Unable to decrypt Zigbee Shell traffic in Wireshark

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Wayne — Thu, 16 May 2024 06:43:39 GMT

Hi Marte,

Thanks for your help, I'm able to see decrypted packets.

All the best

Wayne

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Marte Myrvold — Mon, 13 May 2024 07:17:20 GMT

Hi Wayne,

I tested with nRF Connect SDK v2.6.1, Wireshark v4.2.4 on Ubuntu 22.04, and nRF52840 DK.

Best regards,
Marte

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Wayne — Wed, 08 May 2024 14:51:05 GMT

Hi Marte,

Thanks for letting know.

Please could you also let me know which version of: the nRF Connect SDK, Wireshark and the nRF MCU you are using to test please ?

Thanks

Wayne

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Marte Myrvold — Wed, 08 May 2024 13:30:36 GMT

Hi Wayne,

Install code is a security feature in Zigbee that allows you to configure the network so that only devices with install codes can join it. When using this, the install code and extended address of a joining device must be added to the coordinator before the device can join, and during joining, the device's install code is used to generate a unique trust center link key for the device. If you were using this, it could explain why the packets are encrypted since the sniffer would not be able to decrypt the packets of a network using install codes with just the network key.

With Zigbee shell, you can manually enable and add install codes, but it does not seem like you are doing so, so you can just ignore my question regarding it 🙂

Best regards,
Marte

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Wayne — Tue, 07 May 2024 14:14:04 GMT

Hi Marte,

The network key is set after the erase, I have just tried a test with the sniffer running prior to my testing. I'm going to upgrade to WS 4.x to see if that makes a difference.

What are "install codes"?

Thanks

Wayne

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Marte Myrvold — Tue, 07 May 2024 14:08:12 GMT

Hi Wayne,

The sniffer log is decrypted on my side as well.

[quote user="waynek"]Prior to trying out the steps you've suggested I've performed a 'recovery' and 'erase' flash but the result is the packets remain encrypted in Wireshark, log: [/quote]

Have you tried setting the network key after performing an erase?

I'm not sure why you can't decrypt the packets in the sniffer log. I've tested with the same commands as you, but I can't reproduce the issue. Are you starting the sniffer before the coordinator starts the network? If the sniffer is running while a device is commissioned to the network, it should be able to pick up the network key and use it to decrypt the packets regardless of the keys you have configured in Wireshark.

Just to verify, are you using install codes?

Best regards,
Marte

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Wayne — Tue, 07 May 2024 11:28:46 GMT

Hi Marte,

Please find attached a log of issuing a light toggle command a few times. (zcl cmd 0x7be2 1 0x0006 0x02)

I've also tried setting the network key to that of the HomeAssistant one (the Home Assistant network is off), but it still doesn't decrypt. EDIT: Just to be clear the key being used for the attached log is the 'Nordic Examples' key.

Thanks

Wayne

devzone.nordicsemi.com/.../toggle_5F00_light.pcapng.zip devzone.nordicsemi.com/.../zigbee_5F00_pc_5F00_keys.zip

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Marte Myrvold — Tue, 07 May 2024 11:12:33 GMT

Hi Wayne,

Can you upload your sniffer log here as a pcap file, as well as a screenshot of your pre-configured keys in Wireshark?

Best regards,
Marte

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Wayne — Tue, 07 May 2024 10:33:19 GMT

Hi,

I've also tried setting the network key in the shell main.c hoping this would be the default key instead of any randomly assigned one:

int main(void)

{

LOG_INF("Starting Zigbee shell application");

...

 uint8_t network_key[ZB_CCM_KEY_SIZE] = {0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

zb_secur_setup_nwk_key(network_key,0);

LOG_INF("Zigbee shell application started");

return 0;

}

Although this doesn't work either, but it's not clear to me that this actually takes effect and is not overwritten by any other zigbee startup code.

All the best

Wayne

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Wayne — Tue, 07 May 2024 09:48:03 GMT

Hi Marte,

The factory reset and nvram commands are there because I wanted a standalone end-to-end test case, as I was getting:

```

uart:~$ bdb nwkkey abcdef01234567890000000000000000
Zigbee stack has been configured in the past.
Please disable NVRAM to change the preconfigured network key.
Error: Can't change NWK key - NVRAM not empty

```

and also

```

uart:~$ nvram disable

Error: Stack already started

```

So wanted the NVRAM to be cleared without having to erase the entire flash every time I ran a test.

Prior to trying out the steps you've suggested I've performed a 'recovery' and 'erase' flash but the result is the packets remain encrypted in Wireshark, log:

```

*** Booting nRF Connect SDK v3.5.99-ncs1-1 ***
[00:00:00.014,739] <inf> app: Starting Zigbee shell application
[00:00:00.014,984] <inf> app: Zigbee shell application started
uart:~$ bdb nwkkey abcdef01234567890000000000000000
Done
uart:~$ bdb role zc
Zigbee shell does not erase the NVRAM between reboots, but is not aware of the previously configured role.
Remember to set the coordinator role after rebooting the device.
Coordinator set
Done
uart:~$ bdb start
Started coordinator
Done
[00:00:07.212,860] <inf> zigbee_app_utils: Production configuration is not present or invalid (status: -1)
[00:00:07.213,409] <inf> zigbee_app_utils: Zigbee stack initialized
[00:00:07.219,604] <inf> zigbee_app_utils: Device started for the first time
[00:00:07.219,635] <inf> zigbee_app_utils: Start network formation
[00:00:07.755,767] <inf> zigbee_app_utils: Unimplemented signal (signal: 54, status: 0)
[00:00:07.758,148] <inf> zigbee_app_utils: Network formed successfully, start network steering (Extended PAN ID: f4ce363f302b9946, PAN ID: 0x8e64)
[00:00:08.221,771] <inf> zigbee_app_utils: Unimplemented signal (signal: 54, status: 0)
[00:00:08.224,761] <inf> zigbee_app_utils: Joined network successfully (Extended PAN ID: f4ce363f302b9946, PAN ID: 0x8e64)

```

Thanks

Wayne

RE: Unable to decrypt Zigbee Shell traffic in Wireshark

Marte Myrvold — Tue, 07 May 2024 09:31:03 GMT

Hi Wayne,

Can you explain why you are starting the network, factory resetting the device, and disabling/enabling NVRAM before starting the network again?

Are you able to decrypt the packets if you simply configure the network key, configure the device as coordinator, and then start the network?

bdb nwkkey abcdef01234567890000000000000000
bdb role zc
bdb start

Best regards,
Marte