• State
  • Locked Locked
  • Replies 4 replies
  • Subscribers 55 subscribers
  • Views 1479 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Commissioning Network Security, preconfigured nwk keys

Ben
Intellectual 410 points


I'm having difficulty getting the ccserver sample ZBA project to function correctly with security enabled.  SECURE=1 in the f8wConfig

My understanding of the ZBA spec is that security will be usedwhen connecting to the commissioning network, specifically the use of a preconfigured TC link key.  That key would be used to transport the network key ( which is NOT preconfigured ). 

Now, it's possible of course that I've misread the specification, but in any regard, what is the setup required to get a device to join with security?   The device gets associated, but times out on the network key - the APS transport of the key from the ZC / TC is encrypted with the TCLinkKey, as expected, but the joining ZED times out and resets.

Looking at the ZDApp code, it appears that the device will attempt to pull a NWK key from NV- but the whole point of the APS transport of the encrypted NWKKey is that I don't have to have a key in NV (yet), so why is this the procedure?  Is there some config that will allow this to work? 

from the zdapp.c module:

if ( ZG_SECURE_ENABLED && ( ZDApp_RestoreNwkKey() == false ) )
      {
        // wait for auth from trust center!!
        devState = DEV_END_DEVICE_UNAUTH;

        // Start the reset timer for MAX UNAUTH time
        ZDApp_ResetTimerStart( 10000 );//MAX_DEVICE_UNAUTH_TIMEOUT );
      }

 

 

 

  • 0
    Intellectual 410 points

    I've been digging through the stack code and found a suspicious section that has been commented out. 

    I'm unable for some reason to set breakpoints in this section to see if this function is even called, but the comments seem to indicate the expected behavior.

    So the question is: Why is the entire section commented out?  I tried un-commenting the couple of lines in question and still didn't get the syste, to function as expected, but that leads one to wonder if there's some known bug in there somewhere regarding this functionality...

    void ZDSecMgrEstablishKeyCfm( ZDO_EstablishKeyCfm_t* cfm )
    {
      // send the NWK key
      if ( ( ZG_BUILD_COORDINATOR_TYPE ) && ( ZG_DEVICE_COORDINATOR_TYPE ) )
      {
        // update control for specified EXT address
        ZDSecMgrDeviceCtrlUpdate( cfm->partExtAddr, ZDSECMGR_CTRL_SKKE_DONE );
      }
      else
      {
        // this should be done when receiving the NWK key
        // if devState ==
        //if ( devState == DEV_END_DEVICE_UNAUTH )
            //osal_set_event( ZDAppTaskID, ZDO_DEVICE_AUTH );     <-  this would stop the reset timer

        // if not in joining state -- this should trigger an event for an
        // end point that requested SKKE
        // if ( devState == DEV_END_DEVICE )
       //       devState == DEV_ROUTER;

      }
    }

  • 0 in reply to Ben
    Intellectual 410 points

    Experimentation seems to lead one to believe that the TC_LINKKEY_JOIN constant must be defined in the build (on both the ZC and the ZED) in order to get this functionality.

    While this is explained somewhat in the ZSE documentation, it goes unmentioned in the other docs, including the commissioning cluster and sample app docs. 

    I still am of the opinion that the ZBA specification requires this functionality in the commissioning network join, so I'm not sure why this seemingly was left out of the example and docs. 

     

     

  • 0
    Prodigy 110 points

    Hello Ben,

    Just wondering if you ever got the CCServer example code to run? I tried the application (unmodified), on the SmartRF05 kit and the problem that I see is that it joins any network and I expect it to only join the commissioning network on start-up.

    zbaGlobalCommissioningEPID is set the ZigBee standard commissioning value, but there appears to be some problem on start-up and this EPID is not being used in the join validation process. The problem seems to be that zclCCServer_Init( taskID ) is called after APS_Init() and APS_Init copies zgApsUseExtendedPANID to AIB_apsUseExtendedPANID. So when later zclCCServer_Init() copies zbaGlobalCommissioningEPID to zgApsUseExtendedPANID it is already to late and both AIB_apsUseExtendedPANID and ZDO_UseExtendedPANID remain at the default settings of all 0, which means that the router will join any extended PAN Id that is permitting joins.

    This problem aside, it is not clear to me just how the CCServer code allows new network parameters to be saved and then leave the current network and reboot and pick up the new network parameters. I can save network attributes without any problem, but on a restart, I do not see the code reading the network setting from the nvItemTable[] and it always starts as if from a fresh start.

    Anyone else have any luck with the CCServer application or using the commissioning cluster in general? My objective is to factory program router devices with the commissioning network parameters and then have them join a commissioning tool on site which would then tell the device its new channel and PAN Id and force it to leave the commissioning network and join the site network using the new parameters.

    The ZBA CCserver example code is included in the 2.5.1 stack and I noted that it is not included in the more recent releases of the Home Automation and Smart Energy stacks. Maybe there is a good reason for this?

    Thanks for any help or feedback.

    Leo

  • 0 in reply to Leo Cahalan
    Prodigy 110 points
    Has anyone had success with the commissioning cluster?