By Administrator, 31 May, 2016

Gurux Network Component for C#, Java, ANSI C++ We have received a lot of inquiry how to make password for Elster A 1700. Formula is below:

/// 
/// Encrypt Elster PW for A1700.
/// 
/// Used password.
/// Seed received from the meter.
/// Password send back to meter.
string ElsterEncrypt(string password, string seed)
{
    //Convert hex string to byte array.
    byte[] s = GXCommon.HexToBytes(seed, false);
    byte[] crypted = new byte[8];
    for (int pos = 0; pos != 8; ++pos)
    {
        crypted[pos] = (byte)(password[pos] ^ s[pos]);
    }
    int last = crypted[7];
    for (int pos = 0; pos != 8; ++pos)
    {
        crypted[pos] = (byte)((crypted[pos] + last) & 0xFF);
        last = crypted[pos];
    }
    return GXCommon.ToHex(crypted, false);
}

Communicating with Elster A 1500 and 1700

We are receiving emails how to communicate with Elster meters. We are not supporting IEC 62056-21 anymore, but I'll add small description how to start.

First send identify command.
/?!\r\n

Meter replies it's FLAG name and used baudrate. After that is serial number. It's something like this:
/GEC5012345678901@000\r\n

Tell meter what baudrate you want to use. You must also change serial port baud rate to same. In this example baudrate is 9600
[0x6]051\r\n

Meter reply that you need to give password. Meter also gives seed as a parameter. Note this seed is different for each time.
[0x1]P0[0x2](FD2BA0E29731D230)[0x3]m\r\n

Use function above to count hashed password. Then send it to the meter.
[0x1]P2[0x2](BE2C10B158593B3E)[0x3 0x60]\r\n

If meter accepts password it returns ACK.
[0x6]

Now you can read data from the meter. Example:
[0x1]R1[0x2]798001(10)[0x3]e

ELSTER A1700

what does this line do?
==> long tmp = (crypted[pos] + last) & 0x800000FF;
seems it does nothing within the function

ELSTER A1700

Hi,

You are right. That is not needed. I updated the example.

BR,

Mikko

ELSTER A1700

Thanks a lot...
i was using Encrypt dll from ELSTER, since i move from delphi to lazarus in linux, this is a big help...
i'll compare it immediately

BR,

rads

We was also using encrypt.dll until we had a Linux project. We thought that there is also encrypt library for Linux. It was very surprising that there was not. In those few lines are weeks of hard work. :-)

Happy coding,

BR,

Mikko

Elster A1700

Many thanks for this, just what I was looking for.

Regarding the password used in example

Hi Mr. Mikko, first I would like to say thanks for sharing this info.

I'm wondering which password you used in your example code, I'm trying with the default for this meter:
Pass 1: 0001ABCD
Pass 2: ABCD0002
Pass 3: FEDC0003
and I'm not getting the same output you've got, with the same seed.

ELSTER A1700 Password

Hi Leonardo,

I can't remember the password what we used. Meter is not on our office and I can't read the meter right now and check it. I believe it was default password. You can try with 00000000.

BR,

Mikko

ELSTER A1700 Password

Well it seems like I've got stuck, just in case some else is working with this instrument I'll like to let you know where I have gotten so far.
I’m not an experienced programmer though and have never submitted anything to github before, not sure how to use it.
Any way here it is, the current file I’m working with is Desencryptalo_v8.py, and there is a sample of the output I’m getting:

https://github.com/leonardoecv/A1700-meter-readuot

ELSTER A1700 Password

Hi Leonardo,

Can you show your result also as hex so we can help you.
You should receive 0x6 as reply after you send your pw.
This is ACK message.

BR,
Mikko

C:\>py Desencryptalo_v10.py

C:\>py Desencryptalo_v10.py
2017-09-06 14:46:04 ### :Begining communication
2017-09-06 14:46:04 >>> : /?!
2017-09-06 14:46:07 <<< : /GEC5090100010300@000
2017-09-06 14:46:07 >>> : ♠051
2017-09-06 14:46:09 <<< : ☺P0☻(1DA5E8CFF12D8EC9)♥▼
2017-09-06 14:46:09 >>> : ☺P2☻(B9CE42839B9C1082)♥`
2017-09-06 14:46:11 <<< : __7{w+
5f 5f 37 7b 77 2b 0

C:\>py Desencryptalo_v10.py
2017-09-06 14:46:17 ### :Begining communication
2017-09-06 14:46:17 >>> : /?!
2017-09-06 14:46:20 <<< : /GEC5090100010300@000
2017-09-06 14:46:20 >>> : ♠051
2017-09-06 14:46:22 <<< : ☺P0☻(124E62E19028C261)♥↨
2017-09-06 14:46:22 >>> : ☺P2☻(4E63D7183031333A)♥`
2017-09-06 14:46:23 <<< : _;7ww+§
5f 3b 37 77 77 2b 15

C:\>py Desencryptalo_v10.py
2017-09-06 14:47:46 ### :Begining communication
2017-09-06 14:47:46 >>> : /?!
2017-09-06 14:47:49 <<< : /GEC5090100010300@000
2017-09-06 14:47:49 >>> : ♠051
2017-09-06 14:47:51 <<< : ☺P0☻(1D0B7880FD59783C)♥◄
2017-09-06 14:47:51 >>> : ☺P2☻(319191C3DBDC5050)♥`
2017-09-06 14:47:53 <<< : _⌂_Ww=§
5f 7f 5f 57 77 3d 15

the last message I'm getting no matter which of the defaults passwords I try with, looks always like that: with a NAK (15hex) character.

ELSTER A1700 Password

We're also banging our heads against this password encryption at the moment.

When running the function above against the seed in your example we don't get the same result with any of the passwords we've come across. (oooooooo, 00000000, 0001ABDC, ABCD0002, FEDC0003)

Sample log:
TX /?!<CR><LF>
RX /GEC5090100031111@000<CR><LF>

TX <ACK>051<CR><LF>
RX <SOH>P0<STX>(F01322D7BEB38CB7)<ETX><US>

TX <SOH>P2<STX>(0C7EF067696BDFE4)<ETX><FS>
RX <SOH>B0<ETX>q

The function is yours as converted into python by Leonardoecv (Excuse the formatting)

def decryptA1700(seed, password):
__seed = bytearray(seed, 'ascii')
__password = bytearray(password, 'ascii')
__crypted = bytearray(b'\x00\x00\x00\x00\x00\x00\x00\x00')
__for i in range (0, 8):
____crypted[i] = password[i] ^ seed[i]
__last = crypted[7]
__for i in range (0, 8):
____crypted[i] = (crypted[i] + last) & 0xFF
____last = crypted[i]
__crypted = (binascii.hexlify(crypted)).swapcase()

Have we missed something silly?

Wich algorithm generate next character after ETX in p2 and other

Hi dear kurumi
I have a problem
Please help me
Wich algorithm generate next character after ETX in p2 and others

Sample log:
TX /?!<CR><LF>
RX /GEC5090100031111@000<CR><LF>

TX <ACK>051<CR><LF>
RX <SOH>P0<STX>(F01322D7BEB38CB7)<ETX><US>

TX <SOH>P2<STX>(0C7EF067696BDFE4)<ETX><FS>
RX <SOH>B0<ETX>q

In this sample P0 is <US> AND P2 is <FS>

ELSTER A1700 Password

Hi,

Your meter closes the connection. Check the password.

BR,

Mikko

Any method for a120

hi
i want to read elster a120 uk.
this metter seeds like a1700 but i get ERR4 on reading lines.
any help plz ?

"+OK/?!\n" +

"+OK/?!\n" +
"/GEC5100200030100@000\n" +
"+OK<ACK>051\n" +
"+OK,END\n" +
"<SOH>P0<STX>(E53DE027E11E70D1)<ETX>e"+
"+OK<SOH>P2<STX>(0000000000000000)<ETX>b\n" +
"<ACK>"+
"+OK<SOH>P2<STX>(9C11B516E8165636)<ETX>b\n" +
"<NAK>"

my p2 password is correct becouse i generate same password that other software who can read this metter.
but i get <NAK>.

in P2<STX>(0000000000000000)<ETX>, when i send any other char for "b" i get <NAK>.
i think this char is important, for P2 too . yes or no?

Elster A 1700 password

Hi,

P2 is generated from the seed what meter sends and password what you have. It's different each time.
You should also send P2 only once. Now you are sending it twice.

BR,

Mikko

A1700 METER not responding after outputting the password seed

Hi Kurumi,
Not getting any response when I issue any of the commands below to the meter
<SOH>P2<STX>(0000000000000000)<ETX>b
<SOH>R1<STX>798001(10)<ETX>e
<SOH>R1<STX>795001(08)<ETX>a

Any ideas why the meter stops responding after generating the password seed?

Regards,
Frank

Hi,

Check your password. That is usually the problem.

BR,
Mikko

Hi

Please give me the command to read the data?

Thanks!

This makes sense! I know the

This makes sense! I know the meter password but I’ve been struggling to read it because of the hashed PW. Is the code above taking the hex value(P2), converting to array and sending it back to the meter?
“Use function above to count hashed password.”

Hi,

Yes, you use seed that meter sends and password to generate a hash that you send to the meter.

BR,
Mikko

I've got a little further

I've got a little further with the hashed PW, how to i encode the data so it makes sense?
bytearray(b'/?001!\r\n') TX
b'/GEC5090100031111@000\r\n' RX
bytearray(b'\x06051\r\n') TX
b'\x01P0\x02(C96FE055A13DACF5)\x03i' RX
bytearray(b'\x01P2\x02(4F7C1F30C1CE6A31)\x03\x11') TX
b'\x06' RX
Password Accepted
bytearray(b'\x01R1\x02507001(40)\x03d') TX
b'\x02(00446343050000000000000000000000004878960000000000000000000000000000000000000000000000000000000000122352050000000048789600000000)\x03\x05' RX
bytearray(b'\x01B0\x03q') TX
b'' RX

My Meter serial number is K17A001452

"Meter replies it's FLAG name and used baudrate. After that is serial number. It's something like this:
/GEC5012345678901@000\r\n" is this the serial number?

GEC

Hi,

You need only baud-rate. You basically don't need the serial number.
It seems that you can make the connection to the meter.
Now you can read what you want to from the meter.

BR,
Mikko

Just to add to this, the

Just to add to this, the request for the Meter serial number is R1\x02798001(10), i get the response 2D2D2D2D2D2D4B313741303031343532 which is the meter serial number.

Elster A1140

Hi Sorry to drag this up again,
But I would really like to be able to read from an A1140 using python.
But I have the same password seed issue as above. Does the A1140 have a different hashing method for the password, compared to the A1700. I have used the method above in python and it won't give the ACK signal and it quits. Anyone have any information on the A1140. Thanks for your help.

Chris

Hi Chris,

I don't know from A1140, but different manufacturers are using different was to count the hash. That is the reason why we are not supporting IEC 62056-21 (formerly IEC 61107). There are too much variation between meters. I hope you can solve this.

BR,
Mikko

Thanks for the reply, and how

Thanks for the reply, and how did you find out how to do the A1700 meter?
Might be able to follow where you got the infomation from.
Chris

A1700

Hi,

We had a project several years ago where was reading A1700 meters in Linux. There was only Windows dll. It was taking a lot of time to figure it out. :-)

Meter manufacturers usually don't like to share information like this.

BR,

Mikko

Error in password seed received from meter

I appreciate that you are not supporting IEC 62056-21 anymore, but wondered if you have come across the following?

[13:51:36] COM3-> /?001!<CR><LF>
[13:51:38] COM3-> /?001!<CR><LF>
[13:51:39] <-COM3 [AF]G[C5][C3]5[B1]30[B7]000[B1]0[B1][B1]D[C0]000[8D]<LF>
[13:51:40] COM3-> <ACK>051<CR>
[13:51:40] COM3-> <LF>
[13:51:41] <-COM3 [81]P0[82]([C6]A03[B4][B2]D[C3]5[C6][B7]6[B1]3AA[A9]<ETX>[95]
[13:51:41] ERROR: Error in password seed received from meter. (66)

Is this perhaps because I'm using the wrong password, or something else?

Regards,
Neil

Hi Neil,

Have you tried to send plain /?!\r\n?

BR,
Mikko

Elster A1700

Hi,

We are implemeting the Elster protocol and we already got the authentication, but now we are not able to get the register of the meter because what we receive doesnt have sense. By discussing with some customers they said that Elster provide a key for decode what we read. Do you have this key or help me to read out the meter?

Thanks a lot

Hi,

I'm sorry, but we haven't read Elster A1700 meters for a long time and I don't know the new features. I believe that your data is ciphered and you need to decrypt the received data, but I don't know what encryption they are using. Honeywell/Elster is using GMAC for some other meters, so it might be that you can decrypt it with AES-128-GCM. Read this if it helps you:

https://www.gurux.fi/node/16639

BR,
Mikko

Sorry, if i ask you, but do

Sorry, if i ask you, but do you have any contacts from Honeywell/Elster in order to ask them this?

Hi,

I'm sorry, but I can't help you with this.

BR,
Mikko

Communicating with Elster A 1500 and 1700

Comments