I love how far this is going! I can't wait to see the final steps one day!

I work alongside energy providers. A UK industry approved electric smart meter has 3 anti tamper switches built in. It sends a signal if any tamper is detected. It also flags if the meter doesn't pole within a given time frame. When it flags up we get the job to attend and investigate.

Just subscribed. I'm an old electronics engineer (in my 60's) and I find what you are doing, fascinating. Back in the early days, all the microchips only had 8 legs, and I could see them all without a magnifying glass. 😁

The local power company swapped out my meter to a smart meter a few months ago. For over 20 years I have always consumed between 205-270 kwh per month. First bill with the smart meter was 280 kwh, second 285. Two highest months I've ever had in 22 years here! Instead of electronically attacking the meter, I just pieced together everything I need to go off grid. I'm curious what the meter will read in a few months with my main breaker turned off!

I have friends working on smart meter head-end APIs here in New Zealand who are quite interested in your vids funnily enough ;) Thanks for sharing!

This is way above my head how you work it out but interesting what you are doing, and yeah i really do think we should know what kind of data is being shared with these companies 👍🏾

Awesome explanation! Thanks for sharing your learnings with us!

Great success! I've noticed my Aussie ones have an IR IO for the meter reader, but commonly now they have a 3G or 4G modem in them. Happy to solder up something myself for you to test.

Great progress on this. Can't wait to see what happens next :)

your process reveals a ton of info, thank you

The special cable you need. Is an IR input output cable. On the front right of the meter you’ll see 2 round IR diodes. One is output one input. That’s how they communicate to a laptop. It’s basically the smart meter network cable. The plastic cover normally has a triangle directly in front of the IR port. It’s what aligns and holds the programming cable to the meter. They plug in via usb to the laptop. The program sends the information @ 9600 baud and the same 16 bit data you already have created.

I remember glitching from the days when I glitched DTV cards! very cool.

My man! Excellent clip from Sneakers!

There is a guy who did a similar technique to break into a bit coin wallet, did you see that video?

Ever since SCE switched to smart meters, they no longer declare the kWh “from/to” readings on their monthly bills. I wonder how they’re able to get away with this. Imagine a gas station not displaying their meter readings at the pump. How is the Department of Weights and Measures okay with this practice? This is a serious concern.

A bit of addition to "38911bytefree": there is no real requirement to keep the meter's firmware secret (mainly IP protection). As part of the security certification, the certifier may even get access to the source code to search for vulnerabilities. And in many cases, even the commented source code is pretty incomprehensible for the uninitiated. The main protection is that every meter has individual cryptographic keys. As smart meters are a very cost-sensitive product, all unnecessary functions are omitted (memory costs money). Often not more than an RTE such as a stripped-down ThreadX or embos. The attack surface is small, the devices use only one protocol (ANSI in the USA, DLMS in pretty much the rest of the world).

Nice work fella. Keep on a working with 0's and 1's for total control.

No idea where this is gonna take you but I had to subscribe. Too damn cool!

0:29 - Anybody remember how to defeat an electronic keypad from the 90s ? - Don't even joke about that Martin, those things are impossible... X'D

Glanced past your channel and it seems like you're more interested in the meter boards when all the juicy attack surface is on the multiple AMI chip vendors. FYI, what you're examining is simply the board that provides basic volt/amp/angle/phase info to the meter. Every single manufacturer has multiple RF/PLC chips that go into their meters. But I would hope you know that. For instance, that Landis & Gyr meter you show has no less than 20 companies making AMI chips for it. If you want to attack one, start with it's modulation interface which is always handled by the AMI vendor. You wanna reset your meter? Change the read? Disconnect/reconnect? Change the MAC address? Date/time? Intercept interval usage? Set outage notification? Voltage notifiers? Temperature? Tamper indication? All handled by the vendor chip.

Very cool. Having read Colin O'Flynn's new book, I'm looking forward to seeing you put some of those techniques to work. Good luck!

You mean the built in back door they engineered into all our chips. Gotcha...

Even though I don't use these systems unless I flip on a switch in someone's establishment. I have to say. This is the very thing that everyone should get involved in. I have several ideas in this reversed engineering concept which we could all use today. However there are not but a hand full of electrical engineers that have the honor and integrety to take on these tasks. I wish I could work with this man on projects like this. Even though my cousin is the inventor of the FIRST IC. I was never afforded training in electrical engineering, so I'm only an inventor. But.....EVERYTHING STARTS IN THE MINDS UNDERSTANDING. keep up the great work 👍 I'll be watching. Peace ,✌

I think my smart meter is picking up multiphase, var freq motors pulses and running my bill up 30+% .

I am a magnetics and different forms of electricity specialist. I have also noted weird behavior when using some specialized transmitting equipment not even too near to computers... Yes, you are very right on your approach. ... Have you watched Ben Gurion university hacks? They also boast a lot of different types of attack possibilities. I am very interested in this reserach you are conducting as it is one of the key areas of the fabric :) . I have created self charging power sources and quite some other types of more exotic devices so I am always open to watching new avenues. This Smartmeter hacking is very tantalizing. You hit right on spot with the importance of this project. Congratulations!

Now this has me pondering if there would be any useable benefits to employing such a method as this to automotive applications? Fascinating video sir and though, in the words of Sgt. Schultz, "I know nothing", I'll definitely be tagging along for this one. Thank you for the video!

Amazing video, so detailed! Just curious, how do you get so much time to do such deep work on this? Are you a full-time cybersecurity analyst for smart meters or is this a personal interest/hobby?

Since we are in real danger of an EMP attack, how would that effect these smart meters verses the older mechanical one?

Very interesting. My city currently does not have smart meters. The one on my place is digital but not connected to anything else and quite a few around town are the old analog ones. They are wanting to change that so they can do prepay, monthly average billing, and a few other things. I have heard that the way the digital ones figure a KWH is different than the old analog ones but have no clue. I have my own meter based off of an ESP32 running ESPHome hooked up to the main panel feeding data into HomeAssistant so it will be interesting if there is a difference from the old meter to the new ones if they are put in.

My interest in your pursuit is mundane but has benefits to all of us who use the services of the electric companies. While living in my mountain home in Costa Rica paying about $75.00 monthly one month it skyrocketed to $350. Thinking the decimal was erroneously positioned , I went to the GOVERNMENT electricity company( ICE) and waited to see an ICE rep. While in line two other people had a similar issue and we all allow could hear the ICEagent tell (accuse)both customers separately that THE CUSTOMER was responsible for the excessive monthly usage charge , claiming that the customer was having many lights on, cooking up excessive pork rinds, Ticos love making Chicharones, or that their was a short in their home electrical system and a few other made up contrivance!! Sadly the poor customer paid the bill. The EXACT accusations were leveled against me !! And under duress I paid my electric bill. In the few days following on a local FB page I noticed a lawyer named Mauricio , who spoke perfect English and was a Fan and could recite passages verbatim of the Classic Movie The Princess Bride,,, from San Jose, who has a rental property near the village of Ojochal was asking about anyone else incurring excessive electricity service charges!! Hmmmmmm. A random pattern was becoming Obvious! I'll cut to the chase ! I confronted the ICE agent with photos of my meter reading and asked for their recording of my meter reading and their reading was blatantly five times higher and apparently ICE was sporadically and without remorse continuing their fraud ! While THE Particular month's charge was adjusted they wouldn't lower or refund the previous months!! I began demonstrating through local community media how to combat this fraud and then ICE started intermittently cutting my power and also threatening for me to move my meter from my house to a half mile away ! The resulting cost of that possibility had me bite my tongue and coupled with their border customs immigration service agent threatening to not allow me back into ( PURA VIDA) Costa Rica I decided to sell and return to the US. Fast forward my to my new residence here in the Eastern Appachian foothills of Kentucky where I have a main cabin and an empty horse barn with one light in use and with a spot electric heater for a tool room I was being charged almost as much electricity for the barn as the main cabin which has all the normal appliances and then some. So I performed a simple test. I deliberately ran the spot heater ,1500 watts , in my barn for an hour observed the usage showing on the Smart Meter display and then ran the heater in the main cabin for an hour and the meter reading was 3 times higher that the main cabin meter reading!! So call my provider and alarmingly I notice similar condemnation of my usage as in Costa Rica. The agent said that the meter CANNOT be Manipulated or Hacked and I'm still waiting for a replacement meter and as of March 10th 2022 no replacement . The claims of replacement of the previous Analogue meters with the present Smart meters is to have customers be charged more equitably for usage during peak hours of The Day and less at night when usage is less ,, well that is BS . Are we to NOW supposed to cook clean bathe perform work tasks from 7pm till 5 am ?? I think your quest may be more beneficial than you think!! What do you think??

First video of yours I've clicked on. Very intriguing subject. I definitely dig both the technical challenge and the phreaking. But, I'm 98% certain the current reading of the laws could put using this type of device to tamper with the truthful readings of an electric meter firmly in the illegal category... That said... Good stuff. Subscribed! 👍

Wow. You are providing a great service. Love the movie clip

Here's a question with a problem this video would address... My water meter is wireless and 'read' by the water company from a truck that parks across the street. Ironically, or not so much, my water minimimal water draw is usually almost exactly the same every month... but 2-4 months for the past few years the meter 'reads' almost twice or more water randomly some months... there's NOTHING that draws an extra 1000-2000 gallons a month possible around here.. not even a dishwasher or clothes washer. My theory is the guy is occasionally reading the house across the street with a family of 5 that easily uses the spiked amounts I randomly see. They say nope, that's your water bill but it's not possible to randomly change like that over the past few years. They already made a $500 error misreading 1 first number a few years ago i had to fight to reconcile, them always telling me i'm wrong... but they found my old meter and a pic of it, and I was right about a 1,000 gallon over charge. So... I bet here is where we can figure out if they guy is getting 'mixed signals' from the wireless meters, or it's the mixed signals in their head I have to straighten out once and for all. You have your mission. What say you all?

This meters have really complex SW models regarding SW separation to protect the legally relevant sections that are sensitive since they are related to billing. On the other side, you cant hide (to their systems) that the meter has been tampered with, and even when you are able to do that, you will trigger alarms on their systems, as they keep analizing and comparing anything with your historic. I suggest you read the current regulations for this kind of devices and how Utilities work. This is, nice as project, never attemp that on a real billing device. They can submit the meter to its manufacturer for audit when in doubt. And yes, THIS IS THING. It is way more recilient than you think.

Oh thank heavens. You stil need physical access for attacks like this, so I'm fine with those. It's the potential for remote attacks that concern me most.

When I was growing up. I remember my mother had a friend come over and pull the power meter out and turn it upside down and plugged it back in. So we could use the crap out of the power for 2 weeks . The meter was running backwards.. Then the guy came back and pulled it out and turned it right side up and plugged it back in. So we could use the crap out of the power again. Sorry but my dad wouldn’t pay my mother child support. Why? Because they didn’t have that program back then.

in my country there is no smarmeter network. they just dump prepaid meters. you enter code and enables more eletricty units

I have been refusing smart meters for years now. Never was I going to let something like this even near my home. Until now. Now I wanna explore these evil things. 😂

I wrote software for two of these types of meters. They have two basic functions, to meter the power being used and to send it upstream to the power company. The former you can easily do without messing with the meter simply by hooking an ammeter arrangement up to (say) a Raspberry PI. You can even do that without breaking the circuit (non-contact ammeter). If you are interested in verifying your power bill is correct, that is the way to go. The other purpose would be breaking into the billing part to scam the power company. It would be a lot of work to do, and the power company can do things like tally the individual meters against the power consumption for the whole neighborhood to trace down who has broken into their meter, resulting in anything from having your power cut off to jail time.

You need to be careful It is possible for a brownout to find reflash code and completely erase the flash in that Atmel processor.

Sharing software in this case is not copyright related but it can still get you into trouble. Just doing it can get you into trouble.

Who's the manufacturer of the meter and what power company uses it?

This is so interesting!

really diggin' this.

You sir! You are my new favorite channel !

Good Ole HP48G ! Loved that thing. Now I need a backlight, so went with that HP.

do these run an interface on a handset that accepts commands like an ip camera?(does it have a webserver for meter readers to use the handset?) sometimes those commands are passed as system and you can make it do interesting things like keep cycling a reboot until it goes to a debug mode where you can pull the entire file directory all firmware and drivers

Reading the transmitted data would be interesting. There is a cell and a repeater network signal output. That's what an employee divulged.

It would seem that anything digital can be hacked …… in time.

You can share the ' spec sheet ' of the firmware. Do some research of the BIOS wars and how cloned BIOS was done legally. They had 2 teams, first dug in the code and created a list of data points, pointers ( with different names than the original ) and basically a ' spec sheet ' of what it did, the second team took the data, a motherboard with no ROM and made their own. The ' team two ' aspect would be the rest of the world. It's still considered Case Law in the USA, just ask AMI Bios.

I have been able to receive and decode the transmissions of these smart meters using a device that is readily available. It's based on a SDR. Do you have specific frequencies that they use because looking at some of the data sheets of these meters they can be interrogated over radio frequencies. They may be programmable over radio too. The smart meter that was installed by the electric company in my house was done by some stupid woman that just killed the power to my house without even a warning. The next thing I hear is a banging noise as she is hammering on the old meter to get it free. I'm annoyed that the electric company can just come onto my property and install a radio transmitter without notification of any kind.

Their lawyers are working full time.

@Recessim Why don;t use quarz lighter trick? Should be working like to other electronic device? Remove quarz from a lighter, then engage electric arc from quartz near lcd side. You must find in which side. Electronics must enter to a glitch and freeze. Try that for a new video.

"Smart Meters are Vulnerable to this Attack..." "What is a claw hammer?" DING DING DING!

Eagerly waiting for the next update 😬

Lol...video brought back memories. I remember "glitching" HU satellite cards back in the early 2000s.

It is very annoying that smart meters report logging data back to base but not locally (although they do send data to the local display, so maybe one ca get useful local logging that way?) I just want logging data from my own meters. Doesn't seem unreasonable, but so far as I know is not provided.

Thank you for showing the vulnerability of UK smartmeters.

if you tamper with a meter, that’s theft of service. Your service will be turned off. When they catch you, you will have to pay a large deposit and a large fee and pay for the meter. You have tampered with to be replaced. after of year of behaving yourself, you will get all your money back with interest. I am retired from an electric utility company, and I worked in the field, doing investigations as well as other duties when people would move in, or move out, needed their final bill, or a beginning bill, or if they have not paid, I was sent out to turn the service off. When they paid a reconnect fee and a deposit and their entire balance., they would send me out to reconnect the service. I can’t begin to count how many theft of service situation’s I encountered . hundreds Sure there’s lots of ways People can bypass the meter... but don’t get caught… just a simple decline in your average bill year to year will trigger an investigation.. but just consider this. Would you be better off without electricity service at all?

In Australia Smart Meters are forced on all new home builders and any whom upgrade to solar. Including those who have battery backups. That said I'd like to ask you... Do you Consider the Smart meter to be a certifiable metering device?

If the meter is really smart it will report the tamper attempt before you could even start glitching it.

How long before you hear in the news *"...today, a man was charged with fraud after an energy company discovered an Arduino wired into his smart meter..."*

It is great how bad ass I feel, just by drinking half a bottle of sweet white wine and watching one reverse engineering hacking video on youtube...

you are a national asset.

Companies are manipulate the meters. Does anyone consider that smart meter allows the power company to speed up your meter! That is why alot of people are saying the smart meters are reading more or faster.

Hash, good stuff. Distributech International is in your back yard May 23-25 with every smart meter manufacturer attending - in case you're interested. 🔌

ive installed a bunch of mod chips and this is so cool.

last week another seeminly routine automatic windows10 update crashed my hard drive. to save updates it shut down came back on but this time error codes popping up nonstop. stop code system service exception, unexpected store exception, unexpected kernal mode, kernal data inpage error, error 87 & cleanup image is unknown. i googled the repair was directed to defaults in command software and had to set moduals installed to manual. somehow the update set it to auto. i got pc back to 70% working but anytime i try to google anything hardrive crashes again & again. its pooched

Great work, You have invested many hours! Do You have any idea on how people inject a frecuency thru a capacitor yo isiste from the 220 volts backwards tord the meter, I meen from inside a house and it confuses the meters sensor? Cheers from SOUTH AMÉRICA

Really like your videos, thanks for uploading them. Is their any chance that I could get a copy of your C code and python script that you used just for my own interest. Also the chip whisperer you used. Is that the CW 1173 lite version or some other ?

why can't you accept funds directly? There's nothing illegal about that... Because if you're worried about legality, then you should understand that even your open source software is illegal under the reverse engineering clause of the DMCA

WHAT IF a neighbor has weaponized your smart meter and the EC WONT listen and it is being used against you with MUCH pain? it was changed in Feb with NO knowledge of the EC...PLS HELP???

but can you glitch automated fuel station to trigger plc to activate fuel pump relay

Any idea how I can use a flipper zero on my meter ?

Here from. Tik tok! Love the content.. Hardwear cracking was a interest of mine!

The reason channel's like this are allowed is because it's a great way for various intelligence agencies to crowd source possible fixes for vulnerabilities, for free. I'm not saying that it's a bad thing, necessarily. Bcause at least everybody still gets to learn things they didn't already know. I'm just letting people know why certain subjects, that you'd think would've already been forbidden years ago, are allowed to stay on big platforms. These big platforms aren't just "being nice." But hey, I like learning new things, too.

So it seems like you're doing some kind of trial-and-error "brute-force" attack on the processor chip by spiking voltages with various specific input patterns and seeing how it responds. But my question is, how is that supposed to help you retrieve the full firmware on that chip exactly? Seems more likely/plausible that you'll just be interrupting normal operation with some "glitches" as you put it (which is more likely to hang/freeze the program or cause it to malfunction, surely?) - I don't see how this could actually be beneficial in a practical sense. It could take years and years of tampering and still come out with nothing, wasting all that time - right? So could you summarize the objective as follows: glitch the chip in the HOPE that by some stroke of sheer luck, the security bit be misread by the processor for enough duration that it thinks its not protected and then you can start reading the firmware with an SPI/JTAG interface? It just seems a bit far fetched that you could obtain any useful information from the chip simply by fluctuating supply voltages? What am I missing? :) This almost seems like "hollywood worthy" sci-fi fiction, lol. But respect to you for the patience to do this type of work where it may seem like you're "working in the dark" until those waveforms on the scope start to make any real sense

is he keep people on just to rase his rating ? over my head hop it works

Hi how to get the same Model without Steel them? Its an Landisgyr E450 G3. And I guess the use a Custom FW.

I'm in the acquiring hw fase. and reading the phabulous manuals fase. this will b fun. thx

Why not an ICD and brute force the bit flip?

will just replaced shunt resistors which measure currents.

My meter is digital. What if one just went out there with a rubber mallet and just starting hitting it from angles or used something with super heavy vibration. Surely the vibration would Jack the chip board up which in return sends or doesn't send data to the billing department. There would be no way for them to prove you did it. These companies are scamming us.

I got questions Can I hook my smart meter to a inverter .to block any data it's collecting .

I would love to see the results of a complete reverse engineering of one of these damnable devices and how they are used to work with smart devices in our homes against us. This IOT technology is taking our privacy away!

What app are you using to get the data sheets? Is it free, or what is the cost?

This is very interesting. Thank you

first time watcher.. you just showed up in my list of things to watch. Love this.. Ive used voltage glitching before, I have actually seen it done purposely by a manufacturer to prevent someone from using a generic version of a device in place of their proprietary.. send a voltage "glitch" and if the processor didnt behave as they expected they assumed it was a virgin device.. ive never messed with smart meters.. my area mostly is in messing with the chinese Air conditioners (mini splits).. to make them do what i want .. they also use Atmel micros.. so ill be interested in watching more vids to see how you spring these devices open

3 bifurcations if you want to cloak your visitors.

Loving this

I've got an old meter, if I install it what happens?

How to get rid of altogether?, I opted out and PSEG still put the dang thing on. Would love to pry it off my home with my crowbar!🤬🤬🤬 they had no right to trespass on my property!!!! Plus they stole my lock that I had on the outside of my odometer meter!!

this reminds me of the blizzard lawsuit against the "glider" bot company. blizzard (world of warcraft, back when it was the biggest online game) couldnt get the company that sold the most popular bot "Glider" to stop selling its software. the program Glider was sophisticated enough to trick blizzards industry leading cheat surveillance shadow program (called sheriff? i think). Eventually blizzard was able to bankrupt the company by getting a copyright lawsuit ruling in a lower court against the small botting company, on the basis that the way Glider operated via "injection" or something. Essentially Glider required duplicating the world of warcraft game client script and then injected itself into it on the client side such that the anticheating surveillance program sheriff recognized it as self/native and went on undetected. This all sounds so similar and im no expert on copyright law but i bet this is one of the few cases that established precedence here in what youre talking about. going to subscribe and see where youre projects end up. thanks for uploading. what i wanted to know is because blizzard had to run the Glider script inorder to figure out how it was working, didnt they too commit some kind of copyright infringement by coppying the new injected programing language on their own pc's? and therefore they likely had to break the same copyright rules they accused glider of breaking rofl.

My hp48 gx just ... stopped working ... last week. Can't afford another - end of an era 😢

Usually modbus or canbus protocol.

If you don't get it. Why are you even commenting? No, no, don't even answer. Obviously I I just made a mistake to say that. What I mean is that mabe you should gather up some comprehension and reading skills. No, no, no, obviously thats not going to help you. So.... just ignor it because I'm not going to explain anything to the one who has this type of response. Oh,, yea. .. I'm not being rude. But I can't be squandering away my time with unreachable minds. Ok peace.

It would be good to know how the smart meters work. But how will the help anyone?

well that took about 30 seconds for me to figure out that I was way out of my depth

can someone twell me what prducts he used to hack the smart meters?

Love it, go for it.