Difference between revisions of "Miltel SpeedRead STx"

From RECESSIM, A Reverse Engineering Community

Latest revision as of 21:10, 12 July 2025

Miltel External Pulsed-readers (Transmitter)

For the research process, see the blog post "Reverse engineering wireless water meter network": https://hlltech.blogspot.com/2021/09/reverse-engineering-wireless-water.html

Device

The device is a separate unit from the actual meter. Enclosed are a battery and a PCB with a PIC microcontroller (firmware-read protected) and an FM encoder. Each device can be hooked up to at least 4 (possibly more) sensors, which in turn are connected to the meter.

Example photo

Operation

Each probe contains a reed switch that is pulsed by the meter's spinner on each full cycle. The meter can count it individually and, according to the configured time, transmit this information wirelessly to either the repeater (which re-transmits the same signal) or the concentrator (which uploads the information to the system's backend) installed in the area.

Wireless communication

This device can only transmit.

Frequency

The frequency varies according to the installation, location and use case.

Modulation

The data is first encoded by the microcontroller: a 0 is a PWM wave of a given frequency, and a 1 is a PWM wave of another frequency [1]. The output of the microcontroller is then fed to the frequency modulator and transmitted over the air. To demodulate, one has to demodulate twice [2]: once for the FM demod, and then for the PWM demod (the latter can also be done by correlation instead). This should give the expected outcome.

Protocol

Reverse engineering suggests that the protocol possibly contains "fields" of arbitrary data. These fields are assembled from the decoded bit stream in such a way that the next bit of a field is either 16 or 20 bits after the former. I.e., assuming the demodulated bits are D0…Dn, "Field 1" would be made up of D0, D16, D36, D52, D72, etc. At least the meter ID can be extracted this way, possibly more data as well. There is also some data stuffing involved; I suggest seeing the examples in this GitHub ticket for how to decode (GitHub issue with code).
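The field assembly described above, as an added Python example that is not code from the wiki page, the blog post or the GitHub issue. It assumes the demodulated bits are held in a string of '0'/'1' characters and that a field starts at D0; the `start` parameter, the function names and the sample stream are hypothetical, and the data stuffing mentioned above is not handled.

```python
from itertools import cycle

STRIDES = (16, 20)  # from the page: a field's next bit is 16, then 20, bits later


def field_positions(n_bits, start=0, strides=STRIDES):
    """Yield the stream indices that belong to one field.

    start=0 gives D0, D16, D36, D52, D72, ... as on the page. A non-zero
    start is an assumption about where other fields might begin.
    """
    pos = start
    for step in cycle(strides):
        if pos >= n_bits:
            return  # stream ended (possibly mid-field): stop cleanly
        yield pos
        pos += step


def extract_field(bits, start=0, strides=STRIDES):
    """Collect one field's bits from the demodulated stream (str of '0'/'1')."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bit stream must contain only '0' and '1'")
    return "".join(bits[i] for i in field_positions(len(bits), start, strides))


def embed_field(field_bits, n_bits, start=0, filler="0"):
    """Inverse of extract_field, used only to build a constructed test stream."""
    positions = list(field_positions(n_bits, start))
    if len(field_bits) > len(positions):
        raise ValueError("stream too short for this field")
    stream = [filler] * n_bits
    for i, b in zip(positions, field_bits):
        stream[i] = b
    return "".join(stream)


# Constructed sample (not a real capture): a made-up 8-bit value scattered
# over a 128-bit stream at the positions the page describes.
SAMPLE_FIELD = "10110010"
SAMPLE_STREAM = embed_field(SAMPLE_FIELD, 128)

if __name__ == "__main__":
    print(list(field_positions(128)))
    print(extract_field(SAMPLE_STREAM))
```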

Further information

Technical information from the author in this GitHub issue, and blog post

Miltel Tech sheet - [1], [2]

Other Names: SpeedRead Networks, Datasense AMR

FCC ID: MLLSPEEDHPTX450. Possibly others as well