
[nRF52840 + zigbee] About install codes

Hi,

I will add the "installation codes" feature.

I guess that the security API does work.

At the coordinator side: the zb_secur_ic_add and zb_set_installcode_policy functions.

At the end device side: the zb_secur_ic_set and zb_set_installcode_policy functions.

Questions

1. Is my understanding correct?

2. On a Zigbee router, how can I activate installation codes?

(Shall the router call zb_secur_ic_add or not?)

3. Do the zb_secur_ic_add and zb_secur_ic_set functions save the installation information into flash?

4. Where can I find examples using security features?

Thanks.

  • Hi.

    You can take a look at how installation codes are used in the CLI, you can find the code in the SDK under components\zigbee\cli\zigbee_cli_cmd_bdb.c.

    /** @brief Set install code on the device, add information about the install code
     *  on the trust center, set the trust center install code policy.
     *
     * @code
     * bdb ic add <h:install code> <h:eui64>
     * bdb ic set <h:install code>
     * bdb ic policy <enable|disable>
     * @endcode
     *
     * @pre Setting and defining policy only before @ref start "bdb start".
     * Adding only after @ref start "bdb start".
     * 
     * <tt>bdb ic set</tt> must only be used on a joining device.
     *
     * <tt>bdb ic add</tt> must only be used on a coordinator.
     *
     * <tt>bdb ic policy</tt> must only be used on a coordinator.
     *
     * Provide the install code as an ASCII-encoded hex including CRC16.
     *
     * For production devices, an install code must be installed by the production
     * configuration present in flash.
     *
     *
     * Example:
     * @code
     * > bdb ic add 83FED3407A939723A5C639B26916D505C3B5 0B010E2F79E9DBFA
     * Done
     * @endcode
     */
    static void cmd_zb_install_code(nrf_cli_t const * p_cli, size_t argc, char **argv)
    {
        const char *   p_err_msg = NULL;
        zb_ieee_addr_t addr;
        zb_uint8_t     ic[ZB_CCM_KEY_SIZE + 2]; // +2 for CRC16
    
        if (nrf_cli_help_requested(p_cli) || (argc == 1))
        {
            print_usage(p_cli, argv[0],
                        "ic - set or add install code. Enable IC policy.\r\n"
                        "ic set <h:install code> - set the ic code to <install_code>\r\n"
                        "ic add <h:install code> <h:eui64> - add ic for device with given eui64\r\n"
                        "ic policy - set Trust Center install code policy");
            return;
        }
    
        if ((argc == 2) && (strcmp(argv[0], "set") == 0))
        {
            if (!parse_hex_str(argv[1], ic, 2*sizeof(ic), false))
            {
                p_err_msg = "Failed to parse IC";
                goto exit;
            }
    
            if (zb_secur_ic_set(ic) != RET_OK)
            {
                p_err_msg = "Failed to set IC";
                goto exit;
            }
        }
        else if ((argc == 3) && (strcmp(argv[0], "add") == 0))
        {
            if (!parse_hex_str(argv[1], ic, 2*sizeof(ic), false))
            {
                p_err_msg = "Failed to parse IC";
                goto exit;
            }
    
            if (!parse_long_address(argv[2], addr))
            {
                p_err_msg = "Failed to parse eui64";
                goto exit;
            }
    
            if (zb_secur_ic_add(addr, ic) != RET_OK)
            {
                p_err_msg = "Failed to add IC";
                goto exit;
            }
        }
        else if ((argc == 2) && (strcmp(argv[0], "policy") == 0))
        {
            if (strcmp(argv[1], "enable") == 0)
            {
                zb_set_installcode_policy(ZB_TRUE);
            }
            else if (strcmp(argv[1], "disable") == 0)
            {
                zb_set_installcode_policy(ZB_FALSE);
            }
            else
            {
                p_err_msg = "Syntax error";
                goto exit;
            }
        }
        else
        {
            p_err_msg = "Syntax error";
        }
    
    exit:
        if (p_err_msg)
        {
            print_error(p_cli, p_err_msg);
        }
        else
        {
            print_done(p_cli, ZB_FALSE);
        }
    }

    You have to run zb_secur_ic_set at the client side (the side without TC) and you have to run zb_secur_ic_add at the ZC (the side with TC).

    Best regards,

    Andreas
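
An added example, not part of the SDK or of the reply above: a stand-alone check of an install code string in the format the CLI help asks for (ASCII hex including CRC16) before it is handed to zb_secur_ic_set or zb_secur_ic_add. It assumes the 16-byte code plus 2-byte CRC shown in the reply's `bdb ic add` example and the CRC-16/X-25 algorithm with the CRC stored little-endian, as Zigbee install codes define it; the names `ic_crc16` and `ic_parse_and_check` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IC_LEN   16            /* assumed: 128-bit code, as in the page's example */
#define IC_TOTAL (IC_LEN + 2)  /* code followed by its CRC16 */

/* CRC-16/X-25: reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF. */
uint16_t ic_crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0x8408) : (uint16_t)(crc >> 1);
    }
    return (uint16_t)~crc;
}

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 0 when hex is exactly 36 hex digits and the trailing CRC matches,
 * -1 on bad length or character, -2 on CRC mismatch. out receives the bytes. */
int ic_parse_and_check(const char *hex, uint8_t out[IC_TOTAL])
{
    if (strlen(hex) != 2 * IC_TOTAL) return -1;
    for (size_t i = 0; i < IC_TOTAL; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    uint16_t stored = (uint16_t)(out[IC_LEN] | (out[IC_LEN + 1] << 8)); /* little-endian */
    return ic_crc16(out, IC_LEN) == stored ? 0 : -2;
}

int main(void)
{
    uint8_t ic[IC_TOTAL];
    printf("%d\n", ic_parse_and_check("83FED3407A939723A5C639B26916D505C3B5", ic));
    printf("%d\n", ic_parse_and_check("83FED3407A939723A5C639B26916D504C3B5", ic));
    return 0;
}
```

The CRC only catches transcription errors when a code is typed or scanned; it is computed from the code itself and gives no protection if the code has been disclosed.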

  • Thanks for reply.

    I have more questions.

    1. At the ZR (router) side, what should be done for security?

    2. Using "zb_secur_ic_set" and "zb_secur_ic_add", is the information saved in flash, or is it volatile?

    Best regards.

  • Hi.

    1.

    The router is a joining device before it becomes a router, so you should use zb_secur_ic_set.

    2.

    The information is stored in NVRAM.

    Best regards,

    Andreas

  • Thanks.

    Sorry for more questions.

    1. Is there any API to retrieve registered install codes with the MAC at the coordinator side?

      (Same question for the end device.)

    2. How can I erase a specific registered (in NVRAM) MAC-IC pair?

    If there is no way to erase a specific tuple, then how can I erase all the secure ICs?

    Does zigbee_erase_persistent_storage(ZB_TRUE) do that?

    3. I found the PAN_ID setting function in the CLI sources (in zigbee cli cmd_bdb.c),

    but changing the PAN ID with "ZB_PIBCACHE_PAN_ID() = pan_id" only updates the cached structure.

    A comment in zboss_api_nwk.h says "must sync it with MLME-SET".

    Which API corresponds to "MLME-SET"?

    Sincerely yours.

  • Hi.

    Can we please clarify what you need help with at this moment? I find it a bit confusing when you have created 4 different tickets in a short time span.

    (devzone.nordicsemi.com/.../233623)

    (devzone.nordicsemi.com/.../233787)

    (devzone.nordicsemi.com/.../233781)

    (devzone.nordicsemi.com/.../233766)

    Can we please keep the discussion in one ticket?

    I would like to keep the discussion in this ticket.

    I will have to talk with our developers about your question, please be patient.

    Best regards,

    Andreas
