I switched into an analog digitizers position at work. The day I joined the team (last Monday), all my new peers decided to take 2 weeks off, so I've been analyzing our products and figuring out all the various high speed circuit theories we've implemented into shipping products. I moved from a high precision, low speed group to a high speed, low precision group, which means all the circuits I'm used to are moot.
So today I browsed Wikipedia researching:
phase locked loops
history of timekeeping accuracy
direct digital synthesis clocks
fractional frequency converters
future time event synchronization across GPS (sweet)
voltage controlled oscillators
phase accumulators
bang bang charge pumps
interpolations filters
positive dual emitter long tail paired circuits
linearization of active opamp circuits
overlimit safety modes
etc. (this is about 1% of the hyperlinks I clicked on today)
I did similar research yesterday, too. It's like I'm in college, only I'm getting paid and I'm spending 10 solid hours a day learning a very specific subset of high speed analog front end design. With this knowledge, I've already been able to help people understand problems in our designs, and I'm in the middle of troubleshooting a clock coupling issue and a floating ground problem... I'm in hog heaven, but nervous because I've been doing a bunch of research and little development for the digitizers group. I am, however, still working on a project from two positions ago; I spent 4 days on it last week and the beginning of this week to try and wrap it all up.
...
After reading about phase locked loops, I decided it would be neat if we could pull our power from the utility without it registering on the meter. This is just an exercise... I have no plans on 'stealing' power, but it would be difficult to prove that I'm stealing it because no meter tampering would be required.
So unlike old meters, which literally had an analog, continuous current meter and an analog multiplier for voltage, newer meters are discrete, which means they do not continuously sample the voltage or current. Voltage and current, of course, are used to determine the real power your house is consuming. The imaginary power usually isn't billed to the customer, even though the utility still has to generate it.
So these new meters have discrete analog to digital converters that sample the voltage and current every N milliseconds. If you knew the sample rate of the V ADC on a utility meter, then you could make a load that only pulls power in short increments between samples. If that load were, say, a 1:1 AC-AC high frequency converter that that only drew power when the meter wasn't discretely calculating the power you're pulling, then you could switch power into a rectifier and then use that output to charge a capacitor. Then ,using a simple inverter, you could convert the power back to AC.
Considering a utility meter is able to calculate power factor, the sample rate is at lest 10x the 60Hz frequency, but an AC-AC transformer phase locked to the 60Hz line could easily operate in the 100kHz or higher range using a switched mode power supply. Ultimately, if the ADCs in the meter are running less than 10kHz, a simple PLL with an offset adjust and a >10x divider would allow you to pull peak power when between discrete ADC samples. This would mean the utility meter would register less consumed (real) power than you actually pulled through it. If you could pull enough power in the ~80% window between samples, the perceived power consumption would approach zero.
So with this in mind, I wanted to see how a typical power meter ADC works... what would hose us from the start would be if the meter used a delta sigma ADC, which 'continuously' streams the input into the ADC somewhere around 15MHz or so, producing a 1 bit high speed output that when averaged digitally returns the true voltage (or current) at the meter. Fortunately, no, my meter doesn't use a delta sigma ADC... it uses a SAR operating at about 1kHz. This means I only need to divide the 60Hz frequency entering the phase locked loop by at least 17 to lock to the mains frequency. Why do I need to lock to the mains frequency? Because the kWh meter uses a direct digital synthesis converter to generate its clock, which, surprise, is derived from the 60Hz mains frequency.
So with a 5 bit counter (8, actually, but set to count down continuously from 32 to 0, 32 to 0, ad infinum), we're able to generate a 1920 Hz signal that is in phase with the 60Hz mains frequency. This gives us about twice the frequency of the ADC, which means we could turn the high frequency AC:AC converter on every other clock cycle (using a flip flop). Then, by simply watching the kWh meter and placing a huge load on the other end of the AC:AC converter, we'd see one of two things: 1) The actual real power consumed by the low would register on the kWh meter (because we're in phase with the ADC) or 2) No real power would appear on the kWh meter (because our charge circuit is enabled ~180 degrees out of phase from the kWh meter's ADC... whenever the voltage ADC in the kWh meter measures the voltage, it reads the 120V, but unfortunately whenever the current ADC (which is actually measuring a voltage across a known resistance to derive the current using I=V/R) takes a measurement, it reads very close to zero amps. The AC:AC converter will stay 180 degrees out of phase because both the ADCs in the kWh meter and the digital control of the high speed MOSFETs are phase locked to the same 60 Hz reference frequency. Even if the 60Hz frequency drifts, the phase locked frequency on both downstream devices will shift accordingly, and stay out of phase.
So that's it, right? Ship it?
Well, no. First, this is highly illegal. Second, the circuit isn't optimized. We have an 8 bit counter dividing the voltage controlled oscillator return to the phase locked loop, so why not use all 8 bits (count down from 255 to 0 repeatedly)? What does this do? This makes the AC:AC converter operate at 15,360 Hz, which means we can increase the time we're pulling power while the ADC is off. Before, with the 1920Hz signal, we're only able to achieve 52.08% of our ideal load without the AC:AC converter installed (100% minus the 1000Hz ADC clock rate divided by the 1920 Hz Phase locked loop frequency. Now, with 15360 Hz, we can get 93.49% of the power we'd get without the DUT. While this isn't necessary unless you're pulling close to the rated current of your power meter, it's a freebie. One side effect is that the transformer used in the pure sine wave DC:AC inverter will be audible (because the human hearing range is ~20-20,000 Hz). So you could either 1)Not care about this or 2) get a 10 bit counter for 5 cents more and count down from 1024 instead (bringing the frequency up to ~61kHz). A power inverter operating at such a high frequency will have reduced efficiency due to the Eddy currents in the transformer, so if it were me, I'd count down from 256 and just live with the noise...
During my research, I found that my utility meter is programmable.
http://www.landisgyr.com/za/files/pdf1/MAP120_UserManual.pdf
Using the irDA port on my 1998 PowerBook G3 Pismo (I knew I'd have a use for it) and a fresh install of LabVIEW interfacing over the Palm Sync API (which accepts straight serial data, God this is easy), I was able to verify my assumption that my utility provider does not change the default password, leaving the entire meter open to my perusal. Obviously, changing anything on the meter is highly illegal, so I just looked... but it's quite simple to change the parameters. For example, one could manually set the number of consumed kWhs by changing the 64 bit 'kWh total' register.
Conceptually discussing these shortcomings is not illegal, but implementing them is... I do not condone theft, but was more interested in the proof of concept.
How could a utility company prevent this? For starters, they could use a local oscillator instead of a phase locked loop to derive the frequency. Since the ADC clock isn't referenced to the 60Hz mains frequency if the clock is generated by, say, an onboard quartz reference, it would be impossible to phase lock loop to the crystal frequency without opening up the meter. Even if you knew the exact frequency of the meter, the phase in your circuit would never match the phase of the meter, which means your power consumption would appear to alias (i.e. a constant load would appear to sinusoidally consume power as the crystal and hack circuit drifted into and out of phase with my lock).
Another option would be to use a delta sigma converter, which I mentioned previously. These converters continuously digitize the input voltage and current due to a fixed low value capacitor on the input and a high frequency oversampled clock running well into the 10s of MHz. It would be difficult to design a high power transistorized circuit to operate at the bare minimum 2x sample rate. Efficiency would be crap because FETs generate heat as they transition from on to off (due to the voltage ramping up while the current ramps down when turning on and vice versa when turning off).
Or the utility could generate a pseudorandom direct digital synthesis mechanism that randomly sampled the input.
But they don't, because they know that a EE isn't going to steal power. We work hard to route electrons... trillions at a time... from here to there.
This entire post is more of a rambling exploration than anything else.