Back in April we posted about "Hash's" RECESSIM YouTube series on hacking electricity smart meters using a software defined radio. His series has recently continued with a video on decoding and logging the GPS coordinates sent by the smart meters used in his area. Using a car, SDR and laptop, he was able to drive down the freeway collecting smart meter data as he travelled, decode the data, and plot it on a map. In his video Hash explains why there is GPS data in the signal, and how he was able to reverse engineer and determine the GPS data.
Over on YouTube, the RECESSIM channel has uploaded a three part series on reverse engineering smart utility meters. In many locations wireless mesh smart electricity meters are installed in houses, allowing for completely wireless monitoring. These mesh network devices pass the wireless data from meter to meter until the data reaches a router that is typically placed on a neighborhood power pole.
In the first video Recessim explains how a smart meter mesh network works, and demonstrates signal reception in the 900 MHz band with a USRP B200 software defined radio.
In the second video he demonstrates how he can see meter ID and power outage information from Oncor meters, explains his GNU Radio flowgraph setup and goes on to explain how he reverse engineered the data packets.
Finally, in the third video he performs a few teardowns of smart meters he found on eBay, and shows his reverse engineering setup with a Faraday cage. More videos are likely to be on the way, so you might want to consider subscribing to his channel for updates. Recessim is also diligently recording all the information he's discovered about the meters on his wiki.
Smart meters are meters that monitor electricity usage and wirelessly transmit consumption data to the electricity company. They are a part of the “smart grid”, and allow for better electricity control and usage reporting.
Douglas recently wrote in to us to let us know about his work on RTLAMR, an RTL-SDR based Automatic Meter Reader (AMR) decoder. Currently Douglas has tested the decoder on his local Itron C1SR smart meters, but notes that it should work on any meter using the common AMR protocol known as Electronic Receiver Transmitter (ERT).
Over on his website Douglas has also done a neat writeup discussing the ERT protocol and showing how he decoded it, including the steps of preamble detection, matched filtering, bit slicing and error correction.
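To make the four decoding stages concrete, here is an added, self-contained example of the same chain (preamble detection, matched filtering, bit slicing and an error check) run over a constructed baseband capture. This is not RTLAMR's code or the ERT specification: the 16-bit sync word, the Manchester convention, the chip rate, the 4-byte payload and the CRC-16 used in place of the protocol's own error-control code are all assumptions made for the demo. The transmitter side (`build_frame`, `modulate_ook`) exists only to fabricate a noisy on-off-keyed signal for the receiver side to decode; a real capture would come from the SDR.

```python
import random

# Constructed demo parameters, not the ERT specification.
SYNC_BITS = [1, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0]  # hypothetical sync word
SAMPLES_PER_CHIP = 8   # samples per Manchester half-bit ("chip")
PAYLOAD_BYTES = 4      # demo payload size (a meter-ID-sized field)

def crc16(data: bytes) -> int:
    """CRC-16 (poly 0x8005, init 0, MSB-first). Stand-in for the protocol's own
    error-control code: it detects corruption, it does not correct it."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x8005) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def bytes_to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def manchester_encode(bits):
    # Assumed convention: 1 -> high,low ; 0 -> low,high
    return [c for b in bits for c in ((1, 0) if b else (0, 1))]

def manchester_decode(chips):
    bits = []
    for hi, lo in zip(chips[0::2], chips[1::2]):
        if hi == lo:
            raise ValueError("invalid Manchester pair")  # no mid-bit transition
        bits.append(1 if hi == 1 else 0)
    return bits

def build_frame(payload: bytes):
    crc = crc16(payload)
    return SYNC_BITS + bytes_to_bits(payload + bytes([crc >> 8, crc & 0xFF]))

def modulate_ook(bits, noise_sigma, rng, idle_chips=24):
    """OOK envelope: 1.0 while a chip is high, 0.0 while low, idle noise around it."""
    chips = [0] * idle_chips + manchester_encode(bits) + [0] * idle_chips
    clean = [float(c) for c in chips for _ in range(SAMPLES_PER_CHIP)]
    return [s + rng.gauss(0.0, noise_sigma) for s in clean]

def matched_filter(samples):
    """Rectangular chips -> the matched filter is a one-chip moving average.
    out[j] = mean(samples[j:j+n]); it equals a single chip's mean exactly when
    j lands on that chip's first sample."""
    n = SAMPLES_PER_CHIP
    window = sum(samples[:n])
    out = [window / n]
    for j in range(n, len(samples)):
        window += samples[j] - samples[j - n]
        out.append(window / n)
    return out

def bit_slice(filtered):
    """Hard decisions against the midpoint of the filtered signal's swing."""
    threshold = (max(filtered) + min(filtered)) / 2.0
    return [1 if v > threshold else 0 for v in filtered]

def find_sync(sliced):
    """Correlate the sliced stream with the upsampled sync chip pattern.
    Returns (best sample offset, number of matching samples)."""
    n = SAMPLES_PER_CHIP
    template = [c for c in manchester_encode(SYNC_BITS) for _ in range(n)]
    best_off, best_score = -1, -1
    for off in range(len(sliced) - len(template)):
        score = sum(1 for k, t in enumerate(template) if sliced[off + k] == t)
        if score > best_score:
            best_off, best_score = off, score
    return best_off, best_score

def decode_frame(samples):
    """Matched filter -> slice -> sync search -> chip sampling -> Manchester
    decode -> CRC check. Returns the payload bytes, or None if rejected."""
    n = SAMPLES_PER_CHIP
    sliced = bit_slice(matched_filter(samples))
    off, score = find_sync(sliced)
    if score < 0.9 * len(SYNC_BITS) * 2 * n:
        return None  # no convincing preamble in this capture
    # Each chip is sampled at the centre of its template window, which is the
    # point where the moving average spans exactly that chip.
    first = off + n // 2 + len(SYNC_BITS) * 2 * n
    body_chips = 2 * 8 * (PAYLOAD_BYTES + 2)
    chips = [sliced[first + k * n] for k in range(body_chips)]
    try:
        body = bits_to_bytes(manchester_decode(chips))
    except ValueError:
        return None
    payload = body[:PAYLOAD_BYTES]
    rx_crc = (body[PAYLOAD_BYTES] << 8) | body[PAYLOAD_BYTES + 1]
    return payload if crc16(payload) == rx_crc else None

def demo(seed=1, noise_sigma=0.25):
    """Round trip over a constructed noisy capture; True if the payload survives."""
    rng = random.Random(seed)
    payload = bytes([0x01, 0x23, 0x45, 0x67])  # constructed "meter ID"
    return decode_frame(modulate_ook(build_frame(payload), noise_sigma, rng)) == payload

def demo_corrupted(seed=1, noise_sigma=0.25):
    """Blank the first payload bit after the sync; the frame must be rejected."""
    rng = random.Random(seed)
    samples = modulate_ook(build_frame(bytes([0x01, 0x23, 0x45, 0x67])), noise_sigma, rng)
    start = (24 + 2 * len(SYNC_BITS)) * SAMPLES_PER_CHIP
    for i in range(start, start + 2 * SAMPLES_PER_CHIP):
        samples[i] = 0.0
    return decode_frame(samples) is None

if __name__ == "__main__":
    print("clean frame decoded:", demo(), "| corrupted frame rejected:", demo_corrupted())
```

The sync search is the expensive step here (a full correlation at every sample offset); a real decoder such as the one the writeup describes would run it as a streaming filter. The CRC only rejects damaged frames, so with a detection-only code any bit error costs the whole packet; that is the gap an error-correcting code in the real protocol closes.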
We would like to note that we also recently posted about a similar project about decoding Elster R2S smart meters.