Difference between revisions of "User:Ctag/Landis+Gyr Focus AXRe-SD"
Jump to navigation
Jump to search
(Added intro and images.) |
(Added initial set of device info from OEM webpage.) |
||
| Line 1: | Line 1: | ||
| − | [[File:PXL 20240920 184927492.MP.jpg|border|thumb|FCC ID: TEB-HUNTSU864, GRIDSTREAM RF]] | + | ===ExecSum=== |
| + | [[File:PXL 20240920 184927492.MP.jpg|border|thumb|FCC ID: TEB-HUNTSU864, GRIDSTREAM RF]][[File:PXL 20240920 184923808.MP.jpg|thumb|Type: FOCUS AXRe-SD, FORM 2S CL200]] | ||
| + | My local utility company installed one of these doohickies on the house, and now I want to get realtime data from it after reading [https://pdx.su/blog/2024-03-17-reading-my-electric-meter-with-rtlsdr/ this article]. | ||
| − | === | + | === Device Info === |
| − | + | The smart meter in question: <code>Landis+Gyr FOCUS AXRe-SD FORM 2S CL200</code> | |
| − | + | ||
| + | Here is the official landing page for this family of products: https://www.landisgyr.com/product/focus-axe-axre-rxre-platform/ | ||
| + | |||
| + | From this page I gather: | ||
| − | The | + | * The base product is called FOCUS AX. The AX'''e''' is a product refresh with better specs. |
| + | ** Still no lead on the 'R' or '-SD' portions of AXRe-SD. I suspect 'R' is for reactive, as in it can meter [https://www.theelectricalguy.in/tutorials/active-reactive-apparent-power-easiest-explanation/ reactive loads]. | ||
| + | * Capable of remote disconnect. | ||
| + | ** So as a consumer, I have an interest in these devices both giving me the data I want, but not being imminently pwnable. | ||
| + | * Built-in tamper detection | ||
| + | * OTA firmware updates (Cell? Mesh?) | ||
| + | * Some models have an optical port? IR? | ||
| + | * Two variations: Modular and Integrated. | ||
| + | ** Modular: with or without AMI comms (AMI is Advanced Metering Infrastructure, but I'm not sure if this means ZigBee, 802.15.4, or something else?) | ||
| + | ** Integrated: With radio built-in (I assume radio != AMI comms?) | ||
Hash sent this link in discord, showing that the 'e' variants should have increased microcontroller specs: https://documents.dps.ny.gov/public/Common/ViewDoc.aspx?DocRefId=%7BBE3EBED1-4973-440D-A2BD-A28ED46F9FC1%7D | Hash sent this link in discord, showing that the 'e' variants should have increased microcontroller specs: https://documents.dps.ny.gov/public/Common/ViewDoc.aspx?DocRefId=%7BBE3EBED1-4973-440D-A2BD-A28ED46F9FC1%7D | ||
<br /> | <br /> | ||
| − | === Packet Captures === | + | ===Packet Captures=== |
{| class="wikitable" | {| class="wikitable" | ||
|+0x55 Captured packets from Meter 40DA952B, compared with reference | |+0x55 Captured packets from Meter 40DA952B, compared with reference | ||
Revision as of 03:21, 23 September 2024
ExecSum
My local utility company installed one of these doohickies on the house, and now I want to get realtime data from it after reading this article.
Device Info
The smart meter in question: Landis+Gyr FOCUS AXRe-SD FORM 2S CL200
Here is the official landing page for this family of products: https://www.landisgyr.com/product/focus-axe-axre-rxre-platform/
From this page I gather:
- The base product is called FOCUS AX. The AXe is a product refresh with better specs.
- Still no lead on the 'R' or '-SD' portions of AXRe-SD. I suspect 'R' is for reactive, as in it can meter reactive loads.
- Capable of remote disconnect.
- So as a consumer, I have an interest in these devices both giving me the data I want, but not being imminently pwnable.
- Built-in tamper detection
- OTA firmware updates (Cell? Mesh?)
- Some models have an optical port? IR?
- Two variations: Modular and Integrated.
- Modular: with or without AMI comms (AMI is Advanced Metering Infrastructure, but I'm not sure if this means ZigBee, 802.15.4, or something else?)
- Integrated: With radio built-in (I assume radio != AMI comms?)
Hash sent this link in discord, showing that the 'e' variants should have increased microcontroller specs: https://documents.dps.ny.gov/public/Common/ViewDoc.aspx?DocRefId=%7BBE3EBED1-4973-440D-A2BD-A28ED46F9FC1%7D
Packet Captures
| Pkt | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Not part of CRC calc | Data Packet | Trailing 6 Bytes | |||||||||||||||
| Start of
Frame |
Type | SubType | Length | Unknown | Unknown | WAN Address | Counter | Uptime | Unknown | LAN Address | Unknown | Unknown | Timing
(0.01 increments) |
Unknown | Checksum | Trailing | |
| Examples | |||||||||||||||||
| 1 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | 7C | 0003FB20 | A403 | 5021D005 | 0100 | 072001 | 1E56 | 7E00 | 9032 | 04 |
| 2 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | AE | 0003FB9E | A403 | 5021D005 | 0100 | 072001 | 0DA8 | 7E00 | 83E8 | 04 |
| 3 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE5021D00500 | B8 | 0003FBC1 | A403 | 5021D005 | 0100 | 072001 | 1B54 | 7E00 | 2924 | 04 |
| HVAC Running | |||||||||||||||||
| 6 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE40DA952B00 | 7E | 006D627B | A40B | 40DA952B | 0100 | 161505 | 147E | 7E00 | F2B5 | XX |
| HVAC Off | |||||||||||||||||
| 7 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE40DA952B00 | 3A | 006D6381 | A40B | 40DA952B | 0100 | 161505 | 052E | 7E00 | 0A80 | XX |
| Someone else's meter? | |||||||||||||||||
| 8 | 00FF | 2A | 55 | 0023 | 30 | FFFFFFFFFFFF | FE40DA235100 | 00 | 006D65A4 | A40B | 40DA2351 | 0100 | 161505 | 0B32 | 7E00 | 3FB7 | XX |
