Silver Spring Networks Protocol

From RECESSIM, A Reverse Engineering Community

Data capture from a Silver Spring Networks smart meter that was initially powered on. The text is very wide, so open the file in a text editor; it most likely won't look right in the browser.

Initial capture of data - small file


170 samples sorted by the "Mask" column. Notice that the data appears similar for each mask; how it is being transformed still needs to be figured out.


Capturing Itron/SSN traffic

In 2012 a permissive change was filed at the FCC to certify and document an RF mode not initially supported. Specifically, it uses 2-FSK over 64 channels from 902.4 MHz to 927.6 MHz (inclusive) and a data rate of 150 kbps. This appears to be the predominantly used mode today among such devices. A summary of all modes of FCC ID SK9AMI7 is shown below.

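| Modulation | Frequency range (MHz) | Number of channels | Channel separation (kHz) | Data rates supported (kbps) |
|------------|-----------------------|--------------------|--------------------------|-----------------------------|
| FSK        | 902.25 - 927.75       | 52                 | 500                      | 19.2                        |
| FSK        | 902.25 - 927.75       | 52                 | 500                      | 152.3                       |
| OOK        | 909.6 - 921.8         | 50                 | 200                      | 16.4                        |
| FSK        | 902.4 - 927.6         | 64                 | 400                      | 150.0                       |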

The following capture file was created using this GNU Radio file, which has the 64 channels explicitly listed within the Center Freq Estimation block. It uses a syncword of 0xAAAAAAAA (which is probably too short) and assumes that data is transmitted most significant bit first, but this is an unverified guess. The packets are not checked in any way, so many of them very likely contain errors. Looking through this capture file, the majority of packets start with:

aa aa aa aa aa aa aa aa de 9d 27 27 16 66 f0 6c

For that reason, those packets are probably mostly correct, while the others should be viewed with suspicion.
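An added example (not part of the original page or of the GNU Radio flowgraph) that triages packets from such a capture by counting bit errors between their first 16 bytes and the common header quoted above. It assumes one packet per line as space-separated hex bytes; the sample lines and the 2-bit tolerance are constructed for illustration.

```python
from collections import Counter

# Header the page reports at the start of most packets (16 bytes).
COMMON_HEADER = bytes.fromhex("aaaaaaaaaaaaaaaade9d27271666f06c")

# Constructed sample lines (not from the real capture); assumed format: hex bytes per line.
SAMPLE = [
    "aa aa aa aa aa aa aa aa de 9d 27 27 16 66 f0 6c 01 02 03",
    "aa aa aa aa aa aa aa aa de 9d 27 27 16 66 f0 6d 01 02 03",  # one flipped bit
    "aa aa aa aa aa aa aa aa de 9d 27 27 16 66 f0 6c 0a 0b",
    "aa aa aa aa 55 12 9f 00 3c 41 77 e2 90 0d b6 18 44",        # false sync on noise
    "aa aa aa zz",                                               # malformed line
]

def parse_line(line):
    """Parse one line of space-separated hex bytes; return None if malformed."""
    try:
        return bytes.fromhex(line.strip().replace(" ", ""))
    except ValueError:
        return None

def bit_errors(a, b):
    """Hamming distance in bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def dominant_prefix(packets, n=len(COMMON_HEADER)):
    """Most frequent n-byte prefix in the capture and how often it occurs."""
    counts = Counter(p[:n] for p in packets if len(p) >= n)
    return counts.most_common(1)[0] if counts else (None, 0)

def triage(lines, header=COMMON_HEADER, max_bit_errors=2):
    """Label each packet 'match', 'near' (few bit errors) or 'suspect'."""
    results = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or len(pkt) < len(header):
            results.append((line, "suspect", None))
            continue
        errs = bit_errors(pkt[:len(header)], header)
        label = "match" if errs == 0 else "near" if errs <= max_bit_errors else "suspect"
        results.append((line, label, errs))
    return results

if __name__ == "__main__":
    for line, label, errs in triage(SAMPLE):
        print(f"{label:8} bit_errors={errs} {line}")
    print(dominant_prefix([p for p in map(parse_line, SAMPLE) if p]))
```

Running `dominant_prefix` over a whole capture first is a useful check that the hard-coded header really is the most common prefix before it is used as the reference.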

File:Meter data capture.grc.txt

File:Raw itron packet