Smart Meter Hacking: Difference between revisions

From The Munich Maker Lab's Wiki
No edit summary
(imst m-bus adapter, rtlsdr)
 
(21 intermediate revisions by one other user not shown)
Line 3: Line 3:
|status=experimental
|status=experimental
|author=[[User:Uli|Uli]]
|author=[[User:Uli|Uli]]
|image=Smart_meter_hacking.jpg
|description=Trying to read radio signals from smart meters e.g. by using the CC1101 (low cost, low power sub-1GHz RF transceiver)
|description=Trying to read radio signals from smart meters e.g. by using the CC1101 (low cost, low power sub-1GHz RF transceiver)
|download=http://www.ti.com/lit/ds/symlink/cc1101.pdf
|download=http://www.ti.com/lit/ds/symlink/cc1101.pdf
Line 10: Line 11:
== Introduction ==
== Introduction ==


Goal of the project is to do smart home stuff , especially reading smart meter data without having to buy proprietary, expensive, insecure devices from datahungry, privacy-ingorant and profitmaximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [[https://fhem.de/ FHEM]] [[https://www.openhab.org/ openHAB]] or [[https://homegear.eu/ Homegear]] are preferred. Since Uli already has some smart meters installed in his flat from the energy billing company [[http://ista.de Ista]] who use the TI CC1101 in their metering devices. Reading the emitted radio signals from these (or similar) devices might be the first step to get a data source and therefore an overview of water, electricity and heating consumption in an open source smart home environment.
Goal of the project is to do smart home stuff, especially reading smart meter data without having to buy proprietary, expensive, insecure devices from datahungry, privacy-ingorant and profitmaximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [[https://fhem.de/ FHEM]] [[https://www.openhab.org/ openHAB]] or [[https://homegear.eu/ Homegear]] are preferred. Since Uli already has some smart meters installed in his flat from the energy billing company [[http://ista.de Ista]] who use the TI CC1101 radio transmitter in their metering devices. Reading the emitted radio signals from these (or similar) devices might be the first step to get a data source and therefore an overview of water, electricity and heating consumption in an open source smart home environment.




== Setup Uli home ==
== Original Metering Hardware ==


* smart water meters ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Wasserzaehler/Produktbroschuere_Wasserzaehler.pdf Ista istameter product brochure])
* smart water meters "domaqua m" ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Wasserzaehler/Produktbroschuere_Wasserzaehler.pdf Ista istameter product brochure])
* heating meter ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Waerme_-_und_Kaeltezaehler/Produktbroschuere_Waermezaehler_sensonic_II.pdf Ista sensonic II product brochure (german)])
* heating meter "sensonic II" ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Waerme_-_und_Kaeltezaehler/Produktbroschuere_Waermezaehler_sensonic_II.pdf Ista sensonic II product brochure (german)])
* smoke detectors ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Mietersicherheit/Rauchwarnmelderservice/Produktbroschuere_Rauchwarnmelder.pdf Ista fumonic 3 product brochure])
* smoke detectors ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Mietersicherheit/Rauchwarnmelderservice/Produktbroschuere_Rauchwarnmelder.pdf Ista fumonic 3 product brochure])
* basestation "memonic3 radio net" usually installed in the stairways to collect and store radio signals from smart meters of multiple apartments and send them through a VPN tunnel via GPRS to Ista servers
<gallery>
Smart meter hacking.jpg|Water meter Ista "domaqua m" with "radio net 3" module
Sensonic2.jpg|Heating meter Ista "Sensonic II"
Memonic_3_radio_net_board.jpg|Basestation Ista "memonic 3"
</gallery>
== Own Hardware ==
* raspberry pi with cc1101 to read 868 Mhz radio signals
* raspberry pi with cc1101 to read 868 Mhz radio signals
* bought a cold and warm water meter for tinkering - unfortunately they do not have a radio module (radio net 3) installed opposed to what I was expecting ([https://www.ebay.de/itm/ISTA-Wasserz%C3%A4hler-Kaltwasser-Istameter-neu/132780767778?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649 ISTA Wasserzähler, Kaltwasser, Istameter])
* got a memonic3 radio net device to read, aggregate and upload data from multiple smart meters [[https://www.ista.com/fileadmin/twt_customer/countries/content/Arab/Documents/Memonic_3_Radio_net.pdf]]


== Links ==
== Approach ==
* Try to get the CC1101 to send and receive data
** Ideally mount it on an arduino nano which is then called a CUL (cc1101 USB lite) [[https://wiki.fhem.de/wiki/Selbstbau_CUL DIY manual (german)]]
** Alternatively use an SDR to record and analyze radio signals from smart meters and try to unterstand them
* Integrate it in a wireless home server such as FHEM
* Display the data on something like grafana


[[http://www.ti.com/lit/ds/symlink/cc1101.pdf CC1101 Specs]]
== Status ==
* trying to build my own nanoCUL [[https://wiki.fhem.de/wiki/Selbstbau_CUL as described here]]
** first on a breadboard with arduino uno r3 ([[https://www.smarthome-agentur.de/blog/diy-cul-arduino-stick-smart-home-bauen/ pinout for nano here]])
** did not work to get the culfw running, so I tried it on a nano clone with an ATMEL MEGA328P AU 1714
*** FHEM recognizes the nanoCUL and initializes it but it returns weird values for frequency and other params and even freezes with rfmode set to 'WMBus_t'
*** maybe it has to do with a higher frequency of my [[https://www.mouser.de/ProductDetail/Microchip-Technology-Atmel/ATMEGA328P-AU?qs=K8BHR703ZXiCmmgp6%2FGNmQ%3D%3D nano]] because it seems to have 20MHz but culfw has defined 16MHz and a fallback mode to 8MHz in the config file. tried to build and flash it with a lot of different values but didn't succeed
*** guess I need some help with [[https://forum.fhem.de/index.php?topic=73989.0 debugging]] here, maybe try yet another nano...
*** will try using smaller resistors (470/1000 Ohms instead of 4.7k/10k) because the bigger ones are said to negatively impact the signals with low current especially on breadboards (see [[https://forum.fhem.de/index.php/topic,52865.0.html FHEM forum on smaller resistors]]


[[https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/M-Bus_System/Produktbroschuere_M-Bus-System.pdf ista product brochure m-bus system (german)]]
== History (in reverse order) ==
* bought some extra CC1101's to build a nanoCUL without having to de-solder the old wire from my first CC1101 chip
* got some smart meter hardware for tinkering on ebay ("domaqua m" meter unfortunately without radio modules and a [[https://www.ista.com/fileadmin/twt_customer/countries/content/Arab/Documents/Memonic_3_Radio_net.pdf memonic 3 radio net]] ([[Memonic_3_radio_net_board.jpg opened]]))
** the memonic 3 collects and store radio signals from CC1101 and sends them regularly to Ista via GPRS
** it also contains a lot of Texas Instruments chips including CC1101 (of course) an [[http://www.ti.com/lit/ds/symlink/msp430f415.pdf M430F417 microcontroller]] and [[https://source.sierrawireless.com/resources/airprime/hardware_specs_user_guides/airprime_q2686_product_technical_specification_and_customer_design_guidelines/ Sierra Wireless AirPrime (Model Q2686RD)]] GSM transceiver module together with a SIM Card and a 10 year battery
* recorded some smart meter radio signals with SDR ([[File:Smart_meter_signal.aup.zip]])
** signal not yet analyzed since I did not succeed to make GNUradio run on my macbook (with homebrew which seems unfortunate in this case)
* soldered some wire to the cc1101 to use it with raspberry pi serial connection similar to [[https://forum.homegear.eu/uploads/default/optimized/1X/97721e10f8038570a310faf533379c43aedd8b7a_1_690x369.png like this]] and made it send test data  [[https://salmg.net/2017/09/20/cc1101-transceiver-raspberry-pi/ used software to send data from here]] which could be seen with SDR (thx Paul) in a waterfall chart
** could not find proper firmware for reading ista radio signals though and don't have time and knowledge to build one
* ordered a CC1101 radio module


[[https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/M-Bus_System/Protokollbeschreibung_modul_mbus.pdf ista protocol description mbus (german)]]
== Links ==


* [http://www.ti.com/lit/ds/symlink/cc1101.pdf CC1101 Specs]
* [https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/M-Bus_System/Protokollbeschreibung_modul_mbus.pdf Detailed description of mbus protocol]
* [https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/M-Bus_System/Produktbroschuere_M-Bus-System.pdf ista product brochure m-bus system (german)]
* [https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/M-Bus_System/Protokollbeschreibung_modul_mbus.pdf ista protocol description mbus (german)]


=== Alternative Approaches ===
* [https://shop.imst.de/wireless-modules/usb-radio-products/10/im871a-usb-wireless-m-bus-usb-adapter-868-mhz iM871A-USB - Wireless M-Bus USB-adapter 868 MHz by iMST]
** [https://www.openmuc.org/m-bus/ jM-Bus - Java software to go with that dongle]
* [https://github.com/xaelsouth/rtl-wmbus WM-Bus interpreter for RTL-SDRs]
[[Category:Project]][[Category:Smart Home]][[Category:IoT]]
[[Category:Project]][[Category:Smart Home]][[Category:IoT]]
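Review bot: external links throughout the new revision use the double-bracket form ([[https://fhem.de/ FHEM]] in the introduction, the bare Memonic_3_Radio_net.pdf link under Own Hardware, the Selbstbau_CUL, mouser and forum links under Approach and Status); in MediaWiki that syntax is reserved for internal pages, so these render with stray brackets or, for the bare URL, as "[[1]]". Use single brackets as the Links section in the same hunk already does: [https://fhem.de/ FHEM]. Two smaller points: the resistor note under Status opens a parenthesis before "(see [[https://forum.fhem.de/index.php/topic,52865.0.html FHEM forum on smaller resistors]]" that is never closed, and "the memonic 3 collects and store radio signals" under History should read "collects and stores".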

Latest revision as of 13:32, 24 September 2019

     
Smart Meter Hacking

Release status: experimental [box doku]

Smart meter hacking.jpg
Description Trying to read radio signals from smart meters e.g. by using the CC1101 (low cost, low power sub-1GHz RF transceiver)
Author(s)  Uli
Download  http://www.ti.com/lit/ds/symlink/cc1101.pdf


Introduction

The goal of the project is to do smart home stuff, especially reading smart meter data, without having to buy proprietary, expensive, insecure devices from data-hungry, privacy-ignorant and profit-maximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [FHEM], [openHAB] or [Homegear] are preferred. Uli already has some smart meters installed in his flat from the energy billing company [Ista], which uses the TI CC1101 radio transmitter in its metering devices. Reading the radio signals emitted by these (or similar) devices might be the first step towards a data source, and therefore an overview, of water, electricity and heating consumption in an open source smart home environment.


Original Metering Hardware

  • smart water meters "domaqua m" ([Ista istameter product brochure])
  • heating meter "sensonic II" ([Ista sensonic II product brochure (german)])
  • smoke detectors ([Ista fumonic 3 product brochure])
  • basestation "memonic3 radio net", usually installed in the stairways to collect and store radio signals from the smart meters of multiple apartments and send them through a VPN tunnel via GPRS to Ista servers

Gallery: Water meter Ista "domaqua m" with "radio net 3" module; Heating meter Ista "Sensonic II"; Basestation Ista "memonic 3"
Own Hardware

  • raspberry pi with cc1101 to read 868 MHz radio signals
  • bought a cold and warm water meter for tinkering - unfortunately they do not have a radio module (radio net 3) installed, as opposed to what I was expecting (ISTA Wasserzähler, Kaltwasser, Istameter)
  • got a memonic3 radio net device to read, aggregate and upload data from multiple smart meters ([memonic 3 radio net])

Approach

  • Try to get the CC1101 to send and receive data
    • Ideally mount it on an arduino nano which is then called a CUL (cc1101 USB lite) [DIY manual (german)]
    • Alternatively use an SDR to record and analyze radio signals from smart meters and try to understand them
  • Integrate it in a wireless home server such as FHEM
  • Display the data on something like grafana

Status

  • trying to build my own nanoCUL [as described here]
    • first on a breadboard with arduino uno r3 ([pinout for nano here])
    • did not work to get the culfw running, so I tried it on a nano clone with an ATMEL MEGA328P AU 1714
      • FHEM recognizes the nanoCUL and initializes it but it returns weird values for frequency and other params and even freezes with rfmode set to 'WMBus_t'
      • maybe it has to do with a higher frequency of my [nano] because it seems to have 20MHz, but culfw has 16MHz defined and a fallback mode to 8MHz in the config file. Tried to build and flash it with a lot of different values but didn't succeed
      • guess I need some help with [debugging] here, maybe try yet another nano...
      • will try using smaller resistors (470/1000 Ohms instead of 4.7k/10k) because the bigger ones are said to negatively impact the signals with low current, especially on breadboards (see [FHEM forum on smaller resistors])

History (in reverse order)

  • bought some extra CC1101's to build a nanoCUL without having to de-solder the old wire from my first CC1101 chip
  • got some smart meter hardware for tinkering on ebay ("domaqua m" meter, unfortunately without radio modules, and a [memonic 3 radio net] (Memonic_3_radio_net_board.jpg opened))
    • the memonic 3 collects and stores radio signals from CC1101 and sends them regularly to Ista via GPRS
    • it also contains a lot of Texas Instruments chips including the CC1101 (of course), an [M430F417 microcontroller] and a [Sierra Wireless AirPrime (Model Q2686RD)] GSM transceiver module, together with a SIM card and a 10 year battery
  • recorded some smart meter radio signals with SDR (File:Smart meter signal.aup.zip)
    • signal not yet analyzed since I did not succeed to make GNUradio run on my macbook (with homebrew which seems unfortunate in this case)
  • soldered some wire to the cc1101 to use it with the raspberry pi serial connection (similar to [like this]) and made it send test data ([used software to send data from here]), which could be seen with an SDR (thx Paul) in a waterfall chart
    • could not find proper firmware for reading ista radio signals though and don't have time and knowledge to build one
  • ordered a CC1101 radio module

Links

  • [CC1101 Specs]
  • [Detailed description of mbus protocol]
  • [ista product brochure m-bus system (german)]
  • [ista protocol description mbus (german)]

Alternative Approaches

  • [iM871A-USB - Wireless M-Bus USB-adapter 868 MHz by iMST]
    • [jM-Bus - Java software to go with that dongle]
  • [WM-Bus interpreter for RTL-SDRs]
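The wM-Bus link-layer framing that the CUL's WMBus_t mode and the rtl-wmbus decoder both have to handle is not spelled out on this page, so here is an added example (not from the wiki page, nor from culfw or rtl-wmbus) that decodes and CRC-checks an EN 13757-4 Frame Format A as it looks after the physical layer has been stripped, i.e. after a T-mode receiver has undone the 3-out-of-6 encoding. It shows what a receiver can read before any decryption: the 10-byte first block carries the manufacturer code, meter ID, version and device type in the clear, and every block is protected by CRC-16/EN-13757 (polynomial 0x3D65, complemented result). The sample frame, the manufacturer code "IST", the meter ID 12345678 and the dummy payload are constructed for the example, not captured from any meter.

```python
# Added example (not from the wiki page): decode and CRC-check a Wireless M-Bus
# EN 13757-4 "Frame Format A" as seen after the physical layer is stripped
# (for T-mode: after the 3-out-of-6 decoding a receiver such as rtl-wmbus does).

CRC_POLY = 0x3D65  # x^16+x^13+x^12+x^11+x^10+x^8+x^6+x^5+x^2+1 (EN 13757-4)

# Subset of the EN 13757-3 device-type codes relevant to the meters on this page
DEVICE_TYPES = {
    0x02: "electricity",
    0x03: "gas",
    0x04: "heat",
    0x06: "warm water",
    0x07: "water",
    0x08: "heat cost allocator",
    0x1A: "smoke detector",
}


def crc16_en13757(data: bytes) -> int:
    """CRC-16/EN-13757: poly 0x3D65, init 0, MSB first, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc ^ 0xFFFF


def decode_manufacturer(m_field: int) -> str:
    """M-field: three 5-bit letters packed into 15 bits (letter = value + 64)."""
    return "".join(chr(((m_field >> shift) & 0x1F) + 64) for shift in (10, 5, 0))


def encode_manufacturer(code: str) -> int:
    value = 0
    for ch in code.upper():
        value = (value << 5) | (ord(ch) - 64)
    return value


def build_frame_a(c_field: int, manufacturer: str, device_id: str,
                  version: int, device_type: int, payload: bytes) -> bytes:
    """Assemble a Format A frame: 10-byte first block, then 16-byte data blocks,
    each followed by its 2-byte CRC (big-endian on the wire)."""
    if len(payload) > 255 - 9:
        raise ValueError("payload too long for a single frame")
    m_field = encode_manufacturer(manufacturer)
    # L-field counts C + M + A (9 bytes) plus the payload, excluding CRCs
    header = (bytes([9 + len(payload), c_field]) + m_field.to_bytes(2, "little")
              + bytes.fromhex(device_id)[::-1]      # 8-digit BCD ID, little-endian
              + bytes([version, device_type]))
    frame = header + crc16_en13757(header).to_bytes(2, "big")
    for offset in range(0, len(payload), 16):
        block = payload[offset:offset + 16]
        frame += block + crc16_en13757(block).to_bytes(2, "big")
    return frame


def parse_frame_a(frame: bytes) -> dict:
    """Split a Format A frame into header fields and payload, checking every block CRC."""
    if len(frame) < 12:
        raise ValueError("frame shorter than the mandatory first block")
    header, crc_rx = frame[:10], int.from_bytes(frame[10:12], "big")
    crc_ok = crc16_en13757(header) == crc_rx
    l_field = header[0]
    if l_field < 9:
        raise ValueError("L-field shorter than the C/M/A fields")
    payload = bytearray()
    pos, remaining = 12, l_field - 9
    while remaining > 0:
        n = min(16, remaining)
        block, block_crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or len(block_crc) < 2:
            raise ValueError("frame truncated")
        crc_ok = crc_ok and crc16_en13757(block) == int.from_bytes(block_crc, "big")
        payload += block
        pos, remaining = pos + n + 2, remaining - n
    return {
        "crc_ok": crc_ok,
        "c_field": header[1],                 # e.g. 0x44 = SND_NR, unsolicited send
        "manufacturer": decode_manufacturer(int.from_bytes(header[2:4], "little")),
        "device_id": header[4:8][::-1].hex(),
        "version": header[8],
        "device_type": DEVICE_TYPES.get(header[9], f"0x{header[9]:02X}"),
        "payload": bytes(payload),
    }


if __name__ == "__main__":
    # Constructed sample: a water meter "12345678" with a 20-byte dummy payload;
    # manufacturer code "IST" and the ID are assumptions, not captured data.
    sample = build_frame_a(0x44, "IST", "12345678", 0x01, 0x07, bytes(range(20)))
    print(sample.hex())
    print(parse_frame_a(sample))
```

Running the file builds the sample frame and prints it together with the parsed header. For a home server the useful part is the CRC check: a frame whose block CRCs fail should be dropped rather than fed into FHEM or Grafana, and the header fields show why wM-Bus meters are identifiable on the air even when the application payload is AES-encrypted; the payload is left opaque here because reading it requires the key issued for the meter.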