Hack Chat Transcript, Part 2
04/14/2021 at 20:04 • 0 comments
anything good in there?!
Also the bootloader the M15C processor uses
M16C
Water flow is not a reliable power source. The meters degrade over time and need to be replaced every 20 years
Working on disassembling it now
dang
Leave no stone unturned....
which is why we should all go subscribe if you get what I'm saying :)
@FrostWizard4 Much appreciated!
Subscribe Link?
https://www.youtube.com/channel/UCVa4o0P6xhhSDi3rgLm2SBw
Beat me to it...
forget that. where's your patreon ?!
Done! Subscribed!
Subscribed.
What about people who think that putting a magnet on the top of the smart meter resets it to zero, you guys consider that a hack?
@farmboy Nice!!
Does not work.
The link or the magnet thing?
Magnet
@dolsongte Funny you should mention that, they do have a magnetic sensor on top...
There actually is a reed switch in there to detect a magnet. But it doesn't do much interesting.
B.t.w. this is a USA discussion. Non USA meters are totally different (rectangular instead of round to start with)
But I have seen videos where people had a strong magnet near their meters and got a letter from the power company accusing them of tampering
Besides, resetting to zero would get you a huge bill. The utility would think it wrapped around at max digits and bill you for heavy usage
@Wim Ton Correct, I haven't looked at the meters outside North America
magnets can be used to saturate the current sensor and to disable switching mode power supplies.
So it appears that the "tamper switch" is a standard alarm system setup, magnet and reed switch.
The magnet might trigger tamper alarms. In some places that is a felony
you can certainly screw up the hall effect sensor with a big magnet. not recommended.
All my invasive experimenting has been done with meters I purchased on eBay... Anything with the live network around me is strictly listening to understand traffic
In Europe, detection of strong magnetic fields and a tamper switch is a regulatory requirement
Ultimately we don't own the meters on our house, so can't use those to experiment
but you paid for them?
I mean... the meter on my house.
I think a big reason people don't experiment with these is getting hardware, and fear of legal troubles
Indirectly yes
No, you pay for service, the meter is part of the service
And you pay for the power they use!
@Bernard I plan to measure how much power they use soon!
Interesting to see
Had the circuit breaker box on the side of my house explode. While the electrician was here working, he messed with the meter. 10 minutes later, a utility truck drove up to find out what we were doing.
About 5 watt
@Hash Are you guessing the amount of power the meters will use will be significant or no?
5 Watt seems about right
@FrostWizard4 I'm guessing not super significant, but curious compared to the old analog meters
@james Here's an older version of the same meter, two boards like you mentioned earlier
I believe the meter is powered on the unbilled side anyway.
@farmboy Yea, consumer pays in the end no matter which side it's on
I know that for mechanical meters (in some regions) it was a requirement to get the meter "power" billed to consumer. Not sure about smart ones.
Fair point, @Hash
what's that blue thing? supercap?
Yea, 5V 3F
https://www.grdf.fr/grdf-en/smart-gas-meter-france
Hi, good evening everyone (or whatever time it is at your part of the world)
@Rene Hi!
Has anyone here played around with the P1 port on some of the gyr metres?
That the IR port?
My nephew connected a web server to it
I saw a lot of work done on that in old DEFCON talks, "Into the eye of the smart meter" so I stuck to the RF side
https://particulier.edf.fr/en/home/contract-and-consumption/meter/linky-meter.html
Nice annotation!
The Dutch P1 spits out the readings every second in serial format
@Hash, no the RJ one
I talk about the changes in design over the years in the next video I am posting
@rene indeed
what's the biggest chip on the bottom left?
@Rene Got ya, no RJ ports on these Landis+Gyr meters
Yeah @Wim Ton , that one. Have you read it out yourself?
I am in Switzerland
@anfractuosity That's the M16C M30626FHPGP
16 bit processor
384k EEPROM
ah cheers, and you've managed to dump that? if so, how?
yes, combination of timing and power attacks
ooh cool
and some luck I'd say :)
I'll post something more detailed and reproducible in the next couple videos
omg. it's susceptible to the glitch read attack? lolz.
Can't distribute firmware, but instructional videos no prob
I think that's how the Zigbee Light Link key was leaked too.
It's like a 15 year old processor, I'm sure it's susceptible to a LOT
The firmware is not considered very confidential, with 10s of millions of meters in the field some will be reverse engineered
What reverse assembly tools are you using?
That's the trouble with infrastructure meant to live for 15 years... it's all exploitable after that length of time
Binary Ninja right now
I wonder how secure the firmware was 15 years ago?
Best reason to keep it all very low tech
Funny assumption. From the companies that bring you static symmetric key cryptos :)
15 years ago, probably pretty secure and the RF side tough to monitor with the frequency hopping
now, I can monitor entire frequency hopping range and capture all traffic
Not a big corporation or nation state... Some random dude in Texas
moore's law.
@farmboy nothing wrong with static symmetric keys as long as they are unique for every meter
Hash, What are you currently using to do that?
@farmboy Exactly
true. that's what i mean by "static"
I've been checking my various neighbours' solar claims with the HackRF/PortaPack heh
@James Murphy Using the Ettus Research USRP B200 now, going to adapt to the HackRF soon
and GNU Radio with Sandia Labs FHSS Utils, I'll post a link
I was looking at the HackRF myself but as a beginner I may be out of my depth..
https://github.com/sandialabs/gr-fhss_utils
RTL-SDR is a great one to start with @James Murphy
cheap and fairly easy to use
There's a bit of a learning curve with GNU Radio and SDR, but once you learn it what you can accomplish is staggering
https://greatscottgadgets.com/hackrf/
A talk about decoding the LORA PHY
the hackrf portapack has a meter read mode built in, for some meters.
You talking this setup? https://www.amazon.com/NooElec-NESDR-XTR-HF-Bundle/dp/B07GZKR98X/ref=asc_df_B07GZKR98X/?tag=hyprod-20&linkCode=df0&hvadid=416694317409&hvpos=&hvnetw=g&hvrand=8990602096898662945&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9019126&hvtargid=pla-830751080060&psc=1&tag=&ref=&adgrpid=94693386435&hvpone=&hvptwo=&hvadid=416694317409&hvpos=&hvnetw=g&hvrand=8990602096898662945&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9019126&hvtargid=pla-830751080060
Also the YARD Stick one for narrowband signals if you just want to listen to one frequency. Less to hassle with... Still not easy but easier to receive data... https://greatscottgadgets.com/yardstickone/
Got a HackRF a few years ago, great unit as it has xmit, albeit low power, but only half duplex and not the most sensitive receiver out there. Lately been playing with an RSPduo and love it!
https://github.com/sharebrained/portapack-hackrf
you using that gr-fhsss tool is definitely my favorite part of your youtube @Hash
@James Murphy Go to rtl-sdr.com and get from there, lower cost and supporting that site
@farmboy If there's interest there I'll show more, it's a super cool tool
Adalm Pluto being used as well ?
I've got one of those
@Erwin (de F/PE3ES) I haven't used it but it would work great for this
Thanks, Hash!
Murph
There's a quote I like a lot that I think sums up what a hacker is trying to do....
We shall not cease from exploration. And the end of all our exploring will be to arrive where we started and know the place for the first time. -T.S. Eliot
yes we stand on the shoulders of giants
Yeah, in a lot of ways we're just trying to earn new ways of seeing the world again for the first time
You can follow me on Twitter @BitBangingBytes for progress between videos
Looks like we're just about out of time here, so we'll officially wrap it up and let Hash get back to the bench. I have to say I enjoyed this immensely, and really appreciate Hash's time today. Really looking forward to more deep-dive videos on this. Thanks Hash! And thanks to all for the great questions!
There's so much to hack on these meters I'll be busy for a while I'm sure
Thanks Dan and everyone!
cheers hash, another interesting hack chat
Thanks
yes indeed!
Thank you Hash for your time and your expertise! Very much appreciated! Murph.
On a semi-related note, don't miss next week's Hack Chat:
https://hackaday.io/event/178502-avr-reverse-engineering-hack-chat
That looks interesting!
Thanks and well done
Thanks all! Transcript coming right up
-
Hack Chat Transcript, Part 1
04/14/2021 at 20:03 • 0 comments
OK, folks, here we go! Welcome to the Hack Chat, I'm Dan and I'll be moderating today along with Dusan as we welcome Hash to the Hack Chat for a discussion on smart meters. Really looking forward to this one!
Hash, I saw you on before, you still out there? If so, can you tell us a little about how you got interested in meter hacking?
It also lets them evaluate electrical outages and prioritize their dispatch -- if you're looking for a positive.
Hey everyone!
And just for the record, when we say "meter hacking", we're not talking about anything illegal -- just listening in on meter comms.
Hey Hash!
Exactly
I was always interested in hacking and using devices for reasons other than their intended purpose. It’s like a game between me and the device, a puzzle with an unknown number of pieces and no box with an image showing you how it should look when you are done. The prize is the feeling humans have been searching for since the beginning of time: Discovering new places no one else has been.
Now I can afford a nice lab setup so in my spare time I hack for fun, hardware and RF interest me most and I program when needed towards those ends. Power meters caught my eye initially because they get deployed and then basically stay the same for 15 years! This allows me to leisurely hack them knowing what I learn won’t be obsolete in 6 months like with consumer goods.
Smart Meter networks are pretty huge, but look like this in a very basic view
Hey Hash, assuming I have no testing hardware whatsoever what would it take for me to get in to this game?
I noticed so many routers on light poles today on my morning walk. Never really saw them before for some reason.
2 fingers and a plug?
That is not necessarily a correct view.
@James Murphy Could start with a RTL-SDR, learn the basics of RF and SDR and you're well on your way for $30
Not all smart meters are mesh
RTL-SDR ??
@james Indeed, I am specifically looking at Landis+Gyr
@Dan Maloney You'll see them all over the place now!
https://www.rtl-sdr.com/about-rtl-sdr/
Yes, The comm module on a Landis Gyr can be replaced.
As @Hash was saying ..
This a view of the boards I am analyzing
how can you tell what tech is inside the smart meter on my house?
Usually depends on the utility for the tech.
Thanks, Hash...
@dbcorbin Take a pic of it and post it here, if it has a FCCID then you got something worth analyzing
Those two long zig-zaggy chains of resistors are curious...
https://fccid.io/ is better than the official FCC site for looking that up
FCCID ??
yes, the identifier for the FCC
Some utilities still use power-line carrier systems.
Yea, I am working on reverse engineering the layout of the PCB as well....
https://sensus.com/communication-networks/sensus-technologies/flexnet-north-america/ list an alternative that is not mesh.
@James Murphy note the FCC id in his photo.
It is what is on my house.
is there no audio sound with these chats?
Thanks, Weberzach
No, text only
ok. thanks.
@Hash , are you interested in their ability to communicate, or measure usage accurately?
@felix1063 Like oldschool IRC Hacking days!
The zigzag resistors are used because a single resistor is not specified for the full mains voltage
Are they reporting Brown-Outs?
@weberzach I am interested in the mesh network, how they route messages, what messages get sent etc
@James Murphy They report power outages for sure, likely line conditions and brownouts too but not sure what data they would send for that
Mine is a PG&E, FCC ID: OWS-NIC514, Silver Spring Networks
How do they measure correct power factor?
I've been using one of these with my meter (but it requires you do a setup with the power company): https://www.rainforestautomation.com/rfa-z105-2-emu-2-2/
@hash is there any easy way to monitor with an RTL my own home's usage? Or is the best bet still the "IR" sensors?
Thanks, Hash...
@felix1063 They use a chip made by Teridian (Maxim now) to do that
@hash what is the protocol format?
and is it LoRa on 900 MHz ?
@richard I have one of those as well but in Dallas they killed that functionality recently
Mine is Open Wave, FCC ID: SK9ACT1
Depending on the Utility. The communications can be encrypted.
@baldrick (NE2Z) More info on the protocol here. https://wiki.recessim.com/view/Landis%2BGyr_GridStream_Protocol
cheers
Have you checked out rtlamr?
9600 baud with start/stop bits
Yea, it doesn't work for these meters unfortunately
RTLAMR doesn't apply to smart meters.
Ah, thanks
Landis+Gyr engineers wrote a paper about how their routing protocol works that was very interesting, here's an excerpt
link to the paper?
I had to pay for it on IEEE...
but might be available somewhere with some googling
The idea of a geographic routing protocol was very interesting
https://pdfs.semanticscholar.org/5ab2/6a0c8722d29e3780ac77310f07388a674d43.pdf
The PDF looks like a presentation based on the paper, could be useful
PG&E has partnered with NTS to provide real-time consumption data. It appears that they validate devices that are able to become nodes on PG&E's Zigbee network. These devices may provide some insight. https://www.nts.com/services/certification/pge/han-devices/
Thanks, Dan!
Yea, that's a solid presentation
The paper and testing was done in Dallas where I live!
There was a lot of mesh research going on.... back in the 2000s. This looks like a university paper.
What's the date on the IEEE doc from L&G? I wonder if that just ended up becoming the "standards" for field area network routing... published in Wi-SUN / RPL / 802.15.4g?
I see some of the meters use the zigbee standard, would getting a USB zigbee adapter to sniff zigbee packets be helpful?, something like this: https://www.microchip.com/DevelopmentTools/ProductDetails/AC182015-1
@farmboy It's from the same IEEE paper
Zigbee isn't the network Hash is decoding.
@richard These use Zigbee for a local home area network, and 900MHz proprietary mesh for comms back to power company
Thanks, Richard!
ahh ok, thanks
@Hash what do you suppose is the next step decoding this L&G fan?
You can see under the RF cans on this pic, left side zigbee, right CC1020 for mesh
There is usually a daughter board for the actual comm.
CC1020 is publicly documented - so.... if there is a static key in there... you could get it sniffing the SPI bus when it boots
@Hash what software are you using to explore/decode the protocol? GNU Radio?
So then what is the Zigbee network talking to? Stuff inside the customer property?
(assuming the key is in the host processor)
@james On these ones it's all one PCB, I have some others that are split
@farmboy Decode the power data, so far I don't have it yet
@farmboy The keys are different for each meter.
@Todd Christell Yes, custom block I wrote to decode L+G and Frequency hopping utilities by Sandia Labs
Where do you get electric meters from?
@Dan Maloney Correct, zigbee to consumer
@Bharbour eBay!!
So maybe one of those little dongles that customers can use to view their usage, etc?
https://www.ebay.com/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313&_nkw=landis%2Bgyr&_sacat=0
@Hash do you know of any cheap enough hardware to play with Zigbee? I tried the ApiMote but it stopped working after a while. I have a HackRF too but it can't do duplex tx/rx. Didn't find any reasonable alternatives... :/
I used to have one of these dongle and SCE stopped supporting them
@andrellobbello I'd say get a board dedicated to ZigBee, I haven't worked with it though
SCE: Southern California Edison
@Bernard Same here in Dallas
yes, SCE gave up on SEP 1.x (zigbee). they shut down their home energy portal.
Yeah the ApiMote was supposed to but it let me down haha thanks tho! :)
HAN (home area network) ZigBee / consumer <- Meter -> FAN (field area network) / utility
Is anyone addressing forensic analytics to identify the hack after it happens?
If I'm doing things correctly it appears to be a "chirp." I know that the water and gas communicate with the electric meter and that is higher power signal to an intermediate node so not sure which I'm seeing.
@dolsongte What do you mean?
@Todd Christell Your water/gas/power meters all made by same manufacturer?
Very few utilities cover gas, water, and electric.
So all the meters are usually different.
SCE is maybe the exception there.
That's how it is out here
all different
@Hash Yes, they bought it as a package.
Database analytics that the utility may use to identify when and where the meter was hacked
Good for them, probably more efficient that way
what are some of the common rf frequencies used for communications of the network?
You guys are going to love the NEXT generation smart meter. Have you heard about it?
400, 900, and 2.4
And the meters have tamper switch
@felix1063 902-928MHz is what these use
https://developer.itron.com/content/distributed-intelligence-introduction
Linux and WiFi. Hackers' DREAM
@farmboy That's going to be fun
@dolsongte I am sure at the head end system they have ways of detecting suspicious activity and flagging it
My utility in MI, DTE, uses itrons, and customer can also get a Powerley 'energy bridge' from zigbee->wifi/eth->cloud->phone app, and it even has an mqtt server on it that's open to subscribe to on local network. The meter configuration for what tariff or rate you have is programmed in by a technician using the IR interface, or they also can change the configuration remotely over the mesh network. Have you noticed different sets of messages on the mesh network depending on what tariff the customer has? ie: fixed flat rate, time of use, demand rate, etc.
Nothing like a stranded Linux distro on the side of your house! Connected with WiFi and botnet ready :)
Thanks. Do the meters transmit in a set interval and if so, what is that interval?
Interval is configurable by utility
@Dale I haven't noticed traffic differences there that I could discern, but it's a good idea of what to search for!
Meters tend not to use Linux, too resource hungry
@felix1063 Mine transmit once a minute normally and power data every 15 mins
Lots of other traffic as well
There are some old meters that only transmit once a month! (gas)
Uptime
That sounds like it got wiped to a default rate
Yeah, people worry about that with the energy bridge, it is linux. @farmboy I worry more about the utility screwing things up than hackers out here.
Gas meters I looked at were VERY interesting... Battery powered FOR 10 YEARS!
Transmit is usually not that often to reduce traffic
What worries me is ransomware. Bad guy targets the utility company. Accesses their system. Turns off everyone's meter then encrypts their system and sits back waiting for a ransom to be paid before giving them the key. Meanwhile, the end-user sits in the dark.
@Dale that's a good point. Utilities are kinda only good at... uhhh... collecting bills and turning off your power
@james Nope, all the live meters around here transmit once a minute
Gas meter; 10 year battery, this is why they cannot transmit very often
TONS of traffic to snoop
@SimonAllen yeah
Not all meters have remote disconnect.
@hash, the head end systems can't necessarily detect it. Depends on the utility's SCADA/EMS systems.
Firmware updates are digitally signed on modern meters
I know of water meters with 20 year batteries.
So yeah, that brings up a good point -- what about powering water meters? Battery too I'd imagine
@dolsongte That's true
Yes, both our gas and water are battery powered which is why they communicate locally with our power meter which has the "available" power for a more powerful radio. They had to replace all of the water pit covers with plastic so the RF could get out :)
Never looked at water meters but probably...would be cool to power them based on water flow spinning some kind of generator
^ I don't think you'll get the firmware of the meter.... but you can sure as heck get the data (before it goes over RF)... via the SPI bus between the meter's micro and the radio micro.
@farmboy I already got the firmware off the meter :)
awesome!