Sunricher Sr-sbp2801-ble-e User manual

This manual suits for next models

Other Sunricher Lighting Equipment manuals

Sunricher

Sunricher SRP-2305-50-TW-CC User manual

Sunricher

Sunricher SR-ZV9001T-CCT-EU User manual

Sunricher

Sunricher SR-2803B Reference manual

Sunricher

Sunricher SR-2400RB-RGB User manual

Sunricher

Sunricher SR-2820B User manual

Sunricher

Sunricher SRP-2309-75-TW-CC User manual

Sunricher

Sunricher SR-2833T2 User manual

Sunricher

Sunricher SR-2830CDMX User manual

Sunricher

Sunricher SR-2819T Series User manual

Popular Lighting Equipment manuals by other brands

Brizo

Brizo 8SP-MU-4 manual

LUCE&LIGHT

LUCE&LIGHT BROM 1.0 installation instructions

IKEA

IKEA BJÖRKSPIREA manual

Laserworld

Laserworld Evolution Series ES-400RGB manual

EuroLite

EuroLite LED B-40 user manual

Qazqa

Qazqa Suplux SL 3 Black 103062 instruction manual

Commercial Electric

Commercial Electric 54568141 Use and care guide

CREE LIGHTING

CREE LIGHTING 304 Series installation instructions

Goobay

Goobay 49867 user manual

ECOMAN ITALIA

ECOMAN ITALIA LED T8 instruction manual

Alkalite

Alkalite Krypton KT-81 user manual

Clas Ohlson

Clas Ohlson GU10 manual

DTS

DTS DELTA 10 F user manual

ring

ring Solar Steplight manual

One Stop Gardens

One Stop Gardens 57696 Owner's manual & safety instructions

SIREM

SIREM Swimeo A2 instructions

Silvair

Silvair MESH-CEDRP quick start guide

S&P

S&P PCRL80 manual

SR-SBP2801-BLE-E Bluetooth Pushbutton Transmitter Module

Important: Read All Instructions Prior to Installation

1.1 Basic functionality

SR-SBP2801-BLE-E are wireless push switches for lighting, building or industrial automation control systems

using Bluetooth® low energy technology.

SR-SBP2801-BLE-E is mechanically compatible with existing switch elements enabling quick integration into a

wide range of designs. Key applications are wall-mounted or portable switches either with up to two rockers or

up to four push buttons.

SR-SBP2801-BLE-E pushbutton transmitters are battery-powered. When the push button is pushed down or

released, a radio telegram according to the Bluetooth® low energy standard is transmitted. This radio telegram

transmits the status of all four push buttons when the push button was pushed down or released. SR-SBP2801-

BLE-E radio telegrams are protected with AES-128 security based on a device-unique private key.

SR-SBP2801-BLE-E is available in the following variants:

1.SR-SBP2801-BLE-E

Stand-alone module without additional components for OEM integration

2.SR-SBP2801K4-BLE-E

SR-SBP2801-BLE-E integrated into European-style single / double rocker wall switch housing

3.SR-SBP2801K4-BLE-E(US)

SR-SBP2801-BLE-E integrated into US-style single or double rocker pad housing

The term “SR-SBP2801-BLE-E” as used in this document applies to all product variants unless otherwise

mentioned. Figure 1 below shows from left to right the SR-SBP2801-BLE-E module, the European wall

switches and the US-style rocker pads.

1. General description

Figure 1 – Standalone Module, European Wall Switches and US-style rocker pads

1.2 Technical data

Dimensions

Weight

Security

Power Supply

Button Inputs

Communication Range (guidance only)

Max. transmit power measured

Antenna

Communication Standard

Data Rate and Modulation

Radio Channels (default)

Configuration Interface

Device Identification

Radio Frequency (min / max)

AES128 (CBC Mode) with Sequence Code

20 g +/- 1g

3VDC (1*CR2430 Battery)

0.4dBm / 1.1mW

Integrated PCB antenna

75 m ideal line of sight / 10 m indoor environment

Up to four buttons or two rockers

40.0 x 40.0 x 11.2 mm

Bluetooth Low Energy (BLE)

Unique 48 Bit Device ID (factory programmed)

1 Mbit/s GFSK (default) / 2 Mbit GFSK (NFC option)

CH 37 / 38 / 39 (2402 MHz / 2426 MHz / 2480 MHZ)

NFC Forum Type 2 Tag (ISO/IEC 14443 Part 2 and 3)

2402 MHz / 2480 MHZ

1.3 Environmental conditions

Operating Temperature

Storage Temperature

Humidity

-25°C ... 65°C

0% to 95% r.h. (non-condensing)

-25°C ... 65°C

2. Functional information

2.1 Product overview

The pushbutton transmitter module SR-SBP2801-BLE-E from Sunricher enables the implementation of

wireless remote controls. It transmits Bluetooth Low Energy (BLE) data telegrams where the required energy is

provided by battery.

The SR-SBP2801-BLE-E product outline with key functional components is shown in Figure 2 below.

2.2 Basic functionality

When the push button is pushed down, a BLE radio telegram is transmitted which identifies the action (pressed

or not pressed) and the status of the four button contacts. Releasing the push button similarly transmits a

different radio telegram.

SR-SBP2801-BLE-E devices contain 4 button contacts which are pushed by an appropriate push button,

switch rocker or a similar construction mounted onto the device.

Button Contact

Snap-in and rotation axis for

pushbuttons or switch rocker

Figure 2 – SR-SBP2801-BLE-E Product Outline

By factory default, this module can not work with those platforms which have integrated

EnOcean switch, to enable this module to work with those platforms and get the same

functionality as the EnOcean switch, please execute the following steps:

Remove the rocker(s) and the switch housing from the SR-SBP2801-BLE-E module. Then,

all four button contacts (A0, A1, B0 and B1) have to be pressed and held at the same time

for over 10 seconds.

How to get the same functionality as EnOcean Switch and replace it

By identifying these different telegrams types and measuring the time between pushing and releasing of the

button, it is possible to distinguish between “Long” and “Short” button contact presses. This enables simple

implementation of applications such as dimming control or blinds control including slat action.

It is therefore possible to distinguish between radio telegrams sent when the button was pushed and radio

telegrams sent when the button was released.

2.3 Functional block diagram

Figure 3 – Functional block diagram of SR-SBP2801-BLE-E

Processor

Determines the status of the button contacts, encodes this status into a data word, generates the proper radio

telegram structure and sends it to the radio transmitter

RF transmitter

Transmits the data in the form of a series of short 2.4 GHz Bluetooth Low Energy radio telegrams using the

integrated antenna

NFC interface

Allows reading and writing certain product parameters using an NFC compliant reader /

writer supporting NFC Forum Type 2 tags (as specified by ISO/IEC 14443 Part 2 and 3).

2.4 User Interface

SR-SBP2801-BLE-E devices provide four button contacts. They

are grouped into two channels

(Channel A and Channel B) each containing two button contacts

(State O and State I).

The state of all four button contacts (pressed or not pressed) is

transmitted together with a unique device identification (48 Bit

device ID) whenever the energy bow is pushed or re- leased.

Figure 4 below shows the arrangement of the four button

contacts and their designation:

3. Telegram transmission

3.1 Radio channel parameters

SR-SBP2801-BLE-E transmits Bluetooth Low Energy (BLE) advertising telegrams within the 2.4 GHz

radio frequency band (2402MHz … 2480MHz).

By default, SR-SBP2801-BLE-E will use the three BLE advertising channels (BLE Channel 37, 38 and

39) defined for transmission. The transmission of a radio telegram on these three advertising channels is

called an Advertising Event.

Use of different radio channels within the frequency band from 2402 MHz to 2480 MHz is possible, see chapter

6.7.10.

The initialization value for data whitening is set as follows:

1.For BLE channels is set according to specification (value = radio channel)

2.For the custom radio channels the initialization value is equal to the offset from 2400 MHZ (e.g. value = 3 for

2403 MHz)

Table 1 below summarizes radio channels supported by SR-SBP2801-BLE-E.

Radio Channel

Frequency

2402 MHZ

2404 MHZ

2406 MHZ

2424 MHZ

2426 MHZ

2428 MHZ

2430 MHZ

2478 MHZ

2480 MHZ

2403 MHZ

2405 MHZ

2477 MHZ

2479 MHZ

Channel Type

BLE Advertising Channel

BLE Data Channel

BLE Advertising Channel

BLE Data Channel

BLE Advertising Channel

Custom Radio Channel

BLE Radio Channels

Custom Radio Channels

...

Table 1 – SR-SBP2801-BLE-E supported radio channels

A B

CHANNEL

STATE

Figure 4 – Button contact designation

Push

Button Battery

CH 37 CH 38 CH 39 INTERVAL

(20ms or 10ms ) CH 37 CH 38 CH 39 INTERVAL

(20ms or 10ms ) CH 37 CH 38 CH 39

Figure 5 – Default radio transmission sequence

3.3 User-defined radio transmission sequences

In certain situations, it might be desirable to transmit radio telegrams on channels other than the three

advertising channels.

SR-SBP2801-BLE-E therefore allows to select the radio channels to be used for the transmission of data

telegrams and commissioning telegrams. The following transmission modes are supported:

1.Both commissioning telegrams and data telegrams are transmitted on the advertising channels as three

advertising events. This is the default configuration and described in chapter 3.2 above.

2.Commissioning telegrams are transmitted on the advertising channels as three advertising events while data

telegrams are transmitted in a user-defined sequence as described below.

3.Both commissioning and data telegrams are transmitted in a user-defined sequence as described below.

The selection of the transmission mode is done using the VARIANT register of the NFC configuration interface

as described in chapter 6.7.9.

3.3.1 Supported radio transmission sequences

SR-SBP2801-BLE-E supports the following user-defined sequences:

1.Three channel sequence

This sequence is similar to the default Advertising Event with the difference that the user can select the radio

channels to be used. The three-channel sequence is described in chapter 3.3.2 below.

2.Two channel sequence

In this sequence the radio telegram is transmitted using four transmissions on two radio channels. It is

described in chapter 3.3.3 below.

3.One channel sequence

In this sequence the radio telegram is transmitted using six transmissions on one radio channel. It is described

in chapter 3.3.4 below.

The selection of user-defined radio transmission sequences is made via the VARIANT register of the NFC

configuration interface, please see chapter 6.7.9.

3.3.2 Three-channel radio transmission sequence

The three-channel radio transmission sequence is similar to the default transmission sequence. The difference

is that the radio channels (BLE Channel 37, 38 and 39 in the default transmission sequence) can be selected

using the registers TX_CHANNEL1, TX_CHANNEL2 and TX_CHANNEL3.

The SR-SBP2801-BLE-E telegram will in this mode be transmitted on the radio channel selected by

TX_CHANNEL1 first, immediately followed by a transmission on the radio channel selected by TX_CHANNEL2

and a transmission on the radio channel selected by TX_CHANNEL3.

This transmission sequence will be sent three times in total as shown in Figure 6 below.

The default interval between the advertising events is 20 ms. Starting with product version DC-06 it is possible

to reduce this interval to 10 ms via the NFC configuration interface. See chapter 6.7.9 for details.

TX_CHANNEL1 TX_CHANNEL2 TX_CHANNEL3

INTERVAL

(20ms or 10ms )

TX_CHANNEL1 TX_CHANNEL2 TX_CHANNEL3 TX_CHANNEL1 TX_CHANNEL2 TX_CHANNEL3

INTERVAL

(20ms or 10ms )

Figure 6 – Three channel radio transmission sequence

The format of TX_CHANNEL1, TX_CHANNEL2 and TX_CHANNEL3 is described in chapter 6.7.10.

3.3.3 Two-channel radio transmission sequence

The two-channel radio transmission sequence removes transmission on the third radio channel (selected by

TX_CHANNEL3) and instead repeats the transmission once more (four times in total).

The SR-SBP2801-BLE-E telegram will in this mode be transmitted on the radio channel selected by

TX_CHANNEL1 first, immediately followed by a transmission on the radio channel selected by

TX_CHANNEL2.

This two-channel transmission sequence will be sent four times in total as shown in Figure 7 below.

The default interval between the advertising events is 20 ms. Starting with product version DC-06 it is possible

to reduce this interval to 10 ms via the NFC configuration interface. See chapter 6.7.9 for details.

Figure 7 – Two channel radio transmission sequence

TX_CHANNEL1

INTERVAL

(20ms or 10ms )

TX_CHANNEL1

INTERVAL

(20ms or 10ms )

TX_CHANNEL1

INTERVAL

(20ms or 10ms )

TX_CHANNEL1

INTERVAL

(20ms or 10ms )

TX_CHANNEL1

INTERVAL

(20ms or 10ms )

TX_CHANNEL1

Figure 8 – Single channel radio transmission sequence

TX_CHANNEL1

INTERVAL

(20ms or 10ms )

TX_CHANNEL2 TX_CHANNEL1

INTERVAL

(20ms or 10ms )

TX_CHANNEL2 TX_CHANNEL1

INTERVAL

(20ms or 10ms )

TX_CHANNEL2 TX_CHANNEL1 TX_CHANNEL2

3.3.4 Single-channel radio transmission sequence

The single-channel radio transmission sequence removes transmission on the second and third radio channel

(selected by TX_CHANNEL2 and TX_CHANNEL3 respectively), i.e. all transmissions will be on the radio

channel selected by TX_CHANNEL1.

The SR-SBP2801-BLE-E telegram will be sent six times on this radio channel as shown in Figure 8 below.

The default interval between the advertising events is 20 ms. Starting with product version DC-06 it is possible

to reduce this interval to 10 ms via the NFC configuration interface. See chapter 6.7.9 for details.

The format of TX_CHANNEL1 is described in chapter 6.7.10.

4. Telegram format

SR-SBP2801-BLE-E transmits Bluetooth Low Energy (BLE) radio telegrams in the 2.4 GHz band. For detailed

information about the Bluetooth Low Energy standard, please refer to the applicable specifications.

Figure 9 below summarizes the BLE frame structure.

Figure 9 – BLE frame structure

The content of these fields is described in more detail below.

The 4 byte BLE Access Address identifies the radio telegram type. For advertising frames, the value of the

Access Address is always set to 0x8E89BED6.

4.3 Header

The BLE Header identifies certain radio telegram parameters. Figure 10 below shows the structure of the BLE

header.

4.1 Preamble

The BLE Preamble is 1 byte long and identifies the start of the BLE frame. The value of the BLE Preamble is

always set to 0xAA.

4.2 Access Address

3.2 Default radio transmission sequence

SR-SBP2801-BLE-E transmits telegrams in its standard configuration by using so-called Advertising

Events.

An advertising event is defined as the transmission of the same radio telegram on all selected radio channels

(by default this would be on BLE Channel 37, 38 and 39) one after another with minimum delay in between.

For reliability reasons, SR-SBP2801-BLE-E will send several (minimum two, maximum three) advertising

events for each button input. The resulting transmission sequence is shown in Figure 5 below.

The default interval between the advertising events is 20 ms. Starting with product version DC-06 it is possible

to reduce this interval to 10 ms via the NFC configuration interface. See chapter 6.7.9 for details.

4.4 Source address

The 6 byte BLE Source Address (MAC address) uniquely identifies each SR-SBP2801-BLE-E product. SR-

SBP2801-BLE-E supports two source address modes:

1. Static Source Address mode (default)

In this mode, the source address is constant (but its lower 32 bit can be configured via NFC interface)

2. Resolvable Private Address mode (NFC configurable option)

In this mode, the source address changes for each transmission

By default, SR-SBP2801-BLE-E uses Static Source Address mode. Private Resolvable Address mode can be

selected by setting the Private Source Address flag in the Configuration register (see chapter 6.7.3) to 0b1.

These two address modes are described in the following chapters.

4.4.1 Static source address mode

By default, SR-SBP2801-BLE-E uses static source addresses meaning that the source address is constant

during normal operation. The static source address can be read and configured (written) via NFC as described

in chapter 6.

The structure of SR-SBP2801-BLE-E static addresses is as follows:

1.The upper 2 bytes of the source address are used to identify the device type and set to 0xE215 for all SR-

SBP2801-BLE-E devices (to designate Sunricher SBP 2801 device type). These two bytes cannot be changed.

2.The lower 4 bytes are uniquely assigned to each device. They can be changed using the NFC configuration

interface as described in chapter 6.7.4

Figure 11 below illustrates the static address structure used by SR-SBP2801-BLE-E.

Figure 11 – BLE static source address structure

4.4.2 Resolvable private address mode

For some applications it is desirable to obfuscate the origins of SR-SBP2801-BLE-E data telegrams in order to

prevent tracking of its radio transmissions. This can be achieved by using resolvable private addresses (RPA)

as defined in the Bluetooth Core Specification.

SR-SBP2801-BLE-E can be configured to use resolvable private addresses by setting the RPA ADDRESS

MODE flag within the Configuration register (described in chapter 6.7.3) to 0b1.

When using resolvable private addresses, the address used by SR-SBP2801-BLE-E is modified (rotated)

according to a defined scheme which on one hand precludes determining the device identity by unauthorized

receivers while allowing authorized receivers (sharing a specific security key with SR-SBP2801-BLE-E) to do

so.

The shared security key – which has to be known by both SR-SBP2801-BLE-E and the authorized receiver – is

called the Identity Resolution Key (IRK). SR-SBP2801-BLE-E uses its device-unique random key as identity

resolution key. This key can be modified if needed via the NFC configuration interface as described in chapter

6.7.5.

For each data telegram transmitted by SR-SBP2801-BLE-E (i.e. for every button push or release), a new

Figure 12 – BLE resolvable private address structure

The prand value is encrypted using the IRK. The lowest 24 bit of the result (encrypted val- ue) are then used as

hash. The concatenation of 24 bit prand and 24 bit hash will be transmitted as 48 bit private resolvable source

address.

The receiver maintains a list of IRK for all transmitters that have been commissioned to work with it.

Whenever the receiver receives a data telegram with a resolvable private address (identified by the most

significant bits of the address field being set to 0b10), it will itself generate a 24 bit hash from the 24 bit prand

sequentially using each IRK known to it (i.e. the IRK of each device that has been learned into it).

If an IRK matches (i.e. when prand is encoded with the IRK then the result matches hash), then the receiver has

established the IRK used by the transmitter and thereby the identity of the transmitter.

So conceptually the IRK takes the role of the device address of the transmitter while prand and hash provide a

mechanism for the receiver to select the correct IRK among the set of IRK known to it.

This mechanism is illustrated in Figure 13 below.

Refer to Appendix B for an example of resolving a resolvable private address.

Note that commissioning telegrams (as described in chapter 5.3.2) always use static source addresses (as

described in chapter 4.4.1) since they establish the device identity and contain the IRK in the payload.

4.5 Check Sum

The 3 byte BLE Check Sum is used to verify data integrity of received BLE radio telegrams. It is calculated as

CRC (cyclic redundancy check) of the BLE Header, Source Address and Payload fields.

4.6 Telegram payload

SR-SBP2801-BLE-E can transmit two types of telegrams:

1.Data telegrams

The payload of data telegrams contains the switch status together with optional data

Figure 13 – Resolving private addresses

Figure 10 – BLE header structure

resolvable private address is generated. The 48 bit address field of such resolvable private address is split into

two sub-fields:

1.prand

This field contains a random number which always starts (two most significant bits) with 0b10. The prand value

is changed for each telegram that is transmitted. Individual advertising events used to transmit one telegram

(as described in chapter 3) use the same prand value.

2.hash

This field contains a verification value (hash) generated from prand using the IRK The structure of a resolvable

private address is shown in Figure 12 below.

(if applicable), the current sequence counter value and the resulting authentication signature

2.Commissioning telegrams

The payload of commissioning telegrams contains the private security key as well as the current value of the

sequence counter and the device address

The payload structure of both telegram types is described in the following chapters.

4.6.1 Data telegram payload

The payload of data telegrams is 13 … 17 bytes long (depending on the size of the Optional

Data field) and consists of the following fields:

1.Length (1 byte)

The Length field specifies the combined length of the following fields. The content of the field depends on the

size of the Optional Data field (which can be 0 / 1 / 2 or 4 byte). The resulting Length setting would be 12 / 13 /

14 or 16 byte (0x0C / 0x0D /

0x0E / 0x10) respectively

2.Type (1 byte)

The Type field identifies the data type used for this telegram. For SR-SBP2801-BLE-E data telegrams, this field

is always set to 0xFF to designate manufacturer-specific data field

3.Manufacturer ID (2 byte)

The Manufacturer ID field is used to identify the manufacturer of BLE devices based on assigned numbers.

Sunricher has been assigned 0x0A78 as manufacturer ID code.

The Manufacturer ID can be changed via the NFC configuration interface as described in chapter 6.7.7.

4.Sequence Counter (4 byte)

The Sequence Counter is a continuously incrementing counter used for security processing. It is initialized to 0

at the time of production and incremented for each telegram (data telegram or commissioning telegram) sent.

5.Switch Status (1 byte)

The Switch Status field reports the button action. The encoding of this field is described in chapter 4.6.2.

6.Optional Data (0 / 1 / 2 or 4 byte)

SR-SBP2801-BLE-E provides the option to transmit additional user-defined data within each data telegram as

described in chapter 6.7.8.

7.Security Signature (4 byte)

The Security Signature is used to authenticate SR-SBP2801-BLE-E radio telegrams as described in chapter

4.6.3

Figure 14 below illustrates the data telegram payload.

Figure 14 – Data telegram payload structure

4.6.2 Button action encoding

The Switch Status field within the data telegram payload identifies the SR-SBP2801-BLE-E button action

(button push or release). SR-SBP2801-BLE-E uses the following sequence to identify and transmit button

contact status:

1. Determine direction of the button movement (Push Action or Release Action)

2. Read input status of all button contacts

3. Calculate data payload

4. Calculate security signature

In SR-SBP2801-BLE-E, the type of action (Press Action or Release Action) is indicated by Bit 0 (button). If a

button contact has been actuated during Press Action or Release Action, then this is indicated by the according

status bit set to ‘1’.

Note that all contacts that were pressed during Press Action will be released during Release Action. The case of

continuing to hold one (or several) button contacts during Release Action is mechanically not possible.

Figure 15 - SR-SBP2801-BLE-E button action encoding

4.6.3 Commissioning telegram payload

The payload of commissioning telegrams is 30 bytes long and consists of the following fields:

1.Length (1 byte)

The Length field specifies the combined length of the following fields. For SR-SBP2801-BLE-E

commissioning telegrams, this field is set to 0x1D to indicate 29 byte of manufacturer-specific data.

Note: In product versions prior to DC-06 this field was incorrectly set to 0x1E.

2.Type (1 byte)

The Type field identifies the data type used for this telegram. This field is set to 0xFF

to indicate a “Manufacturer-specific Data” field

3.Manufacturer ID (2 byte)

The Manufacturer ID field is used to identify the manufacturer of BLE devices based on assigned numbers. By

default, this field is set to 0x0A78 (Sunricher). This field can be changed via the NFC configuration interface as

described in chapter

6.7.7.

4.Sequence Counter (4 byte)

The Sequence Counter is a continuously incrementing counter used for security processing. It is initialized to 0

at the time of production and incremented for each telegram (data telegram or commissioning telegram) sent.

5.Security Key (16 byte)

Each SR-SBP2801-BLE-E device contains its own 16 byte device-unique random security key which is

generated and programmed during manufacturing. It is transmitted during commissioning to enable the

receiver to authenticate SR-SBP2801-BLE-E data telegrams and used as IRK for the case of resolvable private

address mode

6.Static Source Address (6 byte)

The Static Source Address is used to uniquely identify each BLE device. It is transmitted as part of the BLE

frame as described in chapter 4.4.1.

Some devices (most notable all iOS-based products) however do not expose this address to their applications.

This makes it impossible to use such applications to

commission SR-SBP2801-BLE-E. The Static Source Address is therefore again transmitted as

part of the payload.

Figure 16 below illustrates the commissioning telegram payload.

Figure 16 – Commissioning telegram payload structure

4.7 SR-SBP2801-BLE-E data telegram authentication

SR-SBP2801-BLE-E implements telegram authentication for

transmitted data telegrams to ensure that only telegrams from

transmitters using a previously exchanged security key will be

accepted by the receiver. Authentication relies on a 32 bit

telegram signature which is calculated as shown in Figure 17

below and exchanged as part of the radio telegram.

Figure 17 – Telegram authentication flow

The button action encoding used by SR-SBP2801-BLE-E is shown Figure 15 in below.

Figure 18 – AES128 Nonce structure

The AES128 Nonce and the 128 bit device-unique security key are then used to calculate a 32 bit signature of

the authenticated telegram payload shown in Figure 19 below.

Figure 19 – Authenticated payload

The calculated 32 bit signature is then appended to the data telegram payload as shown in Figure 14 in chapter

4.6.

In addition to the RFC3610 standard itself, please consult also Appendix C for a step by step description of the

authentication process.

5. Commissioning

Commissioning is the process by which SR-SBP2801-BLE-E is learned into a receiver (actuator, controller,

gateway, etc.).

The following two tasks are required in this process:

1.Device identification

The receiver needs to know how to uniquely identify this specific SR-SBP2801-BLE-E device. This is achieved

by using a unique 48 Bit ID (Source Address) for each SR-SBP2801-BLE-E

device as described in chapter 4.4. In addition, up to 4 byte of Optional Data can be

configured as described in chapter 6.7.8

2.Security parameter exchange

The receiver needs to be able to authenticate radio telegrams from SR-SBP2801-BLE-E in order to ensure that

they originate from this specific device and have not been modified as described in chapter 4.6.3. This is

achieved by exchanging a 128 Bit random security key used by SR-SBP2801-BLE-E to authenticate its radio

telegrams.

SR-SBP2801-BLE-E provides the following options for these tasks:

1.NFC-based commissioning

The SR-SBP2801-BLE-E parameters are read by a suitable commissioning tool (e.g. NFC

smartphone with suitable software) which is already part of the network into which

SR-SBP2801-BLE-E will be commissioned. The commissioning tool then communicates these parameters to

the intended receiver of SR-SBP2801-BLE-E radio telegrams. NFC-based commissioning is described in

chapter 6

2.Camera-based commissioning

Each SR-SBP2801-BLE-E module contains an optically readable QR Code which identifies its

ID and its security key. This QR code can be read by a by a suitable commissioning tool (e.g. smart phone)

which is already part of the network into which SR-SBP2801-BLE-E will be commissioned. The commissioning

tool then communicates these parameters to the intended receiver of SR-SBP2801-BLE-E radio telegrams.

The QR code structure is described in chapter 7.2.

3.Radio-based commissioning

SR-SBP2801-BLE-E can communicate its parameters via special radio telegrams (commission- ing telegrams)

to the intended receiver. To do so, SR-SBP2801-BLE-E can be temporarily

placed into radio-based commissioning mode as described in chapter 5.3

5.1 NFC-based commissioning

All required SR-SBP2801-BLE-E parameters can be read via a suitable NFC reader and writer sup- porting the

ISO/IEC 14443 Part 2 and 3 standards. The actual NFC implementation in SBP

2801 uses a Mifare Ultralight tag.

Commissioning via NFC should follow these steps:

1. Unlock SR-SBP2801-BLE-E using the default NFC PIN code 0x0000E215

2. Read the SR-SBP2801-BLE-E Source Address, Security Key and Sequence Counter and configure the

receiver accordingly

3. Important: The pre-programmed random security key used by SR-SBP2801-BLE-E can be obtained both

from the product DMC code as described in chapter 5.2, from received commissioning telegrams as described

in chapter 5.3 and via the NFC interface.

For security-critical applications where unauthorized users could have physical access to the switch it is

therefore strongly recommended to change the security key to a new security key as part of the NFC-based

commissioning process. To do so, follow the procedure outlined in chapter 6.7.5.

For additional security, NFC read-out of the new security key can be disabled by setting the PRIVATE

SECURITY KEY flag in the Configuration register before setting the new security key.

This ensures that even persons knowing the correct PIN code to configure this specific switch cannot read out

the programmed new security key. Please verify that you have properly documented the new security key as

there is no possibility to retrieve this after it has been written.

4. Important: It is strongly recommended to disable radio-based commissioning after programming a new

security key. This ensures that the new security key cannot be read out by triggering a commissioning telegram

as described in chapter 5.3.

To disable radio-based commissioning, set the DISABLE LRN TELEGRAM flag in the Configuration register to

0b1, see chapter 6.7.3.

5. Important: You should always change the NFC PIN code from its default setting to a new NFC PIN code and

lock the NFC configuration interface. This step is mandatory to avoid access to the SR-SBP2801-BLE-E

configuration using the default PIN code.

Should you lose the new NFC PIN code then SR-SBP2801-BLE-E can be reset to factory mode

(with the default NFC PIN code) by means of a factory reset as described in chapter

5.4. For security reasons, this factory reset will always reset the security key to its pre-programmed value.

5.2 Camera-based commissioning

Sequence counter, source address and the remaining telegram data together form the in- put data for the

signature algorithm. This algorithm uses AES128 encryption based on the device-unique random security key

to generate a 32 bit signature which will be transmitted as part of the radio telegram.

The signature is therefore dependent both on the current value of the sequence counter, the device source

address and the telegram payload. Changing any of these three parameters will therefore result in a different

signature.

The receiver performs the same signature calculation based on sequence counter, source address and the

remaining telegram data of the received telegram using the security key it received from SR-SBP2801-BLE-E

during commissioning.

The receiver then compares the signature reported as part of the telegram with the signature it has calculated.

If these two signatures match, then the following statements are true:

1.Transmitter (SR-SBP2801-BLE-E) and receiver use the same security key

2.The message content (address, sequence counter, data) has not been modified

At this point, the receiver has validated that the message originates from a trusted transmitter (as identified by

its security key) and that its content is valid.

In order to avoid message replay (capture and retransmission of a valid message), it is required that the

receiver tracks the value of the sequence counter used by SR-SBP2801-BLE-E and only accepts messages

with higher sequence counter values (i.e. not accepts equal or lower sequence counter values for subsequent

telegrams).

4.7.1 Authentication implementation

SR-SBP2801-BLE-E implements data telegram authentication based on AES128 in CCM (Counter with CBC-

MAC) mode as described in IETF RFC3610. At the time of writing, the RFC3610 standard could be found here:

https://www.ietf.org/rfc/rfc3610.txt

The 13 Byte CCM Nonce (number used once – unique) initialization value is constructed as concatenation of 6

byte Source Address, 4 byte Sequence Counter and 3 bytes of value

0x00 (for padding).

Note that both Source Address and Sequence Counter use little endian format (least significant byte first).

Figure 18 below shows the structure of the AES128 Nonce.

Figure 21 – Elatec TWN4 MultiTech Desktop NFC Reader

Each SR-SBP2801-BLE-E module contains an optically readable Commissioning Code implemented either as

Data Matrix Code or as QR Code depending on the device revision.

This Commissioning Code on the device label can be scanned by a suitable commissioning tool (e.g. smart

phone or PC with DMC / QR code reader) to read the static source address and the security key of the device.

The commissioning tool can the use this information to configure the intended receiver of

SR-SBP2801-BLE-E radio telegrams.

See chapter 7 for details of the commissioning code structure.

5.3 Radio-based commissioning

For cases where both NFC and camera-based commissioning are not feasible it is possible to set SR-

SBP2801-BLE-E into a specific mode where it transmits commissioning telegrams.

This functionality can be disabled via the NFC configuration interface by setting the DISABLE LRN TELEGRAM

flag in the Configuration register to 0b1 (see chapter 6.7.3).

Starting from product version DC-06, this functionality can also be disabled by means of a specific button press

(long press of A0 + A1 + B1), see chapter 5.3.4.

5.3.1 Commissioning mode entry

Commissioning mode is entered using a special button contact sequence. This is illustrated in Figure 20 below.

Figure 20 – Button sequence to enter radio-based commissioning mode

To enter commissioning mode, start by selecting one button contact of SR-SBP2801-BLE-E. Any button of SR-

SBP2801-BLE-E (A0, A1, B0, B1) can be used. This button is referred to as Button_X in Figure 20 above.

Next, execute the following long-short-long sequence:

1. Press and hold the selected button for more than 7 seconds before releasing it

2. Press the selected button quickly (hold for less than 2 seconds)

3. Press and hold the selected button again for more than 7 seconds before releasing it

Upon detection of this sequence, SR-SBP2801-BLE-E will enter commissioning mode if the DISABLE LRN

TELEGRAM flag in the Configuration register of the NFC interface is not set (0b0, default state).

If the DISABLE LRN TELEGRAM flag in the Configuration register of the NFC interface is set (0b1, configured

via NFC interface) then SR-SBP2801-BLE-E will not enter commissioning mode and transmit normal data

telegrams according to the button status.

5.3.2 Commissioning telegram transmission

SR-SBP2801-BLE-E will transmit a commissioning telegram (on the radio channels selected as described in

chapter 3.1) upon entering commissioning mode. The structure of the commissioning telegram is described in

chapter 4.6.3.

SR-SBP2801-BLE-E will continue to transmit commissioning telegrams whenever the button used for entry into

commissioning mode (Button_X) is pressed or released again.

5.3.3 Exit from commissioning mode

Pressing any key except the button used for entry into commissioning mode (Button_X) will cause SR-

SBP2801-BLE-E to stop transmitting commissioning telegrams and return to normal data telegram

transmission.

5.3.4 Disable commissioning mode

Starting with product version DC-06 it will be possible to disable commissioning mode in addition to using the

NFC interface also by means of a specific button input.

To do so, press button contacts A0, A1 and B1 and hold them for at least 10 seconds before releasing them.

Commissioning mode can be re-enabled by means of a factory reset as described below.

5.4 Factory reset

SR-SBP2801-BLE-E can be reset to its default settings by means of a factory reset.

This ensures that SR-SBP2801-BLE-E can be reset to a known configuration in case the

PIN for the NFC access has been lost or NFC access is not possible for other reasons

In order to execute such factory reset, the rocker(s) and switch housing have to be

removed from the SR-SBP2801-BLE-E module. Then, two diagonal button contacts (for

instance A0 and B1 or A1 and B0) have to be pressed and held at the same time for over 10

seconds.

Upon detecting this input, SR-SBP2801-BLE-E will restore the default settings of the

following items:

1.Static Source Address

2.Security Key and Security Key Write register

Both registers will be restored to the value of the factory-programmed security key

3.Manufacturer ID

The manufacturer ID will be reset to 0x0A78 (Sunricher)

4.NFC PIN Code

The NFC PIN Code will be reset to 0x0000E215

After such factory reset, Source Address and Security Key will again match the content of the DMC code on the

unit label as described in chapter 7.

In addition, SR-SBP2801-BLE-E will reset the following registers:

1.Configuration register (to 0x00)

2.Variant Register (to 0x00)

6. NFC interface

SR-SBP2801-BLE-E implements NFC Forum Type 2 Tag functionality as specified in the ISO/IEC 14443 Part 2

and 3 standards using an NXP NT3H2111 Mifare Ultralight tag.

This NFC functionality can be used to access (read and write) the SR-SBP2801-BLE-E configuration memory

and thereby configure the device as described in the following chapters.

Chapter 6.1 below gives an introduction to the NFC functionality and options to use the NFC interface.

For in-depth support for integrating the NXP NT3H2111 NFC functionality into PC or smartphone SW please

contact NXP technical support.

6.1 Using the NFC interface

Using the NFC interface requires the following:

1.NFC reader (either PC USB accessory or suitable smart phone / tablet)

2.NFC SW with read, write, PIN lock, PIN unlock and PIN change functionality

Sunricher recommends TWN4 (order code T4BT-FB2BEL2-SIMPL) from Elatec RFID Systems

(https://www.elatec-rfid.com/en/) as USB NFC reader. This reader is shown in Figure 21 below.

TWN4 can be configured as CDC / Virtual COM port and can then be accessed like any serial interface. It

provides all necessary commands for the NFC interface, specifically to:

1.Read data from configuration memory and write data to configuration memory

2.Authenticate the user (to allow read / write of protected memory) via 32 bit PIN

NFC functionality is also available in certain Android smart phones and tablets. NXP provides a SW framework

that can be used with Android devices and can advise regarding suitable tablets and smart phones.

NFC communication distance is for security reasons set to require direct contact between reader and switches

based on SR-SBP2801-BLE-E.

6.2 NFC interface functions

For a detailed description about the NFC functionality, please refer to the ISO/IEC 14443 standard.

For specific implementation aspects related to the NXP implementation in NT3H2111,

please refer to the NXP documentation which at the time of writing was available under this link:

https://www.nxp.com/docs/en/data-sheet/NT3H2111_2211.pdf

The following chapters summarize the different functions for reference purposes.

6.2.1 NFC interface state machine

Figure 22 below shows the overall state machine of the NFC interface.

Figure 22 – NFC interface state machine

6.2.2 IDLE state

IDLE is the waiting state after a Power-On Reset (POR), i.e. after the NFC tag has been introduced into the

magnetic field of the NFC reader.

The NFC tag exits the IDLE state towards the READY 1 state when either a REQA or a WUPA command is

received from the NFC reader. REQA and WUPA commands are transmitted by the NFC reader to determine

whether any cards are present within its working range.

Any other data received by the NFC tag while in IDLE state is discarded and the NFC tag will remain in IDLE

state.

6.2.3 READY 1 state

READY 1 is the first UID resolving state where the NFC tag resolves the first 3 bytes of the

7 byte UID using the ANTICOLLISION or SELECT commands for cascade level 1.

READY 1 state is exited after the SELECT command from cascade level 1 with the matching complete first part

of the UID has been executed. The NFC tag then proceeds into READY 2 state where the second part of the

UID is resolved.

6.2.4 READY 2 state

READY 2 is the second UID resolving state where the NFC tag resolves the remaining 4 bytes of the 7 byte UID

using the ANTICOLLISION or SELECT commands for cascade level 2.

READY 2 state is exited after the SELECT command from cascade level 2 with the matching complete part of

the UID has been executed. The NFC tag then proceeds into ACTIVE state where the application-related

commands can be executed.

6.2.5 ACTIVE state

ACTIVE state enables read and write accesses to unprotected memory.

If access to protected memory is required, then the tag can transition from the ACTIVE state to

AUTHENTICATED state by executing the PWD_AUTH command in conjunction with the correct 32 bit

password.

Figure 23 – NFC read command sequence

6.2.7 Write command

The WRITE command requires a start page

address and returns writes 4 bytes of data into

that page.

Figure 24 below shows the read command

sequence.

Figure 24 – NFC write command sequence

6.2.6 Read command

The READ command requires a start page

address, and returns the 16 bytes of four

NFC tag pages (where each page is 4 byte in

size).

For example, if the specified address is 03h

then pages 03h, 04h, 05h, 06h are returned.

Spe- cial conditions apply if the READ

command address is near the end of the

accessible

memory area.

Figure 23 below shows the read command

sequence.

6.2.8 Password authentication

(PWD_AUTH) command

The protected memory area can be accessed

only after successful password verification via

the PWD_AUTH command.

The PWD_AUTH command takes the

password as parameter and, if successful,

returns the password authentication

acknowledge, PACK.

Figure 25 below shows the password

authentication sequence. Figure 25 – Password authentication sequence

After successful authentication, the password can be changed by writing the new password to memory page

0xE5.

Note that a read access to page 0xE5 always return 0x00000000, i.e. it is not possible to read out the current

PIN code.

6.3 Using TWN4 as USB NFC reader

Elatec RFID Systems provides a PC software called “Director” as part of their software sup- port package. At

the time of writing, this was available from this address: https://www.elatec-rfid.com/en/download-

center/contact-form-twn4-devpack-sdk/

Figure 26 below shows the user interface of this software.

Figure 26 – User interface of TWN4 Director

By using this software, it is easily possible to generate the required serial commands that have to be sent via

CDC / Virtual COM port to TWN4 and understand the structure of the response that will be received back.

6.3.1 Useful commands

The following commands are especially useful:

1.SearchTag(maximum ID bytes)

Used to search for a connected tag and identify type and ID of such tag. This should always be used as first

operation ahead of any read / write / authenticate actions. Example: SearchTag(32)

2.NTAG_PwdAuth(32 bit password as hex bytes, 16 bit password_ack as hex bytes)

Used to authenticate access to the protected memory area

Example: NTAG_PwdAuth(0x00 0x00 0xE2 0x15, 0x00 0x00)

3.NTAG_Read(page)

Used to read one page of data

Example: NTAG_Read(0x04)

4.NTAG_Write(page, data)

Used to write one page of data

Example: NTAG_Write(0x40, 0x12 0x34 0x56 0x78)

5.NTAG_Write(0xE5, PIN Code)

Used to set a new pin code by writing to page 0xE5

Example: NTAG_Write(0xE5, 0x12 0x34 0x56 0x78)

6.3.2 Translation into binary data

In order to use these commands within a user application, they have to be translated into raw data. This can be

done by enabling the “Show Raw Data” feature in the command log of the Director software as shown in Figure

27 below.

Figure 27 – Enabling raw data display

This raw data can then be transmitted to TWN4 via a virtual COM port. TWN4 will respond to the request with

the corresponding response as shown in Figure 28 below.

Figure 28 – Binary data exchange

6.4 Configuration memory organization

The SR-SBP2801-BLE-E configuration

memory is divided into the following areas:

1.Public data

2.Protected data

In addition to that, SR-SBP2801-BLE-E

maintains a private configuration memory

region used to store default parameters and

confidential information which is not

accessible to the user.

Figure 29 below shows the configuration

memory structure used by SR-SBP2801-BLE-

Figure 29 – Configuration memory structure

6.5 NFC memory address map

The NFC-accessible configuration memory is organized in memory pages where each memory page is 4 byte

wide. An NFC access reads 16 bytes (4 pages) or writes 4 bytes (one page). The addresses map of the

configuration memory is shown in Table 2 below. The byte order is little endian, i.e. byte 0 will be read first and

byte 3 last.

Area NFC Page Byte Offset Byte 0 (LSB) Byte 1 Byte 2 Byte 3 (MSB)

Public

Protected

0 (0x00)

…

3 (0x03)

4 (0x04)

5 (0x05)

6 (0x06)

7 (0x07)

8 (0x08)

9 (0x09)

10 (0x0A)

11 (0x0B)

12 (0x0C)

13 (0x0D)

14 (0x0E)

15 (0x0F)

16 (0x10)

17 (0x11)

18 (0x12)

19 (0x13)

20 (0x14)

…

23 (0x17)

24 (0x18)

25 (0x19)

…

31 (0x1F)

32 (0x20)

…

95 (0x5F)

96 (0x60)

…

225 (0x10)

229 (0xE5)

…

100

…

124

128

…

380

384

…

900

916

Public Memory Area

Reserved

Product Name

"SBP2801 "

Product ID Public

NFC Revision Manufacturer ID

Reserved

Hardware Revision

Software Revision

Static Source Address

Sequence Counter

Protected Memory Area

Configuration Variant Reserved

Opt Data 0 Opt Data 1 Opt Data 2 Opt Data 3

Product ID Write

Source ID Write

Manufacturer ID Write Reserved

Security Key Write

TX_CHANNEL1 TX_CHANNEL2 TX_CHANNEL3

Reserved

Customer NFC Data

Reserved

PIN Code (Write Only)

Table 2 – Configuration memory address map

6.6 Public data

Public data can be read by any NFC-capable device supporting the ISO/IEC 14443 Part 2 and 3 standards. No

5.Optional Data register

This 4 byte register contains optional data that can be transmitted as part of all data telegrams, see chapter

4.6. Optional Data 0 is sent first, Optional Data 3 last.

6.Configuration register

This 1 byte register is used to configure the functional behavior of SR-SBP2801-BLE-E, see chapter 6.7.3

7.Variant register

This 1 byte register is used to configure the transmission behavior of SR-SBP2801-BLE-E, see chapter 6.7.9

8.Custom Radio Channel registers (TX_CHANNEL1, TX_CHANNEL2 and TX_CHANNEL3)

These 1 byte registers are used to configure the radio channels in custom transmis- sion mode of SR-

SBP2801-BLE-E, see chapter 6.7.10

9.Custom NFC Data

SR-SBP2801-BLE-E reserves 64 byte for customer-specific NFC data, see chapter 6.7.11

specific security measures are used to restrict read access to this data.

The following items are located in the public data area:

1.SR-SBP2801-BLE-E Product Name

This is always “SBP2801 ”

2.SR-SBP2801-BLE-E Product ID

This is an 8 byte field which is by default set to 0x0000000000000000.

Product ID and Manufacturer ID can be configured by the customer as required to identify his SR-SBP2801-

BLE-E based product, see chapter 6.7.7

3.SR-SBP2801-BLE-E Manufacturer ID

This is an 2 byte field used to identify the manufacturer of a BLE product, see chap- ter 4.6. This field is by

default set to 0x0A78(Sunricher).

Product ID and Manufacturer ID can be configured by the customer as required to identify his SR-SBP2801-

BLE-E based product, see chapter 6.7.7

4.SR-SBP2801-BLE-E Static Source Address

This is a 4 byte field containing the four least significant bytes (the two most significant bytes are always

0xE215) of the static source address used by SR-SBP2801-BLE-E, see chapter 4.4.1. Each SR-SBP2801-

BLE-E is pre-programmed with an individual static source address.

The Static Source Address can be configured by the customer as required to identify his SR-SBP2801-BLE-E

based product, see chapter 6.7.4

5.Hardware Revision, Software Revision and NFC Revision

These fields identify the device revision

6.Telegram sequence counter

This is a 4 byte field which is initialized to zero during manufacturing and incremented for each transmitted

telegram. Receivers shall never accept telegrams containing sequence counter values equal or less than

previously received values to avoid replay attacks.

Changing the Static Source Address, Manufacturer ID and Product ID fields is only possible via protected data

access as described below to prevent unauthorized modification.

For security reasons, the telegram sequence counter cannot be written or reset by any mechanism.

6.7 Protected data

The following items are located in the protected data area:

1.Source Address Write register

This 4 byte register is used to update the lower 4 byte of the Static Source Address, see chapter 6.7.4

2.Product ID Write register

This 8 byte register is used to update the Product ID, see chapter 6.7.7

3.Manufacturer ID Write register

This 4 byte register is used to update the Manufacturer ID, see chapter 6.7.7

4.Security Key Write register

This 16 byte register is used to update the security key used by SR-SBP2801-BLE-E, see chapter 6.7.5

Sunricher SR-SBP2801-BLE-E User manual

Popular Lighting Equipment manuals by other brands