Manufacturing Flow for 800 series
The following sections describe the manufacturing flow for end devices and gateways using 800 series.
It is not recommended to use the Silicon Labs public signing key and encryption key used in the apps.
Further reading about the available security features and their usage can be found in IoT Endpoint Security Fundamentals.
End Devices
The manufacturing production test flow for end devices based on 800 series must incorporate the following steps:
Update the SE firmware (see Production Programming of Series 2 and Series 3 Devices)
Update the Bootloader (see Production Programming of Series 2 and Series 3 Devices)
Perform product-specific testing such as I/O, etc. Refer to the RAILtest User Guide.
Perform RF testing, etc. Use RAILtest. Refer to [7] regarding RF testing. The 500 Series ApplicationTestPoll function is not available in the 800.
Set the manufacturing codes:
Write your own public signing key and encryption key to the SoC target via the SWD interface. A readme.txt file in the Z-Wave SDK release describes how to generate your own keys and write them to the device Lock Bits Page. The path to the readme file in the Z-Wave SDK release is:
<Your ZWAVE Installation Directory>\BootLoader\sample-keys\
Download the application firmware to the SoC target via the SWD interface.
The application in the SoC signals when the security materials, etc., are in place in the Lock Bit Page via the manufacturing token TOKEN_MFG_ZW_INITIALIZED. The following steps are performed in the SoC at the application startup:
If public/private keypair and QR code are already present in the Lock Bit page (check manufacturing token TOKEN_MFG_ZW_INITIALIZED), jump to the last step continuing normal operation. Refer to [1] for details about manufacturing tokens.
Calculate the public/private key based on Curve25519.
Construct the QR code using the public key, product type, and product ID (latter two from the application) as described in [2].
Calculate the SHA-1 checksum as per [2] and incorporate it in the QR code.
Write the QR code to the Lock Bit Page as manufacturing token TOKEN_MFG_ZW_QR_CODE.
Write the private/public keypair to the Lock Bit Page as manufacturing tokens TOKEN_MFG_ZW_PRK and TOKEN_MFG_ZW_PUK.
Write completion of the Lock Bit Page initialization as manufacturing token TOKEN_MFG_ZW_INITIALIZED. This token can be used to sync completion of data to Lock Bits Page in a production system.
Continue normal startup.
Read the QR code from the SoC.
Label the product with the QR code. Refer to [5] for details.
The QR code format enables customization of the QR code with extra TLVs (e.g., MaxInclusionRequestInterval, proprietary serial number, etc.) instead of using the internally generated one. The manufacturing line programmer must then read out the public key, etc., compose the wanted QR code, and print it to a label. The new QR code can also be stored in the User Data Page, for example.
Perform Key Provisioning (see Production Programming of Series 2 and Series 3 Devices)
Set the debug access (see Series 2 and 3 Secure Debug)
Set the Anti-Tamper protection (see Anti-Tamper Protection Configuration and Use)
Gateways
The manufacturing production test flow for gateways based on 800 series must incorporate the following steps.
Further reading about the available security features and their usage can be found in the IoT Endpoint Security Fundamentals.
Update the SE firmware (see Production Programming of Series 2 and Series 3 Devices)
Update the Bootloader (see Production Programming of Series 2 and Series 3 Devices)
Product-specific testing such as I/O, etc. Refer to Using RAIL Test under the SDK documentation section in the Simplicity Studio distribution.
Calibrate the 39 MHz crystal used on each EFR32ZG14-based product to ensure the RF frequency is correct; see [4]. The crystal calibration can be done using a RAILtest firmware; see KB - Z-Wave 700: EFR32ZG14 CTUNE Calibration.
The RF performance testing for each product can also be done by using the same RAILtest firmware. Refer to [7] regarding RF performance testing. The 500 Series ApplicationTestPoll function is not available in 800 series.
Generate your own public signing key and encryption key and write them to the SoC target via the Serial Wire Debug (SWD) interface. These keys are necessary for upgrading the firmware in the field. The following Simplicity Commander command writes the keys into the device's Lock Bits Page:
commander flash --tokengroup znet --tokenfile zg14_encrypt.key --tokenfile zg14_sign.key-tokens.txt -d EFR32ZG14
The key files (do not use the Silicon Labs keys) are located in the Z-Wave release at the following path in your SDK installation:
<Your ZWAVE Installation Directory>\BootLoader\ZG14-keys\
Download the application firmware to the SoC target via the Serial Wire Debug (SWD) interface.
The application in the SoC signals when security materials, etc., are in place in the Lock Bit Page via manufacturing token TOKEN_MFG_ZW_INITIALIZED. The following steps are performed in the SoC at the application startup:
If the public/private keypair and QR code are already present in the Lock Bit page (check manufacturing token TOKEN_MFG_ZW_INITIALIZED), jump to the last step continuing normal operation. Refer to [1] for details about manufacturing tokens.
Calculate the public/private key based on Curve25519.
Construct the QR code using public key, product type, and product ID (latter two from application) as described in [2].
Calculate SHA-1 checksum as per [2] and incorporate it in the QR code.
Write the QR code to Lock Bit Page as manufacturing token TOKEN_MFG_ZW_QR_CODE.
Write private/public keypair to the Lock Bit Page as manufacturing tokens TOKEN_MFG_ZW_PRK and TOKEN_MFG_ZW_PUK.
Write completion of Lock Bit Page initialization as manufacturing token TOKEN_MFG_ZW_INITIALIZED. This token can be used to sync completion of data to the Lock Bits Page in a production system.
Continue normal startup.
Read the QR code from the SoC.
Label the product with the QR code. It is optional to label a gateway in case the QR code is accessible via the UI. Refer to [5] for details.
The QR code format enables customization of the QR code with extra TLVs (e.g., MaxInclusionRequestInterval, proprietary serial number, etc.) instead of using the internally generated one. The manufacturing line programmer must then read out the public key, etc., and compose the wanted QR code and print it to a label. The new QR code can also be stored in, e.g., the User Data Page.
Perform Key Provisioning (see Production Programming of Series 2 and Series 3 Devices)
Set the debug access (see Series 2 and 3 Secure Debug)
Set the Anti-Tamper protection (see Anti-Tamper Protection Configuration and Use)
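
The following production-line check is an added example, not code from the Z-Wave SDK. It covers the "Read the QR code from the SoC" step and the custom-TLV case in both the End Devices and Gateways flows: it recomposes a QR string with a fresh SHA-1 checksum and verifies a read-back string against the public key before a label is printed. The field widths, the "90"/"01" header, the DSK being the first 16 bytes of the public key, and the TLV encoding are assumptions taken from the Z-Wave SmartStart QR format and must be confirmed against [2]; all function names and sample values are hypothetical.

```python
import hashlib

# Field layout assumed from the Z-Wave SmartStart QR format; confirm against [2].
LEAD_IN, VERSION = "90", "01"
HEADER_LEN = 52  # 2 lead-in + 2 version + 5 checksum + 3 requested keys + 40 DSK

def dsk_digits(public_key: bytes) -> str:
    """First 16 bytes of the public key as eight 5-digit decimal groups."""
    return "".join(f"{int.from_bytes(public_key[i:i + 2], 'big'):05d}"
                   for i in range(0, 16, 2))

def checksum(payload: str) -> str:
    """First two SHA-1 bytes over every digit after the checksum field."""
    digest = hashlib.sha1(payload.encode("ascii")).digest()
    return f"{int.from_bytes(digest[:2], 'big'):05d}"

def tlv(type_critical: int, value: str) -> str:
    """Encode one TLV: 2-digit type/critical, 2-digit length, decimal value."""
    return f"{type_critical:02d}{len(value):02d}{value}"

def compose_qr(public_key: bytes, requested_keys: int, tlvs: list) -> str:
    """Build the QR string; the checksum is recomputed whenever TLVs change."""
    payload = f"{requested_keys:03d}{dsk_digits(public_key)}{''.join(tlvs)}"
    return LEAD_IN + VERSION + checksum(payload) + payload

def verify_qr(qr: str, public_key: bytes) -> list:
    """Return the problems found in a QR string read back from the device."""
    if not (qr.isascii() and qr.isdigit()) or len(qr) < HEADER_LEN:
        return ["malformed QR string"]
    problems = []
    if not qr.startswith(LEAD_IN):
        problems.append("bad lead-in")
    if qr[4:9] != checksum(qr[9:]):
        problems.append("checksum mismatch")
    if qr[12:52] != dsk_digits(public_key):
        problems.append("DSK does not match public key")
    pos = HEADER_LEN
    while pos < len(qr):  # walk the TLVs; each must end inside the string
        if pos + 4 > len(qr) or pos + 4 + int(qr[pos + 2:pos + 4]) > len(qr):
            problems.append("truncated TLV")
            break
        pos += 4 + int(qr[pos + 2:pos + 4])
    return problems

# Constructed sample values, not real device data.
SAMPLE_PUK = bytes(range(1, 33))
SAMPLE_QR = compose_qr(SAMPLE_PUK, 135, [tlv(0, "0179202816"),
                                          tlv(2, "00000000040000200259")])
```

An empty list from `verify_qr` means the string is internally consistent and bound to the public key read from TOKEN_MFG_ZW_PUK; any other result should stop the label from being printed.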