Smart Meter Hacking

From The Munich Maker Lab's Wiki
Jump to navigation Jump to search
Smart Meter Hacking

Release status: experimental [box doku]

Smart meter hacking.jpg
Description Trying to read radio signals from smart meters e.g. by using the CC1101 (low cost, low power sub-1GHz RF transceiver)
Author(s)  Uli


Goal of the project is to do smart home stuff, especially reading smart meter data without having to buy proprietary, expensive, insecure devices from datahungry, privacy-ingorant and profitmaximizing companies. Therefore alternative hardware and open source "smart home"/"IoT" solutions such as [FHEM] [openHAB] or [Homegear] are preferred. Since Uli already has some smart meters installed in his flat from the energy billing company [Ista] who use the TI CC1101 radio transmitter in their metering devices. Reading the emitted radio signals from these (or similar) devices might be the first step to get a data source and therefore an overview of water, electricity and heating consumption in an open source smart home environment.

Original Metering Hardware

Own Hardware

  • raspberry pi with cc1101 to read 868 Mhz radio signals
  • bought a cold and warm water meter for tinkering - unfortunately they do not have a radio module (radio net 3) installed opposed to what I was expecting (ISTA Wasserzähler, Kaltwasser, Istameter)
  • got a memonic3 radio net device to read, aggregate and upload data from multiple smart meters [[1]]


  • Try to get the CC1101 to send and receive data
    • Ideally mount it on an arduino nano which is then called a CUL (cc1101 USB lite) [DIY manual (german)]
    • Alternatively use an SDR to record and analyze radio signals from smart meters and try to unterstand them
  • Integrate it in a wireless home server such as FHEM
  • Display the data on something like grafana


  • trying to build my own nanoCUL [as described here]
    • first on a breadboard with arduino uno r3 ([pinout for nano here])
    • did not work to get the culfw running, so I tried it on a nano clone with an ATMEL MEGA328P AU 1714
      • FHEM recognizes the nanoCUL and initializes it but it returns weird values for frequency and other params and even freezes with rfmode set to 'WMBus_t'
      • maybe it has to do with a higher frequency of my [nano] because it seems to have 20MHz but culfw has defined 16MHz and a fallback mode to 8MHz in the config file. tried to build and flash it with a lot of different values but didn't succeed
      • guess I need some help with [debugging] here, maybe try yet another nano...
      • will try using smaller resistors (470/1000 Ohms instead of 4.7k/10k) because the bigger ones are said to negatively impact the signals with low current especially on breadboards (see [FHEM forum on smaller resistors]

History (in reverse order)

  • bought some extra CC1101's to build a nanoCUL without having to de-solder the old wire from my first CC1101 chip
  • got some smart meter hardware for tinkering on ebay ("domaqua m" meter unfortunately without radio modules and a [memonic 3 radio net] (Memonic_3_radio_net_board.jpg opened))
    • the memonic 3 collects and store radio signals from CC1101 and sends them regularly to Ista via GPRS
    • it also contains a lot of Texas Instruments chips including CC1101 (of course) an [M430F417 microcontroller] and [Sierra Wireless AirPrime (Model Q2686RD)] GSM transceiver module together with a SIM Card and a 10 year battery
  • recorded some smart meter radio signals with SDR (File:Smart meter
    • signal not yet analyzed since I did not succeed to make GNUradio run on my macbook (with homebrew which seems unfortunate in this case)
  • soldered some wire to the cc1101 to use it with raspberry pi serial connection similar to [like this] and made it send test data [used software to send data from here] which could be seen with SDR (thx Paul) in a waterfall chart
    • could not find proper firmware for reading ista radio signals though and don't have time and knowledge to build one
  • ordered a CC1101 radio module


Alternative Approaches