Tagged: smart meter

Remoticon 2021: Smart Meter Hacking Talk

Remoticon 2021 was an online conference held in November 2021 and videos of presentations have recently been uploaded to the Hackaday YouTube channel this month. One very interesting talk was the presentation by Hash Salehi (RECESSIM) on reverse engineering electricity smart meters that are used to remotely monitor and bill home electricity usage in some neighborhoods.

In the past we've posted about Hash (RECESSIM)'s series on smart meter hacking a few times before. In this latest talk Hash summarizes his smart meter hacking experience, talking about how he went from reverse engineering the firmware, to using an SDR to capture and decode information from all the smart meters in his neighborhood, and finally to determining how to actually transmit data to his own smart meter network.

Hackaday have also posted a full writeup on his talk. This is a very in depth reverse engineering project so it is a great talk to learn from.

Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter

Decoding and Logging GPS Coordinates From Wireless Smart Meters

Back in April we posted about "Hash's" RECESSIM YouTube series on hacking electricity smart meters using a software defined radio. Recently his series continues with a video on decoding and logging the GPS coordinates sent by the smart meters used in his area. Using a car, SDR and laptop he was able to drive down the freeway collecting smart meter data as he travelled, decode the data, and plot it on a map. In his video Hash explains why there is GPS data in the signal, and how he was able to reverse engineer and determine the GPS data.

Smart Meter Hacking - Decoding GPS Coordinates

Reverse Engineering Wireless Mesh Smart Meters with Software Defined Radio

Over on YouTube channel RECESSIM has uploaded a three part series on reverse engineering smart utility meters. In many locations wireless mesh smart electricity meters are installed in houses allowing for completely wireless monitoring. These mesh network devices pass the wireless data from meter to meter until the data reaches a router that is typically placed on a neighborhood power pole.

In the first video Recessim explains how a smart meter mesh network works, and demonstrates signal reception in the 900 MHz band with a USRP B200 software defined radio.

In the second video he demonstrates how he can see meter ID and power outage information from Oncor meters, explains his GNU Radio flowgraph setup and goes on to explain how he reverse engineered the data packets.

Finally in the third video he performs a few teardowns of smart meters he found on eBay, and shows his reverse engineering setup with a faraday cage. More videos are likely to be on the way, so you might want to consider subscribing to his channel for updates. Recessim is also diligently recording all the information he's discovered about the meters on his Wiki.

Playlist: Smart Meter Hacking

RTLAMR: An RTL-SDR Receiver for 900MHz ISM Smart Meters

Smart meters are meters that monitor electricity usage and wirelessly transmit consumption data to the electricity company. They are a part of the “smart grid”, and allow for better electricity control and usage reporting.

Douglas recently wrote in to us to let us know about his work on RTLAMR, an RTL-SDR based Automatic Meter Reader (AMR) decoder. Currently Douglas has tested the decoder on his local Itron C1SR smart meters, but notes that it should work on any meter using the common AMR protocol known as Electronic Receiver Transmitter (ERT).

Over on his website Douglas has also done a neat writeup discussing the ERT protocol and showing how he decoded it, including the steps of preamble detection, matched filtering, bit slicing and error correction.

We would like to note that we also recently posted about a similar project about decoding Elster R2S smart meters.

RTLAMR Smart Meter Decoder Flow Diagram
RTLAMR Smart Meter Decoder Flow Diagram