Unable to decrypt Zigbee Shell traffic in Wireshark

Hi,

I'm using nRF Connect v2.6.2 with Wireshark (3.6) and it is set up with the nRF sniffer + Nordic network keys configured.

I can decrypt packets from another Zigbee network (Pi + SkyConnect based using the added Home Assistant network key)

I have performed a full flash erase before flashing the shell firmware on my nrf52840.

The command sequence I'm using is as follows (it is/should be re-using the Nordic example network key already configured in Wireshark):

```
bdb start
bdb factory_reset

# nRF HW reset at this point, then reconnect to the shell CLI

nvram disable
bdb nwkkey abcdef01234567890000000000000000
nvram enable

bdb role zc
bdb start
```

At this point any packets appearing in Wireshark are never decrypted.

Is anyone able to help point out what steps I have missed or am I doing wrong?

Thank you,

Wayne

  • Hi Wayne,

    Can you explain why you are starting the network, factory resetting the device, and disabling/enabling NVRAM before starting the network again?

    Are you able to decrypt the packets if you simply configure the network key, configure the device as coordinator, and then start the network?

    ```
    bdb nwkkey abcdef01234567890000000000000000
    bdb role zc
    bdb start
    ```

    Best regards,
    Marte

  • Hi,

    I've also tried setting the network key in the shell main.c hoping this would be the default key instead of any randomly assigned one:

    ```c
    #include <zephyr/kernel.h>
    #include <zephyr/logging/log.h>
    #include <zboss_api.h>

    LOG_MODULE_REGISTER(app, LOG_LEVEL_INF);

    int main(void)
    {
        LOG_INF("Starting Zigbee shell application");

        ...

        /* Same key as "bdb nwkkey abcdef01234567890000000000000000" */
        uint8_t network_key[ZB_CCM_KEY_SIZE] = {0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89,
                                                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
        /* Install it as network key index 0 */
        zb_secur_setup_nwk_key(network_key, 0);

        LOG_INF("Zigbee shell application started");

        return 0;
    }
    ```

    This doesn't work either, but it's not clear to me that this actually takes effect and is not overwritten by any other Zigbee startup code.

    All the best

    Wayne

  • Hi Marte,

    Please find attached a log of issuing a light toggle command a few times. (zcl cmd 0x7be2 1 0x0006 0x02)

    I've also tried setting the network key to that of the HomeAssistant one (the Home Assistant network is off), but it still doesn't decrypt. EDIT: Just to be clear, the key being used for the attached log is the 'Nordic Examples' key.

    Thanks

    Wayne

    toggle_light.pcapng.zip zigbee_pc_keys.zip

  • Hi Wayne,

    The sniffer log is decrypted on my side as well.

    Wayne said:
    Prior to trying out the steps you've suggested I've performed a 'recovery' and 'erase' flash but the result is the packets remain encrypted in Wireshark, log: 

    Have you tried setting the network key after performing an erase?

    I'm not sure why you can't decrypt the packets in the sniffer log. I've tested with the same commands as you, but I can't reproduce the issue. Are you starting the sniffer before the coordinator starts the network? If the sniffer is running while a device is commissioned to the network, it should be able to pick up the network key and use it to decrypt the packets regardless of the keys you have configured in Wireshark.

    Just to verify, are you using install codes?

    Best regards,
    Marte

  • Hi Marte,

    The network key is set after the erase; I have just tried a test with the sniffer running prior to my testing. I'm going to upgrade to WS 4.x to see if that makes a difference.

    What are "install codes"?

    Thanks

    Wayne

  • Hi Wayne,

    Install code is a security feature in Zigbee that allows you to configure the network so that only devices with install codes can join it. When using this, the install code and extended address of a joining device must be added to the coordinator before the device can join, and during joining, the device's install code is used to generate a unique trust center link key for the device. If you were using this, it could explain why the packets are encrypted since the sniffer would not be able to decrypt the packets of a network using install codes with just the network key.

    With Zigbee shell, you can manually enable and add install codes, but it does not seem like you are doing so, so you can just ignore my question regarding it :)

    Best regards,
    Marte

  • Hi Marte,

    Thanks for letting me know.

    Please could you also let me know which version of the nRF Connect SDK, Wireshark and the nRF MCU you are using to test?

    Thanks

    Wayne
