Tunnel – Meter reading via GSM data call (CSD) and IP communications (with SSL/TLS security). Incorporation of Device Manager (with SSL/TLS security) for modem management

Scenario details:

  • A large fleet of electric meter boxes is installed. For 15 years the contractors' readings have been carried out through GSM data calls (CSD) made to the modems, which are connected to the electric meter boxes through the RS232 port. This project aims to evolve the system from GSM (CSD) communications to IP communications. In addition, a remote modem management system (Device Manager) is to be added that allows remote monitoring of the modems as well as remote configuration changes, firmware updates, certificate management, etc.
  • The new system must offer a high level of security. Therefore both the IP data channel for meter reading (communication between the modem and the Reading Center) and the modem monitoring and control channel (communication between the modem and the Device Manager) must use IP communications with SSL/TLS security and mutual authentication.
  • Currently the electric meter boxes are read by means of GSM data calls (CSD). Therefore the new modems must also be compatible with CSD calls until the infrastructure migrates to IP communications. Taking advantage of the modem replacement, an additional security layer is to be added to the current GSM data calls (CSD): the modems should only accept CSD calls made from authorized telephone numbers, that is, from the telephone numbers of the Meter Reading Center.

Solution:

Config.txt configuration file (master):

Configuration                                Observations
COMM_baudrate: 9600                          Serial port baud rate
COMM_bitsperchar: 8                          Number of data bits
COMM_autorts: off                            No RTS flow control
COMM_autocts: off                            No CTS flow control
COMM_stopbits: 1                             1 stop bit
COMM_parity: none                            No parity
GPRS_apn: movistar.es                        GPRS APN provided by the GSM operator
GPRS_login: MOVISTAR                         GPRS login
GPRS_password: MOVISTAR                      GPRS password
GPRS_timeout: 0                              Modem is always GPRS connected
GPRS_mode: 2G                                Modem forced to the 2G network (required for CSD calls)
MTX_PIN: 0000                                PIN of the SIM
MTX_mode: server                             GPRS connection type: server
TELNET_port: 20023                           Telnet server port
MTX_model: 199801422                         Modem model
MTX_ping: 35                                 Ping interval (seconds) used to supervise the connection
MTX_pingIP: 8.8.8.8                          IP address to ping (Google DNS, as an example)
MTX_ATLimited: off                           No restrictions on AT commands
MTX_ATEmbedded: temporalclient               Embedded command accepted only to open the temporal TCP socket
MTX_temporalClientTimeout: 120               Socket closes after 120 seconds without traffic
MTX_IDClient: [IMEI]                         Identifying string sent when the client socket is opened
MTX_clientSSL: on                            TCP client socket secured with SSL/TLS
SMS_allPhones: off                           Command SMS are not accepted from any phone, only from authorized numbers
SMS_sendIP: off                              Modem won’t respond to a missed call/SMS by sending its IP
SMS_ATEnabled: on                            Commands can be sent to the MTX by SMS
SMS_ATResponse: on                           MTX responds with an SMS to a command SMS
SMS_validPhone1: +34666123456                Authorized phone number 1
SMS_validPhone2: +34666123457                Authorized phone number 2
FIREWALL_enabled: on                         Only authorized IP addresses can connect to the modem
FIREWALL_IP1: 80.1.2.3                       Authorized IP address 1
FIREWALL_IP2: 80.4.5.6                       Authorized IP address 2
TCP_port: 20010                              Port of the IP-RS232 gateway
TCP_IP: 80.1.2.3                             Reading platform IP address
MQTT_enabled: on                             MQTT service enabled
MQTT_server: ssl://broker.cervello.io:8883   Broker (IP or DNS name) including port, with SSL/TLS
MQTT_id: yku41420t957oh8t                    Identifier
MQTT_login: jfj1usly8ijhh9hizfr453           Username
MQTT_password: gthhdte67y3ttes33fgg          Password
MQTT_attopic1: [IMEI]/AT                     MQTT topic on which AT commands are received
MQTT_atrtopic: [IMEI]/ATR                    Topic to which command replies are sent
MQTT_keepalive: 300                          Connection keep-alive (300 seconds)
DNS_enabled: on                              Status data sending activated
DNS_mode: mqtt                               Status data sent via MQTT
DNS_mqttTopic: [IMEI]/dns                    Topic to which status data are sent
DNS_extended: off                            Extended data (I/O, ADCs, ...) are not sent
DNS_period: 600                              One report every 600 seconds (10 minutes)
CSD_enabled: on                              CSD calls are enabled
CSD_validPhone1: 666333444                   Authorized phone number 1
CSD_validPhone2: 666444555                   Authorized phone number 2
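The configuration above is only as strong as the handful of keys that gate who may talk to the modem (firewall, SMS and CSD whitelists, SSL on both channels). As an added example, not code from the page or from the modem vendor, the following Python linter parses the Config.txt "key: value" format and flags the weak settings that would undermine this scenario. HARDENED_CONFIG is a constructed subset of the scenario's own values (MQTT credentials replaced by placeholders); WEAK_CONFIG is a constructed counterpart with the controls switched off, including a duplicated key, which a flat file would silently resolve to the last value.

```python
import re

# Constructed subset of the scenario's Config.txt in its "key: value" format.
# Credentials are placeholders, not the page's values.
HARDENED_CONFIG = """\
GPRS_mode: 2G
MTX_mode: server
MTX_clientSSL: on
MTX_ATEmbedded: temporalclient
SMS_allPhones: off
SMS_ATEnabled: on
SMS_validPhone1: +34666123456
FIREWALL_enabled: on
FIREWALL_IP1: 80.1.2.3
FIREWALL_IP2: 80.4.5.6
TCP_port: 20010
TCP_IP: 80.1.2.3
MQTT_enabled: on
MQTT_server: ssl://broker.cervello.io:8883
MQTT_login: [placeholder]
MQTT_password: [placeholder]
CSD_enabled: on
CSD_validPhone1: 666333444
"""

# Constructed counterpart with the security controls weakened.
WEAK_CONFIG = """\
GPRS_mode: auto
MTX_mode: server
MTX_mode: client
MTX_clientSSL: off
SMS_allPhones: on
SMS_ATEnabled: on
FIREWALL_enabled: off
TCP_port: 20010
MQTT_enabled: on
MQTT_server: tcp://broker.cervello.io:1883
CSD_enabled: on
"""


def parse_config(text):
    """Parse 'KEY: value' lines; returns (settings, list of duplicated keys)."""
    settings, duplicates = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_]+):\s*(.*)", line)
        if match is None:
            raise ValueError(f"line {lineno}: not a 'KEY: value' entry: {raw!r}")
        key, value = match.group(1), match.group(2).strip()
        if key in settings:
            duplicates.append(key)
        settings[key] = value  # last occurrence wins, as a flat file would be read
    return settings, duplicates


def lint_config(text):
    """Return 'LEVEL: message' findings for the settings this scenario relies on.

    An empty list means nothing was flagged.
    """
    cfg, duplicates = parse_config(text)
    findings = []

    def is_on(key):
        return cfg.get(key, "off").lower() == "on"

    def has_prefix(prefix):
        # at least one non-empty FIREWALL_IPn / SMS_validPhoneN / CSD_validPhoneN
        return any(k.startswith(prefix) and cfg[k] for k in cfg)

    for key in duplicates:
        findings.append(f"ERROR: {key} appears more than once; the last value wins")
    if not is_on("MTX_clientSSL"):
        findings.append("ERROR: MTX_clientSSL is off, the meter-reading socket would be plaintext")
    if not is_on("FIREWALL_enabled"):
        findings.append("ERROR: FIREWALL_enabled is off, any IP may reach TCP_port")
    elif not has_prefix("FIREWALL_IP"):
        findings.append("ERROR: firewall enabled but no FIREWALL_IPn address is listed")
    if is_on("SMS_ATEnabled"):
        if is_on("SMS_allPhones"):
            findings.append("ERROR: SMS_allPhones is on, AT commands accepted by SMS from any number")
        elif not has_prefix("SMS_validPhone"):
            findings.append("WARN: SMS commands enabled but no SMS_validPhoneN is authorized")
    if is_on("CSD_enabled"):
        if not has_prefix("CSD_validPhone"):
            findings.append("ERROR: CSD enabled without CSD_validPhoneN, calls would be accepted from any number")
        if cfg.get("GPRS_mode", "").lower() != "2g":
            findings.append("WARN: CSD data calls need the 2G network; GPRS_mode should be 2g")
    if is_on("MQTT_enabled") and not cfg.get("MQTT_server", "").startswith("ssl://"):
        findings.append("ERROR: MQTT_server does not use ssl://, the Device Manager channel would be plaintext")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: {lint_config(text) or ['no findings']}")
```

Running the linter over a master Config.txt before it is pushed to the fleet from the Device Manager is the cheap check: the hardened sample produces no findings, while the weakened one reports the duplicated MTX_mode, the plaintext channels, the open firewall, the SMS whitelist bypass and the missing CSD whitelist.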

Details:

  • The IP connection between the modem and the Device Manager is permanent and secure (SSL/TLS). It is always established, so at any moment an action command (configuration change, reset, etc.) can be sent from the Device Manager to the modem.
  • The connection between the modem and the reading platform is not permanent. The procedure the reading platform follows to read a meter securely is as follows:
    1. The reading platform connects to TCP port 20010 of the modem.
    2. Through that socket the reading platform sends the modem the command:
       <MTXTUNNELR>AT^MTXTUNNEL=DEFAULTTEMPORALCLIENT</MTXTUNNELR>
       so that the modem opens a secure (SSL/TLS) communications channel in TCP client mode towards the platform.
    3. The modem opens an SSL/TLS socket to the “TCP_port” port of the platform IP. The reading platform and the modem authenticate each other (mutual authentication) with digital certificates.
    4. Once the secure (SSL/TLS) socket is established, the modem sends through it the value of its MTX_IDClient configuration parameter, an alphanumeric string that lets the reading platform identify which modem has connected (useful when several meters are read simultaneously).
       This socket remains established until it is closed by the reading platform or until “MTX_temporalClientTimeout” seconds pass without traffic on it.
    5. Through that socket the platform can read the meter, with the modem acting as a transparent IP-RS232 gateway protected by SSL/TLS.
    6. Once the meter has been read, the reading platform closes the reading socket and the modem is again ready to accept the command on the TCP_port port. To start a new meter reading, the process is repeated from step 1.
  • The values of the COMM_ parameters must be adjusted to match the serial port configuration of the connected device.
  • For SSL communications, if the root certificates of your servers need to be loaded into the modem, the annex at the end of this document describes the procedure.
  • The modem only accepts connections to the TCP_port port from the IP addresses indicated in the FIREWALL_IP1 and FIREWALL_IP2 parameters.
  • In this scenario, in addition to IP communications, connecting to the meter box via GSM data call (CSD) is allowed. For that reason the modem must be forced to use the 2G network (parameter GPRS_mode: 2g). If GSM data calls are not needed, the GPRS_mode configuration parameter can be changed to “auto”, so that the modem uses the 2G/3G network according to availability.
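The six-step reading procedure above is easiest to reason about when both sides are written out. The following Python example is added here and is not code from the page or from the modem vendor: read_meter() plays the reading platform (steps 1 to 6) and modem_stub() is a constructed stand-in for the modem that echoes bytes as if they came from the RS232 side. The trigger command, the MTX_IDClient identifier and the MTX_temporalClientTimeout value come from the page; the CR/LF framing of the identifier, the ID_LIMIT bound, the allowed_ids whitelist and the port the platform listens on are assumptions. platform_tls_context() builds the mutual-authentication context a real deployment would wrap the callback socket with; demo() runs the exchange on loopback without certificates so it executes offline.

```python
import socket
import ssl
import threading

# Values from the scenario's Config.txt
MODEM_TRIGGER_PORT = 20010     # TCP_port: the modem port the platform sends the trigger to
TEMPORAL_CLIENT_TIMEOUT = 120  # MTX_temporalClientTimeout: seconds without traffic
TRIGGER_CMD = b"<MTXTUNNELR>AT^MTXTUNNEL=DEFAULTTEMPORALCLIENT</MTXTUNNELR>\r\n"
ID_LIMIT = 64                  # assumed upper bound on the MTX_IDClient string


def platform_tls_context(ca_file, cert_file, key_file):
    """Server-side context for the reading platform: the modem must present a
    certificate chained to ca_file, which is the mutual authentication of step 3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(ca_file)
    return ctx


def recv_line(sock, limit=ID_LIMIT):
    """Read one CR/LF-terminated line (the line framing is an assumption)."""
    buf = b""
    while not buf.endswith(b"\n"):
        if len(buf) >= limit:
            raise ValueError("identifier longer than expected")
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed before sending MTX_IDClient")
        buf += chunk
    return buf.decode("ascii", "replace").strip()


def read_meter(modem_addr, platform_listener, request, allowed_ids, server_ctx=None):
    """Platform side of steps 1 to 6; returns (modem identifier, reply bytes)."""
    with socket.create_connection(modem_addr, timeout=5) as trigger:  # steps 1-2
        trigger.sendall(TRIGGER_CMD)
    platform_listener.settimeout(5)
    conn, _peer = platform_listener.accept()                            # step 3
    if server_ctx is not None:
        conn = server_ctx.wrap_socket(conn, server_side=True)
    with conn:
        conn.settimeout(TEMPORAL_CLIENT_TIMEOUT)
        modem_id = recv_line(conn)                                      # step 4
        if modem_id not in allowed_ids:
            raise PermissionError(f"unexpected modem identifier {modem_id!r}")
        conn.sendall(request)                                           # step 5
        reply = conn.recv(1024)
    return modem_id, reply                                              # step 6: socket closed


def modem_stub(listener, platform_addr, imei):
    """Constructed stand-in for the modem (not MTX firmware): accept the trigger,
    call the platform back, send MTX_IDClient, then echo bytes as the RS232 side."""
    conn, _ = listener.accept()
    with conn:
        if conn.recv(1024).strip() != TRIGGER_CMD.strip():
            return  # anything other than the embedded command is ignored
    with socket.create_connection(platform_addr) as s:
        s.sendall(imei.encode() + b"\r\n")
        while True:
            chunk = s.recv(1024)
            if not chunk:
                break
            s.sendall(b"RS232:" + chunk)


def demo(imei="123456789012345", allowed_ids=None):
    """Run the exchange on loopback without TLS (no certificates are embedded);
    in a deployment the modem listens on MODEM_TRIGGER_PORT and the callback
    socket is wrapped with platform_tls_context()."""
    modem_l = socket.socket()
    modem_l.bind(("127.0.0.1", 0))
    modem_l.listen(1)
    plat_l = socket.socket()
    plat_l.bind(("127.0.0.1", 0))
    plat_l.listen(1)
    try:
        worker = threading.Thread(
            target=modem_stub, args=(modem_l, plat_l.getsockname(), imei), daemon=True)
        worker.start()
        # "/?!\r\n" is a constructed sample request as a meter-reading protocol might send
        result = read_meter(modem_l.getsockname(), plat_l, b"/?!\r\n", allowed_ids or {imei})
        worker.join(5)
        return result
    finally:
        modem_l.close()
        plat_l.close()


if __name__ == "__main__":
    print(demo())
```

Two details matter for a defender here: the identifier sent in step 4 is only a label, so the platform still relies on the client certificate (CERT_REQUIRED) to know which modem it is talking to, and the identifier is checked against a whitelist before any reading traffic is sent; and the reading socket is opened by the modem towards a fixed TCP_IP, so the platform never has to accept inbound connections on the meter side beyond the trigger.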