Zigbee CC2531 USB Dongle and Intruder Alarm System - zigbee

I have a problem with my CC2531 USB Dongle. I use it as a Zigbee coordinator. I can see all the devices inside my PAN, but IAS zones are not communicating with it. When I change the state of a contact switch or motion sensor, I don't get data in my gateway app. But I have an IAS remote controller, and in my gateway application I get data on the TCP port when I click a remote controller button. I read something about an Enrollment function on the coordinator, but I don't really understand what it means. I guess the problem is that I don't have an IAS CIE and I need my CC2531 to act like one.
Does anyone have an idea what to do? Do I need to flash other firmware or change something in config files? I am quite new to this, so I don't really know what is important; if you need some additional info, please ask.

IAS devices work slightly differently than other Zigbee devices in that they are "locked" to a CIE node. This basically means that commissioning IAS devices requires the following steps:
1. Write your USB dongle's IEEE/MAC address to the IAS CIE attribute on the device.
2. If the device is "trip to pair", trip the sensor and it will send in a ZoneEnrollRequest message, to which you respond with a ZoneEnrollResponse with a status of SUCCESS.
3. If the device does not require "trip to pair", you can just directly send a ZoneEnrollResponse message after writing the IAS CIE attribute.
Out of curiosity, which brand of sensors are you testing with?
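The three enrollment steps above, worked through as raw Zigbee Cluster Library (ZCL) payloads for the IAS Zone cluster (0x0500). This is an added example, not code from the original post or from any CC2531 firmware or gateway project: it builds the Write Attributes frame for IAS_CIE_Address (attribute 0x0010, IEEE address type 0xF0), answers a Zone Enroll Request with a Zone Enroll Response carrying SUCCESS and a zone ID, and decodes the Zone Status Change Notification that a contact switch or motion sensor sends once enrolled. Constants and field layouts follow the ZCL specification; the coordinator IEEE address, the sensor's manufacturer code and the captured frames are constructed sample values. How the payloads are carried over APS/NWK (Z-Stack serial API, zigpy, etc.) depends on your stack and is not shown.

```python
import struct

# ZCL constants for the IAS Zone cluster (from the ZCL specification)
IAS_ZONE_CLUSTER = 0x0500
ATTR_IAS_CIE_ADDRESS = 0x0010           # IEEE address of the CIE
ZCL_TYPE_IEEE_ADDR = 0xF0
GLOBAL_WRITE_ATTRIBUTES = 0x02          # profile-wide (global) command id
ZONE_ENROLL_RESPONSE = 0x00             # client -> server, cluster-specific
ZONE_STATUS_CHANGE_NOTIFICATION = 0x00  # server -> client, cluster-specific
ZONE_ENROLL_REQUEST = 0x01              # server -> client, cluster-specific
ENROLL_SUCCESS = 0x00
ZONE_STATUS_ALARM1 = 0x0001             # ZoneStatus bit 0
ZONE_STATUS_TAMPER = 0x0004             # ZoneStatus bit 2


def zcl_header(cluster_specific, server_to_client, seq, cmd):
    """ZCL header: frame control, transaction sequence number (TSN), command id."""
    fc = 0x01 if cluster_specific else 0x00   # bits 0-1: frame type
    if server_to_client:
        fc |= 0x08                            # bit 3: direction
    return bytes([fc, seq & 0xFF, cmd & 0xFF])


def parse_zcl(frame):
    """Split a ZCL frame into header fields and payload (handles manufacturer-specific frames)."""
    fc = frame[0]
    off = 1
    manuf = None
    if fc & 0x04:                             # bit 2: manufacturer-specific -> 2-byte code follows
        manuf = struct.unpack_from("<H", frame, off)[0]
        off += 2
    return {
        "cluster_specific": (fc & 0x03) == 0x01,
        "server_to_client": bool(fc & 0x08),
        "manufacturer": manuf,
        "seq": frame[off],
        "cmd": frame[off + 1],
        "payload": bytes(frame[off + 2:]),
    }


def build_write_cie_address(seq, coordinator_ieee):
    """Step 1: Write Attributes record for IAS_CIE_Address (all multi-byte fields little-endian)."""
    record = struct.pack("<HBQ", ATTR_IAS_CIE_ADDRESS, ZCL_TYPE_IEEE_ADDR, coordinator_ieee)
    return zcl_header(False, False, seq, GLOBAL_WRITE_ATTRIBUTES) + record


def build_zone_enroll_response(seq, zone_id, code=ENROLL_SUCCESS):
    """Steps 2/3: Zone Enroll Response = enroll response code + zone id."""
    return zcl_header(True, False, seq, ZONE_ENROLL_RESPONSE) + bytes([code, zone_id & 0xFF])


def handle_zone_enroll_request(frame, zone_id):
    """Step 2 ("trip to pair"): on a Zone Enroll Request, answer SUCCESS reusing the request's TSN.
    Returns (zone_type, manufacturer_code, response_frame), or None for any other frame."""
    hdr = parse_zcl(frame)
    if not (hdr["cluster_specific"] and hdr["server_to_client"] and hdr["cmd"] == ZONE_ENROLL_REQUEST):
        return None
    zone_type, manuf = struct.unpack_from("<HH", hdr["payload"], 0)
    return zone_type, manuf, build_zone_enroll_response(hdr["seq"], zone_id)


def parse_zone_status_change(frame):
    """What the gateway should see after enrollment: Zone Status Change Notification.
    Zone ID and Delay were added in later ZCL revisions, so older devices may omit them."""
    hdr = parse_zcl(frame)
    if not (hdr["cluster_specific"] and hdr["server_to_client"]
            and hdr["cmd"] == ZONE_STATUS_CHANGE_NOTIFICATION):
        return None
    p = hdr["payload"]
    status, extended = struct.unpack_from("<HB", p, 0)
    zone_id = p[3] if len(p) > 3 else None
    delay = struct.unpack_from("<H", p, 4)[0] if len(p) >= 6 else None
    return {"alarm1": bool(status & ZONE_STATUS_ALARM1),
            "tamper": bool(status & ZONE_STATUS_TAMPER),
            "extended_status": extended, "zone_id": zone_id, "delay": delay}


if __name__ == "__main__":
    COORDINATOR_IEEE = 0x00124B0001A2B3C4  # constructed sample value, not a real dongle address
    print("write CIE addr :", build_write_cie_address(1, COORDINATOR_IEEE).hex())
    # Constructed Zone Enroll Request: zone type 0x0015 (contact switch), manufacturer code 0x1234
    request = bytes.fromhex("092a0115003412")
    zone_type, manuf, response = handle_zone_enroll_request(request, zone_id=1)
    print("enroll request :", hex(zone_type), hex(manuf), "-> response", response.hex())
    # Constructed notification: alarm1 set, zone 1, delay 0
    print("status change  :", parse_zone_status_change(bytes.fromhex("092b00010000010000")))
```

If the sensor still sends nothing after the CIE address is written, check the write response (status 0x00) before waiting for an enroll request; a rejected write is the most common reason the enrollment never starts.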

Related

Is there a way to broadcast UDP packets with ESP8266 without wifi connection?

My question is regarding an ESP8266 board and the ESP-touch technology.
ESP-touch uses the length field of a UDP packet to broadcast the wifi ID and PW from a device (like a smartphone) to the chip (like, in my case, an ESP8266).
I want to turn this around, more specifically:
I want the ESP8266 chip to broadcast UDP packets with some sort of identifier number in the length field of the UDP packet, without being connected to any wifi network. Then these UDP packets are received by an app on a smartphone so the identifier number can be extracted and used on the smartphone.
I am relatively new to this topic and do not know if this can work.
When I try to find any information online, they all say that the first step is to connect the chip to a wifi. But I don't want that. The smartphone and the chip don't know each other and are not connected in any way. So I want this type of "broadcasting" so that the smartphone can receive the packet without really being connected to the chip.
I guess there must be some way to make it function like I explained above, but I can't find a way how this can work.
I don't need the chip to send UDP packets explicitly; it can be any type of packet. I took the UDP packet as an example because there is already the ESP-touch technology, which is more or less similar.
The important thing is that the packet I send has a field where I can put some identifier number (not encrypted), which can then be received by another device like a smartphone, where this identifier number is extracted.
For clarification: I don't need to use ESP-touch or anything related to that. I only stated this technology as an example. I just want to achieve the behavior stated above and in the picture! :)
This is an example picture how I want it to work:
No, it's not possible to send any packets without being connected to the network. ESP-touch, TI Smart Config and similar technologies utilize monitor mode. As the name suggests, in this mode one can listen for packets, but can't send them.
ESP-NOW provides data flow between ESP devices without connections via a router. It is another feature of the Espressif API. There are tutorials for ESP8266 and ESP32:
https://randomnerdtutorials.com/esp-now-esp8266-nodemcu-arduino-ide/
https://www.instructables.com/ESP32-With-ESP-Now-Protocol/

Does running the HM-10 on a soft-serial enable the Low Energy characteristics? If so, how can the UUIDs and GATT profiles be tweaked in this case?

I've been tinkering with the HM-10 board for a few weeks now, trying to push data from phone to module and vice versa. The ultimate goal was to enable the BLE mode and tweak the characteristics and GATT profiles. I'm pretty new to this domain, so can anyone help me out?
And is there any way we can interface the HM-10 with the hardware RX/TX channel instead of soft-serial?
Your question is still not very clear, but I think you mean sending AT commands over the BLE radio.
To make this possible you have to change the MODE using serial connection.
In standard mode the device can only be configured over the serial connection (pins RXD and TXD) using AT commands.
AT+MODE0: It only accepts AT commands over the serial connection (RXD/TXD) until a central device connects to the module.
AT+MODE1: Same as MODE0; once a connection is established, AT commands can be sent over BLE and manipulate some PIO pins on the device.
AT+MODE2: Same as MODE0; once a connection is established, AT commands can be sent over BLE.
To test it, just send the string "AT\r\n" to the HM-10 and it will respond with OK.
Update:
You cannot change the services and characteristics with AT commands.
There are a lot of other things you can change, like advertising, setting up a beacon and changing a lot of settings.
For a full list of AT commands and more, see the official data sheet:
http://www.jnhuamao.cn/bluetooth41_en.zip

How to spoof individual BLE packets

I'm doing a security analysis project on an IoT device that uses an unencrypted BLE connection (with ATT protocol) and I want to spoof an individual BLE packet with the source address of an already connected device. Is there some tool or API that would allow me to do this easily? I've already tried gatttool and spooftooph but they seem to be connection based and don't allow you to send out single packets with modified fields (as far as I could tell).
You will need some hardware where you can access the radio peripheral directly. What you basically need to do is find or write a BLE sniffer firmware, with the modification that at a given moment it sends a packet on the connection it is currently listening to. But note that the signal strength must be stronger than the original device's signal so it doesn't interfere.
The only open source project I'm aware of is Ubertooth. You will also be able to do this with an nRF52, but then you need to write your own sniffer firmware since Nordic Semiconductor's is closed source.
I can't comment on Emil's reply yet, < 50 rep:
Nordic Semi's nRF Sniffer v2 needs only the nRF52 DK and Wireshark to work as a general BLE sniffer. At $40 it's not that expensive. I know for a fact they will release a new dongle soon that will sell for ~10-15 bucks if you can wait a month or two.

Zigbee sniffing using killerbee channel detecting error

I configured two Digi XBee S1 modules with the same channel and PAN ID, both as end devices. Communication happens perfectly between these modules.
The problem is when I use the RZUSBstick with KillerBee firmware to look for all the available PAN IDs and channels.
Using zbstumbler, it didn't detect any PAN ID on my channel.
When I enable verbose mode I get
"Received frame is not a beacon (FCF=6188).
Received frame."
I tried with a different channel, PAN ID and Destination/MY address. Still the same.
Is it a problem with the module, the configuration or something else?
XBee Series 1 modules are 802.15.4 only, and don't implement the ZigBee protocol. Make sure your sniffing tools are only looking at 802.15.4 frames, and not assuming they're ZigBee. It's even possible that the XBee modules are using a proprietary protocol on top of 802.15.4 for their features like Remote AT Commands and Transparent Serial Data.
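The "Received frame is not a beacon (FCF=6188)" message can be checked by hand: the two bytes shown are the IEEE 802.15.4 frame control field in wire order, and decoding them tells you what zbstumbler actually saw. The decoder below is an added example, not KillerBee code or anything from the original thread; the bit layout follows the IEEE 802.15.4 MAC header, and the three sample frames (a data frame carrying the FCF from the question, a beacon, and a beacon request) are constructed, with the trailing FCS omitted. The PAN discovery step only learns a PAN ID from beacons, so a plain 802.15.4 data frame between two XBee S1 modules is correctly ignored.

```python
import struct

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}
ADDR_MODES = {0: "none", 2: "short", 3: "extended"}   # mode 1 is reserved


def parse_fcf(raw):
    """Decode the 2-byte 802.15.4 frame control field as it appears on the wire (little-endian)."""
    if len(raw) < 2:
        raise ValueError("need at least 2 bytes")
    fcf = struct.unpack_from("<H", raw, 0)[0]
    return {
        "fcf": fcf,
        "frame_type": FRAME_TYPES.get(fcf & 0x0007, "reserved"),
        "security": bool(fcf & 0x0008),
        "frame_pending": bool(fcf & 0x0010),
        "ack_request": bool(fcf & 0x0020),
        "pan_id_compression": bool(fcf & 0x0040),
        "dest_addr_mode": (fcf >> 10) & 0x3,
        "frame_version": (fcf >> 12) & 0x3,
        "src_addr_mode": (fcf >> 14) & 0x3,
    }


def parse_mac_header(raw):
    """Decode FCF, sequence number and addressing fields; 'payload' is everything after the header.
    The FCS (last 2 bytes on air) is assumed to have been stripped already."""
    f = parse_fcf(raw)
    f["seq"] = raw[2]
    off = 3
    dest_pan = dest = src_pan = src = None
    dm, sm = f["dest_addr_mode"], f["src_addr_mode"]
    if dm in (2, 3):
        dest_pan = struct.unpack_from("<H", raw, off)[0]
        off += 2
        dest, off = _read_addr(raw, off, dm)
    if sm in (2, 3):
        if f["pan_id_compression"] and dm in (2, 3):
            src_pan = dest_pan                   # source PAN ID omitted, same as destination
        else:
            src_pan = struct.unpack_from("<H", raw, off)[0]
            off += 2
        src, off = _read_addr(raw, off, sm)
    f.update(dest_pan=dest_pan, dest=dest, src_pan=src_pan, src=src, payload=bytes(raw[off:]))
    return f


def _read_addr(raw, off, mode):
    if mode == 2:
        return struct.unpack_from("<H", raw, off)[0], off + 2
    return struct.unpack_from("<Q", raw, off)[0], off + 8


def is_beacon(raw):
    return parse_fcf(raw)["frame_type"] == "beacon"


def pan_id_from_beacon(raw):
    """What a PAN scanner learns from a frame: the source PAN ID of a beacon, nothing otherwise."""
    f = parse_mac_header(raw)
    return f["src_pan"] if f["frame_type"] == "beacon" else None


if __name__ == "__main__":
    # Constructed: FCF 61 88 from the question, seq 5, PAN 0x1234, 0x0002 -> 0x0001, payload "hello"
    data_frame = bytes.fromhex("618805341201000200") + b"hello"
    # Constructed: beacon from PAN 0x1234 coordinator 0x0000, superframe spec 0xCFFF, no GTS/pending
    beacon_frame = bytes.fromhex("00800134120000ffcf0000")
    # Constructed: beacon request (MAC command 0x07) to broadcast PAN/address, as a scanner sends
    beacon_request = bytes.fromhex("030801ffffffff07")
    for name, frame in (("data", data_frame), ("beacon", beacon_frame), ("beacon-req", beacon_request)):
        h = parse_mac_header(frame)
        print(f"{name:10s} type={h['frame_type']:12s} dest_pan={h['dest_pan']} src_pan={h['src_pan']}"
              f" pan_from_beacon={pan_id_from_beacon(frame)}")
```

Decoding 61 88 gives frame type 1 (data) with acknowledgement requested, PAN ID compression and 16-bit addresses on both sides; that is ordinary XBee S1 traffic, so the scanner's "not a beacon" is accurate rather than a fault in the stick. To see the modules' PAN ID, capture a beacon response (send a beacon request on the channel, or watch for the coordinator's beacons) instead of their data frames.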

Check for Serial Port GSM Modem Connection status

I have a GSM modem connected to a serial port, and I use it to send SMS upon certain events.
Since it is not Plug-and-Play, I am confused as to how I'll detect its connection status. Win APIs like GetCommState will obviously not work.
I could periodically send packets of data and check whether the data is being consumed or not, but I'm wary about the risks of polling for performance and of clogging up the buffers which might be in use.
So, is there any other method, or some interrupt-based thing, which I could use to check whether it is still connected, via a serial port, to my system?
I'd be grateful for any help on this.
Thanks.
From Windows 7 onwards, use Windows Mobile Broadband API to get information about a GSM modem.
Serial ports are very primitive communication devices; they date from the very early days of computing. It is what you plugged your ASR-33 teletype into to start banging in your Fortran program. The only reason they are still around is because they are simple; hardware vendors like them because they don't have to spend money developing and supporting a custom API to use their device.
Still, even back in the sixties a computer had a need to find out if a teletype was attached. Which is done through the hardware handshake signals. The DSR signal, Data Set Ready, is turned on by the device when it is powered up. If you use the .NET SerialPort class then you can check that signal with the SerialPort.DsrHolding property. If you use the winapi then use GetCommModemStatus(), MS_DSR_ON flag.
That still only tells you that some device is attached. If you want to find out that it is the modem that you wrote your program for then you can interrogate it with AT commands, a protocol that's specific to modems. No vendor implements this exactly the same way but you can usually count on an identification from the modem with the ATI command. Check the programming manual for the modem for details.
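The two-stage check described above (DSR says something is attached, ATI says which modem it is), written as an added Python example rather than the .NET or winapi calls the answer names. It is not code from the original post. The probe works on any object exposing the pyserial Serial interface (`dsr`, `write`, `readline`); the `open_real_port` helper assumes pyserial is installed, and `FakePort` plus its ATI reply are constructed so the logic can be exercised without hardware. The response parser stops on the final result code (OK/ERROR) rather than reading until a timeout, which keeps the periodic check cheap and leaves the port buffers empty for the SMS traffic.

```python
AT_FINAL_RESULTS = ("OK", "ERROR")
AT_ERROR_PREFIXES = ("+CME ERROR", "+CMS ERROR")   # GSM-specific error result codes


class ModemProbe:
    """Presence check for a serial-attached modem: hardware DSR line first, then ATI."""

    def __init__(self, port, eol=b"\r"):
        self.port = port          # anything with .dsr (bool), .write(bytes), .readline() -> bytes
        self.eol = eol            # AT commands are terminated by CR; some modules want CRLF

    def device_attached(self):
        """True if the attached device asserts Data Set Ready (powered up, present)."""
        return bool(self.port.dsr)

    def send_at(self, cmd, max_lines=20):
        """Send one AT command and collect response lines up to the final result code.
        Command echo and blank lines are dropped; an empty readline() means timeout."""
        self.port.write(cmd.encode("ascii") + self.eol)
        lines = []
        for _ in range(max_lines):
            raw = self.port.readline()
            if not raw:
                break
            text = raw.decode("ascii", "replace").strip()
            if not text or text == cmd:
                continue
            lines.append(text)
            if text in AT_FINAL_RESULTS or text.startswith(AT_ERROR_PREFIXES):
                break
        return lines

    def identify(self):
        """Identification text from ATI, or None if no device / no sane AT response."""
        if not self.device_attached():
            return None
        lines = self.send_at("ATI")
        if not lines or lines[-1] != "OK":
            return None
        return "\n".join(lines[:-1])


class FakePort:
    """Constructed stand-in for serial.Serial used to run the probe offline."""

    def __init__(self, dsr, responses=None):
        self.dsr = dsr
        self.responses = responses or {}   # command bytes -> list of reply lines
        self.pending = []

    def write(self, data):
        self.pending = list(self.responses.get(bytes(data), []))

    def readline(self):
        return self.pending.pop(0) if self.pending else b""


# Constructed ATI reply in the usual shape: echo, blank line, info lines, blank line, OK
FAKE_ATI_REPLY = [b"ATI\r\n", b"\r\n", b"Manufacturer: CONSTRUCTED\r\n",
                  b"Model: EXAMPLE-GSM\r\n", b"\r\n", b"OK\r\n"]


def open_real_port(name, baudrate=115200, timeout=2.0):
    """Open a physical port with pyserial (assumed installed); timeout bounds each readline()."""
    import serial
    return serial.Serial(name, baudrate, timeout=timeout)


if __name__ == "__main__":
    present = ModemProbe(FakePort(dsr=True, responses={b"ATI\r": FAKE_ATI_REPLY}))
    print("attached:", present.device_attached(), "| identity:", present.identify())
    unplugged = ModemProbe(FakePort(dsr=False))
    print("attached:", unplugged.device_attached(), "| identity:", unplugged.identify())
```

Poll `device_attached()` cheaply (it reads a modem status line, no bytes are exchanged) and run `identify()` only on a DSR transition or at startup; cache the ATI text and compare it when the line comes back so a different device on the same port is noticed.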