| Electronics > Projects, Designs, and Technical Stuff |
| EM1000 electricity meter Comms protocol |
| (1/3) > >> |
| SL4P:
I'm working on talking to an EM1000 mains power meter ( the type in your meter box ) re: IR protocol to EM1000 power / electricity meter I have the IR interface working, and also the Landis+Gyr meter management software. My problem is reverse engineering the serial protocol with the meter. My project is to create a new tool for local meter readers, but it seems the detail of the protocol are not openly available... I have figured out and logged a simple session, and can 'connect' to the meter, but I believe there is a challenge-response pair that I have yet to work through before I get stuck into the next challenge. in the samples I took, I can see some clear text ( model number / serial retc ), but the bulk of message transactions are in binary, prefixed with an 0xAA byte. These seem to work as expected with the OEM software, but without a successful 'login' from my test code, they return either an empty string, or a recurring 'message' (not logged in?) Any thoughts, ideas or pointers greatly appreciated. |
| tonyarkles:
Well, I don't have much feedback for you, other than 0xAA and 0x55 are often used as sync bytes because they're repeating strings of 1010... Is there any consistency in the messages? Does the challenge/response pair change every time? How many bytes is it? If it's relatively simple, you might be able to collect enough sessions to just make a look-up table to work out the answer. |
| SL4P:
Thanks for responding.... I came to the same conclusions. The AA is definitely a message sync/prefix char... both directions. I'm expecting a byte count and/or a checksum in there as well... Sadly the challenge (and response) do change each time, but as you said - if I take enough samples from the OEM software there may be a visible pattern... hoping! Here is the dialogue I began with (know to work at that time) AA 01 0F DE C2 >> send REQUEST A SESSION LOGIN AA 09 FF 43 38 C8 44 64 22 32 11 C8 6C l << ?challenge from meter FF FF << received not sure what these are... ! AA 06 01 03 BE 3B 3E 36 87 1C >> ?send login RESPONSE AA 07 FF E8 03 02 00 18 00 73 6D << received ?login accepted If I use the same response later (to a different challenge), it returns... AA 01 FD 83 0D which I guess is saying - 'No soup for you!' Then the two way conversation continues with requests and rsponse sfor specific meter registers / data bundles. If you're working on similar challenges - I'm open to sharing knowledge! |
| mikeselectricstuff:
If it's doing challenge-response stuff you're probably going to need to start disassembling the PC software to figure out what it's doing. |
| SL4P:
--- Quote from: mikeselectricstuff on April 26, 2015, 10:33:04 pm ---If it's doing challenge-response stuff you're probably going to need to start disassembling the PC software to figure out what it's doing. --- End quote --- I know - but please don't say that ! |
| Navigation |
| Message Index |
| Next page |