Difference between revisions of "Landis+Gyr GridStream Protocol"

From RECESSIM, A Reverse Engineering Community
Jump to navigation Jump to search
Line 9: Line 9:
 
===Packet Structure===
 
===Packet Structure===
  
====Sync Word====
+
====Sync and Header====
0xAA     0xAA     0xAA     0xAA     0xA0     0x05     0xFF
+
----The sync word that the Landis+Gyr smart meters send is shown below, this can be used in GNU Radio or other tools to receive only packets transmitted by the meters. Note that at the start of the header we begin using start and stop bits. These must be stripped off the the data during processing.
 
+
{| class="wikitable"
10101010 10101010 10101010 10101010 10100000 00000101 11111111  Sync Word (no start/stop bits)
+
|+Sync and Header
 
+
! colspan="6" |Sync
PDU align syncword: 0xAAAAAAAAAAA005FF but I use one less 0xAA at the start 0xAA.AA.AA.AA.A0.05.FF
+
! colspan="3" |Header
 
+
|-
0xAA     0xAA     0xAA     0xAA     0xAA     0xA        0x00         0xFF     |     0x2A
+
!0xAA
 
+
!0xAA
10101010 10101010 10101010 10101010 10101010 1010   0 00000000 1 0 11111111 1 | 0 00101010 1       Sync Word (no start/stop bits)
+
!0xAA
 
+
!0xAA
====Start and Stop Bits====
+
!0xAA
 
+
!0xA
====Header====
+
!0x00
 
+
!0xFF
 +
!0x2A
 +
|-
 +
|10101010
 +
|10101010
 +
|10101010
 +
|10101010
 +
|10101010
 +
|1010
 +
|0 '''00000000''' 1
 +
|0 '''11111111''' 1
 +
|0 '''00101010''' 1
 +
|}
 +
Using GNU Radio it was found that shortening the Sync requirements a bit and incorporating part of the header leads to the cleanest data for further downstream processing. The modified sync shown in 8 bit chunks is shown below.
 +
{| class="wikitable"
 +
|+Sync Word used with GNURadio
 +
!0xAA
 +
!0xAA
 +
!0xAA
 +
!0xAA
 +
!0xA0
 +
!0x05
 +
!0xFF
 +
|-
 +
|10101010
 +
|10101010
 +
|10101010
 +
|10101010
 +
|10100000
 +
|00000101
 +
|11111111
 +
|}
 +
The final byte of the sync (0x2A) along with it's start and stop bits are discarded as part of the processing.
 +
----<br />
 
====Type, Length and Sub Type====
 
====Type, Length and Sub Type====
 
+
----Add data here
 +
<br />
 +
----<br />
 
====Data====
 
====Data====
 
+
----Add data here
 +
----<br />
 
====Checksum====
 
====Checksum====
 
<br />
 
<br />
Line 345: Line 381:
 
{| class="wikitable"
 
{| class="wikitable"
 
|+0xD5 Captured packet
 
|+0xD5 Captured packet
 +
! rowspan="3" |Pkt
 +
!1
 +
!2
 +
!3
 +
|
 +
!4
 +
!5
 +
!6
 +
!7
 +
!8
 +
!9
 +
!10
 +
|
 +
!11
 +
!12
 +
|-
 +
! colspan="3" |Not part of CRC calc
 +
|
 +
! colspan="7" |Data
 +
|
 
!
 
!
 +
!
 +
|-
 
!Header
 
!Header
 
!Type
 
!Type
 
!Length
 
!Length
 +
|
 
!SubType
 
!SubType
 
!Meter ID #1
 
!Meter ID #1
Line 356: Line 415:
 
!Unknown
 
!Unknown
 
!Unknown
 
!Unknown
 +
|
 
!CRC
 
!CRC
 
!Trailing
 
!Trailing
 
|-
 
|-
|Packet #1
+
|1
 
|00FF2A
 
|00FF2A
 
|D5
 
|D5
 
|0016
 
|0016
 +
!
 
|21
 
|21
 
|F05FCB84
 
|F05FCB84
Line 370: Line 431:
 
|273205
 
|273205
 
|00781930
 
|00781930
 +
!
 
|CB72
 
|CB72
 
|00
 
|00
Line 379: Line 441:
 
<code>3) Packet Length = 0x0016</code>
 
<code>3) Packet Length = 0x0016</code>
  
<code>4) Unknown Identifier #1 = 0x21</code>
+
<code>4) Unknown = 0x21</code>
  
 
<code>5) Meter ID #1 = F05FCB84</code>
 
<code>5) Meter ID #1 = F05FCB84</code>
Line 385: Line 447:
 
<code>6) Meter ID #2 = F0FC4DB1</code>
 
<code>6) Meter ID #2 = F0FC4DB1</code>
  
<code>7) Unknown Identifier #2 = 0xE288</code>
+
<code>7) Unknown = 0xE288</code>
  
<code>8) Unknown Identifier #3 = 0x0100</code>
+
<code>8) Unknown = 0x0100</code>
  
<code>9) Unknown Data #1 = 0x273205</code>
+
<code>9) Unknown= 0x273205</code>
  
<code>10) Unknown Data #2 = 0x00781930</code>
+
<code>10) Unknown = 0x00781930</code>
  
 
<code>11) Checksum = 0xCB72</code>
 
<code>11) Checksum = 0xCB72</code>

Revision as of 00:00, 6 March 2021


Reverse Engineering and Analysis

Packet Structure

Sync and Header


The sync word that the Landis+Gyr smart meters send is shown below, this can be used in GNU Radio or other tools to receive only packets transmitted by the meters. Note that at the start of the header we begin using start and stop bits. These must be stripped off the the data during processing.

Sync and Header
Sync Header
0xAA 0xAA 0xAA 0xAA 0xAA 0xA 0x00 0xFF 0x2A
10101010 10101010 10101010 10101010 10101010 1010 0 00000000 1 0 11111111 1 0 00101010 1

Using GNU Radio it was found that shortening the Sync requirements a bit and incorporating part of the header leads to the cleanest data for further downstream processing. The modified sync shown in 8 bit chunks is shown below.

Sync Word used with GNURadio
0xAA 0xAA 0xAA 0xAA 0xA0 0x05 0xFF
10101010 10101010 10101010 10101010 10100000 00000101 11111111

The final byte of the sync (0x2A) along with it's start and stop bits are discarded as part of the processing.



Type, Length and Sub Type


Add data here




Data


Add data here



Checksum


Captured Meter Data

There have been two packet types observed thus far, a 0x55 and a 0xD5 packet.

  • 0x55 appears to be broadcasts from the meters and happen frequently. They have been observed multiple times per minute from a single meter.
  • 0xD5 appears to be a packet for transporting data across the mesh network. Each D5 packet will contain two meter ID's, Meter ID #1 and Meter ID #2. There are many 0xD5 packet length and types that have been observed, some are shown below.

0x55 Meter Data

The data below was captured from the same meter (F0EE36DB) and shows some of the values that can change with each transmission. Different meters have different fixed data and some of the data changes less frequently as well.

0x55 Captured packets from Meter F0EE36DB
Pkt 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Not part of CRC calc Data
Header Type Length SubType Unknown Unknown Unknown Unknown Counter Uptime (seconds) Unknown Meter ID Unknown Unknown Unknown Unknown CRC Trailing
1 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 0C 0001ECBF A483 F0EE36DB 0100 2132 04384F 7E80 0896 04
2 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 16 0001ECC6 A483 F0EE36DB 0100 2132 043AC5 7E80 F47E 04
3 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 2A 0001ED05 A483 F0EE36DB 0100 2132 041207 7E80 A412 04
4 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 34 0001ED29 A483 F0EE36DB 0100 2132 041FF9 7E80 D9C4 04
5 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 38 0001ED37 A483 F0EE36DB 0100 2132 042571 7E80 963C 04
6 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 42 0001ED5C A483 F0EE36DB 0100 2132 0433A9 7E80 8384 04
7 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 4C 0001ED60 A483 F0EE36DB 0100 2132 04354D 7E80 2CB6 04
8 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 4E 0001ED79 A483 F0EE36DB 0100 2132 043F25 7E80 871A 04
9 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 60 0001EDA6 A483 F0EE36DB 0100 2132 040F05 7E80 25C9 04
10 00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 6A 0001EDCD A483 F0EE36DB 0100 2132 041E55 7E80 F33F 04

1) Header = 0x00FF2A

2) Packet Type = 0x55

3) Packet Length = 0x0023

4) SubType = 0x30

5) Unknown = FFFFFFFFFFFF (Empty Data Slot?)

6) Unknown = 0x50

7) Unknown = CF8DD9E2 (Appears to either be location identifier or duplicate meter ID in some cases)

8) Unknown = C0

9) Counter = 02 (Increments some amount with each transmission and rolls over at 0xFF)

10) Uptime = 0x0001ECA3 (Value in seconds since meter powered on, easy way to see last time there was an outage!)

11) Unknown Identifier #5 = 0xA483

12) Meter ID = 0xF0EE36DB

13) Unknown = 0x0100

14) Unknown = 0x2132

15) Unknown = 0x042D19

16) Unknown = 0x7E80

17) Checksum = 0xF154

18) Trailing byte = 0x04


0xD5 Meter Data

There appear to be multiple packet lengths and styles for the 0xD5 packet. There are some samples below showing

0xD5 Captured packet
Pkt 1 2 3 4 5 6 7 8 9 10 11 12
Not part of CRC calc Data
Header Type Length SubType Meter ID #1 Meter ID #2 Unknown Unknown Unknown Unknown CRC Trailing
1 00FF2A D5 0016 21 F05FCB84 F0FC4DB1 E288 0100 273205 00781930 CB72 00

1) Header = 0x00FF2A

2) Packet Type = 0xD5

3) Packet Length = 0x0016

4) Unknown = 0x21

5) Meter ID #1 = F05FCB84

6) Meter ID #2 = F0FC4DB1

7) Unknown = 0xE288

8) Unknown = 0x0100

9) Unknown= 0x273205

10) Unknown = 0x00781930

11) Checksum = 0xCB72

12) Trailing byte = 0x00


00FF2A D5 0016 21 F073B577 F062363D FA88 0100 1F6C04 14E93E70 CF80 04

00FF2A D5 0017 29 8073AEAC F0F28D56 1288 0100 1F3204 041CBB1930 2D2A 04

00FF2A D5 001B 21 F10679E2 8073CE7D F498 0100 106C02 0A15F9055F06571A80 37C5 00

00FF2A D5 001C 29 8073ADB3 8073CE7D 9088 0100 106C02 040A99CF055F3A4B1170 A696 04

00FF2A D5 0021 22 F05A1A60 8073CE7D D8010100106C020520301D81800A99CF055F3ADD1410 A560 04

00FF2A D5 0047 51 F05A4BCC F03D4CD7 5A6032F37F0001DA2E00022BE9 A483 010150D075D9E2E0 F03D4CD7 000103240403030806080801000000036EE8001F6C0401E9203020818018C22930 9294 00