Reading your Electricity Meter. IEC 62056-21

Ah, I've just noticed that Dunker was pointing at his (or her) own post on Sonsivri. Since it's non-trivial to respond there, I'll ask here:

You said in your first post that you had both a Siemens S2A and an Ampy 5235. Your later examples all use the S2A. Was the password algorithm for the Ampy the same, and if not, did you work out what it is? How did you work out the algorithm for the S2A?

I could just leave something trying random(ish) responses and logging which responses work for which challenges, and eventually see if I could work out the pattern. Is that how you did it? Does the meter lock you out after a few failed attempts? And if you have a test meter to play with, can you reset the lockout period by cycling its power?

I have an Ampy 5162E and there's a cheap probe from eBay on the way, and I'm wondering if I should also get a second Ampy meter to play with... although I can't actually find any 5162Es for sale anywhere.

FWIW there are also password hints in this dump: Communication capture between application and energy meter via RS-485 (IEC62056-21) · GitHub.