Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023
- Published 12 Jun 2023
- BECOME A PATREON!
/ recessim
Reverse Engineering News is a weekly show highlighting topics of interest to Reverse Engineers and Hackers. Watch at your own risk!
Bunnie's Blog - Infrared Inspection
www.bunniestudios.com/blog/?p...
Hacking the XBOX - Free Book!
bunniefoo.com/nostarch/Hackin...
WCH CH573 Memory Read-out Protection bypass
• Exploit Friday: WCH CH...
Peter Fairlie's UA-cam Channel
www.youtube.com/@peterfairlie... - Science & Technology
Peter wasn't expecting you lol
I take my smart meter hacking seriously 😂
Dude you should be my lawyer. Want a job ?
But then, who does the news?? 🤔
😂👍
Yes
1) Bunny is a legend!
2) It's always a "feature".
3) I call BS
Absolutely loved this video, the news segments and the dry humor. Don't ever change!
Absolutely loving the new News segment! ❤
This news segment you're doing is incredibly good. Very entertaining. Thanks.
Indeed. But the crowd sound effect makes me cringe.
Another way to debunk that he was using the meter to control the power is that even if the meter has a disconnect relay in it, the meter will still be powered up and the display will be on when it disconnects service. The meter gets its power from the line side of the meter socket, prior to any measurement or disconnection circuits, so that the meter doesn't measure the power required to run itself and so that if the service is disconnected the meter is still powered up to listen for the signal to reconnect the power.
Great episode Hash - appreciate you boiling things down for us - concise and enjoyable - nice work!! Keep it up!
Good, but not great. Because: Regarding the "first red flag" for the smart-meter - there is a major caveat with that. It is possible to move from Canada to the supposed location. This needs to be considered in the future. The other points are still very valid though.
Thank you for reporting on using IR to look through silicon. I absolutely enjoy viewing silicon chips through a microscope but find it tough to find viewable specimens. I'm going to study his paper and give it a try.
Get a strong IR diode and prepare for some fun!
Great format, good information, and no flashy noise/junk for the intro or outro. Subscribed!
love these news segments, keep up the good work!
Did he just say "Chooch"?
😂😂😂
Subscribed.
Mmmm skoukum
🤌
First video I have seen on your channel. I suspect that you've just earned a sub.
When I was a kid I used my dad's camera and the IR feature to see in the dark and troll my friend. I noticed I could see through silicon when I looked at my see-through Game Boy Colour chips. I didn't realize this was an undiscovered thing. Imagine how many people have seen something similar, not understanding no one had seen or noticed it before?
Thanks for sharing, that's cool!
I did just this but to my friends' mums' outfits. X-ray vision, thanks Sony tre51
Oculus 2 has that feature
Love your channel!
Yes, a Peter Fairlie video (not the one in your segment) was the one I had pointed out. Although, I will admit, I believed he was actually controlling or resetting the meter with his Flipper Zero.
Great episode!
I thought that too
I work on testing those old elster meters and me and my coworkers immediately knew it was fake since even if you did disconnect service to someone's house, the display should still be on. And like you said that particular meter doesn't even have a relay, as we noticed from the 6th field in the style number.
Interestingly enough, the energy axis radio was installed in that meter, so even if you could capture the c12.22 packets coming out of it, you wouldn't be able to read it since it had wan encryption enabled by default (unless Ameren disabled it)
Finally, that particular meter wasn't even sold to Ameren (looked up the serial number on our db) so I'm not even sure how that sticker got there. It was actually sold to some research group in the US.
Thanks for sharing what you found as well. The more I dug the weirder it got 😂
I haven’t played with the Elster meters at all, most of my work was on the L+G meters.
DING! We have a winner. The video shown here is of a meter that isn't powered at all! The meter is always connected to the grid and always on. (otherwise, when it turns the power off, how the h*** is it supposed to turn it back on.) The second one I couldn't see the display, but it's pretty safe to say they blew the smoke in through the conduit.
And the module he's talking about is for "load control" - so the utility can turn off water heater, HVAC, etc. to manage load on the grid. Around here (CP&L) they used individual modules at each device - made by ABB. (they also removed them in the 90's because it cost them too much money.)
Maybe Peter is part of that research group? Many honey pots on yt👀
@RECESSIM I subbed, great vid! 👍
@-someone- In what way?
You're actually quite good at this news show stuff, I'm liking the humour. 😉
In New Zealand the extra contacts are used to turn off the water heaters and "night store" heaters in houses to shed load during peak load times, though they are almost never used by the power supplier. Usually on a separate meter than the main house meter; they charge you a lower kWh rate for having it set up.
Great stuff love the format 👍🏻👍🏻
You do a good job of seeing through the haze and calling things out for what they are!
Regarding the "first red flag" for the smart-meter - there is a major caveat with that. It is possible to move from Canada to the supposed location. This is something they need to consider in the future. The other points are still very valid though.
So THAT'S WHY I couldn't find any information about how to do that 😂
Thank you for finally exposing that last one; I have a Flipper Zero and was experimenting after seeing that video thinking, wow, I have a Flipper, I wonder if I...
Never could I find a shred of code or idea anywhere on how this was done. Was so confused!
Except, he was forgetting one thing: Regarding the "first red flag" for the smart-meter - there is a major caveat with that. It is possible to move from Canada to the supposed location. This needs to be considered in the future. The other points are still very valid though.
I used to work for Schneider Electric in the power meter division and while the Ion meter had some strange and wonderful features, turning the power off to the panel wasn't one of them. Just like you said, you could drive outputs, but those outputs would have to be wired to a relay that did the shutting off of the panel.
Ion meters had Telnet available for use (some 15 years ago, so don't get too excited), and sure enough, someone came up with a hack. Schneider came out with a bulletin lamenting the world that we live in where innocent hardware gets hacked. I -imagine- hope that it has been fixed since then.
You gotta find that bulletin, those are hilarious to read 😂
If they're running the OS I think that one in the video appears to be running it would be easy to enable SSH and disable Telnet.
Tell me, why is Schneider electric software so utterly crap? The hardware can do LOTS of cool things, but the software appears to be made by a high school kid in the computer lab while constantly switching between coding and porn tabs.
@sobolanul96 Lay off.
Porn helps me think.
I was told by a local Cert Auth here that the ION was the finest meter they got their hands on. Elster's A1800 probably not as good (another animal) but still a BEAST in terms of precision, while OTHER BRANDS are still trying to reach 0.2 today. As close to your reference standard as you can get.
I've had that book for years... Good read!
props on the gps dox. I know some of those prefab houses have them like that for the fire department so they can shut them off remotely for insurance purposes if it's like a townhouse or apartment's building. I lived in one where the power would go out on purpose if there was a fire to lower the chances of electrocution when the sprinklers turned on.
You nailed him. Good detective work!
Seeing through silicon? That's trippy man!
For sure. I want a whole hour video just on this.
Hello. I have a question regarding smart meters if you could help me. The gist of the matter is, the company installed a smart meter at my house and I suspect that either the meter is faulty and it records wrong, or the technician did something to it to record a higher consumption than it actually is, because I got in a heated argument with them when they installed it and I'm thinking he may have done it out of spite. I tried calling them to come and evaluate the meter, but every time it's the same technician that comes to inspect it and every time he has this weird attitude. Either way, they won't replace it. My question to you is, is there something I could do to damage the unit without breaking the seals, that would warrant a replacement from them?
I found your channel accidentally. Very good content. Subbed. 😃
If you're glitching around with your power meter, the electric company will know, because as it's running it sends a check signal every few minutes to the tower, and if it doesn't receive that signal within a day or so you will get a technician showing up to check the meter. There is even a gas meter for natural gas that does the same thing, and the power company, well, where I live, can turn off your electricity just by punching it into the computer, but within a few days a technician will show up, pull the meter, put insulators on the socket and then re-apply the meter until you pay the bill.
Could that range of light passing through silicon be used as an attack vector on silicon photonic chips, light being the interfering force? Could bits be flipped by fuzzing, following quantum mechanics?
Good job!
Google sent me here - great episode, very interesting - subbed.
an important aspect of the WCH thing was the second firmware from their OTA process. it's interesting that the response was that it's a time saving feature, since there's like no valid use for a partially readable firmware under lockdown; maybe they meant erase was slow? there's stuff to speed it up in chips where the entire flash is lost if the protection bit changes, like they set a flag and the old content is just gone
I felt the video was going to be too long to talk about the OTA part, but you’re 100% right.
Wonder if they were speaking of OTA updates that have minimal code changes being faster due to only changing needed code. Seems like it would waste as much time as it saves due to the device having to compare new to old to not overwrite the unchanged firmware. AKA BS.
That particular chip does only have bank erase as per Patrick. So no full erase at once.
And even with no firmware in the OTA area and with the first bank gone this method helps you a lot.
Since most of the time basic functions come first, like memcpy memset vector table etc. So you can still nicely Reverse engineer the firmware :)
Thanks for the great vid. Nice French cuffs and cufflinks.
Thanks
Amazing video! Had a proper chuckle on this one!
Thanks a lot! Really appreciate the support 😀
Very good show, love it.
Has anybody been able to show what exactly those smart meters are sending to the power companies? I was interested as there are discounts if you have one installed, but nobody from the companies could explain the resolution of the data that was being logged by the smart meter and sent, only that it transmitted the data once a month.
I'm glad you've learned of the place. The 'AU' in Mississauga rhymes with _bog_ though.
If the copy protection is on, the flash must be entirely erased before being able to write any firmware to it. A partial overwrite could be acceptable if there is some kind of signature to the firmware and the new one matches the old one. Ridiculous oversight.
I like your style. Just subscribed.
Nice tie :)
Interesting you are very methodical in your material .. NICE.
Very nicely explained. Thanks John
Remote power off is usually reserved for seasonal cottages in Canada.
Cool video, as an old hacker, I love all of that!
I like the new format
I jumped into a wood chipper and lost my legs. Now I don't have to buy new shoes. It's a feature!
I just saw this new format, this is awesome! I'll go back and watch the ones I missed, Damn YT
I did not know you were going to hold up that book either but I was thinking about it oh yes! I have all three in print myself
Some SERIOUS techniques in there by good neighbors.
Can't find his video on the gps coordinates
“So, looking at Peter’s house” lol instantly subscribed
Need better OPSEC if you’re gonna spread lies 😂
Pure happenstance that I stumbled onto this channel... I LIKE THIS GUY! 👍
Peter is a radio amateur and has another service line coming into his house to run high power amplifiers! The noise you hear is a relay coming from the box next to the meter!
What’s his call sign?
You put a literal cap on the desk😂
I actually just came across his channel this afternoon and saw your video this afternoon..., thanks for clearing this up... 🤠👌.
So both videos on the same afternoon?
@OneAndOnlyZekePolaris yes lol
@OneAndOnlyZekePolaris I think our phones are listening... that or YouTube maybe upped their game in the algorithm they use to suggest videos to their users 🤔 🤷♂️
@stevenwright991 That's crazy, same here. Right after every video I watched that was fake was exposed by the very next video I see. Unless both uploaders are fakes and just throwing for content. Jk, throwing for content is game uploader talk for dying on purpose to gain watch hours.
RadioShack had the old remote control RF plug adapters. You could control lights, fans, whatever you want, and they had multiple frequencies so you could control multiple plugs.
Ah yes the car sets itself on fire after you buy it... YES that's a feature! No other car can do that. Like is he fr 😂
Just stumbled across ur channel and I love it. The R.E. news segment is an awesome idea
Love the self-destruct features 😂
Impressive resourcefulness.
this was fire, no cap.
So if the meter has the ability to control other relays does this mean it can control our backup generator?
this is a great video idea
Some cool stuff.
This channel is the Legal Eagle of hardware hacking.
Nothing but Awesome! Oh nice suit!
Landis & Gyr, we have these here in the Netherlands as well!
what a clever man you are, thanks for the info.🍻
Wow, you have killed me with your deep knowledge and super detailed investigation, you even found his address. Amazing man, amazing!
Nice work keeping it real...
hilarious, and good content, love it
It's really rare that I see a video about this kind of stuff and someone has really knowledge and "IT common sense"... It goes without saying, that you earned a subscription. Your video is funny, it's informative and (as far as I can tell) it's true and you know what you are talking about. Nice!
Thanks a lot! Appreciate the complements and glad you enjoyed it.
can we use a faraday cage to block Landis+Gyr signals?
Yea, but the power company will know something is wrong and come take a look, then forcibly remove the cage. If they don’t, your cage isn’t working good enough!
I need help with my GPS cords. They are incorrect...
tears of laughter the guy ripping Peters hack. The guys so funny he well deserves that sub from me.
DEPENDING ON YOUR " SOCIAL CREDIT SCORE " UTILITIES WILL DETERMINE
WHEN AND HOW MUCH POWER IS AVAILABLE
@Patrick Yang WCH CH573 memory read-out protection bypass is a feature? Why put in the protection in the first place if anyone can simply just read it out? Duh?!?
Perhaps he's just using home assistant to shut off every single light in his house and back on again. Then maybe staged ebay meter also hooked up to home assistant sending the code controls everything in one shot. Adding in some resistors and capacitors in the second video cause the smoke to be let out of the magic bottle
I'm having lots of fun with my flipper zero, probably more fun than allowed.
the IR thing was way more interesting than the powermeter imho.
Glad you liked it! I think I’m going to try modifying my microscope 🔬 to see how well it works. Lots of Flip-Chips in modern devices to take a look at.
@RECESSIM looking forward to it.
Thanks for calling out the fake! Here in Australia we have all sorts of smart metering. I know you can't hack those things easily even though they have serial comms. Some of the newer smart meters I've worked on have a mini NB IoT 4G modem with a sim card, there's no way a flipper would work by design and I own one! Even with zigbee or wifi the flipper doesn't support it unless you've made some software and whipped up a prototype board.
I'm in Australia and had a smart meter installed without my confirmation.
I got told go on it or I will have no power.
The only benefit is the old meter reader bloke doesn't have to come up to my second level balcony to read the meter, it keeps him off my land and balcony I guess.
If you put a big magnet near them they play up.
Cheers.
thanks Hash
I discovered the process where it only deletes the pages of flash that need to be erased when making the firmware that ran a lift. This is one of those things you put in a car to load boxes.
I can assure you that you would never want to remove that firmware. It also would make it so I can use the rest of the flash for storing diagnostic codes. Flash still kinda sucks if you need to erase it often. So every little thing would help.
So what if you write a firmware file that just has one block of flash - not even enough to read and dump the rest by serial, but just enough to trick the chip into turning off the readout protection. Flash your "one-block" firmware, presto, read out protection disabled, and then just read the rest of it out. Chances are the first block isn't going to be that important, or difficult to recreate (especially like in this case if there's 2 firmware images in the flash as a backup anyway)
@gorak9000 oh I absolutely understand it is not a great idea to do in applications where someone could gain something by grabbing the firmware.
But on a lot of things the firmware or hardware isn't worth anything to hack.
I think it is a good conversation to have to understand that such features could lead to bad outcomes. But I am not waiting a 50 week lead time because my chips were bricked with some security feature lol (I know it is unlikely just being extreme with that example)
@XenoTravis I don't know what you're getting at here? 50 week lead time because chips were bricked with some security feature? The correct behavior here is really simple = if read_lock=True erase full flash before writing new firmware / removing read_lock. I don't see how that's a "security feature" that would brick chips. When you're doing development, you're not going to bother enabling the read_lock to begin with. You only do that on the final release build that gets high volume programmed into production parts (and maybe a small test batch beforehand). The fact that you can remove the read lock by programming ANY firmware, no matter how small, without it erasing what's already there, which is supposedly protected by the read lock is clearly a "bug", NOT a "feature".
@gorak9000 was saying if I could save the chip's memory but also be aware of the security flaw then sometimes it would be worth it.
I think the dude who said it was a feature was not understanding that he was not clear to all the developers.
If I was told I can save my chips memory but I just am warned that the firmware is able to be taken easily, it wouldn't have been a big risk.
But that company made the security sound like the chip was locking and erasing like you explained. But in reality it wasn't securing the entire memory because it was also trying to save and write faster.
Sorry if I explained my point wrong. I was just trying to say I understand why the dude said it was feature. But I do agree it is more of a bug when presented as a full read lock.
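The expected-versus-actual unlock behaviour argued over in this thread (and in the earlier comment that a locked part must be fully erased before any firmware is written), as an added toy model that is not code from the video, the commenters or WCH: a tiny flash with a read lock, and the two policies side by side. The page size, page count, class and function names and the firmware bytes are all constructed assumptions, not the CH573's real layout.

```python
"""Toy model of a microcontroller flash with a read-out protection bit."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

PAGE_SIZE = 16   # constructed: tiny pages keep the model readable
PAGE_COUNT = 8   # constructed: page 0 is the "first block" the thread mentions
ERASED = 0xFF    # erased NOR flash reads as all ones


def blank_pages() -> List[bytes]:
    return [bytes([ERASED]) * PAGE_SIZE for _ in range(PAGE_COUNT)]


@dataclass
class Flash:
    pages: List[bytes] = field(default_factory=blank_pages)
    read_locked: bool = False

    def mass_erase(self) -> None:
        self.pages = blank_pages()

    def program(self, index: int, data: bytes) -> None:
        # Programming can only clear bits, so a page must be erased first to
        # hold arbitrary data; modelled as AND with the current contents.
        if len(data) > PAGE_SIZE:
            raise ValueError("data exceeds page size")
        padded = data.ljust(PAGE_SIZE, bytes([ERASED]))
        self.pages[index] = bytes(o & d for o, d in zip(self.pages[index], padded))


def debug_read(flash: Flash) -> Optional[bytes]:
    """What a debugger or bootloader read-out returns: nothing while locked."""
    if flash.read_locked:
        return None
    return b"".join(flash.pages)


def reprogram_without_erase(flash: Flash, index: int, data: bytes) -> None:
    """Policy the thread criticises: programming any image drops the lock and
    touches only the written page, so every other page stays readable."""
    flash.read_locked = False
    flash.program(index, data)


def reprogram_with_erase(flash: Flash, index: int, data: bytes) -> None:
    """Policy the thread expects: if read_lock is set, mass-erase the whole
    flash before clearing it, so nothing protected survives the unlock."""
    if flash.read_locked:
        flash.mass_erase()
        flash.read_locked = False
    flash.program(index, data)


def locked_device() -> Flash:
    """Constructed 'production' part: a distinct pattern per page, lock set."""
    dev = Flash()
    for i in range(PAGE_COUNT):
        dev.program(i, bytes(0x10 * i + j for j in range(PAGE_SIZE)))
    dev.read_locked = True
    return dev


def surviving_protected_pages(policy: Callable[[Flash, int, bytes], None]) -> List[int]:
    """Write a one-page stub into page 0 of a locked device under `policy`,
    then list the formerly protected pages still readable and unchanged."""
    dev = locked_device()
    original = list(dev.pages)
    stub = bytes(PAGE_SIZE)              # constructed placeholder firmware
    policy(dev, 0, stub)
    dump = debug_read(dev)
    if dump is None:                     # lock should be gone under both policies
        return []
    return [i for i in range(1, PAGE_COUNT)
            if dump[i * PAGE_SIZE:(i + 1) * PAGE_SIZE] == original[i]]
```

Under the no-erase policy every page except the one overwritten comes back intact after the unlock; under the erase-first policy none do.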
😂 Subscribed!
well done good explanation tks you
You deserve it because you did a great job explaining what's behind the trick; people don't have to believe everything.
Sir, you should consider getting those shoulder divots looked at (likely due to the size of the armholes). Also, those lapels are too narrow, but that's more a matter of taste
Love it. It's not just cap. It's ball cap.
Was suspicious that he didn't post any info on how he used the flipper or the files themselves
@4:07 it's a feature because a state-sponsored government agency can access it; it's a feature to them..
the way he says Mississauga LOL
The power meter shown in the "Flipper" segment is a peak power recording power accumulator. The meter is read by an electronic meter reader carried by the local walking meter man. It communicates through the infrared port on the front, through the D shaped steel plate on the front. The lever to the right will reset the peak values stored in non-volatile memory in the meter. Reverse engineering the communication protocol is hard, even if you have a reader/programmer.
Yes silicon is transparent to long-wave Infrared, but the resolution of the image is poor for recent silicon integrated circuit technologies. Current bleeding edge technology is in the range of 5nm feature sizes, and the wavelength of the IR is about 1000nm. And to access the back of the silicon you need to remove the heat spreader or remove the epoxy overfill. Most of the reflected signal is from the metal layers, and not much from the actual transistors.
As someone has commented below, a partial readout of the firmware is useless if you have erased the initial setup code on the device.
That device supported OTA updates, two copies of firmware stored in memory so it led to a full dump of the firmware.
The silicon viewing was meant more for block level analysis image comparison, is the chip fundamentally the same as a known good version or something else entirely.
Check out the site below, I have a bit of protocol analysis on L+G Meters, not the same as what he uses but fun none the less. Thanks for commenting!
wiki.recessim.com/view/Advanced_Metering_Infrastructure
😂 Dam shots fired...
I'm thinking a meter on rental property where the power company is capable of turning the power on and off remotely. Check on that. There are several Canadian high tech service companies that come down on service contracts that last up to a year. They usually rent houses while in the states.
Wow Peter! 🤣
I mention you and this video on my video coming out this weekend! Hash, if you want to preview, please let me know!
Love to check it out, you can email a link to hash at recessim.com
That flash behaviour lies in the nature of flash storage - the flash controller simply can't reset all of the values per se; if you want to write something it will be "flashed"/reset on request :) not by definition each time - clearing flash each time wastes valuable cell cycles :) macrocell macroblock refresh count. BTW the name FLASH stands for the clearing operation and the flash of light it emits at the zeroing in case of NOR (one'ing in case of NAND) operation
I’m not into this kind of thing but that is a strong presentation!!!!!!!
EXCELLENT! 🤓👌🖤😅✅
There are manual cameras that have a movable internal IR filter so they can use IR film (not sure the film is made much). I have one. It is a postwar Kodak Medalist 2. It has a setting on the top select knob. The portable IR lights were in use in '43 with the Vampire so night photography was possible. That may be why the option was available.. to record WW3. Operation Unthinkable and the aftermath. The military probably bought the lion's share of them.
The filter is easy to remove in disposable cameras too since they are meant to be disassembled to take the film out (some). Prolly not the resolution you're looking for, but maybe for something else.
2 meters on a single home is most likely tied to a grid with solar, and can monitor what he is putting back from it - one reason you see people with 2 meters. Great vid, love the book :)