Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023
- Published: 12 Jun 2023
- BECOME A PATREON!
/ recessim
Reverse Engineering News is a weekly show highlighting topics of interest to Reverse Engineers and Hackers. Watch at your own risk!
Bunnie's Blog - Infrared Inspection
www.bunniestudios.com/blog/?p...
Hacking the XBOX - Free Book!
bunniefoo.com/nostarch/Hackin...
WCH CH573 Memory Read-out Protection bypass
• Exploit Friday: WCH CH...
Peter Fairlie's RUclips Channel
www.youtube.com/@peterfairlie... - Science
Peter wasn't expecting you lol
I take my smart meter hacking seriously 😂
Dude, you should be my lawyer. Want a job?
But then, who does the news?? 🤔
😂👍
Yes
1) Bunny is a legend!
2) It's always a "feature".
3) I call BS
Another way to debunk that he was using the meter to control the power is that even if the meter has a disconnect relay in it, the meter will still be powered up and the display will be on when it disconnects service. The meter gets its power from the line side of the meter socket, prior to any measurement or disconnection circuits, so that the meter doesn't measure the power required to run itself and so that, if the service is disconnected, the meter is powered up to listen for the signal to reconnect the power.
Did he just say "Chooch"?
😂😂😂
Subscribed.
Mmmm skoukum
🤌
Thank you for reporting on using IR to look through silicon. I absolutely enjoy viewing silicon chips through a microscope but find it tough to find viewable specimens. I'm going to study his paper and give it a try.
Get a strong IR diode and prepare for some fun!
This news segment you're doing is incredibly good. Very entertaining. Thanks.
Indeed. But the crowd sound effect makes me cringe.
Absolutely loved this video, the news segments and the dry humor. Don't ever change!
When I was a kid I used my dad's camera and the IR feature to see in the dark and troll my friend. I noticed I could see through silicon when I looked at my see-through Game Boy Color chips. I didn't realize this was an undiscovered thing. Imagine how many people have seen something similar, not understanding no one had seen or noticed it before?
Thanks for sharing, that's cool!
I did just this but to my friends' mums' outfits. X-ray vision, thanks Sony tre51
Oculus 2 has that feature
I work on testing those old Elster meters and my coworkers and I immediately knew it was fake, since even if you did disconnect service to someone's house, the display should still be on. And like you said, that particular meter doesn't even have a relay, as we noticed from the 6th field in the style number.
Interestingly enough, the EnergyAxis radio was installed in that meter, so even if you could capture the C12.22 packets coming out of it, you wouldn't be able to read it since it had WAN encryption enabled by default (unless Ameren disabled it)
Finally, that particular meter wasn't even sold to Ameren (looked up the serial number on our db) so I'm not even sure how that sticker got there. It was actually sold to some research group in the US.
Thanks for sharing what you found as well. The more I dug the weirder it got 😂
I haven’t played with the Elster meters at all, most of my work was on the L+G meters.
DING! We have a winner. The video shown here is of a meter that isn't powered at all! The meter is always connected to the grid and always on. (otherwise, when it turns the power off, how the h*** is it supposed to turn it back on.) The second one I couldn't see the display, but it's pretty safe to say they blew the smoke in through the conduit.
And the module he's talking about is for "load control" - so the utility can turn off water heater, HVAC, etc. to manage load on the grid. Around here (CP&L) they used individual modules at each device - made by ABB. (they also removed them in the 90's because it cost them too much money.)
Maybe Peter is part of that research group? Many honey pots on yt👀
@RECESSIM I subbed, great vid! 👍
@-someone- In what way?
I used to work for Schneider Electric in the power meter division and while the Ion meter had some strange and wonderful features, turning the power off to the panel wasn't one of them. Just like you said, you could drive outputs, but those outputs would have to be wired to a relay that did the shutting off of the panel.
Ion meters had Telnet available for use (some 15 years ago, so don't get too excited), and sure enough, someone came up with a hack. Schneider came out with a bulletin lamenting the world that we live in where innocent hardware gets hacked. I -imagine- hope that it has been fixed since then.
You gotta find that bulletin, those are hilarious to read 😂
If they're running the OS I think that one in the video appears to be running it would be easy to enable SSH and disable Telnet.
Tell me, why is Schneider electric software so utterly crap? The hardware can do LOTS of cool things, but the software appears to be made by a high school kid in the computer lab while constantly switching between coding and porn tabs.
@sobolanul96 Lay off.
Porn helps me think.
I was told by a local Cert Auth here that the ION was the finest meter they got their hands on. Elster's A1800 probably not as good (another animal), still a BEAST in terms of precision, while OTHER BRANDS are still trying to reach 0.2 today. As close to your reference standard as you can get.
Great format, good information, and no flashy noise/junk for the intro or outro. Subscribed!
Absolutely loving the new News segment! ❤
Great episode Hash - appreciate you boiling things down for us - concise and enjoyable - nice work!! Keep it up!
Good, but not great. Because: Regarding the "first red flag" for the smart meter - there is a major caveat with that. It is possible to move from Canada to the supposed location. This needs to be considered in the future. The other points are still very valid though.
Yes, a Peter Fairlie video (not the one in your segment) was the one I had pointed out. Although, I will admit, I believed he was actually controlling or resetting the meter with his Flipper Zero.
Great episode!
I thought that too
In New Zealand the extra contacts are used to turn off the water heaters and "Night store" heaters in houses to shed load during peak load times, though they are almost never used by the power supplier. Usually on a separate meter from the main house meter; they charge you a lower kWh rate for having it set up.
love these news segments, keep up the good work!
If you're glitching around with your power meter, the electric company will know, because as it's running it sends a check signal every few minutes to the tower, and if it doesn't receive that signal within a day or so you will get a technician showing up to check the meter. There is even a gas meter for natural gas that does the same thing, and the power company, well, where I live, can turn off your electricity just by punching it into the computer, but within a few days a technician will show up, pull the meter, put insulators on the socket and then re-apply the meter until you pay the bill.
Seeing through silicon? That's trippy man!
For sure. I want a whole hour video just on this.
First video I have seen on your channel. I suspect that you've just earned a sub.
You do a good job of seeing through the haze and calling things out for what they are!
Regarding the "first red flag" for the smart meter - there is a major caveat with that. It is possible to move from Canada to the supposed location. This needs to be considered in the future. The other points are still very valid though.
Thank you for finally exposing that last one; I have a Flipper Zero and was experimenting after seeing that video thinking, wow, I have a Flipper, I wonder if I...
Never could I find a shred of code or idea anywhere on how this was done. Was so confused!
Except, he was forgetting one thing: Regarding the "first red flag" for the smart meter - there is a major caveat with that. It is possible to move from Canada to the supposed location. This needs to be considered in the future. The other points are still very valid though.
props on the gps dox. I know some of those prefab houses have them like that for the fire department so they can shut them off remotely for insurance purposes if it's like a townhouse or apartment's building. I lived in one where the power would go out on purpose if there was a fire to lower the chances of electrocution when the sprinklers turned on.
I actually just came across his channel this afternoon and saw your video this afternoon..., thanks for clearing this up... 🤠👌.
So both videos on the same afternoon?
@OneAndOnlyZekePolaris yes lol
@OneAndOnlyZekePolaris I think our phones are listening... that or RUclips maybe upped their game in the algorithm they use to suggest videos to their users 🤔 🤷♂️
@stevenwright991 That's crazy, same here. Right after every video I watched that was fake, it was exposed by the very next video I see. Unless both uploaders are fakes and just throwing for content. Jk, throwing for content is game uploader talk for dying on purpose to gain watch hours.
I've had that book for years... Good read!
You're actually quite good at this news show stuff, I'm liking the humour. 😉
An important aspect of the WCH thing was the second firmware from their OTA process. It's interesting that the response was that it's a time-saving feature, since there's like no valid use for a partially readable firmware under lockdown; maybe they meant erase was slow? There's stuff to speed it up in chips where the entire flash is lost if the protection bit changes, like they set a flag and the old content is just gone.
I felt the video was going to be too long to talk about the OTA part, but you’re 100% right.
Wonder if they were speaking of OTA updates that have minimal code changes being faster due to only changing needed code. Seems like it would waste as much time as it saves due to the device having to compare new to old to not overwrite the unchanged firmware. AKA BS.
That particular chip does only have bank erase as per Patrick. So no full erase at once.
And even with no firmware in the OTA area and with the first bank gone this method helps you a lot.
Since most of the time basic functions come first, like memcpy memset vector table etc. So you can still nicely Reverse engineer the firmware :)
Great stuff love the format 👍🏻👍🏻
Peter is a radio amateur and has another service line coming into his house to run high power amplifiers! The noise you hear is a relay coming from the box next to the meter!
What’s his call sign?
Love your channel!
Thanks for the great vid. Nice French cuffs and cufflinks.
So THATS WHY i couldnt find any information about how to do that 😂
I'm glad you've learned of the place. The 'AU' in Mississauga rhymes with _bog_ though.
Remote power off is usually reserved for seasonal cottages in Canada.
Hello. I have a question regarding smart meters, if you could help me. The gist of the matter is, the company installed a smart meter at my house and I suspect that either the meter is faulty and it records wrong, or the technician did something to it to record a higher consumption than it actually is, because I got in a heated argument with them when they installed it and I'm thinking he may have done it out of spite. I tried calling them to come and evaluate the meter, but every time it's the same technician that comes to inspect it and every time he has this weird attitude. Either way, they won't replace it. My question to you is, is there something I could do to damage the unit without breaking the seals, that would warrant a replacement from them?
You nailed him. Good detective work!
Ah yes the car sets itself on fire after you buy it... YES that's a feature! No other car can do that. Like is he fr 😂
Just stumbled across your channel and I love it. The R.E. news segment is an awesome idea
Love the self-destruct features 😂
I just saw this new format, this is awesome! I'll go back and watch the ones I missed, Damn YT
I did not know you were going to hold up that book either but I was thinking about it oh yes! I have all three in print myself
Some SERIOUS techniques in there by good neighbors.
the IR thing was way more interesting than the powermeter imho.
Glad you liked it! I think I’m going to try modifying my microscope 🔬 to see how well it works. Lots of Flip-Chips in modern devices to take a look at.
@RECESSIM looking forward to it.
Amazing video! Had a proper chuckle on this one!
Thanks a lot! Really appreciate the support 😀
Interesting you are very methodical in your material .. NICE.
Good job!
It's really rare that I see a video about this kind of stuff and someone has really knowledge and "IT common sense"... It goes without saying, that you earned a subscription. Your video is funny, it's informative and (as far as I can tell) it's true and you know what you are talking about. Nice!
Thanks a lot! Appreciate the compliments and glad you enjoyed it.
RadioShack had the old remote-control RF plug adapters. You could control lights, fans, whatever you want, and they had multiple frequencies so you could control multiple plugs.
@4:07 it's a feature because a State-Sponsored government agency can access it, it's a feature to them..
Pure happenstance that I stumbled onto this channel... I LIKE THIS GUY! 👍
Very nicely explained. Thanks John
I jumped into a wood chipper and lost my legs. Now I don't have to buy new shoes. It's a feature!
Google sent me here - great episode, very interesting - subbed.
Thanks
Nice tie :)
Landis & Gyr, we have these here in the Netherlands as well!
Very good show, love it.
Cool video, as an old hacker, I love all of that!
A3 was sold with a Disconnect option inside. They use BISTABLE relays that you can barely hear even in silence, and they cannot be turned on and off like in the vid, because they are kicked from a big cap that needs to be charged using the existing PSU. Like you said, mostly a relay output controlling a contactor or something. But those outputs are used in general in industrial applications to signal that the demand limit has been reached or something like that. These meters have been run over EMC tests at 30V/m (no load) and 10V/m (Inom). So, this thing has already been tested. And yes, functional deviation is allowed as soon as the REGISTERS DO NOT ADD UP (30V/m) or accuracy variation (MAX-MIN) does not exceed 2% (Inom). So send Flipper to read IEC 62053 first because, just by entering TEST MODE or ALT MODE, the meter is not having a bad time at all. Also, the maker of the vid claims that the way it measures can be changed. Well, anything can be changed. Now, understanding ANSI is ONE thing. Making these alterations is another thing. You need to understand the meter first, then try to find the information that ELSTER have obscured even to their own employees ... I mean, you will end up trashing the measurement or stalling the DSP .... that's the most likely scenario. Now Flipper, do your homework.
Thanks for calling out the fake! Here in Australia we have all sorts of smart metering. I know you can't hack those things easily even though they have serial comms. Some of the newer smart meters I've worked on have a mini NB IoT 4G modem with a sim card, there's no way a flipper would work by design and I own one! Even with zigbee or wifi the flipper doesn't support it unless you've made some software and whipped up a prototype board.
I like your style. Just subscribed.
I found your channel accidentally. Very good content. Subbed. 😃
If the copy protection is on, the flash must be entirely erased before being able to write any firmware to it. A partial overwrite could be acceptable if there is some kind of signature to the firmware and the new one matches the old one. Ridiculous oversight.
Perhaps he's just using home assistant to shut off every single light in his house and back on again. Then maybe staged ebay meter also hooked up to home assistant sending the code controls everything in one shot. Adding in some resistors and capacitors in the second video cause the smoke to be let out of the magic bottle
The power meter shown in the "Flipper" segment is a peak power recording power accumulator. The meter is read by an electronic meter reader carried by the local walking meter man. It communicates through the infrared port on the front, through the D shaped steel plate on the front. The lever to the right will reset the peak values stored in non-volatile memory in the meter. Reverse engineering the communication protocol is hard, even if you have a reader/programmer.
Yes silicon is transparent to long-wave Infrared, but the resolution of the image is poor for recent silicon integrated circuit technologies. Current bleeding edge technology is in the range of 5nm feature sizes, and the wavelength of the IR is about 1000nm. And to access the back of the silicon you need to remove the heat spreader or remove the epoxy overfill. Most of the reflected signal is from the metal layers, and not much from the actual transistors.
As someone has commented below, a partial readout of the firmware is useless if you have erased the initial setup code on the device.
That device supported OTA updates, two copies of firmware stored in memory so it led to a full dump of the firmware.
The silicon viewing was meant more for block level analysis image comparison, is the chip fundamentally the same as a known good version or something else entirely.
Check out the site below, I have a bit of protocol analysis on L+G Meters, not the same as what he uses but fun none the less. Thanks for commenting!
wiki.recessim.com/view/Advanced_Metering_Infrastructure
I discovered the process where it only deletes the pages of flash that is needed to be erase when making the firmware that ran a lift. This is one of those things you put in a car to load boxes.
I can assure you that you would never want to remove that firmware. It also would make it so I can use the rest of the flash for storing diagnostic codes. Flash still kinda sucks if you need to erase it often. So every little thing would help.
So what if you write a firmware file that just has one block of flash - not even enough to read and dump the rest by serial, but just enough to trick the chip into turning off the readout protection. Flash your "one-block" firmware, presto, read out protection disabled, and then just read the rest of it out. Chances are the first block isn't going to be that important, or difficult to recreate (especially like in this case if there's 2 firmware images in the flash as a backup anyway)
@gorak9000 oh I absolutely understand it is not a great idea to do in applications where someone could gain something by grabbing the firmware.
But on a lot of things the firmware or hardware isn't worth anything to hack.
I think it is a good conversation to have to understand that such features could lead to bad outcomes. But I am not waiting a 50 week lead time because my chips were bricked with some security feature lol (I know it is unlikely just being extreme with that example)
@XenoTravis I don't know what you're getting at here? 50 week lead time because chips were bricked with some security feature? The correct behavior here is really simple = if read_lock=True erase full flash before writing new firmware / removing read_lock. I don't see how that's a "security feature" that would brick chips. When you're doing development, you're not going to bother enabling the read_lock to begin with. You only do that on the final release build that gets high volume programmed into production parts (and maybe a small test batch beforehand). The fact that you can remove the read lock by programming ANY firmware, no matter how small, without it erasing what's already there, which is supposedly protected by the read lock is clearly a "bug", NOT a "feature".
@gorak9000 was saying if I could save the chip's memory but also be aware of the security flaw then sometimes it would be worth it.
I think the dude who said it was a feature was not understanding that he was not clear to all the developers.
If I was told I can save my chips memory but I just am warned that the firmware is able to be taken easily, it wouldn't have been a big risk.
But that company made the security sound like the chip was locking and erasing like you explained. But in reality it wasn't securing the entire memory because it was also trying to save and write faster.
Sorry if I explained my point wrong. I was just trying to say I understand why the dude said it was feature. But I do agree it is more of a bug when presented as a full read lock.
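The read-out-protection discussion in this thread (the WCH CH573 bypass, the "only the touched pages get erased" behaviour, the second OTA copy of the firmware, and gorak9000's rule that a locked part must be fully erased before the lock is removed) can be shown with a small model. The following simulation is added for this page; it is not WCH's code, not the real CH573 programming sequence, and not anything from the video. The page size, flash size, two-slot OTA layout, the stub bytes and the policy names are assumptions chosen for the illustration. It models NOR-style flash (erase sets a page to 0xFF, programming can only clear bits, so the loader erases a page before writing it), locks the part, then flashes a one-page stub under two unlock policies and reports what a subsequent dump recovers.

```python
"""Added simulation of a flash read-out-protection (RDP) unlock bug.

Constructed for this page; not WCH's code and not the real CH573 programming
algorithm. Page size, flash size, OTA slot layout, stub bytes and the policy
names are assumptions made for the illustration.
"""
from typing import Callable, Dict, Tuple

PAGE_SIZE = 256        # bytes per erase page (assumed)
PAGES = 16             # 4 KiB of modelled flash (assumed)
SLOT_PAGES = 6         # pages per firmware image (assumed)
SLOT_A, SLOT_B = 0, 6  # OTA layout: two copies of the image (assumed)


class NorFlash:
    """NOR-like flash: erase sets a page to 0xFF, programming can only clear bits."""

    def __init__(self) -> None:
        self.pages = [bytearray(b"\xff" * PAGE_SIZE) for _ in range(PAGES)]
        self.read_protected = False

    def erase_page(self, idx: int) -> None:
        self.pages[idx][:] = b"\xff" * PAGE_SIZE

    def mass_erase(self) -> None:
        for idx in range(PAGES):
            self.erase_page(idx)

    def program(self, idx: int, data: bytes) -> None:
        # Cells only go 1 -> 0, so a loader erases the page before writing it.
        self.erase_page(idx)
        self.pages[idx][: len(data)] = data

    def read(self, idx: int) -> bytes:
        if self.read_protected:
            raise PermissionError("read-out protection enabled")
        return bytes(self.pages[idx])


def write_image(flash: NorFlash, base: int, image: bytes) -> None:
    """Program a multi-page image at page `base`, erasing only the pages it touches."""
    for off in range(0, len(image), PAGE_SIZE):
        flash.program(base + off // PAGE_SIZE, image[off:off + PAGE_SIZE])


Policy = Callable[[NorFlash, int, bytes], None]


def unlock_flawed(flash: NorFlash, base: int, image: bytes) -> None:
    """The behaviour the thread describes: program only the pages the new image
    needs, then clear the lock. Every page the image did not touch survives."""
    write_image(flash, base, image)
    flash.read_protected = False


def unlock_hardened(flash: NorFlash, base: int, image: bytes) -> None:
    """Correct behaviour: a locked part is mass-erased before the lock is cleared,
    so lifting RDP costs the attacker the very contents it was protecting."""
    if flash.read_protected:
        flash.mass_erase()
        flash.read_protected = False
    write_image(flash, base, image)


def build_locked_device() -> Tuple[NorFlash, bytes]:
    """Constructed target: the same image in both OTA slots, then RDP enabled."""
    flash = NorFlash()
    secret = bytes((i * 7 + 3) & 0xFF for i in range(SLOT_PAGES * PAGE_SIZE))
    write_image(flash, SLOT_A, secret)
    write_image(flash, SLOT_B, secret)
    flash.read_protected = True
    return flash, secret


def attack(policy: Policy) -> Dict[str, bool]:
    """Flash a one-page stub under `policy`, dump everything, report what survived."""
    flash, secret = build_locked_device()
    locked_before = flash.read_protected
    stub = b"\xde\xad\xbe\xef" + b"\xff" * (PAGE_SIZE - 4)  # placeholder "firmware"
    policy(flash, SLOT_A, stub)
    dump = b"".join(flash.read(idx) for idx in range(PAGES))
    slot_a_tail = dump[(SLOT_A + 1) * PAGE_SIZE:(SLOT_A + SLOT_PAGES) * PAGE_SIZE]
    slot_b = dump[SLOT_B * PAGE_SIZE:(SLOT_B + SLOT_PAGES) * PAGE_SIZE]
    return {
        "locked_before": locked_before,
        "slot_a_tail_recovered": slot_a_tail == secret[PAGE_SIZE:],
        "ota_copy_recovered": slot_b == secret,
    }


if __name__ == "__main__":
    for name, policy in (("flawed", unlock_flawed), ("hardened", unlock_hardened)):
        print(name, attack(policy))
```

Under the flawed policy the dump still contains pages 1 to 5 of slot A and the whole untouched OTA copy in slot B, which is the point made in the thread: a read lock that can be lifted by programming any image, however small, protects only the pages that image overwrites, and a second firmware copy left by the OTA scheme makes the loss of the first page irrelevant. The hardened policy mass-erases while the part is still locked, so the dump holds nothing but the stub.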
Impressive resourcefulness.
I like the new format
Can't find his video on the gps coordinates
“So, looking at Peter’s house” lol instantly subscribed
Need better OPSEC if you’re gonna spread lies 😂
I'm thinking a meter on rental property where the power company is capable of turning the power on and off remotely. Check on that. There are several Canadian high tech service companies that come down on service contracts that last up to a year. They usually rent houses while in the states.
I'm in Australia and had a smart meter installed without my confirmation.
I got told to go on it or I will have no power.
The only benefit is the old meter reader bloke doesn't have to come up to my second level balcony to read the meter, it keeps him off my land and balcony I guess.
If you put a big magnet near them they play up.
Cheers.
Wow, you have killed me with your deep knowledge and super detailed investigation; you even found his address. Amazing man, amazing!
This channel is the Legal Eagle of hardware hacking.
what a clever man you are,thanks for the info.🍻
That flash behaviour lies in the nature of flash storage, many many times: the flash controller simply can't reset all of the values per se; if you want to write something it will be "flashed"/reset at a request :) not by definition each time. Clearing flash each time wastes valuable cell cycles :) (macrocell/macroblock refresh count). BTW the name FLASH stands for the clearing operation and the flash of light it emits at the zeroing in the case of NOR (one'ing in the case of NAND) operation.
Sir, you should consider getting those shoulder divots looked at (likely due to the size of the armholes). Also, those lapels are too narrow, but that's more a matter of taste
Could that range of light passing silicon be used as an attack vector on silicon photonic chips, light being the interfiering force? Could bits be flipped by fuzzing, following quantum mechanics?
Has anybody been able to show what exactly those smart meters are sending to the power companies? I was interested as there are discounts if you have one installed, but nobody from the companies could explain the resolution of the data that was being logged by the smart meter and sent, only that it transmitted the data once a month?
2 meters on a single home is most likely tied to the grid with solar, so they can monitor what he is putting back from it; one reason you see people with 2 meters. Great vid, love the book :)
Love it. It's not just cap. It's ball cap.
I'm having lots of fun with my flipper zero, probably more fun than allowed.
Nothing but Awesome! Oh nice suit!
Excellent digging work, ya the smart meters in Canada don't disconnect, at the service, they must be pulled out. They just send data.
You put a literal cap on the desk😂
Nice work keeping it real...
this was fire, no cap.
Those "flip chips" are called BGA (Ball Grid Array) mounted Integrated Circuits.
BGA is the mounting style, but it has to also be bare silicon on top for it to work. I believe they call that style of BGA a “flip chip”
@RECESSIM Never heard of that... I stick mostly to sockets when I'm working with chips. I prefer sockets, avoid BGA at all costs unless absolutely necessary.
I’m not into this kind of thing but that is a strong presentation!!!!!!!
Some cool stuff.
this is a great video idea
Hash?! Like from the L0pht?! Wow, man, I made it to 2600 in like, '95. Hash, if that's really you, you look like a million bucks. Thanks for sharing all the info, man, take it easy!
I’m not the Hash from the L0pht, but glad you enjoyed the video!
Well done, good explanation, thank you.
You deserve it because you did a great job explaining what's behind the trick; people don't have to believe everything.
Depending on your "social credit score", utilities will determine when and how much power is available.
I mention you and this video on my video coming out this weekend! Hash, if you want to preview, please let me know!
Love to check it out, you can email a link to hash at recessim.com
There are manual cameras that have a movable internal IR filter so they can use IR film (not sure the film is made much). I have one. It is a postwar Kodak Medalist 2. It has a setting on the top select knob. The portable IR lights were in use in '43 with the Vampire, so night photography was possible. That may be why the option was available.. to record WW3. Operation Unthinkable and the aftermath. The military probably bought the lion's share of them.
The filter is easy to remove in disposable cameras too since they are meant to be disassembled to take the film out (some). Prolly not the resolution you're looking for, but maybe for something else.
Use case could only be remote power management for a discount. But those go on AC units and pool heaters. Not kitchen lights.
I need help with my GPS cords. They are incorrect...
A meter is literally just a coupling, literally like a three-pronged plug, so if you're completely disconnected they put a plastic cover to block the circuit joining.
Can we use a Faraday cage to block Landis+Gyr signals?
Yea, but the power company will know something is wrong and come take a look, then forcibly remove the cage. If they don’t, your cage isn’t working good enough!
hilarious, and good content, love it
So if the meter has the ability to control other relays does this mean it can control our backup generator?
tears of laughter the guy ripping Peters hack. The guys so funny he well deserves that sub from me.
thanks Hash
I like this guy; his therapist does a great job. So refreshing, since most youtubers are not duly medicated or counselled..