Great work! Few will appreciate all the man hours.
Thanks a lot! Those who know, know!
This guy plays life like a video game. I did not know what a smart meter was before i found this channel, thank you.
Glad you enjoyed it
This is awesome. I like mesh, I like ripping things apart, and I really like learning about hardware and software. Great video. That’s it, I’m ordering the meter!
Thank you so much for all these details, great explanations. Understanding your way of thinking and reversing it makes a big difference.
> I've been in the utility business since 1982 and worked with "Smart Meters" and Automated Meter Reading (AMR) since the 1990s. The benefit of the Smart Meter for customers is the ability to use the Lat/Long coordinates to more easily locate their assets. The other benefit is the ability to quickly map power outages and their assets. Finally, the Smart Meters provide the ability to download energy data. Smart Meters are like little computers/smart devices at the service point or end point. The Smart Meters are also important for utilities to obtain meter reads remotely and do other work remotely: ping the device, test if power is on or off. Great stuff.
Just recently discovered some key data I have been missing, working on a new video to share my updated code. Thanks for watching!
Neat -- I do hope your effort decoding all this will get shared and incorporated into the RTLAMR utility meter SDR decoding project for others to use!
Exceptional breakdown. I wonder what would happen if one were to fake a packet with a GPS coordinate hundreds of miles away. The smart thing to do would be to route the packet to the nearest collector. The dumb (but interesting) thing to do would be to route it across the mesh network for hundreds of miles until it reached the nearest collector to that coordinate.
I’ve seen some anomaly meters like that, they report a far away location. My guess is the routing isn’t actually using the GPS, but perhaps the GPS is used in some other parts of their system.
This is fascinating. Out of curiosity, how do you find /make the time to dig into stuff like this? Is it a side hustle or is it done more or less full time?
Just a hobby, and have been doing it for quite a while before speaking about it or posting videos.
Love your new news stuff, but I miss the hands-on content like this!
I’m working on more hands on content, just trying to find the balance. I have a couple vids and an idea for sharing more attack methods that I am trying to flesh out. Soon… :)
This guy is a flipping genius!
That’s awful kind of you!
Wow! This is brilliant!
Excellent video! As a mapper, I really enjoyed seeing the ArcGIS map pop up and your creative use of GE. As a nerd, I loved the decoding process you went through to un-hash the coordinates! Is the KML on the wiki? I didn't see it.
I didn’t post the KML but will upload so you can check it out in the next couple days.
I added the KML file to the bottom of the wiki page: wiki.recessim.com/view/Landis%2BGyr_GridStream_Protocol#GPS_Tagged_Wardrive_Files
Have you heard of Meshtastic radios? They operate exactly the same way you just described the meters work. Exactly the same. Could I use the smart meter grid to increase the range of my Meshtastic grid? Both systems operate on the same frequency. What do you think?
really cool stuff, thanks for posting these videos
How did you determine the number of Hops that was taken?
Awesome videos! Any progress on figuring out where the energy data is encoded in the packets? I took a crack at the data you posted on your website, but haven't come up with anything yet.
I’m working on a new strategy right now, logging data from a meter that has super low power usage for a week. Then going to log a meter with higher usage and compare packets to see what I can find.
@@RECESSIM That sounds like a great idea! Looking forward to your next video/update.
@@RECESSIM The amount of data generated by a meter is quite large. I'm sure you read all this in the docs you found: typical reading data for that meter is 8 channels of load profile (15-minute data), plus all the extra goodies with monitoring voltage and events as you noted in the wiki (Packets Purpose) section. If I had to guess, Oncor initiates some type of reading schedule 2-3x a day for batches of meters to collect all that data. I scanned the unknown data pretty quickly and it's still a mystery to me. I've seen most of the data after it was collected by the AMI.
@@cnicholson123456 Yea, it's quite the challenge looking at the raw data. The meters are obviously reporting their usage, but what they report and how they encode it in the different length packets is a mystery. I feel if I understood the Device Control Word (DCW) language they use it might make things clearer.
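The comparison strategy RECESSIM describes above (log a low-usage meter for a while, then a high-usage one, and diff the packets) is a standard differential-analysis move, and it can be automated. The script below is an added example, not RECESSIM's code or anything from the wiki: packets from each capture are grouped by length and compared byte by byte, so offsets that are fixed within a capture but differ between captures (identifiers) and offsets whose value ranges never overlap between the two meters (usage-like fields) are pulled out as candidate runs, then decoded and averaged per capture. The hex packets, the 13-byte layout (header, 4-byte id, 2-byte counter, 3-byte payload, trailer) and the big-endian decoding are all constructed assumptions for illustration, not GridStream captures or its real layout.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample captures (hex, spaces for readability). Assumed layout for
# this 13-byte packet type: 2-byte header, 4-byte meter id, 2-byte sequence
# counter, 3-byte payload, 2-byte trailer. None of this is a real GridStream
# layout; the values were chosen so the payload grows with consumption.
LOW_USAGE = [
    "aa55 00001234 0001 00001a beef",
    "aa55 00001234 0002 00001b beef",
    "aa55 00001234 0003 00001a beef",
    "aa55 00001234 0004 00001c beef",
    "aa55 00001234 0005 00001b beef",
    "aa55 00001234 0006 beef",            # a shorter packet type, seen once
]
HIGH_USAGE = [
    "aa55 00005678 0003 0002f1 beef",
    "aa55 00005678 0004 0002f4 beef",
    "aa55 00005678 0005 000302 beef",
    "aa55 00005678 0006 0002f9 beef",
    "aa55 00005678 0007 000310 beef",
]


def parse_hex(lines):
    return [bytes.fromhex(line.replace(" ", "")) for line in lines]


def classify_offsets(set_a, set_b):
    """Group both captures by packet length and label every byte offset of each
    length that occurs in both captures:
      constant                - same single value in both captures
      differs-between-meters  - fixed within each capture, different across them
                                (identifiers, addresses)
      varies-disjoint         - varies within a capture but the two value sets
                                never overlap (usage-like fields)
      varies                  - everything else (counters, timestamps, CRCs)"""
    by_len_a, by_len_b = defaultdict(list), defaultdict(list)
    for p in set_a:
        by_len_a[len(p)].append(p)
    for p in set_b:
        by_len_b[len(p)].append(p)
    result = {}
    for n in sorted(set(by_len_a) & set(by_len_b)):
        labels = {}
        for i in range(n):
            va = {p[i] for p in by_len_a[n]}
            vb = {p[i] for p in by_len_b[n]}
            if len(va) == 1 and len(vb) == 1:
                labels[i] = "constant" if va == vb else "differs-between-meters"
            elif va.isdisjoint(vb):
                labels[i] = "varies-disjoint"
            else:
                labels[i] = "varies"
        result[n] = labels
    return result


def candidate_runs(labels):
    """Merge adjacent offsets carrying the same interesting label into
    (start, end, label) runs, so a multi-byte field shows up as one run."""
    interesting = ("differs-between-meters", "varies-disjoint")
    runs, start = [], None
    for i in range(len(labels)):
        lab = labels[i]
        if start is not None and lab == labels[start]:
            continue                       # extend the current run
        if start is not None:
            runs.append((start, i - 1, labels[start]))
            start = None
        if lab in interesting:
            start = i
    if start is not None:
        runs.append((start, len(labels) - 1, labels[start]))
    return runs


def field_values(packets, start, end):
    """Decode offsets start..end (inclusive) as a big-endian integer. The
    endianness is an assumption; try little-endian as well on real data."""
    return [int.from_bytes(p[start:end + 1], "big") for p in packets]


def compare_fields(set_a, set_b, length):
    """For each candidate run: (start, end, label, mean in A, mean in B). A run
    whose mean tracks consumption is worth chasing; one that is merely constant
    per meter is more likely an identifier."""
    labels = classify_offsets(set_a, set_b)[length]
    a = [p for p in set_a if len(p) == length]
    b = [p for p in set_b if len(p) == length]
    return [(s, e, lab, mean(field_values(a, s, e)), mean(field_values(b, s, e)))
            for s, e, lab in candidate_runs(labels)]


if __name__ == "__main__":
    low, high = parse_hex(LOW_USAGE), parse_hex(HIGH_USAGE)
    for s, e, lab, m_low, m_high in compare_fields(low, high, 13):
        print(f"bytes {s:2d}-{e:2d} {lab:23s} low mean {m_low:8.1f}  high mean {m_high:8.1f}")
```

On the constructed data this flags bytes 4-5 (the differing meter id) and bytes 9-10 (the payload that grows with usage), while the sequence counter at byte 7 is correctly dismissed because both meters' counter values overlap. The caveat for real captures is that a per-meter constant is usually an address or serial rather than usage, and that any field protected by a checksum will show as noise until the checksum bytes are identified.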
Great job reverse-engineering the coordinates encoding! Fascinating to learn how these smart meters organize into mesh networks. It seems like they know the location of the routers/collectors that they're trying to reach, did I understand that correctly? Each broadcasts its packets with a known target, and the ones catching it that might be closer will just re-broadcast it until it reaches this connection point into the backing network? If so, how do they know the location of these endpoints? Are these also propagated through the mesh network when new base stations come online? I don't really see any other way.
This is what I found for older Landis + Gyr power meters: "Upon power up or reboot, and at intervals while powered on, a radio automatically scans the frequency band searching for other UtiliNet radios in its vicinity to learn about its RF neighbors. As the radios learn about one another, they pass their geographic address coordinates for routing and to keep communication statistics for choosing the best data transmission paths. This allows the radios to automatically route packets and dynamically build routing tables to choose the best paths if RF conditions change. Once configured by the user, radios automatically acquire radios and route packets."
@@znewt99 Oh, awesome! Thanks for the details, that makes sense. It must be pretty cool to work on this kind of mesh network; ~12 hops in some cases makes it sound almost adversarial, it's certainly not an ideal environment. One thing I can see being a challenge is the lack of software updates and what this means if devices are shipped with bugs in their routing logic. You could have one device messing up the whole neighborhood by miscalculating routes and blackholing the mesh traffic or causing all packets to be routed through itself for example, and you'd have no easy way to fix it without manual intervention (if you can find it!). You just need one neighbor to cheap out with a poor product for it to impact a whole area.
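To make the UtiliNet description above concrete, and the failure mode raised in the reply (one node with a wrong idea of the map blackholing its neighbourhood), here is an added example that is neither RECESSIM's code nor Landis+Gyr's actual algorithm: a small simulation of greedy geographic forwarding, one generic way to route on the "geographic address coordinates" the quote mentions. Each node hands the packet to the neighbour whose advertised coordinates are closest to the collector. The node names, coordinates, 1.3 km radio range and hop limit are constructed; the node L physically sits between m3 and m4 but advertises a position next to the collector (the kind of anomaly meter RECESSIM mentions seeing), and the blacklist retry is a crude stand-in for the "communication statistics" the quote says radios keep.

```python
import math

RADIO_RANGE_KM = 1.3   # assumed reach of one meter radio (constructed)
MAX_HOPS = 16          # assumed hop limit (constructed)

# Constructed neighbourhood: a collector C and a line of meters 0.01 deg
# (about 1.1 km) apart, so each radio only hears its immediate neighbours.
HONEST = {
    "C":  (32.800, -96.800),   # collector / backhaul point
    "m1": (32.790, -96.800),
    "m2": (32.780, -96.800),
    "m3": (32.770, -96.800),
    "m4": (32.760, -96.800),
}
# A misbehaving node L: physically between m3 and m4 (in range of both), but
# its advertised coordinates put it right next to the collector.
LIAR_TRUE = dict(HONEST, L=(32.765, -96.805))
LIAR_ADVERTISED = dict(HONEST, L=(32.801, -96.800))


def dist_km(a, b):
    """Equirectangular approximation of the distance between two (lat, lon)
    points; accurate enough for a neighbourhood-sized mesh."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    x = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    y = lat2 - lat1
    return 6371.0 * math.hypot(x, y)


def neighbours(node, true_pos):
    """Radios that can actually hear each other: decided by true positions,
    not by what anyone advertises."""
    return [n for n in true_pos
            if n != node and dist_km(true_pos[node], true_pos[n]) <= RADIO_RANGE_KM]


def greedy_route(src, dst, true_pos, advertised, blacklist=frozenset()):
    """Greedy geographic forwarding. At each hop the packet goes to the
    neighbour whose ADVERTISED position is closest to the destination, but only
    if that is strictly closer than the current node's own advertised position;
    otherwise the packet is stuck ('dead-end'). Returns (path, status)."""
    path, cur = [src], src
    while cur != dst:
        if len(path) - 1 >= MAX_HOPS:
            return path, "hop-limit"
        here = dist_km(advertised[cur], advertised[dst])
        candidates = [n for n in neighbours(cur, true_pos)
                      if n not in path and n not in blacklist]
        if not candidates:
            return path, "dead-end"
        nxt = min(candidates, key=lambda n: dist_km(advertised[n], advertised[dst]))
        if dist_km(advertised[nxt], advertised[dst]) >= here:
            return path, "dead-end"
        path.append(nxt)
        cur = nxt
    return path, "delivered"


def route_with_blacklist(src, dst, true_pos, advertised, retries=3):
    """Crude stand-in for per-neighbour communication statistics: a next hop
    that swallows packets gets blacklisted and the route is recomputed."""
    bad = set()
    for _ in range(retries + 1):
        path, status = greedy_route(src, dst, true_pos, advertised, frozenset(bad))
        if status != "dead-end" or len(path) < 2:
            return path, status, bad
        bad.add(path[-1])          # the node where the packet died
    return path, status, bad


if __name__ == "__main__":
    for label, tp, ap in (("honest", HONEST, HONEST),
                          ("with liar L", LIAR_TRUE, LIAR_ADVERTISED)):
        path, status = greedy_route("m4", "C", tp, ap)
        print(f"{label:12s} {' -> '.join(path):28s} {status} ({len(path) - 1} hops)")
    path, status, bad = route_with_blacklist("m4", "C", LIAR_TRUE, LIAR_ADVERTISED)
    print(f"after blacklisting {bad}: {' -> '.join(path)} {status}")
```

In the honest topology the packet from m4 reaches C in four hops. With L present, m4 sees a neighbour that claims to be 100 m from the collector and hands it the packet; L has no neighbour closer to C than its own claimed position, so the packet dies there, exactly the blackhole the reply worries about. Only after the sender stops trusting L does the route fall back to m3 and deliver. The design point is that the radio layer decides who can hear whom, while routing runs on self-reported coordinates, so a single wrong or malicious advertisement is enough to capture a neighbourhood's traffic until something like the blacklist kicks in.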
So what happens if I put a Faraday cage around my meter?
great job, and so impressive.
but words cannot describe how giddy it makes me to see a hacker print screenshots onto paper, rather than showing on a screen...
the ultimate... i could, but i'm not gonna.
PaperPoint is the future! :)
So burglars (or anyone) can verify the power is out before breaking and entering - nice!
A burglar could just look at the meter
@@znewt99 Sure, if they are targeting something specific... But this way they could do much more burglaries in shorter time and wouldn't even have to get out from the car before deciding to go in.
Some good old war driving 😁
Fun war driving for things other than Wi-Fi
What we need to know is how to change the output of the meters so we control what the meter is sending
Hash for TX Gov!
To what extent are these devices sending kW type data that can be publicly collected?
Working on figuring out how to decode that data
@@RECESSIM thanks! Have you set up any type of notices to keep interested peeps informed of your progress? Much mahalo (thanks in Hawaiian).
Following the Wiki. Appreciate the man HOURS you have devoted. If kW and GPS data can be decoded that means the entire smart meter protocol in use by Landis will have to change? GPS+kW is not good data to have publicly available.
I always thought these were sent via DSSS and encrypted? How do you capture and read a raw packet?
Check this video where I show the full setup: ua-cam.com/video/fUK8tcFQwpo/v-deo.html
@@RECESSIM I appreciate it. Are you having any luck with deeper access, such as meter reads, leg voltage, tamper, or disconnect relay?
Still working on that, along with the frequency hopping pattern.
@@RECESSIM This is really good work and represents the best of persistence and cleverness. May I use this as a beautiful example of how humans reverse-engineer things in future security presentations? I'd love to point people to this.
Go for it, if I can help in any way feel free to reach out.
The real life Rust, where we are the nodes...
Awesome video.
This is amazing
Glad you enjoyed it!
I'm struggling with the value of these devices to the consumer vs. the old school mechanical clock meters, i.e. the cost benefit ratio does not seem to benefit the ratepayer.
I think the value is hidden, like the value of good roads. No one thinks twice about having nice roads and how much money is saved by people whose car isn't hitting hundreds of potholes.
The information the grid operator has with these allows for better service to the customer. But that’s where the value lies, with the grid operator to have better visibility and lower operating costs (at least in theory) than manually read meters.
I am not sure if we have these smart meters in the UK. Where can I find which frequency they transmit on, so I can monitor with the SDR?
@@user-ew1ku3yg7u Probably for the best. In RECESSIM's area, if they are transmitting GPS location and usage data, then it doesn't seem hard for bad guys to determine when and where properties may be vacant due to owners on vacation. I don't know how much of a real world risk that is, but it doesn't sound like good system design unless I've misunderstood something.
You can look at your meter and see if there is some RF identifier. In the US it’s the FCC ID that you can look up to see what frequencies they transmit on. Will vary by country
@@RECESSIM We don't actually have a smart meter (yet), but I am sure someone in the neighbourhood has. Sounds like we are a little ahead of the game if it uses GSM; I just thought that would be more expensive for the companies to run.
@@miketaylor253 Design is usually driven by country regulations, utility requirements and depth of pockets along with any technical limitations. Have seen RF Mesh, point to point, cellular and power line communication so far. Mixed bag really!
Awesome.
I have a Sensus meter on my home. Any experience with those?
I have a Dr. Seuss meter on my home!!
@@HardRockMaster7577 Huh? What is a Dr. Seuss meter?
@@jaredg2078 It was a joke, Jared...
Way over my head but very interesting.
BINARY !!
Joi: Mere data makes a man. A and C and T and G. The alphabet of you. All from four symbols. I am only two: 1 and 0.
'K': Half as much but twice as elegant, sweetheart.
Imagine these people, trying to understand biology, instead of trying to understand what another human being created...
I dunno, if I had a full bio lab in my home I think it would freak people out…
@@RECESSIM No. Sheep don't believe in independent researchers and critical thinkers.
That's a lot of traffic to fry your brain. Kids and old people don't stand a chance.
The start of the next X-Men movie… 🍿
@@RECESSIM Oh well, you might get a shock in not much time at all. I heavily research metaphysics and from what I've learned, safety testing was ignored. Wifi 2.4GHz causes autism in children and dementia in old people. Their immune systems are just not strong enough. Also GPS from space is 2.4GHz and does the same damage. Smart meters are just like more 4G mobile data. But the real problem will be 5G. It will make us sick. So bad that it will cause a pandemic worse than covid. Because your shops were still stocked during covid, they won't be next time. Once they turn it all off (and they will), good things are philosophized to happen. Like ESP stuff. It would be a good movie, yet it doesn't need to be. It's our future.
“It definitely scared me and made me realize that no one cares more about my well being than me.” - Welcome to the Libertarian party.
Leave a note that you are not feeling sad
I do not want to visit McAfee