Monday, October 15, 2012

Itron Centron C1SR Meter Reverse Engineering


I have started a project that involves tinkering with what some would call a "smart meter", though I believe the proper term is an "AMR" (Automatic Meter Reading) meter. This project started mainly out of my curiosity about how digital metrology works, but also out of my curiosity about "smart grid" security in general. This project is in no way intended to commit "theft of service", nor to help anyone else commit such acts. For obvious reasons, I don't plan on posting any intricate details on this blog, and all the code and tools I have written up to this point will stay on a private git server until I decide when (if ever) I will make them public.

Metrology History:

Now, with that out of the way, I'm going to go over some quick history of utility meters in general so that people have a general idea of why new meters are being developed. Most people remember the old electro-mechanical meters with the spinning disc and dials. These worked by having a disc turn at a speed proportional to the power being drawn; the disc turned a gear train that advanced the dials, giving a readout that a meter reader had to physically come onto your property to check. The difference between this reading and the previous month's reading gave the number of kWh (kilowatt hours) used at your residence.

One of the downfalls of this type of meter was that it was time consuming, costly, and a bit of a hazard for a meter reader to have to physically get out of the vehicle and walk up to each and every house. On top of that, some of the meters were built with ferrous metals, which allowed a magnet placed on the front of the meter to slow down the spinning disc so that it reported lower kWh usage, ripping off the utility company by cutting your bill. Eventually they started building the meters with non-ferrous metals, but there was also another "hack" which involved plugging the meter into the meter base inverted (turned upside down), which would sometimes cause the disc to run backwards. This allowed one to "roll back" their reported usage, again ripping off the utility company.

This is where AMR became practical. AMR uses a few different communication methods: usually Cellnet, unlicensed ISM band RF (radio frequency), and sometimes newer technology like broadband over power lines. The idea is that the utility company can gather usage information remotely by driving by, or even have it sent to their substation. These meters are usually digital in nature, and this is the type of meter we will be focusing on in this project. AMR meters usually use one-way communication: they just broadcast data at a set interval for the meter readers to pick up.

The "smart meters" came into existence mainly to build on top of AMR. Some form of AMR is usually built into every smart meter, but smart meters take it a step further. They usually give customers themselves access to the meter reading data, along with the ability to offer customers a "time-of-use" pricing rate. This gives customers more control over when and how they use utilities, and it allows "peak use" pricing. There are certain times of day that put more strain on the utility system, and for those the utility usually wants to charge higher prices. This also makes it possible for people to save on their bill using the same pricing scheme. The way it works is simple: if 1 kWh costs 10 cents between 7am and 5pm and 25 cents from 5pm to 7am, and someone shifts more of their usage into the 7am-5pm window, they save money compared with the utility simply charging 25 cents at all hours. Smart meters sometimes have more sophisticated functionality too, but this is the bigger part of the idea.

Inside the Itron Centron C1SR:

First of all, Itron seems to have a few patents on their meters, and one of their ideas is to have boards built on top of the meter core. They call these add-on boards "personality modules". What this means is that if they come up with a new module that a utility company wants to upgrade to, all they have to do is swap out the interchangeable personality module, and the base and all of its components stay the same.

The meter core is under some pretty thick plastic, and is kind of hard to remove without breaking it.

Meter Core:

The green board you see in the picture is the metrology board, but I call it the motherboard.

Motherboard:

I'm still researching this board. I have mapped out quite a few pins, but I could not find a public datasheet for the main chip, so at this point all I can do is speculate for the most part. What I do know is that the board connects to the daughter board through a "slip connector" over the pads (the ones at the far left of the picture).

What this board (likely) does:
Measure line voltage (should be in the 240 V range)
Measure reference voltage
Check energy flow direction (to make sure the meter is not inverted)
Generate energy pulse data
Check line frequency (to make sure it's 50 Hz or 60 Hz, respectively)

This board also has an IR LED (infrared light emitting diode) that I suspect is used to calibrate the meter, because it seems to blink once for every 1 kWh used. The way I suspect this works is that they have an already calibrated "machine", probably containing some sort of photodiode that hooks onto the top of the meter; the meter plugs directly into the machine, the machine draws exactly 1 kWh, and some calibration setting is adjusted until the meter reads that 1 kWh precisely as 1 kWh.

The motherboard appears to communicate with the daughter board through the slip connector. The daughter board seems to house most of the "main components".

Daughter-board Front:


Daughter-board Back:


Some of the main components on this board are an ATmega MCU, a serial SPI EEPROM, a JTAG header (more on this later), an inversion/shake sensor, and a few other things. The radio itself looks to use the sub-GHz range, more specifically the 910-920 MHz portion of the ISM band. The radio appears to use FHSS (frequency hopping spread spectrum) rather than DSSS (direct sequence spread spectrum), and I was in fact able to pick up some activity with a hacked IM-ME pager running the spectrum analyzer firmware. On the back of the motherboard there is an LCD header, and what looks to be a 4-pin header. The 4 pins appear to be the endpoint connector for a "resetting machine" that may or may not be able to reprogram the device as well. What I do know is that the resetting machine is able to reset usage data and tamper evidence data (more on this later too).


What is done so far:

Most of the processing is done on this daughter board. With some soldering and code I've written, I was able to dump the SPI EEPROM, the main program flash, and the internal EEPROM, re-enable the JTAG port, turn on on-chip debugging, and get write access to all of the above. I've mapped out where a lot of the hardware and external parts physically connect to the MCU. I've also done some reverse engineering of the code that actually runs on the unit, and have made my own code that runs on it in the form of a "hello world" that prints text out of the UART port.
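The check a practitioner would run first on an AVR-based board like this is the fuse and lock bytes: they decide whether JTAG and on-chip debugging are available and whether flash and EEPROM can be read back at all. The following is an added example, not code from the original post or from Itron. The post only says "an ATmega MCU", so the bit layout (taken from the ATmega32 datasheet), the avrdude part name `m32` and the programmer name `jtag2isp` are assumptions for illustration; substitute the part actually fitted.

```python
"""Decode ATmega fuse and lock bytes and compute the high-fuse value that
turns JTAG and on-chip debugging back on.

Added example, not code from the original post. The post only says the
daughter board carries "an ATmega MCU", so the bit layout below (taken from
the ATmega32 datasheet) and the avrdude part/programmer names are assumptions
for illustration; check the datasheet for the part actually fitted.
AVR fuse and lock bits are active-low: a 0 bit means "programmed".
"""

HFUSE_BITS = {        # ATmega32 high fuse byte (assumed layout), bit -> name
    7: "OCDEN",       # on-chip debug enable
    6: "JTAGEN",      # JTAG interface enable
    5: "SPIEN",       # serial (ISP) programming enable
    4: "CKOPT",       # oscillator option
    3: "EESAVE",      # keep EEPROM contents through a chip erase
    2: "BOOTSZ1",
    1: "BOOTSZ0",
    0: "BOOTRST",     # reset vector selects the boot section
}
JTAGEN = 1 << 6
OCDEN = 1 << 7


def decode_hfuse(hfuse: int) -> dict:
    """Map each high-fuse bit name to True when it is programmed (bit == 0)."""
    return {name: not (hfuse >> bit) & 1 for bit, name in HFUSE_BITS.items()}


def lock_mode(lockbits: int) -> str:
    """Classify the LB2:LB1 memory lock bits (bits 1 and 0).

    Anything but mode 3 means flash and EEPROM can be read straight back out
    over ISP/JTAG, which matches what the post observed on this meter."""
    return {
        0b11: "mode 1: no memory lock, flash and EEPROM readable",
        0b10: "mode 2: further programming disabled, readout still possible",
        0b00: "mode 3: programming and verification disabled, readout blocked",
    }.get(lockbits & 0b11, "reserved LB combination")


def enable_debug(hfuse: int) -> int:
    """Program (clear) JTAGEN and OCDEN so a JTAG debugger can attach.

    If JTAGEN is currently unprogrammed the fuse has to be written over ISP
    (or high-voltage programming), not over JTAG, since JTAG is off."""
    return hfuse & ~(JTAGEN | OCDEN) & 0xFF


def avrdude_commands(part: str = "m32", programmer: str = "jtag2isp") -> list:
    """avrdude command lines to read fuses/locks and dump flash and EEPROM.

    `part` and `programmer` are placeholders; substitute the MCU and the
    programmer you are actually using."""
    base = f"avrdude -c {programmer} -p {part}"
    return [
        f"{base} -U hfuse:r:-:h -U lfuse:r:-:h -U lock:r:-:h",
        f"{base} -U flash:r:flash.bin:r",
        f"{base} -U eeprom:r:eeprom.bin:r",
    ]


def debug_enable_command(current_hfuse: int, part: str = "m32",
                         programmer: str = "jtag2isp") -> str:
    """Write back the high fuse with JTAGEN and OCDEN programmed."""
    new = enable_debug(current_hfuse)
    return f"avrdude -c {programmer} -p {part} -U hfuse:w:0x{new:02x}:m"


if __name__ == "__main__":
    # Constructed sample: a high fuse read back as 0xD9, i.e. JTAG and OCD
    # both unprogrammed (off) and ISP still enabled, plus lock byte 0xFF.
    hfuse, lock = 0xD9, 0xFF
    print(decode_hfuse(hfuse))
    print(lock_mode(lock))
    print("\n".join(avrdude_commands()))
    print(debug_enable_command(hfuse))   # writes hfuse 0x19
```

Read the lock byte before anything else: a value of 0xFF (mode 1) is what makes the flash and EEPROM dumps described above possible, and programming the lock bits to mode 3 is the cheap fix a manufacturer could apply; it blocks readout over ISP/JTAG but does nothing against attacks on the external SPI EEPROM or the board traces.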

Hello World Demo:

I have also managed to rebuild an exact copy of the original firmware in assemblable form, so that I can readily step through the code in the IDE with JTAG debugging enabled, and so I can make any changes I see fit without "patching", which makes testing a lot easier. For now, the rest of this aspect of the project is mainly figuring out what the code is doing and looking for any major security flaws.

Security:

At this point I'm not really in a position to speak on the actual security of the meter, as there does not appear to be much. But as far as making headway on reverse engineering the system, I've progressed pretty well. First off, one should know that there is an external "security tamper seal" that must be removed to get into the meter. This seal is fragile, but with enough care one could remove it and put it back without leaving much evidence behind.

One of the other security features is the inversion/shake sensor. Apparently it consists of some contacts with what I assume to be a metal ball inside a canister. It's hooked to the MCU, which uses it to determine whether someone has shaken the unit or turned it upside down. Shaking combined with a power outage is reported as a "meter removal", whereas a power outage with no shaking is registered as just a power outage. Inversion detection also bumps the tamper counter. All of these signals are transmitted over RF to the meter reader when they read your meter. One could easily do some wiring to trick the meter into thinking it is always upright and never shaken, but in order to do that you would need to remove the meter itself, which would set off at least one tamper signal.

The tamper register looks to be 4 bits wide, holding a 0-3 count for each tamper tag (meter removal and inverted meter). It might be theoretically possible to reset both counters if you know how many times each has been tripped: because each count is only 2 bits, driving it past 3 makes it "roll over" to 0, so one could wire the sensor to trip each condition the required number of times until both fields read 0, and then wire it so that it no longer detects either condition. (Remember there is a difference between shake/power-out and inversion, so the sensor would have to be wired to mimic both until they reset, unless the whole register is counted as one number, in which case either 2-bit half could be used to make it roll over.)
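The rollover argument above, worked through in code. This is an added example and not the meter's firmware: the post supplies the 4-bit width, the 0-3 count per tamper tag, and the rule that shake plus power loss counts as a removal while an outage alone does not; which two bits hold which count is an assumption made here for illustration, and the saturating variant is included to show what the hardened form of the same counter looks like.

```python
"""Model of the 4-bit tamper register described above.

Added example, not the meter's firmware. From the post: the register is 4
bits wide, holds a 0-3 count for each of two tamper tags (meter removal and
inverted meter), shake + power loss counts as a removal, and a power loss
without shaking is only an outage. Which two bits hold which count is an
assumption made here for illustration.
"""

REMOVAL_SHIFT = 0      # assumed: removal count in bits 1:0
INVERT_SHIFT = 2       # assumed: inversion count in bits 3:2
FIELD_MASK = 0b11      # each count is 2 bits, so it wraps modulo 4
REG_MASK = 0b1111


def read_fields(reg: int) -> tuple:
    """Return (removal_count, inversion_count) unpacked from the register."""
    return (reg >> REMOVAL_SHIFT) & FIELD_MASK, (reg >> INVERT_SHIFT) & FIELD_MASK


def _bump(reg: int, shift: int) -> int:
    """Increment one 2-bit field the way the post suspects the firmware does:
    the carry out of the field is dropped, so 3 + 1 reads as 0 and the
    neighbouring field is untouched."""
    field = (((reg >> shift) & FIELD_MASK) + 1) & FIELD_MASK
    return (reg & ~(FIELD_MASK << shift) & REG_MASK) | (field << shift)


def _bump_saturating(reg: int, shift: int) -> int:
    """Hardened alternative: stick at 3 instead of wrapping, so no number of
    further events can drive the evidence back to zero."""
    field = min(((reg >> shift) & FIELD_MASK) + 1, FIELD_MASK)
    return (reg & ~(FIELD_MASK << shift) & REG_MASK) | (field << shift)


def record(reg: int, power_lost: bool, shaken: bool, inverted: bool,
           bump=_bump) -> tuple:
    """Apply one observation using the sensor rules from the post.
    Returns (new_register, list of event labels)."""
    events = []
    if power_lost and shaken:
        reg = bump(reg, REMOVAL_SHIFT)
        events.append("meter removal")
    elif power_lost:
        events.append("power outage")       # not tamper evidence on its own
    if inverted:
        reg = bump(reg, INVERT_SHIFT)
        events.append("inversion")
    return reg, events


def events_to_wrap(reg: int) -> tuple:
    """How many further (removal, inversion) events return each field to 0.
    A 2-bit count is only evidence modulo 4, which is the rollover idea."""
    removal, inversion = read_fields(reg)
    return (4 - removal) % 4, (4 - inversion) % 4


def wrap_to_zero(reg: int, bump=_bump) -> int:
    """Replay exactly the events events_to_wrap() asks for and return the
    resulting register: 0 with the wrapping counter, pinned at 3 per field
    with the saturating one."""
    n_removal, n_inversion = events_to_wrap(reg)
    for _ in range(n_removal):
        reg, _ = record(reg, True, True, False, bump)
    for _ in range(n_inversion):
        reg, _ = record(reg, False, False, True, bump)
    return reg


if __name__ == "__main__":
    # Constructed scenario: pulling the meter trips one removal, and the
    # inversion count is taken to already stand at 2 -> register 0b1001.
    reg, ev = record(0, power_lost=True, shaken=True, inverted=False)
    reg = (reg | (2 << INVERT_SHIFT)) & REG_MASK
    print(f"register {reg:04b}, fields {read_fields(reg)}, needs {events_to_wrap(reg)}")
    print(f"after replay: wrapping {wrap_to_zero(reg):04b}, "
          f"saturating {wrap_to_zero(reg, _bump_saturating):04b}")
```

The point of the two `bump` variants is the design choice: a counter that wraps is evidence modulo 4 and can be driven back to 0 by an attacker who can trip the sensor at will, while a counter that saturates (or is simply wider than the number of events an attacker could plausibly stage) cannot be cleared without whatever the "resetting machine" does.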

The MCU and external EEPROM do not look to be properly protected at this point, as I've been able to read and write both chips, as well as readily map out traces to find where they go. So far I have not found any major vulnerabilities (at least none I consider major), but the fact that I was able to work any of this out, and get the code to the point where it can be rebuilt into a modifiable code base, means that under physical attack the meter isn't very secure (for what it's worth, I don't think Itron, or anyone else, ever claimed that it was).

And... Closing...:

I still have a lot more to figure out about the meter, but I thought I would post about it at its current stage; maybe there is some interest out there in this kind of thing, and there does not seem to be much information on it. Hopefully I'll know more in the coming months and get to the point where I can program an IM-ME to perform meter reading functions and other things, but until then I guess I'll just keep researching. :)

21 comments:

  1. I'd like to compare notes and throw some ideas your way on possible security improvements.

    Replies
    1. What kind of improvements were you thinking of proposing? Hardware, or software, or both? I have some ideas on how to fix some of the problems, and I'm still thinking of other ways that the rest of them can be fixed while I figure out more about the meter.

    2. A locked spi would be a nice start. I'm not that great with software so I was focused more on hardware revisions.

    3. I can't seem to find a datasheet for one of my ICs (at84rf). I have a slightly different revision than you. From what I can see in your pics not much has changed.

    4. Sadly, a locked SPI still wouldn't fix the problems. I'm not currently aware of any hardware revisions other than the older C1SR made by Schlumberger. Here is a picture of that one:

      http://www.highelectricbill.com/Webpage%20Pictures/meters/schlumberger%20meter.png

      This one seems to be a lot different than the newer Itron Centron C1SR meters from what I've seen, and I don't think the Schlumberger C1SR is in production anymore. If you have another hardware revision, and it is in fact an Itron Centron C1SR, then I would be interested in seeing pictures of it.

    5. Also, documentation for that chip does not exist (that I'm aware of; it is the RF radio chip). Part of the project is going to be documenting the chip and its operations.

  2. Interesting. It looks like a newer revision. Doesn't look like much has changed though.

  3. QUESTION:

    I am a Ham Radio Operator, I own and maintain repeater systems here in Wa State. I read your whole "very informative" evaluation on the Centron C1SR, which is the meter that was just recently placed on my home 2 weeks ago. Concerned about high levels of EMF or EMR, I went venturing to see if this was a transceiver (Smart Meter) that would put out such RF. From what I have read elsewhere, the C1SR is not a Smart Meter in the traditional sense and does not work as a WiFi meter, thus does not radiate these high levels of EMFs. As far as I can see, these are just digital watt meters that do not transmit data packets to a receiver on the poles or substations, am I correct?

    Joe
    Wa State

    Replies
    1. Hi Joe,

      The C1SR does in fact transmit a digital data packet over RF. The C1SR specifically uses the 902-928 MHz, Region 2, ISM band, instead of the ZigBee or WiFi protocol broadcasts, which I believe fall in the 2.4 GHz ISM range. There are other Itron Centron meters that use these, and also ones that use cellular networking, as well as ones that don't transmit at all.

      There are actually 2 Itron Centron C1SR versions. One appears to be a "low powered" version, and the other a "high powered" version. You can usually tell this distinction by looking beside the FCC ID on the front of your meter where your ERT ID sticker is at, and if it's the high powered version, you should see "HP" written at the far right.

      So far the differences I see in the HP version appears to be a less invasive packet broadcasting interval. I believe I've clocked this interval to be somewhere between 30 seconds, to 1 minute. Both of these types of C1SR meters have what is called a "bubble up" mode, which allows the meter to not broadcast anything until it receives a "wake-up" signal, which I assume comes in the form of some specialized preamble, though this mode is very rarely used in installed units, from what I can tell.

      Basically what appears to happen is that while the meter is plugged in, it broadcasts a data packet over the 902-928 MHz ISM frequency range at an interval of 30 seconds to 1 minute. This packet I believe contains your ERT ID, usage data, tamper detection statistics, and a checksum to check the integrity of the data packet. This same packet looks to be sent out using a frequency hopping spread spectrum scheme.

      As far as I know, the meter has no way of receiving information (aside from the bubble-up mode mentioned earlier), but I haven't looked too far into that concept. It appears that the meter reader just drives by within distance of these transmissions with their reader, and just passively collects them, and then takes the reader back to the station and plugs it into the billing system, which then sorts out the rest of the process.

      As far as being concerned over the EMF radiated from the device, I couldn't speak for, or against it, so I guess that's up to the individual themselves to decide on.

      Hope this helps. :)

  4. Part 1, and I apologize for the long reply in advance.

    Thanks so much for the info ppcasm. It's night time here, took a flashlight but can't find the FCC sticker yet, but I will tomorrow in the daylight. It does say 3W type, which could mean 3 watts out. That to me would probably be low power. Well, it seems I am feeling a bit sick again. I started feeling a bit sick about two weeks ago, not knowing about the meter install, and going as far as going to the doctor who gave me some antibiotics. Well, about 12 days into this sickness I had to leave town for 3 days, stayed in a hotel room and actually started feeling normal again. At that point I figured the antibiotic was working.

    Well, when I returned I used that entrance alongside my home only to look up at the new meter, and that is the day I wrote my first comment above. Well, I don't have an EMF detector, but I figured the circuitry in my smart phone 2.5 GHz (cellular) should be sensitive enough to the RF out from these meters, so I went looking for an app on my HTC and lo and behold there are many of them. I downloaded it, and even though it's nothing like a good HF meter, it seems to work well enough because all I am doing is looking for low and high pulses, which it had detected. My phone readings at lower levels are leveling off at around 457 mG to 580, with packet bursts going as high as 1246 to 1678 it looks like.

    After being home for one day, now four, I am feeling sick again. I have been living in my home for the past 22 years and never had these problems, nor have I felt this kind of confused, unbalanced, achy feeling of sickness in and around my head area and back of my neck. I was real skeptical about these stories of people getting sick over these meters, but now I have to say I am a believer. My other problem is I live under a metal roof which is only feet off the meter. The roof is not grounded, and when I walked inside the reading shot up as I raised the meter towards the ceiling, and it was significant, so it's possible I am being umbrella showered with these pulsating magnetic fields, which can screw with your body.

    Well, I figured I needed to bleed this stray/dirty RF from the meter to ground, but I did not want to stop the transmitter from getting signals out to the power company vehicles in the street, so I went to Home Depot and got a roll of aluminum screen door screen and a shop vac filter rubber band (the big wide ones). It's a makeshift solution, but it seems to have worked. I took the screen and made a cover around the meter glass, and then wrapped that big rubber band around the glass to hold the screen, which was also grounded to the metal power box which went to ground. It seems to have bled the RF field down to 235 mG to 300 at the meter, when it was well over 1456. This is probably due to some leaks at the base of the screen at the box, and the screen itself, which was part of the plan; at the same time I now know I am not blocking the signal entirely to personnel. Even in the house it knocked it down. Tomorrow I am going to run a ground strap down from the roof to my radio tower ground rod. RF is tricky, but grounding surface RF is fairly straightforward. CONTINUED>

  5. PART 2.

    These meters are not properly regulated by the FCC, and one reason for this is the fact they place them in the ISM band. The fact that it is in the "scientific" spectrum is why they get away with the regulatory controls by the FCC. We have the same in Ham Radio. We have repeater input and output frequencies controlled by band steps + or - and PL tones. These testing frequencies are called "experiment mode" and are preselected repeater 'pairs' set aside for these tests. This part of the band is allocated for new repeaters that are placed on the air, followed by a 90 day test period by the WWARA, and regulations are lax in these areas because of the test frequency allocations.

    You mentioned frequency shifting of these data packets, shifting between 902 to 928 MHz. Normally I think this would be fine to most people, but here is where I feel the problem lies for people sensitive to EMF or EMR.

    The problem not taken into account is the mixing of frequencies and subharmonics. In radio, when you take two frequencies and "mix" them, they create a lower and higher frequency. These are basic radio principles. This mixing can happen in open air. If you hold up a piece of wire in the air, it becomes a mixer. Any place two signals can combine becomes a mixer. Brain cells can be a mixer, skin cells, water in the body. One of the frequencies we are dealing with is the frequency of the data packets being transmitted with these meters.

    When a lot of meters are within range of each other, more and more data packets are transmitted, raising the frequency (of repetition). This frequency varies due to software algorithms and so they are never constant, always changing. If you happen to be sensitive to electromagnetic radiation, this type of pulsing chaos and shifting frequencies could cause discomfort. It’s possible that people that are sensitive to electromagnetic radiation get used to the constant frequencies of things like radio station transmitters. It becomes normal. But pulses that vary in frequency and duration would be like bright random flashing lights, consistently just out of your view no matter what way you look. They are there just enough to bug you but you can’t quite figure out why.

    If this is what is truly making me sick, then I truly feel sorry for people if we cant stop the use of these meters. The FCC really needs to do their jobs, not allow the use of these meters until they are determined to be 100% safe for everyone and not just a portion of the nation. They are pushing these things because of the global smart grid that has and is being created.

    Thanks so much for the GREAT info on these meters. I find the timing of this install with me feeling eternally sick forever uncanny. I am going out of town on business again and am going to see what happens this time. If it repeats, I am going to pay the extra money every month and get my analog meter back. Maybe the screen will work too. I will know by tomorrow or Tuesday. Thanks again for all your help and sorry for the long reply.

    Joe,
    Wa State

    Replies
    1. It's no problem with the long reply. I believe the 3W is the amount of power the entire meter itself draws. I have no documentation on the radio, so I'm not sure of its output strength. I used a hacked IM-ME, re-purposed as a spectrum analyzer (http://ossmann.blogspot.com/2010/03/16-pocket-spectrum-analyzer.html), to pick up on the data transmissions sent out. My eventual plan is to actually modify the firmware on the IM-ME so that I can dump the electricity usage information from the meter itself. Instead of asking that the old analog meter be re-installed, you might want to ask if it's possible that they can switch your meter to bubble-up mode. This way you're not getting a constant output of EMF, and the current meter readers they use should be capable of initiating the contact with the meter. One would hope this could be done at no extra cost.

  6. Thanks ppcasm, I will do so. So far the screen is working by bleeding the RF to ground. It knocks it down enough so I don't feel it. I actually took it off twice and got sick twice. It just makes me feel like one feels at the onset of a flu or something, very weird, uncomfortable sick feeling, most likely caused by throwing off the body's natural wavelengths and/or 60 Hz which we have grown used to. I will call them and ask about the bubble up mode. This should switch it to approx. 2 minute interval data bursts instead of a constant carrier. (Am I correct?)

    Replies
    1. On bubble up mode, there is no data sent out until the reader itself pings the meter. After that, the meter quickly sends the data packets and then stops transmitting.

  7. That would be great, thanks for that info. Monday I will be calling PUD and talking to them about this. If they switch the mode, I see no problem with EMF coming out of the meter from that point. Once again thank you for all the great info. I will call them Monday and see what they say and how well their willingness is to do so.

    Joe

  8. This comment has been removed by the author.

  9. Hello,
    how is everyone today?
    This chip (xmega32d4) was built into the circuit board of an electric meter. Is there any way of reprogramming it so as to make some modifications to the chip? If it is possible I will attach a photo of the meter.
    Thanks

  10. Any idea where I can get replacement daughter boards?

    Thanks.

  11. Is this blog still active? I am currently doing smart meter research, interested in any extra information.

  12. What is the measurement method? I mean, how do they measure? With coils? CTs?
