manualshive.com logo in svg

EnOcean EASYFIT EMDCB, User Manual

Share
Download
EnOcean EASYFIT EMDCB User Manual Download Page 65

 
USER MANUAL

 

 
 
 

EMDCB 

 BLUETOOTH LOW ENERGY MOTION AND ILLUMINATION SENSOR 

 

© 2019 EnOcean  |  www.enocean.com   

 

 

 

 

EMDCB User Manual  | v1.3 | August 2019 |  Page 65/67 

 

B.5

 

Execution example 

 

At the time of writing, a suitable online AES calculator could be found here: 

http://testprotect.com/appendix/AEScalc

 

 

Likewise, a suitable online XOR calculator could be found here: 

http://xor.pw/

? 

 

We can now calculate the signature using a sequence of AES128 and XOR operations as 
shown in Figure 37 as follows:  
 

 

X_1 = AES128(B0, Key) 
X_1 = AES128(49C400000000E557E201000000000000, 9E0DE9C25386B6C4F070642E19E03680) 
X_1 = 97F967605F8B20A988A026AC76B0E4E0  
 
X_1A = XOR(X_1, B_1) 
X_1A = XOR(97F967605F8B20A988A026AC76B0E4E0, 001215FFDA0357E2010002AA44D60045) 
X_1A = 97EB729F8588774B89A024063266E4A5 
 
X_2 = AES128(X_1A, Key) 
X_2 = AES128(97EB729F8588774B89A024063266E4A5, 9E0DE9C25386B6C4F070642E19E03680) 
X_2 = 8CD6013AFFB05E19DA7891398FFA00B4 
 
X_2A = XOR(X_2, B_2) 
X_2A = XOR(8CD6013AFFB05E19DA7891398FFA00B4, 35002002000000000000000000000000) 
X_2A = B9D62138FFB05E19DA7891398FFA00B4 
 
X_3 = AES128(X_2A, Key) 
X_3 = AES128(B9D62138FFB05E19DA7891398FFA00B4,9E0DE9C25386B6C4F070642E19E03680) 
X_3 = 1FA1970E831CFA1C445EC14639CB4AFE 
 
 
S_0 = AES128(A0, Key) 
S_0 = AES128(01C400000000E557E201000000000000,9E0DE9C25386B6C4F070642E19E03680) 
S_0 = D76DC01C1302BEC9C7DC61042CE71D2C 
 
T_0 = XOR(X_3, S_0) 
T_0 = XOR(1FA1970E831CFA1C445EC14639CB4AFE, D76DC01C1302BEC9C7DC61042CE71D2C) 
T_0 = C8CC5712901E44D58382A042152C57D2 
 

The calculated signature is formed by the first four bytes of 

T_0

, i.e. it is 

C8CC5712

.   

 
The  calculated  signature  matches  the  signature  that  was  transmitted  as  part  of  the  data 

telegram payload (see chapter A.1).  
 
This  proves  that  the  telegram  originates  from  a  sender  that  possesses  the  same  security 

key and the telegram content has not been modified. 

 

 

Summary of Contents for EASYFIT EMDCB

Page 1: ...3 August 2019 Page 1 67 Patent protected WO98 36395 DE 100 25 561 DE 101 50 128 WO 2004 051591 DE 103 01 678 A1 DE 10309334 WO 04 109236 WO 05 096482 WO 02 095707 US 6 747 573 US 7 019 241 Observe pr...

Page 2: ...d for possible omissions or inaccuracies Circuitry and specifications are subject to change without notice For the latest product specifica tions refer to the EnOcean website http www enocean com As f...

Page 3: ...5 Motion detection 14 2 5 1 PIR detection characteristics 14 2 5 2 Installation recommendations 15 2 6 Illumination measurement 16 2 6 1 Light level sensor 16 2 6 2 Solar cell 16 3 Radio transmission...

Page 4: ...4 3 READY 1 state 37 7 4 4 READY 2 state 37 7 4 5 ACTIVE state 37 7 4 6 Read command 38 7 4 7 Write command 38 7 4 8 Password authentication PWD_AUTH command 39 7 5 Configuration memory organization...

Page 5: ...ficate 56 8 3 2 ISED Industry Canada Regulatory Statement 57 9 Product history 58 A Parsing EMDCB telegrams 59 A 1 Data telegram example 59 A 1 1 BLE advertising frame structure 59 A 1 2 Data telegram...

Page 6: ...etected the latest detected motion motion detected or no motion detected together with the measured light level EMDCB will report immediately if motion is detected for the first time after a period wi...

Page 7: ...tion detection is reported immediately User interface LRN button Sensitivity selection switch Notification LED Device identification Unique 48 Bit Device ID factory programmed Adjustable via NFC Secur...

Page 8: ...32 85 F indoor use only Humidity 20 to 85 r h non condensing Note 1 PIR detection requires that the moving object to be detected is significantly warmer than its environment For the case of human moti...

Page 9: ...Overview The energy harvesting ceiling mounted motion and illumination sensor EMDCB from EnOcean provides wireless motion and illumination sensing functionality without batteries Power is provided by...

Page 10: ...d for ceiling mounting It can be mounted on most ceilings with suitable screws or mounted on dropped ceilings using wire brackets 2 3 Product design Figure 2 below shows the EMDCB product design inclu...

Page 11: ...ensitivity selection switch as shown in Figure 3 below Figure 3 EMDCB internal view The internal product interface is accessible after removing the wall mount plate If EMDCB has not yet been mounted o...

Page 12: ...figuration shown in grey below Standby shown in orange below The transition between these modes occurs based on user action press of the LRN button motion detection or based on pre defined timing inte...

Page 13: ...possible to change the wake up intervals using the NFC interface as described in chap ter 7 In case of reducing the reporting interval the resulting increase in required energy provided by the availab...

Page 14: ...etect moving ob jects based on the temperature difference between the moving object and its environment 2 5 1 PIR detection characteristics EMDCB is designed to detect movement within a radius of up t...

Page 15: ...of sight from the sensor to the person s in the detection area is required Walls room dividers plants book shelfs hanging lights or other obstacles within the line of sight can limit the detection per...

Page 16: ...peration of EMDCB 2 6 1 Light level sensor EMDCB contains a dedicated humidity sensor with narrow aperture and a spectral response optimized to mimic the human eye s perception of ambient light This l...

Page 17: ...rface see chapter 7 The initialization value for data whitening is set as follows For BLE channels is set according to specification value radio channel For the custom radio channels the initializatio...

Page 18: ...38 CHANNEL39 INTERVAL 20ms or 10ms Figure 7 Default radio transmission sequence 3 3 User defined radio transmission sequences In certain situations it might be desirable to transmit radio telegrams o...

Page 19: ...equence The three channel radio transmission sequence is similar to the default transmission se quence with the difference that the radio channels BLE Channel 37 38 and 39 in the de fault transmission...

Page 20: ...ansmission sequence uses a default INTERVAL setting of 20 ms an alternative setting of 10 ms can be configured via NFC TX_CHANNEL1 TX_CHANNEL2 TX_CHANNEL1 TX_CHANNEL2 INTERVAL 20ms or 10ms TX_CHANNEL1...

Page 21: ...grams in the 2 4 GHz band For detailed information about the Bluetooth Low Energy standard please refer to the applica ble specifications Figure 11 below summarizes the general BLE frame structure Fig...

Page 22: ...arameters Figure 13 below shows the structure of the BLE header Figure 13 BLE header structure 4 4 Source address The 6 byte BLE Source Address MAC address uniquely identifies each EMDCB product EMDCB...

Page 23: ...source address can be config ured written via NFC as described in chapter 7 5 The structure of EMDCB static addresses is as follows The upper 2 bytes of the source address are for EnOcean Bluetooth se...

Page 24: ...transmitted Indi vidual advertising events used to transmit one telegram use the same prand value hash This field contains a verification value hash generated from prand using the IRK The structure o...

Page 25: ...random private addresses Figure 16 Resolving private source addresses Appendix C gives an example how to resolve a resolvable private address using a previous ly exchanged identity resolution key IRK...

Page 26: ...to 0xFF to designate manufacturer specific data field Manufacturer ID 2 byte The Manufacturer ID field is used to identify the manufacturer of BLE devices based on assigned numbers EnOcean has been as...

Page 27: ...Status field structure 4 6 2 Sensor Data Descriptor The Sensor Data Descriptor describes type and size of the following sensor data field It explicitly specifies the size to ensure forward compatibil...

Page 28: ...always reported TYPE ID Content Size byte Minimum Maximum Resolution Unit Conversion 0x05 Light level 2 0 65 533 1 lx 1 x 0x20 Occupancy status 1 0x01 Not occupied 0x02 Occupied Enumeration only spec...

Page 29: ...dress and the telegram payload Changing any of these three parame ters will therefore result in a different signature The receiver performs the same signature calculation based on sequence counter sou...

Page 30: ...dress 4 byte Sequence Counter and 3 bytes of value 0x00 for padding Note that both Source Address and Sequence Counter use little endian format least signifi cant byte first Figure 21 below shows the...

Page 31: ...his is achieved by exchanging a 128 Bit random security key used by EMDCB to au thenticate its radio telegrams EMDCB provides the following options for these tasks Radio based commissioning EMDCB can...

Page 32: ...ter A 2 The commissioning telegram will by default be transmitted on the BLE advertising channels CH 37 38 and 39 Use of custom radio channels is possible as described in chapter 3 3 The transmission...

Page 33: ...describes the ANSI MH10 8 2 data identifiers used by the EMDCB device la bel and shows the interpretation of the data therein Identifier Length of data excluding identifier Value 30S 12 characters St...

Page 34: ...terface of EMDCB EMDCB operation will automatically resume operation once the NFC reader has been disconnected 7 1 NFC interface parameters The NFC interface of EMDCB uses NFC Forum Type 2 Tag functio...

Page 35: ...2 HF NFC USB Reader with CDC interface from Elatec RFID Systems https www elatec rfid com fileadmin Files Data_Sheets DS_TWN4_MultiTech pdf This reader is shown in Figure 25 below Figure 25 Elatec TW...

Page 36: ...andard For specific implementation aspects related to the NXP implementation in NT3H2111 please refer to the NXP documentation which at the time of writing was available under this link http cache nxp...

Page 37: ...ing the ANTICOLLISION or SELECT commands for cascade level 1 READY 1 state is exited after the SELECT command from cascade level 1 with the matching complete first part of the UID has been executed Th...

Page 38: ...te in size For example if the specified address is 03h then pages 03h 04h 05h 06h are returned Spe cial conditions apply if the READ command address is near the end of the accessible memory area Figur...

Page 39: ...entication PWD_AUTH command The protected memory area can be accessed only after successful password verification via the PWD_AUTH command The PWD_AUTH command takes the password as parameter and if s...

Page 40: ...nformation which is not accessible to the user The following chapters provide information on key settings available via NFC The smallest access unit is one page of 4 byte If less than a full page i e...

Page 41: ...needed and the result be written back The organization of the NFC configuration memory is shown in Table 5 below Table 5 NFC Memory Map 0 1 2 3 00 03 04 1A 1B 3B 3C 3F 40 41 TX_CHANNEL1 TX_CHANNEL2 T...

Page 42: ...read and modified via the NFC interface as shown in Table 6 below Static Source Address Access Protection Page Remarks R W PIN Protected 0x40 Byte 0 4 Lower 4 byte of source address Upper 2 byte are a...

Page 43: ...ld for the supported custom transmission sequences Setting Transmission Sequence 0b0000 Default Commissioning and data telegrams in standard Advertising Mode 0b0001 Commissioning telegrams in standard...

Page 44: ...wer and 20 ms advertising interval These settings can be configured using the Transmission Settings as shown in Table 9 below Radio Configuration Access Protection Page Remarks R W PIN Protected 0x42...

Page 45: ...rval regis rer shown in Figure 32 below Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0 ADVERTISING INTERVAL Default 0x00 0b00 20 ms Interval 0b01 10 ms Interval Others Reserved ADVERTISING INTERVAL R...

Page 46: ...by Data Byte 1 If length of Optional Data is set to 2 byte then Data Byte 0 will be transmitted first followed by Data Byte 1 Data Byte 2 and finally Data Byte 3 The organization of the Optional Data...

Page 47: ...arks R W PIN Protected 0x48 Byte 0 Security Key Access Byte 1 Address Mode Byte 2 LRN Telegram Byte 3 Security Mode Table 12 Security Configuration register address 7 6 7 1 Security Key Access Access...

Page 48: ...for each radio telegram transmission as described in chapter 4 4 2 The options for the Address Mode bit field are shown in Table 14 below Setting Address Mode 0x00 Default Static Source Address 0x01...

Page 49: ...e 16 Security Mode settings 7 6 8 Attribute Reporting Optional Data Size and LED Intensity EMDCB allows the configuration of which optional attributes are reported how much op tional data is reported...

Page 50: ...ructure 7 6 8 2 Optional Data Size The length of optional data 0 1 2 or 4 byte can be selected using the OPTION AL_DATA_SIZE field By default no optional data is transmitted Optional data to be trans...

Page 51: ...Area Page Remarks R W PIN Protected 0x4A Byte 0 1 TX_INTERVAL_UNOCCUPIED Default 0x78 120 seconds Byte 2 3 TX_INTERVAL_OCCUPIED Default 0x3C 60 seconds Table 18 Reporting Interval 7 6 10 Low Power Mod...

Page 52: ...n com 8 1 2 Waste treatment WEEE Directive Statement of the European Union The marking below indicates that this product should not be disposed with other household wastes throughout the EU To prevent...

Page 53: ...SER MANUAL EMDCB BLUETOOTH LOW ENERGY MOTION AND ILLUMINATION SENSOR 2019 EnOcean www enocean com EMDCB User Manual v1 3 August 2019 Page 53 67 8 2 FCC United States 8 2 1 FCC United States Certificat...

Page 54: ...using small amounts of energy and may be powered by a battery The module transmits short radio packets comprised of control signals in some cases the control signal may be accompanied with data such a...

Page 55: ...al prod uct Attaching a label to a removable portion of the final product such as a battery cover is not permitted The label must include the following text Contains FCC ID SZV TCM515B The enclosed de...

Page 56: ...MANUAL EMDCB BLUETOOTH LOW ENERGY MOTION AND ILLUMINATION SENSOR 2019 EnOcean www enocean com EMDCB User Manual v1 3 August 2019 Page 56 67 8 3 ISED Industry Canada 8 3 1 ISED Industry Canada Certifi...

Page 57: ...vice may not cause interference and 2 this device must accept any interference including interference that may cause unde sired operation of the device Le pr sent appareil est conforme aux CNR d Indus...

Page 58: ...com EMDCB User Manual v1 3 August 2019 Page 58 67 9 Product history Table 20 below lists the product history of EMDCB Revision Release date Key changes versus previous revision CA 01 December 2018 Fir...

Page 59: ...000000C4 Device unique address Length of payload 1 byte 0x15 21 byte of payload follow Type of payload 1 byte 0xFF Manufacturer specific data Manufacturer ID 2 byte 0x03DA EnOcean GmbH Payload 18 byte...

Page 60: ...byte 0x8E89BED6 Constant always used BLE Frame Control 2 byte 0x2542 Length 37 byte BLE Source Address 6 byte 0xE500000000C4 Device unique address Length of payload 1 byte 0x1E 30 byte of payload foll...

Page 61: ...authenticity telegram has not been modified and originality telegram comes from the assumed sender of a telegram The input data for the authentication process is listed in Table 26 below Parameter Co...

Page 62: ...rithm parameters Parameter Comment Description Example Length Field Size Size in bytes of the field used to encode the input length 2 always minimum permissible size Signature Size Desired size in byt...

Page 63: ...ed on the input data given in chapter B 1 Parameter Comment Description Value in the example Nonce 13 byte initialization vector based on concatenation of 6 byte source address 4 byte sequence counter...

Page 64: ...610 algorithm uses the variable internal parameters A_0 B_0 B_1 and B_2 togeth er with the private key to generate the authentication vector T_0 using four AES 128 and three XOR operations The algorit...

Page 65: ...729F8588774B89A024063266E4A5 9E0DE9C25386B6C4F070642E19E03680 X_2 8CD6013AFFB05E19DA7891398FFA00B4 X_2A XOR X_2 B_2 X_2A XOR 8CD6013AFFB05E19DA7891398FFA00B4 35002002000000000000000000000000 X_2A B9D6...

Page 66: ...receiver will then try for each locally stored IRK if the hash generated using the execu tion flow above matches the hash part of the resolvable private address field of the received telegram If it d...

Page 67: ...st significant bit of prand mode prand 0xC00000 22 mode 0b01 Referring to chapter 4 4 2 the setting of 0b01 indicates resolvable private address mode To generate the hash we add 104 bit of padding all...

Reviews:

No comments

Brands by name

Popular brands

Load more brands