Autopsy of a ZigBee frame

Introduction

This page explains how a ZigBee frame is built. The example is based on a ZigBee frame captured from a Xiaomi home automation network. My network is composed of a Xiaomi Gateway version 2 and an Aqara wireless switch:

Xiaomi Aqara switch used for explaining ZigBee frames

The network was sniffed with an AT86RF233 for raw encrypted frames and with an NXP OM15020 USB dongle for decrypted frames, as explained on this page.

Raw frames

Our setup allows us to sniff both raw encrypted and decrypted frames. Here is the encrypted frame captured with the AT86RF233. The frame is composed of 53 bytes.

Raw encrypted frame: 61 88 64 47 24 00 00 8A 5C 48 02 00 00 8A 5C 1E 5D 28 E1 00 00 00 01 3C E8 01 00 8D 15 00 01 EA 59 DE 1F 96 0E EA 8A EE 18 5A 11 89 30 96 41 4E 05 A2 43 8A FB

Here is the same frame decrypted (53 bytes):

Raw decrypted frame: 61 88 64 47 24 00 00 8A 5C 48 02 00 00 8A 5C 1E 5D 28 E1 00 00 00 01 3C E8 01 00 8D 15 00 01 00 01 12 00 04 01 01 62 18 C3 0A 55 00 21 01 00 AC 4C 76 AF 8A FB

The network key was previously sniffed on the network:

Network key: AD 8E BB C4 F9 6A E7 00 05 06 D3 FC D1 62 7F B8

Frame overview

This frame is composed of 4 main layers (MAC, NWK, APS and ZCL) that are encapsulated according to the following diagram:

Overview of a ZigBee frame encapsulation

In the following figure, the layers have been separated for clarity:

Diagram of a ZigBee frame (MAC, NWK, APS and ZCL layers)

According to this diagram, the 53-byte decrypted frame above can be split as follows:

MAC header

The MAC (Medium Access Control) header is composed of 9 bytes (61 88 64 47 24 00 00 8A 5C), detailed as:


Frame Control: 0x8861
    ···· ···· ···· ·001 = Frame Type: [0x1] Data
    ···· ···· ···· 0··· = Security Enabled: [0x0] No
    ···· ···· ···0 ···· = Frame Pending: [0x0] No
    ···· ···· ··1· ···· = Acknowledgement Request: [0x1] Yes
    ···· ···· ·1·· ···· = Intra-PAN: [0x1] Yes
    ···· ··00 0··· ···· = Reserved: 0x0
    ···· 10·· ···· ···· = Destination Addr Mode: [0x2] 16-bit Short Address
    ··00 ···· ···· ···· = Reserved: 0x0
    10·· ···· ···· ···· = Source Addr Mode: [0x2] 16-bit Short Address
Sequence Number: 0x64 (100)
Destination PAN ID: 0x2447
Destination Address: 0x0000
Source Address: 0x5C8A

MAC payload

The MAC payload is composed of 42 bytes, which contain the NWK layer:

NWK header

The NWK (network) header is composed of 8 bytes (48 02 00 00 8A 5C 1E 5D), detailed as follows:


NWK Header: 0x5D1E5C8A00000248
    Frame Control: 0x0248
        ···· ···· ···· ··00 = Frame Type: [0x0] Data
        ···· ···· ··00 10·· = Protocol Version: [0x2] Zigbee Pro
        ···· ···· 01·· ···· = Route Discovery: [0x1] Enabled
        ···· ···0 ···· ···· = Multicast Flag: [0x0] Unicast or Broadcast
        ···· ··1· ···· ···· = Security Enabled: [0x1] Yes
        ···· ·0·· ···· ···· = Source Route Included: [0x0] No
        ···· 0··· ···· ···· = Destination IEEE Address Included: [0x0] No
        ···0 ···· ···· ···· = Source IEEE Address Included: [0x0] No
        ··0· ···· ···· ···· = End Device Initiator: [0x0] No
        00·· ···· ···· ···· = Reserved: 0x0
    Destination Address: 0x0000
    Source Address: 0x5C8A
    Radius: 0x1E
    Sequence Number: 0x5D (93)

NWK aux header

The NWK auxiliary header, or security header, is composed of 14 bytes (28 (or 2D) E1 00 00 00 01 3C E8 01 00 8D 15 00 01), detailed as follows:


NWK Aux Header: (14 bytes)
    Network Security Control: 0x28 (or 0x2D)
        ···· ·000 = Network Security Level: [0x0] None (Should be 101)
        ···0 1··· = Key NWK ID: [0x1] Network Key
        ··1· ···· = Extended Nonce: [0x1] Yes
        00·· ···· = Reserved: 0x0
    NWK Frame Counter: 0xE1 (225)
    Source Address: 00:15:8D:00:01:E8:3C:01
    NWK Key Sequence Number: 0x01 (1)

Note that the 3-bit network security level is overwritten (set to 0b000) before transmission and must be replaced with the security level from the nwkSecurityLevel attribute of the NIB (page 382 of the ZigBee specification). In the present frame, the security level should be 0x05 (0b101, ENC-MIC-32) according to page 425 of the ZigBee specification.
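To make the previous note concrete, here is an added example (my own code, not taken from the original page or from any tool it mentions) that restores the security level in the auxiliary header and derives from the encrypted frame above the inputs that an AES-CCM* implementation needs: the 13-byte nonce (source IEEE address, frame counter and patched security control, all in on-air byte order), the authenticated data (NWK header plus patched auxiliary header), the ciphertext and the MIC. The offsets assume the layout dissected on this page (9-byte MAC header, 8-byte NWK header, 14-byte auxiliary header with extended nonce and key sequence number, 4-byte MIC, 2-byte FCS), the function names are mine, and the optional decryption step assumes the third-party cryptography package is installed.

```python
# Added example, not from the original page: restore the NWK security
# level and derive the CCM* inputs from the encrypted frame quoted above.
# Offsets assume the layout dissected on this page: 9-byte MAC header,
# 8-byte NWK header, 14-byte auxiliary header (extended nonce + key
# sequence number), 4-byte MIC (ENC-MIC-32) and 2-byte FCS.
MAC_HDR_LEN, NWK_HDR_LEN, AUX_HDR_LEN, MIC_LEN, FCS_LEN = 9, 8, 14, 4, 2
NWK_SECURITY_LEVEL = 0x05  # ENC-MIC-32, the nwkSecurityLevel value from the NIB

# Frame and network key exactly as quoted on this page
ENCRYPTED_FRAME = bytes.fromhex(
    "61 88 64 47 24 00 00 8A 5C 48 02 00 00 8A 5C 1E 5D 28 E1 00 00 00 01 3C E8 "
    "01 00 8D 15 00 01 EA 59 DE 1F 96 0E EA 8A EE 18 5A 11 89 30 96 41 4E 05 A2 43 8A FB"
)
NETWORK_KEY = bytes.fromhex("AD 8E BB C4 F9 6A E7 00 05 06 D3 FC D1 62 7F B8")


def restore_security_control(control, level=NWK_SECURITY_LEVEL):
    """The 3 low bits of the security control byte are zeroed on the air;
    write the configured level back (0x28 -> 0x2D for level 5)."""
    return (control & 0xF8) | (level & 0x07)


def ccm_inputs(frame, level=NWK_SECURITY_LEVEL):
    """Split an NWK-secured frame into what AES-CCM* needs to verify and decrypt it."""
    nwk_start = MAC_HDR_LEN
    aux_start = nwk_start + NWK_HDR_LEN
    payload_start = aux_start + AUX_HDR_LEN
    mic_start = len(frame) - FCS_LEN - MIC_LEN

    aux = bytearray(frame[aux_start:payload_start])
    aux[0] = restore_security_control(aux[0], level)
    frame_counter = bytes(aux[1:5])   # little-endian, as transmitted
    source_ieee = bytes(aux[5:13])    # little-endian, as transmitted

    # CCM* nonce (13 bytes): source IEEE address || frame counter || security control
    nonce = source_ieee + frame_counter + bytes([aux[0]])
    # Data that is authenticated but not encrypted: NWK header + patched aux header
    aad = frame[nwk_start:aux_start] + bytes(aux)
    ciphertext = frame[payload_start:mic_start]
    mic = frame[mic_start:mic_start + MIC_LEN]
    return nonce, aad, ciphertext, mic


def decrypt_nwk_payload(frame, key=NETWORK_KEY, level=NWK_SECURITY_LEVEL):
    """Verify the MIC and decrypt the NWK payload with AES-128 CCM*.
    Uses the third-party `cryptography` package (assumed installed); with a
    4-byte MIC, CCM* is plain CCM with tag_length=4. Raises InvalidTag when
    the MIC does not verify (wrong key, wrong level or a modified frame)."""
    from cryptography.hazmat.primitives.ciphers.aead import AESCCM
    nonce, aad, ciphertext, mic = ccm_inputs(frame, level)
    return AESCCM(key, tag_length=MIC_LEN).decrypt(nonce, ciphertext + mic, aad)


if __name__ == "__main__":
    nonce, aad, ciphertext, mic = ccm_inputs(ENCRYPTED_FRAME)
    print("nonce     :", nonce.hex(" ").upper())
    print("aad       :", aad.hex(" ").upper())
    print("ciphertext:", ciphertext.hex(" ").upper())
    print("mic       :", mic.hex(" ").upper())
    # Compare the output with the decrypted NWK payload quoted on this page
    print("plaintext :", decrypt_nwk_payload(ENCRYPTED_FRAME).hex(" ").upper())
```

The patched control byte goes both into the nonce and into the authenticated data, so forgetting to restore the level (or restoring the wrong one) makes the MIC check fail even with the right key; that is the practical consequence of the note above.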

NWK payload

The NWK payload is composed of 16 bytes (00 01 12 00 04 01 01 62 18 C3 0A 55 00 21 01 00), which encapsulate the APS layer (Application Support sub-layer):

APS header


APS Header: 0x6201010400120100
    Frame Control: 0x00
        ···· ··00 = Frame Type: [0x0] Data
        ···· 00·· = Delivery Mode: [0x0] Normal Unicast Delivery
        ···0 ···· = Acknowledgement Format: 0x0
            Format: [0x0] Data Frame
        ··0· ···· = Security Enabled: [0x0] No
        ·0·· ···· = Acknowledgement Request: 0x0
            Request: [0x0] No
        0··· ···· = Extended Header Present: [0x0] No
    Destination Endpoint: 0x01
    Cluster ID: [0x0012] General: Multistate Input (Basic)
    Profile ID: [0x0104] Zigbee Home Automation
    Source Endpoint: 0x01
    APS Counter: 0x62 (98)

APS payload

The APS payload is composed of 8 bytes (18 C3 0A 55 00 21 01 00):

ZCL header

ZCL Header: 0x0AC318
    Frame Control: 0x18
        ···· ··00 = Frame Type: [0x0] Command Acts Across the Entire Profile
        ···· ·0·· = Manufacturer Specific: [0x0] Manufacturer Code Not Included in the ZCL Frame
        ···· 1··· = Direction: [0x1] From Server to Client
        ···1 ···· = Disable Default Response: [0x1] Yes
        000· ···· = Reserved: 0x0
    Transaction Sequence Number: 195
    Command ID: 0x0A
        General Command Frame: [0x0A] Report Attributes

ZCL payload

ZCL Payload: 0x0001210055
    Attributes 0: 0x0001210055
        Attribute ID: [0x0055] Present Value
        Data Type: [0x21] Unsigned 16-bit Integer
        Data: 0x0001
            Value: [1] Yes

NWK MIC

The message integrity code (MIC) is used to check the frame integrity; its size (4 bytes here) is set by the security level (ENC-MIC-32):


NWK MIC: 0xAC4C76AF

MAC Footer


MAC Footer: 0xFB8A
    Frame Check Sequence: 0xFB8A
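As an added example (my own code, not from the original page), the dissection above can be reproduced with a small standard-library parser over the 53-byte decrypted frame. It walks the MAC, NWK, auxiliary, APS and ZCL layers with the offsets used on this page and decodes the Report Attributes payload. It assumes the addressing modes and options seen here (16-bit short addresses, extended nonce, network key, no APS extended header) and only a few ZCL data types; other frame layouts would need more cases.

```python
# Added example, not from the original page: dissector for the decrypted
# frame quoted above. Assumes 16-bit MAC/NWK short addresses, an auxiliary
# header with extended nonce and network key, and no APS extended header.
import struct

# Decrypted frame exactly as quoted on this page
DECRYPTED_FRAME = bytes.fromhex(
    "61 88 64 47 24 00 00 8A 5C 48 02 00 00 8A 5C 1E 5D 28 E1 00 00 00 01 3C E8 "
    "01 00 8D 15 00 01 00 01 12 00 04 01 01 62 18 C3 0A 55 00 21 01 00 AC 4C 76 AF 8A FB"
)


def bits(value, shift, width):
    """Extract `width` bits of `value` starting at bit `shift` (LSB = 0)."""
    return (value >> shift) & ((1 << width) - 1)


def parse_mac_header(frame):
    fc, seq, pan, dst, src = struct.unpack_from("<HBHHH", frame, 0)
    return {"frame_type": bits(fc, 0, 3),        # 1 = data
            "security_enabled": bits(fc, 3, 1),
            "ack_request": bits(fc, 5, 1),
            "intra_pan": bits(fc, 6, 1),
            "dst_addr_mode": bits(fc, 10, 2),    # 2 = 16-bit short address
            "src_addr_mode": bits(fc, 14, 2),
            "seq": seq, "dst_pan": pan, "dst": dst, "src": src}, 9


def parse_nwk_header(frame, off):
    fc, dst, src, radius, seq = struct.unpack_from("<HHHBB", frame, off)
    return {"frame_type": bits(fc, 0, 2),
            "protocol_version": bits(fc, 2, 4),  # 2 = ZigBee PRO
            "discover_route": bits(fc, 6, 2),
            "security_enabled": bits(fc, 9, 1),
            "dst": dst, "src": src, "radius": radius, "seq": seq}, off + 8


def parse_nwk_aux_header(frame, off):
    control = frame[off]
    counter = struct.unpack_from("<I", frame, off + 1)[0]
    ieee = frame[off + 5:off + 13]               # little-endian on the air
    return {"security_level": bits(control, 0, 3),  # zeroed on the air
            "key_id": bits(control, 3, 2),          # 1 = network key
            "extended_nonce": bits(control, 5, 1),
            "frame_counter": counter,
            "source_ieee": ":".join("%02X" % b for b in reversed(ieee)),
            "key_seq": frame[off + 13]}, off + 14


def parse_aps_header(frame, off):
    fc, dst_ep, cluster, profile, src_ep, counter = struct.unpack_from("<BBHHBB", frame, off)
    return {"frame_type": bits(fc, 0, 2), "delivery_mode": bits(fc, 2, 2),
            "security_enabled": bits(fc, 5, 1), "ack_request": bits(fc, 6, 1),
            "dst_endpoint": dst_ep, "cluster": cluster, "profile": profile,
            "src_endpoint": src_ep, "counter": counter}, off + 8


def parse_zcl(frame, off, end):
    fc, tsn, cmd = struct.unpack_from("<BBB", frame, off)
    zcl = {"frame_type": bits(fc, 0, 2), "manufacturer_specific": bits(fc, 2, 1),
           "direction": bits(fc, 3, 1), "disable_default_response": bits(fc, 4, 1),
           "tsn": tsn, "command": cmd, "attributes": []}
    pos = off + 3
    if cmd == 0x0A:  # Report Attributes: repeated (attribute id, data type, value)
        while pos < end:
            attr_id, dtype = struct.unpack_from("<HB", frame, pos)
            pos += 3
            if dtype == 0x21:                 # unsigned 16-bit integer
                value = struct.unpack_from("<H", frame, pos)[0]
                pos += 2
            elif dtype in (0x10, 0x20):       # boolean / unsigned 8-bit integer
                value = frame[pos]
                pos += 1
            else:
                raise ValueError("unsupported ZCL data type 0x%02X" % dtype)
            zcl["attributes"].append((attr_id, dtype, value))
    return zcl


def dissect(frame):
    """Return the parsed layers of a decrypted frame (MIC and FCS excluded from ZCL)."""
    mac, off = parse_mac_header(frame)
    nwk, off = parse_nwk_header(frame, off)
    aux, off = parse_nwk_aux_header(frame, off)
    aps, off = parse_aps_header(frame, off)
    mic_off = len(frame) - 2 - 4              # 2-byte FCS, 4-byte MIC
    return {"mac": mac, "nwk": nwk, "aux": aux, "aps": aps,
            "zcl": parse_zcl(frame, off, mic_off),
            "mic": frame[mic_off:mic_off + 4].hex().upper(),
            "fcs": struct.unpack_from("<H", frame, mic_off + 4)[0]}


if __name__ == "__main__":
    for layer, fields in dissect(DECRYPTED_FRAME).items():
        print(layer, fields)
```

Every multi-byte field is read little-endian (the `<` in the struct formats), which is why the Frame Control 61 88 on the air reads as 0x8861 and the FCS 8A FB as 0xFB8A in the dissection above; the IEEE address is reversed for display only.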

Last update : 02/18/2021