Difference between revisions of "Landis+Gyr GridStream Protocol"
|  (→00FF 2A 55 Meter Data:  Changed data tags based on discovery using IWR) | |||
| Line 210: | Line 210: | ||
| |- | |- | ||
| ! colspan="4" |Not part of CRC calc | ! colspan="4" |Not part of CRC calc | ||
| − | ! colspan=" | + | ! colspan="9" |Data Packet | 
| − | ! colspan=" | + | ! colspan="3" |Trailing 6 Bytes | 
| + | ! | ||
| |- | |- | ||
| !Start of   | !Start of   | ||
| Line 460: | Line 461: | ||
| |- | |- | ||
| ! colspan="4" |Not part of CRC calc | ! colspan="4" |Not part of CRC calc | ||
| − | ! colspan=" | + | ! colspan="9" |Data Packet | 
| − | ! colspan=" | + | ! colspan="3" |Trailing 6 Bytes | 
| + | ! | ||
| |- | |- | ||
| !Start of   | !Start of   | ||
| Line 1,194: | Line 1,196: | ||
| |- | |- | ||
| ! colspan="4" |Not part of CRC calc | ! colspan="4" |Not part of CRC calc | ||
| − | ! colspan=" | + | ! colspan="12" |Data Packet (Oncor Meter) | 
| − | ! colspan=" | + | ! colspan="3" |Trailing 6 Bytes | 
| + | ! | ||
| |- | |- | ||
| !Start of | !Start of | ||
Latest revision as of 14:08, 3 April 2023
Contents
Protocol Analysis
Analysis and decoding of the packets used on the Landis+Gyr GridStream mesh network.
Packet Structure
Sync and Header
The Landis+Gyr Gridstream smart meters use a 52 bit sync shown below regardless of Gridstream version. This can be used in GNU Radio along with the header to uniquely identify packets. Note that at the start of the header we begin using start and stop bits. These must be stripped off of the rest of the data packet during processing.
| Sync | ||||||
|---|---|---|---|---|---|---|
| 0xAA | 0xAA | 0xAA | 0xAA | 0xAA | 0xAA | 0xA | 
| 10101010 | 10101010 | 10101010 | 10101010 | 10101010 | 10101010 | 1010 | 
Of particular note is the difference between versions 1-4 and version 5. In version 5 there are two bits [11] that do not respect the start/stop bit checks of the prior versions. The older protocol expects a 0 start bit, 8 data bits and a 1 stop bit. By violating two consecutive start bits the older versions of GridStream ignore version 5 even if they have the same CRC Adder! This appears to be a way to add backwards compatibility to newer versions of GridStream.
| Header v1 - v4 | Header v5 | |||
|---|---|---|---|---|
| 0x00 | 0xFF (10 bit) | 0x00 | 0xFF (11 bit) | |
| 0 00000000 1 | 0 11111111 1 | 0 00000000 1 | [11] 11111111 1 | |
Using GNU Radio it was found that shortening the Sync requirements a bit and incorporating part of the header leads to the cleanest data for further downstream processing. The modified sync in 8 bit chunks is shown below. These two sync's are both loaded into the PDU Align block and if either one is matched the full packet is passed downstream.
| 0xAA | 0xAA | 0x00 | 0x5F | 0xF | 
|---|---|---|---|---|
| 10101010 | 10101010 | 00000000 | 01011111 | 1111 | 
| 0xAA | 0xAA | 0x00 | 0x7F | 0x1F | 
|---|---|---|---|---|
| 10101010 | 10101010 | 00000000 | 01111111 | 11111 | 
Packet Types and Structures
Data is shown in Hexadecimal unless stated otherwise
So far only two types of packets have been observed, a 0x55 and a 0xD5 packet. Multiple lengths and SubTypes of these exist, a few are listed below.
| Start of Frame | Type | Sub Type | Sequence | Packets Purpose | ||
|---|---|---|---|---|---|---|
| 00FF | 00 | 81 or 85 | 1 Byte | Report Power Usage (Device Control Word DCW) | ||
| 00FF | 01 | 81 or 85 | 1 Byte | Report Power Usage (Device Control Word DCW) | ||
| 00FF | 02 | 81 or 85 | 1 Byte | Report Power Usage (Device Control Word DCW) | ||
| 00FF | 03 | 81 or 85 | 1 Byte | Report Power Usage (Device Control Word DCW) | ||
| Start of Frame | Type | Sub Type | Length | Unknown | Packets Purpose | |
| 1 | 00FF | 2A | 55 | 0023 | 30 | Report up-time and other unknown data | 
| 2 | 00FF | 2A | D5 | 0047 | 51 | Includes Epoch and Uptime | 
| 3 | 00FF | 2A | D5 | 00FD | C0 | |
Data
Data varies per packet type but a common theme is the 0x55 packets appear to be broadcasts from the meters with only their own ID. 0xD5 packets usually contain two ID's and appear to be how data is routed across the network. Sometimes one of the meter ID's in a 0xD5 packet is FFFFFFFF which may be a broadcast packet. This was observed when packets were sent that appear to be updating the system time of the meters.
Checksum
C++ source code below used to calculate the CRC, different energy providers use a different initial CRC value. Assume this is to segment traffic, unsure if Routers/Collectors are shared by different providers to return traffic or not.
uint16_t Landis_crc16 (uint16_t crc, const std::vector<uint8_t> &data, size_t size) { 
// CoServ CRC = 0x45F8 
// Oncor CRC = 0x5FD6 
// Hard coded Poly 0x1021
    uint16_t i = 0;
    while (size--) {
        crc ^= data[i] << 8; 
        i++; 
        for (unsigned k = 0; k < 8; k++) 
            crc = crc & 0x8000 ? (crc << 1) ^ 0x1021 : crc << 1;
    }
    return crc; 
}
Captured Meter Data
There have been two packet types observed thus far, a 0x55 and a 0xD5 packet.
- 0x55 appears to be broadcasts from the meters and happen frequently. They have been observed multiple times per minute from a single meter.
- 0xD5 appears to be a packet for transporting data across the mesh network. Each D5 packet will contain two meter ID's, Meter ID #1 and Meter ID #2. There are many 0xD5 packet length and types that have been observed, some are shown below.
00FF 2A 55 Meter Data
The data below was captured from the same meter (F0EE36DB) and shows some of the values that can change with each transmission. Different meters have different fixed data and some of the data changes less frequently as well.
| Pkt | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Not part of CRC calc | Data Packet | Trailing 6 Bytes | |||||||||||||||
| Start of Frame | Type | SubType | Length | Unknown | Unknown | WAN Address | Counter | Uptime | Unknown | LAN Address | Unknown | Unknown | Timing (0.01 increments) | Unknown | Checksum | Trailing | |
| 1 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 0C | 0001ECBF | A483 | F0EE36DB | 0100 | 213204 | 384F | 7E80 | 0896 | 04 | 
| 2 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 16 | 0001ECC6 | A483 | F0EE36DB | 0100 | 213204 | 3AC5 | 7E80 | F47E | 04 | 
| 3 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 2A | 0001ED05 | A483 | F0EE36DB | 0100 | 213204 | 1207 | 7E80 | A412 | 04 | 
| 4 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 34 | 0001ED29 | A483 | F0EE36DB | 0100 | 213204 | 1FF9 | 7E80 | D9C4 | 04 | 
| 5 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 38 | 0001ED37 | A483 | F0EE36DB | 0100 | 213204 | 2571 | 7E80 | 963C | 04 | 
| 6 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 42 | 0001ED5C | A483 | F0EE36DB | 0100 | 213204 | 33A9 | 7E80 | 8384 | 04 | 
| 7 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 4C | 0001ED60 | A483 | F0EE36DB | 0100 | 213204 | 354D | 7E80 | 2CB6 | 04 | 
| 8 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 4E | 0001ED79 | A483 | F0EE36DB | 0100 | 213204 | 3F25 | 7E80 | 871A | 04 | 
| 9 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 60 | 0001EDA6 | A483 | F0EE36DB | 0100 | 213204 | 0F05 | 7E80 | 25C9 | 04 | 
| 10 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | 50CF8DD9E2C0 | 6A | 0001EDCD | A483 | F0EE36DB | 0100 | 213204 | 1E55 | 7E80 | F33F | 04 | 
Commentary on the data fields above, they have been grouped based on sample analysis but this could be wrong. If you see a new pattern not noticed before you may be correct.
- Field 5 - Never observed a packet with this length and subtype that wasn't all FF's
- Field 6 - WAN Address - Oncor uses GPS coordinates, CoServ uses LAN with padding of some kind. The open source gpsdecode library shows one way to translate between WAN Address and GPS coordinates.
- Field 7 - Increments some amount with each transmission and rolls over at 0xFF, always an even hex value
- Field 8 - Value in seconds since meter powered on, easy way to see last time the meter experienced a power outage.
- Field 10 - LAN Address, Meter ID that's listed on the sticker on the front
** NEW **
Field 13 - Timing in hundredths of a second, counts from 0 to 167.99 (0x419F) seconds then rolls over to 0 again. Credit for this discovery goes to an anonymous reader who examined the dataset at the bottom of the page!!
| Pkt | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Not part of CRC calc | Data Packet | Trailing 6 Bytes | |||||||||||||||
| Start of Frame | Type | SubType | Length | Unknown | Unknown | WAN Address | Counter | Uptime | Unknown | LAN Address | Unknown | Unknown | Timing (0.01 increments) | Unknown | Checksum | Trailing | |
| 1 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | 7C | 0003FB20 | A403 | 5021D005 | 0100 | 072001 | 1E56 | 7E00 | 9032 | 04 | 
| 2 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | AE | 0003FB9E | A403 | 5021D005 | 0100 | 072001 | 0DA8 | 7E00 | 83E8 | 04 | 
| 3 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | B8 | 0003FBC1 | A403 | 5021D005 | 0100 | 072001 | 1B54 | 7E00 | 2924 | 04 | 
| 4 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | C0 | 0003FC30 | A403 | 5021D005 | 0100 | 072001 | 052E | 7E00 | 09FC | 04 | 
| 5 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | EA | 0003FC9F | A403 | 5021D005 | 0100 | 072001 | 3062 | 7E00 | C69A | 04 | 
| Power restored after an outage | |||||||||||||||||
| 6 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | 06 | 0000000F | A403 | 5021D005 | 01EA | 6000FE | 26DA | 7E30 | 90CE | 04 | 
| 7 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | 0E | 0000000F | A403 | 5021D005 | 01EA | 6000FE | 26EF | 7E10 | 2740 | 04 | 
| 8 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | 20 | 00000011 | A403 | 5021D005 | 01EA | 6000FE | 2801 | 7E90 | 8B23 | 04 | 
| 9 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | 2C | 00000013 | A403 | 5021D005 | 01EA | 6000FE | 2883 | 7E60 | 1A1A | 04 | 
| 10 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | 54 | 00000017 | A403 | 5021D005 | 01EA | 6000FE | 2A72 | 7E80 | E3CD | 04 | 
00FF 2A D5 Meter Data
There appear to be multiple packet lengths and styles for the 0xD5 packet. Some samples shown below, download as a txt file.
| Pkt | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 10 | 11 | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Not part of CRC calc | CRC'd Data | CRC | ||||||||||||||
| Start of Frame | Type | SubType | Length | Unknown | DST Meter | SRC Meter | Packet Counter | Payload | Timing (0.01 increments) | Unknown | Checksum | Timestamp | ||||
| 1 | 00FF | 2A | D5 | 0011 | 29 | F0611C3E | F03B9FFB | AE | 98 | 4014 | 1630 | 9B47 | Mon Mar 1 08:43:20 2021 | |||
| 2 | 00FF | 2A | D5 | 0011 | 29 | F0611C3E | F03B9FFB | BA | 98 | 04B5 | 1650 | C505 | Mon Mar 1 08:43:36 2021 | |||
| 3 | 00FF | 2A | D5 | 0011 | 29 | F0611C3E | F03B9FFB | CA | 98 | 0844 | 1600 | 413C | Mon Mar 1 08:43:45 2021 | |||
| 4 | 00FF | 2A | D5 | 0016 | 21 | F0653657 | F03B9FFB | 72 | 8801001F3204 | 2E24 | 1140 | B6B1 | Mon Mar 1 11:50:10 2021 | |||
| 5 | 00FF | 2A | D5 | 0016 | 21 | F0EF3BCE | F03B9FFB | 62 | 8801001E3204 | 2393 | 1730 | 6DA6 | Mon Mar 1 12:45:43 2021 | |||
| 6 | 00FF | 2A | D5 | 0016 | 21 | F1419ADD | F03B9FFB | 7C | 9801001E3204 | 332C | 1780 | BB3E | Mon Mar 1 12:46:23 2021 | |||
| 7 | 00FF | 2A | D5 | 0016 | 21 | F07C5F0C | F03B9FFB | 9A | 8801001E3204 | 018C | 1A80 | 4FCF | Mon Mar 1 12:47:04 2021 | |||
| 8 | 00FF | 2A | D5 | 0017 | 29 | 8073AB83 | F03B9FFB | C2 | 8801001E320404 | 06BF | 1390 | 0244 | Mon Mar 1 18:17:41 2021 | |||
| 9 | 00FF | 2A | D5 | 0017 | 29 | 8073AB83 | F03B9FFB | D2 | 8801001E320404 | 0BF4 | 1340 | 2AB3 | Mon Mar 1 18:17:54 2021 | |||
| 10 | 00FF | 2A | D5 | 0017 | 29 | 8073AB83 | F03B9FFB | E4 | 8801001E320404 | 11FF | 1330 | 8517 | Mon Mar 1 18:18:10 2021 | |||
| 11 | 00FF | 2A | D5 | 0017 | 29 | 8073AB83 | F03B9FFB | EA | 8801001E320404 | 1271 | 1340 | 5091 | Mon Mar 1 18:18:11 2021 | |||
| 12 | 00FF | 2A | D5 | 001C | 29 | F0611C3E | F03B9FFB | A1 | 9001001E320406009950D1CA | 097E | 1620 | 46B7 | Mon Mar 1 09:39:48 2021 | |||
| 13 | 00FF | 2A | D5 | 001C | 29 | F05C3966 | F03B9FFB | 1D | 9001001E320406009D50D515 | 158D | 2220 | 18A3 | Mon Mar 1 12:59:07 2021 | |||
| 14 | 00FF | 2A | D5 | 001C | 29 | F0611C3E | F03B9FFB | 69 | 9001001F6C0406009F50B910 | 2957 | 1670 | 207F | Mon Mar 1 15:14:22 2021 | |||
| 15 | 00FF | 2A | D5 | 001C | 29 | F0611C3E | F03B9FFB | 17 | 900100246C0406007A50A501 | 3FF3 | 1680 | 5591 | Mon Mar 1 16:08:32 2021 | |||
| 16 | 00FF | 2A | D5 | 001C | 29 | F0611C3E | F03B9FFB | C7 | 9001001F6C04060091500F11 | 0072 | 1690 | 1F05 | Mon Mar 1 16:14:13 2021 | |||
| 17 | 00FF | 2A | D5 | 001C | 29 | F0611C3E | F03B9FFB | 73 | 900100236C0406007D5014A3 | 0797 | 1620 | D48F | Mon Mar 1 16:28:31 2021 | |||
| 18 | 00FF | 2A | D5 | 001C | 29 | F0FBBC6F | F03B9FFB | 4D | 9101001F6C04060091504CAD | 133C | 1D40 | 2347 | Mon Mar 1 22:13:25 2021 | |||
| 19 | 00FF | 2A | D5 | 001C | 29 | F0611C3E | F03B9FFB | B9 | 90010022320406009E500632 | 03F5 | 1730 | FE1B | Mon Mar 1 23:14:22 2021 | |||
| 20 | 00FF | 2A | D5 | 001C | 29 | F0BCD31D | F03B9FFB | E7 | 900100256C0506009B50D2A7 | 1E0E | 3F60 | 13BE | Tue Mar 2 00:56:17 2021 | |||
| 21 | 00FF | 2A | D5 | 001C | 29 | F0BCD31D | F03B9FFB | E5 | 900100256C0506009850C186 | 181F | 3F90 | 305B | Tue Mar 2 01:21:14 2021 | |||
| 22 | 00FF | 2A | D5 | 001D | 29 | F0611C3E | F03B9FFB | B7 | 9008009150FA0E012ABA0E81B8 | 0F15 | 1630 | 8383 | Mon Mar 1 13:21:15 2021 | |||
| 23 | 00FF | 2A | D5 | 001D | 29 | F0611C3E | F03B9FFB | 27 | 900800A350815D012A17698128 | 16DE | 1680 | 0D58 | Mon Mar 1 19:14:23 2021 | |||
| 24 | 00FF | 2A | D5 | 001D | 29 | F0611C3E | F03B9FFB | 2B | 900800A350815D0129DCBE812C | 172A | 1610 | E799 | Mon Mar 1 19:14:23 2021 | |||
| 25 | 00FF | 2A | D5 | 001D | 29 | F0611C3E | F03B9FFB | 51 | 91080091504CAD0129BD448152 | 1350 | 1740 | 8FAD | Mon Mar 1 22:13:25 2021 | |||
| Pkt | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | |||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Not part of CRC calc | Data Packet (Oncor Meter) | Trailing 6 Bytes | ||||||||||||||||||
| Start of Frame | Type | SubType | Length | Unknown | Meter ID1 | Meter ID2 | Counter | Epoch Time | Unknown Reading? | Uptime | Unknown | Unknown | WAN Address Meter ID2 | Meter ID2 | Unknown Data | Timing (0.01 increments) | Unknown | Checksum | Trailing | |
| 1 | 00FF | 2A | D5 | 0047 | 51 | F0C00020 | F03B9FFB | 18 | 60378AB1 | 00033D56 | 0006C31A | A483 | 0101 | 50CFB5D9E400 | F03B9FFB | 000103240602030705070704000000 04C2 C000 204C 0401 FA 2030208180 | 2163 | 1900 | 75F3 | 00 | 
| 2 | 00FF | 2A | D5 | 0047 | 51 | F10679DE | F03B9FFB | 1E | 60378C72 | 00023F96 | 0006C4DB | A483 | 0101 | 50CFB5D9E400 | F03B9FFB | 000103240602030705070704000000 0718 6800 204C 0401 FA 2030208180 | 0BF7 | 1D30 | CDB4 | 00 | 
| 3 | 00FF | 2A | D5 | 0047 | 51 | F159CD44 | F03B9FFB | B4 | 603A627C | 00028F50 | 00099AE5 | A483 | 0101 | 50CFB5D9E400 | F03B9FFB | 000103240602020705070805000000 02A3 C800 1E6C 0401 D9 2030208180 | 226A | 1A10 | 7330 | 00 | 
| Payload (CoServ Meter) | ||||||||||||||||||||
| 4 | 00FF | 2A | D5 | 0047 | 51 | F143250D | 5021D005 | 1A | 603AD051 | 000130D8 | 000D10ED | A403 | 0101 | FE5021D00500 | 5021D005 | 000103200000000000000000000000 02C3 0800 0E20 0200 E3 20301F8180 | 22F0 | 1C40 | 4FEB | 00 | 
| 5 | 00FF | 2A | D5 | 0047 | 51 | F143248A | 5021D005 | 64 | 603AD09C | 000133C6 | 000D1138 | A403 | 0101 | FE5021D00500 | 5021D005 | 000103200000000000000000000000 0BA0 9000 0E20 0200 E3 20301F8180 | 4076 | 1150 | 73A7 | 00 | 
| 6 | 00FF | 2A | D5 | 0047 | 51 | 500F0DD6 | 5021D005 | 80 | 603AD0D3 | 000135EC | 000D116F | A403 | 0101 | FE5021D00500 | 5021D005 | 000103200000000000000000000000 01D8 A800 0E20 0200 E3 20301F8180 | 1412 | 2E40 | ADC1 | 00 | 
- Epoch time calculator and explanation can be found here, first convert time from hex to decimal then input into converter.
00FF2A D5 0016 21 F073B577 F062363D FA88 0100 1F6C04 14E93E70 CF80 04
00FF2A D5 0017 29 8073AEAC F0F28D56 1288 0100 1F3204 041CBB1930 2D2A 04
00FF2A D5 001B 21 F10679E2 8073CE7D F498 0100 106C02 0A15F9055F06571A80 37C5 00
00FF2A D5 001C 29 8073ADB3 8073CE7D 9088 0100 106C02 040A99CF055F3A4B1170 A696 04
00FF2A D5 0021 22 F05A1A60 8073CE7D D8010100106C020520301D81800A99CF055F3ADD1410 A560 04
00FF2A D5 0047 51 F05A4BCC F03D4CD7 5A 6032F37F 0001DA2E 00022BE9 A483 0101 50D075D9E2E0 F03D4CD7 000103240403030806080801000000036EE8001F6C0401E9203020818018C22930 9294 00
Data captures
*Note: This file does not contain the trailing bytes shown in the captures above, it stops at the 16 bit Checksum.
Dallas
Oncor Capture 01-07-2023 30hrs (CONTAINS NEW PACKETS)
Austin
90C3717A is PV
90C1FD1A is Net meter
GPS Tagged Wardrive Files
Format will likely change for the files as more is learned, currently the format is:
Meter_ID, Uptime(seconds), Uptime(days), GPS_Data($GPGGA)
Wardrive-NTX_to_Highland-Park-03-09-2021.csv
KML File used in YouTube GPS Decoding video
Capture files from various regions
Raw capture from New Jersey
Raw capture for Seattle City Light (SCL) from Seattle, Washington, USA


