Difference between revisions of "Silver Spring Networks Protocol"

From RECESSIM, A Reverse Engineering Community
Jump to navigation Jump to search
(add grc file for capturing Itron data)
(Added more information about the Itron/SSN traffic)
 
Line 12: Line 12:
 
<br />
 
<br />
  
The following capture file was created using this gnuradio file:
+
===Capturing Itron/SSN traffic===
 +
In 2012 a permissive change was filed at the FCC to certify and document an RF mode not initially supported.  Specifically, it uses 2-FSK over 64 channels from 902.4MHz to 927.6MHz (inclusive) and a data rate of 150kbps.  This appears to be the predominantly used mode today among such devices.  A summary of all modes of FCC ID SK9AMI7 are shown below.
 +
{| class="wikitable"
 +
|+
 +
!Modulation
 +
!Frequency range (MHz)
 +
!Number of channels
 +
!Channel separation (kHz)
 +
!Data rates supported (kbps)
 +
|-
 +
|FSK
 +
|902.25 - 927.75
 +
|52
 +
|500
 +
|19.2
 +
|-
 +
|FSK
 +
|902.25 - 927.75
 +
|52
 +
|500
 +
|152.3
 +
|-
 +
|OOK
 +
|909.6 - 921.8
 +
|50
 +
|200
 +
|16.4
 +
|-
 +
|FSK
 +
|902.4 - 927.6
 +
|64
 +
|400
 +
|150.0
 +
|}
 +
The following capture file was created using this gnuradio file.  It has the 64 channels explicitly listed within the Center Freq Estimation block.  It uses a syncword of 0xAAAAAAAA (which is probably too short) and makes the assumption that data is transmitted most significant bit first, but this is an unverified guess.  No checking is done of the packets, so there are very likely to be many packets with errors.  In looking through this capture file, the majority of packets start with <syntaxhighlight>
 +
aa aa aa aa aa aa aa aa de 9d 27 27 16 66 f0 6c
 +
</syntaxhighlight>For that reason, it's likely that those packets are probably mostly correct, while the others should be viewed with suspicion.
 +
<br />
 
[[File:Meter data capture.grc.txt|left|thumb|capture grc file (rename from txt to just .grc to run)]]
 
[[File:Meter data capture.grc.txt|left|thumb|capture grc file (rename from txt to just .grc to run)]]
  
  
 
[[File:Raw itron packet dump.zip|left|thumb|Raw dump of an Itron/Silver Springs Networks network.]]
 
[[File:Raw itron packet dump.zip|left|thumb|Raw dump of an Itron/Silver Springs Networks network.]]
'''2950 sample packets in a zip file (one file per packet)'''
+
<br />
 
<br />
 
<br />

Latest revision as of 18:14, 11 June 2022

Data capture from a Silver Spring Networks smart meter that was initially powered on. The text is very wide so open the file in a text editor, it won't look right in the browser most likely.


Initial capture of data - small file

Silver_Spring_Networks_Smart_Meter_00135005008C900A.txt


170 samples sorted by "Mask" column, notice the data appears similar for each mask, need to figure out how it's being transformed.

Silver_Spring_Networks_Extended_Parsed_02-22-2022_00135005008C900A.txt

Capturing Itron/SSN traffic

In 2012 a permissive change was filed at the FCC to certify and document an RF mode not initially supported. Specifically, it uses 2-FSK over 64 channels from 902.4MHz to 927.6MHz (inclusive) and a data rate of 150kbps. This appears to be the predominantly used mode today among such devices. A summary of all modes of FCC ID SK9AMI7 are shown below.

Modulation Frequency range (MHz) Number of channels Channel separation (kHz) Data rates supported (kbps)
FSK 902.25 - 927.75 52 500 19.2
FSK 902.25 - 927.75 52 500 152.3
OOK 909.6 - 921.8 50 200 16.4
FSK 902.4 - 927.6 64 400 150.0

The following capture file was created using this gnuradio file. It has the 64 channels explicitly listed within the Center Freq Estimation block. It uses a syncword of 0xAAAAAAAA (which is probably too short) and makes the assumption that data is transmitted most significant bit first, but this is an unverified guess. No checking is done of the packets, so there are very likely to be many packets with errors. In looking through this capture file, the majority of packets start with

aa aa aa aa aa aa aa aa de 9d 27 27 16 66 f0 6c

For that reason, it's likely that those packets are probably mostly correct, while the others should be viewed with suspicion.


File:Meter data capture.grc.txt


File:Raw itron packet dump.zip