Tales of reading the fun manual an finally profiting 💰
The above image is sometimes a conversation starter in Kenya, like discussing who is has a power running low at their house.
The loud beeping sound that this module emits when the ‘token’ ( refered to as the credit score in the meter denoting the current units of power left / just like a prepaid card for your mobile subscription) will send crickets on an epic migration to a less noisy habitat.
, Let’s geek out !.
The above is a Single Phase two wire prepaid keypad Energy Meter, ~ phase refers to the distribution of a load. You can read more about that from the Google.
It is designed to be used for the prepayment of electricity before power if supplied to any household.
Main Functions
- energy measurement
- communication
- prepayment
- data display
- anti-tampering
- keypad input & inquiry
From the manual
Highlights
The interface is based on Standard Transfer Protocol, which is an open source standard and the only international specification on prepaid system
DLMS/COSEMC communication protocol, which ensures good interoperability
Recharge information is transferred in the form of TOKEN
Built-in contractor and varied control methods are supported
Pluggable PLC/GPRS module supports remote communication.
The meter has a energy measuring unit that can do voltage & and current sampling in the ICU.
It has a data processing unit comprising of an MCU and memory. A power supply unit, I/O unit which is the LCD display, neat features like PLC/GPRS communication and optical port. A load control unit which is handled by the contractor
Communication Interface
The meter has one optical communication port, and one PLC/GPRS communication port(only one communication module between PLC and GPRS can be chosen for one meter).
The two communication interfaces are independent from each other, thus, failure of one communication interface will not affect the other.
PLC Communication
The PLC communicates at a Baud rate of 4800bps, 8 data digits and without check digit. The meter reading can be realized through DCU via PLC communication in AMI network with a pluggable PLC comms module same spec for the GPRS communication
In order to recharge , a client purchases electricity and a 20-digit TOKEN is generated for the amount bought. The token is entered into the ciu by keying in the digits. The meter displays status codes after the token is entered.
successfull recharge
Credit on the meter should have an increased score.
01
When the token is wrong
02
When the token has already been used
03
When the token has expired
04
Expired security key
05
When charging amount exceeds the accumulated charging amount limit, meter displays
The meter has different types of Tokens , an interesting one is the Test Token which could be used to test any prepayment keypad meter which is compliant with STS (Standard transfer specification) , which is the Standard Transfer Specification that mainly provides the reference for the realization of electricity meter encryption, decryption and prepayment.
TEST TOKENS
contractor test
0000-0000-0001-5099-7584
LCD Test
0000-0000-0001-6777-4880
Display total active forward energy
0000-0000-0002-0132-8896
Display security key version
1844-6744-0738-4377-2416
Display tarrif index
3689-3488-1475-5332-2496
Display maximum power
0000-0000-0012-0797-4400
Display meter status
0000-0000-0022-8172-8512
Display instantaneous power
0000-0000-0044-2920-8064
Display meter version Number.
0000-0000-0087-2419-5840
Complete test
5649-3153-7254-5031-3471
Make contactor test, LCD display test, display total active forward energy test, display security key version test, and display tariff index display in turn.
The interval between each test shall be 8s~10s.
Short codes
The meter has a series of short codes that return interesting results. I believe these are the most useful
credit balance
801 : Display token balance
Emergency credit
811 This is how we got here, with this code , you can get an Emergency token which can be activated after your tokens run out, giving you 10 Tokens depending on your overdraft limit
Overdraft limit
810
meter serial number
804
meter status
807
Tarrif index
809
Token code of last recharge
830
Disable audible alarm
812
Last recharge amount
817
Times of Power off
819
Return logoff TOKEN
818
Sometimes good things hide in plain sight, ‘usikae kwa giza !’, I did take the module apart and YES! it has JTAG support which allows us to interact with the processor over serial communication for debugging capabilities, I don’t have any JTAG cables :-( laying around at the moment
next up is getting into the system !)