ZigBee sniffer

Introduction

This page presents a ZigBee sniffer for listening to communication between ZigBee or IEEE 802.15.4 modules. The procedure below was performed with the following software:

Hardware

I bought a 5€ USB dongle on eBay. I am not sure it is an original, but it does the job. The original device is an OM15020 JN5169 USB Dongle manufactured by NXP. More details about the device on this page.

Overview of the NXP OM15020 USB DONGLE, JN5169 module

You should be able to buy this USB dongle via one of these links:

Plug the hardware into a USB port; a new COM port appears in Windows. Check the COM port number and keep it for later. In my case, it was COM4.

Re-programming

The official documentation says the device supplied in the pack is pre-programmed as an IEEE 802.15.4 packet sniffer. The device I received was not programmed, so I had to manually upload the packet sniffer. By the way, this is why I assume mine was not an original.

Flash programmer

Since the device is based on the JN5169 manufactured by NXP, NXP provides tools for programming the device. The relevant package is JN-SW-4107, the JN51xx Production Flash Programmer, which can be downloaded on this page or with the following link:

Unzip the file and install the software. Check the path where the software is installed. Launch a command line console and change directory to the installation folder, in my case:

$ cd C:\NXP\ProductionFlashProgrammer

Once in the programmer directory, you can check whether the programmer finds your COM port with the following command:

$ JN51xxProgrammer.exe -l

Backup current firmware

As a precaution, I recommend backing up the current firmware. As explained in the flash programmer user guide, the following command uses the -F option to save the contents of the Flash memory of the JN5169 device on the serial connection specified using the -s option:

$ JN51xxProgrammer.exe -s COM4 -F flash.bin

The following command uses the -E option to save the contents of the EEPROM of the JN5169 device on the serial connection specified using the -s option:

$ JN51xxProgrammer.exe -s COM4 -E eeprom.bin

These commands generate two binary files. Keep the files if you want to restore the original firmware.

Programming

NXP provides an SDK for the JN5169 (JN-SW-4163). This SDK includes the sniffer firmware. You can download the SDK on the NXP website or the binary on the following link:

Copy the binary into the programmer folder. The following command flashes the USB dongle with the ZigBee sniffer firmware:

$ JN51xxProgrammer.exe -s COM4 -f JennicSniffer_JN5169_1000000_HP.bin

It's not mandatory, but you can erase the EEPROM with the following command:

$ JN51xxProgrammer.exe -s COM4 --eraseeeprom=full

Once the device is programmed, the red LED should blink. The device is ready.
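
The backup and programming steps above combined into one PowerShell script, as an added example that is not part of the original page or of NXP's tooling: it flashes only after both backups exist and are non-empty, and it records SHA-256 hashes of the backups and of the firmware image. It assumes the programmer returns a non-zero exit code on failure and is run from the folder containing the firmware binary; $SdkCopy and the manifest file name are hypothetical.

```powershell
# Added example: verified backup before flashing the sniffer firmware.
$ErrorActionPreference = 'Stop'
$Programmer = 'C:\NXP\ProductionFlashProgrammer\JN51xxProgrammer.exe'  # install path used on this page
$Port       = 'COM4'                                    # adjust to your COM port
$Firmware   = 'JennicSniffer_JN5169_1000000_HP.bin'
$SdkCopy    = ''   # hypothetical: path to the same file extracted from the NXP SDK, if you have it
$BackupDir  = Join-Path $PWD ('backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))

function Invoke-Programmer {
    param([string[]]$Arguments)
    & $Programmer @Arguments | Out-Host                 # show tool output, keep it out of return values
    if ($LASTEXITCODE -ne 0) {                          # assumption: non-zero exit code means failure
        throw "JN51xxProgrammer.exe failed (exit $LASTEXITCODE): $($Arguments -join ' ')"
    }
}

function Save-Region {
    param([string]$Option, [string]$Path)
    Invoke-Programmer -Arguments '-s', $Port, $Option, $Path
    $file = Get-Item -LiteralPath $Path                 # throws if the dump was not written
    if ($file.Length -eq 0) { throw "Backup $Path is empty" }
    Get-FileHash -LiteralPath $Path -Algorithm SHA256
}

if (-not (Test-Path -LiteralPath $Firmware)) { throw "Firmware image not found: $Firmware" }
$fwHash = Get-FileHash -LiteralPath $Firmware -Algorithm SHA256

# If the binary came from a direct link, compare it with the copy shipped in the SDK.
if ($SdkCopy) {
    $sdkHash = Get-FileHash -LiteralPath $SdkCopy -Algorithm SHA256
    if ($sdkHash.Hash -ne $fwHash.Hash) { throw 'Firmware image differs from the SDK copy' }
}

New-Item -ItemType Directory -Path $BackupDir | Out-Null
$hashes = @(
    Save-Region -Option '-F' -Path (Join-Path $BackupDir 'flash.bin')    # Flash dump
    Save-Region -Option '-E' -Path (Join-Path $BackupDir 'eeprom.bin')   # EEPROM dump
    $fwHash
)

# Keep a manifest next to the backups so a later restore can be checked against it.
$hashes | Select-Object Algorithm, Hash, Path |
    Export-Csv -Path (Join-Path $BackupDir 'hashes.csv') -NoTypeInformation

# Reached only if both backups succeeded.
Invoke-Programmer -Arguments '-s', $Port, '-f', $Firmware
```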

Software

To analyse ZigBee data, I used the Ubiqua protocol analyser from Ubilogix. This software is not free, but Ubilogix offers a free 21-day evaluation license. This license lets you decode up to 1,000 packets per capture session. Install the software, plug in the USB dongle and launch the application.

In the device manager window, click on Add Device. A pop-up window appears. Select your COM port and the NXP JN51xx application:

Configure the USB dongle in Ubiqua protocol analyser

Once the device appears in your device list, turn the device on. If there is ZigBee traffic in the air, the frames should be reported in the main window:

ZigBee traffic recorded by the ZigBee sniffer

Enjoy!

Last update : 10/12/2021