Topic: EM1000 electricity meter Comms protocol

SL4P (Topic starter)
EM1000 electricity meter Comms protocol
« on: April 26, 2015, 09:29:06 am »
I'm working on talking to an EM1000 mains power meter ( the type in your meter box )
re: IR protocol to EM1000 power / electricity meter

I have the IR interface working, and also the Landis+Gyr meter management software.

My problem is reverse engineering the serial protocol with the meter.  My project is to create a new tool for local meter readers, but it seems the details of the protocol are not openly available...

I have figured out and logged a simple session, and can 'connect' to the meter, but I believe there is a challenge-response pair that I have yet to work through before I get stuck into the next challenge.

In the samples I took, I can see some clear text (model number / serial etc.), but the bulk of message transactions are in binary, prefixed with an 0xAA byte.

These seem to work as expected with the OEM software, but without a successful 'login'  from my test code, they return either an empty string, or a recurring 'message' (not logged in?)

Any thoughts, ideas or pointers greatly appreciated.
Don't ask a question if you aren't willing to listen to the answer.
 

tonyarkles
Re: EM1000 electricity meter Comms protocol
« Reply #1 on: April 26, 2015, 09:27:21 pm »
Well, I don't have much feedback for you, other than 0xAA and 0x55 are often used as sync bytes because they're repeating strings of 1010...

Is there any consistency in the messages? Does the challenge/response pair change every time? How many bytes is it? If it's relatively simple, you might be able to collect enough sessions to just make a look-up table to work out the answer.


 

SL4P (Topic starter)
Re: EM1000 electricity meter Comms protocol
« Reply #2 on: April 26, 2015, 09:38:20 pm »
Thanks for responding.... I came to the same conclusions.
The AA is definitely a message sync/prefix char...  both directions.

I'm expecting a byte count and/or a checksum in there as well...

Sadly the challenge (and response) do change each time, but as you said - if I take enough samples from the OEM software there may be a visible pattern... hoping!

Here is the dialogue I began with (known to work at that time)

AA 01 0F DE C2                                      >> send REQUEST A SESSION LOGIN
AA 09 FF 43 38 C8 44 64 22 32 11 C8 6C         <<  ?challenge from meter

FF FF   << received not sure what these are... !

AA 06 01 03 BE 3B 3E 36 87 1C                 >> ?send login RESPONSE
AA 07 FF E8 03 02 00 18 00 73 6D          << received ?login accepted

If I use the same response later (to a different challenge), it returns...
AA 01 FD 83 0D          which I guess is saying - 'No soup for you!'

Then the two-way conversation continues with requests and responses for specific meter registers / data bundles.

If you're working on similar challenges - I'm open to sharing knowledge!
 

mikeselectricstuff
Re: EM1000 electricity meter Comms protocol
« Reply #3 on: April 26, 2015, 10:33:04 pm »
If it's doing challenge-response stuff you're probably going to need to start disassembling the PC software to figure out what it's doing.
 

SL4P (Topic starter)
Re: EM1000 electricity meter Comms protocol
« Reply #4 on: April 26, 2015, 11:00:41 pm »
Quote
If it's doing challenge-response stuff you're probably going to need to start disassembling the PC software to figure out what it's doing.

I know - but please don't say that !
 

SL4P (Topic starter)
Re: EM1000 electricity meter Comms protocol
« Reply #5 on: April 27, 2015, 02:51:19 am »
Here's a more complete dump of the dialogue between the OEM software and the meter...
This has a successful login to the meter, followed by a couple of other functions to dump specific data...

 

tonyarkles
Re: EM1000 electricity meter Comms protocol
« Reply #6 on: April 27, 2015, 03:23:41 am »
So here's another observation, if it helps:

Quote
<- AA 09 FF D9 1A 85 55 2B 72 FC 61 BC 16

AA = sync
09 = number of bytes
(9 bytes here)
BC 16 = checksum, crc-ccitt

To verify the checksum part, I installed https://pypi.python.org/pypi/crc16/0.1.1 and did:

>>> import crc16
>>> d = [0xaa, 0x09, 0xff, 0xd9, 0x1a, 0x85, 0x55, 0x2b, 0x72, 0xfc, 0x61, 0xbc, 0x16]
>>> '%x' % (crc16.crc16xmodem(''.join(chr(c) for c in d[1:-2])),)
'16bc'

So that's taking the crc16, ignoring the initial sync byte, but including the length value.

Maybe that'll help get you going?

(Note: it was a total fluke that that worked. I installed the crc16 module without realizing that it only implemented one of the many versions of CRC and luckily it had the right one!)
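
The frame layout worked out in this reply (0xAA sync, length byte, payload, CRC-16/XMODEM over length plus payload, sent low byte first), as an added Python 3 example that is not part of the original post. The function names are hypothetical; the sample bytes are frames quoted earlier in this thread, joined into one constructed stream.

```python
# Added example: split a captured byte stream into frames and verify each CRC.
# Assumed layout (inferred in the thread, not vendor documentation):
#   0xAA | N | N payload bytes | CRC-16/XMODEM of (N + payload), low byte first
SYNC = 0xAA


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no bit reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parse_stream(buf: bytes):
    """Return (frames, skipped).

    frames  -- payloads of every frame whose CRC verified
    skipped -- bytes that did not belong to a verified frame (line noise,
               padding, truncated or corrupted frames)
    """
    frames, skipped = [], bytearray()
    i = 0
    while i < len(buf):
        if buf[i] == SYNC and i + 1 < len(buf):
            n = buf[i + 1]
            end = i + 2 + n + 2              # sync + length + payload + CRC
            if end <= len(buf):              # whole frame is present
                body = buf[i + 1:i + 2 + n]  # length byte + payload
                wire_crc = buf[end - 2] | (buf[end - 1] << 8)
                if crc16_xmodem(body) == wire_crc:
                    frames.append(bytes(buf[i + 2:i + 2 + n]))
                    i = end
                    continue
        # Not a verifiable frame here: drop one byte and try to resync.
        # Advancing by one byte (not by the claimed length) means a bad
        # length field cannot make the parser swallow the next good frame.
        skipped.append(buf[i])
        i += 1
    return frames, bytes(skipped)


# Constructed stream: three frames quoted in this thread with the stray
# FF FF bytes in between.
SAMPLE_STREAM = bytes.fromhex(
    "AA010FDEC2"                   # session login request
    "AA09FFD91A85552B72FC61BC16"   # frame quoted in the reply above
    "FFFF"                         # bytes outside any frame
    "AA01FD830D"                   # short reply seen after a rejected login
)

# Constructed failure cases: one flipped bit, and a frame cut off mid-payload.
CORRUPTED = bytes.fromhex("AA01FC830D")
TRUNCATED = bytes.fromhex("AA0503")

if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_STREAM),
                       ("corrupted", CORRUPTED),
                       ("truncated", TRUNCATED)):
        frames, skipped = parse_stream(data)
        print(name, [f.hex() for f in frames], "skipped:", skipped.hex())
```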
 

SL4P (Topic starter)
Re: EM1000 electricity meter Comms protocol
« Reply #7 on: April 27, 2015, 04:44:29 am »
That's great - thanks

I was expecting a 16-bit CRC, from reading other loosely docs, but hadn't got around to pulling the whole sentence apart.... as you say it was incredibly lucky, but armed with your prior knowledge, you came through!

Now to identify the command format(s) - I'll parse them down and post some hints.....

Cheers
(This may be a great help to others looking at the interface if I can get past the challenge & response.)
 

tonyarkles
Re: EM1000 electricity meter Comms protocol
« Reply #8 on: April 27, 2015, 05:08:10 am »
Hmmm... http://forums.whirlpool.net.au/archive/1900793 suggests that there's a 32-bit password with a 1hr lockout after 3 attempts. That will make things trickier, maybe.
 

SL4P (Topic starter)
Re: EM1000 electricity meter Comms protocol
« Reply #9 on: April 27, 2015, 05:11:26 am »
Ya, that makes sense -
I locked myself out, but I'm now able to log in again with OEM software
... playing with CRC16 code in C now...
 

coppice
Re: EM1000 electricity meter Comms protocol
« Reply #10 on: April 27, 2015, 05:39:52 am »
Those meters use a protocol from Ampy, from before the time when L&G bought Ampy (and Toshiba bought L&G). I think it's only used in Australia, so it's probably only people in Australia who might be able to help with it.
 

Geoff Carroll
Re: EM1000 electricity meter Comms protocol
« Reply #11 on: December 10, 2019, 11:05:20 pm »

I know this is an old thread however, just wanting to know if you had any success reading the RS232 data?

Needing some assistance
