Secured remote AT commands

Secure a node against unauthorized remote configuration

Secured Access is enabled by setting bits of SA (Secure Access). Additionally, an SRP Salt (*S) and verifier (*V, *W, *X, *Y) must be set. You can use XCTU to generate the salt and verifier based on a password.

Configure a node with a salt and verifier

In this example, the password is pickle.

  1. The salt is randomly generated and the verifier is derived from the salt and password as follows:

*S = 0x1938438E

*V = 0x0771F57C397AE4019347D36FD1B9D91FA05B2E5D7365A161318E46F72942A45D

*W = 0xD4E44C664B5609C6D2BE3258211A7A20374FA65FC7C82895C6FD0B3399E73770

*X = 0x63018D3FEA59439A9EFAE3CD658873F475EAC94ADF7DC6C2C005b930042A0B74

*Y = 0xAEE84E7A00B74DD2E19E257192EDE6B1D4ED993947DF2996CAE0D644C28E8307

Note: The salt and verifier will not always be the same, even if the same password is used to generate them.

  2. Enforce secure access for Remote AT Commands by setting Bit 1 of the SA command:

SA = 0x02

  3. Write the configuration to flash using WR (Write).

WARNING! Make sure that this step is completed. If your device resets for any reason and *S, *V, *W, *X, *Y and SA are not written to flash, they will revert to defaults, rendering the node open to insecure access.

  4. From now on, any attempt to issue a Remote AT Command Request - 0x17 to this device will be rejected with a 0x0B status unless a secure session is established first.

Remotely configure a node that has been secured

In the example above, a node is secured against unauthorized remote configuration. In this instance, the secured node acts as a Secure Session Server (remote). The sequence below describes how a Secure Session Client (local) can authenticate and securely configure the server remotely.

Establish a secure session using the password that was set on the server node

  1. Generate a Secure Session Control - 0x2E.
  2. Pass the type 0x2E Control frame into the serial interface of the local client.
  3. Wait for a Secure Session Response - 0xAE to indicate the session establishment succeeded or failed with the reason.
  4. Send remote AT Commands to the remote server using the Remote AT Command Request - 0x17 with bit 4 of the Command Options field set. Bit 4 indicates the AT command should be sent securely.

Note: If you are using 802.15.4 firmware, you must send secured packets using the device's 64-bit address. To do so, set MY (16-bit Source Address) to 0xFFFF.
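The following is an added example, not code from this page or from Digi. It builds a Remote AT Command Request - 0x17 with bit 4 of the Command Options field set, and decodes the matching Remote AT Command Response (0x97) so a 0x0B rejection from a secured node can be recognized. It assumes the standard XBee API frame layout in non-escaped API mode; the node address, the NI query and the 0xFFFE 16-bit address are constructed sample values.

```python
import struct

SECURE = 0x10      # Command Options bit 4: send the AT command securely
NO_SESSION = 0x0B  # status returned when no secure session is established

def api_frame(data: bytes) -> bytes:
    """Wrap frame data in the API envelope: 0x7E, 16-bit length, data, checksum."""
    return b"\x7e" + struct.pack(">H", len(data)) + data + bytes([0xFF - (sum(data) & 0xFF)])

def remote_at_request(frame_id: int, dest64: int, at_cmd: bytes, param: bytes = b"",
                      secure: bool = True, dest16: int = 0xFFFE) -> bytes:
    """Build a Remote AT Command Request (0x17), secured by default."""
    if len(at_cmd) != 2:
        raise ValueError("AT command must be two ASCII characters")
    options = SECURE if secure else 0x00
    head = struct.pack(">BBQHB", 0x17, frame_id, dest64, dest16, options)
    return api_frame(head + at_cmd + param)

def parse_remote_at_response(frame: bytes) -> dict:
    """Validate and decode a Remote AT Command Response (0x97)."""
    if len(frame) < 19 or frame[0] != 0x7E:
        raise ValueError("not a complete API frame")
    (length,) = struct.unpack(">H", frame[1:3])
    if len(frame) != length + 4:
        raise ValueError("length field does not match frame size")
    data = frame[3:-1]
    if (sum(data) + frame[-1]) & 0xFF != 0xFF:
        raise ValueError("bad checksum")
    if data[0] != 0x97:
        raise ValueError("not a Remote AT Command Response")
    _, frame_id, src64, src16 = struct.unpack(">BBQH", data[:12])
    status = data[14]
    return {"frame_id": frame_id, "source": src64, "command": data[12:14],
            "status": status, "needs_session": status == NO_SESSION, "value": data[15:]}

if __name__ == "__main__":
    NODE = 0x0013A20012345678  # constructed 64-bit address, not a real device
    print(remote_at_request(1, NODE, b"NI").hex(" "))
    # Constructed reply: the secured node rejecting a request sent without a session
    reply = api_frame(bytes([0x97, 1]) + NODE.to_bytes(8, "big") + b"\xff\xfeNI\x0b")
    print(parse_remote_at_response(reply))
```

A response with `needs_session` set means the secure session was never established or has ended, so the 0x2E and 0xAE exchange must be repeated before the command is sent again.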