Elster A 1700 password

Gurux Network Component for C#, Java, ANSI C++ We have received a lot of inquiry how to make password for Elster A 1700. Formula is below:

/// 
/// Encrypt Elster PW for A1700.
/// 
/// Used password.
/// Seed received from the meter.
/// Password send back to meter.
string ElsterEncrypt(string password, string seed)
{
    //Convert hex string to byte array.
    byte[] s = GXCommon.HexToBytes(seed, false);
    byte[] crypted = new byte[8];
    for (int pos = 0; pos != 8; ++pos)
    {
        crypted[pos] = (byte)(password[pos] ^ s[pos]);
    }
    int last = crypted[7];
    for (int pos = 0; pos != 8; ++pos)
    {
        crypted[pos] = (byte)((crypted[pos] + last) & 0xFF);
        last = crypted[pos];
    }
    return GXCommon.ToHex(crypted, false);
}

Communicating with Elster A 1500 and 1700

We are receiving emails how to communicate with Elster meters. We are not supporting IEC 62056-21 anymore, but I'll add small description how to start.

First send identify command.
/?!\r\n

Meter replies it's FLAG name and used baudrate. After that is serial number. It's something like this:
/GEC5012345678901@000\r\n

Tell meter what baudrate you want to use. You must also change serial port baud rate to same. In this example baudrate is 9600
[0x6]051\r\n

Meter reply that you need to give password. Meter also gives seed as a parameter. Note this seed is different for each time.
[0x1]P0[0x2](FD2BA0E29731D230)[0x3]m\r\n

Use function above to count hashed password. Then send it to the meter.
[0x1]P2[0x2](BE2C10B158593B3E)[0x3 0x60]\r\n

If meter accepts password it returns ACK.
[0x6]

Now you can read data from the meter. Example:
[0x1]R1[0x2]798001(10)[0x3]e

Undefined

Comments

what does this line do?
==> long tmp = (crypted[pos] + last) & 0x800000FF;
seems it does nothing within the function

Kurumi's picture

Hi,

You are right. That is not needed. I updated the example.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Thanks a lot...
i was using Encrypt dll from ELSTER, since i move from delphi to lazarus in linux, this is a big help...
i'll compare it immediately

BR,

rads

Kurumi's picture

Hi,

We was also using encrypt.dll until we had a Linux project. We thought that there is also encrypt library for Linux. It was very surprising that there was not. In those few lines are weeks of hard work. :-)

Happy coding,

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Many thanks for this, just what I was looking for.

Hi Mr. Mikko, first I would like to say thanks for sharing this info.

I'm wondering which password you used in your example code, I'm trying with the default for this meter:
Pass 1: 0001ABCD
Pass 2: ABCD0002
Pass 3: FEDC0003
and I'm not getting the same output you've got, with the same seed.

Leonardo Chacon

Kurumi's picture

Hi Leonardo,

I can't remember the password what we used. Meter is not on our office and I can't read the meter right now and check it. I believe it was default password. You can try with 00000000.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Well it seems like I've got stuck, just in case some else is working with this instrument I'll like to let you know where I have gotten so far.
I’m not an experienced programmer though and have never submitted anything to github before, not sure how to use it.
Any way here it is, the current file I’m working with is Desencryptalo_v8.py, and there is a sample of the output I’m getting:

https://github.com/leonardoecv/A1700-meter-readuot

Leonardo Chacon

Kurumi's picture

Hi Leonardo,

Can you show your result also as hex so we can help you.
You should receive 0x6 as reply after you send your pw.
This is ACK message.

BR,
Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

C:\>py Desencryptalo_v10.py
2017-09-06 14:46:04 ### :Begining communication
2017-09-06 14:46:04 >>> : /?!
2017-09-06 14:46:07 <<< : /GEC5090100010300@000
2017-09-06 14:46:07 >>> : ♠051
2017-09-06 14:46:09 <<< : ☺P0☻(1DA5E8CFF12D8EC9)♥▼
2017-09-06 14:46:09 >>> : ☺P2☻(B9CE42839B9C1082)♥`
2017-09-06 14:46:11 <<< : __7{w+
5f 5f 37 7b 77 2b 0

C:\>py Desencryptalo_v10.py
2017-09-06 14:46:17 ### :Begining communication
2017-09-06 14:46:17 >>> : /?!
2017-09-06 14:46:20 <<< : /GEC5090100010300@000
2017-09-06 14:46:20 >>> : ♠051
2017-09-06 14:46:22 <<< : ☺P0☻(124E62E19028C261)♥↨
2017-09-06 14:46:22 >>> : ☺P2☻(4E63D7183031333A)♥`
2017-09-06 14:46:23 <<< : _;7ww+§
5f 3b 37 77 77 2b 15

C:\>py Desencryptalo_v10.py
2017-09-06 14:47:46 ### :Begining communication
2017-09-06 14:47:46 >>> : /?!
2017-09-06 14:47:49 <<< : /GEC5090100010300@000
2017-09-06 14:47:49 >>> : ♠051
2017-09-06 14:47:51 <<< : ☺P0☻(1D0B7880FD59783C)♥◄
2017-09-06 14:47:51 >>> : ☺P2☻(319191C3DBDC5050)♥`
2017-09-06 14:47:53 <<< : _⌂_Ww=§
5f 7f 5f 57 77 3d 15

the last message I'm getting no matter which of the defaults passwords I try with, looks always like that: with a NAK (15hex) character.

Leonardo Chacon

We're also banging our heads against this password encryption at the moment.

When running the function above against the seed in your example we don't get the same result with any of the passwords we've come across. (oooooooo, 00000000, 0001ABDC, ABCD0002, FEDC0003)

Sample log:
TX /?!<CR><LF>
RX /GEC5090100031111@000<CR><LF>

TX <ACK>051<CR><LF>
RX <SOH>P0<STX>(F01322D7BEB38CB7)<ETX><US>

TX <SOH>P2<STX>(0C7EF067696BDFE4)<ETX><FS>
RX <SOH>B0<ETX>q

The function is yours as converted into python by Leonardoecv (Excuse the formatting)

def decryptA1700(seed, password):
__seed = bytearray(seed, 'ascii')
__password = bytearray(password, 'ascii')
__crypted = bytearray(b'\x00\x00\x00\x00\x00\x00\x00\x00')
__for i in range (0, 8):
____crypted[i] = password[i] ^ seed[i]
__last = crypted[7]
__for i in range (0, 8):
____crypted[i] = (crypted[i] + last) & 0xFF
____last = crypted[i]
__crypted = (binascii.hexlify(crypted)).swapcase()

Have we missed something silly?

Hi dear kurumi
I have a problem
Please help me
Wich algorithm generate next character after ETX in p2 and others

Sample log:
TX /?!<CR><LF>
RX /GEC5090100031111@000<CR><LF>

TX <ACK>051<CR><LF>
RX <SOH>P0<STX>(F01322D7BEB38CB7)<ETX><US>

TX <SOH>P2<STX>(0C7EF067696BDFE4)<ETX><FS>
RX <SOH>B0<ETX>q

In this sample P0 is <US> AND P2 is <FS>

Kurumi's picture

Hi,

Your meter closes the connection. Check the password.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

hi
i want to read elster a120 uk.
this metter seeds like a1700 but i get ERR4 on reading lines.
any help plz ?

"+OK/?!\n" +
"/GEC5100200030100@000\n" +
"+OK<ACK>051\n" +
"+OK,END\n" +
"<SOH>P0<STX>(E53DE027E11E70D1)<ETX>e"+
"+OK<SOH>P2<STX>(0000000000000000)<ETX>b\n" +
"<ACK>"+
"+OK<SOH>P2<STX>(9C11B516E8165636)<ETX>b\n" +
"<NAK>"

my p2 password is correct becouse i generate same password that other software who can read this metter.
but i get <NAK>.

in P2<STX>(0000000000000000)<ETX>, when i send any other char for "b" i get <NAK>.
i think this char is important, for P2 too . yes or no?

Kurumi's picture

Hi,

P2 is generated from the seed what meter sends and password what you have. It's different each time.
You should also send P2 only once. Now you are sending it twice.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Hi Kurumi,
Not getting any response when I issue any of the commands below to the meter
<SOH>P2<STX>(0000000000000000)<ETX>b
<SOH>R1<STX>798001(10)<ETX>e
<SOH>R1<STX>795001(08)<ETX>a

Any ideas why the meter stops responding after generating the password seed?

Regards,
Frank

Kurumi's picture

Hi,

Check your password. That is usually the problem.

BR,
Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Hi

Please give me the command to read the data?

Thanks!

This makes sense! I know the meter password but I’ve been struggling to read it because of the hashed PW. Is the code above taking the hex value(P2), converting to array and sending it back to the meter?
“Use function above to count hashed password.”

Kurumi's picture

Hi,

Yes, you use seed that meter sends and password to generate a hash that you send to the meter.

BR,
Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

I've got a little further with the hashed PW, how to i encode the data so it makes sense?
bytearray(b'/?001!\r\n') TX
b'/GEC5090100031111@000\r\n' RX
bytearray(b'\x06051\r\n') TX
b'\x01P0\x02(C96FE055A13DACF5)\x03i' RX
bytearray(b'\x01P2\x02(4F7C1F30C1CE6A31)\x03\x11') TX
b'\x06' RX
Password Accepted
bytearray(b'\x01R1\x02507001(40)\x03d') TX
b'\x02(00446343050000000000000000000000004878960000000000000000000000000000000000000000000000000000000000122352050000000048789600000000)\x03\x05' RX
bytearray(b'\x01B0\x03q') TX
b'' RX

My Meter serial number is K17A001452

"Meter replies it's FLAG name and used baudrate. After that is serial number. It's something like this:
/GEC5012345678901@000\r\n" is this the serial number?

Kurumi's picture

Hi,

You need only baud-rate. You basically don't need the serial number.
It seems that you can make the connection to the meter.
Now you can read what you want to from the meter.

BR,
Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Just to add to this, the request for the Meter serial number is R1\x02798001(10), i get the response 2D2D2D2D2D2D4B313741303031343532 which is the meter serial number.

Hi Sorry to drag this up again,
But I would really like to be able to read from an A1140 using python.
But I have the same password seed issue as above. Does the A1140 have a different hashing method for the password, compared to the A1700. I have used the method above in python and it won't give the ACK signal and it quits. Anyone have any information on the A1140. Thanks for your help.

Chris

Kurumi's picture

Hi Chris,

I don't know from A1140, but different manufacturers are using different was to count the hash. That is the reason why we are not supporting IEC 62056-21 (formerly IEC 61107). There are too much variation between meters. I hope you can solve this.

BR,
Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Thanks for the reply, and how did you find out how to do the A1700 meter?
Might be able to follow where you got the infomation from.
Chris

Kurumi's picture

Hi,

We had a project several years ago where was reading A1700 meters in Linux. There was only Windows dll. It was taking a lot of time to figure it out. :-)

Meter manufacturers usually don't like to share information like this.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi