EnOcean PTM 215B User Manual Download Page 81

Page: 81 / 85

USER MANUAL

PTM 215B – BLUETOOTH

PUSHBUTTON TRANSMITTER MODULE

F-710-017, V1.0

PTM 215B User Manual | v1.9 | June 2019 | Page 81/85

C.3

Examples

The following four chapters give step by step examples based on one actual device and 0 /
1 / 2 or 4 byte of optional data.

C.3.1

Data telegram without optional data

For this example, we consider the following telegram payload received from a PTM 215B

with the source address

E215000019B8

and security key

3DDA31AD44767AE3CE56DCE2B3CE2ABB

0C FF DA 03 5D 04 00 00 11 B2 FA 88 FF

The last four bytes of this payload (

B2 FA 88 FF

) are the sender-provided signature which

has to be authenticated (compared against the signature the receiver calculates based on

its own security key).

The variable input parameters are therefore the following:

Parameter

In this example

Source Address

B819000015E2 (little endian representation of E215000019B8)

Input Data

0CFFDA035D04000011

Input Length

0x0009

Sequence Counter

5D040000

Security Key

3DDA31AD44767AE3CE56DCE2B3CE2ABB

The constant internal parameters are always the same:

Parameter

In this example

A0_Flag

0x01

(always)

B0_Flag

0x49

(always)

0x0000

(always)

Based on variable input data and constant internal algorithm parameters, we can now de-

rive the following variable internal parameters:

Parameter

In this example

Nonce

B819000015E25D040000000000

01B819000015E25D0400000000000000

49B819000015E25D0400000000000000

00090CFFDA035D040000110000000000

We can now calculate the signature using AES128 and XOR operations.

At the time of writing, a suitable online AES calculator could be found here:

http://testprotect.com/appendix/AEScalc

Likewise, a suitable XOR calculator could be found here:

http://xor.pw/

Summary of Contents for PTM 215B

Page 1: ...User Manual v1 9 June 2019 Page 1 85 Patent protected WO98 36395 DE 100 25 561 DE 101 50 128 WO 2004 051591 DE 103 01 678 A1 DE 10309334 WO 04 109236 WO 05 096482 WO 02 095707 US 6 747 573 US 7 019 24...

Page 2: ...ogos are registered trademarks owned by the Bluetooth SIG Inc and any use of such marks by EnOcean GmbH is under license Other trademarks and trade names are those of their respective owners Important...

Page 3: ...13 3 3 3 Two channel radio transmission sequence 14 3 3 4 Single channel radio transmission sequence 14 4 Telegram format 15 Preamble 15 Access Address 15 Header 15 Source address 16 4 4 1 Static sou...

Page 4: ...ite register 42 6 7 8 Optional Data register 43 6 7 9 Variant register 44 6 7 10Radio channel selection registers 46 6 7 11Customer Data 47 Private Data 48 6 8 1 Security Key 48 6 8 2 Default Settings...

Page 5: ...solution example 73 C Authentication of PTM 215B data telegrams 74 C 1 Algorithm input parameters 74 C 1 1 Constant input parameters 74 C 1 2 Variable input parameters 75 C 1 3 Obtaining the security...

Page 6: ...ed energy is generated by an elec tro dynamic energy transducer actuated by an energy bow located on the left and right of the module This energy bow which can be pushed from outside the module by an...

Page 7: ...ate and Modulation default 1 Mbit s GFSK Configuration Interface NFC Forum Type 2 Tag ISO IEC 14443 Part 2 and 3 Device Identification Unique 48 Bit Device ID factory programmed Security AES128 CBC Mo...

Page 8: ...the device An internal spring will release the energy bow as soon as it is not pushed down anymore When the energy bow is pushed down electrical energy is created and a BLE radio tele gram is transmit...

Page 9: ...acts and the energy bow encodes this status into a data word generates the proper radio telegram structure and sends it to the radio transmitter RF transmitter Transmits the data in the form of a seri...

Page 10: ...hannels Channel A and Channel B each containing two button contacts State O and State I The state of all four button contacts pressed or not pressed is transmitted together with a unique device identi...

Page 11: ...6 7 10 The initialization value for data whitening is set as follows For BLE channels is set according to specification value radio channel For the custom radio channels the initialization value is eq...

Page 12: ...CH 38 CH 39 INTERVAL 20ms or 10ms INTERVAL 20ms or 10ms CH 37 CH 38 CH 39 CH 37 CH 38 CH 39 Figure 5 Default radio transmission sequence User defined radio transmission sequences In certain situations...

Page 13: ...hannel radio transmission sequence The three channel radio transmission sequence is similar to the default transmission se quence The difference is that the radio channels BLE Channel 37 38 and 39 in...

Page 14: ...INTERVAL 20ms or 10ms TX_CHANNEL1 TX_CHANNEL2 INTERVAL 20ms or 10ms TX_CHANNEL1 TX_CHANNEL2 INTERVAL 20ms or 10ms Figure 7 Two channel radio transmission sequence The format of TX_CHANNEL1 and TX_CHA...

Page 15: ...summarizes the BLE frame structure Figure 9 BLE frame structure The content of these fields is described in more detail below Preamble The BLE Preamble is 1 byte long and identifies the start of the...

Page 16: ...s flag in the Configuration register see chapter 6 7 3 to 0b1 These two address modes are described in the following chapters 4 4 1 Static source address mode By default PTM 215B uses static source ad...

Page 17: ...Resolution Key IRK PTM 215B uses its device unique ran dom key as identity resolution key This key can be modified if needed via the NFC configu ration interface as described in chapter 6 7 5 For each...

Page 18: ...itter and thereby the identity of the transmitter So conceptually the IRK takes the role of the device address of the transmitter while prand and hash provide a mechanism for the receiver to select th...

Page 19: ...he size of the Optional Data field which can be 0 1 2 or 4 byte The resulting Length setting would be 12 13 14 or 16 byte 0x0C 0x0D 0x0E 0x10 respectively Type 1 byte The Type field identifies the dat...

Page 20: ...transmit button contact status 1 Determine direction of the energy bar movement Push Action or Release Action 2 Read input status of all button contacts 3 Calculate data payload 4 Calculate security...

Page 21: ...ace as described in chapter 6 7 7 Sequence Counter 4 byte The Sequence Counter is a continuously incrementing counter used for security pro cessing It is initialized to 0 at the time of production and...

Page 22: ...nter the device source address and the telegram payload Changing any of these three parame ters will therefore result in a different signature The receiver performs the same signature calculation base...

Page 23: ...Source Address 4 byte Sequence Counter and 3 bytes of value 0x00 for padding Note that both Source Address and Sequence Counter use little endian format least signifi cant byte first Figure 18 below...

Page 24: ...its radio telegrams PTM 215B provides the following options for these tasks NFC based commissioning The PTM 215B parameters are read by a suitable commissioning tool e g NFC smartphone with suitable...

Page 25: ...tional security NFC read out of the new security key can be disabled by set ting the PRIVATE SECURITY KEY flag in the Configuration register before setting the new security key This ensures that even...

Page 26: ...receiver of PTM 215B radio telegrams See chapter 8 for details of the commissioning code structure Radio based commissioning For cases where both NFC and camera based commissioning are not feasible i...

Page 27: ...igured via NFC interface then PTM 215B will not enter commissioning mode and transmit normal data telegrams according to the button status 5 3 2 Commissioning telegram transmission PTM 215B will trans...

Page 28: ...d at the down position for at least 10 seconds before be ing released The button contacts A0 A1 B0 and B1 can be released at any time after pressing the energy bow down i e it is no requirement to hol...

Page 29: ...following NFC reader either PC USB accessory or suitable smartphone tablet NFC SW with read write PIN lock PIN unlock and PIN change functionality EnOcean recommends TWN4 from Elatec RFID Systems http...

Page 30: ...tandard For specific implementation aspects related to the NXP implementation in NT3H2111 please refer to the NXP documentation which at the time of writing was available under this link http cache nx...

Page 31: ...using the ANTICOLLISION or SELECT commands for cascade level 1 READY 1 state is exited after the SELECT command from cascade level 1 with the matching complete first part of the UID has been executed...

Page 32: ...byte in size For example if the specified address is 03h then pages 03h 04h 05h 06h are returned Spe cial conditions apply if the READ command address is near the end of the accessible memory area Fi...

Page 33: ...ion via the PWD_AUTH command The PWD_AUTH command takes the password as parameter and if successful returns the password authentication acknowledge PACK Figure 25 below shows the password authenticati...

Page 34: ...sup port package At the time of writing this was available from this address https www elatec rfid com en download center contact form twn4 devpack sdk Figure 26 below shows the user interface of thi...

Page 35: ...0xE2 0x15 0x00 0x00 NTAG_Read page Used to read one page of data Example NTAG_Read 0x04 NTAG_Write page data Used to write one page of data Example NTAG_Write 0x40 0x12 0x34 0x56 0x78 NTAG_Write 0xE5...

Page 36: ...The PTM 215B configuration memory is divided into the following areas Public data Protected data In addition to that PTM 215B maintains a private configuration memory region used to store default para...

Page 37: ...ublic 8 0x08 32 NFC Revision Manufacturer ID Public 9 0x09 36 Reserved Public 10 0x0A 40 Hardware Revision Public 11 0x0B 44 Software Revision Public 12 0x0C 48 Static Source Address Public 13 0x0D 52...

Page 38: ...entify his PTM 215B based product see chapter 6 7 7 PTM 215B Static Source Address This is a 4 byte field containing the four least significant bytes the two most signifi cant bytes are always 0xE215...

Page 39: ...16 byte register is used to update the security key used by PTM 215B see chapter 6 7 5 Optional Data register This 4 byte register contains optional data that can be transmitted as part of all data t...

Page 40: ...meters the user has to write the new value into specific reg isters Source Address Write Product ID Write Manufacturer ID Write and Security Key Write in the protected data area and set the according...

Page 41: ...be replaced with a user defined key by fol lowing these steps 1 Write new security key into the Security Key Write register Note that for security reasons setting the Security Key to the following va...

Page 42: ...o the desired security key and the UPDATE SECURITY KEY flag in the Configuration register is to 0b1 and pushing the energy bar The protected memory is designed to support 1000 modifications of the sec...

Page 43: ...store user specific or ap plication specific information The size of the Optional Data field is specified by the OPTIONAL DATA SIZE field in the Con figuration register The following settings of OPTI...

Page 44: ...de selection Table 3 below shows the supported custom radio transmission modes that can be selected using Bit 2 0 of the Custom Variant register Setting Meaning 0b000 Commissioning and data telegrams...

Page 45: ...de fault setting of 20 ms to 10 ms by setting bit 3 of the Variant register Setting Result 0b0 20 ms Interval Default configuration 0b1 10 ms Interval Table 4 Interval settings 6 7 9 3 Data rate sele...

Page 46: ...d by PTM 215B Standard BLE radio channels BLE Channel 0 BLE Channel 39 use the even frequencies from 2402 MHz to 2480 Custom radio channels in between the standard BLE channels Custom Channel 40 78 us...

Page 47: ...ecific information such as product type revi sion date code or similar There is however no restriction other than the maximum size of 256 byte on the type of content that can be stored in this memory...

Page 48: ...field contains the 128 bit private key used for authenticating PTM 215B telegrams and for resolving private source addresses This register is programmed with a random value during manufacturing It can...

Page 49: ...e va riety of existing designs Mechanical Interface Characteristics Energy bow travel operating force 1 8 mm typ 9 N At room temperature Only one of the two energy bows may be actuated at the same tim...

Page 50: ...TER MODULE 2019 EnOcean www enocean com F 710 017 V1 0 PTM 215B User Manual v1 9 June 2019 Page 50 85 1 these catwalks are not needed when using one single rocker only 2 dimensions of rocker part Figu...

Page 51: ...5B BLUETOOTH PUSHBUTTON TRANSMITTER MODULE 2019 EnOcean www enocean com F 710 017 V1 0 PTM 215B User Manual v1 9 June 2019 Page 51 85 Figure 34 PTM 215B cut A 2 dimensions of rocker part Figure 35 PTM...

Page 52: ...MANUAL PTM 215B BLUETOOTH PUSHBUTTON TRANSMITTER MODULE 2019 EnOcean www enocean com F 710 017 V1 0 PTM 215B User Manual v1 9 June 2019 Page 52 85 Hatched areas support planes Figure 36 PTM 215B rear...

Page 53: ...ker part Figure 37 PTM 215B side view If the rocker is not mounted on the rotation axis of PTM 215B several tolerances have to be considered The measure from support plane to top of the energy bow is...

Page 54: ...ired to use non conductive material no metal or plastic with metal or graphite elements for the rockers the frame and the base plate to ensure best transmission range PTM 215B is powered by the electr...

Page 55: ...de should at a minimum contain the two fields listed in Table 7 below Identifier Length of data excluding identifier Value 30S 12 characters Static Source Address hex Z 32 characters Security Key hex...

Page 56: ...s on the revision of the device Revisions up to DB 05 produced before July 2018 use a device label with two DMC codes Revisions starting with DC 06 produced after July 2018 use a new label with only o...

Page 57: ...ID SOURCE_ID OOB DEVICE_KEY This data string identifies the following product parameters Product name always PTM215B 48 bit Static Source Address unique for each device starts with E215 Prefix 128 bit...

Page 58: ...7 the Dolphin logo is replaced by EnOcean 8 2 1 QR Code format The QR code used in the new product label encodes the product parameter according to the ANSI MH10 8 2 2013 industry standard The QR code...

Page 59: ...concrete walls ceilings Typically 5 m range through max 1 ceiling depending on thickness Fire safety walls elevator shafts staircases and similar areas should be considered as shielded The angle at wh...

Page 60: ...oximately 3 ms in total when using 3 radio channels which means that the total time between the start of two advertising events is approxi mately 23 ms Considering that the receiver might start scanni...

Page 61: ...It is the responsibility of the OEM manufac turer to demonstrate compliance to all applicable EU directives and standards The EnOcean attestation of conformity can be used as input to the declaration...

Page 62: ...USER MANUAL PTM 215B BLUETOOTH PUSHBUTTON TRANSMITTER MODULE 2019 EnOcean www enocean com F 710 017 V1 0 PTM 215B User Manual v1 9 June 2019 Page 62 85 FCC United States Certificate...

Page 63: ...une 2019 Page 63 85 10 2 1 FCC United States Regulatory Statement This device complies with part 15 of the FCC Rules Operation is subject to the following two conditions 1 this device may not cause ha...

Page 64: ...USER MANUAL PTM 215B BLUETOOTH PUSHBUTTON TRANSMITTER MODULE 2019 EnOcean www enocean com F 710 017 V1 0 PTM 215B User Manual v1 9 June 2019 Page 64 85 IC Industry Canada Certificate...

Page 65: ...device may not cause interference and 2 this device must accept any interference including interference that may cause unde sired operation of the device Le pr sent appareil est conforme aux CNR d In...

Page 66: ...USER MANUAL PTM 215B BLUETOOTH PUSHBUTTON TRANSMITTER MODULE 2019 EnOcean www enocean com F 710 017 V1 0 PTM 215B User Manual v1 9 June 2019 Page 66 85 ACMA Australia Declaration of Conformity...

Page 67: ...USER MANUAL PTM 215B BLUETOOTH PUSHBUTTON TRANSMITTER MODULE 2019 EnOcean www enocean com F 710 017 V1 0 PTM 215B User Manual v1 9 June 2019 Page 67 85...

Page 68: ...ER MANUAL PTM 215B BLUETOOTH PUSHBUTTON TRANSMITTER MODULE 2019 EnOcean www enocean com F 710 017 V1 0 PTM 215B User Manual v1 9 June 2019 Page 68 85 ARIB Japan Construction Type Conformity Certifacti...

Page 69: ...ion registers Changed format of commissioning telegram o Addition of Static Source Address o Removal of Product Name PTM215B DB 05 March 2018 Internal version component update no customer change DC 06...

Page 70: ...23 A 1 1 BLE frame structure The message shown above can be parsed into the following components keep in mind the little endian byte order BLE Access Address 4 byte 0x8E89BED6 BLE Frame Control 2 byte...

Page 71: ...D6 BLE Frame Control 2 byte 0x2442 Size of source address payload 0x24 36 byte Telegram type Non connectable Advertising BLE Source Address 6 byte 0xE21500001B9F Length of payload 1 byte 0x1E 30 byte...

Page 72: ...e 42 below 0000000 0000000 prand 104 Bit Padding all zero 24 Bit prand Identity Resolution Key IRK 128 Bit Identity Resolution Key IRK AES128 Don t Care hash 104 Bit Don t Care 24 Bit hash Figure 42 E...

Page 73: ...ext we verify the address mode by looking at the two most significant bit of prand mode prand 0xC00000 22 mode 0b01 Referring to chapter 4 4 2 the setting of 0b01 indicates resolvable private address...

Page 74: ...m input parameters These parameters identify high level algorithm and telegram properties and are the same for any PTM 215B telegram Variable algorithm input parameters These parameters identify teleg...

Page 75: ...er is transmitted as part of the input data The receiver of PTM 215B telegrams keeps track of this counter and will accept only telegrams with counter values higher than the highest previously used va...

Page 76: ...y via the product DMC code Obtaining the key via a dedicated commissioning telegram Each option is described now in detail C 1 3 1 Obtaining the security key via NFC interface Using the Elatec TWN4 re...

Page 77: ...QRbot smartphones The content of this example DMC code is PTM215BIDE215000019B8OOB3DDA31AD44767AE3CE56DCE2B3CE2ABB The structure of the DMC code is described in chapter 8 1 1 The location of the secur...

Page 78: ...payload 1D FF DA 03 56 04 00 00 3D DA 31 AD 44 76 7A E3 CE 56 DC E2 B3 CE 2A BB B8 19 00 00 15 E2 Please see Figure 16 in chapter 5 3 2 for a description of the commission telegram struc ture The loca...

Page 79: ...ounter 0x0000 always Table 12 Constant internal parameters C 1 6 Variable internal parameters The RFC3610 implementation in PTM 215B derives four internal parameters Nonce A0 B0 and B1 based on the te...

Page 80: ...on sequence The algorithm uses the variable internal parameters A_0 B_0 B_1 together with the private key to generate the authentication vector T_0 using three AES 128 and two XOR opera tions The algo...

Page 81: ...nput parameters are therefore the following Parameter In this example Source Address B819000015E2 little endian representation of E215000019B8 Input Data 0CFFDA035D04000011 Input Length 0x0009 Sequenc...

Page 82: ...S128 41e60586f0e20faa52c660435c1f247d 3DDA31AD44767AE3CE56DCE2B3CE2ABB X_2 8d89e733da516ae3e08f9e30184909fc S_0 AES128 A0 Key S_0 AES128 01B819000015E25D0400000000000000 3DDA31AD44767AE3CE56DCE2B3CE2A...

Page 83: ...nternal algorithm parameters we can now de rive the following variable internal parameters Parameter In this example Nonce B819000015E262040000000000 A0 01B819000015E2620400000000000000 B0 49B81900001...

Page 84: ...t internal algorithm parameters we can now de rive the following variable internal parameters Parameter In this example Nonce B819000015E263040000000000 A0 01B819000015E2630400000000000000 B0 49B81900...

Page 85: ...nstant internal algorithm parameters we can now de rive the following variable internal parameters Parameter In this example Nonce B819000015E26A040000000000 A0 01B819000015E26A0400000000000000 B0 49B...

Search results

Summary of Contents for PTM 215B

Reviews:

Related manuals for PTM 215B

Brands by name

Popular brands

EnOcean PTM 215B, User Manual

Search results

Summary of Contents for PTM 215B

Reviews:

Related manuals for PTM 215B

Brands by name

Popular brands