W-MBUS protocol reading in APATOR water meters - encryption and documentation

Question

Hi, Has anyone of you ever played with reading the MBUS protocol (W-MBUS / Wireless MBUS)? I would be particularly interested in reading water meters of Polish manufacturers with the emphasis on APATOR water meters. So far I have looked at the frames sent by 2 different water meter manufacturers...

retrofood · Answer

. I do not know what the situation is with water meters, but the subject of electricity meters does not encourage optimism. Energy suppliers are reluctant to share even the information necessary for the user, and knowledge of the full capabilities of the meters is more secret than military weapons. Few employees of the supplier have access to it and that's the end of it. The monopoly cannot be broken.

mks · Answer

However, one can understand the fear of tampering with the readout....
The desire to make money from the readout software and hardware also remains.
In any case, if anyone would like to see what the electronics from the radio overlay look like then the pictures are attached

TvWidget · Answer

Why do you need this information? External solutions are available for most meters to duplicate the radio chip inside.

mks · Answer

To write software to read water meters. Unfortunately I am reliant on apator and tenn does not want to share data.

ShEvU_elektro · Answer

The manufacturer declares that you can change the AES key when you know the previous one.
In that case, the new overlay, which costs 93 net, has an AES key that is reset to zero.

I wonder if there is the possibility of some kind of key reset when you have physical access to the overlay.... Have you asked the manufacturer ?

P.S I myself am trying to master remote reading.

P.S 2 - can you write the symbol of the radio chip ? Looks to me like some CC11xx

P.S 3 - don't you have more of these working overlays ? I would be happy to buy back for a small amount of money

mks · Answer

. No, I have not asked. . I see it poorly from my experience unfortunately.... But I hope you will share the information, whatever it may be . I have it somewhere, I asked on the ST forum myself. . The one I bought for myself was uceglified (I reset the program with the ST-Link programmer). I bought it on the most well-known auction portal for circa 50zł + shipping including water meter. The current situation is that I have (and will have) access to both the reading/programming device and the programmes. If you're patient I'll write something about it when I find the time to test it. More likely it will be after May. To be honest I don't think the default overlay key should be zeros alone. Of course I could be wrong, but I can provide you with example readings of several of the same overlays that differ only in date/time. If it was as you say then it would be possible to read these frames. If there is an opportunity to work out how it works then I will try to do it. I think then already with a piece of my own software.

ShEvU_elektro · Answer

As far as I can see it is the SPIRIT1 chip from ST. I have already ordered two counters. I'm looking for one more to use the overlay as a dev-board.

mks · Answer

. Yes, that's the one. At least that's what they told me on the ST forum. Edit: Actually, the new overlay has by default an AES key consisting of only zeros.

ShEvU_elektro · Answer

. I would be very happy to look at this data.

mks · Answer

These figures in the appendix are overlays + water meters.

ShEvU_elektro · Answer

Super. Thanks. Did you get hold of any wm-bus documentation yet ? Can you provide the ID of the overlay whose frames are in this file ? My meters will arrive in the days, so I will also fight

mks · Answer

So off the top of my head I won't tell you. On another example I can, but when I get home.
But generally it's that yellow A-Field.
As you have the value: 53 83 07 01 05 07 it generally reads "backwards". Something like 50 10 70 38 53. You have the overlay number on the overlay itself and on the PCB (where the QR code is).

As for the documentation, all of it is on the internet, but trying to decipher it without knowing what is being sent is a breakneck thing. There is a lot of this stuff in Apator.

ShEvU_elektro · Answer

Ok I understand. What did you use to collect the frames ?

mks · Answer

ADEUNIS DONGLE USB WMBUS AMR + software from the same company (free of charge, after prior e-mail contact). You might as well use any terminal (e.g. Termite), because everything goes over COM.

nyczz · Answer

Request to mks - is it possible to contact privately? i have some questions on the subject.

mks · Answer

. Privately you can, but if it's public then maybe someone else will benefit. I leave the decision to you.

pol102 · Answer

I'm just sitting on the topic, but this can probably be worked out quicker. Knowing that a regular overlay needs a converter to rs232.... you can force read.... I don't think the radio version is significantly(anyhow) different from the one on the cable.

mks · Answer

Will you elaborate on your thought? Because I don't quite understand two things - how can you force read? AND how is it supposed to be faster?

ShEvU_elektro · Answer

The colleague is a bit mistaken. The protocol itself is a bit similar to M-BUS, but only a bit. WM-BUS is governed by slightly different rules when it comes to communication.

mks · Answer

And I still have no idea what knowledge of RS232/M-BUS/WM-BUS has to do with real reading (not to mention communication)? Knowing the protocol is not the same as being able to interpret the data.

First you need to know what the frame looks like and what is contained in it. And this is unknown, because the frame can vary depending on the configuration of the overlay.

In my opinion, you can:
- try to decipher the framework by changing the configuration of the overlay (and for that you need their tools)
- decompile their software (basically an Android app) and try to see what it looks like in code.

Or both. Either way, even with access to the device, overlay and software, it's not going to be that quick to sit down in one evening and figure out what's what.

Am I wrong somewhere in my reasoning?

nyczz · Answer

Request to mks - please contact me at a.polak18@onet.pl.

mks · Answer

. Use private message.

tmf · Answer

The topic seems to have died a little, but maybe it is worth refreshing. I have an overlay on a water meter from Apator, I would like to read current water consumption from it precisely for HA purposes and detection of possible problems (leaking installation, anomalies in water consumption). Is this part of the meter information transmitted unencrypted or is it encrypted with AES?
Any progress on decoding the frame and receiving it? Will radio modules on 868 MHz receive such a frame? I am thinking, for example, of a simple RFM22 or related?
Assuming the pessimistic variant - the whole thing is encrypted. Has anyone processed getting an AES key from the water supplier? Overall, the water meter belongs to the property owner, from which it would follow that they have to share the key as it's my device.

ShEvU_elektro · Answer

. Overlays always have AES CBC encryption enabled. The new overlay has the key set to 16 zeros. All data is encrypted - obviously this does not apply to the frame header and CRC fields. . The supplier or operator will not give you the key because then you could change the overlay configurations - delete alarms too (e.g. magnetic field detection). P.S. The key can be extracted - however, interference with the overlay is required. . I intend to attempt to fire up WMBUS on RFM69 in the near future.

ShEvU_elektro · Answer

Confidence. I'll try to get the configuration right for RFM69, as that's what I'd ultimately like to run this on. I want to finish the API for their frames first. BTW. unlike Apator, the WMBUS overlays from BMeters I see are OMS compliant, so you can easily interpret the data from them

tmf · Answer

On which MCU are you writing the service?

mks · Answer

. How?

ShEvU_elektro · Answer

. For the moment, the API is being written in Python on the PC - while I 'play' with the overlays. Once I've got everything done, I'll then rewrite it in C to add it to my device I'm working on It's based on STM32.

W-MBUS protocol reading in APATOR water meters - encryption and documentation

Post #1

Post #2

Post #3

Post #4

Post #5

Post #6

Post #7

Post #8

Post #9

Post #10

Post #11

Post #12

Post #13

Post #14

Post #15

Post #16

Post #17

Post #18

Post #19

Post #20

Post #21

Post #22

Post #23

Post #24

Post #25

Post #26

Post #27

Post #28

Post #29

Post #30

Topic summary