Decrypt DLMS Security Suite 0, HLS5 Data

By joli_u, 12 March, 2021

Forums

Hi,

i recently got a Smartmeter. It is a KAIFA MA309 and it has an M-BUS interface. My energy company send me some instructions on how to read the data.

According to their documentation the Interface only sends out every 5 seconds an encrypted PDU. With a normal serial to M-BUS converter interface I was able to receive ecrypted data.

The company gave me the following information about the encryption:

GUEK (Global Unicast Encryption Key): 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
DLMS Security Suite 0, HLS5

Example encrypted PDU provided by energy Company:
DB085341475905E6A31381F8200001D23432B01242AC1A995207422F7CC452CA85CA0612F1BF9922A7ACC7E51DA8C897C97AF5EFF013D3E47E602BE65E860C1F253DF010B435B5EDBBFDE0C295B1027E8EB65D1CF6575FA07C80B33F274D3FAA21C89E2DF3F36023CA30775597F5BA3BB4A5F844C6DCC5C32AD68FED3CD3DD08A9C125B1D565B78F583B6BACA03C4CD91CE1154180E8F9F099F0C23A66A67A9A86F7B9C5A59613FE23F9FA55967E06A4CD0EF02D3A791D553C2517D2E29B6CB707A8B17D9762353D0FE56854277419B5F2C1FDAD40FA9686997E60AE1FCD6C5DC5DC756B141D8B160EF05455C7B9C07A435E43B75DAD570990697702691901D7249EE1DF

Example decrypted PDU provided by energy Company:
0F800000040C07E001040117222300FFC4000223090C07E001040117222300FFC40009060100010800FF06000020B002020F00161E09060100020800FF0600000C6902020F00161E09060100010700FF060000000002020F00161B09060100020700FF060000000002020F00161B09060100200700FF1208F902020FFF162309060100340700FF1208FD02020FFF162309060100480700FF1208FA02020FFF1623090601001F0700FF12000002020FFE162109060100330700FF12000002020FFE162109060100470700FF12000002020FFE1621090601000D0700FF1003E802020FFD16FF090C313738323130303031313037

With the https://www.gurux.fi/GuruxDLMSTranslator I can successfully read the decryped PDU but i have no clue on how to decrypt the data.

First I have tried standard AES but the output does not match the example.
With the secure client I get an error (see below).

import time
from gurux_dlms import *
from gurux_dlms.enums import *
from gurux_common import *
from gurux_dlms.secure import *
from Crypto.Cipher import AES
import binascii

cyphertext = "DB085341475905E6A31381F8200001D23432B01242AC1A995207422F7CC452CA85CA0612F1BF9922A7ACC7E51DA8C897C97AF5EFF013D3E47E602BE65E860C1F253DF010B435B5EDBBFDE0C295B1027E8EB65D1CF6575FA07C80B33F274D3FAA21C89E2DF3F36023CA30775597F5BA3BB4A5F844C6DCC5C32AD68FED3CD3DD08A9C125B1D565B78F583B6BACA03C4CD91CE1154180E8F9F099F0C23A66A67A9A86F7B9C5A59613FE23F9FA55967E06A4CD0EF02D3A791D553C2517D2E29B6CB707A8B17D9762353D0FE56854277419B5F2C1FDAD40FA9686997E60AE1FCD6C5DC5DC756B141D8B160EF05455C7B9C07A435E43B75DAD570990697702691901D7249EE1DF"

print("Hello")
print(cyphertext)

cl = GXDLMSSecureClient()
cl.ciphering.setSecurity(Security.ENCRYPTION);
cl.ciphering.getBlockCipherKey()

key=GXCommon.hexToBytes("000102030405060708090A0B0C0D0E0F")
cyphertext_bytes=GXCommon.hexToBytes(cyphertext)

plaintext = cl.decrypt(kek=key, data=cyphertext_bytes)

print("Decrypted:")
print(binascii.hexlify(plain))

Output:
Hello
DB085341475905E6A31381F8200001D23432B01242AC1A995207422F7CC452CA85CA0612F1BF9922A7ACC7E51DA8C897C97AF5EFF013D3E47E602BE65E860C1F253DF010B435B5EDBBFDE0C295B1027E8EB65D1CF6575FA07C80B33F274D3FAA21C89E2DF3F36023CA30775597F5BA3BB4A5F844C6DCC5C32AD68FED3CD3DD08A9C125B1D565B78F583B6BACA03C4CD91CE1154180E8F9F099F0C23A66A67A9A86F7B9C5A59613FE23F9FA55967E06A4CD0EF02D3A791D553C2517D2E29B6CB707A8B17D9762353D0FE56854277419B5F2C1FDAD40FA9686997E60AE1FCD6C5DC5DC756B141D8B160EF05455C7B9C07A435E43B75DAD570990697702691901D7249EE1DF
Traceback (most recent call last):
File "decrypt_test1.py", line 21, in <module>
plaintext = cl.decrypt(kek=key, data=cyphertext_bytes)
File "/usr/local/lib/python3.8/dist-packages/gurux_dlms/secure/GXDLMSSecureClient.py", line 101, in decrypt
return gcm.decryptAes(data)
File "/usr/local/lib/python3.8/dist-packages/gurux_dlms/GXDLMSChipperingStream.py", line 874, in decryptAes
block[8:16] = buf[8 * (i - 1):8*i]
TypeError: slice indices must be integers or None or have an __index__ method

Can someone give me some hints on how to decrypt correctly this data?

Thanks & best regards,
joli

Hi,

The example data is not valid. Also, data is containing only the PDU and the framing (like M-Bus) is missing. After you have the correct data and key you can get the data using GXDLMSTranslator or with GXDLMSSecureClient like this:

bb = GXByteBuffer("Value coming from the meter")
cl = GXDLMSSecureClient()
data = GXReplyData()
notify = GXReplyData()
cl.interfaceType = InterfaceType.PDU
cl.ciphering.security = Security.ENCRYPTION
cl.ciphering.blockCipherKey = GXCommon.hexToBytes("000102030405060708090A0B0C0D0E0F")
plaintext = cl.getData(bb, data, notify)
print(notify.value)

BR,
Mikko

Hi, thanks for your help. I

Hi, thanks for your help. I also came to the conclusion that this test data must be wrong.

I put real data from the meter into the GXDLMSDirector and it can at least decode the non encrypted parts of the data like the serial number of the meter which matches.

Is there some documentation public available where the structure of these PDU's is explained?

What exactly does the Interface type change? I Have seen that there is also Wireless M-Bus interface but no wired M-MBUS? Does the InterfaceType.PDU work directly with the wired M-BUS Data from the meter?

Thanks & Best regards
Joli

Hi,

Because DLMS is a standard there are a lot of documents from DLMS. The bad side is that DLMS is not an easy protocol and standards are not public.

You can see a few of PDUs in GuruxDLMSTranslator?.
http://www.gurux.fi/GuruxDLMSTranslator?pdu=0501022BC8

Wired M-MBus is not released for Python yet, but it's coming...
In InterfaceType.PDU there is no framing, only PDU. There are several ways to send PDU in frames and more to come. There is its own framing mechanism for Over The Air standards (LPWAN and Wi-Sun).

After those are released there are 10 different framing mechanisms that Gurux is supporting.

BR,
Mikko

Decrypt DLMS Security Suite 0, HLS5 Data

Forum Rules

Hi,

Hi, thanks for your help. I

Hi,