background image

 
USER MANUAL PREVIEW

 

 
 
 

PTM 535BZ 

 BLUETOOTH AND ZIGBEE GREEN POWER PUSHBUTTON TRANSMITTER 

 

© 2021 EnOcean  |  www.enocean.com  

F-710-017, V1.0     

 

PTM 535BZ User Manual  | v1.0 | May 2021 |  Page 112/112 

 

E.

 

Address resolution for resolvable private addresses (RPA) 

 
PTM 535BZ provides the option to obfuscate its identity by means of using resolvable private 
addresses (RPA that are generated using an Identity Resolution Key as described in 

Chapter 

3.3.5.2

. This appendix provides an example how to generate and resolve such address. 

 

E.1

 

Address resolution example 

 
We consider a PTM 535BZ module with the following 128 bit IRK:

 

IRK = BE759A027A4870FD242794F4C45220FB 

 
We further consider a telegram with the following 48 bit resolvable private address: 

RPA = 493970E51944  

 
We will now test if this resolvable private address was generated using the IRK above.  
 

Referring to the resolvable private address structure shown in 

Figure 12

, we split the re-

solvable private address into 

prand

 and 

hash

 as follows: 

prand  = (RPA & 0xFFFFFF000000) >> 24 
prand  = 0x493970 
 
hash   = RPA & 0x000000FFFFFF 
hash   = 0xE51944 

 

Next, we verify the address mode by checking the two most significant bit of 

prand

mode   = (prand & 0xC00000) >> 22 
mode   = 0b01 

 

Referring to 

Chapter 3.3.5.2

, the setting of 

0b01

 indicates resolvable private address mode. 

 

To generate the hash, we add 104 bit of padding (all zeros) to 

prand

padded prand = 0x00000000000000000000000000493970 

 

We can now generate the hash as AES128 operation between IRK and 

padded prand

:  

hash = AES128(IRK; padded prand) 
hash = AES128(0xBE759A027A4870FD242794F4C45220FB;0x00000000000000000000000000493970) 
 

At the time of writing, a suitable online AES calculator could be found here:  
 

http://testprotect.com/appendix/AEScalc

  

 
With this, we can calculate the result as: 

hash   = 0x286ACB1F9C8A80EE21B3F02225E51944 

 

With that, we can verify that the lowest 24 bit of the calculated 

hash

 (

0xE51944

) match the 

hash that was received as part of the resolvable private address. Therefore, the transmitter 

of this telegram used this specific IRK to generate this resolvable private address. 
 

 

Summary of Contents for PTM 535BZ

Page 1: ...535BZ User Manual v1 0 May 2021 Page 1 112 Patent protected WO98 36395 DE 100 25 561 DE 101 50 128 WO 2004 051591 DE 103 01 678 A1 DE 10309334 WO 04 109236 WO 05 096482 WO 02 095707 US 6 747 573 US 7 019 241 Observe precautions Electrostatic sensitive devices PTM 535BZ Bluetooth and Zigbee Green Power Pushbutton Transmitter 12 05 2021 ...

Page 2: ...tics No responsibility is assumed for possible omissions or inaccuracies Circuitry and specifications are subject to change without notice For the latest product specifications refer to the EnOcean website http www enocean com As far as patents or other rights of third parties are concerned liability is only assumed for modules not for the described applications processes and circuits EnOcean does...

Page 3: ...on sequence 16 3 3 Telegram format 17 3 4 Telegram payload 21 4 Zigbee Green Power ZGP radio 27 4 1 Radio channels 28 4 2 Radio transmission sequence 29 4 3 Telegram format 30 4 4 IEEE 802 15 4 MAC payload ZGP telegram 32 4 5 Channel selection 39 5 NFC configuration 42 5 1 Architecture 42 5 2 NFC memory map 46 5 3 PRODUCT NDEF 47 5 4 USER NDEF 47 5 5 NFC HEADER 47 5 6 ACTIVE CONFIGURATION 49 5 7 N...

Page 4: ...on request structure 86 A 4 1 1 Configuration request for USER1 86 A 4 1 2 Configuration status for USER1 87 A 4 1 3 Configuration request for USER2 87 A 4 1 4 Configuration status for USER2 87 A 4 2 Security configuration 88 A 4 2 1 Changing USER1_PIN 88 A 4 2 2 Changing USER2_PIN 88 A 4 2 3 Reading USER1_CONFIGURATION_OPTIONS 89 A 4 2 4 Reading USER2_CONFIGURATION_OPTIONS 90 A 4 2 5 Restricting ...

Page 5: ...2 Commissioning telegram example 104 C 2 1 BLE frame structure 104 C 2 2 EnOcean commissioning telegram payload structure 104 D Authentication of PTM 535BZ BLE data telegrams 105 D 1 Algorithm input parameters 105 D 1 1 Constant input parameters 105 D 1 2 Variable input parameters 106 D 1 3 Obtaining the security key 107 D 1 4 Internal parameters 107 D 1 5 Constant internal parameters 108 D 1 6 Va...

Page 6: ...transmitters are intended for operation together with the ECO 200 kinetic harvester which generates the required energy based on an external action such as a button press The combination of ECO 200 with PTM 535BZ enables the implementation of self powered no batteries and fully maintenance free products They can therefore be used in all environments including locations that are difficult to reach ...

Page 7: ...uthentication with sequence counter Transmission Power 4 dBm Transmission Range typ 30 m line of sight 10 m indoor environment Antenna Integrated antenna Power Supply Kinetic harvester ECO 200 Configuration Interface NFC ISO15683 tag and integrated antenna User Interface Learn button Operating Conditions 25 C 65 C 0 90 r h Indoor use in dry rooms only Dimensions 26 2 mm x 21 15 mm same as PTM 535 ...

Page 8: ... The term ECO 200 will be used throughout this document to describe a suitable energy converter When ECO 200 is actuated pressed pushed or released pulled electrical energy is gen erated and a BLE or ZGP radio telegram is transmitted which identifies the action pressed or released and the status of the two external input contacts When ECO 200 is actuated in the opposite direction restored to its o...

Page 9: ...on press or release Data processing Determines the status of the external inputs and the ECO 200 action encodes this status into a data word calculates the unique security signature generates the proper radio telegram structure and sends it to the 2 4 GHz BLE Zigbee radio transmitter 2 4 GHz BLE Zigbee radio transmitter Transmits the data in the form of a series of short 2 4 GHz Bluetooth Low Ener...

Page 10: ...nals of the ECO 200 harvester or another suitable power source Connection between PTM 535BZ and ECO 200 can either be made mechanically di rect connection between the ECO 200 contacts and the PTM 535BZ contacts or by wiring For a mechanical connection PTM 535BZ provides two pairs of AC1 and AC2 contact pads on the bottom of the PCB Having two pairs of contacts enables the user to select the orient...

Page 11: ... missioning LRN telegram and to execute the channel selection process in Zigbee Green Power 2 4 4 Radio subsystem PTM 535BZ integrates a radio transceiver including a 2 4 GHz antenna for the transmission of Bluetooth Low Energy BLE or Zigbee Green Power ZGP radio telegrams The BLE radio functionality is described in Chapter 3 the ZGP radio functionality is described in Chapter 4 By default PTM 535...

Page 12: ...ng can be changed by the user via the NFC interface and is NFC readable SECURITY_KEY1 will be reset to its factory programmed value by a Factory Reset as described in Chapter 5 1 4 3 SECURITY_KEY2 has to be programmed by the user via the NFC interface and is not NFC readable SECURITY_KEY2 will be updated to a new random value upon Factory Reset as described in Chapter 5 1 4 3 or if PTM 535BZ is tr...

Page 13: ... action press or release is executed as when the LRN button became pressed and ECO 200 was actuated For the other direction release or press no telegram will be transmitted If for instance the LRN button is pressed by the user and ECO 200 is then actuated into press direction then PTM 535BZ will transmit commissioning telegrams as long as the LRN button remains pressed and ECO 200 is moved into th...

Page 14: ... the three BLE advertising channels BLE Channel 37 38 and 39 defined for transmission Use of different radio channels within the frequency band from 2402 MHz to 2480 MHz can be configured using the NFC configuration interface as de scribed in Chapter 5 6 3 and Chapter 5 6 7 Table 1 below summarizes the supported radio channels that can be selected via the NFC configuration interface Radio Channel ...

Page 15: ... CH54 2431 MHz CH76 2475 MHz CH77 2477 MHz CH78 2479 MHz BLE Advertising Channel BLE Data Channel Custom Data Channel Figure 5 PTM 535BZ BLE radio channel assignment within the 2 4 GHz ISM band 3 1 3 Data whitening Data whitening prevents data with longs sequences of 0 s and 1 s from introducing a DC bias into the transmitted signal or from having a non uniform power distribution over the occupied...

Page 16: ...is approach increases transmission reliability by providing redundancy in time by transmitting the same telegram at different times and redundancy in frequency by transmitting the same telegram on different radio channels The default radio channels are the advertising channels Channel 37 38 and 39 they can be changed to different radio channels via the NFC configuration interface as described in C...

Page 17: ...an one byte then the least significant byte is transmitted first Considering for instance the case of the four byte Access Address 0x8E89BED6 these 4 bytes will be transmitted and received in the order 0xD6 first 0xBE second 0x89 third and 0x8E last 3 3 2 Preamble The BLE Preamble is 1 byte long and identifies the start of the BLE frame The value of the BLE Preamble is always set to 0xAA 3 3 3 Acc...

Page 18: ...ring manufacturing and remain constant unless the user configures a different source address via NFC Static source addresses are identified by the two most significant bits Bit 47 and Bit 46 in Figure 9 being set to 0b11 The structure of PTM 535BZ static source addresses is as follows The upper 2 bytes of the source address are used to identify the device type and set to 0xE215 for all PTM 535BZ d...

Page 19: ...PTM 535BZ and the receiver both know a common security key the so called Identity Resolution Key IRK This IRK is used to derive an authentication signature hash from a random plaintext value prand as shown in Figure 10 Figure 10 Resolvable private address generation The mechanism used to generate hash from prand and IRK is shown in Figure 11 Figure 11 Execution flow for resolving private addresses...

Page 20: ...er transmitter that have been commissioned To identify the originator of a message the receiver will sequentially try all IRK from its list until it finds a matching IRK that derives the hash value from the prand value This IRK then identifies the originator of the message Figure 13 below illustrates the address resolving scheme for resolvable private addresses For an example of resolving a resolv...

Page 21: ...pe field identifies the data type used for this telegram For PTM 535BZ data telegrams this field is always set to 0xFF to designate manufacturer specific data Manufacturer ID 2 byte The Manufacturer ID field is used to identify the manufacturer of BLE devices based on assigned numbers EnOcean has been assigned 0x03DA as manufacturer ID code The Manufacturer ID can be changed via NFC as described i...

Page 22: ...ring towards the PCB This default behaviour can be inverted using the NFC interface if required so that a press action would be a move of the ECO 200 spring towards the PCB and a release action would be a move of the ECO 200 spring away from the PCB If INPUT1 or INPUT2 are connected to GND while ECO 200 is actuated press action or release action then this is indicated by the according status bit s...

Page 23: ...pplicable table index will be transmitted in the IN PUT_STATUS field of the BLE data telegram Setting an entry to 0xFF means that PTM 535BZ will not transmit a data telegram if this particular input event occurs This could for instance be useful if PTM 535BZ should send a data telegram only on button push but no data telegram on button release The default values of the eight entries in the custom ...

Page 24: ...uence counter the device source address and the telegram payload Changing any of these three parameters will therefore result in a different signature The receiver performs the same signature calculation based on sequence counter source address and the remaining telegram data of the received telegram using the security key it received from PTM 535BZ during commissioning The receiver then compares ...

Page 25: ... least significant byte first Figure 17 below shows the structure of the Nonce Figure 17 Nonce structure The Nonce and the 128 bit device unique security key by default SECURITY_KEY1 alterna tively SECURITY_KEY2 are then used to calculate a 32 bit signature of the authenticated telegram payload shown in Figure 18 below LEN 0x0C TYPE 0xFF MANUFACTURER_ID Little Endian 0xDA SEQUENCE_COUNTER Little E...

Page 26: ... a continuously incrementing counter used for security pro cessing It is initialized to 0x00000000 at the time of production and incremented for each telegram data telegram or commissioning telegram sent Security Key 16 byte Each PTM 535BZ device contains its own 16 byte device unique random security key SECURITY_KEY1 which is generated and programmed during manufacturing It is transmitted during ...

Page 27: ...n of a commissioning telegram has been re quested via the NFC interface If the LRN button remains pressed then commissioning telegrams will be transmitted when ever the same ECO action press or release is executed as when the LRN button became pressed and ECO 200 was actuated For the other direction release or press no telegram will be transmitted If for instance the LRN button is pressed by the u...

Page 28: ...one of the primary channels Channel Number Channel Type Center Frequency 11 default Primary Channel 2405 MHz 12 Standard Channel 2410 MHz 13 Standard Channel 2415 MHz 14 Standard Channel 2420 MHz 15 Primary Channel 2425 MHz 16 Standard Channel 2430 MHz 17 Standard Channel 2435 MHz 18 Standard Channel 2440 MHz 19 Standard Channel 2445 MHz 20 Primary Channel 2450 MHz 21 Standard Channel 2455 MHz 22 ...

Page 29: ...ffset Figure 20 below shows the ZGP radio transmission sequence used by PTM 535BZ for data telegrams Figure 20 ZGP radio transmission sequence for data telegrams PTM 535BZ transmits ZGP commissioning telegrams which are much longer than ZGP data telegrams as a set of redundant transmissions where the same data telegram is transmitted 2 times The timing interval between the start of the two consecu...

Page 30: ...orrect reception of the IEEE 802 15 4 frame is ensured using a 2 byte Cyclic Redundancy Check CRC16 which forms the IEEE 802 15 4 MAC Trailer field 4 3 2 Byte order ZGP uses little endian byte order meaning that if a data structure e g Source Address Frame Control or Sequence Number is bigger than 1 byte then the least significant byte is transmitted first Considering the case of the 4 byte Source...

Page 31: ...46 byte 0x2E 0x00 0x06 0x10 Omitted legacy 42 byte 0x2A Command list with 1 command 45 byte 0x2D Command list with 2 commands 46 byte 0x2E Command list with 3 commands 47 byte 0x2F Command list with 4 commands 48 byte 0x30 Command list with 5 commands 49 byte 0x31 Command list with 6 commands 50 byte 0x32 Command list with 7 commands 51 byte 0x33 Command list with 8 commands 52 byte 0x34 Table 5 T...

Page 32: ...legrams The payload of data telegrams is either 13 byte Device ID 0x07 default or 12 byte all other supported Device ID long Figure 26 below shows the telegram structure for ZGP data telegrams Figure 26 Structure of ZGP data telegrams ZGP data telegrams contain the following fields Frame Control 1 byte The Frame Control field is set to 0x8C Extended Frame Control 1 byte The Extended Frame Control ...

Page 33: ...pe as defined by the ZGP specification 3 Table 6 below lists the ZGP Device ID that are supported by PTM 535BZ Device ID Description Payload size 0x00 Simple Generic 1 state Switch 1 byte 0x01 Simple Generic 2 state Switch 1 byte 0x02 ON OFF Switch 1 byte 0x03 Level Control Switch 1 byte 0x05 Advanced Generic 1 state Switch 1 byte 0x06 Advanced Generic 2 state Switch 1 byte 0x07 Default Generic 8 ...

Page 34: ...ring towards the PCB This default behaviour can be inverted using the NFC interface if required so that a press action would be a move of the ECO 200 spring towards the PCB and a release action would be a move of the ECO 200 spring away from the PCB The Button Status field following the 0x69 0x6A ZGP Command encodes the status of the input signals INPUT1 and INPUT2 as defined by the ZGP specificat...

Page 35: ...e PCB and that a Release action is a move of the ECO 200 spring towards the PCB Table 8 below shows the structure of this command table together with the default ZGP command for each of the eight possible combinations Table Index INPUT2 Status INPUT1 Status ECO 200 Action Default Command ZGP_COMMAND_0 Not connected Not connected Press action 0x22 ZGP_COMMAND_1 Not connected Not connected Release a...

Page 36: ...and therefore this field is set to 0x07 If an alternative Device ID from the list of supported Device ID in Table 6 is selected by the user then this field will be set accordingly Options 1 byte The Option field provides information about the structure of the commissioning tele gram It is set to 0x85 if Application Info is present default and to 0x81 if Application Info is not present optional set...

Page 37: ...onsists of the following fields Type 1 byte The Type field identifies the type of the application information that follows Length 1 byte The Length field indicates the size number of bytes of application information data that follows Data variable The Data field contains either the application information data Figure 29 below shows the structure of the Application Information field Figure 29 Appli...

Page 38: ...encoding 4 4 2 3 Application Information for Device ID other than 0x07 The Application Information structure for Device ID other than 0x07 contains the list of sup ported commands Figure 32 below illustrates the Application Information structure for De vice ID other than 0x07 Figure 32 Application Information structure for Device ID other than ID 0x07 The Application Information Type field is set ...

Page 39: ... to the ZGP speci fication 3 for details about ZGP data telegram authentication 4 5 Channel selection ZGP uses the IEEE 802 15 4 radio standard 5 for telegram transmissions which defines 16 radio channels designated as Channel 11 Channel 26 as described in Chapter 4 1 The radio channel used for communication is selected when a ZGP network is formed and usually remains the same throughout the lifet...

Page 40: ...ed ECO 200 harvester In manual channel selection mode PTM 535BZ will announce its identity Source Address Device ID Application Information Security Material sequentially on different radio chan nels If a ZGP network operates on the currently used radio channel and is configured to accept new devices for instance by pressing a dedicated button on the receiver then it can signal to the installer fo...

Page 41: ... configured via the NFC interface to use only use the current radio channel to use only the Primary radio channels 11 15 20 25 or to use all radio channels 11 26 default as described in Chapter 5 6 9 If PTM 535BZ is configured to only use the current radio channel then all commissioning telegrams will be on that channel If PTM 535BZ is configured to use only the Primary channels then commissioning...

Page 42: ...can restrict the set of available configuration options for a user with lower level access rights for instance an Installer to avoid unintended reconfiguration of certain device parameters PTM 535BZ supports requests to change the value of configuration register s as well as requests for transmission of a commissioning telegram for factory reset and for transmission of a ZGP decommissioning telegr...

Page 43: ... This re striction is done by clearing the corresponding bits in the USER2_CONFIGURATION_OPTIONS register Only USER1 can change this register 5 1 2 PIN codes USER1 authenticates requests by means of the 4 byte USER1_PIN while USER2 will authen ticate requests by means of the 4 byte USER2_PIN USER1_PIN can only be changed by USER1 after providing the currently active USER1_PIN The default value of ...

Page 44: ...ter 5 6 15 The PTM 535BZ NFC architecture allows for a total of 32 configuration options and functional requests In the current implementation 20 of those are used 18 configuration options 2 functional requests while 12 are reserved for future use RFU Each bit in the USER1_CONFIGURATION_OPTIONS that is set to 0b1 corresponds to a con figuration register that is changeable or a functional request t...

Page 45: ...terface if PTM 535BZ is configured to transmit ZGP telegrams If transmission of a decommissioning telegram has been requested and PTM 535BZ is con figured to transmit ZGP telegrams then a ZGP decommissioning telegram will be transmitted upon the next actuation press or release whichever comes next of the connected ECO 200 harvester After that PTM 535BZ will again transmit data telegrams If PTM 535...

Page 46: ...e device such as the intended installation location or additional instructions NFC HEADER Read access only This area contains information about the NFC revision ACTIVE CONFIGURATION Read access only This area contains the currently used configuration NEW CONFIGURATION Write access PIN required to execute the update This area is used to change configuration values The organization of the PTM 535BZ ...

Page 47: ...fier Value 30S 12 characters BLE Source Address 6 byte variable 30P 10 characters Ordering Code S3231 A535 2P 4 characters Step Code and Revision AB04 3C 2 characters Header Start Address 29 0x29 16S 8 characters SW Version Example 01000000 01 00 00 00 Table 11 NDEF Parameters 5 4 USER NDEF The USER NDEF area allows the user to store a string of up to 64 characters starting at page 0x18 and ending...

Page 48: ...s field is set to 0x0A since the header structure is 10 bytes long VERSION This field identifies the major revision and is set to 0x01 currently OEM The 16 bit OEM field identifies the manufacturer of the device so that manufacturer specific layout implementations can be determined For EnOcean GmbH this field is set to 0x000B DEVICE_IDENTIFIER The 24 bit DEVICE_IDENTIFIER field identifies an indiv...

Page 49: ...C Page Content Byte 0 Byte 1 Byte 2 Byte 3 0x2C INPUT_CONFIG RADIO_CONFIG 0x30 BLE_TX_CONFIG BLE_SEC_CONFIG BLE_MANUFACTURER_ID 0x31 BLE_SOURCE_ADDRESS 0x32 CH_REG1 CH_REG2 CH_REG3 0x33 0x34 BLE_INPUT_STATUS_0 BLE_INPUT_STATUS_1 BLE_INPUT_STATUS_2 BLE_INPUT_STATUS_3 0x35 BLE_INPUT_STATUS_4 BLE_INPUT_STATUS_5 BLE_INPUT_STATUS_6 BLE_INPUT_STATUS_7 0x38 ZGP_TX_CONFIG ZGP_SEC_CONFIG ZGP_PROTOCOL_CONFI...

Page 50: ...CO 200 harvester spring towards the PTM 535BZ PCB is consid ered as press event Additionally the input signals INPUT1 and INPUT2 described in chapter 2 4 2 can be disa bled using the corresponding status bits INPUT1 and INPUT2 If an input is disabled then it will always be treated as if it is not connected Figure 36 below shows the structure of the INPUT_CONFIG register Figure 36 INPUT_CONFIG regi...

Page 51: ...sion power By default PTM 535BZ will use a transmission power of 4 dBm The transmission power can be reduced to 0 dBm by setting the TX_POWER bit to 0b1 Figure 37 below shows the structure of the RADIO_CONFIG register Figure 37 RADIO_CONFIG register The bit fields within the RADIO_CONFIG register are shown in Table 15 below The default settings are shown in bold Bit Configuration Option Supported ...

Page 52: ...tting is that a data rate of 1 Mbit s is used this can be in creased to 2 Mbit s by setting the BLE_DATA_RATE field to 0b1 The BLE_ADV_INTERVAL field is used to select the advertising interval between two adver tising events as described in Chapter 3 2 The default setting is that an advertising interval of 20 ms is used this can be reduced to 10 ms by setting the BLE_ADV_INTERVAL field to 0b1 The ...

Page 53: ...ms on 2 custom channels CH1 CH2 0b011 Commissioning Telegrams on Advertising Channels Data Telegrams on 1 custom channel CH1 0b100 Commissioning Telegrams 3 custom channels CH1 CH2 CH3 Data Telegrams on 3 custom channels CH1 CH2 CH3 0b101 Commissioning Telegrams on 2 custom channels CH1 CH2 Data Telegrams on 2 custom channels CH1 CH2 0b110 Commissioning Telegrams on 1 custom channel CH1 Data Teleg...

Page 54: ...ld is used to enable and disable transmission of a BLE commis sioning telegram if the LRN button is pressed and SECURITY_KEY1 is selected By default a BLE commissioning telegram will be transmitted if the LRN button is pressed and the ECO 200 harvester is actuated Transmission of a commissioning telegram can be disabled by setting the BLE_LRN_BUTTON field to 0b1 Figure 39 below shows the BLE_SEC_C...

Page 55: ... to identify itself as the originator of BLE radio telegrams as described in chapter 3 3 5 1 The two most significant byte of this address are always 0xE215 i e the address always starts with 0xE215 The four least significant byte of this address are assigned during manufacturing and are listed in the BLE_SOURCE_ADDRESS register The resulting 6 byte Static Source Address used by PTM 535BZ for the ...

Page 56: ... standard values as described in Chapter 3 4 1 2 This feature can be enabled by setting the BLE_INPUT_STATUS field of the BLE_TX_CONFIG register to 0b1 If this feature is enabled then PTM 535BZ will select the value of the INPUT_STATUS field within the BLE data telegram from one of the eight registers BLE_INPUT_STATUS_0 BLE_INPUT_STATUS_7 depending on the input status The Index field provided in T...

Page 57: ...annot be changed with the LRN button Figure 43 below shows the structure of the ZGP_TX_CONFIG register Figure 43 ZGP_TX_CONFIG register structure The bit fields within the ZGP_TX_CONFIG register are shown in Table 18 below The default settings are shown in bold Bit Configuration Option Supported Settings 3 0 ZGP_TX_CHANNEL Defines the radio channel used for ZGP telegram transmissions 0b0000 IEEE 8...

Page 58: ... If transmission of commissioning telegrams is disabled then the ZGP radio channel has to be selected using ZGP_TX_CHAN NEL Figure 44 below shows the structure of the ZGP_SEC_CONFIG register Figure 44 ZGP_SEC_CONFIG register structure The bit fields within the ZGP_SEC_CONFIG register are shown in Table 19 below The de fault settings are shown in bold Bit Configuration Option Supported Settings 1 0...

Page 59: ...vice ID 0x07 is used This field has no effect when a Device ID other than 0x07 is used Figure 45 below shows the structure of the ZGP_PROTOCOL_CONFIG register Figure 45 ZGP_PROTOCOL_CONFIG register structure The bit fields within the ZGP_PROTOCOL_CONFIG register are shown in Table 20 below The default settings are shown in bold Bit Configuration Option Supported Settings 2 0 ZGP_DEVICE_ID Selects ...

Page 60: ...ccording to the status of the INPUT1 and INPUT2 signals and the ECO 200 action Setting the value of a ZGP_COMMAND_x x 0 7 register to 0xFF will cause PTM 535BZ no to transmit a data telegram This can for instance be useful is PTM 535BZ should only transmit a data telegram upon button press but not on release 5 6 14 SECURITY_KEY1 SECURITY_KEY2 and SECURITY_KEY3 As described in Chapter 2 5 PTM 535BZ...

Page 61: ...or USER2 are marked by the corresponding bit in the USER2_CONFIGURATION_OP TIONS register set to 0b1 USER1 can restrict the available configuration options for USER2 by setting the corresponding bits in the USER2_CONFIGURATION_OPTIONS register to 0b0 5 6 15 1 SECURITY OPTIONS option group Table 21 below shows the configuration options belonging to the SECURITY OPTIONS group Two fields in this conf...

Page 62: ...b1 Allowed 0b1 Allowed 5 0x20 ZGP_DECOMMISSIONING_REQUEST 0b1 Allowed 0b1 Allowed 6 0x40 RFU 0b0 Not Allowed 0b0 Not Allowed 7 0x80 RFU 0b0 Not Allowed 0b0 Not Allowed Table 22 ZGP OPTIONS group 5 6 15 3 BLE OPTIONS group Table 23 below shows the configuration options belonging to the BLE OPTIONS configuration group Two fields in this configuration group are reserved for future use and can therefo...

Page 63: ...FACTORY_RESET_REQUEST 0b1 Allowed 0b1 Allowed 2 0x04 RFU 0b0 Not Allowed 0b0 Not Allowed 3 0x08 RFU 0b0 Not Allowed 0b0 Not Allowed 4 0x10 BUTTON_CONFIG 0b1 Allowed 0b1 Allowed 5 0x20 RADIO_CONFIG 0b1 Allowed 0b1 Allowed 6 0x40 RFU 0b0 Not Allowed 0b0 Not Allowed 7 0x80 RFU 0b0 Not Allowed 0b0 Not Allowed Table 24 SYSTEM OPTIONS group 5 6 16 SEQUENCE_COUNTER PTM 535BZ maintains a 4 byte BLE Sequen...

Page 64: ...ommissioning Request 0x3A 0x5A 0x7A 0x9A 0xBA Factory Reset Request 0x3B 0x5B 0x7B 0x9B 0xBB ZGP Decommissioning Request 0x3C 0x5C 0x7C 0x9C 0xBC Table 25 CONFIGURATION STATUS encoding The following status can be reported SUCCESS The configuration update or the function request were successfully executed IN PROGRESS The configuration update or the functional request is in progress until the ECO 20...

Page 65: ...THENTICATION 0x53 0x54 INPUT_CONFIG RADIO_CONFIG 0x58 BLE_TX_CONFIG BLE_SEC_CONFIG BLE_MANUFACTURER_ID 0x59 BLE_SOURCE_ADDRESS 0x5A CH_REG1 CH_REG2 CH_REG3 0x5B 0x5C BLE_INPUT_STATUS_0 BLE_INPUT_STATUS_1 BLE_INPUT_STATUS_2 BLE_INPUT_STATUS_3 0x5D BLE_INPUT_STATUS_4 BLE_INPUT_STATUS_5 BLE_INPUT_STATUS_6 BLE_INPUT_STATUS_7 0x60 ZGP_TX_CONFIG ZGP_SEC_CONFIG ZGP_PROTOCOL_CONFIG 0x61 ZGP_SOURCE_ID 0x64...

Page 66: ... authenticated then PTM 535BZ will check if the user is permitted to execute the request and for the case of a configuration update check if the user is permitted to change the configuration registers specified in the CONFIGURATION_SELECTION register If one several or all registers cannot be changed by the user then PTM 535BZ will abort the update process and set the REQUEST_STATUS register to PER...

Page 67: ...P Decommissioning Request 0x14 USER2 Configuration Update Request 0x19 Commissioning Telegram Transmission 0x1A Factory Reset Request 0x1B ZGP Decommissioning Request 0x1C Table 27 REQUEST_ID encoding The execution of the request can be verified using the REQUEST_STATUS register as de scribed in Chapter 5 6 17 5 7 3 CONFIGURATION_SELECTION The CONFIGURATION_SELECTION register is used to specify th...

Page 68: ...annot be changed by him then PTM 535BZ will respond to the request with CONFIG_STATUS PERMISSION_ERROR The user may change the settings for one or several configuration registers at the same time 5 7 3 1 SECURITY configuration group Table 28 below shows the configuration options belonging to the SECURITY CONFIGURATION group Two fields in this configuration group are reserved for future use and can...

Page 69: ...U 0b0 Do not update 4 0x10 ZGP_PROTOCOL_CONFIG 0b0 Do not update 0b1 Update 5 0x20 ZGP_DECOMMISSIONING_REQUEST 0b0 This is a request and not a register 6 0x40 RFU 0b0 Do not update 7 0x80 RFU 0b0 Do not update Table 29 SECURITY OPTIONS group 5 7 3 3 BLE configuration group Table 30 below shows the configuration options belonging to the BLE configuration group Two fields in this configuration group...

Page 70: ...ettings 0 0x01 LRN_TELEGRAM_REQUEST 0b0 This is a request and not a register 1 0x02 FACTORY_RESET_REQUEST 0b0 This is a request and not a register 2 0x04 RFU 0b0 Do not update 3 0x08 RFU 0b0 Do not update 4 0x10 BUTTON_CONFIG 0b0 Do not update 0b1 Update 5 0x20 RADIO_CONFIG 0b0 Do not update 0b1 Update 6 0x40 RFU 0b0 Do not update 7 0x80 RFU 0b0 Do not update Table 31 SYSTEM configuration group 5 ...

Page 71: ...rrently active NFC PIN in the REQUEST_AUTHENTICATION register to authenticate the request Specify the new NFC PIN in the USER1_PIN register if updating the PIN for USER1 or the USER2_PIN register if updating the PIN for USER2 After that click the connected ECO 200 harvester 5 times in each direction to provide the required energy for the update Make sure that the new PIN code is properly noted esp...

Page 72: ...table smartphone with NFC functionality The selected reader has to support NFC read and write operations according to the ISO15693 standard For PC based applications EnOcean recommends the TWN4 Multitech 2 HF NFC Reader or der code T4BT FB2BEL2 SIMPL from Elatec RFID Systems sales rfid elatec com This reader is shown in Figure 51 below Figure 51 Elatec TWN4 MultiTech Desktop NFC Reader Many modern...

Page 73: ...bining one of the existing variants with an ECO 200 harvester can therefore also be used with PTM 535BZ Note that PTM 535BZ does not provide meander contacts on board those have been replaced with the NFC configuration interface Note also that PTM 535BZ provides five boundary contacts AC1 AC2 INPUT1 INPUT2 GND at different positions compared to previous designs 6 1 Product dimensions Figure 52 bel...

Page 74: ...x 2 walls Ferro concrete walls ceilings Typically 5 m range through max 1 ceiling depending on thickness Fire safety walls elevator shafts staircases and similar areas should be considered as shielded The angle at which the transmitted signal hits the wall is very important The effective wall thickness and with it the signal attenuation varies according to this angle Signals should be transmitted ...

Page 75: ... essen tial requirements and other relevant provisions of Directive 2014 53 EU A copy of the Dec laration of Conformity can be obtained from the product webpage at www enocean com 8 1 2 Waste treatment WEEE Directive Statement of the European Union The marking below indicates that this product should not be disposed with other household wastes throughout the EU To prevent possible harm to the envi...

Page 76: ...NUAL PREVIEW PTM 535BZ BLUETOOTH AND ZIGBEE GREEN POWER PUSHBUTTON TRANSMITTER 2021 EnOcean www enocean com F 710 017 V1 0 PTM 535BZ User Manual v1 0 May 2021 Page 76 112 8 2 ARIB Japan 8 2 1 ARIB certificate ...

Page 77: ...he product history of PTM 535BZ Revision Release date Key changes versus previous revision CA 05 January 2021 Product preview lead customers only DA 06 May 2021 Market release for all customers Table 32 Product History 10 References 1 ECO 200 Website 2 Bluetooth Core Specification 3 Zigbee Green Power Specification 4 RFC3610 5 IEEE 802 15 4 6 Bluetooth Assigned Numbers Company Identifiers 7 Elatec...

Page 78: ...ny suitable NFC writer supporting the NFC ISO15693 interface for instance a smartphone with built in NFC support or a PC with a suitable NFC writer A 1 Elatec NFC configuration tool Elatec RFID Systems provides a PC NFC configuration tool called Director as part of their software support package 7 which will be used as reference for the examples given here Figure 53 below shows the user interface ...

Page 79: ...x20 0x12 0x34 0x56 0x78 ISO15693_ReadSingleBlock page_address read_buffer_size This command is used to read a four byte NFC data page Data is returned in the order data_byte0 data_byte1 data_byte2 data_byte3 Read buffer size must be large enough to hold all returned data i e minimum 4 Example ISO15693_ReadSingleBlock 0x20 FF A 1 2 Translation into binary data If the user intends to use these comma...

Page 80: ...irtual COM port by issuing request data and parsing the corresponding response data The Elatec NFC reader uses 9600 baud as baud rate this is normally detected automati cally by the virtual COM port driver If the user application sends a binary command with the required data then the Elatec NFC reader will respond accordingly Figure 55 below shows this using the example of a write and a read opera...

Page 81: ...he content of the registers to be updated Applies if configuration request type is register update Update values are provided in the corresponding register of the NEW CONFIGURA TION area as described in Chapter 5 7 Registers for which no update has been re quested can be written as 0x00 their content will not be changed 5 Actuate the connected ECO 200 harvester five times in each direction to prov...

Page 82: ...telegram can also be requested via the NFC interface A 3 1 1 Commissioning telegram request by USER1 Transmission of a commission telegram can be requested by USER1 as follows Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_WriteSingleBlock 0x0050 0x12 0x00 0x00 0x00 Identify request and originator Commissioning Telegram Request Issued by USER1 ISO15693_WriteSi...

Page 83: ...de Response Type Description 0x3A SUCCESS The requested operation was successfully executed 0x5A IN PROGRESS The requested operation is in progress Additional ECO actuations are required to complete the operation 0x7A PIN ERROR The provided PIN code USER2_PIN is incorrect 0x9A PERMISSION ERROR The requested operation is not permitted USER1 has disabled this request for USER2 A 3 2 ZGP decommission...

Page 84: ...ssion telegram can be requested by USER2 as follows Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_WriteSingleBlock 0x0050 0x1C 0x00 0x00 0x00 Identify request and originator Commissioning Telegram Request Issued by USER2 ISO15693_WriteSingleBlock 0x0052 0x03 0x00 0x35 0xE5 Authenticate request PIN Code of USER2 PTM 535BZ will evaluate and execute this request...

Page 85: ...uested operation was successfully executed 0x53 IN PROGRESS The requested operation is in progress Additional ECO actuations are required to complete the operation 0x73 PIN ERROR The provided PIN code USER1_PIN is incorrect A 3 3 2 Factory reset request by USER2 Factory reset can be requested by USER2 as follows Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_W...

Page 86: ...of the configuration request optional A 4 1 1 Configuration request for USER1 Configuration requests for USER1 use the following sequence Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_WriteSingleBlock 0x0050 0x11 0x00 0x00 0x00 Identify request Configuration request by USER1 ISO15693_WriteSingleBlock 0x0052 0x02 0x00 0x35 0xE5 Authenticate request PIN Code of...

Page 87: ...will all be given for USER2 they can be adjusted to USER1 accordingly Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_WriteSingleBlock 0x0050 0x19 0x00 0x00 0x00 Identify request Configuration request by USER2 ISO15693_WriteSingleBlock 0x0052 0x03 0x00 0x35 0xE5 Authenticate request PIN Code of USER2 ISO15693_WriteSingleBlock 0x0051 0xNN 0xNN 0xNN 0xNN Identify...

Page 88: ...00 0x00 Identify register s to update SECURITY USER1_PIN ISO15693_WriteSingleBlock 0x0079 0x12 0x34 0x56 0x78 Provide new value 0x12345678 for USER1_PIN Make sure that the new PIN code is properly noted when changing USER1_PIN For security reasons it is not possible to modify or reset USER1_PIN unless the current USER1_PIN is known A 4 2 2 Changing USER2_PIN USER2_PIN is used to authenticate reque...

Page 89: ...ptions that are available by reading the USER1_CONFIGURATION_OPTIONS register This allows handling different product revisions where some features are present in one revision only The USER1_CONFIGURATION_OP TIONS register can be read as follows Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_ReadSingleBlock 0x0045 0xFF Read USER1_CONFIGURATION_OPTIONS This comm...

Page 90: ...n the four byte USER2_CONFIGURATION_OPTIONS as described in Chapter 5 6 15 This is shown below for reference USER2_CONFIGURATION_OPTIONS ADDRESS 0x46 VALUE 0x87 37 3F 33 Position Byte 0 SECURITY Byte 1 ZGP Byte 2 BLE Byte 3 SYSTEM 0x01 SECURITY_KEY1 0b1 ZGP_TX_CONFIG 0b1 BLE_TX_CONFIG 0b1 LRN_TELEGRAM_ REQUEST 0b1 0x02 SECURITY_KEY2 0b1 ZGP_SEC_CONFIG 0b1 BLE_SEC_CONFIG 0b1 FACTORY_RESET_ REQUEST ...

Page 91: ...osition Byte 0 SECURITY Byte 1 ZGP Byte 2 BLE Byte 3 SYSTEM 0x01 SECURITY_KEY1 0b1 ZGP_TX_CONFIG 0b1 BLE_TX_CONFIG 0b1 LRN_TELEGRAM_ REQUEST 0b1 0x02 SECURITY_KEY2 0b1 ZGP_SEC_CONFIG 0b1 BLE_SEC_CONFIG 0b1 FACTORY_RESET_ REQUEST 0b1 0x04 SECURITY_KEY3 0b1 ZGP_BUTTON_MAP 0b1 BLE_BUTTON_MAP 0b1 RFU 0b0 0x08 RFU 0b0 RFU 0b0 BLE_SOURCE_ADDRESS 0b1 RFU 0b0 0x10 USER2_CONFIG_ OPTIONS 0b0 ZGP_PROTOCOL_ C...

Page 92: ...FC A 4 2 7 Writing SECURITY_KEY1 SECURITY_KEY1 is initialized to a random value during production this value can be changed by the user Factory reset will restore the value set at production To write SECURITY_KEY1 follow these steps Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_WriteSingleBlock 0x0050 0x19 0x00 0x00 0x00 Identify request Configuration request...

Page 93: ...KEY2 via the NFC interface To write SECURITY_KEY2 follow these steps Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_WriteSingleBlock 0x0050 0x19 0x00 0x00 0x00 Identify request Configuration request by USER2 ISO15693_WriteSingleBlock 0x0052 0x03 0x00 0x35 0xE5 Authenticate request PIN Code of USER2 ISO15693_WriteSingleBlock 0x0051 0x02 0x00 0x00 0x00 Identify ...

Page 94: ...5 0xE5 Authenticate request PIN Code of USER2 ISO15693_WriteSingleBlock 0x0051 0x00 0x01 0x00 0x20 Identify register s to update SYSTEM RADIO_CONFIG ZGP ZGP_TX_CONFIG ISO15693_WriteSingleBlock 0x0054 0x00 0x01 0x00 0x00 Provide new register value for RADIO_CFG 0x01 Transmit ZGP Telegrams ISO15693_WriteSingleBlock 0x0060 0x04 0x00 0x00 0x00 Provide new value for ZGP_TX_CONFIG 0x04 Radio channel 15 ...

Page 95: ...02 A 4 3 3 ZGP input status encoding As described in Chapter 4 4 1 3 the user can change the input status encoding for Device ID other than 0x07 from the default encoding listed in Table 8 to a user defined encoding For this example we assume that we want to change the commands send when ECO 200 is actuated from 0x22 0x23 Toggle Release to 0x20 0x21 On Off and leave the remaining commands as is To...

Page 96: ...s will be encoded like a B0 press on a PTM 215B module INPUT_STATUS 0x09 and no telegram will be sent when the ECO is released INPUT_STATUS 0xFF meaning that no telegram will be sent Such input status encoding could be helpful when using a push button based on PTM 535BZ in toggle mode where each press of the button will toggle the status of the receiver This can be achieved by following these step...

Page 97: ... 0x00 Identify request Configuration request by USER2 ISO15693_WriteSingleBlock 0x0052 0x03 0x00 0x35 0xE5 Authenticate request PIN Code of USER2 ISO15693_WriteSingleBlock 0x0051 0x00 0x00 0x02 0x00 Identify register s to update BLE BLE_SEC_CONFIG ISO15693_WriteSingleBlock 0x0058 0x00 0x04 0x00 0x00 Provide new value BLE_SEC_CONFIG 0x04 To select SECURITY_KEY1 again follow these steps Command Desc...

Page 98: ...G ISO15693_WriteSingleBlock 0x0054 0x00 0x01 0x00 0x00 Provide new value for RADIO_CFG 0x01 Transmit BLE telegrams PTM 535BZ can be configured by USER2 to use BLE as radio protocol as follows Command Description SearchTag 32 Connect to tag Search for up to 32 byte ID ISO15693_WriteSingleBlock 0x0050 0x19 0x00 0x00 0x00 Identify request Configuration request by USER2 ISO15693_WriteSingleBlock 0x005...

Page 99: ...st by USER2 ISO15693_WriteSingleBlock 0x0052 0x03 0x00 0x35 0xE5 Authenticate request PIN Code of USER2 ISO15693_WriteSingleBlock 0x0051 0x00 0x00 0x00 0x10 Identify register s to update SYSTEM BUTTON_CONFIG ISO15693_WriteSingleBlock 0x0054 0x01 0x00 0x00 0x00 Provide new value for BUTTON_CFG 0x01 ECO_DIRECTION inverted PTM 535BZ can be configured by USER2 to use the standard encoding as follows C...

Page 100: ...not possible periodically in receive mode for a sufficiently long duration B 1 Scanning parameters Three key timing parameters have to be considered when configuring a receiver scanner for periodical reception of advertising events sent by a transmitter advertiser These three parameters are Advertising interval Time between two advertising events sent by the transmitter Scan interval Time between ...

Page 101: ...n where the receiver starts scanning directly after the start of one transmission and therefore misses a part of it Under these conditions it is necessary that the receiver remains active until the next advertising telegram has been fully transmitted This is illustrated in Figure 57 below Advertising Interval Scan Window Advertising Advertising Figure 57 Scan window setting Figure 57 above shows t...

Page 102: ...interval If PTM 535BZ uses 20 ms advertising intervals then the scan interval has to be less than the time between the end of the first advertising event and the begin of the third advertising event 2 20 ms 40 ms minus 0 5 ms telegram duration mi nus a timing margin to account for the random time offset at the transmitter Using a scan interval of no more than 37 ms is recommended for this case If ...

Page 103: ...E frame structure The message shown above can be parsed into the following components keep in mind the little endian byte order BLE Access Address 4 byte 0x8E89BED6 Advertising BLE Frame Control 2 byte 0x1342 Size of source address payload 0x13 19 byte Telegram type Non connectable Advertising BLE Source Address 6 byte 0xE21510000006 Length of payload 1 byte 0x0C 12 byte Type of payload 1 byte 0xF...

Page 104: ...ep in mind the little endian byte order BLE Access Address 4 byte 0x8E89BED6 BLE Frame Control 2 byte 0x2442 Size of source address payload 0x24 36 byte Telegram type Non connectable Advertising BLE Source Address 6 byte 0xE21510000006 Length of payload 1 byte 0x1D 29 byte Type of payload 1 byte 0xFF manufacturer specific data Manufacturer ID 2 byte 0x03DA EnOcean GmbH EnOcean Payload 27 byte 41 0...

Page 105: ...lgorithm and telegram properties and are the same for any PTM 535BZ telegram Variable algorithm input parameters These parameters identify telegram specific parameters and therefore depend on the specifics of the transmitted telegram D 1 1 Constant input parameters The RFC3610 implementation in PTM 535BZ requires two constant input parameters Length field size This is the size in byte of the field...

Page 106: ...enticated The length of the payload to be authenticated is 9 byte for PTM 535BZ data telegrams Security key Each PTM 535BZ is programmed with a random 16 byte security key during manufac turing Table 35 below summarizes these parameters and provides the corresponding values from the data telegram example in Appendix C 1 Parameter Comment Description Example Source Address Unique source address of ...

Page 107: ... it is transmitting BLE telegrams Via NFC by reading SECURITY_KEY1 or by writing SECURITY_KEY2 Via the product label which might provide information about SECURITY_KEY1 Via a commissioning telegram as described in Chapter 3 4 3 D 1 4 Internal parameters The RFC3610 implementation in PTM 535BZ derives a set of internal parameters for further processing from the provided input parameters Again there...

Page 108: ...ys B0_Flag 0b01 6 M 3 L 0x49 always i Iteration counter 0x0000 always Table 36 Constant internal parameters D 1 6 Variable internal parameters The RFC3610 implementation in PTM 535BZ derives four internal parameters Nonce A0 B0 and B1 based on the telegram specific input data and the constant internal parameters These variable internal parameters listed in Table 37 below are then used together wit...

Page 109: ...orithm execution sequence The algorithm uses the variable internal parameters A_0 B_0 B_1 together with the private key to generate the authentication vector T_0 using three AES 128 and two XOR operations The algorithm execution sequence is shown in Figure 59 below The first four bytes of T_0 are then used to authenticate PTM 535BZ telegrams Figure 59 Authentication algorithm sequence ...

Page 110: ... Source Address 0600001015E2 little endian representation of E215000019B8 Input Data 0CFFDA034000000001B0561C03 Input Length 0x0009 Sequence Counter 40000000 Security Key 1D76A7A0DE93E7F553132D5894CFF99B The constant internal parameters are always the same Parameter In this example A0_Flag 0x01 always B0_Flag 0x49 always i 0x0000 always Based on variable input data and constant internal algorithm ...

Page 111: ...8 X1A Key X_2 AES128 B3B0AB2E69A2B898D7C8A884AC7A2771 1D76A7A0DE93E7F553132D5894CFF99B X_2 B974A8873BE64E9EB0171A81D8FD53FB S_0 AES128 A0 Key S_0 AES128 010600001015E2400000000000000000 1D76A7A0DE93E7F553132D5894CFF99B S_0 0922B484107EEA202AAB404DB08A0F87 T_0 XOR X_2 S_0 T_0 XOR B974A8873BE64E9EB0171A81D8FD53FB 0922B484107EEA202AAB404DB08A0F87 T_0 B0561C032B98A4BE9ABC5ACC68775C7C The calculated si...

Page 112: ...re solvable private address into prand and hash as follows prand RPA 0xFFFFFF000000 24 prand 0x493970 hash RPA 0x000000FFFFFF hash 0xE51944 Next we verify the address mode by checking the two most significant bit of prand mode prand 0xC00000 22 mode 0b01 Referring to Chapter 3 3 5 2 the setting of 0b01 indicates resolvable private address mode To generate the hash we add 104 bit of padding all zer...

Reviews: