This page explains how a ZigBee frame is built. The example is based on a ZigBee frame captured from a Xiaomi Home Automation network. My network is composed of a Xiaomi Gateway version 2 and an Aqara wireless switch.
The network has been sniffed with an AT86RF233 for raw encrypted frames and an NXP OM15020 USB dongle for decrypted frames as explained on this page.
Our setup allows us to sniff both raw encrypted frames and decrypted frames. Here is the encrypted frame captured with the AT86RF233; it is 53 bytes long.
Raw encrypted frame: 61 88 64 47 24 00 00 8A 5C 48 02 00 00 8A 5C 1E 5D 28 E1 00 00 00 01 3C E8 01 00 8D 15 00 01 EA 59 DE 1F 96 0E EA 8A EE 18 5A 11 89 30 96 41 4E 05 A2 43 8A FB
Here is the same frame decrypted (53 bytes):
Raw decrypted frame: 61 88 64 47 24 00 00 8A 5C 48 02 00 00 8A 5C 1E 5D 28 E1 00 00 00 01 3C E8 01 00 8D 15 00 01 00 01 12 00 04 01 01 62 18 C3 0A 55 00 21 01 00 AC 4C 76 AF 8A FB
The network key had previously been sniffed on the network:
Network key: AD 8E BB C4 F9 6A E7 00 05 06 D3 FC D1 62 7F B8
This frame is composed of 4 main layers (MAC, NWK, APS and ZCL) that are encapsulated according to the following diagram:
In the following figures, the layers have been separated for clarity:
According to this diagram, the 53-byte decrypted frame above can be split as follows:
61 88 64 47 24 00 00 8A 5C                 (MAC header)
48 02 00 00 8A 5C 1E 5D                    (NWK header)
28 E1 00 00 00 01 3C E8 01 00 8D 15 00 01  (NWK auxiliary header)
00 01 12 00 04 01 01 62                    (APS header)
18 C3 0A                                   (ZCL header)
55 00 21 01 00                             (ZCL payload)
AC 4C 76 AF                                (NWK MIC)
8A FB                                      (MAC footer / FCS)
The MAC (Medium Access Control) header is composed of 9 bytes (61 88 64 47 24 00 00 8A 5C), detailed as:
Frame Control: 0x8861
···· ···· ···· ·001 = Frame Type: [0x1] Data
···· ···· ···· 0··· = Security Enabled: [0x0] No
···· ···· ···0 ···· = Frame Pending: [0x0] No
···· ···· ··1· ···· = Acknowledgement Request: [0x1] Yes
···· ···· ·1·· ···· = Intra-PAN: [0x1] Yes
···· ··00 0··· ···· = Reserved: 0x0
···· 10·· ···· ···· = Destination Addr Mode: [0x2] 16-bit Short Address
··00 ···· ···· ···· = Reserved: 0x0
10·· ···· ···· ···· = Source Addr Mode: [0x2] 16-bit Short Address
Sequence Number: 0x64 (100)
Destination PAN ID: 0x2447
Destination Address: 0x0000
Source Address: 0x5C8A
The MAC payload is composed of 42 bytes, which contain the NWK layer:
48 02 00 00 8A 5C 1E 5D
28 E1 00 00 00 01 3C E8 01 00 8D 15 00 01
00 01 12 00 04 01 01 62
18 C3 0A 55 00 21 01 00
AC 4C 76 AF
The NWK (network) header is composed of 8 bytes (48 02 00 00 8A 5C 1E 5D), detailed as follows:
NWK Header: 0x5D1E5C8A00000248
Frame Control: 0x0248
···· ···· ···· ··00 = Frame Type: [0x0] Data
···· ···· ··00 10·· = Protocol Version: [0x2] Zigbee Pro
···· ···· 01·· ···· = Route Discovery: [0x1] Enabled
···· ···0 ···· ···· = Multicast Flag: [0x0] Unicast or Broadcast
···· ··1· ···· ···· = Security Enabled: [0x1] Yes
···· ·0·· ···· ···· = Source Route Included: [0x0] No
···· 0··· ···· ···· = Destination IEEE Address Included: [0x0] No
···0 ···· ···· ···· = Source IEEE Address Included: [0x0] No
··0· ···· ···· ···· = End Device Initiator: [0x0] No
00·· ···· ···· ···· = Reserved: 0x0
Destination Address: 0x0000
Source Address: 0x5C8A
Radius: 0x1E
Sequence Number: 0x5D (93)
The NWK auxiliary header, or security header, is composed of 14 bytes (28 (or 2D) E1 00 00 00 01 3C E8 01 00 8D 15 00 01), detailed as follows:
NWK Aux Header: (14 bytes)
Network Security Control: 0x28 (or 0x2D)
···· ·000 = Network Security Level: [0x0] None (Should be 101)
···0 1··· = Key NWK ID: [0x1] Network Key
··1· ···· = Extended Nonce: [0x1] Yes
00·· ···· = Reserved: 0x0
NWK Frame Counter: 0xE1 (225)
Source Address: 00:15:8D:00:01:E8:3C:01
NWK Key Sequence Number: 0x01 (1)
Note that the 3-bit network security level is overwritten (set to 000) before transmission and must be restored by the receiver according to the nwkSecurityLevel attribute of the NIB (page 382 of the ZigBee specification). In the present frame, the security level should be 0x05 (0b101, ENC-MIC-32) according to page 425 of the ZigBee specification.
The NWK payload is composed of 16 bytes (00 01 12 00 04 01 01 62 18 C3 0A 55 00 21 01 00), which encapsulate the APS layer (Application Support sub-layer):
00 01 12 00 04 01 01 62
18 C3 0A 55 00 21 01 00
APS Header: 0x6201010400120100
Frame Control: 0x00
···· ··00 = Frame Type: [0x0] Data
···· 00·· = Delivery Mode: [0x0] Normal Unicast Delivery
···0 ···· = Acknowledgement Format: [0x0] Data Frame
··0· ···· = Security Enabled: [0x0] No
·0·· ···· = Acknowledgement Request: [0x0] No
0··· ···· = Extended Header Present: [0x0] No
Destination Endpoint: 0x01
Cluster ID: [0x0012] General: Multistate Input (Basic)
Profile ID: [0x0104] Zigbee Home Automation
Source Endpoint: 0x01
APS Counter: 0x62 (98)
The APS payload is composed of 8 bytes (18 C3 0A 55 00 21 01 00):
ZCL Header: 0x0AC318
Frame Control: 0x18
···· ··00 = Frame Type: [0x0] Command Acts Across the Entire Profile
···· ·0·· = Manufacturer Specific: [0x0] Manufacturer Code Not Included in the ZCL Frame
···· 1··· = Direction: [0x1] From Server to Client
···1 ···· = Disable Default Response: [0x1] Yes
000· ···· = Reserved: 0x0
Transaction Sequence Number: 195
Command ID: 0x0A
General Command Frame: [0x0A] Report Attributes
ZCL Payload: 0x0001210055
Attributes 0: 0x0001210055
Attribute ID: [0x0055] Present Value
Data Type: [0x21] Unsigned 16-bit Integer
Data: 0x0001
Value: [1] Yes
The message integrity code (MIC), whose presence and size depend on the security level, is used to check the frame integrity:
NWK MIC: 0xAC4C76AF
MAC Footer: 0xFB8A
Frame Check Sequence: 0xFB8A
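To tie the layers together, here is an added Python dissector (written for this page, not code from the original page or from any ZigBee tool) that walks the 53-byte decrypted frame above and extracts the fields listed for each layer, including the restoration of the zeroed security-level bits to 0x05 described for the auxiliary header. It assumes the shape of this particular frame: short MAC addressing with PAN ID compression, a normal unicast APS data frame, and a Report Attributes command carrying a single uint16 attribute; anything else is rejected rather than misparsed.

```python
import struct

# Decrypted frame from the page (53 bytes): MAC | NWK | NWK aux | APS | ZCL | MIC | FCS
FRAME = bytes.fromhex(
    "618864472400008A5C" "480200008A5C1E5D" "28E1000000013CE801008D150001"
    "0001120004010162" "18C30A" "5500210100" "AC4C76AF" "8AFB")

def dissect(frame, mic_len=4):
    """Split a ZigBee data frame into MAC/NWK/APS/ZCL fields (multi-byte fields are little-endian on air)."""
    f = {}
    # MAC header (IEEE 802.15.4): 9 bytes when both addresses are short and the PAN ID is compressed
    mac_fcf, f["mac_seq"], f["dst_pan"], f["mac_dst"], f["mac_src"] = struct.unpack_from("<HBHHH", frame)
    if (mac_fcf >> 10) & 3 != 2 or (mac_fcf >> 14) & 3 != 2 or not mac_fcf & 0x40:
        raise ValueError("only 16-bit short addressing with PAN ID compression is handled")
    f["mac_frame_type"], f["mac_ack_req"] = mac_fcf & 7, bool(mac_fcf & 0x20)
    pos = 9
    # NWK header: frame control, destination, source, radius, sequence number (8 bytes)
    nwk_fcf, f["nwk_dst"], f["nwk_src"], f["radius"], f["nwk_seq"] = struct.unpack_from("<HHHBB", frame, pos)
    f["nwk_version"], f["nwk_secured"] = (nwk_fcf >> 2) & 0xF, bool(nwk_fcf & 0x200)
    pos += 8
    if f["nwk_secured"]:
        # NWK auxiliary header: security control, frame counter, [extended source], [key sequence]
        sec = frame[pos]
        f["key_id"], ext_nonce = (sec >> 3) & 3, bool(sec & 0x20)
        (f["frame_counter"],) = struct.unpack_from("<I", frame, pos + 1)
        pos += 5
        if ext_nonce:
            f["ext_src"] = frame[pos:pos + 8][::-1].hex(":")  # reverse on-air byte order for display
            pos += 8
        if f["key_id"] == 1:  # network key: a key sequence number follows
            f["key_seq"], pos = frame[pos], pos + 1
        # The 3-bit level is zeroed on air; the receiver restores it from nwkSecurityLevel (0x05 = ENC-MIC-32)
        f["sec_ctrl_restored"] = (sec & 0xF8) | 0x05
    # APS header: 8 bytes for a normal unicast data frame without extended header
    aps_fcf, f["dst_ep"], f["cluster"], f["profile"], f["src_ep"], f["aps_counter"] = struct.unpack_from("<BBHHBB", frame, pos)
    if aps_fcf & 0x8F:  # frame type, delivery mode and extended-header bits must all be 0 here
        raise ValueError("only normal unicast APS data frames are handled")
    pos += 8
    # ZCL header: frame control, transaction sequence number, command id
    f["zcl_fcf"], f["zcl_tsn"], f["zcl_cmd"] = frame[pos], frame[pos + 1], frame[pos + 2]
    f["zcl_server_to_client"] = bool(f["zcl_fcf"] & 0x08)
    if f["zcl_cmd"] == 0x0A:  # Report Attributes: attribute id, data type, value
        attr_id, dtype = struct.unpack_from("<HB", frame, pos + 3)
        if dtype != 0x21:
            raise ValueError("only the uint16 (0x21) data type is decoded here")
        f["report"] = {"attr_id": attr_id, "value": struct.unpack_from("<H", frame, pos + 6)[0]}
    # Trailer: NWK MIC (when secured) followed by the 2-byte MAC FCS
    f["mic"] = frame[-2 - mic_len:-2].hex() if f["nwk_secured"] else ""
    f["fcs"] = struct.unpack_from("<H", frame, len(frame) - 2)[0]
    return f
```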