Efergy Elite Wireless Meter Hack


 

I always wanted to track my house's power consumption and usage. I have an Efergy monitor but it doesn't have PC (USB|Serial) connection so I decided to try to get some information.

 

Hardware

 

Transmitter

The transmitter has three 3.5'' jacks for connecting one or three current clamps (monophase vs triphase).

It transmits current information every 6, 12 or 18seconds (configurable with push button)

I configured mine every 6 seconds to help with sniffing information

 

Receiver

 

 

RF Side

The wireless monitor uses an AMICCOM A7201A UHF receiver (SSOP20 package) working in hardware pin mode (SPI disabled)

It's configured as:

Pin  Name  Value  Comment 
13 SPIS Low Disable SPI -> Hardware Pin mode
14  BAND High  434 Mhz  
15  SPI_CLK  Low  Not used 
16  AFSK  Low  FSK 

 

Pin 18 is data out.

I hooked a scope on this pin, and I can see a pulse train every 6 seconds. See a data sample: Efergy.xlsx

 

Communication 

The first pulses (~2.6 to ~3.8 msec) are variable and I assume is some sort of pseudo-random information to match transmitter with receiver. This pulse is variable and I've seen if ranging from ~1 to ~4 mseconds.

 

Then, at ~7,6 msec there's a long high pulse that leads the data start. At ~8.6 msec the actual data starts.

In the following graph, you can see the overlapped data start of 6 transmissions:

 

Each bit starts at each high to low transition. 

The encoding for 1s is to have a >50% duty cycle for the bit.

The encoding for 0s is to have a <50% duty cycle for the bit.

In the next graph, you can see the whole data transfer. Red line shows bit times (316 usec bit time -> 3200 baud?) . Green line shows bits:  1 (pulse present) or 0 (no pulse)

 

 

The data from the previous graph can be read as:

00000000 01001011 10101001 00000000 00000....

There are some missing bits in the graph. The complete sequence is:

00000000 01001011 10101001 00000000 00000001 00000000 00000010 00000000 11110111

Transformed to decimal:

0 75 169 0 1 0 2 0 247

 

Then I started measuring the same data with different loads in the current clamp:

Byte  Data 0 watt (no current) 0 watt (No clamp conn.)  2 watt (Led lamp)  40 watt (Bulb) 60 watt (Bulb)  100 watt (Bulb)  600 watt (Some appliances)   800 watt 1860 watt  2180 watt (+microwave) 2960 watt  3060 watt (+electric oven)   4230 watt (+air condition) 
 
0
0
0
0
0
0
0
0
0
0
0
0
 
75
75
75
75
75
75
75
75
75
75
75
75
75
 
169
169
169
169
169
169
169
169
169
169
169
169
169
 
0
128
0
0
0
128
0
0
0
0
0
0
0
 
1
1
1
1
1
1
0
0
0
0
0
0
0
6  
0
0
0
0
0
0
0
16
16
16
16
32
32
7  
2
2
2
2
2
2
1
1
1
1
1
1
1
8 Current?
0
0
2
16
24
39
243
38
172
201
253
11
75
9 Checksum
247
119
247
7
15
158
232
43
177
206
2
32
96

 

In the Efergy receiver, you have to manually set the voltage (230 v in my case) so I assume what's transmitted is the 6 seconds current average.

 

Doing some analysis:  

Byte  Data 0 watt 2 watt 40 watt  60 watt 100 watt  600 watt 800 watt  1860 watt 2180 watt 2960 watt  3060 watt 4230 watt
6  
0
0
0
0
0
0
16
16
16
16
32
32
8  
0
2
16
24
39
243
38
172
201
253
11
75
                           
  LCD reading
0
 
40
60
90
0.60k
0.80k
1.86k
2.18k
2.96k
3.06k
4.23k
 

Calculated

Current 

 
 
40/230 = 
0.17 A
60/230 = 
0.26 A
90/230 = 
0.39 A
600/230 = 
2.61 A
800/230 = 
3.47 A
1860/230 = 
8.09 A
2180/230 = 
9.47 A
2960/230 = 
12.87 A
3060/230 = 
13.3 A
4230/230 = 
18.39 A
Byte 8 * 0.01A    
0.16 A
0.24 A
0.39 A
2.43 A
           

 

It seems that the current is shown in Byte 8 in 0.01 A increments (Maximum 2.55 A). When the counter overflows, I see byte 6 moving. I guess each bit it's some kind of multiplier of the Maximum.... I need more data to be sure....

 

CPU Side

There's a microcontroller glued to the PCB but no information about brand/model. There are some hints about the Xtal location but nothing more....

 

 

Next Steps

 

Links