
[nRF52840 + zigbee] install code when production

Hi.

I am developing a Zigbee product with a security function (using install codes).

1. In the function cmd_zb_install_code in zigbee_cli_cmd_bdb.c, there is a comment as below.


* For production devices, an install code must be installed by the production
* configuration present in flash.

=> Is calling "zb_secur_ic_add" not sufficient?

If I am misunderstanding, please give more detailed materials about that.

2. At the joining device, the zb_set_installcode_policy function does not exist in the library.

Is just calling zb_secur_ic_set enough to enable security at the ZED/ZR side?

3.

3.1 At the coordinator, zb_secure_ic_add with ZED1's MAC and predefined install codes, enabled by zb_set_installcode.

3.2 At the end device, zb_secure_ic_set with the same install codes that are registered at the coordinator.

3.3 The end device cannot join the coordinator. Is there something more to do?

Is zb_secure_ic_set not sufficient?

What does the comment below in the CLI source mean?

"For production devices, an install code must be installed by the production configuration present in flash."

Thanks.

  • Hi again.

    General question:
    Do we have some example for Installation Codes that is working that we can provide?

    Yes, our CLI example may be used to play with install codes. At the moment there is an issue with the CLI Agent Router in version 3.1.0, so please use version 3.0.0 if you just want to test.
    Here is a screenshot of the sniffer logs when I did the test:

    Commands used on the coordinator:

    Commands used on the router:


    Other questions you've asked:
    1. How many entries can I add with "zb_secur_ic_add" at the coordinator (ZC)?

            It is configurable - the number of install codes is set by the value of "ZB_CONFIG_N_APS_KEY_PAIR_ARR_MAX_SIZE" macro.

    2. Can I retrieve MAC address or Installation Codes that were added before?

            There are functions to do that, but right now they are not available through public API.


    3. Can I selectively delete a MAC/Installation Code entry that was added?

            Yes, please take a look at the following API: zb_ret_t zb_secur_ic_remove(zb_ieee_addr_t address);

    3. If 3 is not possible, is it only zigbee_erase_persistent_storage that can be used to erase all entries?

            Possible, thus no need to create workarounds.

    4. I want to change the PAN ID. In the file zigbee_cli_cmd_bdb.c, I can find "ZB_PIBCACHE_PAN_ID() = pan_id"; how do I change the PAN ID? I can find the sentence "must sync it with MAC using MLME-SET" but don't know which API does that.

    If you set ERASE_PERSISTENT_CONFIG to ZB_TRUE, the PAN ID will change when you reset the device, as shown below:

    5. In the function cmd_zb_install_code in the file zigbee_cli_cmd_bdb.c, it states that: "For production devices, an install code must be installed by the production configuration present in flash." Does this mean that calling "zb_secur_ic_add" is not sufficient?

            It is sufficient. The reasoning: probably it is much easier to flash the same firmware to all devices and change the install code via production config feature than recompile the firmware for each device.

    6. At the device that is joining, the zb_set_installcode_policy function does not exist in the library. Is it enough to just call zb_secur_ic_set to enable security at ZED/ZR?

            Yes, it is sufficient to call zb_secur_ic_set on ZR/ZED.

    7. In the ZC, I have zb_secure_ic_add with ZED nr.1's MAC and predefined Installation Codes and enabled zb_set_installcode.
        In the ZED, I have zb_secure_ic_set with the same Installation Codes that are registered by zb_secure_ic_add in the ZC.
        The problem is that the end device cannot join the coordinator, do I need something else?
         Is it not sufficient to use zb_secur_ic_set at the ZED?


         Please verify your procedure by commissioning two CLI examples using install codes. Make sure that the IC policy is enabled on the ZC.

    Best regards,

    Andreas
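
One check worth running before commissioning, when a join fails as in question 7, is that the code registered on the ZC and the code set on the ZED are both well formed and byte-identical. The following is an added example, not code from this thread or from the nRF5 SDK; it assumes the Zigbee install-code layout of 6, 8, 12 or 16 code bytes followed by a CRC-16/X-25 stored low byte first, and the helper names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-16/X-25: reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF. */
static uint16_t crc16_x25(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0x8408) : (uint16_t)(crc >> 1);
    }
    return (uint16_t)~crc;
}

/* Assumed layout: 6/8/12/16 code bytes + 2 CRC bytes, low byte first. */
static bool ic_is_valid(const uint8_t *ic, size_t len)
{
    if (len != 8 && len != 10 && len != 14 && len != 18)
        return false;                      /* reject before touching ic[] */
    uint16_t crc = crc16_x25(ic, len - 2);
    return ic[len - 2] == (crc & 0xFF) && ic[len - 1] == (crc >> 8);
}

/* Hypothetical helper: copy a raw code to out (len + 2 bytes) and append its CRC. */
static void ic_append_crc(const uint8_t *code, size_t len, uint8_t *out)
{
    uint16_t crc = crc16_x25(code, len);
    memcpy(out, code, len);
    out[len] = (uint8_t)(crc & 0xFF);
    out[len + 1] = (uint8_t)(crc >> 8);
}

/* Hypothetical check: the ZC entry must be valid and equal to the ZED's code. */
static bool ic_pair_ok(const uint8_t *zc, size_t zc_len, const uint8_t *zed, size_t zed_len)
{
    return zc_len == zed_len && ic_is_valid(zc, zc_len) && memcmp(zc, zed, zc_len) == 0;
}

int main(void)
{
    /* Constructed sample code, not a real device secret. */
    const uint8_t raw[16] = {0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F};
    uint8_t zc[18], zed[18];
    ic_append_crc(raw, sizeof raw, zc);
    memcpy(zed, zc, sizeof zc);
    zed[15] ^= 0x01;                       /* simulate a one-bit typo on the ZED side */
    printf("ZC valid=%d ZED valid=%d pair ok=%d\n", ic_is_valid(zc, 18), ic_is_valid(zed, 18), ic_pair_ok(zc, 18, zed, 18));
    return 0;
}
```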
