
W-MBUS protocol reading in APATOR water meters - encryption and documentation

mks 53550 70
Best answers

How do I read APATOR W-MBUS water meters, and are their frames encrypted or documented?

Apator W-MBUS overlays use AES-CBC encryption for the payload, with the default key reported as 16 zero bytes on new overlays, while the frame header and CRC remain unencrypted [#16996548]. The standard W-MBUS part of the frame can still be parsed: for example, 0x3E is the length, 0x44 is the frame type, 0x0106 identifies manufacturer APA, then come the device ID, version 05, type 07, short header 0x7A, access number, status, and config fields; the remaining bytes are manufacturer-specific/encrypted data [#17268764][#18112678]. One reply notes that Apator’s own Inkasent PC3 software is where the decoding logic lives, and that Apator software is available from their server, but competitor software usually does not contain other vendors’ protocols [#17311046][#18436669]. In practice, people in the thread used tools like ADEUNIS WMBUS dongles or RTL-SDR, and support for Apator overlays was added to wmbusmeters, which can at least decode the current consumption [#17883347][#17268764]. The thread also indicates that Apator meters can transmit extra information such as reverse flow, leakage, low battery, and historical readings, but that extracting the full meaning likely requires reverse-engineering the vendor software or getting access to the overlay configuration tools [#18436669][#16854306].
Generated by the language model.
  • #61 19274244
    BartekLegnica
    44 01 06 10 36 80 01 05 07 7A 39 00 30 85 96 74 DB F3 F7 15 B7 9B 3E B8 25 C7 38 18 73 0E B1 21 6B B2 66 B8 6C 56 DF 84 C4 04 55 42 6B F6 46 A8 42 9E 7F C1 A7 8E 30 26 B2 A7 4B DA E6 F2


    Can anyone help with reading the value from this water meter?
    Frame type: 44
    Manufacturer: 0601
    Serial: 0180361
    Version: 05
    Medium: 07
    Header: 7A - Short: 7A
    Counter: 3A
    Status: 00
  • #62 19282493
    sholek
    TvWidget wrote:
    Data can be collected but
    - may be sent very rarely e.g. once a month
    - can be encrypted

    The data I know:
    module no 04B648045515[XXXX], status both stored in the overlay and the water meter, still such information OBIS channel: 0x08000100[XXXX]

    where [XXXX] is a string
  • #63 19292365
    vania
    BartekLegnica wrote:
    44 01 06 10 36 80 01 05 07 7A 39 00 30 85 96 74 DB F3 F7 15 B7 9B 3E B8 25 C7 38 18 73 0E B1 21 6B B2 66 B8 6C 56 DF 84 C4 04 55 42 6B F6 46 A8 42 9E 7F C1 A7 8E 30 26 B2 A7 4B DA E6 F2
    Can anyone help with reading the value from this water meter?
    Frame type: 44
    Manufacturer: 0601
    Serial: 0180361
    Version: 05
    Medium: 07
    Header: 7A - short: 7A
    Counter: 3A
    Status: 00

    After decoding the frame it turns out that all the data is contained in "manufacture specific data".
    Meter values:
    DIF:0Fh (SpecialFunctions)
    Manufacture specific data:
    4A5282952D02004380008051648C51648C01010000108000000071013A0000003A000000A008C9F503FFFF3A7B

    I decoded the frame online: http://www.miller-alex.de/WMbus, AES key 00000000000000000000000000000000. At the beginning of the frame you need to add its length in hex (3E).
    Look in this "manufacture specific data", write down some water meter states and the corresponding frames and you will see where things change.

    I don't have access to APATOR, I play around with B-METERS. There, in manufacture specific data, the reading history and error flags are stored. The current status is in the standard fields: DIF:0Ch (Bcd8) VIF:13h Date:34120700h Volume 71,234 m³
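
The unencrypted header fields and the security-mode-5 (AES-CBC) initialisation vector for the frame quoted above, as an added example that is not part of the original posts or of wmbusmeters. It assumes the OMS short-header layout (CI 0x7A) and a frame with CRCs already removed; the function names are illustrative.

```python
# Added example (not from the thread): header parsing and mode-5 IV derivation.
# Frame bytes are the ones quoted in the thread, with the L-field 3E prepended.
FRAME_HEX = (
    "3E 44 01 06 10 36 80 01 05 07 7A 39 00 30 85 "
    "96 74 DB F3 F7 15 B7 9B 3E B8 25 C7 38 18 73 0E "
    "B1 21 6B B2 66 B8 6C 56 DF 84 C4 04 55 42 6B F6 "
    "46 A8 42 9E 7F C1 A7 8E 30 26 B2 A7 4B DA E6 F2"
)


def manufacturer(m_field: bytes) -> str:
    """Decode the 2-byte M-field: three 5-bit letters, little-endian."""
    v = int.from_bytes(m_field, "little")
    return "".join(chr(((v >> s) & 0x1F) + 64) for s in (10, 5, 0))


def parse_header(frame: bytes) -> dict:
    """Parse L, C, M, A, CI and the short header; CRCs must already be removed."""
    if len(frame) < 15 or frame[0] != len(frame) - 1:
        raise ValueError("L-field does not match the frame length")
    if frame[10] != 0x7A:
        raise ValueError("only the short header (CI 0x7A) is handled")
    cfg = int.from_bytes(frame[13:15], "little")  # configuration word
    hdr = {
        "c_field": frame[1],
        "manufacturer": manufacturer(frame[2:4]),
        "id": frame[4:8][::-1].hex(),         # BCD, least significant byte first
        "version": frame[8],
        "type": frame[9],                     # 0x07 = water
        "access_no": frame[11],
        "status": frame[12],
        "mode": (cfg >> 8) & 0x1F,            # 5 = AES-128-CBC with dynamic IV
        "enc_blocks": (cfg >> 4) & 0x0F,      # number of 16-byte encrypted blocks
    }
    # Mode 5 IV: M-field + A-field (ID, version, type) + access number x 8
    hdr["iv"] = frame[2:10] + bytes([frame[11]]) * 8
    hdr["ciphertext"] = frame[15:15 + 16 * hdr["enc_blocks"]]
    return hdr


def key_looks_right(plaintext: bytes) -> bool:
    """In mode 5 a correctly decrypted payload starts with two 0x2F filler bytes."""
    return plaintext[:2] == b"\x2f\x2f"


if __name__ == "__main__":
    h = parse_header(bytes.fromhex(FRAME_HEX))
    print(h["manufacturer"], h["id"], "mode", h["mode"], "IV", h["iv"].hex())
```

Decrypting `ciphertext` with AES-128-CBC under the candidate key and this IV, then running `key_looks_right` on the result, separates a wrong key from a framing problem such as a missing L-field or leftover CRC bytes.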
  • #64 19869990
    Idealsound
    Hello dear all, I need help to clarify some issues related to the WMbus radio module.
    Do any of you have enough knowledge to help me with the design? Write to me privately; any help is welcome!
  • #65 19895171
    olekdata

    Greetings,
    I have the simplest receiver connected to the RPi:
    [image]
    After rtl_test I get:
    [image]
    and after rtl_sdr -f 868.95M -s 1.6e6 -n 100 -
    [image]
    It seemingly receives something, but no frame from Apator.
    I listened for several hours in the middle of the day.
    After rtl_sdr -f 868.95M -s 1.6e6 - | rtl_wmbus
    nothing shows up, although there are two meters with Apator overlays in the same room.
    [image]

    What else can I check?
    Is the receiver responding correctly, and is this received "rubbish" the correct response of the receiver?

    Greetings.
    Company Account:
    DataSoft
    ul. Wejherowska 110, Szemud, 84-217 | Company Website: olekdata.pl
  • #67 19896753
    olekdata

    rtl_sdr I had installed from the standard package
    apt-get install rtl_sdr

    However, I compiled it from scratch as was done in the indicated post.

    unfortunately no change.
  • #68 19940320
    Vivant
    olekdata wrote:
    rtl_sdr I had installed from the standard package
    apt-get install rtl_sdr

    However, I compiled it from scratch as was done in the indicated post.

    unfortunately no change.


    You may have a meter in a metal box that attenuates the signal when the overlay battery is weak. This was the case for me.
  • #69 20128772
    olekdata

    Hello again.

    I most likely have a non-functioning rtl-sdr USB dongle.
    I also found that I can't read the weather station on the same 868 MHz frequency, although FM radio could be listened to, but that is a different range.
    So I made a receiver on esp8266 and cc1101 and it worked with the station.
    With the same setup I want to get on with the apator162, following the thread on reading w-mbus, "Remote water meter reading with IZAR overlay".
    It reads w-mbus; not wanting to play with decoding, I send the frames to wmbusmeters:
    [Code: Bash, not shown]
    (:hex is intentional)
    Something pops up for me, but it makes no sense. Different id every time, let alone the rest.
    [Code: Bash, not shown]
    Or is there a different key than the zeros themselves?
    Is it possible to ask for some guidance?

Topic summary

The discussion focuses on reading W-MBUS (Wireless M-Bus) protocol data from Polish water meters, particularly those manufactured by APATOR. Users report significant variability in frame lengths and note that APATOR employs AES-128 encryption (AES CBC mode) on most or all data fields, except for frame headers and CRC. The AES key for new overlays is often set to 16 zero bytes by default, but suppliers typically do not share encryption keys or detailed protocol documentation, citing security and anti-tampering concerns. Physical access and interference with the overlay hardware may allow key extraction, but this is complex and legally sensitive. Some users have reverse-engineered parts of the frame structure, identifying standard W-MBUS fields (SOF, length, CField, MField, AField, CIField) and manufacturer-specific data blocks containing encrypted consumption and status information. Tools used include ADEUNIS USB WMBUS dongles, RTL-SDR receivers, and software such as Inkasent PC3 and open-source projects like wmbusmeters on GitHub. The SPIRIT1 and CC1101 radio chips are commonly found in overlays. Other manufacturers like BMeters provide OMS-compliant frames, which are easier to interpret. Attempts to read APATOR meters with alternative radio modules (e.g., RFM22, RFM69) and LoRaWAN networks are ongoing. Some users develop custom software APIs in Python and C for frame decoding. Overall, the community faces challenges due to encryption, proprietary data formats, and limited manufacturer cooperation, but progress is made through reverse engineering and open-source tools.
Generated by the language model.