Difference between revisions of "Landis+Gyr GridStream Protocol"

From RECESSIM, A Reverse Engineering Community
(→‎00FF 2A 55 Meter Data: Changed data tags based on discovery using IWR)
 
(31 intermediate revisions by 5 users not shown)
Line 7: Line 7:
  
 
====Sync and Header====
 
====Sync and Header====
----The sync word that the Landis+Gyr smart meters send is shown below, this can be used in GNU Radio or other tools to receive only packets transmitted by the meters. Note that at the start of the header we begin using start and stop bits. These must be stripped off of the rest of the data packet during processing.
+
----The Landis+Gyr Gridstream smart meters use a 52 bit sync shown below regardless of Gridstream version. This can be used in GNU Radio along with the header to uniquely identify packets. Note that at the start of the header we begin using start and stop bits. These must be stripped off of the rest of the data packet during processing.
 
{| class="wikitable"
 
{| class="wikitable"
|+Sync and Header
+
|+Sync 52 bits long
! colspan="6" |Sync
+
! colspan="7" |Sync
! colspan="3" |Header
 
 
|-
 
|-
 +
!0xAA
 
!0xAA
 
!0xAA
 
!0xAA
 
!0xAA
Line 19: Line 19:
 
!0xAA
 
!0xAA
 
!0xA
 
!0xA
!0x00
 
!0xFF
 
!0x2A
 
 
|-
 
|-
 +
|10101010
 
|10101010
 
|10101010
 
|10101010
 
|10101010
Line 29: Line 27:
 
|10101010
 
|10101010
 
|1010
 
|1010
 +
|}
 +
----Of particular note is the difference between versions 1-4 and version 5. In version 5 there are two bits [11] that do not respect the start/stop bit checks of the prior versions. The older protocol expects a 0 start bit, 8 data bits and a 1 stop bit. By violating two consecutive start bits the older versions of GridStream ignore version 5 even if they have the same CRC Adder! This appears to be a way to add backwards compatibility to newer versions of GridStream.
 +
{| class="wikitable"
 +
|+Header for Gridstream
 +
! colspan="2" |Header v1 - v4
 +
! rowspan="3" |
 +
! colspan="2" |Header v5
 +
|-
 +
!0x00
 +
!0xFF (10 bit)
 +
!0x00
 +
!0xFF (11 bit)
 +
|-
 
|0 '''00000000''' 1
 
|0 '''00000000''' 1
 
|0 '''11111111''' 1
 
|0 '''11111111''' 1
|0 '''00101010''' 1
+
|0 '''00000000''' 1
 +
|[11] '''11111111''' 1
 
|}
 
|}
Using GNU Radio it was found that shortening the Sync requirements a bit and incorporating part of the header leads to the cleanest data for further downstream processing. The modified sync shown in 8 bit chunks is shown below.
+
----Using GNU Radio it was found that shortening the Sync requirements a bit and incorporating part of the header leads to the cleanest data for further downstream processing. The modified sync in 8 bit chunks is shown below. These two sync's are both loaded into the '''PDU Align''' block and if either one is matched the full packet is passed downstream.
 
{| class="wikitable"
 
{| class="wikitable"
|+Sync Word used with GNURadio
+
|+Sync Word used with GNURadio for v4
 
!0xAA
 
!0xAA
 
!0xAA
 
!0xAA
 +
!0x00
 +
!0x5F
 +
!0xF
 +
|-
 +
|10101010
 +
|10101010
 +
|00000000
 +
|01011111
 +
|1111
 +
|}
 +
{| class="wikitable"
 +
|+Sync Word used with GNURadio for v5
 
!0xAA
 
!0xAA
 
!0xAA
 
!0xAA
!0xA0
+
!0x00
!0x05
+
!0x7F
!0xFF
+
!0x1F
 
|-
 
|-
 
|10101010
 
|10101010
 
|10101010
 
|10101010
|10101010
+
|00000000
|10101010
+
|01111111
|10100000
+
|11111
|00000101
 
|11111111
 
 
|}
 
|}
The final byte of the sync (0x2A) along with it's start and stop bits are discarded as part of the processing.
 
 
----<br />
 
----<br />
====Type, Length and Sub Type====
+
====Packet Types and Structures====
----So far only two types of packets have been observed, a 0x55 and a 0xD5 packet. Multiple lengths and SubTypes of these are listed below.
+
----Data is shown in Hexadecimal unless stated otherwise
 +
 
 +
So far only two types of packets have been observed, a 0x55 and a 0xD5 packet. Multiple lengths and SubTypes of these exist, a few are listed below.
 
{| class="wikitable"
 
{| class="wikitable"
 
|+
 
|+
 
!
 
!
 +
!Start of
 +
Frame
 
!Type
 
!Type
 +
!Sub Type
 +
!Sequence
 +
! colspan="2" |Packets Purpose
 +
|-
 +
!
 +
|00FF
 +
|00
 +
|81 or 85
 +
|1 Byte
 +
| colspan="2" |Report Power Usage (Device Control Word DCW)
 +
|-
 +
!
 +
|00FF
 +
|01
 +
|81 or 85
 +
|1 Byte
 +
| colspan="2" |Report Power Usage (Device Control Word DCW)
 +
|-
 +
!
 +
|00FF
 +
|02
 +
|81 or 85
 +
|1 Byte
 +
| colspan="2" |Report Power Usage (Device Control Word DCW)
 +
|-
 +
!
 +
|00FF
 +
|03
 +
|81 or 85
 +
|1 Byte
 +
| colspan="2" |Report Power Usage (Device Control Word DCW)
 +
|-
 +
!
 +
!Start of
 +
Frame
 +
!Type
 +
!Sub Type
 
!Length
 
!Length
!SubType
+
!Unknown
 
!Packets Purpose
 
!Packets Purpose
 
|-
 
|-
 
!1
 
!1
|0x55
+
|00FF
|0x0023
+
|2A
|0x30
+
|55
 +
|0023
 +
|30
 
|Report up-time and other unknown data
 
|Report up-time and other unknown data
 
|-
 
|-
 
!2
 
!2
|0x55
+
|00FF
|0x0028
+
|2A
|0x30
+
|D5
|
+
|0047
 +
|51
 +
|Includes Epoch and Uptime
 
|-
 
|-
 
!3
 
!3
|0xD5
+
|00FF
|0x0011
+
|2A
|0x21
+
|D5
|
+
|00FD
|-
+
|C0
!4
 
|0xD5
 
|0x0011
 
|0x22
 
|
 
|-
 
!5
 
|0xD5
 
|0x0011
 
|0x29
 
|
 
|-
 
!6
 
|0xD5
 
|0x0016
 
|0x21
 
|
 
|-
 
!8
 
|0xD5
 
|0x0016
 
|0x29
 
|
 
|-
 
!7
 
|0xD5
 
|0x0017
 
|0x21
 
|
 
|-
 
!9
 
|0xD5
 
|0x0017
 
|0x29
 
|
 
|-
 
!10
 
|0xD5
 
|0x001C
 
|0x21
 
|
 
|-
 
!11
 
|0xD5
 
|0x001C
 
|0x29
 
|
 
|-
 
!12
 
|0xD5
 
|0x001D
 
|0x29
 
|
 
|-
 
!13
 
|0xD5
 
|0x0047
 
|0x51
 
|
 
|-
 
!14
 
|0xD5
 
|0x00FD
 
|0xC0
 
 
|
 
|
 
|}
 
|}
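Review bot: The rewritten packet table now puts 2A under "Type" and 55/D5 under "Sub Type" (with 30/51/C0 moved to "Unknown"), and the new 00FF rows list Type values 00 to 03, but the sentence added above the table still says "only two types of packets have been observed, a 0x55 and a 0xD5 packet" and uses "SubTypes" in the old sense. Suggest rewording that sentence to the new column names, or stating which naming the prose follows, so the text and the table agree.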
Line 183: Line 185:
 
----
 
----
  
====0x55 Meter Data====
+
====00FF 2A 55 Meter Data====
 
The data below was captured from the same meter (F0EE36DB) and shows some of the values that can change with each transmission. Different meters have different fixed data and some of the data changes less frequently as well.
 
The data below was captured from the same meter (F0EE36DB) and shows some of the values that can change with each transmission. Different meters have different fixed data and some of the data changes less frequently as well.
 
{| class="wikitable"
 
{| class="wikitable"
Line 189: Line 191:
 
0x55 Captured packets from Meter F0EE36DB (Oncor)
 
0x55 Captured packets from Meter F0EE36DB (Oncor)
 
! rowspan="3" |Pkt
 
! rowspan="3" |Pkt
 +
!0
 
!1
 
!1
 
!2
 
!2
Line 205: Line 208:
 
!15
 
!15
 
!16
 
!16
!17
 
!18
 
 
|-
 
|-
! colspan="3" |Not part of CRC calc
+
! colspan="4" |Not part of CRC calc
! colspan="13" |Data
+
! colspan="9" |Data Packet
! colspan="2" |
+
! colspan="3" |Trailing 6 Bytes
 +
!
 
|-
 
|-
!Header
+
!Start of
 +
Frame
 
!Type
 
!Type
 +
!SubType
 
!Length
 
!Length
!SubType
 
!Unknown
 
!Unknown
 
 
!Unknown
 
!Unknown
 
!Unknown
 
!Unknown
 +
!WAN Address
 
!Counter
 
!Counter
 
!Uptime
 
!Uptime
 
!Unknown
 
!Unknown
!Meter ID
+
!LAN Address
 
!Unknown
 
!Unknown
 
!Unknown
 
!Unknown
 +
!Timing
 +
(0.01 increments)
 
!Unknown
 
!Unknown
!Unknown
+
!Checksum
!CRC
 
 
!Trailing
 
!Trailing
 
|-
 
|-
|1
+
!1
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''0C'''
 
|'''0C'''
 
|'''0001ECBF'''
 
|'''0001ECBF'''
Line 251: Line 253:
 
|04
 
|04
 
|-
 
|-
|2
+
!2
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''16'''
 
|'''16'''
 
|'''0001ECC6'''
 
|'''0001ECC6'''
Line 271: Line 272:
 
|04
 
|04
 
|-
 
|-
|3
+
!3
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''2A'''
 
|'''2A'''
 
|'''0001ED05'''
 
|'''0001ED05'''
Line 291: Line 291:
 
|04
 
|04
 
|-
 
|-
|4
+
!4
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''34'''
 
|'''34'''
 
|'''0001ED29'''
 
|'''0001ED29'''
Line 311: Line 310:
 
|04
 
|04
 
|-
 
|-
|5
+
!5
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''38'''
 
|'''38'''
 
|'''0001ED37'''
 
|'''0001ED37'''
Line 331: Line 329:
 
|04
 
|04
 
|-
 
|-
|6
+
!6
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''42'''
 
|'''42'''
 
|'''0001ED5C'''
 
|'''0001ED5C'''
Line 351: Line 348:
 
|04
 
|04
 
|-
 
|-
|7
+
!7
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''4C'''
 
|'''4C'''
 
|'''0001ED60'''
 
|'''0001ED60'''
Line 371: Line 367:
 
|04
 
|04
 
|-
 
|-
|8
+
!8
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''4E'''
 
|'''4E'''
 
|'''0001ED79'''
 
|'''0001ED79'''
Line 391: Line 386:
 
|04
 
|04
 
|-
 
|-
|9
+
!9
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''60'''
 
|'''60'''
 
|'''0001EDA6'''
 
|'''0001EDA6'''
Line 411: Line 405:
 
|04
 
|04
 
|-
 
|-
|10
+
!10
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|50
+
|50CF8DD9E2C0
|CF8DD9E2
 
|C0
 
 
|'''6A'''
 
|'''6A'''
 
|'''0001EDCD'''
 
|'''0001EDCD'''
Line 431: Line 424:
 
|04
 
|04
 
|}
 
|}
 +
[[File:55 Packet Timing Analysis.png|thumb|600x600px|Field 15 Timing Analysis  -Anonymous]]
 
Commentary on the data fields above, they have been grouped based on sample analysis but this could be wrong. If you see a new pattern not noticed before you may be correct.
 
Commentary on the data fields above, they have been grouped based on sample analysis but this could be wrong. If you see a new pattern not noticed before you may be correct.
  
 
*Field 5 - Never observed a packet with this length and subtype that wasn't all FF's
 
*Field 5 - Never observed a packet with this length and subtype that wasn't all FF's
  
*Field 6 - Have only seen this change when comparing data from different energy providers
+
*Field 6 - WAN Address - Oncor uses GPS coordinates, CoServ uses LAN with padding of some kind.  The open source [https://github.com/beroset/gpsdecode gpsdecode] library shows one way to translate between WAN Address and GPS coordinates.
  
*Field 7 - Appears to either be location identifier (Oncor) or duplicate meter ID (Coserv)
+
*Field 7 - Increments some amount with each transmission and rolls over at 0xFF, always an even hex value
  
*Field 9 - Increments some amount with each transmission and rolls over at 0xFF
+
*Field 8 - Value in seconds since meter powered on, '''easy way to see last time the meter experienced a power outage.'''
 +
*Field 10 - LAN Address, Meter ID that's listed on the sticker on the front
  
*Field 10 - Value in seconds since meter powered on, '''easy way to see last time the meter experienced a power outage.'''
+
'''** NEW **'''
 
 
*Field 15 - This value counts from near 0 to around 3FFF and rolls over, not sure what it is. Have not been able to correlate the counting value or speed vs time to any sort of power utilization.
 
  
 +
'''Field 13''' - Timing in hundredths of a second, counts from 0 to 167.99 (0x419F) seconds then rolls over to 0 again. Credit for this discovery goes to an anonymous reader who examined the dataset at the bottom of the page!!
 
{| class="wikitable"
 
{| class="wikitable"
 
|+0x55 Captured packets from Meter 5021D005 (Coserv)
 
|+0x55 Captured packets from Meter 5021D005 (Coserv)
 
! rowspan="3" |Pkt
 
! rowspan="3" |Pkt
 +
!0
 
!1
 
!1
 
!2
 
!2
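Review bot: The added thumbnail caption reads "Field 15 Timing Analysis", while the new commentary entry for the same counter is labelled "Field 13" and replaces the old "Field 15" bullet, so the image and the text now point at different field numbers. Suggest changing the caption to Field 13 (or noting that the plot uses the earlier numbering), and writing the Field 13 entry as a "*Field 13 - ..." bullet like the other fields instead of a separate paragraph under "** NEW **".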
Line 464: Line 459:
 
!15
 
!15
 
!16
 
!16
!17
 
!18
 
 
|-
 
|-
! colspan="3" |Not part of CRC calc
+
! colspan="4" |Not part of CRC calc
! colspan="13" |Data
+
! colspan="9" |Data Packet
! colspan="2" |
+
! colspan="3" |Trailing 6 Bytes
 +
!
 
|-
 
|-
!Header
+
!Start of
 +
Frame
 
!Type
 
!Type
 +
!SubType
 
!Length
 
!Length
!SubType
 
 
!Unknown
 
!Unknown
 
!Unknown
 
!Unknown
!Meter ID
+
!WAN Address
!Unknown
 
 
!Counter
 
!Counter
 
!Uptime
 
!Uptime
 
!Unknown
 
!Unknown
!Meter ID
+
!LAN Address
 
!Unknown
 
!Unknown
 
!Unknown
 
!Unknown
 +
!Timing
 +
(0.01 increments)
 
!Unknown
 
!Unknown
!Unknown
+
!Checksum
!CRC
 
 
!Trailing
 
!Trailing
 
|-
 
|-
|1
+
!1
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|7C
 
|7C
 
|'''0003FB20'''
 
|'''0003FB20'''
Line 510: Line 504:
 
|04
 
|04
 
|-
 
|-
|2
+
!2
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|AE
 
|AE
 
|'''0003FB9E'''
 
|'''0003FB9E'''
Line 530: Line 523:
 
|04
 
|04
 
|-
 
|-
|3
+
!3
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|B8
 
|B8
 
|'''0003FBC1'''
 
|'''0003FBC1'''
Line 550: Line 542:
 
|04
 
|04
 
|-
 
|-
|4
+
!4
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|C0
 
|C0
 
|'''0003FC30'''
 
|'''0003FC30'''
Line 570: Line 561:
 
|04
 
|04
 
|-
 
|-
|5
+
!5
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|EA
 
|EA
 
|'''0003FC9F'''
 
|'''0003FC9F'''
Line 590: Line 580:
 
|04
 
|04
 
|-
 
|-
! colspan="19" |Power restored after an outage
+
! colspan="18" |Power restored after an outage
 
|-
 
|-
|1
+
!6
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|06
 
|06
 
|'''0000000F'''
 
|'''0000000F'''
Line 612: Line 601:
 
|04
 
|04
 
|-
 
|-
|2
+
!7
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|0E
 
|0E
 
|'''0000000F'''
 
|'''0000000F'''
Line 632: Line 620:
 
|04
 
|04
 
|-
 
|-
|3
+
!8
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|20
 
|20
 
|'''00000011'''
 
|'''00000011'''
Line 652: Line 639:
 
|04
 
|04
 
|-
 
|-
|4
+
!9
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|2C
 
|2C
 
|'''00000013'''
 
|'''00000013'''
Line 672: Line 658:
 
|04
 
|04
 
|-
 
|-
|5
+
!10
|00FF2A
+
|00FF
 +
|2A
 
|55
 
|55
 
|0023
 
|0023
 
|30
 
|30
 
|FFFFFFFFFFFF
 
|FFFFFFFFFFFF
|FE
+
|FE5021D00500
|5021D005
 
|00
 
 
|54
 
|54
 
|'''00000017'''
 
|'''00000017'''
Line 694: Line 679:
 
----
 
----
  
====0xD5 Meter Data====
+
====00FF 2A D5 Meter Data====
There appear to be multiple packet lengths and styles for the 0xD5 packet. Some samples shown below.
+
There appear to be multiple packet lengths and styles for the 0xD5 packet. Some samples shown below, [https://wiki.recessim.com/w/images/9/9e/D5-Packets-Table-F03B9FFB.txt download as a txt file].
 
{| class="wikitable"
 
{| class="wikitable"
|+0xD5 Captured packet
+
|+0xD5 Captured packets
 
! rowspan="3" |Pkt
 
! rowspan="3" |Pkt
 
!1
 
!1
 +
!
 
!2
 
!2
 
!3
 
!3
Line 706: Line 692:
 
!6
 
!6
 
!7
 
!7
!8
+
! colspan="3" |8
!9
 
 
!10
 
!10
 +
!
 
!11
 
!11
!12
+
! colspan="2" |
 
|-
 
|-
! colspan="3" |Not part of CRC calc
+
! colspan="4" |Not part of CRC calc
! colspan="7" |Data
+
! colspan="9" |CRC'd Data
 +
!CRC
 
! colspan="2" |
 
! colspan="2" |
 
|-
 
|-
!Header
+
!Start of
 +
Frame
 
!Type
 
!Type
 +
!SubType
 
!Length
 
!Length
!SubType
 
!Meter ID #1
 
!Meter ID #2
 
!Unknown
 
!Unknown
 
 
!Unknown
 
!Unknown
 +
!DST Meter
 +
!SRC Meter
 +
!Packet
 +
Counter
 +
! colspan="3" |'''Payload'''
 +
!Timing
 +
(0.01 increments)
 
!Unknown
 
!Unknown
!CRC
+
!Checksum
!Trailing
+
! colspan="2" |Timestamp
 
|-
 
|-
 
|1
 
|1
|00FF2A
+
|<code>00FF</code>
|D5
+
|<code>2A</code>
|0016
+
|<code>D5</code>
 +
|<code>0011</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>AE</code>
 +
!
 +
|'''<code>98</code>'''
 +
!
 +
|<code>4014</code>
 +
|<code>1630</code>
 +
|<code>9B47</code>
 +
!
 +
|Mon Mar  1 08:43:20 2021
 +
|-
 +
|2
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0011</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>BA</code>
 +
!
 +
|'''<code>98</code>'''
 +
!
 +
|<code>04B5</code>
 +
|<code>1650</code>
 +
|<code>C505</code>
 +
!
 +
|Mon Mar  1 08:43:36 2021
 +
|-
 +
|3
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0011</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>CA</code>
 +
!
 +
|'''<code>98</code>'''
 +
!
 +
|<code>0844</code>
 +
|<code>1600</code>
 +
|<code>413C</code>
 +
!
 +
|Mon Mar  1 08:43:45 2021
 +
|-
 +
|4
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0016</code>
 +
|<code>21</code>
 +
|<code>F0653657</code>
 +
|<code>F03B9FFB</code>
 +
|<code>72</code>
 +
!
 +
|'''<code>8801001F3204</code>'''
 +
!
 +
|<code>2E24</code>
 +
|<code>1140</code>
 +
|<code>B6B1</code>
 +
!
 +
|Mon Mar  1 11:50:10 2021
 +
|-
 +
|5
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0016</code>
 +
|<code>21</code>
 +
|<code>F0EF3BCE</code>
 +
|<code>F03B9FFB</code>
 +
|<code>62</code>
 +
!
 +
|'''<code>8801001E3204</code>'''
 +
!
 +
|<code>2393</code>
 +
|<code>1730</code>
 +
|<code>6DA6</code>
 +
!
 +
|Mon Mar  1 12:45:43 2021
 +
|-
 +
|6
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0016</code>
 +
|<code>21</code>
 +
|<code>F1419ADD</code>
 +
|<code>F03B9FFB</code>
 +
|<code>7C</code>
 +
!
 +
|'''<code>9801001E3204</code>'''
 +
!
 +
|<code>332C</code>
 +
|<code>1780</code>
 +
|<code>BB3E</code>
 +
!
 +
|Mon Mar  1 12:46:23 2021
 +
|-
 +
|7
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0016</code>
 +
|<code>21</code>
 +
|<code>F07C5F0C</code>
 +
|<code>F03B9FFB</code>
 +
|<code>9A</code>
 +
!
 +
|'''<code>8801001E3204</code>'''
 +
!
 +
|<code>018C</code>
 +
|<code>1A80</code>
 +
|<code>4FCF</code>
 +
!
 +
|Mon Mar  1 12:47:04 2021
 +
|-
 +
|8
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0017</code>
 +
|<code>29</code>
 +
|<code>8073AB83</code>
 +
|<code>F03B9FFB</code>
 +
|<code>C2</code>
 +
!
 +
|'''<code>8801001E320404</code>'''
 +
!
 +
|<code>06BF</code>
 +
|<code>1390</code>
 +
|<code>0244</code>
 +
!
 +
|Mon Mar  1 18:17:41 2021
 +
|-
 +
|9
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0017</code>
 +
|<code>29</code>
 +
|<code>8073AB83</code>
 +
|<code>F03B9FFB</code>
 +
|<code>D2</code>
 +
!
 +
|'''<code>8801001E320404</code>'''
 +
!
 +
|<code>0BF4</code>
 +
|<code>1340</code>
 +
|<code>2AB3</code>
 +
!
 +
|Mon Mar  1 18:17:54 2021
 +
|-
 +
|10
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0017</code>
 +
|<code>29</code>
 +
|<code>8073AB83</code>
 +
|<code>F03B9FFB</code>
 +
|<code>E4</code>
 +
!
 +
|'''<code>8801001E320404</code>'''
 +
!
 +
|<code>11FF</code>
 +
|<code>1330</code>
 +
|<code>8517</code>
 +
!
 +
|Mon Mar  1 18:18:10 2021
 +
|-
 +
|11
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>0017</code>
 +
|<code>29</code>
 +
|<code>8073AB83</code>
 +
|<code>F03B9FFB</code>
 +
|<code>EA</code>
 +
!
 +
|'''<code>8801001E320404</code>'''
 +
!
 +
|<code>1271</code>
 +
|<code>1340</code>
 +
|<code>5091</code>
 +
!
 +
|Mon Mar  1 18:18:11 2021
 +
|-
 +
|12
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>A1</code>
 +
!
 +
|'''<code>9001001E320406009950D1CA</code>'''
 +
!
 +
|<code>097E</code>
 +
|<code>1620</code>
 +
|<code>46B7</code>
 +
!
 +
|Mon Mar  1 09:39:48 2021
 +
|-
 +
|13
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F05C3966</code>
 +
|<code>F03B9FFB</code>
 +
|<code>1D</code>
 +
!
 +
|'''<code>9001001E320406009D50D515</code>'''
 +
!
 +
|<code>158D</code>
 +
|<code>2220</code>
 +
|<code>18A3</code>
 +
!
 +
|Mon Mar  1 12:59:07 2021
 +
|-
 +
|14
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>69</code>
 +
!
 +
|'''<code>9001001F6C0406009F50B910</code>'''
 +
!
 +
|<code>2957</code>
 +
|<code>1670</code>
 +
|<code>207F</code>
 +
!
 +
|Mon Mar  1 15:14:22 2021
 +
|-
 +
|15
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>17</code>
 +
!
 +
|'''<code>900100246C0406007A50A501</code>'''
 +
!
 +
|<code>3FF3</code>
 +
|<code>1680</code>
 +
|<code>5591</code>
 +
!
 +
|Mon Mar  1 16:08:32 2021
 +
|-
 +
|16
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>C7</code>
 +
!
 +
|'''<code>9001001F6C04060091500F11</code>'''
 +
!
 +
|<code>0072</code>
 +
|<code>1690</code>
 +
|<code>1F05</code>
 +
!
 +
|Mon Mar  1 16:14:13 2021
 +
|-
 +
|17
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>73</code>
 +
!
 +
|'''<code>900100236C0406007D5014A3</code>'''
 +
!
 +
|<code>0797</code>
 +
|<code>1620</code>
 +
|<code>D48F</code>
 +
!
 +
|Mon Mar  1 16:28:31 2021
 +
|-
 +
|18
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F0FBBC6F</code>
 +
|<code>F03B9FFB</code>
 +
|<code>4D</code>
 +
!
 +
|'''<code>9101001F6C04060091504CAD</code>'''
 +
!
 +
|<code>133C</code>
 +
|<code>1D40</code>
 +
|<code>2347</code>
 +
!
 +
|Mon Mar  1 22:13:25 2021
 +
|-
 +
|19
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>B9</code>
 +
!
 +
|'''<code>90010022320406009E500632</code>'''
 +
!
 +
|<code>03F5</code>
 +
|<code>1730</code>
 +
|<code>FE1B</code>
 +
!
 +
|Mon Mar  1 23:14:22 2021
 +
|-
 +
|20
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001C</code>
 +
|<code>29</code>
 +
|<code>F0BCD31D</code>
 +
|<code>F03B9FFB</code>
 +
|<code>E7</code>
 +
!
 +
|'''<code>900100256C0506009B50D2A7</code>'''
 +
!
 +
|<code>1E0E</code>
 +
|<code>3F60</code>
 +
|<code>13BE</code>
 +
!
 +
|Tue  Mar  2 00:56:17 2021
 +
|-
 
|21
 
|21
|F05FCB84
+
|<code>00FF</code>
|F0FC4DB1
+
|<code>2A</code>
|E288
+
|<code>D5</code>
|0100
+
|<code>001C</code>
|273205
+
|<code>29</code>
|00781930
+
|<code>F0BCD31D</code>
|CB72
+
|<code>F03B9FFB</code>
|00
+
|<code>E5</code>
 +
!
 +
|'''<code>900100256C0506009850C186</code>'''
 +
!
 +
|<code>181F</code>
 +
|<code>3F90</code>
 +
|<code>305B</code>
 +
!
 +
|Tue  Mar  2 01:21:14 2021
 +
|-
 +
|22
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001D</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>B7</code>
 +
!
 +
|'''<code>9008009150FA0E012ABA0E81B8</code>'''
 +
!
 +
|<code>0F15</code>
 +
|<code>1630</code>
 +
|<code>8383</code>
 +
!
 +
|Mon Mar  1 13:21:15 2021
 +
|-
 +
|23
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001D</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>27</code>
 +
!
 +
|'''<code>900800A350815D012A17698128</code>'''
 +
!
 +
|<code>16DE</code>
 +
|<code>1680</code>
 +
|<code>0D58</code>
 +
!
 +
|Mon Mar  1 19:14:23 2021
 +
|-
 +
|24
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001D</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>2B</code>
 +
!
 +
|'''<code>900800A350815D0129DCBE812C</code>'''
 +
!
 +
|<code>172A</code>
 +
|<code>1610</code>
 +
|<code>E799</code>
 +
!
 +
|Mon Mar  1 19:14:23 2021
 +
|-
 +
|25
 +
|<code>00FF</code>
 +
|<code>2A</code>
 +
|<code>D5</code>
 +
|<code>001D</code>
 +
|<code>29</code>
 +
|<code>F0611C3E</code>
 +
|<code>F03B9FFB</code>
 +
|<code>51</code>
 +
!
 +
|'''<code>91080091504CAD0129BD448152</code>'''
 +
!
 +
|<code>1350</code>
 +
|<code>1740</code>
 +
|<code>8FAD</code>
 +
!
 +
|Mon Mar  1 22:13:25 2021
 
|}
 
|}
 
+
<br />
 
{| class="wikitable"
 
{| class="wikitable"
 
|+0xD5 Packets where actual time along with uptime is observed
 
|+0xD5 Packets where actual time along with uptime is observed
 
! rowspan="3" |Pkt
 
! rowspan="3" |Pkt
 
!1
 
!1
 +
!
 
!2
 
!2
 
!3
 
!3
Line 762: Line 1,190:
 
!14
 
!14
 
!15
 
!15
 +
!
 +
!
 
!16
 
!16
 
!17
 
!17
!18
 
 
|-
 
|-
! colspan="3" |Not part of CRC calc
+
! colspan="4" |Not part of CRC calc
! colspan="13" |Data (Oncor Meter)
+
! colspan="12" |Data Packet (Oncor Meter)
! colspan="2" |
+
! colspan="3" |Trailing 6 Bytes
 +
!
 
|-
 
|-
!Header
+
!Start of
 +
Frame
 
!Type
 
!Type
 +
!SubType
 
!Length
 
!Length
!SubType
+
!Unknown
 
!Meter ID1
 
!Meter ID1
 
!Meter ID2
 
!Meter ID2
Line 783: Line 1,215:
 
!Unknown
 
!Unknown
 
!Unknown
 
!Unknown
!OptionalID
+
!WAN Address
 
Meter ID2
 
Meter ID2
!
 
 
!Meter ID2
 
!Meter ID2
 
!Unknown Data
 
!Unknown Data
!CRC
+
!Timing
 +
(0.01 increments)
 +
!Unknown
 +
!Checksum
 
!Trailing
 
!Trailing
 
|-
 
|-
|1
+
!1
|00FF2A
+
|00FF
 +
|2A
 
|D5
 
|D5
 
|0047
 
|0047
Line 803: Line 1,238:
 
|0006C31A
 
|0006C31A
 
|A483
 
|A483
|010150
+
|0101
|CFB5D9E4
+
|50CFB5D9E400
|00
 
 
|F03B9FFB
 
|F03B9FFB
|000103240602030705070704000000 04C2 C000 204C 0401 FA 2030208180 2163 1900
+
|000103240602030705070704000000 04C2 C000 204C 0401 FA 2030208180
 +
|2163
 +
|1900
 
|75F3
 
|75F3
 
|00
 
|00
 
|-
 
|-
|2
+
!2
|00FF2A
+
|00FF
 +
|2A
 
|D5
 
|D5
 
|0047
 
|0047
Line 823: Line 1,260:
 
|0006C4DB
 
|0006C4DB
 
|A483
 
|A483
|010150
+
|0101
|CFB5D9E4
+
|50CFB5D9E400
|00
 
 
|F03B9FFB
 
|F03B9FFB
|000103240602030705070704000000 0718 6800 204C 0401 FA 2030208180 0BF7 1D30
+
|000103240602030705070704000000 0718 6800 204C 0401 FA 2030208180
 +
|0BF7
 +
|1D30
 
|CDB4
 
|CDB4
 
|00
 
|00
 
|-
 
|-
|3
+
!3
|00FF2A
+
|00FF
 +
|2A
 
|D5
 
|D5
 
|0047
 
|0047
Line 843: Line 1,282:
 
|00099AE5
 
|00099AE5
 
|A483
 
|A483
|010150
+
|0101
|CFB5D9E4
+
|50CFB5D9E400
|00
 
 
|F03B9FFB
 
|F03B9FFB
|000103240602020705070805000000 02A3 C800 1E6C 0401 D9 2030208180 226A 1A10
+
|000103240602020705070805000000 02A3 C800 1E6C 0401 D9 2030208180
 +
|226A
 +
|1A10
 
|7330
 
|7330
 
|00
 
|00
 
|-
 
|-
! colspan="18" |Data (CoServ Meter)
+
! colspan="5" |
!
+
! colspan="14" |Payload (CoServ Meter)
 +
! colspan="2" |
 
|-
 
|-
|4
+
!4
|00FF2A
+
|00FF
 +
|2A
 
|D5
 
|D5
 
|0047
 
|0047
Line 866: Line 1,308:
 
|000D10ED
 
|000D10ED
 
|A403
 
|A403
|0101FE
+
|0101
|5021D005
+
|FE5021D00500
|00
 
 
|5021D005
 
|5021D005
|000103200000000000000000000000 02C3 0800 0E20 0200 E3 20301F8180 22F0 1C40
+
|000103200000000000000000000000 02C3 0800 0E20 0200 E3 20301F8180
 +
|22F0
 +
|1C40
 
|4FEB
 
|4FEB
 
|00
 
|00
 
|-
 
|-
|5
+
!5
|00FF2A
+
|00FF
 +
|2A
 
|D5
 
|D5
 
|0047
 
|0047
Line 886: Line 1,330:
 
|000D1138
 
|000D1138
 
|A403
 
|A403
|0101FE
+
|0101
|5021D005
+
|FE5021D00500
|00
 
 
|5021D005
 
|5021D005
|000103200000000000000000000000 0BA0 9000 0E20 0200 E3 20301F8180 4076 1150
+
|000103200000000000000000000000 0BA0 9000 0E20 0200 E3 20301F8180
 +
|4076
 +
|1150
 
|73A7
 
|73A7
 
|00
 
|00
 
|-
 
|-
|6
+
!6
|00FF2A
+
|00FF
 +
|2A
 
|D5
 
|D5
 
|0047
 
|0047
Line 906: Line 1,352:
 
|000D116F
 
|000D116F
 
|A403
 
|A403
|0101FE
+
|0101
|5021D005
+
|FE5021D00500
|00
 
 
|5021D005
 
|5021D005
|000103200000000000000000000000 01D8 A800 0E20 0200 E3 20301F8180 1412 2E40
+
|000103200000000000000000000000 01D8 A800 0E20 0200 E3 20301F8180
 +
|1412
 +
|2E40
 
|ADC1
 
|ADC1
 
|00
 
|00
Line 928: Line 1,375:
 
<code>00FF2A D5 0021 22 F05A1A60 8073CE7D D8010100106C020520301D81800A99CF055F3ADD1410 A560 04</code>
 
<code>00FF2A D5 0021 22 F05A1A60 8073CE7D D8010100106C020520301D81800A99CF055F3ADD1410 A560 04</code>
  
<code>00FF2A D5 0047 51 F05A4BCC F03D4CD7 5A6032F37F0001DA2E00022BE9 A483 010150D075D9E2E0 F03D4CD7</code> <code>000103240403030806080801000000036EE8001F6C0401E9203020818018C22930 9294 00</code>
+
<code>00FF2A D5 0047 51 F05A4BCC F03D4CD7 5A 6032F37F 0001DA2E 00022BE9 A483 0101 50D075D9E2E0 F03D4CD7</code> <code>000103240403030806080801000000036EE8001F6C0401E9203020818018C22930 9294 00</code>
 
<references />
 
<references />
  
 
===Data captures===
 
===Data captures===
[https://wiki.recessim.com/w/images/d/d3/F03B9FFB.txt Oncor Meter - F03B9FFB - 48 hours capture]
+
'''''*Note: This file does not contain the trailing bytes shown in the captures above, it stops at the 16 bit Checksum.'''''
{| class="wikitable"
+
 
|+Data Requests from SmartMeterTexas (F03B9FFB)
+
====Dallas====
!Date
+
[https://wiki.recessim.com/w/images/9/9b/Oncor_Capture_01-07-2023_30hrs.zip Oncor Capture 01-07-2023 30hrs (CONTAINS NEW PACKETS)]
!Time
+
 
!Meter Read
+
====Austin====
!On Demand Energy Usage
+
[[:File:Austin energy.txt|Austin energy (Two Meters)]]
|-
+
 
|03/01/2021
+
90C3717A is PV
|14:31:08
+
 
|37641.426
+
90C1FD1A is Net meter
|79.415
+
 
|-
+
===GPS Tagged Wardrive Files===
|03/01/2021
+
Format will likely change for the files as more is learned, currently the format is:
|16:44:40
+
Meter_ID, Uptime(seconds), Uptime(days), GPS_Data($GPGGA)
|37648.598
+
[https://wiki.recessim.com/w/images/a/a6/Wardrive-NTX_to_Highland-Park-03-09-2021.csv Wardrive-NTX_to_Highland-Park-03-09-2021.csv]
|37.441
+
 
|-
+
[https://wiki.recessim.com/w/images/2/2b/Dallas-Wardrive-GPS_uptime.zip KML File] used in YouTube [https://youtu.be/Y_sh605Q7oA GPS Decoding video]
|03/01/2021
+
 
|22:14:01
+
===Capture files from various regions===
|37658.906
+
[https://wiki.recessim.com/w/images/7/76/RAW_Capture_NJ.txt.txt Raw capture from New Jersey]<br />[https://wiki.recessim.com/w/images/8/85/Seattle-WA-SCL.txt Raw capture for Seattle City Light (SCL) from Seattle, Washington, USA]
|47.749
+
 
|-
+
<br />
|03/02/2021
 
|21:17:07
 
|37705.09
 
|44.071
 
|-
 
|03/02/2021
 
|21:22:58
 
|37705.234
 
|44.215
 
|}
 
This table lists Real-time data requests from [https://www.smartmetertexas.com/home SmartMeterTexas.com] which allows customers to request current meter readings. You will see 0xD5 packets in the data file closely linked to the times above. When the request is made on the website the meter generally responds within 10-15 seconds meaning the system can send a message to the mesh network, traverse across the meters and return fairly quickly.
 

Latest revision as of 14:08, 3 April 2023


Protocol Analysis

Analysis and decoding of the packets used on the Landis+Gyr GridStream mesh network.

Packet Structure

Sync and Header


The Landis+Gyr GridStream smart meters use the 52-bit sync shown below regardless of GridStream version. This can be used in GNU Radio along with the header to uniquely identify packets. Note that start and stop bits are used from the start of the header onward. These must be stripped off of the rest of the data packet during processing.

Sync 52 bits long
Sync
0xAA 0xAA 0xAA 0xAA 0xAA 0xAA 0xA
10101010 10101010 10101010 10101010 10101010 10101010 1010

Of particular note is the difference between versions 1-4 and version 5. In version 5 there are two bits [11] that do not respect the start/stop bit checks of the prior versions. The older protocol expects a 0 start bit, 8 data bits and a 1 stop bit. Because version 5 violates the start bit check with these two consecutive bits, the older versions of GridStream ignore version 5 even if they have the same CRC Adder! This appears to be a way to add backwards compatibility to newer versions of GridStream.

Header for Gridstream
Version | 0x00 | 0xFF
Header v1 - v4 | 0 00000000 1 | 0 11111111 1 (10 bit)
Header v5 | 0 00000000 1 | [11] 11111111 1 (11 bit)

Using GNU Radio, it was found that shortening the sync requirement a bit and incorporating part of the header leads to the cleanest data for further downstream processing. The modified sync in 8 bit chunks is shown below. Both of these syncs are loaded into the PDU Align block, and if either one is matched the full packet is passed downstream.

Sync Word used with GNURadio for v4
0xAA 0xAA 0x00 0x5F 0xF
10101010 10101010 00000000 01011111 1111
Sync Word used with GNURadio for v5
0xAA 0xAA 0x00 0x7F 0x1F
10101010 10101010 00000000 01111111 11111
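
An added example (not code from the original page or the RECESSIM project) that rebuilds the two GNU Radio sync words from the framing rules above and shows where a v1-v4 style deframer stops on a v5 header. The function names and the MSB-first ordering of the 8 data bits are assumptions; the header bytes 0x00 and 0xFF read the same in either order.

```python
SYNC_TAIL = "1010101010101010"   # last 16 bits of the 52-bit sync (0xAA 0xAA)

def frame_byte(value):
    """Wrap one byte as start bit 0, 8 data bits, stop bit 1 (v1-v4 framing)."""
    return "0" + format(value, "08b") + "1"

def header_bits(version):
    """Framed 0x00 0xFF header; v5 puts the two [11] bits where the start bit was."""
    if version >= 5:
        return frame_byte(0x00) + "11" + format(0xFF, "08b") + "1"
    return frame_byte(0x00) + frame_byte(0xFF)

def deframe_v4(bits):
    """Strip start/stop bits the way a v1-v4 receiver expects them.

    Returns (decoded_bytes, bit_offset_of_first_framing_error or None).
    """
    out = []
    for pos in range(0, len(bits) - 9, 10):
        frame = bits[pos:pos + 10]
        if frame[0] != "0" or frame[9] != "1":
            return out, pos          # start or stop bit check failed
        out.append(int(frame[1:9], 2))
    return out, None

def chunks8(bits):
    """Format a bit string in 8-bit chunks, as the tables on this page do."""
    return " ".join(bits[i:i + 8] for i in range(0, len(bits), 8))

if __name__ == "__main__":
    for version in (4, 5):
        print("v%d sync word:" % version, chunks8(SYNC_TAIL + header_bits(version)))
        print("v%d header through a v1-v4 deframer:" % version,
              deframe_v4(header_bits(version)))
```
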


Packet Types and Structures


Data is shown in Hexadecimal unless stated otherwise

So far only two types of packets have been observed, a 0x55 and a 0xD5 packet. Multiple lengths and SubTypes of these exist, a few are listed below.

Start of Frame, Type, Sub Type, Sequence, Packets Purpose
00FF 00 81 or 85 1 Byte Report Power Usage (Device Control Word DCW)
00FF 01 81 or 85 1 Byte Report Power Usage (Device Control Word DCW)
00FF 02 81 or 85 1 Byte Report Power Usage (Device Control Word DCW)
00FF 03 81 or 85 1 Byte Report Power Usage (Device Control Word DCW)
Start of Frame, Type, Sub Type, Length, Unknown, Packets Purpose
1 00FF 2A 55 0023 30 Report up-time and other unknown data
2 00FF 2A D5 0047 51 Includes Epoch and Uptime
3 00FF 2A D5 00FD C0




Data


Data varies per packet type, but a common theme is that the 0x55 packets appear to be broadcasts from the meters with only their own ID. 0xD5 packets usually contain two IDs and appear to be how data is routed across the network. Sometimes one of the meter IDs in a 0xD5 packet is FFFFFFFF, which may be a broadcast packet. This was observed when packets were sent that appear to be updating the system time of the meters.



Checksum


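The C++ source code below is used to calculate the CRC. Different energy providers use a different initial CRC value. We assume this is to segment traffic; it is unclear whether Routers/Collectors are shared by different providers to return traffic.

#include <cstddef>
#include <cstdint>
#include <vector>

// CRC-16 with hard coded Poly 0x1021, processed MSB first with no final XOR.
// The caller passes the provider-specific initial value in crc:
//   CoServ CRC = 0x45F8
//   Oncor CRC = 0x5FD6
uint16_t Landis_crc16 (uint16_t crc, const std::vector<uint8_t> &data, size_t size) {
    size_t i = 0;                                    // index of the next byte
    while (size-- && i < data.size()) {              // never read past the vector
        crc ^= static_cast<uint16_t>(data[i] << 8);  // fold the byte into the high half
        i++;
        for (unsigned k = 0; k < 8; k++)             // shift out 8 bits, applying the poly
            crc = crc & 0x8000 ? (crc << 1) ^ 0x1021 : crc << 1;
    }
    return crc;
}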
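
An added example (not the page's or the project's code) that ports the routine above to Python to show how the provider-specific initial value segments traffic: a checksum produced with one provider's value is rejected under the other. The sample body is constructed, the helper names are assumptions, and nothing is assumed here about which bytes of a real frame feed the CRC.

```python
PROVIDER_INIT = {"CoServ": 0x45F8, "Oncor": 0x5FD6}   # initial values listed on the page

def landis_crc16(crc, data):
    """Bitwise CRC-16, polynomial 0x1021, MSB first, no final XOR."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF            # keep the register at 16 bits
    return crc

def accepts(provider, body, checksum):
    """True if a receiver using this provider's initial value would accept the frame."""
    return landis_crc16(PROVIDER_INIT[provider], body) == checksum

def identify_provider(body, checksum):
    """Return every known provider whose initial value reproduces the checksum."""
    return [name for name in PROVIDER_INIT if accepts(name, body, checksum)]

# Constructed body bytes, not a capture from the page.
SAMPLE_BODY = bytes.fromhex("30FFFFFFFFFFFF0102030405060C00000001")

if __name__ == "__main__":
    checksum = landis_crc16(PROVIDER_INIT["Oncor"], SAMPLE_BODY)
    print("checksum with the Oncor initial value: %04X" % checksum)
    for name in PROVIDER_INIT:
        print(name, "accepts the frame:", accepts(name, SAMPLE_BODY, checksum))
    print("matching providers:", identify_provider(SAMPLE_BODY, checksum))
```
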

Captured Meter Data

There have been two packet types observed thus far, a 0x55 and a 0xD5 packet.

  • 0x55 packets appear to be broadcasts from the meters and happen frequently. They have been observed multiple times per minute from a single meter.
  • 0xD5 appears to be a packet for transporting data across the mesh network. Each D5 packet will contain two meter IDs, Meter ID #1 and Meter ID #2. Many 0xD5 packet lengths and types have been observed; some are shown below.

00FF 2A 55 Meter Data

The data below was captured from the same meter (F0EE36DB) and shows some of the values that can change with each transmission. Different meters have different fixed data and some of the data changes less frequently as well.

0x55 Captured packets from Meter F0EE36DB (Oncor)
Columns (Pkt, then field number and name): 0 Start of Frame, 1 Type, 2 SubType, 3 Length, 4 Unknown, 5 Unknown, 6 WAN Address, 7 Counter, 8 Uptime, 9 Unknown, 10 LAN Address, 11 Unknown, 12 Unknown, 13 Timing (0.01 increments), 14 Unknown, 15 Checksum, 16 Trailing
Column groups: Not part of CRC calc, Data Packet, Trailing 6 Bytes
1 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 0C 0001ECBF A483 F0EE36DB 0100 213204 384F 7E80 0896 04
2 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 16 0001ECC6 A483 F0EE36DB 0100 213204 3AC5 7E80 F47E 04
3 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 2A 0001ED05 A483 F0EE36DB 0100 213204 1207 7E80 A412 04
4 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 34 0001ED29 A483 F0EE36DB 0100 213204 1FF9 7E80 D9C4 04
5 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 38 0001ED37 A483 F0EE36DB 0100 213204 2571 7E80 963C 04
6 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 42 0001ED5C A483 F0EE36DB 0100 213204 33A9 7E80 8384 04
7 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 4C 0001ED60 A483 F0EE36DB 0100 213204 354D 7E80 2CB6 04
8 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 4E 0001ED79 A483 F0EE36DB 0100 213204 3F25 7E80 871A 04
9 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 60 0001EDA6 A483 F0EE36DB 0100 213204 0F05 7E80 25C9 04
10 00FF 2A 55 0023 30 FFFFFFFFFFFF 50CF8DD9E2C0 6A 0001EDCD A483 F0EE36DB 0100 213204 1E55 7E80 F33F 04
Field 15 Timing Analysis -Anonymous

Commentary on the data fields above: they have been grouped based on sample analysis, but this could be wrong. If you see a new pattern not noticed before, you may be correct.

  • Field 5 - Never observed a packet with this length and subtype that wasn't all FF's
  • Field 6 - WAN Address - Oncor uses GPS coordinates, CoServ uses LAN with padding of some kind. The open source gpsdecode library shows one way to translate between WAN Address and GPS coordinates.
  • Field 7 - Increments some amount with each transmission and rolls over at 0xFF, always an even hex value
  • Field 8 - Value in seconds since meter powered on, easy way to see last time the meter experienced a power outage.
  • Field 10 - LAN Address, Meter ID that's listed on the sticker on the front

** NEW **

Field 13 - Timing in hundredths of a second, counts from 0 to 167.99 (0x419F) seconds then rolls over to 0 again. Credit for this discovery goes to an anonymous reader who examined the dataset at the bottom of the page!!

0x55 Captured packets from Meter 5021D005 (Coserv)
Columns (Pkt, then field number and name): 0 Start of Frame, 1 Type, 2 SubType, 3 Length, 4 Unknown, 5 Unknown, 6 WAN Address, 7 Counter, 8 Uptime, 9 Unknown, 10 LAN Address, 11 Unknown, 12 Unknown, 13 Timing (0.01 increments), 14 Unknown, 15 Checksum, 16 Trailing
Column groups: Not part of CRC calc, Data Packet, Trailing 6 Bytes
1 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 7C 0003FB20 A403 5021D005 0100 072001 1E56 7E00 9032 04
2 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 AE 0003FB9E A403 5021D005 0100 072001 0DA8 7E00 83E8 04
3 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 B8 0003FBC1 A403 5021D005 0100 072001 1B54 7E00 2924 04
4 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 C0 0003FC30 A403 5021D005 0100 072001 052E 7E00 09FC 04
5 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 EA 0003FC9F A403 5021D005 0100 072001 3062 7E00 C69A 04
Power restored after an outage
6 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 06 0000000F A403 5021D005 01EA 6000FE 26DA 7E30 90CE 04
7 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 0E 0000000F A403 5021D005 01EA 6000FE 26EF 7E10 2740 04
8 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 20 00000011 A403 5021D005 01EA 6000FE 2801 7E90 8B23 04
9 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 2C 00000013 A403 5021D005 01EA 6000FE 2883 7E60 1A1A 04
10 00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 54 00000017 A403 5021D005 01EA 6000FE 2A72 7E80 E3CD 04
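
An added example (not from the original page or the project) that splits four of the CoServ rows above into the fields listed in the table, checks the Length field, and reports when Uptime goes backwards, as it does at the power restoration. Field names, function names and big-endian decoding are assumptions based on how the values are printed in the table.

```python
# (name, size in bytes) for fields 0-16 of the 00FF 2A 55 / 0023 packet
FIELDS = [("start", 2), ("type", 1), ("subtype", 1), ("length", 2), ("unk4", 1),
          ("unk5", 6), ("wan", 6), ("counter", 1), ("uptime", 4), ("unk9", 2),
          ("lan", 4), ("unk11", 2), ("unk12", 3), ("timing", 2), ("unk14", 2),
          ("checksum", 2), ("trailing", 1)]

# Rows 4-7 of the CoServ table on this page (meter 5021D005).
ROWS = [
    "00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 C0 0003FC30 A403 5021D005 0100 072001 052E 7E00 09FC 04",
    "00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 EA 0003FC9F A403 5021D005 0100 072001 3062 7E00 C69A 04",
    "00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 06 0000000F A403 5021D005 01EA 6000FE 26DA 7E30 90CE 04",
    "00FF 2A 55 0023 30 FFFFFFFFFFFF FE5021D00500 0E 0000000F A403 5021D005 01EA 6000FE 26EF 7E10 2740 04",
]

def parse_55(row):
    """Decode one table row into the fields the page has identified."""
    raw = bytes.fromhex(row.replace(" ", ""))
    if len(raw) != sum(size for _, size in FIELDS) or raw[:4] != bytes.fromhex("00FF2A55"):
        raise ValueError("not a 00FF 2A 55 packet of this layout")
    pkt, pos = {}, 0
    for name, size in FIELDS:
        pkt[name] = raw[pos:pos + size]
        pos += size
    # In the rows on this page, Length counts the bytes after the Length field
    # through the Checksum (0x23 = 35), excluding the trailing byte.
    if int.from_bytes(pkt["length"], "big") != len(raw) - 6 - 1:
        raise ValueError("length field mismatch")
    return {"lan": pkt["lan"].hex().upper(),
            "counter": pkt["counter"][0],
            "uptime_s": int.from_bytes(pkt["uptime"], "big"),
            "timing_s": int.from_bytes(pkt["timing"], "big") / 100}

def find_restarts(rows):
    """Return (lan, previous_uptime, new_uptime) each time a meter's uptime drops."""
    last, events = {}, []
    for p in map(parse_55, rows):
        prev = last.get(p["lan"])
        if prev is not None and p["uptime_s"] < prev:
            events.append((p["lan"], prev, p["uptime_s"]))
        last[p["lan"]] = p["uptime_s"]
    return events

if __name__ == "__main__":
    for row in ROWS:
        print(parse_55(row))
    print("restarts:", find_restarts(ROWS))
```
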

00FF 2A D5 Meter Data

There appear to be multiple packet lengths and styles for the 0xD5 packet. Some samples are shown below; download as a txt file.

0xD5 Captured packets
Pkt 1 2 3 4 5 6 7 8 10 11
Not part of CRC calc CRC'd Data CRC
Start of Frame, Type, SubType, Length, Unknown, DST Meter, SRC Meter, Packet Counter, Payload, Timing (0.01 increments), Unknown, Checksum, Timestamp
1 00FF 2A D5 0011 29 F0611C3E F03B9FFB AE 98 4014 1630 9B47 Mon Mar  1 08:43:20 2021
2 00FF 2A D5 0011 29 F0611C3E F03B9FFB BA 98 04B5 1650 C505 Mon Mar  1 08:43:36 2021
3 00FF 2A D5 0011 29 F0611C3E F03B9FFB CA 98 0844 1600 413C Mon Mar  1 08:43:45 2021
4 00FF 2A D5 0016 21 F0653657 F03B9FFB 72 8801001F3204 2E24 1140 B6B1 Mon Mar  1 11:50:10 2021
5 00FF 2A D5 0016 21 F0EF3BCE F03B9FFB 62 8801001E3204 2393 1730 6DA6 Mon Mar  1 12:45:43 2021
6 00FF 2A D5 0016 21 F1419ADD F03B9FFB 7C 9801001E3204 332C 1780 BB3E Mon Mar  1 12:46:23 2021
7 00FF 2A D5 0016 21 F07C5F0C F03B9FFB 9A 8801001E3204 018C 1A80 4FCF Mon Mar  1 12:47:04 2021
8 00FF 2A D5 0017 29 8073AB83 F03B9FFB C2 8801001E320404 06BF 1390 0244 Mon Mar  1 18:17:41 2021
9 00FF 2A D5 0017 29 8073AB83 F03B9FFB D2 8801001E320404 0BF4 1340 2AB3 Mon Mar  1 18:17:54 2021
10 00FF 2A D5 0017 29 8073AB83 F03B9FFB E4 8801001E320404 11FF 1330 8517 Mon Mar  1 18:18:10 2021
11 00FF 2A D5 0017 29 8073AB83 F03B9FFB EA 8801001E320404 1271 1340 5091 Mon Mar  1 18:18:11 2021
12 00FF 2A D5 001C 29 F0611C3E F03B9FFB A1 9001001E320406009950D1CA 097E 1620 46B7 Mon Mar  1 09:39:48 2021
13 00FF 2A D5 001C 29 F05C3966 F03B9FFB 1D 9001001E320406009D50D515 158D 2220 18A3 Mon Mar  1 12:59:07 2021
14 00FF 2A D5 001C 29 F0611C3E F03B9FFB 69 9001001F6C0406009F50B910 2957 1670 207F Mon Mar  1 15:14:22 2021
15 00FF 2A D5 001C 29 F0611C3E F03B9FFB 17 900100246C0406007A50A501 3FF3 1680 5591 Mon Mar  1 16:08:32 2021
16 00FF 2A D5 001C 29 F0611C3E F03B9FFB C7 9001001F6C04060091500F11 0072 1690 1F05 Mon Mar  1 16:14:13 2021
17 00FF 2A D5 001C 29 F0611C3E F03B9FFB 73 900100236C0406007D5014A3 0797 1620 D48F Mon Mar  1 16:28:31 2021
18 00FF 2A D5 001C 29 F0FBBC6F F03B9FFB 4D 9101001F6C04060091504CAD 133C 1D40 2347 Mon Mar  1 22:13:25 2021
19 00FF 2A D5 001C 29 F0611C3E F03B9FFB B9 90010022320406009E500632 03F5 1730 FE1B Mon Mar  1 23:14:22 2021
20 00FF 2A D5 001C 29 F0BCD31D F03B9FFB E7 900100256C0506009B50D2A7 1E0E 3F60 13BE Tue Mar  2 00:56:17 2021
21 00FF 2A D5 001C 29 F0BCD31D F03B9FFB E5 900100256C0506009850C186 181F 3F90 305B Tue Mar  2 01:21:14 2021
22 00FF 2A D5 001D 29 F0611C3E F03B9FFB B7 9008009150FA0E012ABA0E81B8 0F15 1630 8383 Mon Mar  1 13:21:15 2021
23 00FF 2A D5 001D 29 F0611C3E F03B9FFB 27 900800A350815D012A17698128 16DE 1680 0D58 Mon Mar  1 19:14:23 2021
24 00FF 2A D5 001D 29 F0611C3E F03B9FFB 2B 900800A350815D0129DCBE812C 172A 1610 E799 Mon Mar  1 19:14:23 2021
25 00FF 2A D5 001D 29 F0611C3E F03B9FFB 51 91080091504CAD0129BD448152 1350 1740 8FAD Mon Mar  1 22:13:25 2021


0xD5 Packets where actual time along with uptime is observed
Pkt 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Not part of CRC calc Data Packet (Oncor Meter) Trailing 6 Bytes
Start of Frame, Type, SubType, Length, Unknown, Meter ID1, Meter ID2, Counter, Epoch Time, Unknown Reading?, Uptime, Unknown, Unknown, WAN Address Meter ID2, Meter ID2, Unknown Data, Timing (0.01 increments), Unknown, Checksum, Trailing
1 00FF 2A D5 0047 51 F0C00020 F03B9FFB 18 60378AB1 00033D56 0006C31A A483 0101 50CFB5D9E400 F03B9FFB 000103240602030705070704000000 04C2 C000 204C 0401 FA 2030208180 2163 1900 75F3 00
2 00FF 2A D5 0047 51 F10679DE F03B9FFB 1E 60378C72 00023F96 0006C4DB A483 0101 50CFB5D9E400 F03B9FFB 000103240602030705070704000000 0718 6800 204C 0401 FA 2030208180 0BF7 1D30 CDB4 00
3 00FF 2A D5 0047 51 F159CD44 F03B9FFB B4 603A627C 00028F50 00099AE5 A483 0101 50CFB5D9E400 F03B9FFB 000103240602020705070805000000 02A3 C800 1E6C 0401 D9 2030208180 226A 1A10 7330 00
Payload (CoServ Meter)
4 00FF 2A D5 0047 51 F143250D 5021D005 1A 603AD051 000130D8 000D10ED A403 0101 FE5021D00500 5021D005 000103200000000000000000000000 02C3 0800 0E20 0200 E3 20301F8180 22F0 1C40 4FEB 00
5 00FF 2A D5 0047 51 F143248A 5021D005 64 603AD09C 000133C6 000D1138 A403 0101 FE5021D00500 5021D005 000103200000000000000000000000 0BA0 9000 0E20 0200 E3 20301F8180 4076 1150 73A7 00
6 00FF 2A D5 0047 51 500F0DD6 5021D005 80 603AD0D3 000135EC 000D116F A403 0101 FE5021D00500 5021D005 000103200000000000000000000000 01D8 A800 0E20 0200 E3 20301F8180 1412 2E40 ADC1 00
  • Epoch time calculator and explanation can be found here. First convert the time from hex to decimal, then input it into the converter.


00FF2A D5 0016 21 F073B577 F062363D FA88 0100 1F6C04 14E93E70 CF80 04

00FF2A D5 0017 29 8073AEAC F0F28D56 1288 0100 1F3204 041CBB1930 2D2A 04

00FF2A D5 001B 21 F10679E2 8073CE7D F498 0100 106C02 0A15F9055F06571A80 37C5 00

00FF2A D5 001C 29 8073ADB3 8073CE7D 9088 0100 106C02 040A99CF055F3A4B1170 A696 04

00FF2A D5 0021 22 F05A1A60 8073CE7D D8010100106C020520301D81800A99CF055F3ADD1410 A560 04

00FF2A D5 0047 51 F05A4BCC F03D4CD7 5A 6032F37F 0001DA2E 00022BE9 A483 0101 50D075D9E2E0 F03D4CD7 000103240403030806080801000000036EE8001F6C0401E9203020818018C22930 9294 00


Data captures

*Note: This file does not contain the trailing bytes shown in the captures above, it stops at the 16 bit Checksum.

Dallas

Oncor Capture 01-07-2023 30hrs (CONTAINS NEW PACKETS)

Austin

Austin energy (Two Meters)

90C3717A is PV

90C1FD1A is Net meter

GPS Tagged Wardrive Files

The format of the files will likely change as more is learned. Currently the format is:

Meter_ID, Uptime(seconds), Uptime(days), GPS_Data($GPGGA)

Wardrive-NTX_to_Highland-Park-03-09-2021.csv

KML File used in YouTube GPS Decoding video

Capture files from various regions

Raw capture from New Jersey
Raw capture for Seattle City Light (SCL) from Seattle, Washington, USA