Smart Meter Hacking

From The Munich Maker Lab's Wiki
Revision as of 13:52, 16 January 2019 by Uli (talk | contribs)

Release status: experimental
Image: Smart meter hacking.jpg
Description: Trying to read radio signals from smart meters, e.g. by using the TI CC1101 (low cost, low power sub-1 GHz RF transceiver)
Author(s): Uli
Download: http://www.ti.com/lit/ds/symlink/cc1101.pdf

Introduction

The goal of the project is to do smart home things, especially reading smart meter data, without having to buy proprietary, expensive, insecure devices from data-hungry, privacy-ignorant and profit-maximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [FHEM], [openHAB] or [Homegear] are preferred. Uli already has some smart meters installed in his flat from the energy billing company [Ista], which uses the TI CC1101 radio transceiver in its metering devices. Reading the radio signals emitted by these (or similar) devices might be the first step towards getting a data source, and therefore an overview of water, electricity and heating consumption, in an open source smart home environment.


Original Metering Hardware

Own Hardware

  • Raspberry Pi with CC1101 to read 868 MHz radio signals
  • bought a cold and warm water meter for tinkering - unfortunately they do not have a radio module (radio net 3) installed, as opposed to what I was expecting (ISTA Wasserzähler, Kaltwasser, Istameter)
  • got a memonic3 radio net device to read, aggregate and upload data from multiple smart meters [1]

Approach

  • Try to get the CC1101 to send and receive data
    • Ideally mount it on an Arduino Nano, which is then called a CUL (CC1101 USB Lite) [DIY manual (German)]
    • Alternatively use an SDR to record and analyze radio signals from smart meters and try to understand them
  • Integrate it in a home automation server such as FHEM
  • Display the data on something like Grafana
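As an added example (not code from the wiki page or from the culfw/FHEM projects), the Python below decodes the plaintext link-layer header of a wireless M-Bus frame of the kind a CC1101 in WMBus_t mode receives and reports whether the application payload is AES-encrypted (mode 5), i.e. unreadable without the meter key. The header layout and manufacturer-code packing follow EN 13757; the frame bytes are constructed, and the receiver is assumed to have stripped the block CRCs already.

```python
# Wireless M-Bus (EN 13757-4) link-layer header decoder.
# Frame layout assumed (CRCs already removed by the receiver):
#   L | C | M(2, LE) | A: ID(4, BCD LE) VER(1) TYPE(1) | CI | payload
DEVICE_TYPES = {0x02: "electricity", 0x03: "gas", 0x04: "heat", 0x07: "water",
                0x08: "heat cost allocator", 0x16: "cold water"}

def decode_manufacturer(mfield: int) -> str:
    """M-field: three uppercase letters packed as 5-bit values (A = 1)."""
    return "".join(chr(64 + ((mfield >> shift) & 0x1F)) for shift in (10, 5, 0))

def decode_bcd_le(data: bytes) -> str:
    """Meter ID: 4 BCD bytes, least significant byte first."""
    return "".join(f"{b:02x}" for b in reversed(data))

def parse_wmbus_header(frame: bytes) -> dict:
    """Return the plaintext header fields and the encryption mode of the payload."""
    if len(frame) < 10:
        raise ValueError("frame shorter than link-layer header")
    if frame[0] != len(frame) - 1:          # L counts every byte after itself
        raise ValueError("L-field does not match frame length")
    info = {
        "c_field": frame[1],
        "manufacturer": decode_manufacturer(int.from_bytes(frame[2:4], "little")),
        "meter_id": decode_bcd_le(frame[4:8]),
        "version": frame[8],
        "device_type": DEVICE_TYPES.get(frame[9], f"unknown (0x{frame[9]:02x})"),
        "ci_field": frame[10] if len(frame) > 10 else None,
        "encryption_mode": 0,      # 0 = plaintext payload
        "encrypted_blocks": 0,
    }
    # CI 0x7A = short transport-layer header: ACC, STATUS, CONFIG (2 bytes LE).
    # CONFIG bits 8-12 hold the encryption mode (5 = AES-128-CBC),
    # bits 4-7 the number of encrypted 16-byte blocks.
    if info["ci_field"] == 0x7A and len(frame) >= 15:
        config = int.from_bytes(frame[13:15], "little")
        info["encryption_mode"] = (config >> 8) & 0x1F
        info["encrypted_blocks"] = (config >> 4) & 0x0F
    return info

# Constructed sample frame: manufacturer "IST" (0x2674), meter 12345678,
# cold water meter, mode-5 encrypted payload of two blocks (zeros as placeholder).
SAMPLE_FRAME = bytes.fromhex(
    "2e 44 74 26 78 56 34 12 01 16"   # L, C=SND-NR, M, ID, version, device type
    "7a 2a 00 20 05"                  # CI, ACC, STATUS, CONFIG = 0x0520
) + bytes(32)

if __name__ == "__main__":
    for key, value in parse_wmbus_header(SAMPLE_FRAME).items():
        print(f"{key:>17}: {value}")
```

Only the header fields (meter ID, manufacturer, device type) are readable in the clear; with mode 5 the consumption values themselves need the per-meter AES key, which is why a plain receiver shows the meter but not its readings.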

Status

  • trying to build my own nanoCUL [as described here]
    • first on a breadboard with an Arduino Uno R3 ([pinout for nano here])
    • could not get the culfw running, so I tried it on a Nano clone with an ATMEL MEGA328P AU 1714
      • FHEM recognizes the nanoCUL and initializes it, but it returns weird values for frequency and other params and even freezes with rfmode set to 'WMBus_t'
      • maybe it has to do with a higher frequency of my [nano], because it seems to have 20 MHz but culfw has 16 MHz defined and a fallback mode to 8 MHz in the config file. Tried to build and flash it with a lot of different values but didn't succeed
      • guess I need some help with [debugging] here, maybe try yet another Nano...
      • will try using smaller resistors (470/1000 Ohm instead of 4.7k/10k) because the bigger ones are said to negatively impact the signals with low current, especially on breadboards (see [FHEM forum on smaller resistors])

History (in reverse order)

  • bought some extra CC1101s to build a nanoCUL without having to de-solder the old wire from my first CC1101 chip
  • got some smart meter hardware for tinkering on eBay ("domaqua m" meter, unfortunately without radio modules, and a [memonic 3 radio net] (see image Memonic_3_radio_net_board.jpg, opened))
    • the memonic 3 collects and stores radio signals from CC1101 and sends them regularly to Ista via GPRS
    • it also contains a lot of Texas Instruments chips including a CC1101 (of course), an [M430F417 microcontroller] and a [Sierra Wireless AirPrime (Model Q2686RD)] GSM transceiver module, together with a SIM card and a 10-year battery
  • recorded some smart meter radio signals with an SDR (File:Smart meter signal.aup.zip)
    • signal not yet analyzed since I did not succeed in making GNU Radio run on my MacBook (with Homebrew, which seems unfortunate in this case)
  • soldered some wire to the CC1101 to use it with the Raspberry Pi serial connection, similar to [like this], and made it send test data [used software to send data from here], which could be seen with an SDR (thx Paul) in a waterfall chart
    • could not find proper firmware for reading Ista radio signals though, and don't have the time and knowledge to build one
  • ordered a CC1101 radio module

Links

[CC1101 Specs]

[Detailed description of mbus protocol]

[ista product brochure m-bus system (German)]

[ista protocol description mbus (German)]