Difference between revisions of "Landis+Gyr GridStream Protocol"

From RECESSIM, A Reverse Engineering Community
Revision as of 01:11, 22 February 2021

Captured Meter Data Analysis

There have been two packet types observed thus far, a 0x55 and a 0xD5 packet.

  • 0x55 packets appear to be broadcasts from the meters and occur frequently. They have been observed multiple times per minute from a single meter.
  • 0xD5 packets appear to transport data across the mesh network. Each 0xD5 packet contains two meter IDs, Meter ID #1 and Meter ID #2. Many 0xD5 packet lengths and types have been observed; some are shown below.

0x55 Meter Data

The data below was captured from the same meter (F0EE36DB) and shows some of the values that can change with each transmission. Different meters have different fixed data and some of the data changes less frequently as well.

1) Header = 0x00FF2A

2) Packet Type = 0x55

3) Packet Length = 0x0023

4) Unknown Identifier #1 = 0x30

5) Unknown Empty Data Slot = FFFFFFFFFFFF

6) Unknown Identifier #2 = 0x50

7) Unknown Identifier #3 = CF8DD9E2 (Appears to be either a location identifier or, in some cases, a duplicate meter ID)

8) Unknown Identifier #4 = C0

9) Unknown Data #1 = 02 (Increments by some amount with each transmission and rolls over at 0xFF)

10) Uptime = 0x0001ECA3 (Value in seconds since the meter powered on; an easy way to see when the last outage was!)

11) Unknown Identifier #5 = 0xA483

12) Meter ID = 0xF0EE36DB

13) Unknown Identifier #6 = 0x0100

14) Unknown Data #2 = 0x2132

15) Unknown Data #3 = 0x042D19

16) Unknown Identifier #7 = 0x7E80

17) Checksum = 0xF154

18) Trailing byte = 0x04


00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 0C 0001ECBF A483 F0EE36DB 0100 2132 04384F 7E80 0896 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 16 0001ECC6 A483 F0EE36DB 0100 2132 043AC5 7E80 F47E 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 2A 0001ED05 A483 F0EE36DB 0100 2132 041207 7E80 A412 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 34 0001ED29 A483 F0EE36DB 0100 2132 041FF9 7E80 D9C4 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 38 0001ED37 A483 F0EE36DB 0100 2132 042571 7E80 963C 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 42 0001ED5C A483 F0EE36DB 0100 2132 0433A9 7E80 8384 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 4C 0001ED60 A483 F0EE36DB 0100 2132 04354D 7E80 2CB6 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 4E 0001ED79 A483 F0EE36DB 0100 2132 043F25 7E80 871A 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 60 0001EDA6 A483 F0EE36DB 0100 2132 040F05 7E80 25C9 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 6A 0001EDCD A483 F0EE36DB 0100 2132 041E55 7E80 F33F 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 74 0001EDE7 A483 F0EE36DB 0100 2132 042873 7E80 B091 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 76 0001EDF6 A483 F0EE36DB 0100 2132 042E31 7E80 048D 04

00FF2A 55 0023 30 FFFFFFFFFFFF 50 CF8DD9E2 C0 80 0001EE02 A483 F0EE36DB 0100 2132 04331D 7E80 5271 04


0xD5 Meter Data

There appear to be multiple packet lengths and styles for the 0xD5 packet. There are some samples below showing

1)     2) 3)   4) 5)       6)       7)   8)   9)     10)      11)  12)
00FF2A D5 0016 21 F05FCB84 F0FC4DB1 E288 0100 273205 00781930 CB72 00

1) Header = 0x00FF2A

2) Packet Type = 0xD5

3) Packet Length = 0x0016

4) Unknown Identifier #1 = 0x21

5) Meter ID #1 = F05FCB84

6) Meter ID #2 = F0FC4DB1

7) Unknown Identifier #2 = 0xE288

8) Unknown Identifier #3 = 0x0100

9) Unknown Data #1 = 0x273205

10) Unknown Data #2 = 0x00781930

11) Checksum = 0xCB72

12) Trailing byte = 0x00

00FF2A D5 0016 21 F073B577 F062363D FA88 0100 1F6C04 14E93E70 CF80 04

00FF2A D5 0017 29 8073AEAC F0F28D56 1288 0100 1F3204 041CBB1930 2D2A 04

00FF2A D5 001B 21 F10679E2 8073CE7D F498 0100 106C02 0A15F9055F06571A80 37C5 00

00FF2A D5 001C 29 8073ADB3 8073CE7D 9088 0100 106C02 040A99CF055F3A4B1170 A696 04

00FF2A D5 0021 22 F05A1A60 8073CE7D D8010100106C020520301D81800A99CF055F3ADD1410 A560 04

00FF2A D5 0047 51 F05A4BCC F03D4CD7 5A6032F37F0001DA2E00022BE9 A483 010150D075D9E2E0 F03D4CD7[1] 000103240403030806080801000000036EE8001F6C0401E9203020818018C22930 9294 00

  1. MeterID
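As an added example (not code from the RECESSIM wiki), the following Python parser splits the frames shown above into the fields listed on this page and flags a meter restart when the uptime field goes backwards. It assumes one rule that is not stated on the page but holds for every sample frame here: the length field counts the bytes after itself up to and including the 2-byte checksum, and the trailing byte is not counted.

```python
# Added example, not code from the RECESSIM wiki: parses the frames shown on this
# page using the field list above for 0x55 and the fixed prefix of 0xD5. Assumption,
# checked against every sample frame on the page: the length field counts the bytes
# after itself through the 2-byte checksum; the trailing byte is not counted.
# (name, byte length) of the 0x55 body, in the order the page lists the fields.
FIELDS_55 = [("unknown_id_1", 1), ("empty_slot", 6), ("unknown_id_2", 1), ("unknown_id_3", 4),
             ("unknown_id_4", 1), ("unknown_data_1", 1), ("uptime", 4), ("unknown_id_5", 2),
             ("meter_id", 4), ("unknown_id_6", 2), ("unknown_data_2", 2), ("unknown_data_3", 3),
             ("unknown_id_7", 2)]

def parse_packet(hex_str):
    """Split one captured frame (hex string, spaces optional) into its fields."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    if raw[:3] != b"\x00\xff\x2a":
        raise ValueError("unexpected header %s" % raw[:3].hex().upper())
    ptype = raw[3]
    length = int.from_bytes(raw[4:6], "big")
    body = raw[6:4 + length]                  # everything between length and checksum
    checksum, trailer = raw[4 + length:6 + length], raw[6 + length:]
    if len(checksum) != 2 or len(trailer) != 1:
        raise ValueError("length 0x%04X does not match a %d-byte frame" % (length, len(raw)))
    pkt = {"type": ptype, "checksum": checksum.hex().upper(), "trailer": trailer[0]}
    if ptype == 0x55:
        off = 0
        for name, size in FIELDS_55:
            pkt[name] = body[off:off + size]
            off += size
        if off != len(body):
            raise ValueError("0x55 body is %d bytes, layout expects %d" % (len(body), off))
        pkt["uptime"] = int.from_bytes(pkt["uptime"], "big")   # seconds since power-on
        pkt["unknown_data_1"] = pkt["unknown_data_1"][0]       # per-transmission counter
        pkt["meter_id"] = pkt["meter_id"].hex().upper()
    elif ptype == 0xD5:
        # Only the fixed prefix is understood; the rest varies with unknown_id_1.
        pkt["unknown_id_1"] = body[0]
        pkt["meter_id_1"] = body[1:5].hex().upper()
        pkt["meter_id_2"] = body[5:9].hex().upper()
        pkt["payload"] = body[9:].hex().upper()
    else:
        raise ValueError("unknown packet type 0x%02X" % ptype)
    return pkt

def uptime_resets(frames):
    """Indexes of 0x55 frames (one meter, capture order) whose uptime dropped: a restart."""
    pkts = [parse_packet(f) for f in frames]
    return [i for i in range(1, len(pkts))
            if pkts[i]["meter_id"] == pkts[i - 1]["meter_id"]
            and pkts[i]["uptime"] < pkts[i - 1]["uptime"]]
```

The checksum algorithm is not known from this page, so the parser extracts the checksum but does not verify it.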