
Hack Chat Transcript, Part 2

An event log for Inside Smart Meters Hack Chat

Are you smarter than your electrical meter?

Dan Maloney 04/14/2021 at 20:04
farmboy 12:30 PM
anything good in there?!

Hash 12:30 PM
Also the bootloader the M15C processor uses

Hash 12:30 PM
M16C

james 12:30 PM
Water flow is not a reliable power source. The meters degrade over time and need to be replaced every 20 years

Hash 12:30 PM

Hash 12:30 PM
Working on disassembling it now

farmboy 12:30 PM
dang

Hash 12:30 PM
Leave no stones unturned....

FrostWizard4 12:31 PM
which is why we should all go subscribe if you get what I'm saying :)

Hash 12:31 PM
@FrostWizard4 Much appreciated!

James Murphy 12:31 PM
Subscribe Link?
FrostWizard4 12:31 PM

https://www.youtube.com/channel/UCVa4o0P6xhhSDi3rgLm2SBw

Beat me to it...

farmboy 12:32 PM
forget that. where's your patreon ?!

James Murphy 12:32 PM
Done! Subscribed!

Todd Christell 12:32 PM
Subscribed.

dolsongte 12:32 PM
What about people who think that putting a magnet on the top of the smart meter resets it to zero, you guys consider that a hack?

Hash 12:32 PM
@farmboy Nice!!

james 12:33 PM
Does not work.

FrostWizard4 12:33 PM
The link or the magnet thing?

james 12:33 PM
Magnet

Hash 12:33 PM
@dolsongte Funny you should mention that, they do have a magnetic sensor on top...

farmboy 12:33 PM
there actually is a reed switch in there to detect a magnet. but it doesn't do much interesting.

Wim Ton 12:33 PM
B.t.w. this is a USA discussion. Non USA meters are totally different (rectangular instead of round to start with)

Hash 12:34 PM
But I have seen videos where people had a strong magnet near their meters and got a letter from the power company accusing them of tampering

james 12:34 PM
Besides, resetting to zero would get you a huge bill. The utility would think it wrapped around on max digits and bill you for heavy usage

Hash 12:34 PM
@Wim Ton Correct, I haven't looked at the meters outside North America

Wim Ton 12:34 PM
magnets can be used to saturate the current sensor and to disable switching mode power supplies.

Todd Christell 12:34 PM
So it appears that the "tamper switch" is a standard alarm system setup, magnet and reed switch.

james 12:34 PM
The magnet might trigger tamper alarms. In some places that is a felony

farmboy 12:34 PM
you can certainly screw up the hall effect sensor with a big magnet. not recommended.

Hash 12:35 PM
All my invasive experimenting has been done with meters I purchased on eBay... Anything with the live network around me is strictly listening to understand traffic

Wim Ton 12:36 PM
In Europe, detection of strong magnetic fields and a tamper switch is a regulatory requirement

Hash 12:36 PM
Ultimately we don't own the meters on our house, so can't use those to experiment

farmboy 12:36 PM
but you paid for them?

farmboy 12:36 PM
i mean... the meter on my house.

Hash 12:36 PM
I think a big reason people don't experiment with these is getting hardware, and fear of legal troubles

Wim Ton 12:36 PM
Indirectly yes

Hash 12:36 PM
No, you pay for service, the meter is part of the service

Bernard 12:37 PM
And you pay for the power they use!

Hash 12:37 PM
@Bernard I plan to measure how much power they use soon!

Hash 12:37 PM
Interesting to see

james 12:37 PM
Had the circuit breaker box on the side of my house explode. While the electrician was here working, he messed with the meter. 10 minutes later, a utility truck drove up to find out what we were doing.

Wim Ton 12:37 PM
About 5 watt

FrostWizard4 12:38 PM
@Hash Are you guessing the amount of power the meters will use will be significant or no?

Bernard 12:38 PM
5 Watt seems about right

Hash 12:38 PM
@FrostWizard4 I'm guessing not super significant, but curious compared to the old analog meters

Hash 12:39 PM
@james Here's an older version of the same meter, two boards like you mentioned earlier

farmboy 12:39 PM
i believe the meter is powered on the unbilled side anyway.

Rene joined the room. 12:39 PM

Hash 12:39 PM

Hash 12:40 PM
@farmboy Yea, consumer pays in the end no matter which side it's on

Bernard 12:40 PM
I know that for mechanical meters (in some regions) it was a requirement to get the meter "power" billed to consumer. Not sure about smart ones.

Rene 12:40 PM
Fair point, @Hash

Erwin (de F/PE3ES) joined the room. 12:41 PM

farmboy 12:41 PM
what's that blue thing? supercap?

Hash 12:41 PM
Yea, 5V 3F

Erwin (de F/PE3ES) 12:41 PM

https://www.grdf.fr/grdf-en/smart-gas-meter-france

Rene 12:41 PM
Hi, good evening everyone (or whatever time it is at your part of the world)

Hash 12:41 PM
@Rene Hi!

james 12:42 PM
3:40 PM

Rene 12:42 PM
Has anyone here played around with the P1 port on some of the gyr metres?

Hash 12:42 PM
That the IR port?

Wim Ton 12:42 PM
My nephew connected a web server to it

Hash 12:43 PM
I saw a lot of work done on that in old DEFCON talks, "Into the eye of the smart meter" so I stuck to the RF side

Erwin (de F/PE3ES) 12:43 PM

https://particulier.edf.fr/en/home/contract-and-consumption/meter/linky-meter.html

farmboy 12:43 PM

Hash 12:43 PM
Nice annotation!

Wim Ton 12:43 PM
The Dutch P1 spits out the readings every second in serial format

Rene 12:44 PM
@Hash, no the RJ one

Hash 12:44 PM
I talk about the changes in design over the years in the next video I am posting

Wim Ton 12:44 PM
@rene indeed

anfractuosity 12:44 PM
what's the biggest chip on the bottom left?

Hash 12:44 PM
@Rene Got ya, no RJ ports on these Landis+Gyr meters

Rene 12:44 PM
Yeah @Wim Ton , that one. Have you read it out yourself?

Wim Ton 12:44 PM
I am in Switzerland

Hash 12:45 PM
@anfractuosity That's the M16C M30626FHPGP

Hash 12:45 PM
16 bit processor

Hash 12:45 PM
384k eeprom

anfractuosity 12:45 PM
ah cheers, and you've managed to dump that? if so, how?

Hash 12:45 PM
yes, combination of timing and power attacks

anfractuosity 12:45 PM
ooh cool

Hash 12:45 PM
and some luck i'd say :)

Hash 12:46 PM
I'll post something more detailed and reproducible in the next couple videos

farmboy 12:46 PM
omg. it's susceptible to the glitch read attack? lolz.

Hash 12:46 PM
Can't distribute firmware, but instructional videos no prob

farmboy 12:46 PM
i think that's how the zigbee light link key was leaked too.

Hash 12:47 PM
It's like a 15 year old processor, i'm sure it's susceptible to a LOT

Wim Ton 12:47 PM
The firmware is not considered very confidential, with 10s of millions of meters in the field some will be reverse engineered

Bharbour 12:47 PM
What reverse assembly tools are you using?

Hash 12:47 PM
That's the trouble with infrastructure meant to live for 15 years... it's all exploitable after that length of time

Hash 12:48 PM
Binary Ninja right now

FrostWizard4 12:48 PM
I wonder how secure the firmware was 15 years ago?

Erwin (de F/PE3ES) 12:48 PM
Best reason to keep it all very low tech

farmboy 12:48 PM
funny assumption. from the companies that bring you static symmetric key cryptos :)

Hash 12:48 PM
15 years ago, probably pretty secure and the RF side tough to monitor with the frequency hopping

Hash 12:48 PM
now, I can monitor entire frequency hopping range and capture all traffic

Hash 12:49 PM
Not a big corporation or nation state... Some random dude in Texas

farmboy 12:49 PM
moore's law.

Wim Ton 12:49 PM
@farmboy nothing wrong with static symmetric keys as long as they are unique for every meter

James Murphy 12:49 PM
> Hash 2:48 PM: now, I can monitor entire frequency hopping range and capture all traffic

Hash, What are you currently using to do that?

Hash 12:49 PM
@farmboy Exactly

farmboy 12:49 PM
true. that's what i mean by "static"

charliex 12:49 PM
i've been checking my various neighbours solar claims with the hackrf/portapack heh

Hash 12:49 PM
@James Murphy Using the Ettus Research USRP B200 now, going to adapt to the HackRF soon

Hash 12:50 PM
and GNU Radio with Sandia Labs FHSS Utils, i'll post a link

James Murphy 12:50 PM
I was looking at the HackRF myself but as a beginner I may be out of my depth..

Hash 12:50 PM

https://github.com/sandialabs/gr-fhss_utils

FrostWizard4 12:51 PM
RTL-SDR is a great one to start with @James Murphy

FrostWizard4 12:51 PM
cheap and fairly easy to use

Hash 12:51 PM
There's a bit of a learning curve with GNU Radio and SDR, but once you learn it what you can accomplish is staggering

James Murphy 12:51 PM

https://greatscottgadgets.com/hackrf/

Wim Ton 12:52 PM
A talk about decoding the LORA PHY

charliex 12:52 PM
the hackrf portapack has a meter read mode built in, for some meters.

James Murphy 12:52 PM
You talking this setup? https://www.amazon.com/NooElec-NESDR-XTR-HF-Bundle/dp/B07GZKR98X/ref=asc_df_B07GZKR98X/?tag=hyprod-20&linkCode=df0&hvadid=416694317409&hvpos=&hvnetw=g&hvrand=8990602096898662945&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9019126&hvtargid=pla-830751080060&psc=1&tag=&ref=&adgrpid=94693386435&hvpone=&hvptwo=&hvadid=416694317409&hvpos=&hvnetw=g&hvrand=8990602096898662945&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9019126&hvtargid=pla-830751080060

Hash 12:52 PM
Also the YARD Stick One for narrowband signals if you just want to listen to one frequency. Less to hassle with... Still not easy but easier to receive data... https://greatscottgadgets.com/yardstickone/

Todd Christell 12:53 PM
Got HackRF a few years ago, great unit as it has xmit, albeit low power, but only half duplex and not the most sensitive receiver out there. Lately been playing with an RSPDuo and love it!

charliex 12:53 PM

https://github.com/sharebrained/portapack-hackrf

farmboy 12:53 PM
you using that gr-fhss tool is definitely my favorite part of your youtube @Hash

Hash 12:53 PM
@James Murphy Go to rtl-sdr.com and get from there, lower cost and supporting that site

Hash 12:54 PM
@farmboy If there's interest there i'll show more, it's a super cool tool

Erwin (de F/PE3ES) 12:54 PM
Adalm Pluto being used as well ?

farmboy 12:54 PM
i've got one of those

Hash 12:54 PM
@Erwin (de F/PE3ES) I haven't used it but it would work great for this

James Murphy 12:54 PM
> Hash 2:53 PM: @James Murphy Go to rtl-sdr.com and get from there, lower cost and supporting that site

Thanks Hash!

Murph

Hash 12:56 PM
There's a quote I like a lot that I think sums up what a hacker is trying to do....

Hash 12:56 PM
We shall not cease from exploration. And the end of all our exploring will be to arrive where we started and know the place for the first time. -T.S. Eliot

Erwin (de F/PE3ES) 12:58 PM
yes we stand on the shoulders of giants

Yeah, in a lot of ways we're just trying to earn new ways of seeing the world again for the first time

Hash 12:59 PM
You can follow me on Twitter @BitBangingBytes for progress between videos

Looks like we're just about out of time here, so we'll officially wrap it up and let Hash get back to the bench. I have to say I enjoyed this immensely, and really appreciate Hash's time today. Really looking forward to more deep-dive videos on this. Thanks Hash! And thanks to all for the great questions!

Hash 1:00 PM
There's so much to hack on these meters i'll be busy for a while i'm sure

Hash 1:00 PM
Thanks Dan and everyone!

charliex 1:00 PM
cheers hash, another interesting hack chat

SimonAllen 1:00 PM
Thanks

FrostWizard4 1:01 PM
yes indeed!

James Murphy 1:01 PM
Thank you Hash for your time and your expertise! Very much Appreciated! Murph.

On a semi-related note, don't miss next week's Hack Chat:


https://hackaday.io/event/178502-avr-reverse-engineering-hack-chat

Hash 1:01 PM
That looks interesting!

Erwin (de F/PE3ES) 1:02 PM
Thanks and well done

Thanks all! Transcript coming right up
