
[nRF52840 + zigbee] install code when production

Hi.

I am developing a Zigbee product with a security function (using install codes).

1. In the function cmd_zb_install_code in zigbee_cli_cmd_bdb.c, there is a comment as below.


* For production devices, an install code must be installed by the production
* configuration present in flash.

=> Is calling "zb_secur_ic_add" not sufficient?

If I am misunderstanding, please give more detailed materials about that.

2. At the joining device, the zb_set_installcode_policy function does not exist in the library.

Is just calling zb_secur_ic_set enough to enable security at the ZED/ZR side?

3.

3.1 At the coordinator, zb_secure_ic_add with ZED1's MAC and predefined install codes, and enable by zb_set_installcode.

3.2 At the end device, zb_secure_ic_set with the same install codes that are registered at the coordinator.

3.3 The end device cannot join the coordinator. Is there something more to do?

 Is zb_secure_ic_set not sufficient?

 What does the comment below in the CLI source mean?

" For production devices, an install code must be installed by the production
* configuration present in flash." 

Thanks.

  • Hi again.

    General question:
    Do we have some example for Installation Codes that is working that we can provide?

    Yes, our CLI example may be used to play with install codes. At the moment there is an issue with the CLI Agent Router in version 3.1.0, so please use version 3.0.0 if you just want to test.
    Here is a screenshot of the sniffer logs when I did the test:

    Commands used on the coordinator:

    Commands used on the router:


    Other questions you've asked:
    1. How many entries can I add with "zb_secur_ic_add" at the coordinator (ZC)?

            It is configurable - the number of install codes is set by the value of "ZB_CONFIG_N_APS_KEY_PAIR_ARR_MAX_SIZE" macro.

    2. Can I retrieve MAC address or Installation Codes that are added before?

            There are functions to do that, but right now they are not available through public API.


    3. Can I selectively delete a MAC/Installation Code entry that are added?

            Yes, please take a look at the following API: zb_ret_t zb_secur_ic_remove(zb_ieee_addr_t address);

    3. If 3 is not possible, is it only zigbee_erase_persistent_storage that can be used to erase all entries?

            Possible, thus no need to create workarounds.

    4. I want to change the PAN ID. In the file zigbee_cli_cmd_bdb.c, I can find "ZB_PIBCACHE_PAN_ID() = pan_id"; How do I change the PAN ID? I can find the sentence "must sync it with MAC using MLME-SET" but don't know which API does that.

    If you set ERASE_PERSISTENT_CONFIG to ZB_TRUE, the PAN ID will change when you reset the device, as shown below:

    5. In the function cmd_zb_install_code in the file zigbee_cli_cmd_bdb.c, it states that: "For production devices, an install code must be installed by the production configuration present in flash." Does this mean that calling "zb_secur_ic_add" is not sufficient?

            It is sufficient. The reasoning: it is probably much easier to flash the same firmware to all devices and change the install code via the production config feature than to recompile the firmware for each device.

    6. At the device that is joining, the zb_set_installcode_policy function does not exist in the library. Is it enough to just call zb_secur_ic_set to enable security at ZED/ZR?

            Yes, it is sufficient to call zb_secur_ic_set on ZR/ZED.

    7. In the ZC, I have zb_secure_ic_add with ZED nr.1's MAC and predefined Installation Codes and enabled zb_set_installcode.
        In the ZED, I have zb_secure_ic_set with the same Installation Codes that are registered by zb_secure_ic_add in the ZC.
        The problem is that the end device cannot join the coordinator, do I need something else?
         Is it not sufficient to use zb_secur_ic_set at the ZED?


         Please verify your procedure by commissioning two CLI examples using install codes. Make sure that the IC policy is enabled on the ZC.

    Best regards,

    Andreas
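
Related to the join failure in question 7 above, an added example (not part of the reply and not Nordic SDK code): an offline check that an install code string is well-formed before the same value is given to the coordinator and to the joining device. It assumes the Zigbee install code layout of 6, 8, 12 or 16 code bytes followed by a CRC-16/X-25 stored low byte first; `ic_check` and `ic_crc16` are hypothetical helper names, and the sample string is the commonly published Zigbee test install code, not a value from this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-16/X-25: reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF. */
static uint16_t ic_crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= *p++;
        for (int b = 0; b < 8; b++)
            crc = (uint16_t)((crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1);
    }
    return (uint16_t)~crc;
}

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 0 if the hex string is a well-formed install code,
 * -1 on bad length or non-hex characters, -2 on CRC mismatch. */
int ic_check(const char *hex)
{
    uint8_t buf[18];                    /* longest form: 16 code bytes + 2 CRC */
    size_t len = strlen(hex);
    size_t n = len / 2;                 /* total bytes including the CRC */
    if (len % 2 || (n != 8 && n != 10 && n != 14 && n != 18))
        return -1;
    for (size_t i = 0; i < n; i++) {
        int hi = hex_nibble(hex[2 * i]), lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        buf[i] = (uint8_t)((hi << 4) | lo);
    }
    uint16_t stored = (uint16_t)(buf[n - 2] | (buf[n - 1] << 8));
    return ic_crc16(buf, n - 2) == stored ? 0 : -2;
}

int main(void)
{
    /* Constructed input: published Zigbee test install code with its CRC. */
    printf("%d\n", ic_check("83FED3407A939723A5C639B26916D505C3B5"));
    return 0;
}
```

A result of 0 only shows the string is well-formed; the coordinator entry must still pair it with the joining device's IEEE address, and the IC policy must be enabled on the ZC as the reply says.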

  • Hi,

    How do I know if it is using the install code instead of the default TC link key?

    I tried setting "bdb ic policy enable" at the CLI ZC and calling zb_secur_ic_set on the ZR/ZED; the ZR/ZED can't join the network.

    If I set "bdb ic policy disable" at the ZC, the ZR/ZED can join like in your test.

    Best regards,

    Song

  • Hi again Song.

    It could be related to the issue I mentioned in my previous reply.

    Can you please create a new ticket where you describe the issue in more detail, and if you could get some data traffic as well with the nRF sniffer and attach it, that would be great. That way we keep the issues cleaner and it's easier for me to forward the issue to our developers.

    Best regards,

    Andreas

  • Andreas,

      Thank you for your reply. But I think this is the same issue, about the Zigbee install code.

    I beg you to try "bdb ic policy enable" and tell me how to know whether the install code is being used.

    Thank you.

    Best regards,

    Song

  • Hi Song.

    I understand what you're saying, but I would still prefer that you create a new ticket that I can forward to our developers.

    Best regards,

    Andreas

  • Hi Andreas,

      Here is the new ticket. Please.

    Best regards,

    Song

  • Hi again Song.

    I've replied in the ticket you created, if we could keep the discussion in that ticket that would be great.

    Best regards,

    Andreas
