W-MBUS protocol reading in APATOR water meters - encryption and documentation

mks 48306 70

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply | New topic

#61 19274244 22 Feb 2021 12:26

BartekLegnica BartekLegnica

Level 7

» | Helpful post? (0)

Post #61
19274244 22 Feb 2021 12:26

44 01 06 10 36 80 01 05 07 7A 39 00 30 85 96 74 DB F3 F7 15 B7 9B 3E B8 25 C7 38 18 73 0E B1 21 6B B2 66 B8 6C 56 DF 84 C4 04 55 42 6B F6 46 A8 42 9E 7F C1 A7 8E 30 26 B2 A7 4B DA E6 F2

Can anyone help about reading the value from this water meter?
Frame type: 44
Manufacturer: 0601
Serial: 0180361
Version: 05
Medium: 07
Header: 7A - Short: 7A
Counter: 3A
Status00
ADVERTISEMENT
#62 19282493 25 Feb 2021 22:03

sholek sholek

Level 12

» | Helpful post? (0)

Post #62
19282493 25 Feb 2021 22:03

TvWidget wrote:
Data can be collected but
- may be sent very rarely e.g. once a month
- can be encrypted
.

The data I know
module no 04B648045515[XXXX] , status both stored in the overlay and the water meter still such information OBIS channel:0x08000100[XXXX]

where [XXXX] is a string
ADVERTISEMENT
#63 19292365 02 Mar 2021 16:44

vania vania

Level 24

» | Helpful post? (0)

Post #63
19292365 02 Mar 2021 16:44

BartekLegnica wrote:
44 01 06 10 36 80 01 05 07 7A 39 00 30 85 96 74 DB F3 F7 15 B7 9B 3E B8 25 C7 38 18 73 0E B1 21 6B B2 66 B8 6C 56 DF 84 C4 04 55 42 6B F6 46 A8 42 9E 7F C1 A7 8E 30 26 B2 A7 4B DA E6 F2
Can anyone help about reading the value from this water meter?
Frame type: 44
Manufacturer: 0601
Serial: 0180361
Version: 05
Medium: 07
Header: 7A - short: 7A
Counter: 3A
Status00
.

After decoding the frame it comes out that all the data is contained in "manufacture specific data"
Meter values:
DIF:0Fh (SpecialFunctions)
Manufacture specific data:
4A5282952D02004380008051648C51648C01010000108000000071013A0000003A000000A008C9F503FFFF3A7B

I decoded the frame online: http://www.miller-alex.de/WMbus, AES key 00000000000000000000000000000000. At the beginning of the frame you need to add its length in hex (3E).
Look in this "manufacture specific data", write down some water meter states and the corresponding frames and you will see where things change.

I don't have access to APATOR, I play around with B-METERS. There, in manufacture specific data, the reading history and error flags are stored. The current status is in the standard fields: DIF:0Ch (Bcd8) VIF:13h Date:34120700h Volume 71,234 m³
#64 19869990 07 Feb 2022 14:49

Idealsound Idealsound

Level 1

» | Helpful post? (0)

Post #64
19869990 07 Feb 2022 14:49

Hello Dear all, I need help to clarify some issues related to the WMbus radio module.
Do any of you have enough knowledge to help me with the design ? write on priv any help is welcome !!!
ADVERTISEMENT
#65 19895171 20 Feb 2022 13:52

olekdata olekdata

Company Account
Level 12

» | Helpful post? (0)

Post #65
19895171 20 Feb 2022 13:52

Greetings,
I have the simplest receiver connected to the RPi
.
after rtl_test I get

and after rtl_sdr -f 868.95M -s 1.6e6 -n 100 -

Seemingly receives something, but no frame from Apator.
Listened for several hours in the middle of the day.
after rtl_sdr -f 868.95M -s 1.6e6 - | rtl_wmbus
nothing selects although there are two meters with Apator overlays in the same room

What else can I check?
Is the receiver responding correctly and this received "rubbish" is the correct response of the receiver?

Greetings.

Company Account:
DataSoft
ul. Wejherowska 110, Szemud, 84-217 | Company Website: olekdata.pl
#66 19895387 20 Feb 2022 15:35

matidyba matidyba

Level 10

» | Helpful post? (0)

Post #66
19895387 20 Feb 2022 15:35

https://www.smartnydom.pl/forum/domoticz/wmbus-odczyt-danych-z-wodomierza/

Maybe this will help? Let me know
ADVERTISEMENT
#67 19896753 21 Feb 2022 10:05

olekdata olekdata

Company Account
Level 12

» | Helpful post? (0)

Post #67
19896753 21 Feb 2022 10:05

rtl_sdr I had installed from the standard package
apt-get install rtl_sdr

However, I compiled it from scratch as was done in the indicated post.

unfortunately no change.

Company Account:
DataSoft
ul. Wejherowska 110, Szemud, 84-217 | Company Website: olekdata.pl
#68 19940320 20 Mar 2022 15:13

Vivant Vivant

Level 1

» | Helpful post? (0)

Post #68
19940320 20 Mar 2022 15:13

olekdata wrote:
rtl_sdr I had installed from the standard package
apt-get install rtl_sdr

However, I compiled it from scratch as was done in the indicated post.

unfortunately no change.

You may have a meter in a metal box that attenuates the signal when the overlay battery is weak. This was the case for me.
#69 20128772 03 Aug 2022 22:11

olekdata olekdata

Company Account
Level 12

» | Helpful post? (0)

Post #69
20128772 03 Aug 2022 22:11

Welcome back.

I most likely have a non-functioning rtl-sdr usb dongle.
I also found that I can't read the weather station on the same 868Mh frequency. Although FM radio could be listened to, but it's a different range.
So I made a receiver on esp8266 and cc1101 and it went, with the station.
With the same set up he wants to get on with the apator162. Following the thread on reading w-mbus Remote water meter reading with IZAR overlay .
reads w-mbus, not wanting to play with decoding I send the frames to wmbusmeters
Code: Bash
Log in, to see the code
.
(:hex is intentional)
Something pops up for me, but without meaning to. Different id every time, let alone the rest.
Code: Bash
Log in, to see the code
.
Or is there a different key to the zeros themselves?
Is it possible to ask for some guidance.

Company Account:
DataSoft
ul. Wejherowska 110, Szemud, 84-217 | Company Website: olekdata.pl
#70 20162373 26 Aug 2022 19:43

_Szczepan_ _Szczepan_

Level 11

» | Helpful post? (0)

Post #70
20162373 26 Aug 2022 19:43

Component for ESPHome to read wMBus T1 868.95Mhz frames.
https://github.com/SzczepanLeon/esphome-components
#71 20335856 15 Dec 2022 11:01

_Szczepan_ _Szczepan_

Level 11

» | Helpful post? (+1)

Post #71
20335856 15 Dec 2022 11:01

Component for ESPHome to read wMBus T1 868.95Mhz frames.
https://github.com/SzczepanLeon/esphome-components
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply | New topic

Report a violation of the law

Topic summary

The discussion focuses on reading W-MBUS (Wireless M-Bus) protocol data from Polish water meters, particularly those manufactured by APATOR. Users report significant variability in frame lengths and note that APATOR employs AES-128 encryption (AES CBC mode) on most or all data fields, except for frame headers and CRC. The AES key for new overlays is often set to 16 zero bytes by default, but suppliers typically do not share encryption keys or detailed protocol documentation, citing security and anti-tampering concerns. Physical access and interference with the overlay hardware may allow key extraction, but this is complex and legally sensitive. Some users have reverse-engineered parts of the frame structure, identifying standard W-MBUS fields (SOF, length, CField, MField, AField, CIField) and manufacturer-specific data blocks containing encrypted consumption and status information. Tools used include ADEUNIS USB WMBUS dongles, RTL-SDR receivers, and software such as Inkasent PC3 and open-source projects like wmbusmeters on GitHub. The SPIRIT1 and CC1101 radio chips are commonly found in overlays. Other manufacturers like BMeters provide OMS-compliant frames, which are easier to interpret. Attempts to read APATOR meters with alternative radio modules (e.g., RFM22, RFM69) and LoRaWAN networks are ongoing. Some users develop custom software APIs in Python and C for frame decoding. Overall, the community faces challenges due to encryption, proprietary data formats, and limited manufacturer cooperation, but progress is made through reverse engineering and open-source tools.
Summary generated by the language model.