CSA Certification Issues for ZBOSS 3.11.4.0 End Devices

We wanted to share our feedback as we recently went through Zigbee 3.0.1 BDB/cluster certification using the ZBOSS with our end device product. While we were ultimately able to meet the CSA's requirements for certification, we faced a large number of issues with the example use of the stack that proved to be non-certifiable, despite the ZBOSS platform being 'certification ready' for Zigbee.

Our hope is that these issues are addressed internally within the NCS + ZBOSS Zigbee components in order to reduce friction for other developers (and us, in the future) when trying to bring a Zigbee product to market with Nordic.

Immediate Post-OTA Validation (OTA Client Cluster)

The Zigbee spec lays out (11.13.9.3):

If the image fails any integrity checks, the client SHALL send an Upgrade End Request command to the
upgrade server with a status of INVALID_IMAGE. In this case, the client MAY reinitiate the upgrade
process in order to obtain a valid OTA upgrade image. The client SHALL not upgrade to the bad image and
SHALL discard the downloaded image data.

In our application, we use OTA via the NRF SDK Zigbee FOTA library with MCUboot as the underlying bootloader. Since our images are signed for MCUboot, we will always inherently reject bad images and discard them, as expected. However, the stack does not manage the INVALID_IMAGE response, which is explicitly mandated by the CSA test cases around OTA. Since MCUboot does not provide an effective pathway for user-space validation of the OTA image, the most straightforward response to this is to download the image, reset into MCUboot to confirm the image is valid, then boot back and send an INVALID_IMAGE or OK response accordingly. However, since resetting would cause a disconnect from the Zigbee network, this is hard to do in a timely fashion + it is not clear if this would actually successfully pass the CSA test cases.

Our solution for this was to implement user-space validation for MCUboot images, where we decrypt/validate the image payload from the app space, which requires importing the signing/encryption keys into the app and duplicating many of the responsibilities from MCUboot. This is not a trivial solution - ideally, we would be able to call into MCUboot from the app space in the worst case to re-use the existing validation logic, rather than repeating it from the app space. The complication involved in this flow, unless there's a better solution that we are unaware of, greatly complicates one's ability to certify the OTA client cluster with ZBOSS + NCS. 

FOTA Endpoint Restriction

The Zigbee FOTA implementation is restricted to a single endpoint, which is reserved and may only be used for the OTA client implementation. While this isn't against any spec, it does provide complication layers that we have found during product introduction. Namely, the testing software + harnesses established by the CSA are primarily designed around single-endpoint tests, and switching endpoints for OTA tests versus product functional tests proved to be a complicated communication barrier between our engineers + the test lab. Further, our Zigbee controller partners in the industry have provided us direct feedback that the multiple endpoint design for OTA is causing customers to have slower experiences during pairing / discovery of our Zigbee device, due to the additional endpoint discovery required.

This is a limitation explicitly called out in the documentation, but it isn't extremely transparent to end device developers, so we thought it was important to highlight since there were noticable caveats that arose during product certification and field trial. We will likely overcome this limitation by patching the FOTA system to enable better access to the FOTA endpoint.

Resetting Attribute State on Leave

The Zigbee BDB 3.0.1 spec defines (9.4):

Zigbee-PRO provides an Mgmt_Leave_req ZDO command which is designed to request that a remote node leaves the network by clearing all Zigbee persistent data (see sub-clause 6.9), except the outgoing NWK frame counter, and perform a reset such that the node is in much the same state as it was when it left the factory.

In our findings, a leave request does not trigger a wipe of persistent data, because some amount of data is cached in memory. While NVRAM writes are performed to wipe the network / attribute state as expected, and the network disconnects immediately, attribute state is still generally preserved in memory, allowing those values to carry over to a new network if the device is re-paired without power cycling. This causes the device to explicitly fail CSA's test suite, which specifically tests configuring a reporting interval on an attribute, sending a leave request, re-pairing, and testing to ensure the reporting interval is the default value, not the one previously configured. The sample applications handling the ZB_ZDO_SIGNAL_LEAVE signal do not demonstrate any need to reboot the system, causing the device to fail the CSA test cases (the default signal handler merely starts joining a new network upon leaving, without any reset).

Our workaround for this issue was simply to trigger a full factory reset + power cycle the DUT when we receive the appropriate leave signal (Mgmt_Leave_req with rejoin = false).

NWK_addr_req Extended Response

When configured as an end device, it seems that calls to NWK_addr_req with RequestType = Extended Response flag set are not well-handled. The specification does not clearly indicate the defined behavior when handling this request as an end device, only for coordinators and routers, in section 2.4.3.1.1.2:

If the RequestType was Extended response and the Remote Device is either the ZigBee coordinator or router, a NWK_addr_resp command shall be generated and sent back ...

As such, the expected behavior to respond to this command in this instance is not clear. However, we found that the CSA test cases test this behavior (end device receiving NWK_addr_req with extended request set) and failed our DUT. Seemingly, the stack behavior is to respond to NWK_addr_req with RequestType=Extended in the same way that it would respond if RequestType=Single Device, rather than throwing an error for an unsupported argument or otherwise handling the behavior. This caused an error in the CSA test executor as it tried to unpack a shortened, single device response as a longer, extended response, where the test was really not expecting a response in the first place. I am not clear if this is an explicit issue with the ZBOSS implementation, or a short-sided mistake in the test development from the CSA's perspective, but in any case, it did not pass this test and we had to receive a special exemption from the CSA to allow certifying this result. Since this behavior is contained within the ZBOSS stack, we did not have much surface area for a possible resolution on our side.

Access to standard ZBOSS PICS descriptors

One of the requirements for filing CSA certification is a collection of PICS files that describes fundamental behavior of the product + its networking behavior. While some of these aspects are user-controlled (e.g. which + how much of a cluster was implemented), some of the PICS files (especially the BDB 3.0.1 definition) rely on a lot of information that is internal to the ZBOSS stack and not user-facing. While many of the required PICS questions can be answered with testing + analysis of the Zigbee stack, we would expect that the NCS + ZBOSS certifiable implementation would provide basic information of the stack internals to fill out the PICS requirements plainly. We have found that other chipset manufacturers have provided detailed information about what PICS need to be filled out, and how to fill it out respective to their stack implementations. This can greatly reduce the amount of noise involved in approaching certification, since many of the nuanced questions are transferrable ZBOSS details that apply in all cases of implementation.

The issues listed above caused great friction with our test lab + with the CSA certification process, which was unexpected during final development and complicated our product timelines. Many of these issues are subtle and hard to catch until final certification is happening, which makes them especially poignant during the development process with ZBOSS.

Parents
  • Hi,

    Thank you for reporting this. I will look into it and get back to you by the end of the week.

    Best regards,
    Marte

  • Hi,

    The Zigbee team is still looking into your concerns, but I have feedback on a couple of them.

    NWK_addr_req Extended Response

    We are using tests provided by DSR and test towards the specification, so our devices should follow the specifications set by CSA.

    Access to standard ZBOSS PICS descriptors

    The ZBOSS PICS are available to download on CSA's webpage, where our SoCs are listed:

    If you or any customers have issues completing certification, we recommend creating a ticket on DevZone or contacting your local sales representative from Nordic Semiconductor.

    Best regards,
    Marte

  • Hi,

    Thank you for providing the information and logs!

    I have forwarded it internally, and I will let you know if I have more questions or any updates.

    Best regards,
    Marte

  • Hi,

    Do you have any sniffer logs from test FB-PRE-TC-02 that you can share?

    Best regards,
    Marte

  • Hi Marte,

    I just took a capture now + attached the dissection below.

    Note in the capture the first packet which performs a nwk_addr_req with extended flag set, and receives a 20 byte response, only containing the status, IEEEaddr, NWKaddr fields, omitting NumAssocDev and StartIndex. The second request (third packet) is a nwk_addr_req without the extended flag set, which yields the same result.

    The specification states that

    If the RequestType in the request is Extended Response and there are no associated devices on the Remote Device, this field SHALL be set to 0. 

    Since the initial request type is extended, the CSA tests appear to expect this byte to at least be included and set to zero to properly parse the message, otherwise the test fails. Whether that is an issue with the ZBOSS stack or with CSA's expectations in their testing, I am not sure however. Regardless, it is an official CSA test that will inhibit certification until the discrepancy is resolved between ZBOSS + the CSA tests.

    No.     Time           Source                Destination           Protocol Length Info
        207 120.563806     0xc794                0xcbb4                ZigBee ZDP 54     Network Address Request, Address: NordicSe_73:08:0d:0f:c0
    
    Frame 207: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface /dev/ttyACM1, id 0
        Interface id: 0 (/dev/ttyACM1)
            Interface name: /dev/ttyACM1
            Interface description: nRF Sniffer for 802.15.4
        Encapsulation type: IEEE 802.15.4 Wireless PAN with FCS not present (127)
        Arrival Time: Sep 26, 2024 18:29:02.823426000 UTC
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1727375342.823426000 seconds
        [Time delta from previous captured frame: 0.001271000 seconds]
        [Time delta from previous displayed frame: 0.000000000 seconds]
        [Time since reference or first frame: 120.563806000 seconds]
        Frame Number: 207
        Frame Length: 54 bytes (432 bits)
        Capture Length: 54 bytes (432 bits)
        [Frame is marked: True]
        [Frame is ignored: False]
        [Protocols in frame: wpan:zbee_nwk:zbee_aps:zbee_zdp]
    IEEE 802.15.4 Data, Dst: 0xcbb4, Src: 0xc794
        Frame Control Field: 0x8861, Frame Type: Data, Acknowledge Request, PAN ID Compression, Destination Addressing Mode: Short/16-bit, Frame Version: IEEE Std 802.15.4-2003, Source Addressing Mode: Short/16-bit
            .... .... .... .001 = Frame Type: Data (0x1)
            .... .... .... 0... = Security Enabled: False
            .... .... ...0 .... = Frame Pending: False
            .... .... ..1. .... = Acknowledge Request: True
            .... .... .1.. .... = PAN ID Compression: True
            .... .... 0... .... = Reserved: False
            .... ...0 .... .... = Sequence Number Suppression: False
            .... ..0. .... .... = Information Elements Present: False
            .... 10.. .... .... = Destination Addressing Mode: Short/16-bit (0x2)
            ..00 .... .... .... = Frame Version: IEEE Std 802.15.4-2003 (0)
            10.. .... .... .... = Source Addressing Mode: Short/16-bit (0x2)
        Sequence Number: 39
        Destination PAN: 0xaabb
        Destination: 0xcbb4
        Source: 0xc794
        [Extended Source: SiliconL_ff:fe:32:29:3d (50:32:5f:ff:fe:32:29:3d)]
        [Origin: 115]
    ZigBee Network Layer Data, Dst: 0xcbb4, Src: 0xc794
        Frame Control Field: 0x0208, Frame Type: Data, Discover Route: Suppress, Security Data
            .... .... .... ..00 = Frame Type: Data (0x0)
            .... .... ..00 10.. = Protocol Version: 2
            .... .... 00.. .... = Discover Route: Suppress (0x0)
            .... ...0 .... .... = Multicast: False
            .... ..1. .... .... = Security: True
            .... .0.. .... .... = Source Route: False
            .... 0... .... .... = Destination: False
            ...0 .... .... .... = Extended Source: False
            ..0. .... .... .... = End Device Initiator: False
        Destination: 0xcbb4
        Source: 0xc794
        Radius: 30
        Sequence Number: 91
        [Extended Source: SiliconL_ff:fe:32:29:3d (50:32:5f:ff:fe:32:29:3d)]
        [Origin: 115]
        ZigBee Security Header
            Security Control Field: 0x28, Key Id: Network Key, Extended Nonce
                ...0 1... = Key Id: Network Key (0x1)
                ..1. .... = Extended Nonce: True
            Frame Counter: 606224
            Extended Source: SiliconL_ff:fe:32:29:3d (50:32:5f:ff:fe:32:29:3d)
            Key Sequence Number: 0
            Message Integrity Code: 73a29484
            [Key: 85acabc02f7ede90dae3d8455ecf80d1]
            [Key Label: ]
    ZigBee Application Support Layer Data, Dst Endpt: 0, Src Endpt: 0
        Frame Control Field: Data (0x40)
            .... ..00 = Frame Type: Data (0x0)
            .... 00.. = Delivery Mode: Unicast (0x0)
            ..0. .... = Security: False
            .1.. .... = Acknowledgement Request: True
            0... .... = Extended Header: False
        Destination Endpoint: 0
        Network Address Request (Cluster ID: 0x0000)
        Profile: ZigBee Device Profile (0x0000)
        Source Endpoint: 0
        Counter: 255
    ZigBee Device Profile, Network Address Request, Address: NordicSe_73:08:0d:0f:c0
        Sequence Number: 2
        Extended Address: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)
        Request Type: Extended Response (1)
        Index: 0
    
    Frame (54 bytes):
    0000  61 88 27 bb aa b4 cb 94 c7 08 02 b4 cb 94 c7 1e   a.'.............
    0010  5b 28 10 40 09 00 3d 29 32 fe ff 5f 32 50 00 95   [(.@..=)2.._2P..
    0020  4e a9 98 13 9f 0e 10 27 cb f7 d8 0d 68 21 9d 65   N......'....h!.e
    0030  0e c1 73 a2 94 84                                 ..s...
    Decrypted ZigBee Payload (19 bytes):
    0000  40 00 00 00 00 00 00 ff 02 c0 0f 0d 08 73 36 ce   @............s6.
    0010  f4 01 00                                          ...
    
    No.     Time           Source                Destination           Protocol Length Info
        211 120.576539     0xcbb4                0xc794                ZigBee ZDP 71     Network Address Response, Status: Success, Address: NordicSe_73:08:0d:0f:c0 = 0xcbb4
    
    Frame 211: 71 bytes on wire (568 bits), 71 bytes captured (568 bits) on interface /dev/ttyACM1, id 0
        Interface id: 0 (/dev/ttyACM1)
            Interface name: /dev/ttyACM1
            Interface description: nRF Sniffer for 802.15.4
        Encapsulation type: IEEE 802.15.4 Wireless PAN with FCS not present (127)
        Arrival Time: Sep 26, 2024 18:29:02.836159000 UTC
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1727375342.836159000 seconds
        [Time delta from previous captured frame: 0.002732000 seconds]
        [Time delta from previous displayed frame: 0.012733000 seconds]
        [Time since reference or first frame: 120.576539000 seconds]
        Frame Number: 211
        Frame Length: 71 bytes (568 bits)
        Capture Length: 71 bytes (568 bits)
        [Frame is marked: True]
        [Frame is ignored: False]
        [Protocols in frame: wpan:zbee_nwk:zbee_aps:zbee_zdp]
    IEEE 802.15.4 Data, Dst: 0xc794, Src: 0xcbb4
        Frame Control Field: 0x8861, Frame Type: Data, Acknowledge Request, PAN ID Compression, Destination Addressing Mode: Short/16-bit, Frame Version: IEEE Std 802.15.4-2003, Source Addressing Mode: Short/16-bit
            .... .... .... .001 = Frame Type: Data (0x1)
            .... .... .... 0... = Security Enabled: False
            .... .... ...0 .... = Frame Pending: False
            .... .... ..1. .... = Acknowledge Request: True
            .... .... .1.. .... = PAN ID Compression: True
            .... .... 0... .... = Reserved: False
            .... ...0 .... .... = Sequence Number Suppression: False
            .... ..0. .... .... = Information Elements Present: False
            .... 10.. .... .... = Destination Addressing Mode: Short/16-bit (0x2)
            ..00 .... .... .... = Frame Version: IEEE Std 802.15.4-2003 (0)
            10.. .... .... .... = Source Addressing Mode: Short/16-bit (0x2)
        Sequence Number: 121
        Destination PAN: 0xaabb
        Destination: 0xc794
        Source: 0xcbb4
        [Extended Source: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)]
        [Origin: 165]
    ZigBee Network Layer Data, Dst: 0xc794, Src: 0xcbb4
        Frame Control Field: 0x3a48, Frame Type: Data, Discover Route: Enable, Security, Destination, Extended Source, End Device Initiator Data
            .... .... .... ..00 = Frame Type: Data (0x0)
            .... .... ..00 10.. = Protocol Version: 2
            .... .... 01.. .... = Discover Route: Enable (0x1)
            .... ...0 .... .... = Multicast: False
            .... ..1. .... .... = Security: True
            .... .0.. .... .... = Source Route: False
            .... 1... .... .... = Destination: True
            ...1 .... .... .... = Extended Source: True
            ..1. .... .... .... = End Device Initiator: True
        Destination: 0xc794
        Source: 0xcbb4
        Radius: 30
        Sequence Number: 6
        Destination: SiliconL_ff:fe:32:29:3d (50:32:5f:ff:fe:32:29:3d)
        Extended Source: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)
        ZigBee Security Header
            Security Control Field: 0x28, Key Id: Network Key, Extended Nonce
                ...0 1... = Key Id: Network Key (0x1)
                ..1. .... = Extended Nonce: True
            Frame Counter: 6
            Extended Source: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)
            Key Sequence Number: 0
            Message Integrity Code: a846c4dd
            [Key: 85acabc02f7ede90dae3d8455ecf80d1]
            [Key Label: ]
    ZigBee Application Support Layer Data, Dst Endpt: 0, Src Endpt: 0
        Frame Control Field: Data (0x40)
            .... ..00 = Frame Type: Data (0x0)
            .... 00.. = Delivery Mode: Unicast (0x0)
            ..0. .... = Security: False
            .1.. .... = Acknowledgement Request: True
            0... .... = Extended Header: False
        Destination Endpoint: 0
        Network Address Response (Cluster ID: 0x8000)
        Profile: ZigBee Device Profile (0x0000)
        Source Endpoint: 0
        Counter: 246
    ZigBee Device Profile, Network Address Response, Status: Success, Address: NordicSe_73:08:0d:0f:c0 = 0xcbb4
        Sequence Number: 2
        Status: Success (0)
        Extended Address: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)
        Nwk Addr of Interest: 0xcbb4
    
    Frame (71 bytes):
    0000  61 88 79 bb aa 94 c7 b4 cb 48 3a 94 c7 b4 cb 1e   a.y......H:.....
    0010  06 3d 29 32 fe ff 5f 32 50 c0 0f 0d 08 73 36 ce   .=)2.._2P....s6.
    0020  f4 28 06 00 00 00 c0 0f 0d 08 73 36 ce f4 00 65   .(........s6...e
    0030  f7 f5 da 19 98 dc 06 d2 fb 8e 15 c0 9d 39 db c7   .............9..
    0040  36 a2 26 a8 46 c4 dd                              6.&.F..
    Decrypted ZigBee Payload (20 bytes):
    0000  40 00 00 80 00 00 00 f6 02 00 c0 0f 0d 08 73 36   @.............s6
    0010  ce f4 b4 cb                                       ....
    
    No.     Time           Source                Destination           Protocol Length Info
        383 189.785082     0xc794                0xcbb4                ZigBee ZDP 48     Extended Address Request, Nwk Addr: 0xcbb4
    
    Frame 383: 48 bytes on wire (384 bits), 48 bytes captured (384 bits) on interface /dev/ttyACM1, id 0
        Interface id: 0 (/dev/ttyACM1)
            Interface name: /dev/ttyACM1
            Interface description: nRF Sniffer for 802.15.4
        Encapsulation type: IEEE 802.15.4 Wireless PAN with FCS not present (127)
        Arrival Time: Sep 26, 2024 18:30:12.044702000 UTC
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1727375412.044702000 seconds
        [Time delta from previous captured frame: 0.003604000 seconds]
        [Time delta from previous displayed frame: 69.208543000 seconds]
        [Time since reference or first frame: 189.785082000 seconds]
        Frame Number: 383
        Frame Length: 48 bytes (384 bits)
        Capture Length: 48 bytes (384 bits)
        [Frame is marked: True]
        [Frame is ignored: False]
        [Protocols in frame: wpan:zbee_nwk:zbee_aps:zbee_zdp]
    IEEE 802.15.4 Data, Dst: 0xcbb4, Src: 0xc794
        Frame Control Field: 0x8861, Frame Type: Data, Acknowledge Request, PAN ID Compression, Destination Addressing Mode: Short/16-bit, Frame Version: IEEE Std 802.15.4-2003, Source Addressing Mode: Short/16-bit
            .... .... .... .001 = Frame Type: Data (0x1)
            .... .... .... 0... = Security Enabled: False
            .... .... ...0 .... = Frame Pending: False
            .... .... ..1. .... = Acknowledge Request: True
            .... .... .1.. .... = PAN ID Compression: True
            .... .... 0... .... = Reserved: False
            .... ...0 .... .... = Sequence Number Suppression: False
            .... ..0. .... .... = Information Elements Present: False
            .... 10.. .... .... = Destination Addressing Mode: Short/16-bit (0x2)
            ..00 .... .... .... = Frame Version: IEEE Std 802.15.4-2003 (0)
            10.. .... .... .... = Source Addressing Mode: Short/16-bit (0x2)
        Sequence Number: 62
        Destination PAN: 0xaabb
        Destination: 0xcbb4
        Source: 0xc794
        [Extended Source: SiliconL_ff:fe:32:29:3d (50:32:5f:ff:fe:32:29:3d)]
        [Origin: 115]
    ZigBee Network Layer Data, Dst: 0xcbb4, Src: 0xc794
        Frame Control Field: 0x0208, Frame Type: Data, Discover Route: Suppress, Security Data
            .... .... .... ..00 = Frame Type: Data (0x0)
            .... .... ..00 10.. = Protocol Version: 2
            .... .... 00.. .... = Discover Route: Suppress (0x0)
            .... ...0 .... .... = Multicast: False
            .... ..1. .... .... = Security: True
            .... .0.. .... .... = Source Route: False
            .... 0... .... .... = Destination: False
            ...0 .... .... .... = Extended Source: False
            ..0. .... .... .... = End Device Initiator: False
        Destination: 0xcbb4
        Source: 0xc794
        Radius: 30
        Sequence Number: 111
        [Extended Source: SiliconL_ff:fe:32:29:3d (50:32:5f:ff:fe:32:29:3d)]
        [Origin: 115]
        ZigBee Security Header
            Security Control Field: 0x28, Key Id: Network Key, Extended Nonce
                ...0 1... = Key Id: Network Key (0x1)
                ..1. .... = Extended Nonce: True
            Frame Counter: 606247
            Extended Source: SiliconL_ff:fe:32:29:3d (50:32:5f:ff:fe:32:29:3d)
            Key Sequence Number: 0
            Message Integrity Code: 52981794
            [Key: 85acabc02f7ede90dae3d8455ecf80d1]
            [Key Label: ]
    ZigBee Application Support Layer Data, Dst Endpt: 0, Src Endpt: 0
        Frame Control Field: Data (0x40)
            .... ..00 = Frame Type: Data (0x0)
            .... 00.. = Delivery Mode: Unicast (0x0)
            ..0. .... = Security: False
            .1.. .... = Acknowledgement Request: True
            0... .... = Extended Header: False
        Destination Endpoint: 0
        Extended Address Request (Cluster ID: 0x0001)
        Profile: ZigBee Device Profile (0x0000)
        Source Endpoint: 0
        Counter: 5
    ZigBee Device Profile, Extended Address Request, Nwk Addr: 0xcbb4
        Sequence Number: 7
        Nwk Addr of Interest: 0xcbb4
        Request Type: Single Device Response (0)
        Index: 0
    
    Frame (48 bytes):
    0000  61 88 3e bb aa b4 cb 94 c7 08 02 b4 cb 94 c7 1e   a.>.............
    0010  6f 28 27 40 09 00 3d 29 32 fe ff 5f 32 50 00 de   o('@..=)2.._2P..
    0020  ea 89 60 52 a9 d3 e6 66 08 45 3c de 52 98 17 94   ..`R...f.E<.R...
    Decrypted ZigBee Payload (13 bytes):
    0000  40 00 01 00 00 00 00 05 07 b4 cb 00 00            @............
    
    No.     Time           Source                Destination           Protocol Length Info
        387 189.798560     0xcbb4                0xc794                ZigBee ZDP 71     Extended Address Response, Status: Success, Nwk Addr: 0xcbb4 = NordicSe_73:08:0d:0f:c0
    
    Frame 387: 71 bytes on wire (568 bits), 71 bytes captured (568 bits) on interface /dev/ttyACM1, id 0
        Interface id: 0 (/dev/ttyACM1)
            Interface name: /dev/ttyACM1
            Interface description: nRF Sniffer for 802.15.4
        Encapsulation type: IEEE 802.15.4 Wireless PAN with FCS not present (127)
        Arrival Time: Sep 26, 2024 18:30:12.058180000 UTC
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1727375412.058180000 seconds
        [Time delta from previous captured frame: 0.003709000 seconds]
        [Time delta from previous displayed frame: 0.013478000 seconds]
        [Time since reference or first frame: 189.798560000 seconds]
        Frame Number: 387
        Frame Length: 71 bytes (568 bits)
        Capture Length: 71 bytes (568 bits)
        [Frame is marked: True]
        [Frame is ignored: False]
        [Protocols in frame: wpan:zbee_nwk:zbee_aps:zbee_zdp]
    IEEE 802.15.4 Data, Dst: 0xc794, Src: 0xcbb4
        Frame Control Field: 0x8861, Frame Type: Data, Acknowledge Request, PAN ID Compression, Destination Addressing Mode: Short/16-bit, Frame Version: IEEE Std 802.15.4-2003, Source Addressing Mode: Short/16-bit
            .... .... .... .001 = Frame Type: Data (0x1)
            .... .... .... 0... = Security Enabled: False
            .... .... ...0 .... = Frame Pending: False
            .... .... ..1. .... = Acknowledge Request: True
            .... .... .1.. .... = PAN ID Compression: True
            .... .... 0... .... = Reserved: False
            .... ...0 .... .... = Sequence Number Suppression: False
            .... ..0. .... .... = Information Elements Present: False
            .... 10.. .... .... = Destination Addressing Mode: Short/16-bit (0x2)
            ..00 .... .... .... = Frame Version: IEEE Std 802.15.4-2003 (0)
            10.. .... .... .... = Source Addressing Mode: Short/16-bit (0x2)
        Sequence Number: 160
        Destination PAN: 0xaabb
        Destination: 0xc794
        Source: 0xcbb4
        [Extended Source: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)]
        [Origin: 165]
    ZigBee Network Layer Data, Dst: 0xc794, Src: 0xcbb4
        Frame Control Field: 0x3a48, Frame Type: Data, Discover Route: Enable, Security, Destination, Extended Source, End Device Initiator Data
            .... .... .... ..00 = Frame Type: Data (0x0)
            .... .... ..00 10.. = Protocol Version: 2
            .... .... 01.. .... = Discover Route: Enable (0x1)
            .... ...0 .... .... = Multicast: False
            .... ..1. .... .... = Security: True
            .... .0.. .... .... = Source Route: False
            .... 1... .... .... = Destination: True
            ...1 .... .... .... = Extended Source: True
            ..1. .... .... .... = End Device Initiator: True
        Destination: 0xc794
        Source: 0xcbb4
        Radius: 30
        Sequence Number: 14
        Destination: SiliconL_ff:fe:32:29:3d (50:32:5f:ff:fe:32:29:3d)
        Extended Source: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)
        ZigBee Security Header
            Security Control Field: 0x28, Key Id: Network Key, Extended Nonce
                ...0 1... = Key Id: Network Key (0x1)
                ..1. .... = Extended Nonce: True
            Frame Counter: 14
            Extended Source: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)
            Key Sequence Number: 0
            Message Integrity Code: 09a4e49d
            [Key: 85acabc02f7ede90dae3d8455ecf80d1]
            [Key Label: ]
    ZigBee Application Support Layer Data, Dst Endpt: 0, Src Endpt: 0
        Frame Control Field: Data (0x40)
            .... ..00 = Frame Type: Data (0x0)
            .... 00.. = Delivery Mode: Unicast (0x0)
            ..0. .... = Security: False
            .1.. .... = Acknowledgement Request: True
            0... .... = Extended Header: False
        Destination Endpoint: 0
        Extended Address Response (Cluster ID: 0x8001)
        Profile: ZigBee Device Profile (0x0000)
        Source Endpoint: 0
        Counter: 250
    ZigBee Device Profile, Extended Address Response, Status: Success, Nwk Addr: 0xcbb4 = NordicSe_73:08:0d:0f:c0
        Sequence Number: 7
        Status: Success (0)
        Extended Address: NordicSe_73:08:0d:0f:c0 (f4:ce:36:73:08:0d:0f:c0)
        Nwk Addr of Interest: 0xcbb4
    
    Frame (71 bytes):
    0000  61 88 a0 bb aa 94 c7 b4 cb 48 3a 94 c7 b4 cb 1e   a........H:.....
    0010  0e 3d 29 32 fe ff 5f 32 50 c0 0f 0d 08 73 36 ce   .=)2.._2P....s6.
    0020  f4 28 0e 00 00 00 c0 0f 0d 08 73 36 ce f4 00 c0   .(........s6....
    0030  25 fe d8 75 95 81 47 9c d1 bf 0d 33 6d 41 46 60   %..u..G....3mAF`
    0040  30 dc 20 09 a4 e4 9d                              0. ....
    Decrypted ZigBee Payload (20 bytes):
    0000  40 00 01 80 00 00 00 fa 07 00 c0 0f 0d 08 73 36   @.............s6
    0010  ce f4 b4 cb                                       ....
    

  • Hi,

    Can you upload the capture as a pcap file?

    Best regards,
    Marte

  • Hi Marte,

    Sorry for the delay - I missed this message. I've attached the pcap file for the trace I previously sent. The ZB encryption key is `85acabc02f7ede90dae3d8455ecf80d1` as previously shared.

    zboss-nwk_addr_req-bug.pcap

Reply Children
Related