
Building zigbee packets


Can someone point me to a doc or site with information about how to build the encrypted section(s) of a zigbee packet? I'm looking at the output of a zigbee sensor system and I can see where most of the 'data' packets are being produced, but there is a section called NWK Payload that is encrypted. I've watched the whole sequence of the connection with the 'base station' and I don't see where any sort of encryption key is being passed.

(screenshot of the packet analyzer output)

This shows the section I'm referring to. The packet analyzer has figured out the rest.

Long term goal is to build these packets and use the sensors separately from the 'base station'. To do that I need to be able to replicate the whole communication cycle.


Solution

  • In Zigbee there are two keys used for encryption: the Link Key and the Network Key. The Link Key is used during the network association process, and the Network Key is used to encrypt all traffic once the device is "associated" (also referred to as "joined") to the network.

    If the device is HA (Home Automation), the security handshake goes something like:

    1. Joining Device sends Association Request to the Trust Center (usually address 0x000)
    2. Trust Center responds to joining device with a NWK Key packet. The contents of this packet are encrypted using the well known Home Automation Link Key.

    You should be able to decrypt the NWK Key packet if you know the Link Key. I'm pretty sure I can't post the key (sorry), but you can probably find it online.

    As for the actual encryption algorithm, that's defined in the main Zigbee Specification, which I believe you have to be a member to gain access to. There are a few open source Zigbee stacks, though: ZBoss and FreakZ.

    You might also look at Wireshark, I believe they have a decent Zigbee packet decoder though I haven't used it personally.
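Added example, not from the question or the answer above: a small Python parser for the auxiliary security header that sits at the start of the encrypted NWK payload. It shows why no key ever appears in the capture: the frame carries only a key identifier (link, network, key-transport or key-load key), a frame counter and the source address, from which the receiver rebuilds the CCM* nonce and looks up the key it already holds. The field layout and nonce construction follow the Zigbee specification rather than anything on this page, and the sample bytes are constructed, not a real capture.

```python
import struct

# Key identifier sub-field of the security control byte: which key secured the frame.
KEY_IDS = {0: "link (data) key", 1: "network key", 2: "key-transport key", 3: "key-load key"}
# Security level -> MIC length in bytes; levels 4..7 also encrypt the payload.
MIC_LEN = {0: 0, 1: 4, 2: 8, 3: 16, 4: 0, 5: 4, 6: 8, 7: 16}

def parse_aux_header(buf: bytes, network_level: int = 5) -> dict:
    """Parse the auxiliary security header of a secured NWK payload. The level bits
    are sent as 000; the receiver substitutes its configured nwkSecurityLevel (usually 5)."""
    ctrl = buf[0]
    level = (ctrl & 0x07) or network_level
    key_id = (ctrl >> 3) & 0x03
    has_ext_nonce = bool((ctrl >> 5) & 0x01)
    frame_counter = struct.unpack_from("<I", buf, 1)[0]
    off = 5
    ext_source = None
    if has_ext_nonce:                      # 64-bit IEEE source address, little-endian
        ext_source = struct.unpack_from("<Q", buf, off)[0]
        off += 8
    key_seq = None
    if key_id == 1:                        # network-key frames carry the key sequence number
        key_seq = buf[off]
        off += 1
    return {"control": ctrl, "level": level, "key_id": key_id, "key": KEY_IDS[key_id],
            "frame_counter": frame_counter, "ext_source": ext_source,
            "key_seq": key_seq, "header_len": off, "mic_len": MIC_LEN[level]}

def ccm_nonce(hdr: dict, source_addr=None) -> bytes:
    """13-byte CCM* nonce = source IEEE address || frame counter || security control,
    all little-endian, with the real security level written back into the control byte."""
    src = hdr["ext_source"] if hdr["ext_source"] is not None else source_addr
    if src is None:
        raise ValueError("extended source address needed to build the nonce")
    ctrl = (hdr["control"] & 0xF8) | hdr["level"]
    return struct.pack("<QIB", src, hdr["frame_counter"], ctrl)

def split_secured_payload(buf: bytes, network_level: int = 5):
    """Return (header, ciphertext, mic); the key itself is never on the wire."""
    hdr = parse_aux_header(buf, network_level)
    body = buf[hdr["header_len"]:]
    cut = len(body) - hdr["mic_len"]
    return hdr, body[:cut], body[cut:]

# Constructed sample, not a real capture: frame secured with the network key, frame
# counter 42, source 08:07:06:05:04:03:02:01, key sequence 0, 6 ciphertext bytes, 4-byte MIC.
SAMPLE_SECURED_PAYLOAD = bytes.fromhex(
    "28" "2a000000" "0102030405060708" "00" "deadbeefcafe" "11223344")
```

The `key` field tells you which of the two keys from the answer a given frame uses, and the nonce is what the AES-CCM* decryption in a tool such as Wireshark is seeded with once that key is configured.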