Smart Meter Hacking: Difference between revisions

From The Munich Maker Lab's Wiki
(added some images)
No edit summary
Line 11: Line 11:
== Introduction ==
== Introduction ==


Goal of the project is to do smart home stuff , especially reading smart meter data without having to buy proprietary, expensive, insecure devices from datahungry, privacy-ingorant and profitmaximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [[https://fhem.de/ FHEM]] [[https://www.openhab.org/ openHAB]] or [[https://homegear.eu/ Homegear]] are preferred. Since Uli already has some smart meters installed in his flat from the energy billing company [[http://ista.de Ista]] who use the TI CC1101 in their metering devices. Reading the emitted radio signals from these (or similar) devices might be the first step to get a data source and therefore an overview of water, electricity and heating consumption in an open source smart home environment.
Goal of the project is to do smart home stuff, especially reading smart meter data without having to buy proprietary, expensive, insecure devices from datahungry, privacy-ingorant and profitmaximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [[https://fhem.de/ FHEM]] [[https://www.openhab.org/ openHAB]] or [[https://homegear.eu/ Homegear]] are preferred. Since Uli already has some smart meters installed in his flat from the energy billing company [[http://ista.de Ista]] who use the TI CC1101 radio transmitter in their metering devices. Reading the emitted radio signals from these (or similar) devices might be the first step to get a data source and therefore an overview of water, electricity and heating consumption in an open source smart home environment.




== Hardware ==
== Original Metering Hardware ==


* smart water meters ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Wasserzaehler/Produktbroschuere_Wasserzaehler.pdf Ista istameter product brochure])
* smart water meters "domaqua m" ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Wasserzaehler/Produktbroschuere_Wasserzaehler.pdf Ista istameter product brochure])
** bought an extra cold water meter for tinkering and will bring it to the space when it arrives ([https://www.ebay.de/itm/ISTA-Wasserz%C3%A4hler-Kaltwasser-Istameter-neu/132780767778?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649 ISTA Wasserzähler, Kaltwasser, Istameter])
* heating meter "sensonic II" ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Waerme_-_und_Kaeltezaehler/Produktbroschuere_Waermezaehler_sensonic_II.pdf Ista sensonic II product brochure (german)])
* heating meter ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Waerme_-_und_Kaeltezaehler/Produktbroschuere_Waermezaehler_sensonic_II.pdf Ista sensonic II product brochure (german)])
* smoke detectors ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Mietersicherheit/Rauchwarnmelderservice/Produktbroschuere_Rauchwarnmelder.pdf Ista fumonic 3 product brochure])
* smoke detectors ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Mietersicherheit/Rauchwarnmelderservice/Produktbroschuere_Rauchwarnmelder.pdf Ista fumonic 3 product brochure])
* raspberry pi with cc1101 to read 868 Mhz radio signals
* basestation "memonic3 radio net" usually installed in the stairways to collect and store radio signals from smart meters of multiple apartments and send them through a VPN tunnel via GPRS to Ista servers
* memonic3 radio net device to read, aggregate and upload data form multiple smart meters [[https://www.ista.com/fileadmin/twt_customer/countries/content/Arab/Documents/Memonic_3_Radio_net.pdf]]
 
<gallery>
Smart meter hacking.jpg|Water meter Ista "domaqua m" with "radio net 3" module
Smart meter hacking.jpg|Water meter Ista "domaqua m" with "radio net 3" module
Sensonic2.jpg|Heating meter Ista "Sensonic II"
Sensonic2.jpg|Heating meter Ista "Sensonic II"
Memonic_3_radio_net_board.jpg|Basestation Ista "memonic 3"
Memonic_3_radio_net_board.jpg|Basestation Ista "memonic 3"
</gallery>
</gallery>
== Own Hardware ==
* raspberry pi with cc1101 to read 868 Mhz radio signals
* bought a cold and warm water meter for tinkering - unfortunately they do not have a radio module (radio net 3) installed opposed to what I was expecting ([https://www.ebay.de/itm/ISTA-Wasserz%C3%A4hler-Kaltwasser-Istameter-neu/132780767778?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649 ISTA Wasserzähler, Kaltwasser, Istameter])
* got a memonic3 radio net device to read, aggregate and upload data from multiple smart meters [[https://www.ista.com/fileadmin/twt_customer/countries/content/Arab/Documents/Memonic_3_Radio_net.pdf]]
<gallery>


== Approach ==
== Approach ==
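Review bot: In the gallery part of this hunk the opening `<gallery>` tag above `Smart meter hacking.jpg|...` is removed and a new `<gallery>` is added after the "Own Hardware" bullets, so the new revision has `</gallery>` before `<gallery>`: the three image lines are no longer inside a gallery and the new tag is never closed. Restore `<gallery>` directly above the image lines and drop the one after the "Own Hardware" list. Smaller points in the reworded introduction: "privacy-ingorant" is still misspelled, the "Since Uli already has ..." sentence is still a fragment, and the external links are written with double brackets (`[[https://fhem.de/ FHEM]]`) where MediaWiki's external-link form uses single brackets.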
Line 40: Line 44:


== History (in reverse order) ==
== History (in reverse order) ==
* ordered some extra CC1101's to build a nanoCUL without having to de-solder the old wire from the chip
* bought some extra CC1101's to build a nanoCUL without having to de-solder the old wire from my first CC1101 chip
* ordered smart meter hardware for tinkering on ebay ("domaqua m" meter unfortunately without radio modules and a [[https://www.ista.com/fileadmin/twt_customer/countries/content/Arab/Documents/Memonic_3_Radio_net.pdf memonic 3 radio net]] ([[Memonic_3_radio_net_board.jpg opened]]))
* got some smart meter hardware for tinkering on ebay ("domaqua m" meter unfortunately without radio modules and a [[https://www.ista.com/fileadmin/twt_customer/countries/content/Arab/Documents/Memonic_3_Radio_net.pdf memonic 3 radio net]] ([[Memonic_3_radio_net_board.jpg opened]]))
** collects and store radio signals from CC1101 and sends them regularly to Ista via GPRS
** the memonic 3 collects and store radio signals from CC1101 and sends them regularly to Ista via GPRS
** contains a lot of Texas Instruments chips including CC1101 (of course) an [[http://www.ti.com/lit/ds/symlink/msp430f415.pdf M430F417 microcontroller]] and [[https://source.sierrawireless.com/resources/airprime/hardware_specs_user_guides/airprime_q2686_product_technical_specification_and_customer_design_guidelines/ Sierra Wireless AirPrime (Model Q2686RD)]] GSM transceiver module together with a SIM Card and a 10 year battery  
** it also contains a lot of Texas Instruments chips including CC1101 (of course) an [[http://www.ti.com/lit/ds/symlink/msp430f415.pdf M430F417 microcontroller]] and [[https://source.sierrawireless.com/resources/airprime/hardware_specs_user_guides/airprime_q2686_product_technical_specification_and_customer_design_guidelines/ Sierra Wireless AirPrime (Model Q2686RD)]] GSM transceiver module together with a SIM Card and a 10 year battery  
* recorded some smart meter radio signals with SDR ([[File:Smart_meter_signal.aup.zip]])
* recorded some smart meter radio signals with SDR ([[File:Smart_meter_signal.aup.zip]])
** signal not yet analyzed since I did not succeed to make GNUradio run on my macbook (with homebrew which seems unfortunate in this case)
** signal not yet analyzed since I did not succeed to make GNUradio run on my macbook (with homebrew which seems unfortunate in this case)
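Review bot: In the eBay bullet, `[[Memonic_3_radio_net_board.jpg opened]]` is not a file link (there is no `File:` namespace and no `|` before the label), so it will not point at the uploaded board photo; `[[:File:Memonic_3_radio_net_board.jpg|opened]]` would. The same bullet and both sub-bullets wrap external URLs in double brackets, where single brackets (`[URL label]`) are the external-link form. In the reworded first sub-bullet, "collects and store" should read "collects and stores".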

Revision as of 09:55, 19 October 2018

     
Smart Meter Hacking

Release status: experimental

Description: Trying to read radio signals from smart meters, e.g. by using the CC1101 (low cost, low power sub-1GHz RF transceiver)
Author(s): Uli
Download: http://www.ti.com/lit/ds/symlink/cc1101.pdf


Introduction

The goal of the project is to do smart home stuff, especially reading smart meter data, without having to buy proprietary, expensive, insecure devices from data-hungry, privacy-ignorant and profit-maximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [FHEM], [openHAB] or [Homegear] are preferred. Uli already has some smart meters installed in his flat from the energy billing company [Ista], which uses the TI CC1101 radio transmitter in its metering devices. Reading the radio signals emitted by these (or similar) devices might be the first step towards a data source, and therefore an overview of water, electricity and heating consumption, in an open source smart home environment.


Original Metering Hardware

  • Smart meter hacking.jpg: Water meter Ista "domaqua m" with "radio net 3" module
  • Sensonic2.jpg: Heating meter Ista "Sensonic II"
  • Memonic_3_radio_net_board.jpg: Basestation Ista "memonic 3"

Own Hardware

  • Raspberry Pi with CC1101 to read 868 MHz radio signals
  • bought a cold and warm water meter for tinkering - unfortunately they do not have a radio module (radio net 3) installed, as opposed to what I was expecting (ISTA Wasserzähler, Kaltwasser, Istameter)
  • got a memonic3 radio net device to read, aggregate and upload data from multiple smart meters [[1]]

Approach

  • Try to get the CC1101 to send and receive data
    • Ideally mount it on an Arduino Nano, which is then called a CUL (cc1101 USB lite) [DIY manual (german)]
    • Alternatively use an SDR to record and analyze radio signals from smart meters and try to understand them
  • Integrate it in a wireless home server such as FHEM
  • Display the data on something like grafana

Status

History (in reverse order)

  • bought some extra CC1101's to build a nanoCUL without having to de-solder the old wire from my first CC1101 chip
  • got some smart meter hardware for tinkering on ebay ("domaqua m" meter unfortunately without radio modules and a [memonic 3 radio net] (Memonic_3_radio_net_board.jpg opened))
    • the memonic 3 collects and stores radio signals from CC1101 and sends them regularly to Ista via GPRS
    • it also contains a lot of Texas Instruments chips including CC1101 (of course), an [M430F417 microcontroller] and a [Sierra Wireless AirPrime (Model Q2686RD)] GSM transceiver module together with a SIM card and a 10 year battery
  • recorded some smart meter radio signals with SDR (File:Smart meter signal.aup.zip)
    • signal not yet analyzed since I did not succeed in making GNUradio run on my macbook (with homebrew which seems unfortunate in this case)
  • soldered some wire to the cc1101 to use it with raspberry pi serial connection similar to [like this] and made it send test data [used software to send data from here] which could be seen with SDR (thx Paul) in a waterfall chart
    • could not find proper firmware for reading ista radio signals though and don't have time and knowledge to build one
  • ordered a CC1101 radio module

Links

[CC1101 Specs]

[Detailed description of mbus protocol]

[ista product brochure m-bus system (german)]

[ista protocol description mbus (german)]