[nRF52840 + zigbee] About install codes

RE: [nRF52840 + zigbee] About install codes

AndreasF — Mon, 05 Aug 2019 06:49:42 GMT

Hi.

Can we please clarify what you need help with at this moment? I find it a bit confusing when you have created 4 different tickets in a short time span.

(devzone.nordicsemi.com/.../233623)

(devzone.nordicsemi.com/.../233787)

(devzone.nordicsemi.com/.../233781)

(devzone.nordicsemi.com/.../233766)

Can we please keep the discussion in one ticket?

I would like to keep the discussion in this ticket.

I will have to talk with out developers about your question, please be patient 😊

Best regards,

Andreas

RE: [nRF52840 + zigbee] About install codes

embedholic — Fri, 02 Aug 2019 13:36:18 GMT

Thanks.

Sorry for more questions.

1. Is there any API to retrieve registered Install Codes with mac at coordinator side ?

(same question for end device)

2. How can erase registered(in NVRAM) specific MAC-IC pair ?

If there is no way to erase specific tuple, then how to erase all the secure IC ?

zigbee_erase_persistent_storage(ZB_TRUE) does that ?

3. I found that PAN_ID setting function in cli souces(in zigbee cli cmd_bdb.c).

but Changing pan id with "ZB_PIBCACHE_PAN_ID() = pan_id" only update

cached structure.

In comment in zboss_api_nwk.h, "must sync it with MLME-SET".

What api correspoding "MLME-SET" ?

Sincerely yours.

RE: [nRF52840 + zigbee] About install codes

AndreasF — Fri, 02 Aug 2019 06:42:54 GMT

Hi.

The router is a joining device before it becomes a router, so you should use zb_secur_ic_set.

The information is stored in NVRAM.

Best regards,

Andreas

RE: [nRF52840 + zigbee] About install codes

embedholic — Fri, 02 Aug 2019 05:23:15 GMT

Thanks for reply.

I have more questionㄴ.

1. At ZR(router) side, what to do for security ?

2. using

"zb_secur_ic_set" and

"zb_secur_ic_add"

Information is saved in flash ? or volatile ?

Best reguards.

RE: [nRF52840 + zigbee] About install codes

AndreasF — Thu, 01 Aug 2019 11:38:15 GMT

Hi.

You can take a look at how installation codes are used in the CLI, you can find the code in the SDK under components\zigbee\cli\zigbee_cli_cmd_bdb.c.

/** @brief Set install code on the device, add information about the install code
 *  on the trust center, set the trust center install code policy.
 *
 * @code
 * bdb ic add <h:install code> <h:eui64>
 * bdb ic set <h:install code>
 * bdb ic policy <enable|disable>
 * @endcode
 *
 * @pre Setting and defining policy only before @ref start "bdb start".
 * Adding only after @ref start "bdb start".
 * 
 * <tt>bdb ic set</tt> must only be used on a joining device.
 *
 * <tt>bdb ic add</tt> must only be used on a coordinator.
 *
 * <tt>bdb ic policy</tt> must only be used on a coordinator.
 *
 * Provide the install code as an ASCII-encoded hex including CRC16.
 *
 * For production devices, an install code must be installed by the production
 * configuration present in flash.
 *
 *
 * Example:
 * @code
 * > bdb ic add 83FED3407A939723A5C639B26916D505C3B5 0B010E2F79E9DBFA
 * Done
 * @endcode
 */
static void cmd_zb_install_code(nrf_cli_t const * p_cli, size_t argc, char **argv)
{
    const char *   p_err_msg = NULL;
    zb_ieee_addr_t addr;
    zb_uint8_t     ic[ZB_CCM_KEY_SIZE + 2]; // +2 for CRC16

    if (nrf_cli_help_requested(p_cli) || (argc == 1))
    {
        print_usage(p_cli, argv[0],
                    "ic - set or add install code. Enable IC policy.\r\n"
                    "ic set <h:install code> - set the ic code to <install_code>\r\n"
                    "ic add <h:install code> <h:eui64> - add ic for device with given eui43\r\n"
                    "ic policy - set Trust Center install code policy");
        return;
    }

    if ((argc == 2) && (strcmp(argv[0], "set") == 0))
    {
        if (!parse_hex_str(argv[1], ic, 2*sizeof(ic), false))
        {
            p_err_msg = "Failed to parse IC";
            goto exit;
        }

        if (zb_secur_ic_set(ic) != RET_OK)
        {
            p_err_msg = "Failed to set IC";
            goto exit;
        }
    }
    else if ((argc == 3) && (strcmp(argv[0], "add") == 0))
    {
        if (!parse_hex_str(argv[1], ic, 2*sizeof(ic), false))
        {
            p_err_msg = "Failed to parse IC";
            goto exit;
        }

        if (!parse_long_address(argv[2], addr))
        {
            p_err_msg = "Failed to parse eui64";
            goto exit;
        }

        if (zb_secur_ic_add(addr, ic) != RET_OK)
        {
            p_err_msg = "Failed to add IC";
            goto exit;
        }
    }
    else if ((argc == 2) && (strcmp(argv[0], "policy") == 0))
    {
        if (strcmp(argv[1], "enable") == 0)
        {
            zb_set_installcode_policy(ZB_TRUE);
        }
        else if (strcmp(argv[1], "disable") == 0)
        {
            zb_set_installcode_policy(ZB_FALSE);
        }
        else
        {
            p_err_msg = "Syntax error";
            goto exit;
        }
    }
    else
    {
        p_err_msg ="Syntax error";
    }

exit:
    if (p_err_msg)
    {
        print_error(p_cli, p_err_msg);
    }
    else
    {
        print_done(p_cli, ZB_FALSE);
    }
}

You have to run zb_secur_ic_set at the client side (the side without TC) and you have to run zb_secur_ic_add at the ZC (the side with TC).

Best regards,

Andreas