Smart Meter Hacking: Difference between revisions
No edit summary |
(imst m-bus adapter, rtlsdr) |
||
(9 intermediate revisions by one other user not shown) | |||
Line 11: | Line 11: | ||
== Introduction == | == Introduction == | ||
Goal of the project is to do smart home stuff , especially reading smart meter data without having to buy proprietary, expensive, insecure devices from datahungry, privacy-ingorant and profitmaximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [[https://fhem.de/ FHEM]] [[https://www.openhab.org/ openHAB]] or [[https://homegear.eu/ Homegear]] are preferred. Since Uli already has some smart meters installed in his flat from the energy billing company [[http://ista.de Ista]] who use the TI CC1101 in their metering devices. Reading the emitted radio signals from these (or similar) devices might be the first step to get a data source and therefore an overview of water, electricity and heating consumption in an open source smart home environment. | Goal of the project is to do smart home stuff, especially reading smart meter data without having to buy proprietary, expensive, insecure devices from datahungry, privacy-ingorant and profitmaximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [[https://fhem.de/ FHEM]] [[https://www.openhab.org/ openHAB]] or [[https://homegear.eu/ Homegear]] are preferred. Since Uli already has some smart meters installed in his flat from the energy billing company [[http://ista.de Ista]] who use the TI CC1101 radio transmitter in their metering devices. Reading the emitted radio signals from these (or similar) devices might be the first step to get a data source and therefore an overview of water, electricity and heating consumption in an open source smart home environment. | ||
== Hardware == | == Original Metering Hardware == | ||
* smart water meters ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Wasserzaehler/Produktbroschuere_Wasserzaehler.pdf Ista istameter product brochure | * smart water meters "domaqua m" ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Wasserzaehler/Produktbroschuere_Wasserzaehler.pdf Ista istameter product brochure]) | ||
* heating meter "sensonic II" ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Waerme_-_und_Kaeltezaehler/Produktbroschuere_Waermezaehler_sensonic_II.pdf Ista sensonic II product brochure (german)]) | |||
* heating meter ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/Waerme_-_und_Kaeltezaehler/Produktbroschuere_Waermezaehler_sensonic_II.pdf Ista sensonic II product brochure (german)]) | |||
* smoke detectors ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Mietersicherheit/Rauchwarnmelderservice/Produktbroschuere_Rauchwarnmelder.pdf Ista fumonic 3 product brochure]) | * smoke detectors ([https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Mietersicherheit/Rauchwarnmelderservice/Produktbroschuere_Rauchwarnmelder.pdf Ista fumonic 3 product brochure]) | ||
* basestation "memonic3 radio net" usually installed in the stairways to collect and store radio signals from smart meters of multiple apartments and send them through a VPN tunnel via GPRS to Ista servers | |||
<gallery> | |||
Smart meter hacking.jpg|Water meter Ista "domaqua m" with "radio net 3" module | |||
Sensonic2.jpg|Heating meter Ista "Sensonic II" | |||
Memonic_3_radio_net_board.jpg|Basestation Ista "memonic 3" | |||
</gallery> | |||
== Own Hardware == | |||
* raspberry pi with cc1101 to read 868 Mhz radio signals | * raspberry pi with cc1101 to read 868 Mhz radio signals | ||
* memonic3 radio net device to read, aggregate and upload data | * bought a cold and warm water meter for tinkering - unfortunately they do not have a radio module (radio net 3) installed opposed to what I was expecting ([https://www.ebay.de/itm/ISTA-Wasserz%C3%A4hler-Kaltwasser-Istameter-neu/132780767778?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649 ISTA Wasserzähler, Kaltwasser, Istameter]) | ||
* got a memonic3 radio net device to read, aggregate and upload data from multiple smart meters [[https://www.ista.com/fileadmin/twt_customer/countries/content/Arab/Documents/Memonic_3_Radio_net.pdf]] | |||
== Approach == | == Approach == | ||
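Review bot: the external links in the Introduction and the bare PDF link on the added memonic3 line are still written with doubled brackets (for example [[https://fhem.de/ FHEM]]), which the rendered revision shows as stray "[FHEM]" and "[[1]]". The brochure links in this same hunk already use the single-bracket form with a label, so switch these to that form and give the memonic3 link a label. The Introduction paragraph is also touched here without fixing "privacy-ingorant" or the sentence fragment that starts "Since Uli already has some smart meters installed".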
Line 33: | Line 42: | ||
* trying to build my own nanoCUL [[https://wiki.fhem.de/wiki/Selbstbau_CUL as described here]] | * trying to build my own nanoCUL [[https://wiki.fhem.de/wiki/Selbstbau_CUL as described here]] | ||
** first on a breadboard with arduino uno r3 ([[https://www.smarthome-agentur.de/blog/diy-cul-arduino-stick-smart-home-bauen/ pinout for nano here]]) | ** first on a breadboard with arduino uno r3 ([[https://www.smarthome-agentur.de/blog/diy-cul-arduino-stick-smart-home-bauen/ pinout for nano here]]) | ||
** did not work to get the culfw running, so I tried it on a nano clone with an ATMEL MEGA328P AU 1714 | |||
*** FHEM recognizes the nanoCUL and initializes it but it returns weird values for frequency and other params and even freezes with rfmode set to 'WMBus_t' | |||
*** maybe it has to do with a higher frequency of my [[https://www.mouser.de/ProductDetail/Microchip-Technology-Atmel/ATMEGA328P-AU?qs=K8BHR703ZXiCmmgp6%2FGNmQ%3D%3D nano]] because it seems to have 20MHz but culfw has defined 16MHz and a fallback mode to 8MHz in the config file. tried to build and flash it with a lot of different values but didn't succeed | |||
*** guess I need some help with [[https://forum.fhem.de/index.php?topic=73989.0 debugging]] here, maybe try yet another nano... | |||
*** will try using smaller resistors (470/1000 Ohms instead of 4.7k/10k) because the bigger ones are said to negatively impact the signals with low current especially on breadboards (see [[https://forum.fhem.de/index.php/topic,52865.0.html FHEM forum on smaller resistors]] | |||
== History (in reverse order) == | == History (in reverse order) == | ||
* | * bought some extra CC1101's to build a nanoCUL without having to de-solder the old wire from my first CC1101 chip | ||
* | * got some smart meter hardware for tinkering on ebay ("domaqua m" meter unfortunately without radio modules and a [[https://www.ista.com/fileadmin/twt_customer/countries/content/Arab/Documents/Memonic_3_Radio_net.pdf memonic 3 radio net]] ([[Memonic_3_radio_net_board.jpg opened]])) | ||
** collects and store radio signals from CC1101 and sends them regularly to Ista via GPRS | ** the memonic 3 collects and store radio signals from CC1101 and sends them regularly to Ista via GPRS | ||
** contains a lot of Texas Instruments chips including CC1101 (of course) an [[http://www.ti.com/lit/ds/symlink/msp430f415.pdf M430F417 microcontroller]] and [[https://source.sierrawireless.com/resources/airprime/hardware_specs_user_guides/airprime_q2686_product_technical_specification_and_customer_design_guidelines/ Sierra Wireless AirPrime (Model Q2686RD)]] GSM transceiver module together with a SIM Card and a 10 year battery | ** it also contains a lot of Texas Instruments chips including CC1101 (of course) an [[http://www.ti.com/lit/ds/symlink/msp430f415.pdf M430F417 microcontroller]] and [[https://source.sierrawireless.com/resources/airprime/hardware_specs_user_guides/airprime_q2686_product_technical_specification_and_customer_design_guidelines/ Sierra Wireless AirPrime (Model Q2686RD)]] GSM transceiver module together with a SIM Card and a 10 year battery | ||
* recorded some smart meter radio signals with SDR ([[File:Smart_meter_signal.aup.zip]]) | * recorded some smart meter radio signals with SDR ([[File:Smart_meter_signal.aup.zip]]) | ||
** signal not yet analyzed since I did not succeed to make GNUradio run on my macbook (with homebrew which seems unfortunate in this case) | ** signal not yet analyzed since I did not succeed to make GNUradio run on my macbook (with homebrew which seems unfortunate in this case) | ||
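Review bot: the added line about smaller resistors opens a parenthesis at "(see [[https://forum.fhem.de/index.php/topic,52865.0.html" and never closes it; add the ")" after the link. In the reworded History entries, "the memonic 3 collects and store radio signals" should read "collects and stores", and the chip list needs a comma between "(of course)" and "an".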
Line 47: | Line 61: | ||
== Links == | == Links == | ||
* [http://www.ti.com/lit/ds/symlink/cc1101.pdf CC1101 Specs] | |||
* [https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/M-Bus_System/Protokollbeschreibung_modul_mbus.pdf Detailed description of mbus protocol] | |||
* [https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/M-Bus_System/Produktbroschuere_M-Bus-System.pdf ista product brochure m-bus system (german)] | |||
* [https://www.ista.com/fileadmin/twt_customer/countries/content/Germany/Documents/Loesungen/Funk/M-Bus_System/Protokollbeschreibung_modul_mbus.pdf ista protocol description mbus (german)] | |||
=== Alternative Approaches === | |||
* [https://shop.imst.de/wireless-modules/usb-radio-products/10/im871a-usb-wireless-m-bus-usb-adapter-868-mhz iM871A-USB - Wireless M-Bus USB-adapter 868 MHz by iMST] | |||
** [https://www.openmuc.org/m-bus/ jM-Bus - Java software to go with that dongle] | |||
* [https://github.com/xaelsouth/rtl-wmbus WM-Bus interpreter for RTL-SDRs] | |||
[[Category:Project]][[Category:Smart Home]][[Category:IoT]] | [[Category:Project]][[Category:Smart Home]][[Category:IoT]] |
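Review bot: the new Links entries list Protokollbeschreibung_modul_mbus.pdf twice, once as "Detailed description of mbus protocol" and once as "ista protocol description mbus (german)"; keep a single entry and note the language on it. The "Alternative Approaches" subsection names working receivers (the iM871A-USB adapter, rtl-wmbus) but sits under Links, so a short bullet under Approach pointing to it would keep the two sections consistent.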
Latest revision as of 13:32, 24 September 2019
Smart Meter Hacking (release status: experimental) | |
---|---|
Description | Trying to read radio signals from smart meters e.g. by using the CC1101 (low cost, low power sub-1GHz RF transceiver) |
Author(s) | Uli |
Download | http://www.ti.com/lit/ds/symlink/cc1101.pdf |
Introduction
The goal of the project is to do smart home stuff, especially reading smart meter data without having to buy proprietary, expensive, insecure devices from data-hungry, privacy-ignorant and profit-maximizing companies. Alternative hardware and open source "smart home"/"IoT" solutions such as FHEM, openHAB or Homegear are therefore preferred. Uli already has some smart meters installed in his flat from the energy billing company Ista, which uses the TI CC1101 radio transmitter in its metering devices. Reading the radio signals emitted by these (or similar) devices might be the first step towards a data source, and therefore an overview of water, electricity and heating consumption, in an open source smart home environment.
Original Metering Hardware
- smart water meters "domaqua m" (Ista istameter product brochure)
- heating meter "sensonic II" (Ista sensonic II product brochure (german))
- smoke detectors (Ista fumonic 3 product brochure)
- basestation "memonic3 radio net" usually installed in the stairways to collect and store radio signals from smart meters of multiple apartments and send them through a VPN tunnel via GPRS to Ista servers
Own Hardware
- Raspberry Pi with CC1101 to read 868 MHz radio signals
- bought a cold and warm water meter for tinkering - unfortunately they do not have a radio module (radio net 3) installed, contrary to what I was expecting (ISTA Wasserzähler, Kaltwasser, Istameter)
- got a memonic3 radio net device to read, aggregate and upload data from multiple smart meters
Approach
- Try to get the CC1101 to send and receive data
- Ideally mount it on an arduino nano which is then called a CUL (cc1101 USB lite) [DIY manual (german)]
- Alternatively use an SDR to record and analyze radio signals from smart meters and try to understand them
- Integrate it in a wireless home server such as FHEM
- Display the data on something like grafana
Status
- trying to build my own nanoCUL [as described here]
  - first on a breadboard with Arduino Uno R3 ([pinout for nano here])
  - getting the culfw running did not work, so I tried it on a nano clone with an ATMEL MEGA328P AU 1714
    - FHEM recognizes the nanoCUL and initializes it, but it returns weird values for frequency and other params and even freezes with rfmode set to 'WMBus_t'
    - maybe it has to do with a higher frequency of my [nano], because it seems to have 20 MHz but culfw has defined 16 MHz and a fallback mode to 8 MHz in the config file. Tried to build and flash it with a lot of different values but didn't succeed
    - guess I need some help with [debugging] here, maybe try yet another nano...
    - will try using smaller resistors (470/1000 Ohms instead of 4.7k/10k) because the bigger ones are said to negatively impact the signals with low current, especially on breadboards (see [FHEM forum on smaller resistors])
History (in reverse order)
- bought some extra CC1101s to build a nanoCUL without having to de-solder the old wire from my first CC1101 chip
- got some smart meter hardware for tinkering on ebay ("domaqua m" meter, unfortunately without radio modules, and a [memonic 3 radio net] (Memonic_3_radio_net_board.jpg opened))
  - the memonic 3 collects and stores radio signals from CC1101 and sends them regularly to Ista via GPRS
  - it also contains a lot of Texas Instruments chips including CC1101 (of course), an [M430F417 microcontroller] and [Sierra Wireless AirPrime (Model Q2686RD)] GSM transceiver module together with a SIM card and a 10-year battery
- recorded some smart meter radio signals with SDR (File:Smart meter signal.aup.zip)
  - signal not yet analyzed since I did not succeed in getting GNU Radio to run on my MacBook (with homebrew, which seems unfortunate in this case)
- soldered some wire to the cc1101 to use it with raspberry pi serial connection similar to [like this] and made it send test data [used software to send data from here] which could be seen with SDR (thx Paul) in a waterfall chart
- could not find proper firmware for reading ista radio signals though and don't have time and knowledge to build one
- ordered a CC1101 radio module
Links
- CC1101 Specs
- Detailed description of mbus protocol
- ista product brochure m-bus system (german)
- ista protocol description mbus (german)