code and hardware design files are available in the latest release or in the git repository. Before asking for help with HackRF, check to see if your question is listed in the FAQ or has already been answered in the mailing list archives.
Read this on Greatscottgadgets
A talk about decoding the LORA PHY
the hackrf portapack has a meter read mode built in, for some meters.
You talking this setup?
Also the YARD Stick one for narrowband signals if you just want to listen to one frequency. Less to hassle with... Still not easy but easier to receive data...
Got HackRF a few years ago, great unit as it has xmit, albeit low power, but only half duplex and not the most sensitive receiver out there. Lately been playing with an RSPDuo and love it!
The PortaPack H1 makes the HackRF One software-defined radio portable. It adds an LCD touchscreen, user interface navigation controls, audio output and input, micro SD card slot, 2.5 PPM crystal oscillator, and real-time clock battery backup. The PortaPack firmware provides a user interface and necessary signal processing to do many useful things without a computer.
You using that gr-fhss tool is definitely my favorite part of your youtube @Hash
@James Murphy Go to and get from there, lower cost and supporting that site
@farmboy If there's interest there i'll show more, it's a super cool tool
Adalm Pluto being used as well ?
i've got one of those
@Erwin (de F/PE3ES) I haven't used it but it would work great for this
Thanks Hash!
There's a quote I like a lot that I think sums up what a hacker is trying to do....
We shall not cease from exploration. And the end of all our exploring will be to arrive where we started and know the place for the first time. -T.S. Eliot
yes we stand on the shoulders of giants
Yeah, in a lot of ways we're just trying to earn new ways of seeing the world again for the first time
You can follow me on Twitter @BitBangingBytes for progress between videos
Looks like we're just about out of time here, so we'll officially wrap it up and let Hash get back to the bench. I have to say I enjoyed this immensely, and really appreciate Hash's time today. Really looking forward to more deep-dive videos on this. Thanks Hash! And thanks to all for the great questions!
There's so much to hack on these meters i'll be busy for a while i'm sure
Thanks Dan and everyone!
cheers hash, another interesting hack chat
yes indeed!
Thank you Hash for your time and your expertise! Very much Appreciated! Murph.
On a semi-related note, don't miss next week's Hack Chat:
AVR Reverse Engineering Hack Chat
On beyond Arduino. Wednesday, April 21, 2021, 12:00 pm PDT. Uri Shaked will host the Hack Chat on Wednesday, April 21 at noon Pacific.
That looks interesting!
Thanks and well done
Thanks all! Transcript coming right up