Zigbee Security issue with FRDM-KW41Z


2,440 Views
jiang_jason
Contributor II

We are trying to get the FRDM-KW41Z eval board with the frdmkw41z_wireless_examples_zigbee_3_0_end_device_freertos example (SDK version: 2.2.1) to connect with our Zigbee network. After our ZC device replied with a successful association response, the ZED device (KW41D) starts to send out a lot of data requests, instead of sending a device announcement. Eventually the ZED device failed to join the network with ZPS_APL_APS_E_SECURITY_FAIL (0xAD) as the return code (sNwkJoinFailedEvent.u8Status). The debug messages of the KW41D eval board are shown below:

 

$ join
BDB: Disc on Ch 25 from 0x02000000
Nwk Join 00
$ BDB: APP_vGenCallback [0 10]
BDB: vNsTryNwkJoin - index 0 of 1 Nwks
BDB: Try To join 000eddffff438d84 on Ch 25
BDB zdo join network
APP-ZDO: Discovery Complete 0x00
BDB: APP_vGenCallback [0 15]
….
BDB: APP_vGenCallback [0 15]
BDB: APP_vGenCallback [0 8]
FailedToJoin sNwkJoinFailedEvent.u8Status=173 !!!
BDB: vNsTryNwkJoin - index 0 of 1 Nwks
BDB: Try To join 000eddffff438d84 on Ch 25
BDB zdo join network
failed to join event

 

 

Then we tried to disable the APS security feature, yet it gave the same error code (ZPS_APL_APS_E_SECURITY_FAIL) with the same network capture.

We have modified the following places to disable the security of APS:

app_zps_cfg.h

#define ZPS_APS_AIB_INIT_TRUST_CENTER_ADDRESS 0xFFFFFFFFFFFFFFFFULL
#define ZPS_APS_AIB_INIT_USE_INSECURE_JOIN TRUE
#define ZPS_NWK_NIB_INIT_SECURITY_LEVEL 0
#define ZPS_NWK_NIB_INIT_SECURE_ALL_FRAMES FALSE

bdb_options.h

#define BDB_TRUST_CENTER_REQUIRE_KEYEXCHANGE (FALSE)

 

So what did I miss to disable the security of the APS layer? Or maybe I was on the wrong track, and sNwkJoinFailedEvent.u8Status=173 was caused by something else.

Any idea will be helpful, and let me know if you need more debug details.

 

Thanks,

Jason
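An added example, not part of the original post or the NXP SDK: a small Python check that scans a configuration header for the security-disabling values listed in the post above, so that a test-only setting is caught before it reaches a release build. The rule table and the sample header are constructed from the values quoted in the post; `audit` and `parse_value` are hypothetical names.

```python
import re

# Macro values the post reports setting to turn security off (TRUE/FALSE as 1/0).
# A header carrying any of these values is reported.
INSECURE_VALUES = {
    "ZPS_APS_AIB_INIT_TRUST_CENTER_ADDRESS": 0xFFFFFFFFFFFFFFFF,
    "ZPS_APS_AIB_INIT_USE_INSECURE_JOIN": 1,
    "ZPS_NWK_NIB_INIT_SECURITY_LEVEL": 0,
    "ZPS_NWK_NIB_INIT_SECURE_ALL_FRAMES": 0,
    "BDB_TRUST_CENTER_REQUIRE_KEYEXCHANGE": 0,
}

DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)\s+(.+?)\s*$")

def parse_value(text):
    """Normalise a macro body: drop comments, parentheses and integer suffixes."""
    text = re.sub(r"/\*.*?\*/|//.*", "", text).strip()
    while text.startswith("(") and text.endswith(")"):
        text = text[1:-1].strip()
    if text in ("TRUE", "FALSE"):
        return int(text == "TRUE")
    m = re.fullmatch(r"(0[xX][0-9a-fA-F]+|\d+)[uUlL]*", text)
    if not m:
        return text  # anything else stays a string and never matches a rule
    return int(m.group(1), 16 if m.group(1)[:2].lower() == "0x" else 10)

def audit(header_text):
    """Return (line_no, macro) pairs, in line order, that match INSECURE_VALUES."""
    findings = []
    for no, line in enumerate(header_text.splitlines(), 1):
        m = DEFINE_RE.match(line)
        if m and m.group(1) in INSECURE_VALUES:
            # Object-like macros only: "NAME(args)" does not match DEFINE_RE.
            if parse_value(m.group(2)) == INSECURE_VALUES[m.group(1)]:
                findings.append((no, m.group(1)))
    return findings

# Constructed sample: the edits listed in the post, gathered into one excerpt.
SAMPLE = """\
#define ZPS_APS_AIB_INIT_TRUST_CENTER_ADDRESS 0xFFFFFFFFFFFFFFFFULL
#define ZPS_APS_AIB_INIT_USE_INSECURE_JOIN TRUE
#define ZPS_NWK_NIB_INIT_SECURITY_LEVEL 0
#define ZPS_NWK_NIB_INIT_SECURE_ALL_FRAMES FALSE
#define BDB_TRUST_CENTER_REQUIRE_KEYEXCHANGE (FALSE)
"""

if __name__ == "__main__":
    for no, name in audit(SAMPLE):
        print(f"line {no}: {name} is set to a security-disabling value")
```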

8 Replies

2,101 Views
Sebastian_Del_Rio
NXP Employee

Hi Jason, I hope you're doing well!

 

Could you please provide some more information? Specifically, what kind of device is being used as the coordinator for the network, as well as information about the pre-existent network itself:

Is security on the network enabled?

Which profile is being used?

 

I tried replicating the issue, and we managed to connect successfully to the network. I attached the sniffer log to this reply.

 

Please let me know if you need any more information.

 

Take care, best regards,

Sebastian

0 Kudos

2,101 Views
jiang_jason
Contributor II

Hi Sebastian, 

Thank you for your response. 

Our device is using a KW21D as coordinator, which is using the old BeeStack. My goal is to get the FRDM-KW41Z board to connect to the old device. The security setting on the coordinator is disabled; that's why I'm looking to disable it. The profile we are using on the coordinator is a self-created manufacturer profile, but all applications will be handled on different end-points.

Other than that, I saw your sniffer log. If this is the end point example for the KW41D SDK, I have another question: did you enable the device announcement on the ZED? I was expecting a device announcement after it joined the network.

I attached our sniffer log to show how our product joined our ZC, as well as how FRDM-KW41Z failed to join.

Let me know if you need more details.

Thank you for your help.

Regards,

Jason

0 Kudos

2,101 Views
Sebastian_Del_Rio
NXP Employee

Hi Jason,

 

Beestack is built on an older version of ZigBee, implementing version 1.2 of the Home Automation stack. Since the coordinator is on an older stack version, it could be causing issues for the ZigBee 3.0 End Device running on the KW41Z.

 

If possible, can you try enabling security on the coordinator's network, as this could be causing issues with the device joining?

 

If not, is it possible to perform some tests using a different coordinator, such as another KW41, or a USB JN5189 which implement the newer ZigBee 3.0 stack?

 

Please let me know if you need any more information.

 

Take care, best regards,

Sebastian

0 Kudos

2,101 Views
jiang_jason
Contributor II

Hi Sebastian, 

Since our older products are based on the KW21D, which is on BeeStack, I assume that if we enable security on the ZC, it will make other devices on the older stack version fail to join the network. My goal is to get the FRDM-KW41Z to join our previous Zigbee 2.0 network without modifying our previous products. That's why I'm looking into disabling security on the ZED.

So is it possible for us to disable the security on the ZED? What kind of issues will we face if we disable security and mix our older stack with the Zigbee 3.0 stack?

Thanks,

Jason

0 Kudos

2,101 Views
Sebastian_Del_Rio
NXP Employee

Hi Jason, 

We're doing some tests to see the implications and possible issues with disabling the APS Security layer.

I will reply again soon with the results.

Please let me know if you need any more information.

Take care, best regards,

Sebastian

2,101 Views
jiang_jason
Contributor II

Hi Sebastian, any updates?

0 Kudos

2,101 Views
Sebastian_Del_Rio
NXP Employee

Hi Jason,

 

After performing some tests, we found that the following function may be useful for your particular use case:

/****************************************************************************
 **
 ** NAME:       eZCL_SetSupportedSecurity
 **
 ** DESCRIPTION:
 ** Sets the security level that is supported in the stack.
 **
 ** The default is E_ZCL_SECURITY_APPLINK.  Can be overridden by app to
 ** E_ZCL_SECURITY_NETWORK, which means that all clusters are sent with only NWK security.
 ** This is useful for testing with a stack with no APS security or for easier sniffing of SE
 ** clusters.  It is not possible to send completely unsecure frames in a ZB Pro compliant stack
 ** so E_ZCL_SECURITY_NONE has been removed.
 **
 ** PARAMETERS:            Name                           Usage
 ** teZCL_ZCLSendSecurity  eSecuritySupported             The security level to set.
 **
 ** RETURN:
 ** E_ZCL_SUCCESS, E_ZCL_ERR_PARAMETER_RANGE
 **
 ****************************************************************************/
PUBLIC teZCL_Status eZCL_SetSupportedSecurity(teZCL_ZCLSendSecurity  eSecuritySupported)
{
    if (eSecuritySupported >= E_ZCL_SECURITY_ENUM_END)
        return (E_ZCL_ERR_PARAMETER_RANGE);
    psZCL_Common->eSecuritySupported = eSecuritySupported;
    return(E_ZCL_SUCCESS);
}

 

It's implemented as a part of the zcl.h cluster library header file, and allows future transmissions from the device to enable only Network Level Security, or to revert back to APPLINK Security.

 

As noted in the comment of the function, the E_ZCL_SECURITY_NONE mode has been removed from the stack to keep compliance with the ZigBee Pro specification.

 

More information about this function can be found in the ZigBee Cluster Library User Guide, which can be found in the following path:

<…\SDK_2.2.1_FRDM-KW41Z\docs\wireless\Zigbee\ZigBee Cluster Library User Guide.pdf>

 

Still, we recommend taking a look at the newer devices supporting the ZigBee Stack like the JN5189/88 and K32W041/61, as these were recently released, and have full support for the ZigBee 3.0 stack like the KW41Z.

 

Please let me know if you need any more information.

 

Take care, best regards,

Sebastian

0 Kudos

2,101 Views
Sebastian_Del_Rio
NXP Employee

Hi Jason,

I'm sorry for the delay, I'm currently doing some investigating and testing to see what is possible regarding the security of the network.

I'll provide an update as soon as possible.

In the meantime, please let me know if you need any more information, or have any other issues.

Take care, best regards,

Sebastian