
Reading Meters

I spent one day out of the recent holidays taking measurements of our electric power usage at near-hourly intervals. This involved going outside and walking around to the meter to read whatever number was flashing at the time. While I got good data, obviously it isn’t convenient to step outside all the time. (And before you say it, yes I’m a hopeless geek. Deal with it!)

I know the meter can be queried from the street, so I did some research on how this works. Apparently the meter (an Itron Centron) transmits as a Part 15 (i.e., unlicensed) device on the 900MHz band. It uses spread-spectrum frequency hopping over 50 channels, a fact that makes it somewhat difficult (but not impossible) to zero in on the data stream. However, the channels are published and span 909.6 MHz through 921.8 MHz, well within the range of my scanner.

Thus, my idea of Do It Yourself Meter Reading (also described here) may be possible, after all. I haven’t found any description of the data stream, nor whether it’s encrypted, so I do not know what information is available nor how to decode it. One step at a time, though.

Interestingly enough, the frequencies the electric meters use are right in the middle of the amateur radio 33cm band. Being licensed operators, hams thus have priority on these frequencies. I wonder how long it will be before reports surface about interference on this band?

  1. I’ve been doing some research on this as well, in an attempt to avoid having to install an X10 camera over the meter to OCR the images :D.

    Where did you find the bit about it frequency hopping over 50 channels?

    Itron makes a number of EMT modules for AMR purposes and I’m guessing that they all use pretty much the same protocol (that makes it easier to sell more stuff and easier to develop new products for the same line). The modules can be integrated with old style meters to retrofit AMR capability to old equipment or it can be installed as a plugin module to electronic meters (and of course Itron sells their own meters as well, I’ve got the Centron CS1R model). The CS1R/R300 IDM meters presumably either use the 5xESS ERT modules or a built-in version of the same thing. Thus a utility using, e.g. GE meters with 52ESS ERT modules could also buy Centron CS1R meters from Itron and use all the same remote-read equipment.

    The literature all touts the Spread Spectrum radio bit, and that generally means some flavor of frequency hopping where bits or chips of the message are transmitted across multiple frequencies and the entire message is not available on any one frequency. Itron seems to keep this information secret though, so their competitors don’t set up to read it (except where the FTC forced them to give a license to Neptune as an anti-anti-competitive measure).

    The thing is, I don’t think they are doing any fancy spread spectrum stuff. The primary consideration is not security (anybody can walk up to the meter, and it’s just utility usage data anyway) but reliability. AMR technology is there to save money, and hard-to-read meters cost more. Also, I suspect the ‘spread spectrum’ is in the sales literature to look fancy and sound impressive, not to tell us they are using a fancy PN frequency hopping routine to secure the information.

    Here are some bits I’ve scrounged up:

    “The ERT meter module can be programmed to communicate in either wake-up or bubble-up mode. When used in wake-up mode, it waits for a wake-up signal over a radio frequency and then automatically transmits the meter data to the appropriate meter-reading device. In bubble-up mode, a constant stream of data is transmitted for interception, by the receiving unit, and no FCC license is required. This data includes the meter ID number, registration, and tamper detection information. The RF transmission lasts less than one second and contains eight identical data packets, each at a different frequency. The modules can be read by DataCommand, DataPac and Mobile Collection Systems as well as the G5R handheld and the fixed base MicroNetwork.”

    “When programming the 53ESS ERT, customers can select any three payloads from the available list.
    The 53ESS ERT transmits this data back to the Itron meter reading software via three standard consumption messages (SCMs).
    Each SCM contains a payload data value, an ERT ID, and counters providing tamper and/or other meter related information.”

    “Two counters in each of the SCMs provide a total of six unique status indicators that provide important information about site conditions, including detection of possible tampering.

    SCM1 Counter1 Meter has been inverted
    SCM1 Counter2 Meter has been removed
    SCM2 Counter3 Meter detected a button–press demand reset
    SCM2 Counter4 Meter has a low-battery/end–of–calendar warning
    SCM3 Counter5 Meter has an error or a warning that can affect billing
    SCM3 Counter6 Meter has a warning that may or may not require a site visit, depending on utility practice (for example, reverse energy flow warning)”

    One of the important bits there is this “The RF transmission lasts less than one second and contains eight identical data packets, each at a different frequency.”

    It sounds to me like they are transmitting the exact same, complete message on 8 independent frequencies spread across the spectrum (thus, “spread spectrum” in the sales literature). I would not be surprised at all if this is really just 8 redundant OOK broadcasts at different frequencies. This would be consistent with the two driving principles, avoiding interference and keeping the cost low.

    The data sounds like it consists of 3 SCM messages, each containing bits representing the payload, the ERT and the counters. The payload for each SCM is configurable. The 3 SCM’s comprise a single data packet and are transmitted in under one second, probably with at least (IIRC) 15 seconds between them (in compliance with FCC Part 15 sub C).

    In bubble-up (1 way) mode you’d receive the broadcasts constantly. In wake-up (also referred to as 1.5 way) mode the reader has to chirp some kind of wake up message to get the meter to broadcast. I didn’t find any information about the reader’s wake up broadcast, but there might be some clues in the FCC’s documentation:

    EO9DCPN2 Meter Reading Transmitter
    EWQ90F2482517-410 Meter Reader/Programmer
    EWQ90F2482517E Utility Meter Transceiver
    EWQ90F6482517-R Utility Meter Transceiver

    Of course it is possible that the docs I’ve turned up are wrong and the broadcast is a ‘real’ spread spectrum broadcast, but this simpler case should be easy to check out, provided you can confirm that your meter operates in bubble-up mode.

    If we can confirm that the meter is transmitting a basic OOK/FSK message as I suspect, it shouldn’t be a huge leap to work out the signaling protocol (probably also a standard scheme). Determining how the checksum works could be more difficult, but for stationary monitoring we can get away without it. They might also ‘encrypt’ the data, but since we know the KWH used at the time of transmission at least that part of the data should be recoverable (presuming a simple scrambling system).

    I’ve emailed both my power company and Itron about reading the meter myself. Both were very friendly. The Basic DOS-based meter reader is available if you want to buy it, but at a bit over 5 kilobucks it’s not a viable solution (unless you can get your utility company to sell you any broken readers at a substantial discount).

    Suggestions?

  2. Well, the info I found was all on the FCC website as part of Itron’s FCC certification process. I plugged the FCC ID into The Google and up popped some links to the appropriate documents.

    Itron uses spread-spectrum not for security but for versatility. If there are 50 meters in a small area (say, at an apartment complex), the meters have a far less chance of stepping on each other if each one is using frequency hopping.

    At any rate, all 50 channels are listed in the FCC documents. Thus it is possible to scan them all with a moderately fast scanner.

    I tuned up to the band on my scanner the other day but heard nothing but static. I have yet to program in the individual channels. Once I do that I can leave the scanner running and record its output. A couple of data bursts should provide more clues about the protocol.

    Please keep me posted on any findings!

    Mark

  3. Have you had a chance to review Itron’s patents on the subject?

    Here is an index of some relevant patents:

    http://www.patentstorm.us/assignees/Itron,_Inc_-52765-1.html

    This one is very relevant:

    “Communication Protocol for remote data generating stations”
    http://www.patentstorm.us/patents/5673252-description.html

    In particular the description of the Network Service Module (NSM) is useful.

    Also “Frequency Hopping Spread Spectrum system with high sensitivity tracking and synchronization”, which describes the details of how the SS system works:
    http://www.patentstorm.us/patents/6934316-description.html

    I haven’t finished reading it all, but what I understand is that the receiver starts out in a wideband receive mode to pick out the transmitter’s preamble. Evidently the transmitter and receiver don’t have a predetermined channel hopping pattern; the transmitter hops around however it wishes and the receiver does its best to find the signal. When the first part (34 chips of Manchester coded bitstream) of the preamble is found an FFT runs and cuts the 7MHz spectrum into 32 channels which it watches for the remaining 6 chips. These chips show up most strongly in one of the channels, or bins, identifying the narrowband frequency the transmitter is using. The receiver then tunes and syncs a narrowband receiver to that frequency to pick up the packet data. If the signal strength is high enough to receive the data in wideband mode it doesn’t bother switching to narrowband mode.

    I think that part is particularly interesting. Because we are interested in reading only one nearby meter we can ignore the whole frequency hopping part and use a wideband receiver with low selectivity. Since each packet is transmitted 8 times across the spectrum the band doesn’t even have to be very wide, we’ll be likely to pick up enough data for what we want with a simple receiver, even if some of the packets and broadcasts are missed.

    -The transmitter uses Manchester coding: “the preamble 32 of the packet 30 consists of 20 bits plus one sync bit. This data is Manchecter[sic] encoded so we have 42 “chips” (i.e. transition states) possible to correlate on. The first 34 chips are used to correlate on and the last 6 to determine the best bin for data decoding.”

    -The narrowband data is OOK : “In a preferred embodiment, the encoded data of the packet 30 is on-off keyed (OOK) modulated.”

    -Eight duplicate packets are sent, each entirely on a single channel: “A typical end point transmitter will respond to a valid wake-up with eight packets, which will be sent at slightly different frequencies”

    -The wake-up tone, if it is used, is a simple flag signal and encodes no data: “end-point modules, even those that normally operate in a bubble-up fashion, respond to a wake-up tone, which is a proper frequency carrier modulated at the programmed wake-up tone.”
    “end point transmitters provide the capability to select a wide range of wake-up frequencies (952-956 MHz) and wake-up tones (28-62 Hz)”

    Other Itron patents describe the data content of the packets and the length (about 100mS, 8 of which then take “under one second”). So, I think this project can be done without too much trouble.

    I confirmed with the Itron rep that works with my power company that my meter operates in bubble-up mode, so I know that the data is there, I just need to set up a receiver to look for it.
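
Added example (not part of the original comments and not Itron code): a Python sketch of the two mechanisms quoted above, Manchester-coded on/off chips and a burst of eight duplicate packets, showing how a receiver can flag corrupted chip pairs and vote across the copies. The chip polarity, the 21-bit `WORD` and the injected faults are constructed assumptions; the page gives none of them.

```python
from collections import Counter

# Assumed chip convention (the page does not state the polarity):
# bit 1 -> chips (1, 0), bit 0 -> chips (0, 1). A chip is one OOK on/off slot.
CHIPS = {1: (1, 0), 0: (0, 1)}
BITS = {pair: bit for bit, pair in CHIPS.items()}

# Constructed 21-bit word: 20 bits plus one sync bit, so 42 chips as quoted above.
WORD = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1] + [1]

def manchester_encode(bits):
    return [chip for bit in bits for chip in CHIPS[bit]]

def manchester_decode(chips):
    """Decode chip pairs; None marks a pair with no mid-bit transition (an erasure)."""
    if len(chips) % 2:
        raise ValueError("chip stream must contain whole chip pairs")
    return [BITS.get((chips[i], chips[i + 1])) for i in range(0, len(chips), 2)]

def combine_copies(decoded_copies):
    """Per-bit majority vote over redundant copies; erasures do not vote."""
    result = []
    for column in zip(*decoded_copies):
        ranked = Counter(b for b in column if b is not None).most_common(2)
        tie = len(ranked) == 2 and ranked[0][1] == ranked[1][1]
        result.append(None if not ranked or tie else ranked[0][0])
    return result

def simulate_burst():
    """Eight copies of WORD with constructed reception faults."""
    copies = [manchester_encode(WORD) for _ in range(8)]
    copies[0] = [0] * len(copies[0])   # copy missed entirely: carrier never seen
    copies[3][10] ^= 1                 # one bad chip: pair becomes (1, 1), an erasure
    copies[5][4] ^= 1                  # both chips of bit 2 flipped: still a valid
    copies[5][5] ^= 1                  # pair, so this copy is silently wrong
    return copies

def recover(chip_copies):
    return combine_copies([manchester_decode(c) for c in chip_copies])

if __name__ == "__main__":
    burst = simulate_burst()
    print("copy 5 alone correct:", manchester_decode(burst[5]) == WORD)
    print("voted result correct:", recover(burst) == WORD)
```

Voting only suppresses random reception errors; it is not a substitute for the packet checksum mentioned in the first comment.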

  4. I was curious if anyone has made any progress on this front.

    My local power company uses the Centron meters as well, and our power bills have been getting insane… I’m wanting to document power consumption and see if I can find any patterns of usage.

    It amazes me that Itron doesn’t produce a small scale end-user reader for people to do this. The electronics behind it shouldn’t be that expensive to produce.

    –3of9

  5. Hi 3of9,

    No, not yet. Not me, anyway. It is an interesting project but I’ve been engaged by so much else lately that I haven’t been able to explore it further. Perhaps once it gets blazingly hot here in the summertime and my power consumption goes through the roof, I’ll find it worthwhile to pick things up again. 🙂
