IT TOOK ME 5 YEARS TO FIND THIS
HTML-код
- Опубликовано: 7 янв 2023
- BECOME A PATREON!
/ recessim
There's always something new to learn! In this video I explain recent changes to the #GNURadio Smart Meters module and ultimately how I found data I was missing that may contain power readings.
These long unknown packets you can check out!
github.com/BitBangingBytes/Gr...
GitHub Smart Meters repository:
github.com/BitBangingBytes/gr...
Jacob Gilbert's Github:
github.com/jacobagilbert
Sandia Labs FHSS Utils:
github.com/sandialabs/gr-fhss...
RECESSIM Wiki:
wiki.recessim.com/view/Advanc...
You can get this up and running FAST using DragonOS by @cemaxecuter7783
cemaxecuter.com/ 
Наука
Why on earth (no pun intended) would they use GPS coordinates as an unencrypted node identifier!? I can't imagine what led to such decision.
I suppose it could make routing by physical proximity easier.
It's self configuring, good for rolling out a large project.
It also means they don't have to rely on installers to enter the correct serial number and hose number in a system, saves a lot of work and fault finding. Why it's not encrypted? If the radio uses GPS coordinates for routing it would probably be too cpu intensive to decrypt each packet.
@@mrfrenzy. and it's easier to "disregard" based off arbitrary information as long as the GPS data is unencrypted. Wouldn't work in the boonies, but could be "self learning".
Just my $0.02
@@mrfrenzy. CPU resources in these meters aren't the problem. Heck, I can use encryption with ESP8266 without an issue. Problem is key management. They have to keep track of the encryption keys and if they bork that up hundreds of man hours in trying to fix all those broken meters.
Man this is one of my favorite projects I've seen evolve. Thanks so much for documenting it.
Thanks, that means a lot! Glad you’re enjoying it.
Can confirm!
As someone who is involved in the development of Smart Meter Gateways in Germany, it's crazy to see how different they work in different countries.
Glad you were able to get a peek behind the curtain! More on the protocol at: wiki.recessim.com/view/Landis%2BGyr_GridStream_Protocol
Ach...interessant... Do you have a link too? :-)
germany=little china
The smart meters gateways in germany are practically the same in the netherlands right? We can use a RJ11 connector and shove it in and read it all
@@xusdom Sage jetzt mal keinen Namen, aber wir sind schon ziemlich weit vorne wenn es um SMGW-Testsysteme geht ;)
It's been a lot of fun watching you deconstruct the way these systems work. Might be some benefit in helping others learn how to create these types of IoT mesh networks for other important projects.
You explain something extremely difficult in such an easy way. Not that I know what you were talking about with all the technical stuff, but you did explain what it is about and what happens on the electric net.
Thanks for watching!
MTM ;)
your thumbnail is genius. i literally HAD to know what data this is 😂 then i also realized, i've had a major data loss recently. years of work gone. i'm happy for you, whatever you recovered
Hey, this is awesome! Thank you so much for putting it out. Especially getting some insight on how you can approach debugging GNURadio blocks, you have no idea how valuable this is to someone who is getting their feet wet with SDR radios. Definitely going to leave a subscription. Cheers from Germany!
The decoder handles non 0x2A frames that is why I required it for the input. Look at the messyEater parameter. I thought it might be OTA corruption, or QoS since it was outside of the CRC and that it was somehow intentionally designed that way. but I took that raw data and normalized it into a proper format and continued to decode it. I didn't discard it. I've already broken down some of those longer packets. There also seems to be some kind of multicast feature with them. I saw them when you went to the apartment complex and Bob's network. I also saw the repeating packets and repeating frames. I did not think to use the same 0x(8|0)0FF as the start of an encapsulated packet, but a histogram showed it was encrypted. The formats are all documented in the latest decoder. I think Bob has a copy.
i was told that they intentionally bounce pings and messages a specific amount of times from meter to meter within a territory ( defined area of a substation) to make sure that the streams were not tampered with and were always validated with CRC's to maintain the validity and soundness of messages to substation.
Your work and research is absolutely amazing. ANd you explain it really well too.
Thanks, really appreciate that! Glad you’re following along.
The youtube algo brought me here and I'm glad it did. This was such a cool project to see you working on, thanks for sharing it.
Thanks for watching, appreciate your kind words.
The interesting thing would be to work out if the network can be used to piggy back your own messages. So person one side of town uses the smart meter network which passes meter to meter to the person the other side of town lol
That idea is actually what started me down this path years ago!
Excellent! This is awesome! It's been several months since my power co-op started switching over to RF meters. I may take this back up again to see what I can find.
Wow I would love to be able to help but you are so far ahead of anything I could ever dream of doing its mind boggling just to watch what you are doing. Great stuff
If these packets are unencrypted, then I'd be careful sniffing other house's packets, as, according to the Supreme Court case Joffe v Google, "the Wiretap Act covers the interception of unencrypted Wi-Fi communications." Granted, I'm very ignorant of the full context of this work, so this may not apply (as most network packets nowadays have some form of encryption).
Edit: I don't want to sound like a hater, this is some seriously amazing work, keep it up!
It's astounding the lengths authority will go to. Open,, 360 degree, unencrypted data is free reign to anyone who cares to listen.
Does the law cover listening or acting upon what you hear/discover?
@@ianhelsbyservices Yeah I agree, the ruling shocked me too as pretty far-reaching. As for it's general applicability, see any discussion of how the Wiretap Act is applied, though I think the gist is any form of interception of communication where you were not the intended target while using covered mediums is a violation. Usage of the information is immaterial AFAIK. Obligatory I am not a lawyer, just got a CS degree and took Computer Law.
It’s one of the main problems, the CFAA was recently amended I believe to cover “good faith security research” which is what I would consider I am doing. If people like us don’t actively search for vulnerabilities for the public good, we leave vulnerable systems that can be exploited by bad actors.
I was doing it prior to the CFAA change, but fundamentally I believe it’s worth the risk. If you believe something is unjust, you gotta take a stand. Thanks for commenting!
@@RECESSIM Ah yeah excellent point, I definitely believe you're doing a good thing. I'm sure the DOJ has plenty of better things to do with their time :)
Fingers crossed!
Thanking you most kindly from England UK
Well done. This was very cool and explained clearly. I have no idea what you were talking about but it was cool. Keep up the hard work.
1:22 am I have no idea how youtube suggested your channel to me but I am glad it did... That si cools stuff you are doing here...
Thanks! I feel the same way when some random thing pops up. Happy the AI Algo was able to read my mind 😂
Finally a useful channel with useful stuff.
I was involved with PLC Weymouth (Power Line Communications) in the UK in the 90s, they had an early 100/300 KHz hierarchical meter system, 300 khz over RYB local to hub nodes up poles, 100 khz between control hubs and HQ ,
The system was fragile and hardware expensive and limited. part of the problem was installers using sidecutters to cut (shatter) 1mm fibre terminations. OMFG.
I really love this project.... You are the reason I bought an SDR....
Polar satellites excite me, fun to watch them pop up over the horizon, then listen to their beacons. then they go bye bye.
A radio telescope would be fun, but alas neighbors. trees, and nasty noisy ISP cables.
I’d be interesting to see the inverse of the meter uptime as the metric for height - I.e. taller = shorter uptime, as a quick way to visualise outages. Great work !!
That’s a great idea, could also use different icons depending on uptime.
@@RECESSIM Something like a heatmap with different colors to show low to high uptime would be great.
This would be good info when researching a purchase of a new home... Which homes have high power uptime
I saw this absolutely not clickbait video on my feed and it took me a second to realize it's a hacking video. My favorite
I may at some point dig out my SDR kit I bought a couple of years ago to play with this myself, it's not as fancy as yours but still, could be fun
Awesome find
This is amazing. Thank you for sharing
This is great and I’m only halfway through!
I see some things I need to add 😮
Happy new year GOD bless you
Great work on the decoding. The long packets are on-demand reads. Modern electric meters usually read in five-minute intervals. Landis+Gyr defaults to 15 minutes (I believe). Readings are sent into the HES less frequently. When the HES requests the meter to send in its latest readings, it's typically either for the latest reading or the last X number or reads. Battery powered devices (Gas & Water) read and send less frequently. The fact that so much data is not encrypted suggest this is an older AMI solution. If you have questions, you can email.
Thanks! That’s interesting information. Any insight into the data that appears to be encrypted/encoded/compressed?
Awesome work 👍
Wow, nice work. What an interesting project.
Thanks a lot! It’s been a great learning opportunity. Glad you enjoyed the video.
Dude, this is awesome!
Zigbee is a mesh that can use many paths. The data is a format we call MV-90 it will have a months worth of of 32 bit data. If you are in ERCOT it 32 bit ieee-745 for each 15 min time integrations of kw based on the meters K sub h. Zigbee is a isocrouns data format. I can tell you more if you want
This is so cool! And judging from your geolocation, I might be able to do the same thing.
Give it a go! Oncor network is fun to monitor
Its 1:39 AM, I dont know how I got here nor do I understand anything that is being said, but it is very entertaining.
Could be worse, you could have been on TikTok 😂
Just discovered your vchannel, i dont live in Texas, regardles if ound it fascinating. Great work, ill be keeping my eye out for more! Sub earned.
Heeeeeey! Count me in! Lol! I live just down the road from you in Plano. Back when Oncor kicked off the smart meter stuff, I had bought several of those remote meter tracker boxes that was supposed to help people be able to monitor their usage to save money. Anyhow, I had it linked up, I pestered the guys at the Smart Meter office trying to get more information but they told me the meter trackers were eventually going to get kicked off the system and we would have to use the website if we wanted to know our meter reading and usage. Anyhow at the time I knew of nobody else who was pursuing learning about this stuff so I sort of got tired of it and just dropped it.
Anyhow, I have a ton of stuff you might be interested in that involves zigbee, which is the protocol the Smart Meters use as their Layer 2 (I think), and I would really like to collaborate with you on this. Holler back if you would like to meet up and discuss further. Cheers! -jim-
Hey Jim, I had one of those ZigBee readers too! Was surprised when it was discontinued. You can find me in the Discord server linked off www.recessim.com or email info there.
@@RECESSIM Managed to get signed in to the Discord server, said hello in #general but can't find an email address I can email except for the consulting address, which I did email but not sure if it works.
I have borderline zero knowledge in code and I still was mesmerized by this video lol. subbed
I would imagine the data is utilised by the onboard software via the microcontroller. So you might want to monitor the input and output pins of the microcontroller when it RX/TX data packets to get a better handle on it.
I've not been looking at github/discord - but did you get anywhere with reversing any applicable flash dumps? Might be able to get an idea at least about any decryption/checksums even if the presumably RSA keys aren't for your meter.
I started looking at the .NET source code I have from the Collector video from a year or so ago… There are some libraries in there that make more sense in light of this new data I found 😎
Very interesting...i learned a serious amount!!!
Glad you enjoyed it!
This is super cool work!
Thanks Mark!
Hash, your videos and sheer dedication are inspiring. This might be total noise from me, but, I was wondering what benefit the meter would have communicating directly with the substation. The thing that pops to mind is -- can these communications be precisely timed? If so, it might be something to do with "Ze" measurements (external fault loop impedance testing)
Once upon a time I did a little stuff reading smart meter packets locally where I live, but never got much in the way of what seemed like meaningful data besdies some unix timestamps. It looks like the reverse engineered has progressed a little further since last time I looked, perhaps I should take another look at packets from my smart meter, see if it matches up with the decoders in that repository.
Any additional eyes are appreciated!
Other than knowledge about radio, SDRs and a basic understanding of packet data, I have no idea what you are talking about. But it was still very interesting.
More fantastic work. I wonder how much the smart meter companies are following this series 🤣😂
Just wait until we decrypt this data 😳
@@RECESSIM I know haha. Looking forward to it 😀
@@RECESSIM Not sure about your meters in the USA but here in the UK the payloads are encrypted using RSA Elliptic Curve. My info on that however is ten years old, I haven't worked in the industry since 2013.
@@RECESSIM
What do you need to be able to decrypt it? Just a ton of computing horsepower to throw at it?
Likely to find a flaw in the implementation, poor key management, or something like that. Brute forcing it probably wouldn’t work.
Where there’s a will, there’s a way! 😁
Wow.. I really want to try playing around with this grid stream program.. that looks so cool!
I wonder if I can use this with my RTL sdr? More research is required
interesting. maybe that burst is a ident to the network saying i am ready/alive/give me data etc?
This is the good stuff. After watching this, you now have my sub.
Love this kind of hacking.
Appreciate that brother 👊🏽
Hey Recessim, I've recently been interested in getting data from my smart meter. How's the progress going on getting energy data from the meter? I had stopped in during one of your livestreams a week or two ago and you said you were trying to examine the firmware to see if you could find what the data was encrypted with. Unfortunately it seems like that stream got privated so I wasn't able to see the rest of the progress you made. If you could give an update, that would be great!
Looks like it's a packet switched Network. That's pretty neat. A lot of that follows MAC protocol.
9:45 "Not that complex...." yes. That is highly relative. 🤣🤣
I was editing the video and was going to show the code on the screen… At that moment, I realized it was indeed complex 😂
@@RECESSIM I am sure the data extraction techniques you are doing is full of hard coded magic.
Whenever I've created logical loops to address a data source I don't understand, I look for what I know and always export any exceptions to analyze when something doesn't match the desiered patteren. Example: padded DNS packets.
Thanks for the comment
In my experience I was dealing with Intel from multiple sources and while looking for formated data like IP and MAC it was all obfuscated differently by every data source. Without an exception output file I'd miss an indicator. The same routine helped identify identical data from multiple sources:) happy hunting!
Been following you for a long time
Thanks for following me on this journey!
I used to work as an engineer developing smart metering networks. Gridstream was a competing product to ours.
I have some iTron and Silver Spring Networks meters but haven’t spent a lot of time with them. Did setup the SSN meter and capture a bit of data to see what it looked like. Fun seeing how various systems are designed. What did you work on? Software, hardware, overall architecture?
@@RECESSIM Yep. I'm familiar with SilverSpring and iTron too.
I worked on embedded software for Trilliant, on their SecureMesh, cellular and long range technologies. So yes, a lot of involvement with system design and hardware design too.
Very cool, love wireless networks. I read the IEEE paper some of the L+G guys wrote on this network. I’m sure working on/designing the ones you were a part of was a challenging and rewarding project.
@@RECESSIM You quickly learn that even the most improbable bug requiring the craziest coincidence will still happen in the field when you have millions of units running the same piece of software.
Participating in the design of new protocols and new standards was fun, be it within IEEE, IETF, ZigBee or others.
The challenge of building lots of features to a really low cost - saving a penny is worth it.
New technologies such as embedded tiny OFDM radios, network stack doing TSCH (Time Slotted Channel Hoping) with very precise timing to the microseconds, synchronized Network wide. Or just dealing with the biggest cellular carriers.
Yes, the challenges were endless and the tech very fun and rewarding. I kinda miss it. But I've done other cool stuff since too.
Thanks a lot for commenting, very interesting stuff you’ve worked on. Gives me things to read about this weekend! :)
This is a very interesting topic! Sadly in my country (Spain) the systems used to transfer data from the smart meters to the electric companies are different.
Sounds like something fun to analyze!
Which make & model USRP B200 do you use? I can make see that info clearly enough from your vid.
Which make & model USRP B200 do you recommend, if you were to buy one today?
Even though I only understand "bits" 😜 of what is being said I find it really interesting. I do not know what crc means for example. I will feel dumb when someone tells me and go ohhhhhhhh.....lol. I wish I had the equipment to do this type of thing....sdr means...(blank) defined radio? I can't remember. I do remember it can be used for a lot of things like tracking satellites and planes. Didn't know you could do this though. I may be way off so don't be too hard on me.
CRC = Cyclic Redundancy Check. Serves pretty much the same purpose as a checksum, only better. See Wikipedia for a decent explanation.
SDR = Software Defined Radio
Think you could get the network to send your own data packets around and have like a old torrent bbs set up for transferring data?
Funny enough that exact thought 5 years ago is what made me start researching this! Great minds… 😀
While that would be super illegal, it would also be dirt slow. These mesh networks aren't designed for bandwidth.
I don't know much about this, but I do know these meters repeat each others signals because of the limited range. Just to ensure reception at the designated endpoint. I don't know if there is any other logic to the scheme.
70 sec in made me subscribe
Great content
you are legend to me, i put my hands down. 🤲
My nerdy heart is so happy.
Logically speaking, this would be a compressed blob of data that is related to the appliances that use the locations' electrical wiring for communication.
I wish RUclips would recommend cool informative content like this to me rather than memes and other nonsense.
Cool what you're doing here. I just want to know how the golfing is at that Stonebridge Ranch Country Club next door...all but a couple of those fairways look pretty dried out!
I don’t golf, but a lot of people play it so it must be nice!
this looks like a peer to peer network, with each meter acting like network switch, passing the information to the next closest meter it can talk to clearly.
I'm trying to figure out why my electric usage spikes randomly early in the am eg at 3am. Have been switching every thing off and checking thermostat history etc. It's so weird. I even wonder if the Power companies are skimming us for more bucks
Oh, SUPER COOL!
what is that map app you are using? Im looking for a map i can add many locations and see weather data overlaid
Does your environment have a “repeated start”? I2C communication has repeated starts.
You may not have learnt from other youtubers, what can happen when you reveal your location.
I'd advise caution when being this specific.
Also they appear to be operating as a mesh network from the data you have.
Yeah, some people can be very abnoxious, not sure if i typed the good word :) but on the otherhand if you dont show big emotions, stay calm like he does you can be secure of them, not attrackting.
@@TymexComputing In my experience, simply being a "tall poppy" is all that is needed for some.
Subjected to subscriber unit flash changes by administer master code? They could be hacked into network chaos
When you do the reads are you sure the packets take the same path between meters each time ?
Most likely they do not, the network is supposedly self-healing and will choose the best path given any obstacles (truck parked in front of a meter) in the way. But baring any environmental change, it’s probably pretty consistent. Just a guess though
how much of a good idea is it to show a map with a marker where your house is publicly on the internet?
Its believing that internally every human is good, and that feds alreeady Got that info from his Meter ;)
I didn't understand a thing, yet I watched till the end.
Any feedback for me? Appreciate you watching it!
It seems to be running on the back end of the 911 mapping database. Capturing 911 mapping data produces the same mapping results.
That's pretty cool.
Good morning!!!
Interesting dude well done, Im thinking of using GNU and that Map plugin for decoding WIFI beacon frames that have drones GPS etc encoded in there
That’s a very cool application!
I’d be rechecking what is transmitted after the power is turned off.
Are you tracking data on one phase or across all 3 phases? Every hit may be used to collect data across the phases.
(a) almost all residential power is single phase.
(b) residential power can come off any phase. unless you go look where your transformer is fed, there's no way to know. (powerco records will know, but the customer doesn't.)
(c) he's listening to the RADIO communications from Smart Meters. A 3ph commercial meter will look almost exactly like a residential 1ph meter, maybe with a little more data in it.
@@jfbeam (a) sure that's normal (b) agree (c) the multiple meter response as he makes a request of his meter and the data collection process for the power company might require data from the other phases at the same time.
dude this is so fucking awesome !
Does yours also have ZigBee? I connect using that
They shut down that service for Oncor customers in Dallas a few years ago.
Noob question: what is the GUI shown (the one with the connected blocks)?
It’s called GNURadio, great question! I’ve been using it so long sometimes I forget to explain the high level items.
@@RECESSIM Thanks!
This is cool
Wow!
Why have you allowed them to install "smart" meters in the first place?
Awsome
Hi not to bug you but what is this video about it just popped up in my feed and was curious but I'm a little confused as to what the subject matter is
Random RUclips video... Me: Time for me to do that!
What do you think happened to me 5 years ago! Run while you can! 🏃♂️ 😂
What is this all about? Seems very interesting but I feel like I am missing very important context :c
yo im out here in ocliff. im super interested in this. i got an sdr and be needing a new project.
Oh man! Oncor the energy provider out there? Look at the meters, if so you can have some serious GPS fun!
Wow unexpected indeed, btw you should censor your exact location, some people not very nice on the internet.
Interesting video but quick question: what is going on and why and why does it matter
I’m reverse engineering the smart power grid to make sure it’s secure and no one is going to wipe out our power!
so what data is it?
I know these meters draw hardly any current so its kinda negligable, but it'd be interesting to know if the electronics in the meter are supplied from the grid-side or the internal metered-side.
So, like, who's paying for it to do it's stuff? You? or the power company?
It’s powered from the grid side, but in the end we all pay for it since we pay for the power company to continue to run. It’s just not broken out separately on the bill.
@@RECESSIM yeah that’s true. They’ll just cover it in the rates. Apart from the headers with the source destination etc, have you been able to decode the main content of the packets? Or is that heavily encrypted? If not, what’s to stop someone using a carefully crafted packet transmitted with an SDR, to submit a false reading?
Working on decoding/decrypting the data now… And that’s a good question, lots of options open up for people to transmit malicious data back. I actually built a SDR transmitter capable of getting around the frequency hopping component I should talk about!
@@RECESSIM I suppose the other real risk is that some systems have a mechanism by which you can cut someone’s power off due to non-payment. It doesnt bear thinking about, if someone could send this data to every destination they found in all their local scanned headers.
The electricity for the radios and cost of smart meters will be A LOT cheaper than having meter readers driving around checking each meter.
Did I smash my screen or the video has lines popping up on it?
I have zero idea what you're doing but I want to learn how to do it
So has Zillow reached out to you yet or what's the deal???