Diffstat (limited to 'ma/safety_reset.tex')
-rw-r--r-- | ma/safety_reset.tex | 173 |
1 files changed, 91 insertions, 82 deletions
diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex
index 9a9a20e..f05587e 100644
--- a/ma/safety_reset.tex
+++ b/ma/safety_reset.tex
@@ -60,6 +60,9 @@
 \usepackage[draft=false,babel,tracking=true,kerning=true,spacing=true]{microtype} % optischer Randausgleich etc. % For german quotation marks
+\usepackage{fltpage}
+
+\renewcommand{\floatpagefraction}{.8}
 \newcommand{\degree}{\ensuremath{^\circ}}
 \newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
@@ -84,8 +87,9 @@
 \typ{Masterarbeit}
 \grad{Master of Science (M. Sc.)}
 \autor{Jan Sebastian Götte}
-\gebdatum{Aus Datenschutzgründen nicht abgedruckt} % Geburtsdatum des Autors
-\gebort{Aus Datenschutzgründen nicht abgedruckt} % Geburtsort des Autors
+\gebdatum{\rule{2cm}{12pt}} % Geburtsdatum des Autors
+\gebort{\rule{3cm}{12pt}} % Geburtsort des Autors
+\input{private-data.tex}
 \gutachter{Prof. Dr. Björn Scheuermann}{Prof. Dr.-Ing. Eckhard Grass}
 \mitverteidigung
 \makeTitel
@@ -104,9 +108,7 @@
 \center{For alternative licensing options, source files, questions or comments please contact the author at \texttt{masterarbeit@jaseg.de}}.
- \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The printed version of this
- document will be marked \texttt{-dirty} due to the private personal information on the title page that is not
- checked in to git. The git repository can be found at:}
+ \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The git repository can be found at:}
 \center{\url{https://git.jaseg.de/master-thesis.git}}
 \end{minipage}
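Review bot: `\input{private-data.tex}` on the title page makes the build fail whenever that file is absent, which is the normal case for anyone building from the repository, since the file is meant to hold personal data that is kept out of git (the neighbouring hunk drops the sentence that described exactly that arrangement). `\InputIfFileExists{private-data.tex}{}{}` keeps the build working and leaves the `\rule` placeholders set on the two preceding lines in place when the file is missing. The commit shows only the include; it is worth confirming that private-data.tex is listed in the repository's ignore file so the birth date and place cannot end up in a push by accident.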
@@ -2056,7 +2058,7 @@ window respectively.
 \begin{figure}
 \centering
- \includegraphics{../lab-windows/fig_out/freq_meas_trace_24h}
+ \includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_trace_24h}
 \caption{Trace of grid frequency over a 24 hour time span. One clearly visible feature are large positive and negative transients at full hours. Times shown are UTC. Note that the European continental synchronous area that this sensor is placed in covers several time zones which may result in images of daily load peaks appearing in 1 hour
@@ -2067,12 +2069,12 @@ window respectively.
 \begin{figure}
 \begin{subfigure}{\textwidth}
 \centering
- \includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_1}
+ \includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_trace_2h_1}
 \caption{A 2 hour window centered on 00:00 UTC.}
 \end{subfigure}
 \begin{subfigure}{\textwidth}
 \centering
- \includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_2}
+ \includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_trace_2h_2}
 \caption{A 2 hour window centered on 18:30 UTC.}
 \end{subfigure}
 \caption{Two magnified 2 hour windows of the trace from Figure \ref{freq_meas_trace}.}
@@ -2081,7 +2083,7 @@ window respectively.
 \begin{figure}
 \centering
- \includegraphics{../lab-windows/fig_out/mains_voltage_spectrum}
+ \includegraphics[width=\textwidth]{../lab-windows/fig_out/mains_voltage_spectrum}
 \caption{Power spectral density of the mains voltage trace in Figure \ref{freq_meas_trace}. Data was captured using our frequency measurement sensor (\ref{sec-fsensor}) and FFT-processed after applying a Blackman window. The vertical lines indicate \SI{50}{\hertz} and odd harmonics. We can see the expected peak at \SI{50}{\hertz} along
@@ -2118,7 +2120,7 @@ signals look very similar, suggesting that we have found a good synthetic approx
 \begin{figure}
 \centering
- \includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_spectrum}
+ \hspace*{-1.2cm}\includegraphics[width=1.2\textwidth]{../lab-windows/fig_out/freq_meas_spectrum}
 \caption{Power spectral density of the 24 hour grid frequency trace in Figure \ref{freq_meas_trace} with some notable peaks annotated with the corresponding period in seconds. The $\frac{1}{f}$ line indicates a pink noise spectrum. Around a period of \SI{20}{\second} the PSD starts to fall off at about $\frac{1}{f^3}$ until we can make out some
@@ -2132,7 +2134,8 @@ signals look very similar, suggesting that we have found a good synthetic approx
 \begin{figure}
 \centering
- \includegraphics[width=\textwidth]{../lab-windows/fig_out/simulated_noise_spectrum}
+ \hspace*{-1.2cm}
+ \includegraphics[width=1.2\textwidth]{../lab-windows/fig_out/simulated_noise_spectrum}
 \caption{Synthetic grid frequency in comparison with measured data. The topmost graph shows the synthetic spectrum compared to the spline approximation of the measured spectrum (red line). The other graphs show time-domain synthetic data (blue) in comparison with measured data (orange).
@@ -2201,9 +2204,8 @@ Gold code yields sufficient performance at manageable data rates.
 \begin{figure}
 \centering
 \begin{minipage}[c]{0.5\textwidth}
- \includegraphics{../lab-windows/fig_out/dsss_gold_nbits_sensitivity}
- \end{minipage}
- \begin{minipage}[c]{0.45\textwidth}
+ \hspace*{-1cm}\includegraphics[width=1.1\textwidth]{../lab-windows/fig_out/dsss_gold_nbits_sensitivity}
+ \end{minipage}\begin{minipage}[c]{0.45\textwidth}
 \caption{
 Amplitude at an SER of 0.5\ in mHz depending on symbol length. Here we can observe an increase of sensitivity with increasing symbol length, but we can clearly see diminishing returns above 6 bit (63 chips). Considering
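Review bot: `\hspace*{-1.2cm}\includegraphics[width=1.2\textwidth]{…}` pushes the graphic into the margin by a fixed length that is unrelated to the amount by which the image exceeds the text block, so the overhang is asymmetric and shifts whenever the page geometry changes; the same pattern appears at @@ -2132, @@ -2201, @@ -2241, @@ -2255, @@ -2279, @@ -2320 and @@ -2555. Centring the overwide box instead, `\makebox[\textwidth][c]{\includegraphics[width=1.2\textwidth]{../lab-windows/fig_out/freq_meas_spectrum}}`, spreads the overhang evenly on both sides and needs no per-figure offset. Where the `\hspace*` sits on its own line (@@ -2132, @@ -2555) the following line break inserts an interword space after it; end that line with `%` if the split is kept.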
@@ -2241,7 +2243,7 @@ in Section \ref{sec-demo-fw-impl}. For comparison purposes this issue do not mat
 \begin{figure}
 \centering
- \includegraphics{../lab-windows/fig_out/dsss_thf_amplitude_5678}
+ \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../lab-windows/fig_out/dsss_thf_amplitude_5678}
 \caption{
 SER vs.\ amplitude graph similar to Figure \ref{dsss_gold_nbits_overview} with one color-coded traces for threshold factors between $1.5$ and $10.0$. Each graph shows traces for a single DSSS symbol length.
@@ -2255,7 +2257,7 @@ yield adequate threshold factors for our use case.
 \begin{figure}
 \centering
- \includegraphics{../lab-windows/fig_out/dsss_thf_sensitivity_5678}
+ \hspace*{-1cm}\includegraphics[width=1.1\textwidth]{../lab-windows/fig_out/dsss_thf_sensitivity_5678}
 \caption{
 Graphs of amplitude at $SER=0.5$ for each symbol length as well as asymptotic SER for large amplitudes. Areas shaded red indicate that $SER=0.5$ was not reached for any amplitude in the simulated range. The bumps in the 7
@@ -2279,21 +2281,23 @@ duration like we did in Figure \ref{dsss_thf_sensitivity_all_bits} for threshold
 faint optimum for very short chips with a decrease of sensitivity for long chips. This effect is due to longer chips moving the signal band into noisier spectral regions (cf.\ Figure \ref{freq_meas_spectrum}).
-\begin{figure}
+\begin{FPfigure}
 \begin{subfigure}{\textwidth}
 \centering
- \includegraphics[width=\textwidth]{../lab-windows/fig_out/chip_duration_sensitivity_5}
+ \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../lab-windows/fig_out/chip_duration_sensitivity_5}
+ \vspace*{-1cm}
 \label{chip_duration_sensitivity_5}
 \caption{
 5 bit Gold code.
 }
 \end{subfigure}
-\end{figure}
-\begin{figure}
- \ContinuedFloat
+%\end{figure}
+%\begin{figure}
+% \ContinuedFloat
 \begin{subfigure}{\textwidth}
 \centering
- \includegraphics[width=\textwidth]{../lab-windows/fig_out/chip_duration_sensitivity_6}
+ \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../lab-windows/fig_out/chip_duration_sensitivity_6}
+ \vspace*{-1cm}
 \label{chip_duration_sensitivity_6}
 \caption{
 6 bit Gold code.
@@ -2311,7 +2315,7 @@ moving the signal band into noisier spectral regions (cf.\ Figure \ref{freq_meas
 the grid can tolerate.
 }
 \label{chip_duration_sensitivity}
-\end{figure}
+\end{FPfigure}
 In the previous graphs we have used random clips of measured grid frequency noise as noise in our simulations. Comparing between a simulation using measured noise and synthetic noise generated as we outlined in the beginning of Section
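Review bot: The three commented-out lines `%\end{figure}`, `%\begin{figure}` and `% \ContinuedFloat` are dead code now that both halves live in one `FPfigure`; git history already records the old split, so delete them rather than keep them in the source (the same applies at @@ -2320). The added `\vspace*{-1cm}` after each `\includegraphics` is a manual layout correction; if it compensates for whitespace inside the PDF, trimming with `\includegraphics[trim=…,clip,…]` as the @@ -2555 hunk already does keeps the correction with the graphic instead of the text. Note also that in both subfigures `\label{…}` precedes `\caption{…}`, so `\ref` resolves to whatever counter was stepped last before the figure rather than to the subfigure; moving each label after its caption fixes the cross-reference.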
@@ -2320,21 +2324,23 @@ simulated noise is an adequate approximation of reality: Our prototype demodulat
 behavior between measured and simulated noise. Simulated noise causes slightly worse performance for long chips. Overall the results for both are very close in absolute value.
-\begin{figure}
+\begin{FPfigure}
 \begin{subfigure}{\textwidth}
 \centering
- \includegraphics[width=\textwidth]{../lab-windows/fig_out/chip_duration_sensitivity_cmp_meas_6}
+ \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../lab-windows/fig_out/chip_duration_sensitivity_cmp_meas_6}
+ \vspace*{-1cm}
 \label{chip_duration_sensitivity_cmp_meas_6}
 \caption{
 Simulation using baseline frequency data from actual measurements.
 }
 \end{subfigure}
-\end{figure}
-\begin{figure}
- \ContinuedFloat
+%\end{figure}
+%\begin{figure}
+% \ContinuedFloat
 \begin{subfigure}{\textwidth}
 \centering
- \includegraphics[width=\textwidth]{../lab-windows/fig_out/chip_duration_sensitivity_cmp_synth_6}
+ \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../lab-windows/fig_out/chip_duration_sensitivity_cmp_synth_6}
+ \vspace*{-1cm}
 \label{chip_duration_sensitivity_cmp_synth_6}
 \caption{
 Simulation using synthetic frequency data.
@@ -2347,7 +2353,7 @@ the results for both are very close in absolute value.
 synthesizer, but also that real grid frequency behaves like a frequency-shaped Gaussian noise process.
 }
 \label{chip_duration_sensitivity_cmp}
-\end{figure}
+\end{FPfigure}
 \section{Implementation of a demonstrator unit}
 \label{sec-prototype}
@@ -2366,55 +2372,7 @@ analog optoisolator.
 \subsection{Selecting a smart meter for demonstration purposes}
 \label{sec-easymeter}
-For our demonstrator to make sense we wanted to select a realistic reset target. In Germany where this thesis was
-written a standards-compliant setup would consist of a comparatively feature-limited smart meter and a smart meter
-gateway (SMGW) containing all of the complex bidirectional protocol logic such as wireless or landline IP connectivity.
-The realistic target for a setup in this architecture would be the components of an SMGW such as its communication modem
-or main application processor. In the German architecture the smart meter does not even have to have a bi-directional
-data link to the SMGW effectively mitigating any attack vector for remote compromise.
-
-Despite these considerations we still chose to reset the application MCU inside smart meter for two reasons. One is that
-SMGWs are much rarer on the second-hand market. The other is that SMGWs are a particular feature of the German
-standardization landscape and in many other countries functions of an SMGW such as wireless protocol handling are
-integrated into the meter itself (see e.g.\ \cite{honeywell01}).
-
-In the end we settled on a Q3DA1002 three phase 60A meter made by German manufacturer EasyMeter. This meter is typical
-of what would be found in an average German household and can be acquired very inexpensively as new old stock on online
-marketplaces.
-
-The meter consists of a plastic enclosure with a transparent polycarbonate top part and a gray ABS bottom part that are
-ultrasonically welded together. In the bottom part of the case a PCB we call the \emph{measurement} board is potted in
-epoxide resin (see Figure \ref{easymeter_composites}). This PCB contains three separate energy measurement ASICs for the
-three phases (see Figure \ref{easymeter_detail_xrays}). 
It also contains a capacitive dropper power supply for the meter
-circuitry and external modules such as a SMGW. The measurement board through three infrared links (one per phase)
-communicates with a smaller unpotted PCB we call the \emph{display} board in the top of the case. This PCB handles
-measurement logging and aggregation, controls a small segment LCD displaying totals and handles the externally
-accessible \si{\kilo\watt\hour} impulse LED and serial IR links.
-
-The measurement board does not contain any logging or outside communication interfaces. All of that is handled on the
-display board by a Texas Instruments \texttt{MSP430F2350} application MCU. This is a 16-bit RISC MCU with
-\SI{16}{\kilo\byte} flash and \SI{2}{\kilo\byte} SRAM\footnote{
- At first glance the microcontroller might seem overkill for such a simple application, but most of its
- \SI{16}{\kilo\byte} program flash is in fact used. A casual glance with Ghidra shows that a large part of program
- flash is expended on keeping multiple redundant copies of energy consumption aggregates including error recovery in
- case of data corruption and some effort has even been made to guard against data corruption using simple
- non-cryptographic checksums. Another large part of the MCU's firmware handles data transmission over the meter's
- externally accessible IR link through Smart Message Language\cite{bsi-tr-03109-1-IVb}.
-}. There is an I2C EEPROM that is used in conjunction with the microcontroller's internal \SI{256}{\byte} data flash to
-keep redundant copies of energy consumption aggregates. On the side of the display board there is a 14-pin header
-containing both a standard TI MSP430 JTAG pinout and a UART serial interface for debugging. Conveniently, the JTAG port
-was left enabled by fuse in our particular production unit.
-
-We chose to use this \texttt{MSP430} series application MCU as our reset target. 
Though in this particular unit remote
-compromise is impossible due to a lack of bidirectional communication links some of its sister models do contain
-bidirectional communication links\cite{easymeter01} making compromise through communication interfaces an at least
-theoretical possibility. In other countries, meters with a similar architecture to the Q3DA1002 include complex protocol
-logic as part of the meter itself or have bidirectional links to it\cite{honeywell01,ifixit01,bigclive01,eevblog01}. As
-an example, the Honeywell REX2 uses a Maxim Integrated \texttt{71M6541} main application microcontroller along with a
-Texas Instruments \texttt{CC1000} series radio transceiver and is advertised to support both over-the-air firmware
-upgrade and a remotely accessible disconnect switch.
-
-\begin{figure}
+\begin{figure}[h!]
 \centering
 \begin{subfigure}{\textwidth}
 \centering
@@ -2451,7 +2409,7 @@ upgrade and a remotely accessible disconnect switch.
 \label{easymeter_composites}
 \end{figure}
-\begin{figure}
+\begin{figure}[h!]
 \centering
 \begin{subfigure}{0.45\textwidth}
 \centering
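Review bot: `\begin{figure}[h!]` does not pin the figure where it is written: LaTeX rewrites a bare `h`/`h!` specifier to `ht` with a warning, so the float may still drift to the top of a following page, and the same holds for the second figure at @@ -2451. If moving the section prose below the two figures is meant to force them to appear before the text, `[H]` from the `float` package is the explicit form; otherwise `[htbp]` avoids the warning. The removed prose block is re-added unchanged in the later hunk at @@ -2472, so the reorder itself looks intentional.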
@@ -2472,6 +2430,54 @@ upgrade and a remotely accessible disconnect switch.
 \label{easymeter_detail_xrays}
 \end{figure}
+For our demonstrator to make sense we wanted to select a realistic reset target. In Germany where this thesis was
+written a standards-compliant setup would consist of a comparatively feature-limited smart meter and a smart meter
+gateway (SMGW) containing all of the complex bidirectional protocol logic such as wireless or landline IP connectivity.
+The realistic target for a setup in this architecture would be the components of an SMGW such as its communication modem
+or main application processor. In the German architecture the smart meter does not even have to have a bi-directional
+data link to the SMGW effectively mitigating any attack vector for remote compromise.
+
+Despite these considerations we still chose to reset the application MCU inside smart meter for two reasons. One is that
+SMGWs are much rarer on the second-hand market. The other is that SMGWs are a particular feature of the German
+standardization landscape and in many other countries functions of an SMGW such as wireless protocol handling are
+integrated into the meter itself (see e.g.\ \cite{honeywell01}).
+
+In the end we settled on a Q3DA1002 three phase 60A meter made by German manufacturer EasyMeter. This meter is typical
+of what would be found in an average German household and can be acquired very inexpensively as new old stock on online
+marketplaces.
+
+The meter consists of a plastic enclosure with a transparent polycarbonate top part and a gray ABS bottom part that are
+ultrasonically welded together. In the bottom part of the case a PCB we call the \emph{measurement} board is potted in
+epoxide resin (see Figure \ref{easymeter_composites}). This PCB contains three separate energy measurement ASICs for the
+three phases (see Figure \ref{easymeter_detail_xrays}). 
It also contains a capacitive dropper power supply for the meter
+circuitry and external modules such as a SMGW. The measurement board through three infrared links (one per phase)
+communicates with a smaller unpotted PCB we call the \emph{display} board in the top of the case. This PCB handles
+measurement logging and aggregation, controls a small segment LCD displaying totals and handles the externally
+accessible \si{\kilo\watt\hour} impulse LED and serial IR links.
+
+The measurement board does not contain any logging or outside communication interfaces. All of that is handled on the
+display board by a Texas Instruments \texttt{MSP430F2350} application MCU. This is a 16-bit RISC MCU with
+\SI{16}{\kilo\byte} flash and \SI{2}{\kilo\byte} SRAM\footnote{
+ At first glance the microcontroller might seem overkill for such a simple application, but most of its
+ \SI{16}{\kilo\byte} program flash is in fact used. A casual glance with Ghidra shows that a large part of program
+ flash is expended on keeping multiple redundant copies of energy consumption aggregates including error recovery in
+ case of data corruption and some effort has even been made to guard against data corruption using simple
+ non-cryptographic checksums. Another large part of the MCU's firmware handles data transmission over the meter's
+ externally accessible IR link through Smart Message Language\cite{bsi-tr-03109-1-IVb}.
+}. There is an I2C EEPROM that is used in conjunction with the microcontroller's internal \SI{256}{\byte} data flash to
+keep redundant copies of energy consumption aggregates. On the side of the display board there is a 14-pin header
+containing both a standard TI MSP430 JTAG pinout and a UART serial interface for debugging. Conveniently, the JTAG port
+was left enabled by fuse in our particular production unit.
+
+We chose to use this \texttt{MSP430} series application MCU as our reset target. 
Though in this particular unit remote
+compromise is impossible due to a lack of bidirectional communication links some of its sister models do contain
+bidirectional communication links\cite{easymeter01} making compromise through communication interfaces an at least
+theoretical possibility. In other countries, meters with a similar architecture to the Q3DA1002 include complex protocol
+logic as part of the meter itself or have bidirectional links to it\cite{honeywell01,ifixit01,bigclive01,eevblog01}. As
+an example, the Honeywell REX2 uses a Maxim Integrated \texttt{71M6541} main application microcontroller along with a
+Texas Instruments \texttt{CC1000} series radio transceiver and is advertised to support both over-the-air firmware
+upgrade and a remotely accessible disconnect switch.
+
 \subsection{Firmware implementation}
 \label{sec-demo-fw-impl}
@@ -2555,12 +2561,14 @@ tendency towards incorrect decodings at even very large amplitudes.
 \centering
 \begin{subfigure}{\textwidth}
 \centering
- \includegraphics[trim={0 4cm 0 0},clip]{../lab-windows/fig_out/dsss_thf_amplitude_56_jupyter_impl}
+ \hspace*{-1cm}
+ \includegraphics[trim={0 4cm 0 0},clip,width=1.2\textwidth]{../lab-windows/fig_out/dsss_thf_amplitude_56_jupyter_impl}
 \caption{Python prototype.}
 \end{subfigure}
 \begin{subfigure}{\textwidth}
 \centering
- \includegraphics[trim={0 4cm 0 0},clip]{../lab-windows/fig_out/dsss_thf_amplitude_56_fw_impl}
+ \hspace*{-1cm}
+ \includegraphics[trim={0 4cm 0 0},clip,width=1.2\textwidth]{../lab-windows/fig_out/dsss_thf_amplitude_56_fw_impl}
 \caption{Embedded C implementation.}
 \end{subfigure}
@@ -2762,6 +2770,7 @@ public repository listed on the second page of this document.
 \chapter{Demonstrator firmware symbol size map}
+\emph{Please find this appendix enclosed in the pouch on the inside of the back cover.}
 \label{symbol_size_chart}
 \includepdf[fitpaper]{resources/safetyreset-symbol-sizes.pdf} |
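Review bot: In the re-added prose, `Figure \ref{easymeter_composites}`, `Figure \ref{easymeter_detail_xrays}`, `Language\cite{bsi-tr-03109-1-IVb}`, `links\cite{easymeter01}` and `it\cite{honeywell01,ifixit01,bigclive01,eevblog01}` all allow a line break between the word and the reference number; since the text is being moved anyway, `Figure~\ref{…}` and `~\cite{…}` are the cheap fix. The sentence `reset the application MCU inside smart meter` is also missing an article (`inside the smart meter`).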
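Review bot: The added `\emph{Please find this appendix enclosed in the pouch on the inside of the back cover.}` is immediately followed by the unchanged `\includepdf[fitpaper]{resources/safetyreset-symbol-sizes.pdf}`, so the electronic version tells the reader to look in a pouch while the pages are in fact embedded, and a print run that does embed them carries a misleading note. Presumably the intent is to leave the PDF out of the printed copy; a single toggle set in the preamble, e.g. `\newif\ifprintversion`, can select between the sentence and the `\includepdf` so that only one of the two is ever emitted.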