Elster A 1700 password

Gurux Network Component for C#, Java, ANSI C++ We have received a lot of inquiry how to make password for Elster A 1700. Formula is below:

/// 
/// Encrypt Elster PW for A1700.
/// 
/// Used password.
/// Seed received from the meter.
/// Password send back to meter.
string ElsterEncrypt(string password, string seed)
{
    //Convert hex string to byte array.
    byte[] s = GXCommon.HexToBytes(seed, false);
    byte[] crypted = new byte[8];
    for (int pos = 0; pos != 8; ++pos)
    {
        crypted[pos] = (byte)(password[pos] ^ s[pos]);
    }
    int last = crypted[7];
    for (int pos = 0; pos != 8; ++pos)
    {
        crypted[pos] = (byte)((crypted[pos] + last) & 0xFF);
        last = crypted[pos];
    }
    return GXCommon.ToHex(crypted, false);
}

Communicating with Elster A 1500 and 1700

We are receiving emails how to communicate with Elster meters. We are not supporting IEC 62056-21 anymore, but I'll add small description how to start.

First send identify command.
/?!\r\n

Meter replies it's FLAG name and used baudrate. After that is serial number. It's something like this:
/GEC5012345678901@000\r\n

Tell meter what baudrate you want to use. You must also change serial port baud rate to same. In this example baudrate is 9600
[0x6]051\r\n

Meter reply that you need to give password. Meter also gives seed as a parameter. Note this seed is different for each time.
[0x1]P0[0x2](FD2BA0E29731D230)[0x3]m\r\n

Use function above to count hashed password. Then send it to the meter.
[0x1]P2[0x2](BE2C10B158593B3E)[0x3 0x60]\r\n

If meter accepts password it returns ACK.
[0x6]

Now you can read data from the meter. Example:
[0x1]R1[0x2]798001(10)[0x3]e

Undefined

Comments

what does this line do?
==> long tmp = (crypted[pos] + last) & 0x800000FF;
seems it does nothing within the function

Kurumi's picture

Hi,

You are right. That is not needed. I updated the example.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Thanks a lot...
i was using Encrypt dll from ELSTER, since i move from delphi to lazarus in linux, this is a big help...
i'll compare it immediately

BR,

rads

Kurumi's picture

Hi,

We was also using encrypt.dll until we had a Linux project. We thought that there is also encrypt library for Linux. It was very surprising that there was not. In those few lines are weeks of hard work. :-)

Happy coding,

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Many thanks for this, just what I was looking for.

Hi Mr. Mikko, first I would like to say thanks for sharing this info.

I'm wondering which password you used in your example code, I'm trying with the default for this meter:
Pass 1: 0001ABCD
Pass 2: ABCD0002
Pass 3: FEDC0003
and I'm not getting the same output you've got, with the same seed.

Leonardo Chacon

Kurumi's picture

Hi Leonardo,

I can't remember the password what we used. Meter is not on our office and I can't read the meter right now and check it. I believe it was default password. You can try with 00000000.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Well it seems like I've got stuck, just in case some else is working with this instrument I'll like to let you know where I have gotten so far.
I’m not an experienced programmer though and have never submitted anything to github before, not sure how to use it.
Any way here it is, the current file I’m working with is Desencryptalo_v8.py, and there is a sample of the output I’m getting:

https://github.com/leonardoecv/A1700-meter-readuot

Leonardo Chacon

Kurumi's picture

Hi Leonardo,

Can you show your result also as hex so we can help you.
You should receive 0x6 as reply after you send your pw.
This is ACK message.

BR,
Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

C:\>py Desencryptalo_v10.py
2017-09-06 14:46:04 ### :Begining communication
2017-09-06 14:46:04 >>> : /?!
2017-09-06 14:46:07 <<< : /GEC5090100010300@000
2017-09-06 14:46:07 >>> : ♠051
2017-09-06 14:46:09 <<< : ☺P0☻(1DA5E8CFF12D8EC9)♥▼
2017-09-06 14:46:09 >>> : ☺P2☻(B9CE42839B9C1082)♥`
2017-09-06 14:46:11 <<< : __7{w+
5f 5f 37 7b 77 2b 0

C:\>py Desencryptalo_v10.py
2017-09-06 14:46:17 ### :Begining communication
2017-09-06 14:46:17 >>> : /?!
2017-09-06 14:46:20 <<< : /GEC5090100010300@000
2017-09-06 14:46:20 >>> : ♠051
2017-09-06 14:46:22 <<< : ☺P0☻(124E62E19028C261)♥↨
2017-09-06 14:46:22 >>> : ☺P2☻(4E63D7183031333A)♥`
2017-09-06 14:46:23 <<< : _;7ww+§
5f 3b 37 77 77 2b 15

C:\>py Desencryptalo_v10.py
2017-09-06 14:47:46 ### :Begining communication
2017-09-06 14:47:46 >>> : /?!
2017-09-06 14:47:49 <<< : /GEC5090100010300@000
2017-09-06 14:47:49 >>> : ♠051
2017-09-06 14:47:51 <<< : ☺P0☻(1D0B7880FD59783C)♥◄
2017-09-06 14:47:51 >>> : ☺P2☻(319191C3DBDC5050)♥`
2017-09-06 14:47:53 <<< : _⌂_Ww=§
5f 7f 5f 57 77 3d 15

the last message I'm getting no matter which of the defaults passwords I try with, looks always like that: with a NAK (15hex) character.

Leonardo Chacon

We're also banging our heads against this password encryption at the moment.

When running the function above against the seed in your example we don't get the same result with any of the passwords we've come across. (oooooooo, 00000000, 0001ABDC, ABCD0002, FEDC0003)

Sample log:
TX /?!<CR><LF>
RX /GEC5090100031111@000<CR><LF>

TX <ACK>051<CR><LF>
RX <SOH>P0<STX>(F01322D7BEB38CB7)<ETX><US>

TX <SOH>P2<STX>(0C7EF067696BDFE4)<ETX><FS>
RX <SOH>B0<ETX>q

The function is yours as converted into python by Leonardoecv (Excuse the formatting)

def decryptA1700(seed, password):
__seed = bytearray(seed, 'ascii')
__password = bytearray(password, 'ascii')
__crypted = bytearray(b'\x00\x00\x00\x00\x00\x00\x00\x00')
__for i in range (0, 8):
____crypted[i] = password[i] ^ seed[i]
__last = crypted[7]
__for i in range (0, 8):
____crypted[i] = (crypted[i] + last) & 0xFF
____last = crypted[i]
__crypted = (binascii.hexlify(crypted)).swapcase()

Have we missed something silly?

Hi dear kurumi
I have a problem
Please help me
Wich algorithm generate next character after ETX in p2 and others

Sample log:
TX /?!<CR><LF>
RX /GEC5090100031111@000<CR><LF>

TX <ACK>051<CR><LF>
RX <SOH>P0<STX>(F01322D7BEB38CB7)<ETX><US>

TX <SOH>P2<STX>(0C7EF067696BDFE4)<ETX><FS>
RX <SOH>B0<ETX>q

In this sample P0 is <US> AND P2 is <FS>

Kurumi's picture

Hi,

Your meter closes the connection. Check the password.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

hi
i want to read elster a120 uk.
this metter seeds like a1700 but i get ERR4 on reading lines.
any help plz ?

"+OK/?!\n" +
"/GEC5100200030100@000\n" +
"+OK<ACK>051\n" +
"+OK,END\n" +
"<SOH>P0<STX>(E53DE027E11E70D1)<ETX>e"+
"+OK<SOH>P2<STX>(0000000000000000)<ETX>b\n" +
"<ACK>"+
"+OK<SOH>P2<STX>(9C11B516E8165636)<ETX>b\n" +
"<NAK>"

my p2 password is correct becouse i generate same password that other software who can read this metter.
but i get <NAK>.

in P2<STX>(0000000000000000)<ETX>, when i send any other char for "b" i get <NAK>.
i think this char is important, for P2 too . yes or no?

Kurumi's picture

Hi,

P2 is generated from the seed what meter sends and password what you have. It's different each time.
You should also send P2 only once. Now you are sending it twice.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

Hi Kurumi,
Not getting any response when I issue any of the commands below to the meter
<SOH>P2<STX>(0000000000000000)<ETX>b
<SOH>R1<STX>798001(10)<ETX>e
<SOH>R1<STX>795001(08)<ETX>a

Any ideas why the meter stops responding after generating the password seed?

Regards,
Frank

Kurumi's picture

Hi,

Check your password. That is usually the problem.

BR,
Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi