Skip to content

Guide: Contiki ↔ Linux, with llsec

Zopieux edited this page Mar 16, 2016 · 1 revision

This article is a quick guide on configuring both a Contiki mote and a Linux device with a wpan interface. We'll focus on having LLSEC (link-layer security) enabled both sides for encrypted communications.

These instructions were tested successfully on February 2016 with OpenMote devices running Contiki 3.x and a Rapsberry Pi running Raspbian Linux (rpi-4.4.y) with an MRF24J401 radio.

Contiki configuration

Contiki LLSEC implementation is currently called noncoresec. Adapt your project-conf.h to use the noncoresec netstack framer and noncoresec netstack llsec. We'll use the 802.15.4 security level encryption + 32-bit MIC (decimal value 5 in the spec) but any other value is fine. Please note security level 1 is considered not secure2.

In this example we use an implicit key. Contiki also supports explicit keys but the author has not tested them yet.

#define NETSTACK_CONF_LLSEC noncoresec_driver
#define NETSTACK_CONF_FRAMER noncoresec_framer
// Sample key
	0x00, 0x01, 0x02, 0x03, \
	0x04, 0x05, 0x06, 0x07, \
	0x08, 0x09, 0x0A, 0x0B, \
	0x0C, 0x0D, 0x0E, 0x0F, \

Linux/iwpan configuration

You have to configure the Linux LLSEC stack, for example through iwpan, to communicate with the Contiki device.

First, retrieve the Contiki device 802.15.4 extended address. In this example, this is 00:22:4e:00:06:00:84:8a. Then we can proceed. Adapt the variables as needed. The short address is set to the generic (invalid) 0xffff because Contiki doesn't seem to use short addressing.

iwpan dev $WPAN set security 1
iwpan dev $WPAN key add 2 $KEY 0 $PANID 3 $EXTADDR
iwpan dev $WPAN seclevel add 0xff 2 0
iwpan dev $WPAN device add 0 $PANID $SHORTADDR $EXTADDR 0 0

Don't forget to use the same radio channel as the one used by the Contiki device. You can set the channel on Linux using iwpan phy phy0 set channel 0 <channel>, assuming the physical device is called phy0.

You should now be able, on Linux, to receive & decrypt 802.15.4 frames sent by Contiki. If you want to emit from Linux, you have to configure out_level and out_key_id. Note that currently, noncoresec requires the same security level and key for both inbound and outbound frames, meaning you have to set out_level to the same value as the one in Contiki project-conf.h, and the out_key_id must be an implicit extended key (iwpan syntax: 0 <panid> 3 <addr>).

  1. As of February 2016, the MRF24j40 driver contains a bug that prevents receiving secured frames; a patch set was sent to the kernel to fix the issue.