Author Topic: Reverse your smart energy meter with this simple trick!  (Read 12901 times)

0 Members and 2 Guests are viewing this topic.

Online Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Reverse your smart energy meter with this simple trick!
« Reply #25 on: August 16, 2021, 03:35:29 pm »
You just need to sample the current and voltage about 1000 times per the 50Hz cycle (..)
If the sample is made at that frequency then conditioning circuit starts from anti-aliasing filter (it has to attenuate all frequencies above F/2) otherwise you get junk. At higher frequencies you can happily draw power in between ADC samples. And that is what this dumb eBay jammer does I suspect. I think it (unintentionally) locks fast rising edge with ADC, offset with zero crossing.

With this brute force approach and keeping within 1% accuracy you would have to increase sampling to more than 2*some frequencies limited by RLC bandwidth of a piece of cable that separates power meter and jammer. Otherwise a purposely built jammer can be/will be created that locks into ADC sampling and extracts 1.01kWh when ADC counts 1.00kWh (thus defying your concept). That is essentially a proposition of a 1% accurate measurement instrument with DC to tens of MHz bandwidth.

Once you have a proper low pass filter in front of the ADC you can't have pulses just "slip trough". No matter at what point between the samples the huge narrow pulse happens the low pass filter will flatten it out enough to be seen over a few consecutive samples of the ADC. As far as the ADC is concerned drawing 1000A for 1/1000th of a ADC sample time is the same as drawing 1A for the whole sample time, the same amount of charge has also flown trough the meter.

There is no need to have a ridiculously fast ADC. It just needs to be fast enough to reasonably accurately capture a weird wavy waveform. That way the correct parts of the waveform get calculated to the correct parts of the voltage sine wave. Once you get to a fine resolution it doesn't matter anymore, the voltage sine wave does not change that much in 1/1000th of a cycle time. At that point the buckets of charge get assigned to pretty much the right voltage. Also even if you ware to time it to the ADCs sample rate, how would you get the sample rate and lock on to it? You are not allowed to open up the meter and hook into it. The actual sample rate it likely also drifting around since you wouldn't have some incredibly precise OCXO oscillator in there.

What actually likely happens is that RF noise is not filtered away properly and gets demodulated somewhere in an amplifier or ADC. Here is one example of such a thing happening to a big name brand multimeter:
https://www.eevblog.com/2016/10/12/eevblog-933-keysight-u1272a-emc-issue/
 

Offline Zero999

  • Super Contributor
  • ***
  • Posts: 20357
  • Country: gb
  • 0999
Re: Reverse your smart energy meter with this simple trick!
« Reply #26 on: August 16, 2021, 03:53:22 pm »
You don't actually need to know the waveform to measure the RMS voltage, current and power. You could sample at 1Hz, for a long period of time and still get an accurate reading, so long as the sample clock isn't in phase with the mains, so it gets samples from the whole waveform, after a long enough period.
 

Offline Alti

  • Frequent Contributor
  • **
  • Posts: 404
  • Country: 00
Re: Reverse your smart energy meter with this simple trick!
« Reply #27 on: August 16, 2021, 05:19:59 pm »
Once you have a proper low pass filter in front of the ADC you can't have pulses just "slip trough".
Any high frequency disturbance signal with frequency content starting above cutoff frequency is not going to get through low pass antialiasing filter and some of the information is lost. Remember that power meter neither integrates current nor voltage but the product of both. So if you superimpose high frequency disturbances: on current path that is in phase with disturbance on voltage path, none of the ADC channels is going to register that so some energy is going to get through unregistered.

So if ADC sampled voltage: U and current I then the meter is going to register at this point:
P=U*I
I these samples on mains cable were (U+1) and (U-1) with (I+1) and (I-1) respectively (for halves of the sampling period), then:
P' = ((U+1)*(I+1) + (U-1)*(I-1))/2 = U*I+1

I think this shows that you cannot measure something that you filtered out.



« Last Edit: August 16, 2021, 05:31:16 pm by Alti »
 

Offline Zero999

  • Super Contributor
  • ***
  • Posts: 20357
  • Country: gb
  • 0999
Re: Reverse your smart energy meter with this simple trick!
« Reply #28 on: August 16, 2021, 06:09:00 pm »
I wonder if spread spectrum sampling would help? Random would be idea, but you'll still be confined to the quantum of the clock frequency. I suppose using a VCO, fed with a white noise generator, for the clock would produce a random enough sample rate. The problem then becomes interfacing the randomly sampling hardware, with other devices, running at a steady clock rate.
 

Offline Jeroen3Topic starter

  • Super Contributor
  • ***
  • Posts: 4209
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: Reverse your smart energy meter with this simple trick!
« Reply #29 on: August 17, 2021, 06:35:52 am »
From what I know, most energy meters lock the sampling rate to 64, 128 or 256 samples per cycle.
A way to do this, though I'm not sure if this is the way it is actually done, is to oversample royally, then decimate to your required samples per cycle.

This ensures all further calculations, like power and reactive power, are done with the same phase error free stream.
However, that is only the sampling, the power units calculation is another subject. Different methods, different speeds and errors.
https://www.mdpi.com/1996-1073/13/17/4322
 

Offline coppice

  • Super Contributor
  • ***
  • Posts: 10031
  • Country: gb
Re: Reverse your smart energy meter with this simple trick!
« Reply #30 on: August 17, 2021, 11:32:40 am »
From what I know, most energy meters lock the sampling rate to 64, 128 or 256 samples per cycle.
A way to do this, though I'm not sure if this is the way it is actually done, is to oversample royally, then decimate to your required samples per cycle.

This ensures all further calculations, like power and reactive power, are done with the same phase error free stream.
However, that is only the sampling, the power units calculation is another subject. Different methods, different speeds and errors.
https://www.mdpi.com/1996-1073/13/17/4322
I don't know of any energy measurement front end for a consumer meter which locks the frequency of the ADC sampling to the mains. They all sample at a fixed rate, and calculate at the same rate. What you are describing sounds like the design of a power quality monitor. Most of those process synchronised samples, typically at 256 samples per mains cycle these days. However. most modern designs don't actually run their ADCs synchronously with the mains. They let them run at a fixed rate, and then digitally resample to a precise power of two multiple of the prevailing mains frequency. Then they can perform things like FFTs without worrying about windowing effects, which can really hurt accuracy when you are trying to measure to 0.1% or better. They work out the exact mains frequency by analysing the raw sampled stream, and continuously adapting as the frequency of the mains, or their own raw sample clock, might drift with time.
 

Offline Alti

  • Frequent Contributor
  • **
  • Posts: 404
  • Country: 00
Re: Reverse your smart energy meter with this simple trick!
« Reply #31 on: August 17, 2021, 12:12:34 pm »
I wonder if spread spectrum sampling would help?
I think that the knowledge about exact moment of when ADC is sampling, for the purpose of tampering the measurement results, has minimal practical value. It might be advantageous when the disturbance is at about similar frequency as sampling but when the disturbance is tens or hundreds of times faster then what difference that might be? The meter is not going to notice that upper part of BW anyway.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf