Hardware platform: EFR32MG12P332F1024GL125 @10dBm #BRD4162A
Gateway development board SN: 440068869; Zigbee 3.0 joining device SN: 440101377
Software platform: EmberZNet 6.4.0.0
Related plugins:
- Security Link Keys library
- Install Code library
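1. Add "C:\SiliconLabs\SimplicityStudio\v4\developer\adapter_packs\commander\" to the system PATH environment variable.
2. Press Win+R, type cmd, and open a command prompt window.
3. Create an install code file. The install code is a random number of 6, 8, 12, or 16 bytes. Save the file as "inst_001.txt" in the directory C:\SiliconLabs\SimplicityStudio\v4\developer\adapter_packs\commander\
// 16 bytes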
Install Code: 88776655443322111122334455667788
// 12 bytes
Install Code: 665544332211112233445566
// 8 bytes
Install Code: 4433221111223344
// 6 bytes
Install Code: 332211112233
4. Flash the install code onto the Zigbee 3.0 end device. In CMD, enter:
cd C:\SiliconLabs\SimplicityStudio\v4\developer\adapter_packs\commander
commander flash --tokengroup znet --tokenfile inst_002.txt --serialno 440101377
Writing 2048 bytes starting at address 0x0fe04000
Comparing range 0x0FE04000 - 0x0FE047FF (2 KB)
Programming range 0x0FE04240 - 0x0FE0435F (288 Bytes)
Verifying range 0x0FE04000 - 0x0FE047FF (2 KB)
DONE
5. Check the install code that was flashed onto the device:
commander tokendump --tokengroup znet --serialno 440101377
#
# The token data can be in one of three main forms: byte-array, integer, or string.
# Byte-arrays are a series of hexadecimal numbers of the required length.
# Integers are BIG endian hexadecimal numbers.
# String data is a quoted set of ASCII characters.
#
# MFG_EMBER_EUI_64 : 9E8764FEFF570B00
MFG_CUSTOM_VERSION : 0xFFFF
MFG_CUSTOM_EUI_64 : FFFFFFFFFFFFFFFF
MFG_STRING : ""
MFG_BOARD_NAME : ""
MFG_MANUF_ID : 0xFFFF
MFG_PHY_CONFIG : 0xFFFF
MFG_SYNTH_FREQ_OFFSET: 0xFFFF
MFG_CCA_THRESHOLD : 0xFFFF
MFG_EZSP_STORAGE : FFFFFFFFFFFFFFFF
MFG_CTUNE : 0xFFFF
MFG_XO_TUNE : 0xFFFF
MFG_LOCKBITS_PLW : 0x000000000000000000000000FFFFFFFF
MFG_LOCKBITS_CLW0 : 0xFFFFFFFF
MFG_LOCKBITS_MLW : 0xFFFFFFFF
MFG_LOCKBITS_ULW : 0xFFFFFFFF
MFG_LOCKBITS_DLW : 0xFFFFFFFF
MFG_BOOTLOAD_AES_KEY : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
MFG_SECURITY_CONFIG : 0xFFFF
MFG_ASH_CONFIG[0] : 0xFFFF
MFG_ASH_CONFIG[1] : 0xFFFF
MFG_ASH_CONFIG[2] : 0xFFFF
MFG_ASH_CONFIG[3] : 0xFFFF
MFG_ASH_CONFIG[4] : 0xFFFF
MFG_ASH_CONFIG[5] : 0xFFFF
MFG_ASH_CONFIG[6] : 0xFFFF
MFG_ASH_CONFIG[7] : 0xFFFF
MFG_ASH_CONFIG[8] : 0xFFFF
MFG_ASH_CONFIG[9] : 0xFFFF
MFG_ASH_CONFIG[10] : 0xFFFF
MFG_ASH_CONFIG[11] : 0xFFFF
MFG_ASH_CONFIG[12] : 0xFFFF
MFG_ASH_CONFIG[13] : 0xFFFF
MFG_ASH_CONFIG[14] : 0xFFFF
MFG_ASH_CONFIG[15] : 0xFFFF
MFG_ASH_CONFIG[16] : 0xFFFF
MFG_ASH_CONFIG[17] : 0xFFFF
MFG_ASH_CONFIG[18] : 0xFFFF
MFG_ASH_CONFIG[19] : 0xFFFF
#'MFG_CBKE_DATA (Smart Energy CBKE)' token group
Device Implicit Cert : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
CA Public Key : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Device Private Key : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# CBKE Flags : 0xFF
#'MFG_INSTALLATION_CODE (Smart Energy Install Code)' token group
# Install Code Flags : 0x0000
Install Code : 332211112233
# CRC : 0x59F3
#'MFG_SECURE_BOOTLOADER_KEY (Manufacture token space for storing secure bootloader key.)' token group
MFG_SECURE_BOOTLOADER_KEY : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
#'MFG_CBKE_283K1_DATA (Smart Energy 1.2 CBKE)' token group
Device Implicit Cert (283k1) : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
CA Public Key (283k1) : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Device Private Key (283k1) : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# CBKE FLAGS (283k1) : 0xFF
#'MFG_SIGNED_BOOTLOADER_KEY_X (Manufacture token space for storing ECDSA signed bootloader key (X-point).)' token group
MFG_SIGNED_BOOTLOADER_KEY_X : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
#'MFG_SIGNED_BOOTLOADER_KEY_Y (Manufacture token space for storing ECDSA signed bootloader key (Y-point).)' token group
MFG_SIGNED_BOOTLOADER_KEY_Y : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
#'MFG_THREAD_JOIN_KEY (This is a token for saving the join key. This is for use with the Silicon Labs Thread stack only.)' token group
Join Key : ""
# Join Key Length : 0xFFFF
DONE
6. Form the network on the gateway:
plugin network-creator start 1
7. Import the device's install code into the gateway:
option install-code 0 {00 0B 57 FF FE 64 87 9E} {33 22 11 11 22 33 F3 59}
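The first parameter is the joining device's MFG_EMBER_EUI_64 : 9E8764FEFF570B00 (the token dump shows it in little-endian format; the CLI argument is the same bytes in reverse order).
The second parameter is the install code followed by the CRC (little-endian format, so the CRC 0x59F3 is appended as F3 59).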
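The conversion in step 7 can be scripted. The following is an added example, not part of the original post or of Silicon Labs tooling: it parses the relevant `commander tokendump` lines, recomputes the install code CRC as CRC-16/X-25 (which reproduces the 0x59F3 shown in the dump), and builds the `option install-code` line. The function names and the excerpted sample are assumptions made for the illustration.

```python
import re

# Lines excerpted from the step 5 token dump on this page.
SAMPLE_DUMP = """\
# MFG_EMBER_EUI_64 : 9E8764FEFF570B00
# Install Code Flags : 0x0000
Install Code : 332211112233
# CRC : 0x59F3
"""

def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def braces(data: bytes) -> str:
    """Format bytes the way the gateway CLI expects: {AA BB CC}."""
    return "{" + " ".join(f"{b:02X}" for b in data) + "}"

def install_code_command(dump: str, index: int = 0) -> str:
    """Build the step 7 CLI line from tokendump text, checking the stored CRC."""
    def field(name: str) -> str:
        pattern = rf"^#?[ \t]*{re.escape(name)}[ \t]*:[ \t]*(?:0x)?([0-9A-Fa-f]+)[ \t]*$"
        match = re.search(pattern, dump, re.M)
        if match is None:
            raise ValueError(f"{name} not found in token dump")
        return match.group(1)

    eui_le = bytes.fromhex(field("MFG_EMBER_EUI_64"))  # dump prints it little-endian
    code = bytes.fromhex(field("Install Code"))
    stored_crc = int(field("CRC"), 16)                 # dump prints it as an integer
    if len(eui_le) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if len(code) not in (6, 8, 12, 16):
        raise ValueError("install code must be 6, 8, 12 or 16 bytes")
    crc = crc16_x25(code)
    if crc != stored_crc:
        raise ValueError(f"CRC mismatch: computed 0x{crc:04X}, dump has 0x{stored_crc:04X}")
    code_with_crc = code + crc.to_bytes(2, "little")   # CRC appended low byte first
    return f"option install-code {index} {braces(eui_le[::-1])} {braces(code_with_crc)}"

if __name__ == "__main__":
    print(install_code_command(SAMPLE_DUMP))
```

A CRC mismatch means the install code or CRC in the dump was mistyped or the token was not written correctly, and the gateway would reject or mis-derive the key for that entry.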
8. Print the link key generated from the install code:
Z3GatewayTest>EMBER_SECURITY_LEVEL: 05
NWK Key out FC: 0000002C
NWK Key seq num: 0x00
NWK Key: 92 BF CF BF 9C A5 EE 70 82 40 46 21 4F D2 68 A2
Link Key out FC: 00000000
TC Link Key
- (>)000B57FFFE6487AD 00000000 L y CD 61 56 9C 1B 99 62 3D B7 E6 9C 95 4B A7 F0 65
Link Key Table
0 (>)000B57FFFE64879E 00000000 L y 7B 37 BB D2 D2 3E 60 11 E9 BA 19 D9 53 B2 C1 EF
1/6 entries used.
9. Capture packets, entering the link key in advance:
10. On the gateway, open the network for joining with the install-code-derived link key:
plugin network-creator-security open-with-key {00 0B 57 FF FE 64 87 9E} {7B 37 BB D2 D2 3E 60 11 E9 BA 19 D9 53 B2 C1 EF}
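The first parameter is the joining device's MFG_EMBER_EUI_64 : 9E8764FEFF570B00 (little-endian format in the token dump).
The second parameter is the install-code-derived link key.
11. The device starts scanning for the network: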
plugin network-steering start 1 // do not exchange the TC link key after joining
plugin network-steering start 0 // exchange the TC link key after joining
12. In the packet capture, analyze the install-code-derived link key that encrypts the Transport Key:
EMBER_SECURITY_LEVEL: 05
NWK Key out FC: 000010D9
NWK Key seq num: 0x00
NWK Key: 1E 33 9F B1 0A EE B3 2F 4E DF 72 85 90 77 6C 5D
Link Key out FC: 00001008
TC Link Key
- (>)000B57FFFE6487AD 00000000 L y 80 4F 08 E1 15 E7 A1 50 56 51 B8 16 6B 7E 98 27
Link Key Table
0 (>)000B57FFFE64879E 00001002 L y 7B 37 BB D2 D2 3E 60 11 E9 BA 19 D9 53 B2 C1 EF
1/6 entries used.
Z3GatewayTest>