A-RVariousInitial release and subsequent releases for various editorial updates and technical content updates
to keep current with product changes.
SMay 2015Update the SMT dimensions drawing. Added a section on deep sleep and sleep current
measurements. Updated the baud rates supported by the BD command. Updated the Brazil
ANATEL certification information.
TJuly 2015Revised the Maximum RF payload size section. Frames 0x90 and 0x91 no longer report the 0x40
indicator - removed it.
UDecember 2015Updated XBee-PRO Surface Mount agency approvals. Added missing Extended Modem Status
status code descriptions to the 0x98 frame. Added ANATEL labels.
VApril 2016Updated the firmware release notes section. Updated several hardware specifications with S2D
hardware information. Updated regulatory information. Revised the Programmable XBee SDK
section. Added the ED command. Updated the BD command. Added antennas for the S2D
hardware.
Product documentation
To find up-to-date documentation for all Digi products, visit www.digi.com/documentation.
To provide feedback on this documentation, send your comments to techcomm@digi.com.
Trademarks and copyright
Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other
countries worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Information in this document is subject to change without notice and does not represent a commitment on the part
of Digi International. Digi provides this document “as is,” without warranty of any kind, expressed or implied,
including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose. Digi may
make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this
manual at any time.
Warranty
To view product warranties online, visit www.digi.com/howtobuy/terms.
Customer support
Digi offers multiple technical support plans and service packages to help our customers get the most out of their Digi
product. For information on Technical Support plans and pricing, please contact us at 952.912.3456 or visit
www.digi.com/support.
XBee/XBee-PRO ZigBee RF Modules User Guide2
If you have a customer account, sign in to the Customer Support Web Portal at www.digi.com/support.
This manual describes the operation of the XBee/XBee-PRO ZigBee RF Module, which consists of ZigBee firmware
loaded onto XBee S2C and PRO S2C hardware.
XBee/XBee-PRO ZigBee RF Modules provide wireless connectivity to end-point devices in ZigBee mesh networks.
Using the ZigBee PRO Feature Set, these modules are inter-operable with other ZigBee devices, including devices
from other vendors. With the XBee, users can have their ZigBee network up-and-running in a matter of minutes
without configuration or additional development.
The XBee/XBee-PRO ZigBee RF Modules are compatible with other devices that use XBee ZigBee technology. These
include ConnectPortX gateways, XBee and XBee-PRO Adapters, Wall Routers, XBee Sensors, and other products with
the ZB name.
Worldwide acceptance
•FCC Approval (USA): Refer to Agency certifications on page 203 for FCC Requirements. Systems that
Addressing OptionsPAN ID and Addresses, Cluster IDs and Endpoints (optional)
Interface Options
UART1 Mb/s maximum (burst)
SPI5 Mb/s maximum (burst)
Agency approvals
The following table provides the agency approvals for the module.
NoteLegacy XBee-PRO SMT (model: PRO S2C; hardware version 21xx) has different FCC and IC IDs; see Agency
certifications on page 203.
Approval
United
States
(FCC Part
15.247)
Industry
Canada
(IC)
FCC/IC
Test
Transmit
Power
Output
range
Europe
(CE)
XBee
(Surface Mount)
FCC ID: MCQ-XBS2CFCC ID: MCQ-XBPS2C
IC: 1846A-XBS2CIC: 1846A-XBPS2C
-26 to +8 dBm -0.7 to +19.4 dBm-26 to +8 dBm+1 to +19 dBm-10 to +8 dBm
ETSIETSIETSI
XBee-PRO
(Surface Mount)
(revision K and
earlier)
FCC ID: MCQ-PS2CSM
(revision L and later)
(revision K and
earlier)
IC: 1846A-PS2CSM
(revision L and later)
XBee
(Through-hole)
FCC ID: MCQ-S2CTHFCC ID: MCQ-PS2CTH FCC ID: MCQ-
IC: 1846A-S2CTHIC: 1846A-PS2CTHIC: 1846A-S2DSM
XBee-PRO
(Through-hole)
XBee S2D SMT
S2DSM
AustraliaC-TickRCMRCMRCM
JapanR201WW10215369R210-105563
Brazil (Res.
506)
RoHSCompliant
XBee/XBee-PRO ZigBee RF Modules User Guide12
ANATEL: 0616-151209
ANATEL: 1533-151209
ANATEL: 4556-151209
ANATEL: 4077-151209
Serial communications specifications
Serial communications specifications
XBee RF modules support both UART (Universal Asynchronous Receiver / Transmitter) and SPI (Serial Peripheral
Interface) serial connections.
UART
The SC1 (Serial Communication Port 1) of the Ember 357 is connected to the UART port. The following table
provides the UART pin assignments.
SpecificationsModule Pin Number
UART PinsXBee (surface-mount)XBee (through-hole)
DOUT32
DIN / CONFIG
CTS
/ DIO72512
RTS
/ DIO62916
More information on UART operation is found in the UART section in Module operation on page 28.
43
SPI
The SC2 (Serial Communication Port 2) of the Ember 357 is connected to the SPI port.
SpecificationsModule Pin Number
SPI PinsXBee (surface mount)XBee (through-hole)
SPI_SCLK1418
SPI_SSEL
SPI_MOSI1611
SPI_MISO174
For more information on SPI operation, see the SPI section in Module operation on page 28.
1517
GPIO specifications
XBee RF modules have 15 General Purpose Input / Output (GPIO) ports available. The exact list will depend on the
module configuration, as some GPIO pads are used for purposes such as serial communication.
See Enabling GPIO 1 and 2 on page 201 for more information on configuring and using GPIO ports.
GPIO Electrical SpecificationValue
Voltage - Supply2.1 - 3.6 V
Low Schmitt switching threshold0.42 - 0.5 x VCC
High Schmitt switching threshold0.62 - 0.8 x VCC
Input current for logic 0-0.5 A
Input current for logic 10.5 A
XBee/XBee-PRO ZigBee RF Modules User Guide13
Hardware specifications for the programmable variant
GPIO Electrical SpecificationValue
Input pull-up resistor value29 k
Input pull-down resistor value29 k
Output voltage for logic 00.18 x VCC (maximum)
Output voltage for logic 10.82 x VCC (minimum)
Output source/sink current for pad numbers 3, 4, 5, 10, 12, 14, 15, 16, 17, 25, 26,
4 mA
28, 29, 30, and 32 on the SMT modules
Output source/sink current for pin numbers 2, 3, 4, 9, 12, 13, 15, 16, 17, and 19
4 mA
on the TH modules
Output source/sink current for pad numbers 7, 8, 24, 31, and 33 on the SMT
8 mA
modules
Output source/sink current for pin numbers 6, 7, 11, 18, and 20 on the TH
8 mA
modules
Total output current (for GPIO pads)40 mA
Hardware specifications for the programmable variant
If the module has the programmable secondary processor, add the following table values to the specifications
listed on page 8. For example, if the secondary processor is running at 20 MHz and the primary processor is in
receive mode then the new current value will be I
current of the secondary processor and I
is the receive current of the primary.
rx
Optional Secondary Processor Specification
total
= Ir2 + I
= 14 mA + 9 mA = 23 mA, where I
rx
These numbers add to specifications
(Add to RX, TX, and sleep currents depending
on mode of operation)
is the runtime
r2
Runtime current for 32k running at 20MHz+14mA
Runtime current for 32k running at 1MHz+1mA
Sleep current+0.5A typical
For additional specifications see Freescale
MC9S08QE32
Datasheet and Manual
Minimum Reset low pulse time for EM357+26S
VREF Range1.8VDC to VCC
Mechanical drawings
The following mechanical drawings of the XBee/XBee-PRO ZigBee RF ModuleRF Modules show all dimensions in
inches. The first drawing shows the surface-mount model (antenna options not shown).
XBee/XBee-PRO ZigBee RF Modules User Guide14
Mechanical drawings
3,1
3,1
3,1
5360$
8)/
:,5(:+,3
3&%$17(11$
The drawings below show the XBee through-hole module.
l
XBee/XBee-PRO ZigBee RF Modules User Guide15
The drawings below show the XBee-PRO through-hole model.
3&%$17(11$
:,5(:+,3
8)/
5360$
3,1
3,1
3,1
Pin signals for the surface mount module
Pin signals for the surface mount module
Pin #NameDirectionDefault StateDescription
1GND--
2VCC--
3DOUT / DIO13 BothOutput
4DIN / CONFIG
5DIO12 Both
6RESET
7RSSI PWM / DIO10BothOutput
8PWM1 / DIO11 BothDisabled
9[reserved]-Disabled
10DTR
11GND--
/ DIO14BothInput
Input
/ SLEEP_RQ / DIO8BothInput
Ground
Power Supply
UART Data Out / GPIO
UART Data In / GPIO
GPIO
Module Reset
RX Signal Strength Indicator / GPIO
Pulse Width Modulator / GPIO
Do Not Connect
Pin Sleep Control Line / GPIO
Ground
XBee/XBee-PRO ZigBee RF Modules User Guide16
Pin signals for the surface mount module
Pin #NameDirectionDefault StateDescription
12SPI_ATTN
13GND--
14SPI_CLK / DIO18InputInput
15SPI_SSEL
16SPI_MOSI / DIO16InputInput
17SPI_MISO / DIO15OutputOutput
18[reserved]*-Disabled
19[reserved]*-Disabled
20[reserved]*-Disabled
21[reserved]*-Disabled
22GND--
23[reserved]-Disabled
24DIO4BothDisabled
25CTS
/ BOOTMODE / DIO19OutputOutput
/ DIO 17InputInput
/ DIO7BothOutput
Serial Peripheral Interface Attention
Do not tie low on reset
Ground
Serial Peripheral Interface Clock / GPIO
Serial Peripheral Interface not Select / GPIO
Serial Peripheral Interface Data In / GPIO
Serial Peripheral Interface Data Out / GPIO
Do Not Connect
Do Not Connect
Do Not Connect
Do Not Connect
Ground
Do Not Connect
GPIO
Clear to Send Flow Control / GPIO
26ON / SLEEP
27VREFInput-
28ASSOCIATE / DIO5BothOutput
29RTS
30AD3 / DIO3BothDisabled
31AD2 / DIO2BothDisabled
32AD1 / DIO1BothDisabled
33AD0 / DIO0BothInput
34[reserved]-Disabled
35GND--
36RFBoth-
/ DIO9BothOutput
/ DIO6BothInput
Module Status Indicator / GPIO
Not used for EM357. Used for programmable
secondary processor. For compatibility with
other XBee modules, we recommend connecting
this pin to the voltage reference if Analog
Sampling is desired. Otherwise, connect to GND.
Associate Indicator / GPIO
Request to Send Flow Control / GPIO
Analog Input / GPIO
Analog Input / GPIO
Analog Input / GPIO
Analog Input / GPIO / Commissioning Button
Do Not Connect
Ground
RF IO for RF Pad Variant
XBee/XBee-PRO ZigBee RF Modules User Guide17
Pin signals for the through-hole module
Pin #NameDirectionDefault StateDescription
37[reserved]-Disabled
Signal Direction is specified with respect to the module
See Design notes for SMT RF pad modules on page 23 for details on pin connections
* Refer to the Writing Custom Firmware section for instructions on using these pins if JTAG functions are needed
Do Not Connect
Pin signals for the through-hole module
Pin #NameDirectionDefault StateDescription
1VCC--
2DOUT / DIO13 BothOutput
3DIN / CONFIG
4DIO12 / SPI_MISOBothDisabled
5RESET
6RSSI PWM / PWMO DIO10BothOutput
7PWM1 / DIO11 BothDisabled
8[reserved]--
/ DIO14BothInput
InputInput
Power Supply
UART Data Out
UART Data In
GPIO/ SPI slave out
Module Reset
RX signal strength indicator / GPIO
GPIO
Do Not Connect
9DTR
10GND--
11SPI_MOSI / DIO4BothDisabled
12CTS
13ON_SLEEP
14VREF--
15ASSOCIATE / DIO5BothOutput
16RTS
17AD3 / DIO3 / SPI_SSE
18AD2 / DIO2 / SPI_CLKBothDisabled
19AD1 / DIO1 / SPI_ATTN
20AD0 / DIO0 / CBBothDisabled
/ SLEEP_RQ / DIO8BothInput
/ DIO7BothOutput
/ DIO9BothOutput
/ DIO6BothInput
L BothDisabled
BothDisabled
Pin Sleep Control Line / GPIO
Ground
GPIO/ SPI slave in
Clear-to-Send Flow Control / GPIO
Module Status Indicator / GPIO
Not connected
Associate Indicator / GPIO
Request to Send Flow Control / GPIO
Analog Input / GPIO / SPI Slave Select
Analog Input / GPIO / SPI Clock
Analog Input / GPIO / SPI Attention
Analog Input / GPIO / Commissioning Button
XBee/XBee-PRO ZigBee RF Modules User Guide18
Pin signals for the through-hole module
EM357 pin mappings
The following table shows how the EM357 pins are used on the XBee.
NoteSome lines may not go to the external XBee pins in the programmable secondary processor version.
EM357 Pin #EM357 Pin Name
12
18
19
20
21
22
24
25
26
27
29
30
RST
PA7
PB3
PB4
PA0 / SC2MOSI
PA1 / SC2MISO
PA2 / SC2SCLK
PA3 / SC2SSEL
PA4 / PTI_EN
PA5 / PTI_DATA /
BOOTMODE
PA6
PB1 / SC1TXD
XBee (SMT)
Pad #
65
87
2916
2512
1611
174
1418
1517
3219
12NA
76
32
XBee (TH)
Pin #
Other Usage
Programming
Used for UART
Used for UART
Used for SPI
Used for SPI
Used for SPI
Used for SPI
OTA packet tracing
OTA packet tracing, force embedded serial bootloader,
and SPI attention line
Used for UART
31
33
34
35
36
38
41
42
43
PB2 / SC1RXD
PC2 / JTDO / SWO
PC3 / JTDI
PC4 / JTMS / SWDIO
PB0
PC1 / ADC3
PB7 / ADC2
PB6 / ADC1
PB5 / ADC0Temperature sensor on PRO version
43
2613
2815
54
109
3017
3118
3320
Used for UART
JTAG (see Writing custom firmware on page 201)
JTAG (see Writing custom firmware on page 201)
JTAG (see Writing custom firmware on page 201)
XBee/XBee-PRO ZigBee RF Modules User Guide19
Design notes
Design notes
The XBee modules do not specifically require any external circuitry or specific connections for proper operation.
However, there are some general design guidelines that are recommended for help in troubleshooting and
building a robust design.
Power supply design
Poor power supply can lead to poor radio performance, especially if the supply voltage is not kept within
tolerance or is excessively noisy. To help reduce noise, we recommend placing both a 1F and 8.2pF capacitor as
near to (pad 2/SMT, pin 1/TH) on the PCB as possible. If using a switching regulator for your power supply,
switching frequencies above 500kHz are preferred. Power supply ripple should be limited to a maximum 50mV
peak to peak.
NoteFor designs using the programmable modules, an additional 10F decoupling cap is recommended near
(pad 2/SMT, pin 1/TH) of the module. The nearest proximity to (pad 2/SMT, pin 1/TH) of the three caps
should be in the following order: 8.2pf, 1F followed by 10F.
Recommended pin connections
The only required pin connections are VCC, GND, DOUT and DIN. To support serial firmware updates, VCC, GND,
DOUT, DIN, RTS, and DTR should be connected.
All unused pins should be left disconnected. All inputs on the radio can be pulled high or low with 30k internal
pull-up or pull-down resistors using the PR and PD software commands. No specific treatment is needed for
unused outputs.
For applications that need to ensure the lowest sleep current, unconnected inputs should never be left floating.
Use internal or external pull-up or pull-down resistors, or set the unused I/O lines to outputs.
Other pins may be connected to external circuitry for convenience of operation, including the Associate LED pad
(pad 28/SMT, pin 15/TH) and the Commissioning pad (pad 33/SMT, pin 20/TH). The Associate LED pad will flash
differently depending on the state of the module to the network, and a pushbutton attached to pad 33 can
enable various join functions without having to send serial port commands. See Commissioning Pushbutton and
Associate LED on page 93 for more details. The source and sink capabilities are limited to 4mA for pad numbers 3,
4, 5, 10, 12, 14, 15, 16, 17, 25, 26, 28, 29, 30 and 32, and 8mA for pad numbers 7, 8, 24, 31 and 33 on the SMT
module. The source and sink capabilities are limited to 4mA for pin numbers 2, 3, 4, 9, 12, 13, 15, 16, 17, and 19,
and 8mA for pin numbers 6, 7, 11, 18, and 20 on the TH module.
The VRef pad (pad 27) is only used on the programmable versions of the SMT modules. For the TH modules, a
VRef pin (Pin #14) is used. For compatibility with other XBee modules, we recommend connecting this pin to a
voltage reference if analog sampling is desired. Otherwise, connect to GND.
Board layout
XBee modules are designed to be self sufficient and have minimal sensitivity to nearby processors, crystals or
other PCB components. As with all PCB designs, Power and Ground traces should be thicker than signal traces
and able to comfortably support the maximum current specifications. A recommended PCB footprint for the
module can be found in Manufacturing information on page 228. No other special PCB design considerations are
required for integrating XBee radios except in the antenna section.
The choice of antenna and antenna location is very important for correct performance. With the exception of the
RF Pad variant, XBees do not require additional ground planes on the host PCB. In general, antenna elements
XBee/XBee-PRO ZigBee RF Modules User Guide20
Design notes
radiate perpendicular to the direction they point. Thus a vertical antenna emits across the horizon. Metal objects
near the antenna cause reflections and may reduce the ability for an antenna to radiate efficiently. Metal objects
between the transmitter and receiver can also block the radiation path or reduce the transmission distance, so
external antennas should be positioned away from them as much as possible. Some objects that are often
overlooked are metal poles, metal studs or beams in structures, concrete (it is usually reinforced with metal
rods), metal enclosures, vehicles, elevators, ventilation ducts, refrigerators, microwave ovens, batteries, and tall
electrolytic capacitors.
Design notes for PCB antenna modules
PCB Antenna modules should not have any ground planes or metal objects above or below the antenna. For best
results, the module should not be placed in a metal enclosure, which may greatly reduce the range. The module
should be placed at the edge of the PCB on which it is mounted. The ground, power and signal planes should be
vacant immediately below the antenna section. The drawings on the following pages illustrate important
recommendations when designing with PCB antenna modules. It should be noted that for optimal performance,
this module should not be mounted on the RF Pad footprint described in the next section because the footprint
requires a ground plane within the PCB Antenna keep out area.
XBee/XBee-PRO ZigBee RF Modules User Guide21
Surface-mount keepout area
Design notes
XBee/XBee-PRO ZigBee RF Modules User Guide22
Through-hole keepout area
Design notes
Design notes for SMT RF pad modules
The RF Pad is a soldered antenna connection. The RF signal travels from pin 36 on the module to the antenna
through an RF trace transmission line on the PCB. Note that any additional components between the module and
antenna will violate modular certification. The RF trace should have a controlled impedance of 50 ohms. We
recommend using a microstrip trace, although coplanar waveguide may also be used if more isolation is needed.
Microstrip generally requires less area on the PCB than coplanar waveguide. Stripline is not recommended
because sending the signal to different PCB layers can introduce matching and performance problems.
It is essential to follow good design practices when implementing the RF trace on a PCB. The following figures
show a layout example of a host PCB that connects an RF Pad module to a right angle, through hole RPSMA jack.
The top two layers of the PCB have a controlled thickness dielectric material in between. The second layer has a
ground plane which runs underneath the entire RF Pad area. This ground plane is a distance d, the thickness of
the dielectric, below the top layer. The top layer has an RF trace running from pin 36 of the module to the RF pin
of the RPSMA connector. The RF trace's width determines the impedance of the transmission line with relation to
XBee/XBee-PRO ZigBee RF Modules User Guide23
Design notes
the ground plane. Many online tools can estimate this value, although the PCB manufacturer should be consulted
for the exact width. Assuming d=0.025”, and that the dielectric has a relative permittivity of 4.4, the width in this
example will be approximately 0.045" for a 50 ohm trace. This trace width is a good fit with the module footprint's
0.060" pad width. Using a trace wider than the pad width is not recommended, and using a very narrow trace
(under 0.010") can cause unwanted RF loss. The length of the trace is minimized by placing the RPSMA jack close
to the module. All of the grounds on the jack and the module are connected to the ground planes directly or
through closely placed vias. Any ground fill on the top layer should be spaced at least twice the distance d (in this
case, at least 0.050") from the microstrip to minimize their interaction.
Implementing these design suggestions will help ensure that the RF Pad module performs to its specifications.
The following illustration shows PCB layer 1 of an example RF layout.
The following illustration shows PCB layer 2 of an example RF layout.
XBee/XBee-PRO ZigBee RF Modules User Guide24
Module operation for the programmable variant
Module operation for the programmable variant
The modules with the programmable option have a secondary processor with 32k of flash and 2k of RAM. This
allows module integrators to put custom code on the XBee module to fit their own unique needs. The DIN, DOUT,
RTS, CTS, and RESET lines are intercepted by the secondary processor to allow it to be in control of the data
transmitted and received. All other lines are in parallel and can be controlled by either the EM357 or the
MC9SO8QE micro (see the Block Diagram for details). The pin use is automatically handled by the Programmable
XBee SDK native APIs.
In order for the secondary processor to sample with ADCs, the XBee VREF pin (27/SMT, 14/TH) must be connected
to a reference voltage.
Digi provides a bootloader that can take care of programming the processor over the air or through the serial
interface. This means that over the air updates can be supported through an XMODEM protocol. The processor
can also be programmed and debugged through a one wire interface BKGD (Pin 9/SMT, Pin 8/TH).
Programmable XBee SDK
The XBee Programmable module is equipped with a Freescale MC9S08QE32 application processor. This
application processor comes with a supplied bootloader. To interface your application code running on this
processor to the XBee Programmable module's supplied bootloader, use the Programmable XBee SDK.
To use the SDK, you must also download CodeWarrior. The download links are:
If these revisions change, search for the part number on Digi’s website. For example, search for “40003003”.
Install the IDE first, then install the SDK.
The documentation for the Programmable XBee SDK is built into the SDK, so the Getting Started guide appears
when you open CodeWarrior.
XBee/XBee-PRO ZigBee RF Modules User Guide25
The following figure shows the programmable connections for the SMT.
Overview of the XBee ZigBee RF Module
XBee/XBee-PRO ZigBee RF Modules User Guide26
The following illustration shows the programmable connections for the TH Module.
Overview of the XBee ZigBee RF Module
XBee/XBee-PRO ZigBee RF Modules User Guide27
Module operation
Serial communications
XBee RF Modules interface to a host device through a serial port. Through its serial port, the module can
communicate with any logic and voltage compatible UART, through a level translator to any serial device (for
example, through a RS-232 or USB interface board), or through a Serial Peripheral Interface, which is a synchronous
interface to be described later.
Two Wire serial Interface (TWI) is also available, but not supported by Digi. For information on the TWI, see the EM357
specification.
UART data flow
Devices that have a UART interface can connect directly to the pins of the RF module as shown in the figure below.
System data flow diagram in a UART-interfaced environment (Low-asserted signals distinguished with horizontal line
over signal name.)
Serial data
Data enters the module UART through the DIN (pin 4) as an asynchronous serial signal. The signal should idle high
when no data is being transmitted.
Each data byte consists of a start bit (low), 8 data bits (least significant bit first) and a stop bit (high). The following
figure illustrates the serial bit pattern of data passing through the module.
XBee/XBee-PRO ZigBee RF Modules User Guide28
Serial communications
UART data packet 0x1F (decimal number “31”) as transmitted through the RF module
Example Data Format is 8-N-1 (bits - parity - # of stop bits)
Serial communications depend on the two UARTs (the microcontroller's and the RF module's) to be configured
with compatible settings (baud rate, parity, start bits, stop bits, data bits).
The UART baud rate, parity, and stop bits settings on the XBee module can be configured with the BD, NB, and SB
commands respectively. See Serial interfacing (I/O) commands on page 186 for details.
SPI communications
The XBee modules support SPI communications in slave mode. Slave mode receives the clock signal and data
from the master and returns data to the master. The SPI port uses the following signals on the XBee:
•SPI_MOSI (Master Out, Slave In) - inputs serial data from the master
•SPI_MISO (Master In, Slave Out) - outputs serial data to the master
•SPI_SCLK (Serial Clock) - clocks data transfers on MOSI and MISO
•SPI_SSEL (Slave Select) - enables serial communication with the slave
The above four pins are standard for SPI. This module also supports an additional pin, which may be configured
to alert the SPI master when it has data to send. This pin is called SPI_ATTN
(through polling or interrupts), it can know when it needs to receive data from the module. SPI_ATTN
whenever it has data to send and it remains asserted until all available data has been shifted out to the SPI
master.
In this mode, the following apply:
. If the master monitors this pin
asserts
•Data/clock rates of up to 5 Mb/s are possible
•Data is MSB first
•Frame format mode 0 is used (see below)
The following illustration shows the frame format for SPI communications.
XBee/XBee-PRO ZigBee RF Modules User Guide29
Serial communications
Serial
Receiver
Buffer
RF TX
Buffer
Transmitter
RF Switch
Antenna
Port
Receiver
Serial Transmit
Buffer
RF RX
Buffer
Processor
DIN
DOUT
CTS
RTS
SPI operation
When the slave select (SPI_SSEL) signal is asserted by the master, SPI transmit data is driven to the output pin
(SPI_MISO), and SPI data is received from the input pin SPI_MOSI. The SPI_SSEL
the transmit serializer to drive data to the output signal SPI_MISO. A rising edge on SPI_SSEL
shift registers.
pin has to be asserted to enable
resets the SPI slave
If the SPI_SCLK is present, the SPI_MISO line is always driven whether with or without the SPI_SSEL
line driven.
This is a known issue with the Ember EM357 chip, and makes additional hardware necessary if multiple slaves are
using the same bus as the XBee.
If the input buffer is empty, the SPI serializer transmits a busy token (0xFF). Otherwise, all transactions on the SPI
port use API operation. See API Operation on page 130 for more information.
The SPI slave controller must guarantee that there is time to move new transmit data from the transmit buffer
into the hardware serializer. To provide sufficient time, the SPI slave controller inserts a byte of padding at the
start of every new string of transmit data. Whenever the transmit buffer is empty and data is placed into the
transmit buffer, the SPI hardware inserts a byte of padding onto the front of the transmission as if this byte were
placed there by software.
Serial port selection
In the default configuration the UART and SPI ports will both be configured for serial port operation. In this case,
serial data will go out the UART until the SPI_SSEL signal is asserted. Thereafter all serial communications will
operate only on the SPI interface until a reset occurs.
If only the UART is enabled, then only the UART will be used, and SPI_SSEL will be ignored.
If only the SPI is enabled, then only the SPI will be used, and UART communications will be ignored. If DOUT is
held low during boot, then only the SPI will be used.
Once SPI is in use, do not attempt to apply changes (AC) which change the UART or SPI settings. Instead, use 0x09
frames to reconfigure UART/SPI/other settings, use WR to save the settings, then FR to reset the XBee and use the
new configuration settings.
If neither serial port is enabled, then UART will remain enabled, only the UART will be used, and SPI_SSEL will be
ignored.
Serial buffers
The XBee modules maintain small buffers to collect received serial and RF data, which is illustrated in the figure
below. The serial receive buffer collects incoming serial characters and holds them until they can be processed.
The serial transmit buffer collects data that is received via the RF link that will be transmitted out the UART or SPI
port. The following figure shows an internal data flow diagram.
XBee/XBee-PRO ZigBee RF Modules User Guide30
Serial communications
Serial receive buffer
When serial data enters the RF module through the serial port, the data is stored in the serial receive buffer until it
can be processed. Under certain conditions, the module may receive data when the serial receive buffer is
already full. In that case the data is discarded.
The serial receive buffer becomes full when data is streaming into the serial port faster than it can be processed
and sent over the air (OTA). While the speed of receiving the data on the serial port can be much faster than the
speed of transmitting to data for a short period, sustained operation in that mode will cause data to be dropped
due to running out of places in the module to put the data. Some things that may delay over the air transmissions
are address discovery, route discovery, and retransmissions. Processing received RF data can also take away
time and resources for processing incoming serial data.
If the UART is the serial port and CTS flow control is enabled, the external data source is alerted when the receive
buffer is almost full. Then the host holds off sending data to the module until the module asserts CTS again,
allowing more data to come in.
If the SPI is the serial port, no hardware flow control is available. It is the user's responsibility to ensure that
receive buffer is not overflowed. One reliable strategy is to wait for a TX_STATUS response after each frame sent
to ensure that the module has had time to process it.
Serial transmit buffer
When RF data is received, the data is moved into the serial transmit buffer and sent out the UART or SPI port. If
the serial transmit buffer becomes full enough such that all data in a received RF packet won't fit in the serial
transmit buffer, the entire RF data packet is dropped.
Cases in which the serial transmit buffer may become full resulting in dropped RF packets:
1. If the RF data rate is set higher than the interface data rate of the module, the module could receive data
faster than it can send the data to the host.
2. If the host does not allow the module to transmit data out from the serial transmit buffer because of being
held off by hardware flow control.
UART flow control
The RTS and CTS module pins can be used to provide RTS and/or CTS flow control. CTS flow control provides an
indication to the host to stop sending serial data to the module. RTS flow control allows the host to signal the
module to not send data in the serial transmit buffer out the UART. RTS and CTS flow control are enabled using
the D6 and D7 commands. Note that serial port flow control is not possible when using the SPI port.
CTS flow control
If CTS flow control is enabled (D7 command), when the serial receive buffer is 17 bytes away from being full, the
module de-asserts CTS
after the serial receive buffer has 34 bytes of space.
(sets it high) to signal to the host device to stop sending serial data. CTS is re-asserted
RTS flow control
If RTS flow control is enabled (D6 command), data in the serial transmit buffer will not be sent out the DOUT pin
as long as RTS
filling the serial transmit buffer. If an RF data packet is received, and the serial transmit buffer does not have
enough space for all of the data bytes, the entire RF data packet will be discarded.
XBee/XBee-PRO ZigBee RF Modules User Guide31
is de-asserted (set high). The host device should not de-assert RTS for long periods of time to avoid
Serial communications
Note If the XBee is sending data out the UART when RTS is de-asserted (set high), the XBee could send up to 5
characters out the UART or SPI port after RTS is de-asserted.
Break control
If break is enabled for over five seconds, the XBee will reset. Then it will boot with default baud settings into
command mode.
This break function will be disabled if either P3 or P4 are not enabled.
Serial interface protocols
The XBee modules support both transparent and Application Programming Interface (API) serial interfaces.
Transparent operation
When operating in transparent mode, the modules act as a serial line replacement. All UART or SPI data received
through the DIN or MOSI pin is queued up for RF transmission. When RF data is received, the data is sent out
through the serial port. The module configuration parameters are configured using the AT command mode
interface. Note that transparent operation is not provided when using the SPI.
Data is buffered in the serial receive buffer until one of the following causes the data to be packetized and
transmitted:
•No serial characters are received for the amount of time determined by the RO (Packetization Timeout)
parameter. If RO = 0, packetization begins when a character is received.
•The Command Mode Sequence (GT + CC + GT) is received. Any character buffered in the serial receive buffer
before the sequence is transmitted.
•The maximum number of characters that will fit in an RF packet is received.
API operation
API operation is an alternative to transparent operation. The frame-based API extends the level to which a host
application can interact with the networking capabilities of the module. When in API mode, all data entering and
leaving the module is contained in frames that define operations or events within the module.
Transmit Data Frames (received through the serial port) include:
•RF Transmit Data Frame
•Command Frame (equivalent to AT commands)
Receive Data Frames (sent out the serial port) include:
•RF-received data frame
•Command response
•Event notifications such as reset, associate, disassociate, etc.
The API provides alternative means of configuring modules and routing data at the host application layer. A host
application can send data frames to the module that contain address and payload information instead of using
command mode to modify addresses. The module will send data frames to the application containing status
packets; as well as source, and payload information from received data packets.
The API operation option facilitates many operations such as the examples cited below:
XBee/XBee-PRO ZigBee RF Modules User Guide32
Serial communications
•Transmitting data to multiple destinations without entering Command Mode
•Receive success/failure status of each transmitted RF packet
•Identify the source address of each received packet
Comparing Transparent and API operation
The following table compares the advantages of transparent and API modes of operation:
Transparent Operation Features
Simple InterfaceAll received serial data is transmitted unless the module is in command mode.
Easy to supportIt is easier for an application to support transparent operation and command mode
API Operation Features
Easy to manage data
transmissions to
multiple destinations
Received data frames
indicate the sender's
address
Advanced ZigBee
addressing support
Advanced networking
diagnostics
Remote ConfigurationSet / read configuration commands can be sent to remote devices to configure them as needed
Generally, API mode is recommended when a device:
Transmitting RF data to multiple remotes only requires changing the address in the API frame. This
process is much faster than in transparent operation where the application must enter AT
command mode, change the address, exit command mode, and then transmit data.
Each API transmission can return a transmit status frame indicating the success or reason for
failure.
All received RF data API frames indicate the source address.
API transmit and receive frames can expose ZigBee addressing fields including source and
destination endpoints, cluster ID and profile ID. This makes it easy to support ZDO commands and
public profile traffic.
API frames can provide indication of IO samples from remote devices, and node identification
messages.
using the API.
• sends RF data to multiple destinations
• sends remote configuration commands to manage devices in the network
• receives RF data packets from multiple devices, and the application needs to know which device sent which
packet
• must support multiple ZigBee endpoints, cluster IDs, and/or profile IDs
• uses the ZigBee Device Profile services.
API mode is required when:
• using Smart Energy firmware
• using SPI for the serial port
• receiving I/O samples from remote devices
• using source routing
XBee/XBee-PRO ZigBee RF Modules User Guide33
Modes of operation
If the above conditions do not apply (e.g. a sensor node, router, or a simple application), then transparent
operation might be suitable. It is acceptable to use a mixture of devices running API mode and transparent mode
in a network.
Modes of operation
Idle Mode
When not receiving or transmitting data, the RF module is in Idle Mode. The module shifts into the other modes of
operation under the following conditions:
•Transmit Mode (Serial data in the serial receive buffer is ready to be packetized)
•Receive Mode (Valid RF data is received through the antenna)
•Sleep Mode (End Devices only)
•Command Mode (Command Mode Sequence is issued, not available with Smart Energy software or when
using the SPI port)
Transmit Mode
When serial data is received and is ready for packetization, the RF module will exit Idle Mode and attempt to
transmit the data. The destination address determines which node(s) will receive the data.
Prior to transmitting the data, the module ensures that a 16-bit network address and route to the destination
node have been established.
If the destination 16-bit network address is not known, network address discovery will take place. If a route is not
known, route discovery will take place for the purpose of establishing a route to the destination node. If a module
with a matching network address is not discovered, the packet is discarded. The data will be transmitted once a
route is established. If route discovery fails to establish a route, the packet will be discarded. The following figure
shows the Transmit Mode sequence.
XBee/XBee-PRO ZigBee RF Modules User Guide34
Modes of operation
16-bit Network
Address Discovery
Data Discarded
Successful
Transmi ssion
Yes
No
New
Transmission
16-bit Network
Add ress D iscovered?
Route Known?
Rou te Dis covered ?
16-bit Network
Address Known?
Rou te Discovery
Transmit Data
Idle Mode
No
Yes
NoNo
YesYes
When data is transmitted from one node to another, a network-level acknowledgment is transmitted back across
the established route to the source node. This acknowledgment packet indicates to the source node that the
data packet was received by the destination node. If a network acknowledgment is not received, the source node
will re-transmit the data.
It is possible in rare circumstances for the destination to receive a data packet, but for the source to not receive
the network acknowledgment. In this case, the source will retransmit the data, which could cause the destination
to receive the same data packet multiple times. The XBee modules do not filter out duplicate packets. The
application should include provisions to address this potential issue
See Transmission, addressing, and routing on page 59 for more information.
Receive Mode
If a valid RF packet is received, the data is transferred to the serial transmit buffer.
Command Mode
To modify or read RF Module parameters, the module must first enter into Command Mode - a state in which
incoming serial characters are interpreted as commands. Command Mode is only available over the UART when
not using the Smart Energy firmware. API Operation on page 130 describes an alternate means for configuring
modules which is available with the SPI and with Smart Energy, as well as over the UART with ZB code.
AT Command Mode
To Enter AT Command Mode:
Send the 3-character command sequence “+++” and observe guard times before and after the command
characters. [Refer to the “Default AT Command Mode Sequence” below.]
Default AT Command Mode Sequence (for transition to Command Mode):
XBee/XBee-PRO ZigBee RF Modules User Guide35
Modes of operation
Example: ATDL 1F<CR>
“AT”
Prex
ASCII
Command
Space
(optional)
Parameter
(optional, HEX)
Carriage
Return
•No characters sent for one second [GT (Guard Times) parameter = 0x3E8]
•Input three plus characters (“+++”) within one second [CC (Command Sequence Character) parameter =
0x2B.]
•No characters sent for one second [GT (Guard Times) parameter = 0x3E8]
Once the AT command mode sequence has been issued, the module sends an “OK\r” out the UART pad. The
“OK\r” characters can be delayed if the module has not finished transmitting received serial data.
When command mode has been entered, the command mode timer is started (CT command), and the module is
able to receive AT commands on the UART port.
All of the parameter values in the sequence can be modified to reflect user preferences.
Note Failure to enter AT Command Mode is most commonly due to baud rate mismatch. By default, the BD
(Baud Rate) parameter = 3 (9600 b/s).
To send AT commands:
Send AT commands and parameters using the syntax shown below.
NoteTo read a parameter value stored in the RF module’s register, omit the parameter field.
The preceding example would change the RF module Destination Address (Low) to “0x1F”. To store the new value
to non-volatile (long term) memory, subsequently send the WR (Write) command.
For modified parameter values to persist in the module’s registry after a reset, changes must be saved to nonvolatile memory using the WR (Write) Command. Otherwise, parameters are restored to previously saved values
after the module is reset.
Command response
When a command is sent to the module, the module will parse and execute the command. Upon successful
execution of a command, the module returns an “OK” message. If execution of a command results in an error, the
module returns an “ERROR” message.
Applying command changes
Any changes made to the configuration command registers through AT commands will not take effect until the
changes are applied. For example, sending the BD command to change the baud rate will not change the actual
baud rate until changes are applied. Changes can be applied in one of the following ways:
•The AC (Apply Changes) command is issued.
•AT command mode is exited.
To exit AT Command Mode:
1. Send the ATCN (Exit Command Mode) command (followed by a carriage return).
XBee/XBee-PRO ZigBee RF Modules User Guide36
Modes of operation
[OR]
2. If no valid AT Commands are received within the time specified by CT (Command Mode Timeout) Command, the
RF module automatically returns to Idle Mode.
NoteFor an example of programming the RF module using AT Commands and descriptions of each configurable
parameter, see Command reference tables on page 178.
Sleep Mode
Sleep modes allow the RF module to enter states of low power consumption when not in use. XBee RF modules
support both pin sleep (sleep mode entered on pin transition) and cyclic sleep (module sleeps for a fixed time). XBee
sleep modes are discussed in detail in Managing End Devices on page 107.
XBee/XBee-PRO ZigBee RF Modules User Guide37
ZigBee networks
Introduction to ZigBee
ZigBee is an open global standard built on the IEEE 802.15.4 MAC/PHY. ZigBee defines a network layer above the
802.15.4 layers to support advanced mesh routing capabilities. The ZigBee specification is developed by a growing
consortium of companies that make up the ZigBee Alliance. The Alliance is made up of over 300 members, including
semiconductor, module, stack, and software developers.
ZigBee stack layers
The ZigBee stack consists of several layers including the PHY, MAC, Network, Application Support Sublayer (APS), and
ZigBee Device Objects (ZDO) layers. Technically, an Application Framework (AF) layer also exists, but will be grouped
with the APS layer in remaining discussions. The ZigBee layers are shown in the figure below.
XBee/XBee-PRO ZigBee RF Modules User Guide38
ZigBee networking concepts
A description of each layer appears in the following table:
ZigBee LayerDescription
PHYDefines the physical operation of the ZigBee device including receive sensitivity, channel rejection, output
power, number of channels, chip modulation, and transmission rate specifications. Most ZigBee
applications operate on the 2.4 GHz ISM band at a 250kb/s data rate. See the IEEE 802.15.4 specification for
details.
MACManages RF data transactions between neighboring devices (point to point). The MAC includes services
such as transmission retry and acknowledgment management, and collision avoidance techniques (CSMACA).
NetworkAdds routing capabilities that allows RF data packets to traverse multiple devices (multiple "hops") to
route data from source to destination (peer to peer).
APS (AF)Application layer that defines various addressing objects including profiles, clusters, and endpoints.
ZDOApplication layer that provides device and service discovery features and advanced network management
capabilities.
ZigBee networking concepts
Device types
ZigBee defines three different device types: coordinator, router, and end device.
Node Types / Sample of a Basic ZigBee Network Topology
A coordinator has the following characteristics: It:
•Selects a channel and PAN ID (both 64-bit and 16-bit) to start the network
•Can allow routers and end devices to join the network
•Can assist in routing data
•Cannot sleep--should be mains powered
•Can buffer RF data packets for sleeping end device children
A router has the following characteristics: It:
•Must join a ZigBee PAN before it can transmit, receive, or route data
•After joining, can allow routers and end devices to join the network
•After joining, can assist in routing data
•Cannot sleep--should be mains powered
•Can buffer RF data packets for sleeping end device children
An end device has the following characteristics: It:
•Must join a ZigBee PAN before it can transmit or receive data
•Cannot allow devices to join the network
•Must always transmit and receive RF data through its parent, and cannot route data
•Can enter low power modes to conserve power and can be battery-powered
An example of such a network is shown below:
XBee/XBee-PRO ZigBee RF Modules User Guide39
ZigBee networking concepts
In ZigBee networks, the coordinator must select a PAN ID (64-bit and 16-bit) and channel to start a network. After
that, it behaves essentially like a router. The coordinator and routers can allow other devices to join the network
and can route data.
After an end device joins a router or coordinator, it must be able to transmit or receive RF data through that
router or coordinator. The router or coordinator that allowed an end device to join becomes the “parent” of the
end device. Since the end device can sleep, the parent must be able to buffer or retain incoming data packets
destined for the end device until the end device is able to wake and receive the data.
A module can only operate as one of the three device types. The device type is selected by configuration rather
than by firmware image as was the case on earlier hardware platforms.
By default, the module operates as a router in transparent mode. To select coordinator operation, set CE to 1. To
select end device operation, set SM to a non-zero value. To select router operation, both CE and SM must be 0.
One complication is that if a device is a coordinator and it needs to be changed into an end device, CE must be set
back to 0 first. If not, the SM configuration will conflict with the CE configuration. Likewise, to change an end
device into a coordinator, it must be changed into a router first.
Another complication is that default parameters for a router build don't always work very well for a coordinator
build. For example:
DH/DL is 0 by default, which allows routers and end devices to send data to the coordinator when they first come
up. If DH/DL is not changed from the default value when the device is changed to a coordinator, then the device
will send data to itself, causing characters to be echoed back to the screen as they are typed. Since this is
probably not the desired operation, DH/DL should be set to the broadcast address or some specific unicast
address when the device is changed to a coordinator.
Another example is EO for smart energy builds. This value should be 08 for routers and end devices and it should
be 02 for the coordinator to designate it as the trust center. Therefore, if using authentication, which is the
normal case for Smart Energy builds, EO should be changed from 02 to 08 when CE is set to 1.
Another example is EO for ZigBee builds. By default the value is 0x00. But if it and EE are set to 0x01 on all radios
in a network, then the network key will be sent in the clear (unencrypted) at association time. This may be a
useful setting in development environments, but is discouraged for security reasons for product deployment.
In general, when changing device types, it is the user's responsibility to ensure that parameters are set to be
compatible with the new device type.
XBee/XBee-PRO ZigBee RF Modules User Guide40
ZigBee application layers: in depth
PAN ID
ZigBee networks are called personal area networks or PANs. Each network is defined with a unique PAN identifier
(PAN ID). This identifier is common among all devices of the same network. ZigBee devices are either
preconfigured with a PAN ID to join, or they can discover nearby networks and select a PAN ID to join.
ZigBee supports both a 64-bit and a 16-bit PAN ID. Both PAN IDs are used to uniquely identify a network. Devices
on the same ZigBee network must share the same 64-bit and 16-bit PAN IDs. If multiple ZigBee networks are
operating within range of each other, each should have unique PAN IDs.
The 16-bit PAN ID is used as a MAC layer addressing field in all RF data transmissions between devices in a
network. However, due to the limited addressing space of the 16-bit PAN ID (65,535 possibilities), there is a
possibility that multiple ZigBee networks (within range of each other) could use the same 16-bit PAN ID. To
resolve potential 16-bit PAN ID conflicts, the ZigBee Alliance created a 64-bit PAN ID.
The 64-bit PAN ID (also called the extended PAN ID), is intended to be a unique, non-duplicated value. When a
coordinator starts a network, it can either start a network on a preconfigured 64-bit PAN ID, or it can select a
random 64-bit PAN ID. The 64-bit PAN ID is used during joining; if a device has a preconfigured 64-bit PAN ID, it
will only join a network with the same 64-bit PAN ID. Otherwise, a device could join any detected PAN and inherit
the PAN ID from the network when it joins. The 64-bit PAN ID is included in all ZigBee beacons and is used in 16bit PAN ID conflict resolution.
Routers and end devices are typically configured to join a network with any 16-bit PAN ID as long as the 64-bit
PAN ID is valid. Coordinators typically select a random 16-bit PAN ID for their network.
Since the 16-bit PAN ID only allows up to 65,535 unique values, and since the 16-bit PAN ID is randomly selected,
provisions exist in ZigBee to detect if two networks (with different 64-bit PAN IDs) are operating on the same 16bit PAN ID. If such a conflict is detected, the ZigBee stack can perform PAN ID conflict resolution to change the 16bit PAN ID of the network in order to resolve the conflict. See the ZigBee specification for details.
To summarize, ZigBee routers and end devices should be configured with the 64-bit PAN ID of the network they
want to join. They typically acquire the 16-bit PAN ID when they join a network.
Operating channel
ZigBee uses direct-sequence spread spectrum modulation and operates on a fixed channel. The 802.15.4 PHY
defines 16 operating channels (channels 11 to 26) in the 2.4 GHz frequency band. XBee modules support all 16
channels.
ZigBee application layers: in depth
This section provides a more in-depth look at the ZigBee application stack layers (APS, ZDO) including a
discussion on ZigBee endpoints, clusters, and profiles. Much of the material in this section can introduce
unnecessary details of the ZigBee stack that are not required in many cases.
Skip this section if
•The XBee does not need to interoperate or talk to non-Digi ZigBee devices
•The XBee simply needs to send data between devices
Read this section if
•The XBee may talk to non-Digi ZigBee devices
•The XBee requires network management and discovery capabilities of the ZDO layer
•The XBee needs to operate in a public application profile (smart energy, home automation, etc.)
XBee/XBee-PRO ZigBee RF Modules User Guide41
ZigBee application layers: in depth
Application Support Sublayer (APS)
The APS layer in ZigBee adds support for application profiles, cluster IDs, and endpoints.
Application profiles
Application profiles specify various device descriptions including required functionality for various devices. The
collection of device descriptions forms an application profile. Application profiles can be defined as “Public” or
“Private” profiles. Private profiles are defined by a manufacturer whereas public profiles are defined, developed,
and maintained by the ZigBee Alliance. Each application profile has a unique profile identifier assigned by the
ZigBee Alliance.
Examples of public profiles include:
•Home Automation
•Smart Energy
•Commercial Building Automation
The Smart Energy profile, for example, defines various device types including an energy service portal, load
controller, thermostat, in-home display, etc. The Smart Energy profile defines required functionality for each
device type. For example, a load controller must respond to a defined command to turn a load on or off. By
defining standard communication protocols and device functionality, public profiles allow interoperable ZigBee
solutions to be developed by independent manufacturers.
Digi XBee ZB firmware operates on a private profile called the Digi Drop-In Networking profile. However, API
mode can be used in many cases to talk to devices in public profiles or non-Digi private profiles. See API
Operation on page 130 for details.
Clusters
A cluster is an application message type defined within a profile. Clusters are used to specify a unique function,
service, or action. For example, the following are some clusters defined in the home automation profile:
•On/Off - Used to switch devices on or off (lights, thermostats, etc.)
•Level Control - Used to control devices that can be set to a level between on and off
•Color Control - Controls the color of color capable devices
Each cluster has an associated 2-byte cluster identifier (cluster ID). The cluster ID is included in all application
transmissions. Clusters often have associated request and response messages. For example, a smart energy
gateway (service portal) might send a load control event to a load controller in order to schedule turning on or off
an appliance. Upon executing the event, the load controller would send a load control report message back to
the gateway.
Devices that operate in an application profile (private or public) must respond correctly to all required clusters.
For example, a light switch that will operate in the home automation public profile must correctly implement the
On/Off and other required clusters in order to interoperate with other home automation devices. The ZigBee
Alliance has defined a ZigBee Cluster Library (ZCL) that contains definitions or various general use clusters that
could be implemented in any profile.
XBee modules implement various clusters in the Digi private profile. In addition, the API can be used to send or
receive messages on any cluster ID (and profile ID or endpoint). See Explicit Addressing ZigBee Command frame
on page 139 for details.
Endpoints
XBee/XBee-PRO ZigBee RF Modules User Guide42
ZigBee Coordinator operation
The APS layer includes supports for endpoints. An endpoint can be thought of as a running application, similar to
a TCP/IP port. A single device can support one or more endpoints. Each application endpoint is identified by a 1byte value, ranging from 1 to 240. Each defined endpoint on a device is tied to an application profile. A device
could, for example, implement one endpoint that supports a Smart Energy load controller, and another endpoint
that supports other functionality on a private profile.
ZigBee Device Profile
Profile ID 0x0000 is reserved for the ZigBee Device Profile. This profile is implemented on all ZigBee devices.
Device Profile defines many device and service discovery features and network management capabilities.
Endpoint 0 is a reserved endpoint that supports the ZigBee Device Profile. This endpoint is called the ZigBee
Device Objects (ZDO) endpoint.
ZigBee Device Objects (ZDO)
The ZDO (endpoint 0) supports the discovery and management capabilities of the ZigBee Device Profile. A
complete listing of all ZDP services is included in the ZigBee specification. Each service has an associated cluster
ID.
The XBee ZB firmware allows applications to easily send ZDO messages to devices in the network using the API.
See ZDO transmissions on page 77 for details.
ZigBee Coordinator operation
Forming a network
The coordinator is responsible for selecting the channel, PAN ID (16-bit and 64-bit), security policy, and stack
profile for a network. Since a coordinator is the only device type that can start a network, each ZigBee network
must have one coordinator. After the coordinator has started a network, it can allow new devices to join the
network. It can also route data packets and communicate with other devices on the network.
To ensure the coordinator starts on a good channel and unused PAN ID, the coordinator performs a series of
scans to discover any RF activity on different channels (energy scan) and to discover any nearby operating PANs
(PAN scan). The process for selecting the channel and PAN ID are described in the following sections.
Channel selection
When starting a network, the coordinator must select a “good” channel for the network to operate on. To do this,
it performs an energy scan on multiple channels (frequencies) to detect energy levels on each channel. Channels
with excessive energy levels are removed from its list of potential channels to start on.
PAN ID selection
After completing the energy scan, the coordinator scans its list of potential channels (remaining channels after
the energy scan) to obtain a list of neighboring PANs. To do this, the coordinator sends a beacon request
(broadcast) transmission on each potential channel. All nearby coordinators and routers (that have already
joined a ZigBee network) will respond to the beacon request by sending a beacon back to the coordinator. The
beacon contains information about the PAN the device is on, including the PAN identifiers (16-bit and 64-bit). This
scan (collecting beacons on the potential channels) is typically called an active scan or PAN scan.
After the coordinator completes the channel and PAN scan, it selects a random channel and unused 16-bit PAN ID
to start on.
XBee/XBee-PRO ZigBee RF Modules User Guide43
ZigBee Coordinator operation
Security policy
The security policy determines which devices are allowed to join the network, and which device(s) can
authenticate joining devices. See ZigBee Security on page 84 for a detailed discussion of various security policies.
Persistent data
Once a coordinator has started a network, it retains the following information through power cycle or reset
events:
•PAN ID
•Operating channel
•Security policy and frame counter values
•Child table (end device children that are joined to the coordinator).
•Binding Table
•Group Table
The coordinator will retain this information indefinitely until it leaves the network. When the coordinator leaves a
network and starts a new network, the previous PAN ID, operating channel, and child table data are lost.
XBee ZigBee Coordinator startup
The following table provides the network formation commands used by the coordinator to form a network.
CommandDescription
IDUsed to determine the 64-bit PAN ID. If set to 0 (default), a random 64-bit PAN ID will be selected.
SCDetermines the scan channels bitmask (up to 16 channels) used by the coordinator when forming a network.
The coordinator will perform an energy scan on all enabled SC channels. It will then perform a PAN ID scan
SDSet the scan duration period. This value determines how long the coordinator performs an energy scan or
ZSSet the ZigBee stack profile for the network.
EEEnable or disable security in the network.
NKSet the network security key for the network. If set to 0 (default), a random network security key will be used.
KYSet the trust center link key for the network. If set to 0 (default), a random link key will be used.
EOSet the security policy for the network.
Configuration changes will delay the start of network formation for 5 seconds after the last change is made.
Once the coordinator starts a network, the network configuration settings and child table data persist through
power cycles as mentioned in the “Persistent Data” section.
When the coordinator has successfully started a network, it
• Allows other devices to join the network for a time (see NJ command)
• Sets AI=0
• Starts blinking the Associate LED
• Sends an API modem status frame (“coordinator started”) out the serial port when using API mode
XBee/XBee-PRO ZigBee RF Modules User Guide44
ZigBee Coordinator operation
These behaviors are configurable using the following commands:
CommandDescription
NJSets the permit-join time on the coordinator, measured in seconds.
D5Enables the Associate LED functionality.
LTSets the Associate LED blink time when joined. Default is 1 blink per second.
If any of the command values in the network formation commands table changes, the coordinator will leave its
current network and start a new network, possibly on a different channel. Note that command changes must be
applied (AC or CN command) before taking effect.
Permit joining
The permit joining attribute on the coordinator is configurable with the NJ command. NJ can be configured to
always allow joining, or to allow joining for a short time.
Joining always enabled
If NJ=0xFF (default), joining is permanently enabled. This mode should be used carefully. Once a network has
been deployed, the application should strongly consider disabling joining to prevent unwanted joins from
occurring.
Joining temporarily enabled
If NJ < 0xFF, joining will be enabled only for a number of seconds, based on the NJ parameter. The timer is started
once the XBee joins a network. Joining will not be re-enabled if the module is power cycled or reset. The
following mechanisms can restart the permit-joining timer:
• Changing NJ to a different value (and applying changes with the AC or CN commands)
• Pressing the commissioning button twice
• Issuing the CB command with a parameter of 2
The last two cases enable joining for one minute if NJ is 0x0 or 0xFF. Otherwise, the commissioning button and
the CB2 command enable joining for NJ seconds.
Resetting the Coordinator
When the coordinator is reset or power cycled, it checks its PAN ID, operating channel and stack profile against
the network configuration settings (ID, CH, ZS). It also verifies the saved security policy against the security
configuration settings (EE, NK, KY). If the coordinator's PAN ID, operating channel, stack profile, or security policy
is not valid based on its network and security configuration settings, then the coordinator will leave the network
and attempt to form a new network based on its network formation command values.
To prevent the coordinator from leaving an existing network, the WR command should be issued after all
network formation commands have been configured in order to retain these settings through power cycle or
reset events.
XBee/XBee-PRO ZigBee RF Modules User Guide45
ZigBee Coordinator operation
Leaving a network
There are a couple of mechanisms that will cause the coordinator to leave its current PAN and start a new
network based on its network formation parameter values. These include the following:
•Change the ID command such that the current 64-bit PAN ID is invalid
•Change the SC command such that the current channel (CH) is not included in the channel mask
•Change the ZS or any of the security command values (excluding NK)
•Issue the NR0 command to cause the coordinator to leave
•Issue the NR1 command to send a broadcast transmission, causing all devices in the network to leave and
migrate to a different channel
•Press the commissioning button 4 times or issue the CB command with a parameter of 4
•Issue a network leave command
Note that changes to ID, SC, ZS, and security command values only take effect when changes are applied (AC or
CN commands).
Replacing a Coordinator (security disabled only)
In rare occasions, it may become necessary to replace an existing coordinator in a network with a new physical
device. If security is not enabled in the network, a replacement XBee coordinator can be configured with the PAN
ID (16-bit and 64-bit), channel, and stack profile settings of a running network in order to replace an existing
coordinator.
Note Having two coordinators on the same channel, stack profile, and PAN ID (16-bit and 64-bit) can cause
problems in the network and should be avoided. When replacing a coordinator, the old coordinator
should be turned off before starting the new coordinator.
To replace a coordinator, the following commands should be read from a device on the network:
AT CommandDescription
OPRead the operating 64-bit PAN ID.
OIRead the operating 16-bit PAN ID.
CHRead the operating channel.
ZSRead the stack profile.
Each of the commands listed above can be read from any device on the network. (These parameters will be the
same on all devices in the network.) After reading these commands from a device on the network, these
parameter values should be programmed into the new coordinator using the following commands.
XBee/XBee-PRO ZigBee RF Modules User Guide46
ZigBee Router operation
AT CommandDescription
IDSet the 64-bit PAN ID to match the read OP value.
IISet the initial 16-bit PAN ID to match the read OI value.
SCSet the scan channels bitmask to enable the read operating channel (CH command). For example, if the
operating channel is 0x0B, set SC to 0x0001. If the operating channel is 0x17, set SC to 0x1000.
ZSSet the stack profile to match the read ZS value.
NoteII is the initial 16-bit PAN ID. Under certain conditions, the ZigBee stack can change the 16-bit PAN ID of
the network. For this reason, the II command cannot be saved using the WR command. Once II is set, the
coordinator leaves the network and starts on the 16-bit PAN ID specified by II.
Example: starting a Coordinator
1. Set CE (Coordinator Enable) to 1, and use the WR command to save the changes.
1. Set SC and ID to the desired scan channels and PAN ID values. (The defaults should suffice.)
2. If SC or ID is changed from the default, issue the WR command to save the changes.
3. If SC or ID is changed from the default, apply changes (make SC and ID changes take effect) either by sending
the AC command or by exiting AT command mode.
4. The Associate LED will start blinking once the coordinator has selected a channel and PAN ID.
5. The API Modem Status frame (“Coordinator Started”) is sent out the serial port when using API mode.
6. Reading the AI command (association status) will return a value of 0, indicating a successful startup.
7. Reading the MY command (16-bit address) will return a value of 0, the ZigBee-defined 16-bit address of the
coordinator.
After startup, the coordinator will allow joining based on its NJ value.
Example: replacing a Coordinator (security disabled)
1. Read the OP, OI, CH, and ZS commands on the running coordinator.
2. Set the CE, ID, SC, and ZS parameters on the new coordinator, followed by WR command to save these
parameter values.
3. Turn off the running coordinator.
4. Set the II parameter on the new coordinator to match the read OI value on the old coordinator.
5. Wait for the new coordinator to start (AI=0).
ZigBee Router operation
Routers must discover and join a valid ZigBee network before they can participate in a ZigBee network. After a
router has joined a network, it can allow new devices to join the network. It can also route data packets and
communicate with other devices on the network.
XBee/XBee-PRO ZigBee RF Modules User Guide47
ZigBee Router operation
Discovering ZigBee networks
To discover nearby ZigBee networks, the router performs a PAN (or active) scan, just like the coordinator does
when it starts a network. During the PAN scan, the router sends a beacon request (broadcast) transmission on the
first channel in its scan channels list. All nearby coordinators and routers operating on that channel (that are
already part of a ZigBee network) respond to the beacon request by sending a beacon back to the router. The
beacon contains information about the PAN the nearby device is on, including the PAN identifier (PAN ID), and
whether or not joining is allowed. The router evaluates each beacon received on the channel to determine if a
valid PAN is found. A router considers a PAN to be valid if the PAN:
•Has a valid 64-bit PAN ID (PAN ID matches ID if ID > 0)
•Has the correct stack profile (ZS command)
•Is allowing joining
If a valid PAN is not found, the router performs the PAN scan on the next channel in its scan channels list and
continues scanning until a valid network is found, or until all channels have been scanned. If all channels have
been scanned and a valid PAN was not discovered, all channels will be scanned again.
The ZigBee Alliance requires that certified solutions not send beacon request messages too frequently. To meet
certification requirements, the XBee firmware attempts nine scans per minute for the first five minutes, and three
scans per minute thereafter. If a valid PAN is within range of a joining router, it should typically be discovered
within a few seconds.
Joining a network
Once the router discovers a valid network, it sends an association request to the device that sent a valid beacon
requesting a join on the ZigBee network. The device allowing the join then sends an association response frame
that either allows or denies the join.
When a router joins a network, it receives a 16-bit address from the device that allowed the join. The 16-bit
address is randomly selected by the device that allowed the join.
Authentication
In a network where security is enabled, the router must then go through an authentication process. SeeZigBee
Security on page 84 for a discussion on security and authentication.
After the router is joined (and authenticated, in a secure network), it can allow new devices to join the network.
Persistent data
Once a router has joined a network, it retains the following information through power cycle or reset events:
•PAN ID
•Operating channel
•Security policy and frame counter values
•Child table (end device children that are joined to the coordinator).
•Binding Table
•Group Table
The router will retain this information indefinitely until it leaves the network. When the router leaves a network,
the previous PAN ID, operating channel, and child table data are lost.
XBee/XBee-PRO ZigBee RF Modules User Guide48
ZigBee Router operation
ZB Router joining
When the router is powered on, if it is not already joined to a valid ZigBee network, it immediately attempts to
find and join a valid ZigBee network.
Note The DJ command can be set to 1 to disable joining. The DJ parameter cannot be written with WR, so a
power cycle always clears the DJ setting.
The following commands control the router joining process.
CommandDescription
IDSets the 64-bit PAN ID to join. Setting ID=0 allows the router to join any 64-bit PAN ID.
SCSet the scan channels bitmask that determines which channels a router will scan to find a valid network. SC on
the router should be set to match SC on the coordinator. For example, setting SC to 0x281 enables scanning on
channels 0x0B, 0x12, and 0x14, in that order.
SDSet the scan duration, or time that the router will listen for beacons on each channel.
ZSSet the stack profile on the device.
EEEnable or disable security in the network. This must be set to match the EE value (security policy) of the
coordinator.
KYSet the trust center link key. If set to 0 (default), the link key is expected to be obtained (unencrypted) during
joining.
Configuration changes will delay the start of joining for 5 seconds after the last change is made.
Once the router joins a network, the network configuration settings and child table data persist through power
cycles as mentioned in the “Persistent Data” section previously. If joining fails, the status of the last join attempt
can be read in the AI command register.
If any of the above command values change, when command register changes are applied (AC or CN commands),
the router will leave its current network and attempt to discover and join a new valid network.
When a ZB router has successfully joined a network, it:
•Allows other devices to join the network for a time
•Sets AI=0
•Starts blinking the Associate LED
•Sends an API modem status frame (“associated”) out the serial port when using API mode.
These behaviors are configurable using the following commands:
CommandDescription
NJSets the permit-join time on the router, or the time that it will allow new devices to join the
network, measured in seconds. If NJ=0xFF, permit joining will always be enabled.
D5Enables the Associate LED functionality.
LTSets the Associate LED blink time when joined. Default is 2 blinks per second (router).
XBee/XBee-PRO ZigBee RF Modules User Guide49
ZigBee Router operation
Permit joining
The permit joining attribute on the router is configurable with the NJ command. NJ can be configured to always
allow joining, or to allow joining for a short time.
Joining always enabled
If NJ=0xFF (default), joining is permanently enabled. This mode should be used carefully. Once a network has
been deployed, the application should strongly consider disabling joining to prevent unwanted joins from
occurring.
Joining temporarily enabled
If NJ < 0xFF, joining will be enabled only for a number of seconds, based on the NJ parameter. The timer is started
once the XBee joins a network. Joining will not be re-enabled if the module is power cycled or reset. The
following mechanisms can restart the permit-joining timer:
• Changing NJ to a different value (and applying changes with the AC or CN commands)
• Pressing the commissioning button twice
• Issuing the CB command with a parameter of 2 (software emulation of a 2 button press)
• Causing the router to leave and rejoin the network
The middle two cases enable joining for one minute if NJ is 0x0 or 0xFF. Otherwise, the commissioning button
and the CB2 command enable joining for NJ seconds.
Router network connectivity
Once a router joins a ZigBee network, it remains connected to the network on the same channel and PAN ID as
long as it is not forced to leave (see Leaving a network on page 46 for details). If the scan channels (SC), PAN ID
(ID) and security settings (EE, KY) do not change after a power cycle, the router will remain connected to the
network after a power cycle.
If a router may physically move out of range of the network it initially joined, the application should include
provisions to detect if the router can still communicate with the original network. If communication with the
original network is lost, the application may choose to force the router to leave the network (see Leaving a
network on page 46 for details). The XBee firmware includes two provisions to automatically detect the presence
of a network, and leave if the check fails.
Power-On join verification
The JV command (join verification) enables the power-on join verification check. If enabled, the XBee will
attempt to discover the 64-bit address of the coordinator when it first joins a network. Once it has joined, it will
also attempt to discover the 64-bit address of the coordinator after a power cycle event. If 3 discovery attempts
fail, the router will leave the network and try to join a new network. Power-on join verification is disabled by
default (JV defaults to 0).
Network Watchdog
The NW command (network watchdog timeout) can be used for a powered router to periodically check for the
presence of a coordinator to verify network connectivity. The NW command specifies a timeout in minutes where
the router must receive communication from the coordinator or data collector. The following events restart the
network watchdog timer:
XBee/XBee-PRO ZigBee RF Modules User Guide50
ZigBee Router operation
•RF data received from the coordinator
•RF data sent to the coordinator and an acknowledgment was received
•Many-to-one route request was received (from any device)
•Changing the value of NW
If the watchdog timer expires (no valid data received for NW time), the router will attempt to discover the 64-bit
address of the coordinator. If the address cannot be discovered, the router records one watchdog timeout. Once
three consecutive network watchdog timeouts have expired (3 * NW) and the coordinator has not responded to
the address discovery attempts, the router will leave the network and attempt to join a new network. Anytime a
router receives valid data from the coordinator or data collector, it will clear the watchdog timeouts counter and
restart the watchdog timer. The watchdog timer (NW command) is settable to several days. The network
watchdog feature is disabled by default (NW defaults to 0).
Leaving a network
There are a couple of mechanisms that will cause the router to leave its current PAN and attempt to discover and
join a new network based on its network joining parameter values.
These include the following:
• Change the ID command such that the current 64-bit PAN ID is invalid
• Change the SC command such that the current channel (CH) is not included in the channel mask
• Change the ZS or any of the security command values
XBee/XBee-PRO ZigBee RF Modules User Guide51
ZigBee Router operation
• Issue the NR0 command to cause the router to leave.
• Issue the NR1 command to send a broadcast transmission, causing all devices in the network to leave and
migrate to a different channel
• Press the commissioning button 4 times or issue the CB command with a parameter of 4
• Issue a network leave command
Note that changes to ID, SC, ZS, and security command values only take effect when changes are applied (AC or
CN commands).
Network Locator option
The Device Options Network Locator option is provided to support the swapping or replacement of a Coordinator
in a running network. The Network Locator option, if enabled (ATDO80), modifies the behavior of the JV and NW
options. Failure to communicate with the Coordinator does not result in the radio leaving the network, but
instead the radio starts a search for the network across the channels of the Search Channel mask (SC). If the
network is found on the old channel with the same OI (operating ID) the search mode ends and if NW is enabled,
NW is rescheduled. If the network is found with a new OI but satisfies the radio's search for a matching ID and ZS,
the radio leaves the old network and joins the new network with the new OI.
Resetting the Router
When the router is reset or power cycled, it checks its PAN ID, operating channel and stack profile against the
network configuration settings (ID, SC, ZS). It also verifies the saved security policy is valid based on the security
configuration commands (EE, KY). If the router's PAN ID, operating channel, stack profile, or security policy is
invalid, the router will leave the network and attempt to join a new network based on its network joining
command values.
To prevent the router from leaving an existing network, the WR command should be issued after all network
joining commands have been configured in order to retain these settings through power cycle or reset events.
Example: joining a network
After starting a coordinator (that is allowing joins), the following steps will cause a router to join the network:
1. Set ID to the desired 64-bit PAN ID, or to 0 to join any PAN.
2. Set SC to the list of channels to scan to find a valid network.
3. If SC or ID is changed from the default, apply changes (make SC and ID changes take effect) by issuing the AC
or CN command.
4. The Associate LED will start blinking once the router has joined a PAN.
5. If the Associate LED is not blinking, the AI command can be read to determine the cause of join failure.
6. Once the router has joined, the OP and CH commands will indicate the operating 64-bit PAN ID and channel
the router joined.
7. The MY command will reflect the 16-bit address the router received when it joined.
8. The API Modem Status frame (“Associated”) is sent out the serial port when using API mode.
9. The joined router will allow other devices to join for a time based on its NJ setting.
XBee/XBee-PRO ZigBee RF Modules User Guide52
End Device operation
End Device operation
Similar to routers, end devices must also discover and join a valid ZigBee network before they can participate in a
network. After an end device has joined a network, it can communicate with other devices on the network. Since
end devices are intended to be battery powered and therefore support low power (sleep) modes, end devices
cannot allow other devices to join, nor can they route data packets.
Discovering ZigBee networks
End devices go through the same process as routers to discover networks by issuing a PAN scan. After sending the
broadcast beacon request transmission, the end device listens for a short time in order to receive beacons sent
by nearby routers and coordinators on the same channel. The end device evaluates each beacon received on the
channel to determine if a valid PAN is found. An end device considers a PAN to be valid if the PAN:
•Has a valid 64-bit PAN ID (PAN ID matches ID if ID > 0)
•Has the correct stack profile (ZS command)
•Is allowing joining
•Has capacity for additional end devices (see End Device capacity on page 54).
If a valid PAN is not found, the end device performs the PAN scan on the next channel in its scan channels list and
continues this process until a valid network is found, or until all channels have been scanned. If all channels have
been scanned and a valid PAN was not discovered, the end device may enter a low power sleep state and scan
again later.
If scanning all SC channels fails to discover a valid PAN, XBee ZB modules will attempt to enter a low power state
and will retry scanning all SC channels after the module wakes from sleeping. If the module cannot enter a low
power state, it will retry scanning all channels, similar to the router. To meet ZigBee Alliance requirements, the
end device will attempt up to nine scans per minute for the first five minutes, and three scans per minute
thereafter.
Note The XBee ZB end device will not enter sleep until it has completed scanning all SC channels for a valid
network.
Joining a network
Once the end device discovers a valid network, it joins the network, similar to a router, by sending an association
request (to the device that sent a valid beacon) to request a join on the ZigBee network. The device allowing the
join then sends an association response frame that either allows or denies the join.
When an end device joins a network, it receives a 16-bit address from the device that allowed the join. The 16-bit
address is randomly selected by the device that allowed the join.
Parent child relationship
Since an end device may enter low power sleep modes and not be immediately responsive, the end device relies
on the device that allowed the join to receive and buffer incoming messages in its behalf until it is able to wake
and receive those messages. The device that allowed an end device to join becomes the parent of the end device,
and the end device becomes a child of the device that allowed the join.
XBee/XBee-PRO ZigBee RF Modules User Guide53
End Device operation
End Device capacity
Routers and coordinators maintain a table of all child devices that have joined called the child table. This table is
a finite size and determines how many end devices can join. If a router or coordinator has at least one unused
entry in its child table, the device is said to have end device capacity. In other words, it can allow one or more
additional end devices to join. ZigBee networks should have sufficient routers to ensure adequate end device
capacity.
The initial release of software on this platform supports up to 20 end devices when configured as a coordinator or
a router.
In ZB firmware, the NC command (number of remaining end device children) can be used to determine how many
additional end devices can join a router or coordinator. If NC returns 0, then the router or coordinator device has
no more end device capacity (Its child table is full).
Also of note, since routers cannot sleep, there is no equivalent need for routers or coordinators to track joined
routers. Therefore, there is no limit to the number of routers that can join a given router or coordinator device.
There is no “router capacity” metric.
Authentication
In a network where security is enabled, the end device must then go through an authentication process; see
ZigBee Security on page 84.
Persistent data
The end device can retain its PAN ID, operating channel, and security policy information through a power cycle.
However, since end devices rely heavily on a parent, the end device does an orphan scan to try and contact its
parent. If the end device does not receive an orphan scan response (called a coordinator realignment command),
it will leave the network and try to discover and join a new network. When the end device leaves a network, the
previous PAN ID and operating channel settings are lost.
Orphan scans
When an end device comes up from a power cycle, it performs an orphan scan to verify it still has a valid parent.
The orphan scan is sent as a broadcast transmission and contains the 64-bit address of the end device. Nearby
routers and coordinator devices that receive the broadcast check their child tables for an entry that contains the
end device's 64-bit address. If an entry is found with a matching 64-bit address, the device sends a coordinator
realignment command to the end device that includes the end device's 16-bit address, 16-bit PAN ID, operating
channel, and the parent's 64-bit and 16-bit addresses.
If the orphaned end device receives a coordinator realignment command, it is considered joined to the network.
Otherwise, it will attempt to discover and join a valid network.
ZigBee End Device joining
When an end device is powered on, if it is not joined to a valid ZigBee network, or if the orphan scan fails to find a
parent, it immediately attempts to find and join a valid ZigBee network.
Note The DJ command can be set to 1 to disable joining. The DJ parameter cannot be written with WR, so a
power cycle always clears the DJ setting.
Similar to a router, the following commands control the end device joining process.
XBee/XBee-PRO ZigBee RF Modules User Guide54
End Device operation
CommandDescription
IDSets the 64-bit PAN ID to join. Setting ID=0 allows the router to join any 64-bit PAN ID.
SCSet the scan channels bitmask that determines which channels an end device will scan to find a valid network.
SC on the end device should be set to match SC on the coordinator and routers in the desired network. For
example, setting SC to 0x281 enables scanning on channels 0x0B, 0x12, and 0x14, in that order.
SDSet the scan duration, or time that the end device will listen for beacons on each channel.
ZSSet the stack profile on the device.
EEEnable or disable security in the network. This must be set to match the EE value (security policy) of the
coordinator.
KYSet the trust center link key. If set to 0 (default), the link key is expected to be obtained (unencrypted) during
joining.
Once the end device joins a network, the network configuration settings can persist through power cycles as
mentioned in Persistent data on page 44. If joining fails, the status of the last join attempt can be read in the AI
command register.
If any of these command values changes, when command register changes are applied, the end device will leave
its current network and attempt to discover and join a new valid network.
When a ZB end device has successfully started a network, it
• Sets AI=0
• Starts blinking the Associate LED
• Sends an API modem status frame (“associated”) out the serial port when using API mode
• Attempts to enter low power modes
These behaviors are configurable using the following commands:
CommandDescription
D5Enables the Associate LED functionality.
LTSets the Associate LED blink time when joined. Default is 2 blinks per second (end devices).
SM, SP, ST, SN, SOParameters that configure the sleep mode characteristics. See Managing End Devices on page 107 for
details.
Parent Connectivity
The XBee ZB end device sends regular poll transmissions to its parent when it is awake. These poll transmissions
query the parent for any new received data packets. The parent always sends a MAC layer acknowledgment back
to the end device. The acknowledgment indicates whether the parent has data for the end device or not.
If the end device does not receive an acknowledgment for 3 consecutive poll requests, it considers itself
disconnected from its parent and will attempt to discover and join a valid ZigBee network. See Managing End
Devices on page 107 for details.
XBee/XBee-PRO ZigBee RF Modules User Guide55
End Device operation
Resetting the End Device
When the end device is reset or power cycled, if the orphan scan successfully locates a parent, the end device
then checks its PAN ID, operating channel and stack profile against the network configuration settings (ID, SC,
ZS). It also verifies the saved security policy is valid based on the security configuration commands (EE, KY). If the
end device's PAN ID, operating channel, stack profile, or security policy is invalid, the end device will leave the
network and attempt to join a new network based on its network joining command values.
To prevent the end device from leaving an existing network, the WR command should be issued after all network
joining commands have been configured in order to retain these settings through power cycle or reset events.
Leaving a network
There are a couple of mechanisms that will cause the router to leave its current PAN and attempt to discover and
join a new network based on its network joining parameter values. These include the following:
• The ID command changes such that the current 64-bit PAN ID is invalid
• The SC command changes such that the current operating channel (CH) is not included in the channel mask
• The ZS or any of the security command values change
• The NR0 command is issued to cause the end device to leave
• The NR1 command is issued to send a broadcast transmission, causing all devices in the network to leave and
migrate to a different channel
• The commissioning button is pressed 4 times or the CB command is issued with a parameter of 4
• The end device's parent is powered down or the end device is moved out of range of the parent such that the
end device fails to receive poll acknowledgment messages
Note that changes to command values only take effect when changes are applied (AC or CN commands).
Example: joining a network
After starting a coordinator (that is allowing joins), the following steps will cause an XBee end device to join the
network:
1. Set ID to the desired 64-bit PAN ID, or to 0 to join any PAN.
2. Set SC to the list of channels to scan to find a valid network.
3. If SC or ID is changed from the default, apply changes (make SC and ID changes take effect) by issuing the AC
or CN command.
4. The Associate LED will start blinking once the end device has joined a PAN.
5. If the Associate LED is not blinking, the AI command can be read to determine the cause of join failure.
6. Once the end device has joined, the OP and CH commands will indicate the operating 64-bit PAN ID and
channel the end device joined.
7. The MY command will reflect the 16-bit address the router received when it joined.
8. The API Modem Status frame (“Associated”) is sent out the serial port when using API mode.
9. The joined end device will attempt to enter low power sleep modes based on its sleep configuration
commands (SM, SP, SN, ST, SO).
XBee/XBee-PRO ZigBee RF Modules User Guide56
ZigBee channel scanning
ZigBee channel scanning
As mentioned previously, routers and end devices must scan one or more channels to discover a valid network to
join. When a join attempt begins, the XBee sends a beacon request transmission on the lowest channel specified
in the SC (scan channels) command bitmask. If a valid PAN is found on the channel, the XBee will attempt to join
the PAN on that channel. Otherwise, if a valid PAN is not found on the channel, it will attempt scanning on the
next higher channel in the SC command bitmask. The XBee will continue to scan each channel (from lowest to
highest) in the SC bitmask until a valid PAN is found or all channels have been scanned. Once all channels have
been scanned, the next join attempt will start scanning on the lowest channel specified in the SC command
bitmask.
For example, if the SC command is set to 0x400F, the XBee would start scanning on channel 11 (0x0B) and scan
until a valid beacon is found, or until channels 11, 12, 13, 14, and 25 have been scanned (in that order).
Once an XBee router or end device joins a network on a given channel, if the XBee is told to leave (see Leaving a
network on page 46), it will leave the channel it joined on and continue scanning on the next higher channel in
the SC bitmask.
For example, if the SC command is set to 0x400F, and the XBee joins a PAN on channel 12 (0x0C), if the XBee
leaves the channel, it will start scanning on channel 13, followed by channels 14 and 25 if a valid network is not
found. Once all channels have been scanned, the next join attempt will start scanning on the lowest channel
specified in the SC command bitmask.
Managing multiple ZigBee networks
In some applications, multiple ZigBee networks may exist in proximity of each other. The application may need
provisions to ensure the XBee joins the desired network. There are a number of features in ZigBee to manage
joining among multiple networks. These include the following:
•PAN ID Filtering
•Preconfigured Security Keys
•Permit Joining
•Application Messaging
PAN ID filtering
The XBee can be configured with a fixed PAN ID by setting the ID command to a non-zero value. If the PAN ID is set
to a non-zero value, the XBee will only join a network with the same PAN ID.
Pre-configured security keys
Similar to PAN ID filtering, this method requires a known security key be installed on a router to ensure it will join
a ZigBee network with the same security key. If the security key (KY command) is set to a non-zero value, and if
security is enabled (EE command), an XBee router or end device will only join a network with the same security
key.
Permit joining
The Permit Joining parameter can be disabled in a network to prevent unwanted devices from joining. When a
new device must be added to a network, permit-joining can be enabled for a short time on the desired network.
In the XBee firmware, joining is disabled by setting the NJ command to a value less than 0xFF on all routers and
coordinator devices. Joining can be enabled for a short time using the commissioning push-button (see Network
commissioning and diagnostics on page 91 for details) or the CB command.
XBee/XBee-PRO ZigBee RF Modules User Guide57
ZigBee channel scanning
Application messaging
If the above mechanisms are not feasible, the application could build in a messaging framework between the
coordinator and devices that join its network. For example, the application code in joining devices could send a
transmission to the coordinator after joining a network, and wait to receive a defined reply message. If the
application does not receive the expected response message after joining, the application could force the XBee
to leave and continue scanning (see the NR parameter).
XBee/XBee-PRO ZigBee RF Modules User Guide58
Transmission, addressing, and routing
Addressing
All ZigBee devices have two different addresses, a 64-bit and a 16-bit address. The characteristics of each are
described below.
64-bit device addresses
The 64-bit address is a device address which is unique to each physical device. It is sometimes also called the MAC
address or extended address. It is assigned during the manufacturing process. The first three bytes of the 64-bit
address is a Organizationally Unique Identifier (OUI) assigned to the manufacturer by the IEEE. The OUI of XBee
devices is 0x0013A2.
16-bit device addresses
A device receives a 16-bit address when it joins a ZigBee network. For this reason, the 16-bit address is also called the
network address. The 16-bit address of 0x0000 is reserved for the coordinator. All other devices receive a randomly
generated address from the router or coordinator device that allows the join. The 16-bit address can change under
certain conditions:
• An address conflict is detected where two devices are found to have the same 16-bit address
• A device leaves the network and later joins (it can receive a different address)
All ZigBee transmissions are sent using the source and destination 16-bit addresses. The routing tables on ZigBee
devices also use 16-bit addresses to determine how to route data packets through the network. However, since the
16-bit address is not static, it is not a reliable way to identify a device.
To solve this problem, the 64-bit destination address is often included in data transmissions to guarantee data is
delivered to the correct destination. The ZigBee stack can discover the 16-bit address, if unknown, before
transmitting data to a remote.
Application layer addressing
ZigBee devices can support multiple application profiles, cluster IDs, and endpoints (see ZigBee application layers: in
depth on page 41). Application layer addressing allows data transmissions to be addressed to specific profile IDs,
cluster IDs, and endpoints. Application layer addressing is useful if an application must
• Interoperate with other ZigBee devices outside of the Digi application profile
XBee/XBee-PRO ZigBee RF Modules User Guide59
Data transmission
C
R
R
E
R
E
R
E
E
R
E
R
Legend
C=Coordinator
R=R outer
E=En d D evice
E
• use service and network management capabilities of the ZDO
• Operate on a public application profile such as Home Controls or Smart Energy
API mode provides a simple yet powerful interface that can easily send data to any profile ID, endpoint, and
cluster ID combination on any device in a ZigBee network.
Data transmission
ZigBee data packets can be sent as either unicast or broadcast transmissions. Unicast transmissions route data
from one source device to one destination device, whereas broadcast transmissions are sent to many or all
devices in the network.
Broadcast transmissions
Broadcast transmissions within the ZigBee protocol are intended to be propagated throughout the entire
network such that all nodes receive the transmission. To accomplish this, the coordinator and all routers that
receive a broadcast transmission will retransmit the packet three times.
NoteWhen a router or coordinator delivers a broadcast transmission to an end device child, the transmission
is only sent once (immediately after the end device wakes and polls the parent for any new data). See
Parent operation on page 108 for details.
Broadcast data transmission
XBee/XBee-PRO ZigBee RF Modules User Guide60
Each node that transmits the broadcast will also create an entry in a local broadcast transmission table. This
entry is used to keep track of each received broadcast packet to ensure the packets are not endlessly
transmitted. Each entry persists for 8 seconds. The broadcast transmission table holds 8 entries.
Data transmission
For each broadcast transmission, the ZigBee stack must reserve buffer space for a copy of the data packet. This
copy is used to retransmit the packet as needed. Large broadcast packets will require more buffer space. This
information on buffer space is provided for general knowledge; the user does not and cannot change any buffer
spacing. Buffer spacing is handled automatically by the XBee module.
Since broadcast transmissions are retransmitted by each device in the network, broadcast messages should be
used sparingly.
Unicast transmissions
Unicast transmissions are sent from one source device to another destination device. The destination device
could be an immediate neighbor of the source, or it could be several hops away. Unicast transmissions that are
sent along a multiple hop path require some means of establishing a route to the destination device. See RF
packet routing on page 66 for details.
Address resolution
As mentioned previously, each device in a ZigBee network has both a 16-bit (network) address and a 64-bit
(extended) address. The 64-bit address is unique and assigned to the device during manufacturing, and the 16-bit
address is obtained after joining a network. The 16-bit address can also change under certain conditions.
When sending a unicast transmission, the ZigBee network layer uses the 16-bit address of the destination and
each hop to route the data packet. If the 16-bit address of the destination is not known, the ZigBee stack includes
a discovery provision to automatically discover the destination device's 16-bit address before routing the data.
To discover a 16-bit address of a remote, the device initiating the discovery sends a broadcast address discovery
transmission. The address discovery broadcast includes the 64-bit address of the remote device whose 16-bit
address is being requested. All nodes that receive this transmission check the 64-bit address in the payload and
compare it to their own 64-bit address. If the addresses match, the device sends a response packet back to the
initiator. This response includes the remote's 16-bit address. When the discovery response is received, the
initiator will then transmit the data.
Frames may be addressed using either the extended or the network address. If the extended address form is
used, then the network address field should be set to 0xFFFE (unknown). If the network address form is used,
then the extended address field should be set to 0xFFFFFFFFFFFFFFFF (unknown).
If an invalid 16-bit address is used as a destination address, and the 64-bit address is unknown
(0xFFFFFFFFFFFFFFFF), the modem status message will show a delivery status code of 0x21 (network ack failure)
and a discovery status of 0x00 (no discovery overhead). If a non-existent 64-bit address is used as a destination
address, and the 16-bit address is unknown (0xFFFE), address discovery will be attempted and the modem status
message will show a delivery status code of 0x24 (address not found) and a discovery status code of 0x01
(address discovery was attempted).
XBee/XBee-PRO ZigBee RF Modules User Guide61
Data transmission
Address table
Each ZigBee device maintains an address table that maps a 64-bit address to a 16-bit address. When a
transmission is addressed to a 64-bit address, the ZigBee stack searches the address table for an entry with a
matching 64-bit address, in hopes of determining the destination's 16-bit address. If a known 16-bit address is
not found, the ZigBee stack will perform address discovery to discover the device's current 16-bit address.
64-bit Address16-bit Address
0013 A200 4000 00010x4414
0013 A200 400A 35680x1234
0013 A200 4004 11220xC200
0013 A200 4002 11230xFFFE (unknown)
The XBee modules can store up to 10 address table entries. For applications where a single device (e.g.
coordinator) may send unicast transmissions to more than 10 devices, the application should implement an
address table to store the 16-bit and 64-bit addresses for each remote device. Any XBee that will send data to
more than 10 remotes should also use API mode. The application can then send both the 16-bit and 64-bit
addresses to the XBee in the API transmit frames which will significantly reduce the number of 16-bit address
discoveries and greatly improve data throughput.
If an application will support an address table, the size should ideally be larger than the maximum number of
destination addresses the device will communicate with. Each entry in the address table should contain a 64-bit
destination address and its last known 16-bit address.
When sending a transmission to a destination 64-bit address, the application should search the address table for
a matching 64-bit address. If a match is found, the 16-bit address should be populated into the 16-bit address
field of the API frame. If a match is not found, the 16-bit address should be set to 0xFFFE (unknown) in the API
transmit frame.
The API provides indication of a remote device's 16-bit address in the following frames:
• All receive data frames
• Rx Data (0x90)
• Rx Explicit Data (0x91)
• I/O Sample Data (0x92)
• Node Identification Indicator (0x95)
• Route Record Indicator (0xA1) etc.
• Transmit status frame (0x8B)
Group table
Each router and the coordinator maintain a persistent group table. Each entry contains an endpoint value, a two
byte group ID, and an optional name string of zero to 16 ASCII characters, and an index into the binding table.
More than one endpoint may be associated with a group ID, and more than one group ID may be associated with
a given endpoint. The capacity of the group table is 16 entries.
The application should always update the 16-bit address in the address table when one of these frames is
received to ensure the table has the most recently known 16-bit address. If a transmission failure occurs, the
application should set the 16-bit address in the table to 0xFFFE (unknown).
XBee/XBee-PRO ZigBee RF Modules User Guide62
Data transmission
Binding transmissions
Binding transmissions use indirect addressing to send one or more messages to other destination devices. An
Explicit Addressing ZigBee Command Frame (0x11) using the Indirect Tx Option (0x04) is treated as a binding
transmission request.
Address resolution
The source endpoint and cluster ID values of a binding transmission are used as keys to lookup matching binding
table entries. For each matching binding table entry, the type field of the entry indicates whether a unicast or a
multicast message should be sent.
In the case of a unicast entry, the transmission request is updated with the Destination Endpoint and MAC
Address, and unicast to its destination. In the case of a multicast entry, the message is updated using the two
least significant bytes of the Destination MAC Address as the groupID, and multicast to its destination(s).
Binding table
Each router and the coordinator maintain a persistent binding table to map source endpoint and cluster ID
values into 64 bit destination address and endpoint values. The capacity of the binding table is 16 entries.
Multicast transmissions
Multicast transmissions are used to broadcast a message to destination devices which have active endpoints
associated with a common group ID. An explicit transmit request frame (0x11) using the Multicast Tx Option
(0x08) is treated as a multicast transmission request.
Address resolution
The 64 bit destination address value does not matter and it is recommended it be set to 0xFFFFFFFFFFFFFFFF.
The 16 bit destination address value should be set to the destination groupID.
Fragmentation
Each unicast transmission may support up to 84 bytes of RF payload. (Enabling security or using source routing
can reduce this number. See the NP command for details.) However, the XBee ZB firmware supports a ZigBee
feature called fragmentation that allows a single large data packet to be broken up into multiple RF
transmissions and reassembled by the receiver before sending data out its serial port. This is shown in the image
below.
XBee/XBee-PRO ZigBee RF Modules User Guide63
Data transmission
The transmit frame can include up to 255 bytes of data, which will be broken up into multiple transmissions and
reassembled on the receiving side. If one or more of the fragmented messages are not received by the receiving
device, the receiver will drop the entire message, and the sender will indicate a transmission failure in the Tx
Status API frame.
Applications that do not wish to use fragmentation should avoid sending more than the maximum number of
bytes in a single RF transmission. See Maximum RF payload size on page 75 for details.
If RTS flow control is enabled on the receiving module (using the D6 command) and a fragmented message is
received, then RTS flow control will be ignored.
NoteBroadcast transmissions do not support fragmentation. Maximum payload size = up to 84 bytes.
Data transmission examples
AT firmware
To send a data packet in transparent mode, the DH and DL commands must be set to match the 64-bit address of
the destination device. DH must match the upper 4-bytes, and DL must match the lower 4 bytes. Since the
coordinator always receives a 16-bit address of 0x0000, a 64-bit address of 0x0000000000000000 is defined as the
coordinator's address (in ZB firmware). The default values of DH and DL are 0x00, which sends data to the
coordinator.
Example 1: send a transmission to the coordinator.
(In this example, a '\r' refers to a carriage return character.)
A router or end device can send data in two ways. First, set the destination address (DH and DL commands) to
0x00.
1. Enter command mode ('+++')
2. After receiving an OK\r, issue the following commands:
3. ATDH0\r
a. ATDL0\r
b. ATCN\r
4. Verify that each of the 3 commands returned an OK\r response.
5. After setting these command values, all serial characters will be sent as a unicast transmission to the
coordinator.
Alternatively, if the coordinator's 64-bit address is known, DH and DL can be set to the coordinator's 64-bit
address. Suppose the coordinator's address is 0x0013A200404A2244.
1. Enter command mode ('+++')
2. After receiving an OK\r, issue the following commands:
3. ATDH13A200\r
a. ATDL404A2244\
b. ATCN\r
4. Verify that each of the three commands returned an OK\r response.
XBee/XBee-PRO ZigBee RF Modules User Guide64
Data transmission
5. After setting these command values, all serial characters will be sent as a unicast transmission to the
coordinator.
API firmware
Use the transmit request, or explicit transmit request frame (0x10 and 0x11 respectively) to send data to the
coordinator. The 64-bit address can either be set to 0x0000000000000000, or to the 64-bit address of the
coordinator. The 16-bit address should be set to 0xFFFE when using the 64-bit address of all 0x00s.
To send an ASCII “1” to the coordinator's 0x00 address, the following API frame can be used:
If the explicit transmit frame is used, the cluster ID should be set to 0x0011, the profile ID to 0xC105, and the
source and destination endpoints to 0xE8 (recommended defaults for data transmissions in the Digi profile.) The
same transmission could be sent using the following explicit transmit frame:
Notice the 16-bit address is set to 0xFFFE. This is required when sending to a 64-bit address of 0x00s.
Now suppose the coordinator's 64-bit address is 0x0013A200404A2244. The following transmit request API frame
(0x10) will send an ASCII “1” to the coordinator:
Notice the destination 16-bit address is set to 0xFFFE for broadcast transmissions.
Example 3: send an indirect (binding) transmission.
This example will use the explicit transmit request frame (0x11) to send a transmission using indirect addressing
through the binding table. It assumes the binding table has already been set up to map a source endpoint of 0xE7
and cluster ID of 0x0011 to a destination endpoint and 64 bit destination address. The message data is a
XBee/XBee-PRO ZigBee RF Modules User Guide65
RF packet routing
manufacturing specific profile message using profile ID 0xC105, command ID 0x00, a ZCL Header of 151E10,
transaction number EE, and a ZCL payload of 000102030405.
NoteThe 64 bit destination address has been set to all 0xFF values, and the destination endpoint set to 0xFF.
The Tx Option 0x04 indicates indirect addressing is to be used. The 64 bit destination address and
destination endpoint will be filled in by looking up data associated with binding table entries which
match Example 5: Send a multicast (group ID) broadcast.
Example 4: send a multicast (group ID) broadcast.
This example will use the explicit transmit request frame (0x11) to send a transmission using multicasting. It
assumes the destination devices already have their group tables set up to associate an active endpoint with the
group ID (0x1234) of the multicast transmission. The message data is a manufacturing specific profile message
using profile ID 0xC105command ID 0x00, a ZCL Header of 151E10, transaction number EE, and a ZCL payload of
000102030405.
7E 001E 11 01 FFFFFFFFFFFFFFFF 1234 E6 FE 0001 C105 00 08 151E10EE000102030405 BC
NoteThe 64 bit destination address has been set to all 0xFF values, and the destination endpoint set to 0xFE.
The Tx Option 0x08 indicates multicast (group) addressing is to be used.
RF packet routing
Unicast transmissions may require some type of routing. ZigBee includes several different ways to route data,
each with its own advantages and disadvantages. These are summarized in the table below.
Routing ApproachDescriptionWhen to Use
Ad hoc On-demand
Distance Vector (AODV)
Mesh Routing
Many-to-One RoutingA single broadcast transmission configures
Source RoutingData packets include the entire route the packet
NoteEnd devices do not make use of these routing protocols. Rather, an end device sends a unicast
Routing paths are created between source and
destination, possibly traversing multiple nodes
(“hops”). Each device knows who to send data
to next to eventually reach the destination
reverse routes on all devices into the device that
sends the broadcast
should traverse to get from source to
destination
transmission to its parent and allows the parent to route the data packet in its behalf.
Use in networks that will not scale beyond about
40 destination devices.
Useful when many remote devices must send
data to a single gateway or collector device.
Improves routing efficiency in large networks
(over 40 remote devices)
NoteA network cannot revert from Many-to-One routing to AODV routing without first doing a network reset
(NR).
XBee/XBee-PRO ZigBee RF Modules User Guide66
RF packet routing
Device A
Device B
Neighbor A:
Outgoing cost: very poor
Incoming cost: very good
Neighbor B:
Outgoing cost: very good
Incoming cost: very poor
Link status (A to B)
Link status (B to A)
+18 dBm TX power
+3 dBm TX power
Link status transmission
Before discussing the various routing protocols, it is worth understanding the primary mechanism in ZigBee for
establishing reliable bi-directional links. This mechanism is especially useful in networks that may have a mixture
of devices with varying output power and/or receiver sensitivity levels.
Each coordinator or router device periodically sends a link status message. This message is sent as a 1-hop
broadcast transmission, received only by one-hop neighbors. The link status message contains a list of
neighboring devices and incoming and outgoing link qualities for each neighbor. Using these messages,
neighboring devices can determine the quality of a bi-directional link with each neighbor and use that
information to select a route that works well in both directions.
For example, consider a network of two neighboring devices that send periodic link status messages. Suppose
that the output power of device A is +18dBm, and the output power of device B is +3dBm (considerably less than
the output power of device A). The link status messages might indicate the following:
This mechanism enables devices A and B to recognize that the link is not reliable in both directions and select a
different neighbor when establishing routes. (Such links are called asymmetric links, meaning the link quality is
not similar in both directions.)
When a router or coordinator device powers on, it sends link status messages every couple seconds to attempt to
discover link qualities with its neighbors quickly. After being powered on for some time, the link status messages
are sent at a much slower rate (about every 3-4 times per minute).
AODV Mesh routing
ZigBee employs mesh routing to establish a route between the source device and the destination. Mesh routing
allows data packets to traverse multiple nodes (hops) in a network to route data from a source to a destination.
Routers and coordinators can participate in establishing routes between source and destination devices using a
process called route discovery. The Route discovery process is based on the Ad-hoc On-demand Distance Vector
routing (AODV) protocol.
Sample transmission through a Mesh network:
XBee/XBee-PRO ZigBee RF Modules User Guide67
AODV routing algorithm
RF packet routing
Routing under the AODV protocol is accomplished using tables in each node that store the next hop
(intermediary node between source and destination nodes) for a destination node. If a next hop is not known,
route discovery must take place in order to find a path. Since only a limited number of routes can be stored on a
Router, route discovery will take place more often on a large network with communication between many
different nodes.
NodeDestination AddressNext Hop Address
R3Router 6Coordinator
CRouter 6Router 5
R5Router 6Router 6
When a source node must discover a route to a destination node, it sends a broadcast route request command.
The route request command contains the source network address, the destination network address and a path
cost field (a metric for measuring route quality). As the route request command is propagated through the
network (refer to the Broadcast Transmission), each node that re-broadcasts the message updates the path cost
field and creates a temporary entry in its route discovery table.
Sample route request (broadcast) transmission where R3 is trying to discover a route to R6:
When the destination node receives a route request, it compares the ‘path cost’ field against previously received
route request commands. If the path cost stored in the route request is better than any previously received, the
XBee/XBee-PRO ZigBee RF Modules User Guide68
RF packet routing
destination node will transmit a route reply packet to the node that originated the route request. Intermediate
nodes receive and forward the route reply packet to the source node (the node that originated route request).
Sample route reply (unicast) where R6 sends a route reply to R3:
NoteR6 could send multiple replies if it identifies a better route.
Retries and acknowledgments
ZigBee includes acknowledgment packets at both the Mac and Application Support (APS) layers. When data is
transmitted to a remote device, it may traverse multiple hops to reach the destination. As data is transmitted
from one node to its neighbor, an acknowledgment packet (Ack) is transmitted in the opposite direction to
indicate that the transmission was successfully received. If the Ack is not received, the transmitting device will
retransmit the data, up to 4 times. This Ack is called the Mac layer acknowledgment.
In addition, the device that originated the transmission expects to receive an acknowledgment packet (Ack) from
the destination device. This Ack will traverse the same path that the data traversed, but in the opposite direction.
If the originator fails to receive this Ack, it will retransmit the data, up to 2 times until an Ack is received. This Ack
is called the ZigBee APS layer acknowledgment.
NoteRefer to the ZigBee specification for more details.
Many-to-One routing
In networks where many devices must send data to a central collector or gateway device, AODV mesh routing
requires significant overhead. If every device in the network had to discover a route before it could send data to
the data collector, the network could easily become inundated with broadcast route discovery messages.
Many-to-one routing is an optimization for these kinds of networks. Rather than require each device to do its own
route discovery, a single many-to-one broadcast transmission is sent from the data collector to establish reverse
routes on all devices. This is shown in the figure below. The left side shows the many broadcasts the devices can
send when they create their own routes and the route replies generated by the data collector. The right side
shows the benefits of many-to-one routing where a single broadcast creates reverse routes to the data collector
on all routers.
The many-to-one broadcast is a route request message with the target discovery address set to the address of the
data collector. Devices that receive this route request create a reverse many-to-one routing table entry to create
XBee/XBee-PRO ZigBee RF Modules User Guide69
RF packet routing
a path back to the data collector. The ZigBee stack on a device uses historical link quality information about each
neighbor to select a reliable neighbor for the reverse route.
When a device sends data to a data collector, and it finds a many-to-one route in its routing table, it will transmit
the data without performing a route discovery. The many-to-one route request should be sent periodically to
update and refresh the reverse routes in the network.
Applications that require multiple data collectors can also use many-to-one routing. If more than one data
collector device sends a many-to-one broadcast, devices will create one reverse routing table entry for each
collector.
In ZB firmware, the AR command is used to enable many-to-one broadcasting on a device. The AR command sets
a time interval (measured in 10 second units) for sending the many to one broadcast transmission. (See the
command table for details).
High/Low RAM Concentrator mode
When Many to One (MTO) requests are broadcast, DO40 (bit6) determines if the concentrator is operating in high
or low RAM mode. High RAM mode indicates the concentrator has enough memory to store source routes for the
whole network, and remote nodes may stop sending route records after the concentrator has successfully
received one. Low RAM mode indicates the concentrator lacks RAM to store route records, and that route records
should be sent to the concentrator to precede every inbound APS unicast message. By default the XBee uses low
RAM mode.
Source routing
In applications where a device must transmit data to many remotes, AODV routing would require performing one
route discovery for each destination device to establish a route. If there are more destination devices than there
are routing table entries, established AODV routes would be overwritten with new routes, causing route
discoveries to occur more regularly. This could result in larger packet delays and poor network performance.
ZigBee source routing helps solve these problems. In contrast to many-to-one routing that establishes routing
paths from many devices to one data collector, source routing allows the collector to store and specify routes for
many remotes.
To use source routing, a device must use the API mode, and it must send periodic many-to-one route request
broadcasts (AR command) to create a many-to-one route to it on all devices. When remote devices send RF data
using a many-to-one route, they first send a route record transmission. The route record transmission is unicast
along the many-to-one route until it reaches the data collector. As the route record traverses the many-to-one
route, it appends the 16-bit address of each device in the route into the RF payload. When the route record
reaches the data collector, it contains the address of the sender, and the 16-bit address of each hop in the route.
The data collector can store the routing information and retrieve it later to send a source routed packet to the
remote. This is shown in the images below.
XBee/XBee-PRO ZigBee RF Modules User Guide70
RF packet routing
The data collector sends a many-to-one route request
broadcast to create reverse routes on all devices.
A r emo te d evi ce s ends an R F da ta p ack et t o th e da ta c oll ect or.
This is prefaced by a route record transmission to the data
collector.
Route request broadcast
Route reply unicast
Data collector
Router
After obtaining a source route, the data collector sends a
source routed transmission to the remote device.
Acquiring source routes
Acquiring source routes requires the remote devices to send a unicast to a data collector (device that sends
many-to-one route request broadcasts). There are several ways to force remotes to send route record
transmissions.
1. If the application on remote devices periodically sends data to the data collector, each transmission will force
a route record to occur.
XBee/XBee-PRO ZigBee RF Modules User Guide71
RF packet routing
Coordinator
R1
R2
R3
R4
R5
2. The data collector can issue a network discovery command (ND command) to force all XBee devices to send a
network discovery response. Each network discovery response will be prefaced by a route record.
3. Periodic IO sampling can be enabled on remotes to force them to send data at a regular rate. Each IO sample
would be prefaced by a route record. See Analog and digital I/O lines on page 123 for details.
4. If the NI string of the remote device is known, the DN command can be issued with the NI string of the remote
in the payload. The remote device with a matching NI string would send a route record and a DN response.
Storing source routes
When a data collector receives a route record, it sends it out the serial port as a Route Record Indicator API frame
(0xA1). To use source routing, the application should receive these frames and store the source route
information.
Sending a source routed transmission
To send a source routed transmission, the application must send a Create Source Route API frame (0x21) to the
XBee to create a source route in its internal source route table. After sending the Create Source Route API frame,
the application can send data transmission or remote command request frames as needed to the same
destination, or any destination in the source route. Once data must be sent to a new destination (a destination
not included in the last source route), the application must first send a new Create Source Route API frame.
NoteIf a Create Source Route API frame does not precede data frames, data loss may be encountered.
The XBee can buffer one source route that includes up to 11 hops (excluding source and destination). For
example, suppose a network exists with a coordinator and 5 routers (R1, R2, R3, R4, R5) with known source routes
as shown below.
To send a source-routed packet to R3, the application must send a Create Source Route API frame (0x21) to the
XBee, with a destination of R3, and 2 hops (R1 and R2). If the 64- bit address of R3 is 0x0013A200 404a1234 and the
16-bit addresses of R1, R2, and R3 are:
0x0013A200 404A1234 - 64-bit address of R3 (destination)
0xEEFF - 16-bit address of R3 (destination)
0x00 - Route options (set to 0)
RF packet routing
0x02 - Number of intermediate devices in the source route
0xCCDD - Address of furthest device (1-hop from target)
0xAABB - Address of next-closer device
0x5C - Checksum (0xFF - SUM (all bytes after length))
Repairing source routes
It is possible in a network to have an existing source route fail (i.e. a device in the route moves or goes down, etc.).
If a device goes down in a source routed network, all routes that used the device will be broken.
As mentioned previously, source routing must be used with many-to-one routing. (A device that uses source
routing must also send a periodic many-to-one broadcast in order to keep routes fresh). If a source route is
broken, remote devices must send in new route record transmissions to the data collector to provide it with a
new source route. This requires that remote devices periodically send data transmissions into the data collector.
See Acquiring source routes on page 71 for details.
Retries and acknowledgments
ZigBee includes acknowledgment packets at both the Mac and Application Support (APS) layers. When data is
transmitted to a remote device, it may traverse multiple hops to reach the destination. As data is transmitted
from one node to its neighbor, an acknowledgment packet (Ack) is transmitted in the opposite direction to
indicate that the transmission was successfully received. If the Ack is not received, the transmitting device will
retransmit the data, up to 4 times. This Ack is called the Mac layer acknowledgment.
In addition, the device that originated the transmission expects to receive an acknowledgment packet (Ack) from
the destination device. This Ack will traverse the same path that the data traversed, but in the opposite direction.
If the originator fails to receive this Ack, it will retransmit the data, up to two times until an Ack is received. This
Ack is called the ZigBee APS layer acknowledgment.
NoteRefer to the ZigBee specification for more details.
XBee/XBee-PRO ZigBee RF Modules User Guide73
Encrypted transmissions
Disabling MTO routing
To disable MTO (many-to-one) routing in a network, first reconfigure the AR setting on the aggregator and then
broadcast a network wide power reset (0x08 of the RE command) to rebuild the routing tables.
1. Set AR on the aggregator to 0xFF.
2. Do an AC command to enact the change.
3. Do a WR command if the saved configuration setting value for AR is not 0xFF.
This ends the periodic broadcast of aggregator messages if the previous setting was 0x01-0xFE, and prevents a
single broadcast after a power reset if the previous setting was 0x00. Broadcast a FR remote command to the
network and wait for the network to reform. This removes the aggregator's status as an aggregator from the
network's routing tables so that no more route records will be sent to the aggregator.
Disabling route records
If an aggregator has collected route records from the nodes of the network and no longer needs to have route
records (which consume network throughput) sent:
1. Set Bit 6 of DO to Enable High RAM Concentrator mode. High RAM mode means the aggregator has sufficient
memory to hold route records for its potential destinations.
2. Set AR to 0x00 for a one-time broadcast (which some nodes might miss), or a value in the range of 0x01 to
0xFE (in units of 10 seconds) to periodically send a broadcast to inform the network that the aggregator is
operating in High RAM Concentrator mode and no longer needs to receive route records.
3. Use Create Source Route (API frame type 0x21) to load the route record for a destination into the local XBee's
source route table.
4. Send a unicast to the destination. The route record will be embedded in the payload and determine the
sequence of routers to use in transmitting the unicast to the destination. After receiving the unicast, the
destination will no longer send route records to the aggregator, now that it has confirmed the High RAM
Concentrator aggregator 'knows' its route record.
Clearing the source route table
To clear the source route table, change the AR setting from a non-0xFF setting to 0xFF and do an AC command. To
re-establish periodic aggregator broadcasts, change the AR setting to a non-0xFF setting and do an AC command.
Encrypted transmissions
Encrypted transmissions are routed similar to non-encrypted transmissions with one exception. As an encrypted
packet propagates from one device to another, each device decrypts the packet using the network key, and
authenticates the packet by verifying packet integrity. It then re-encrypts the packet with its own source address
and frame counter values, and sends the message to the next hop. This process adds some overhead latency to
unicast transmissions, but it helps prevent replay attacks. See ZigBee Security on page 84 for details.
XBee/XBee-PRO ZigBee RF Modules User Guide74
Maximum RF payload size
Maximum RF payload size
The NP command returns the maximum payload size in bytes. The actual maximum payload is a function of:
•message type (broadcast or unicast)
•AP setting
•APS encryption option
•source-routing.
Broadcasts, which are neither APS encryptable or fragmentable, have a maximum payload of 0x54 bytes.
Unicasts where AP is 0 also have a maximum payload of 0x54 bytes. A non-zero AP means NP will be 0xFF or 255
bytes.
For broadcast messages and unicast messages when AP==0, the maximum payload is 0x54 bytes.
For unicast messages when AP is nonzero (API mode) the maximum payload is 0xFF (255 decimal) bytes. As
needed, if the combination of payload and optional APS encryption overhead (EE1, TxOption 0x20) is too high,
the message fragments into a maximum of five fragments. The firmware encrypts and transmits each fragment
separately. The destination radio reassembles the fragments into a full message.
For Smart Energy firmware revision 5x32 and earlier, NP==0x80. As of 5x56, NP==0xFF.
The maximum payload is complicated to estimate for aggregator source-routing. To reduce the maximum
payload, when an aggregator sends a source-routed message it embeds the route into the message as overhead,
or into each fragment of the message if fragmentation is necessary. If you use APS encryption (EE1, Tx Option
0x20), it reduces the number further.
The route overhead is 2 bytes plus 2 bytes per hop. The bytes are:
•one byte is the number of hops
•one byte is an index into the route list that increments in value at each hop
•the other data is a list of the 16-bit network addresses of the routing radios
Firmware revisions before 4x58 support a maximum of 11 aggregator source-routed hops. Firmware revisions
4x58 and following support a maximum of 25 aggregator source-routed hops.
Aggregator source-routed payload maximums do not apply to messages that are sourced by non-aggregator
nodes, which send route records ahead of their messages to aggregators. Aggregators are either Coordinators or
Routers which:
•have source routing enabled
or
•have an AR setting which is not 0xFF
The following table shows the aggregator source-routed payload maximums as a function of hops and APS
encryption:
Throughput in a ZigBee network can vary by a number of variables, including: number of hops, encryption
enabled/disabled, sleeping end devices, failures/route discoveries. Our empirical testing showed the following
throughput performance in a robust operating environment (low interference).
Data throughput
ConfigurationData Throughput
1 hop, RR, SD58 kb/s
1 hop, RR, SE34 kb/s
1 hop, RE, SDNot yet available
1
1 hop, RE, SENot yet available
1 hop, ER, SDNot yet available
1 hop, ER, SENot yet available
4 hops, RR, SDNot yet available
4 hops, RR, SENot yet available
XBee/XBee-PRO ZigBee RF Modules User Guide76
Latency timing specifications
ConfigurationData Throughput
RR = router to router
RE = router to end device (non-sleeping)
ER = end device (non-sleeping) to router
SD = security disabled
SE = security enabled
4 hops = 5 nodes total, 3 intermediate router nodes
1. Data throughput measurements were made setting the serial interface rate to 115200 b/s, and measuring the time to
send 100,000 bytes from source to destination. During the test, no route discoveries or failures occurred.
Latency timing specifications
Network Depth100 Node Network200 Node Network
1
2
4
1-byte packet:
32-byte packet:
1-byte packet:
32-byte packet:
1-byte packet:
32-byte packet:
1-byte packet:
32-byte packet:
1-byte packet:
32-byte packet:
1-byte packet:
32-byte packet:
ZDO transmissions
ZigBee defines a ZigBee Device Objects layer (ZDO) that can provide device and service discovery and network
management capabilities. This layer is described below.
ZDO
The ZDO is supported to some extent on all ZigBee devices. The ZDO is an endpoint that implements services
described in the ZigBee Device Profile in the ZigBee specification. Each service has an assigned cluster ID, and
most service requests have an associated response. The following table describes some common ZDO services.
Cluster NameCluster IDDescription
Network Address Request0x0000Request a 16-bit address of the radio with a matching 64-bit address
(required parameter).
Active Endpoints Request0x0005Request a list of endpoints from a remote device.
LQI Request0x0031Request data from a neighbor table of a remote device.
Routing Table Request0x0032Request to retrieve routing table entries from a remote device.
Network Address Response0x8000Response that includes the 16-bit address of a device.
LQI Response0x8031Response that includes neighbor table data from a remote device.
Routing Table Response0x8032Response that includes routing table entry data from a remote device.
XBee/XBee-PRO ZigBee RF Modules User Guide77
ZDO transmissions
Refer to the ZigBee specification for a detailed description of all ZigBee Device Profile services.
Sending a ZDO command
To send a ZDO command, an explicit transmit API frame must be used and formatted correctly. The source and
destination endpoints must be set to 0, and the profile ID must be set to 0. The cluster ID must be set to match the
cluster ID of the appropriate service. For example, to send an active endpoints request, the cluster ID must be set
to 0x0005.
The first byte of payload in the API frame is an application sequence number (transaction sequence number) that
can be set to any single byte value. This same value will be used in the first byte of the ZDO response. All
remaining payload bytes must be set as required by the ZDO. All multi-byte values must be sent in little endian
byte order.
Receiving ZDO commands and responses
In XBee ZB firmware, ZDO commands can easily be sent using the API. In order to receive incoming ZDO
commands, receiver application addressing must be enabled with the AO command; see examples later in this
section. Not all incoming ZDO commands are passed up to the application.
When a ZDO message is received on endpoint 0 and profile ID 0, the cluster ID indicates the type of ZDO message
that was received. The first byte of payload is generally a sequence number that corresponds to a sequence
number of a request. The remaining bytes are set as defined by the ZDO. Similar to a ZDO request, all multi-byte
values in the response are in little endian byte order.
Example 1: send a ZDO LQI request to read the neighbor table contents of a remote.
Looking at the ZigBee specification, the cluster ID for an LQI Request is 0x0031, and the payload only requires a
single byte (start index). This example will send an LQI request to a remote device with a 64-bit address of
0x0013A200 40401234. The start index will be set to 0, and the transaction sequence number will be set to 0x76
API frame
7E 0016 11 01 0013A200 40401234 FFFE 00 00 0031 0000 00 00 76 00 CE
0x0016 - length
0x11 - Explicit transmit request
0x01 - frame ID (set to a non-zero value to enable the transmit status message, or set to 0 to disable)
0x0013A200 40401234 - 64-bit address of the remote
0xFFFE - 16-bit address of the remote (0xFFFE = unknown). Optionally, set to the 16-bit address of the destination
if known.
0x00 - Source endpoint
0x00 - Destination endpoint
0x0031 - Cluster ID (LQI Request, or Neighbor table request)
0x0000 - Profile ID (ZigBee Device Profile)
0x00 - Broadcast radius
0x00 - Tx Options
0x76 - Transaction sequence number
XBee/XBee-PRO ZigBee RF Modules User Guide78
ZDO transmissions
0x00 - Required payload for LQI request command
0xCE - Checksum (0xFF - SUM (all bytes after length))
Description
This API frame sends a ZDO LQI request (neighbor table request) to a remote device to obtain data from its
neighbor table. Recall that the AO command must be set correctly on an API device to enable the explicit API
receive frames in order to receive the ZDO response.
Example 2: send a ZDO network Address Request to discover the 16-bit address of a
remote.
Looking at the ZigBee specification, the cluster ID for a network Address Request is 0x0000, and the payload only
requires the following:
[64-bit address] + [Request Type] + [Start Index]
This example will send a Network Address Request as a broadcast transmission to discover the 16-bit address of
the device with a 64-bit address of 0x0013A200 40401234. The request type and start index will be set to 0, and
the transaction sequence number will be set to 0x44
0x33 - Checksum (0xFF - SUM (all bytes after length))
Description
This API frame sends a broadcast ZDO Network Address Request to obtain the 16-bit address of a device with a
64-bit address of 0x0013A200 40401234. Note the bytes for the 64-bit address were inserted in little endian byte
order. All multi-byte fields in the API payload of a ZDO command must have their data inserted in little endian
byte order. Also recall that the AO command must be set correctly on an API device to enable the explicit API
receive frames in order to receive the ZDO response.
XBee/XBee-PRO ZigBee RF Modules User Guide79
Transmission timeouts
Transmission timeouts
The ZigBee stack includes two kinds of transmission timeouts, depending on the nature of the destination
device. For destination devices such as routers whose receiver is always on, a unicast timeout is used. The unicast
timeout estimates a timeout based on the number of unicast hops the packet should traverse to get data to the
destination device. For transmissions destined for end devices, the ZigBee stack uses an extended timeout that
includes the unicast timeout (to route data to the end device's parent), and it includes a timeout for the end
device to finish sleeping, wake, and poll the parent for data.
The ZigBee stack includes some provisions for a device to detect if the destination is an end device or not. The
ZigBee stack uses the unicast timeout unless it knows the destination is an end device.
The XBee API includes a transmit options bit that can be set to specify if the extended timeout should be used for
a given transmission. If this bit is set, the extended timeout will be used when sending RF data to the specified
destination. To improve routing reliability, applications should set the extended timeout bit when sending data
to end devices if:
•The application sends data to 10 or more remote devices, some of which are end devices, AND
•The end devices may sleep longer than the unicast timeout
Equations for these timeouts are computed in the following sections.
NoteThe timeouts in this section are worst-case timeouts and should be padded by a few hundred
milliseconds. These worst-case timeouts apply when an existing route breaks down (e.g. intermediate
hop or destination device moved).
Unicast timeout
The unicast timeout is settable with the NH command. The actual unicast timeout is computed as ((50 * NH) +
100). The default NH value is 30 which equates to a 1.6 second timeout.
The unicast timeout includes 3 transmission attempts (1 attempt and 2 retries). The maximum total timeout is
about:
3 * ((50 * NH) + 100).
For example, if NH=30 (0x1E), the unicast timeout is about
3 * ((50 * 30) + 100), or
3 * (1500 + 100), or
3 * (1600), or
4800 ms, or
4.8 seconds.
Extended timeout
The worst-case transmission timeout when sending data to an end device is somewhat larger than when
transmitting to a router or coordinator. As described Parent operation on page 108, RF data packets are actually
sent to the parent of the end device, who buffers the packet until the end device wakes to receive it. The parent
will buffer an RF data packet for up to (1.2 * SP) time.
To ensure the end device has adequate time to wake and receive the data, the extended transmission timeout to
an end device is:
XBee/XBee-PRO ZigBee RF Modules User Guide80
Transmission timeouts
(50 * NH) + (1.2 * SP)
This timeout includes the packet buffering timeout (1.2 * SP) and time to account for routing through the mesh
network (50 * NH).
If an acknowledgment is not received within this time, the sender will resend the transmission up to two more
times. With retries included, the longest transmission timeout when sending data to an end device is:
3 * ((50 * NH) + (1.2 * SP))
The SP value in both equations must be entered in millisecond units. (The SP command setting uses 10ms units
and must be converted to milliseconds to be used in this equation.)
For example, suppose a router is configured with NH=30 (0x1E) and SP=0x3E8 (10,000 ms), and that it is either
trying to send data to one of its end device children, or to a remote end device. The total extended timeout to the
end device is about:
3 * ((50 * NH) + (1.2 * SP)), or
3 * (1500 + 12000), or
3 * (13500), or
40500 ms, or
40.5 seconds.
Transmission examples
Example 1: send a unicast API data transmission to the coordinator using 64-bit address
0, with payload “TxData”.
API frame
7E 0014 10 01 00000000 00000000 FFFE 00 00 54 78 44 61 74 61 AB
Field composition
0x0014 - length
0x10 - API ID (TX data)
0x01 - frame ID (set greater than 0 to enable the TX-status response)
0x00000000 00000000 - 64-bit address of coordinator (ZB definition)
0xFFFE - Required 16-bit address if sending data to 64-bit address of 0.
0xAB - Checksum (0xFF - SUM (all bytes after length))
Description
This transmission sends the string “TxData” to the coordinator, without knowing the coordinator device's 64-bit
address. A 64-bit address of 0 is defined as the coordinator in ZB firmware. If the coordinator's 64-bit address was
XBee/XBee-PRO ZigBee RF Modules User Guide81
Transmission timeouts
known, the 64-bit address of 0 could be replaced with the coordinator's 64-bit address, and the 16-bit address
could be set to 0.
Example 2: send a broadcast API data transmission that all devices can receive (including
sleeping end devices), with payload “TxData”.
API frame
7E 0014 10 01 00000000 0000FFFF FFFE 00 00 54 78 44 61 74 61 AD
Field composition
0x0014 - length
0x10 - API ID (TX data)
0x01 - frame ID (set to a non-zero value to enable the TX-status response)
0x00000000 0000FFFF - Broadcast definition (including sleeping end devices
0xFFFE - Required 16-bit address to send broadcast transmission.
0xAD - Checksum (0xFF - SUM (all bytes after length))
Description
This transmission sends the string “TxData” as a broadcast transmission. Since the destination address is set to
0xFFFF, all devices, including sleeping end devices can receive this broadcast.
If receiver application addressing is enabled, the XBee will report all received data frames in the explicit format
(0x91) to indicate the source and destination endpoints, cluster ID, and profile ID that each packet was received
on. (Status messages like modem status and route record indicators are not affected.)
To enable receiver application addressing, set the AO command to 1 using the AT command frame (0x08). Here's
how to do this:
API frame
7E 0005 08 01 414F 01 65
Field composition
0x0005 - length
0x08 - API ID (at command)
0x01 - frame ID (set to a non-zero value to enable AT command response frames)
0x414F - ASCII representation of 'A','O' (the command being issued)
0x01 - Parameter value
0x65 - Checksum (0xFF - SUM (all bytes after length))
Description
XBee/XBee-PRO ZigBee RF Modules User Guide82
Transmission timeouts
Setting AO=1 is required for the XBee to use the explicit receive API frame (0x91) when RF data packets are received.
This is required if the application needs indication of source or destination endpoint, cluster ID, and/or profile ID
values used in received ZigBee data packets. ZDO messages can only be received if AO=1.
XBee/XBee-PRO ZigBee RF Modules User Guide83
ZigBee Security
ZigBee supports various levels of security that can be configured depending on the needs of the application. Security
provisions include:
• 128-bit AES encryption
• Two security keys that can be preconfigured or obtained during joining
• Support for a trust center
• Provisions to ensure message integrity, confidentiality, and authentication
The first half of this section describes various security features defined in the ZigBee specification, while the last half
illustrates how the XBee modules can be configured to support these features
Security modes
The ZigBee standard supports three security modes – residential, standard, and high security. Residential security
was first supported in the ZigBee 2006 standard. This level of security requires a network key be shared among
devices. Standard security adds a number of optional security enhancements over residential security, including an
APS layer link key. High security adds entity authentication, and a number of other features not widely supported.
XBee ZB modules primarily support standard security, although end devices that support residential security can join
and interoperate with standard security devices. The remainder of this section focuses on material that is relevant to
standard security.
ZigBee security model
ZigBee security is applied to the Network and APS layers. Packets are encrypted with 128-bit AES encryption. A
network key and optional link key can be used to encrypt data. Only devices with the same keys are able to
communicate together in a network. Routers and end devices that will communicate on a secure network must
obtain the correct security keys.
Network layer security
The network key is used to encrypt the APS layer and application data. In addition to encrypting application
messages, network security is also applied to route request and reply messages, APS commands, and ZDO
commands. Network encryption is not applied to MAC layer transmissions such as beacon transmissions, etc. If
security is enabled in a network, all data packets will be encrypted with the network key.
XBee/XBee-PRO ZigBee RF Modules User Guide84
ZigBee security model
Packets are encrypted and authenticated using 128-bit AES. This is shown in the figure below.
Frame counter
The network header of encrypted packets includes a 32-bit frame counter. Each device in the network maintains
a 32-bit frame counter that is incremented for every transmission. In addition, devices track the last known 32-bit
frame counter for each of its neighbors. If a device receives a packet from a neighbor with a smaller frame
counter than it has previously seen, the packet is discarded. The frame counter is used to protect against replay
attacks.
If the frame counter reaches a maximum value of 0xFFFFFFFF, it does not wrap to 0 and no more transmissions
can be sent. Due to the size of the frame counters, reaching the maximum value is a very unlikely event for most
applications. The following table shows the required time under different conditions, for the frame counter to
reach its maximum value.
Average Transmission RateTime until 32-bit frame counter expires
1 / second136 years
10 / second13.6 years
To clear the frame counters without compromising security, the network key can be changed in the network.
When the network key is updated, the frame counters on all devices reset to 0. (See the Network Key Updates
section for details.)
Message integrity code
The network header, APS header, and application data are all authenticated with 128-bit AES. A hash is
performed on these fields and is appended as a 4-byte message integrity code (MIC) to the end of the packet. The
MIC allows receiving devices to ensure the message has not been changed. The MIC provides message integrity in
the ZigBee security model. If a device receives a packet and the MIC does not match the device’s own hash of the
data, the packet is dropped.
Network layer encryption and decryption
Packets with network layer encryption are encrypted and decrypted by each hop in a route. When a device
receives a packet with network encryption, it decrypts the packet and authenticates the packet. If the device is
not the destination, it then encrypts and authenticates the packet, using its own frame counter and source
address in the network header section.
XBee/XBee-PRO ZigBee RF Modules User Guide85
ZigBee security model
Since network encryption is performed at each hop, packet latency is slightly longer in an encrypted network
than in a non-encrypted network. Also, security requires 18 bytes of overhead to include a 32-bit frame counter,
an 8-byte source address, 4-byte MIC, and 2 other bytes. This reduces the number of payload bytes that can be
sent in a data packet.
Network key updates
ZigBee supports a mechanism for changing the network key in a network. When the network key is changed, the
frame counters in all devices reset to 0.
APS layer security
APS layer security can be used to encrypt application data using a key that is shared between source and
destination devices. Where network layer security is applied to all data transmissions and is decrypted and reencrypted on a hop-by-hop basis, APS security is optional and provides end-to-end security using an APS link key
that only the source and destination device know. APS security can be applied on a packet-by-packet basis. APS
security cannot be applied to broadcast transmissions.
If APS security is enabled, packets are encrypted and authenticated using 128-bit AES. This is shown in the figure
below:
Message integrity code
If APS security is enabled, the APS header and data payload are authenticated with 128-bit AES. A hash is
performed on these fields and appended as a 4-byte message integrity code (MIC) to the end of the packet. This
MIC is different than the MIC appended by the network layer. The MIC allows the destination device to ensure the
message has not been changed. If the destination device receives a packet and the MIC does not match the
destination device’s own hash of the data, the packet is dropped.
APS link keys
There are two kinds of APS link keys – trust center link keys and application link keys. A trust center link key is
established between a device and the trust center, where an application link key is established between a device
and another device in the network where neither device is the trust center.
XBee/XBee-PRO ZigBee RF Modules User Guide86
ZigBee security model
APS layer encryption and decryption
Packets with APS layer encryption are encrypted at the source and only decrypted by the destination. Since APS
encryption requires a 5-byte header and a 4-byte MIC, the maximum data payload is reduced by 9 bytes when
APS encryption is used.
Network and APS layer encryption
Network and APS layer encryption can both be applied to data. The following figure demonstrates the
authentication and encryption performed on the final ZigBee packet when both are applied.
Trust center
ZigBee defines a trust center device that is responsible for authenticating devices that join the network. The trust
center also manages link key distribution in the network.
Forming and joining a secure network
The coordinator is responsible for selecting a network encryption key. This key can either be preconfigured or
randomly selected. In addition, the coordinator generally operates as a trust center and must therefore select the
trust center link key. The trust center link key can also be preconfigured or randomly selected.
Devices that join the network must obtain the network key when they join. When a device joins a secure network,
the network and link keys can be sent to the joining device. If the joining device has a pre-configured trust center
link key, the network key will be sent to the joining device encrypted by the link key. Otherwise, if the joining
device is not pre-configured with the link key, the device could only join the network if the network key is sent
unencrypted (“in the clear”). The trust center must decide whether or not to send the network key unencrypted
to joining devices that are not pre-configured with the link key. Sending the network key unencrypted is not
recommended as it can open a security hole in the network. To maximize security, devices should be preconfigured with the correct link key.
XBee/XBee-PRO ZigBee RF Modules User Guide87
Implementing security on the XBee
Implementing security on the XBee
If security is enabled in the XBee ZB firmware, devices acquire the network key when they join a network. Data
transmissions are always encrypted with the network key, and can optionally be end-to-end encrypted with the
APS link key. The following sections discuss the security settings and options in the XBee ZB firmware.
Enabling security
To enable security on a device, the EE command must be set to 1. If the EE command value is changed and
changes are applied (e.g. AC command), the XBee module will leave the network (PAN ID and channel) it was
operating on, and attempt to form or join a new network.
If EE is set to 1, all data transmissions will be encrypted with the network key. When security is enabled, the
maximum number of bytes in a single RF transmission will be reduced. See the NP command for details.
NoteThe EE command must be set the same on all devices in a network. Changes to the EE command should
be written to non-volatile memory (to be preserved through power cycle or reset events) using the WR
command.
Setting the Network Security Key
The coordinator must select the network security key for the network. The NK command (write-only) is used to
set the network key. If NK=0 (default), a random network key will be selected. (This should suffice for most
applications.) Otherwise, if NK is set to a non-zero value, the network security key will use the value specified by
NK. NK is only supported on the coordinator.
Routers and end devices with security enabled (ATEE=1) acquire the network key when they join a network. They
receive the network key encrypted with the link key if they share a pre-configured link key with the coordinator.
See the following section for details.
NoteIn ZigBee, if EE and EO are set to 0x01, then the network key is sent in the clear (unencrypted) with the
link key at association time. This may be a useful setting in development environments, but we
discourage it for product deployment for security reasons.
Setting the APS Trust Center Link Key
The coordinator must also select the trust center link key, using the KY command. If KY=0 (default), the
coordinator will select a random trust center link key (not recommended). Otherwise, if KY is set greater than 0,
this value will be used as the pre-configured trust center link key. KY is write-only and cannot be read.
NoteApplication link keys (sent between two devices where neither device is the coordinator) are not
supported in ZB firmware at this time.
Random Trust Center Link keys
If the coordinator selects a random trust center link key (KY=0, default), then it will allow devices to join the
network without having a pre-configured link key. However, this will cause the network key to be sent
unencrypted over-the-air to joining devices and is not recommended.
Pre-configured Trust Center Link keys
XBee/XBee-PRO ZigBee RF Modules User Guide88
XBee security examples
If the coordinator uses a pre-configured link key (KY > 0), then the coordinator will not send the network key
unencrypted to joining devices. Only devices with the correct pre-configured link key will be able to join and
communicate on the network.
Enabling APS encryption
APS encryption is an optional layer of security that uses the link key to encrypt the data payload. Unlike network
encryption that is decrypted and encrypted on a hop-by-hop basis, APS encryption is only decrypted by the
destination device. The XBee must be configured with security enabled (EE set to 1) to use APS encryption.
APS encryption can be enabled in API mode on a per-packet basis. To enable APS encryption for a given
transmission, the “enable APS encryption” transmit options bit should be set in the API transmit frame. Enabling
APS encryption decreases the maximum payload size by 9 bytes.
Using a Trust Center
The EO command can be used to define the coordinator as a trust center. If the coordinator is a trust center, it will
be alerted to all new join attempts in the network. The trust center also has the ability to update or change the
network key on the network.
In ZB firmware, a secure network can be established with or without a trust center. Network and APS layer
encryption are supported if a trust center is used or not.
Updating the Network Key with a Trust Center
If the trust center has started a network and the NK value is changed, the coordinator will update the network key
on all devices in the network. (Changes to NK will not force the device to leave the network.) The network will
continue to operate on the same channel and PAN ID, but the devices in the network will update their network
key, increment their network key sequence number, and restore their frame counters to 0.
Updating the Network Key without a Trust Center
If the coordinator is not running as a trust center, the network reset command (NR1) can be used to force all
devices in the network to leave the current network and rejoin the network on another channel. When devices
leave and reform then network, the frame counters are reset to 0. This approach will cause the coordinator to
form a new network that the remaining devices should join. Resetting the network in this manner will bring the
coordinator and routers in the network down for about 10 seconds, and will likely cause the 16-bit PAN ID and 16bit addresses of the devices to change.
XBee security examples
This section covers some sample XBee configurations to support different security modes. Several AT commands
are listed with suggested parameter values. The notation in this section includes an '=' sign to indicate what each
command register should be set to - for example, EE=1. This is not the correct notation for setting command
values in the XBee. In AT command mode, each command is issued with a leading 'AT' and no '=' sign - for
example ATEE1. In the API, the two byte command is used in the command field, and parameters are populated
as binary values in the parameter field.
Example 1: forming a network with security (pre-configured link keys)
1. Start a coordinator with the following settings:
2. ID=2234 (arbitrarily selected)
XBee/XBee-PRO ZigBee RF Modules User Guide89
XBee security examples
d. EE=1
e. NK=0
f. KY=4455
g. WR (save networking parameters to preserve them through power cycle)
3. Configure one or more routers or end devices with the following settings:
a. ID=2234
b. EE=1
c. KY=4455
d. WR (save networking parameters to preserve them through power cycle)
4. Read the AI setting on the coordinator and joining devices until they return 0 (formed or joined a network).
In this example, EE, ID, and KY are set the same on all devices. After successfully joining the secure network, all
application data transmissions will be encrypted by the network key. Since NK was set to 0 on the coordinator, a
random network key was selected. And since the link key (KY) was configured the same on all devices, to a nonzero value, the network key was sent encrypted by the pre-configured link key (KY) when the devices joined.
Example 2: forming a network with security (obtaining keys during joining)
1. Start a coordinator with the following settings:
a. ID=2235
b. EE=1
c. NK=0
d. KY=0
e. WR (save networking parameters to preserve them through power cycle)
2. Configure one or more routers or end devices with the following settings:
a. ID=2235
b. EE=1
c. KY=0
d. WR (save networking parameters to preserve them through power cycle)
3. Read the AI setting on the coordinator and joining devices until they return 0 (formed or joined a network).
In this example, EE, ID, and KY are set the same on all devices. Since NK was set to 0 on the coordinator, a random
network key was selected. And since KY was set to 0 on all devices, the network key was sent unencrypted (“in the
clear”) when the devices joined. This approach introduces a security vulnerability into the network and is not
recommended.
XBee/XBee-PRO ZigBee RF Modules User Guide90
Network commissioning and diagnostics
Network commissioning is the process whereby devices in a mesh network are discovered and configured for
operation. The XBee modules include several features to support device discovery and configuration. In addition to
configuring devices, a strategy must be developed to place devices to ensure reliable routes.
To accommodate these requirements, the XBee modules include various features to aid in device placement,
configuration, and network diagnostics.
Device configuration
XBee modules can be configured locally through serial commands (AT or API), or remotely through remote API
commands. API devices can send configuration commands to set or read the configuration settings of any device in
the network.
Device placement
For a mesh network installation to be successful, the installer must be able to determine where to place individual
XBee devices to establish reliable links throughout the mesh network.
Link testing
A good way to measure the performance of a mesh network is to send unicast data through the network from one
device to another to determine the success rate of many transmissions. To simplify link testing, the modules support
a loopback cluster ID (0x12) on the data endpoint (0xE8). Any data sent to this cluster ID on the data endpoint will be
transmitted back to the sender. This is shown in the figure below:
XBee/XBee-PRO ZigBee RF Modules User Guide91
Device discovery
The configuration steps to send data to the loopback cluster ID depend on the serial port mode as determined by
the AP command.
Transparent Mode
To send data to the loopback cluster ID on the data endpoint of a remote device, set the CI command value to
0x12. The SE and DE commands should be set to 0xE8 (default value). The DH and DL commands should be set to
the address of the remote (0 for the coordinator, or the 64-bit address of the remote). After exiting command
mode, any received serial characters will be transmitted to the remote device, and returned to the sender.
API Mode
Send an Explicit Addressing ZigBee Command API frame (0x11) using 0x12 as the cluster ID and 0xE8 as the
source and destination endpoint. Data packets received by the remote will be echoed back to the sender.
RSSI indicators
It is possible to measure the received signal strength on a device using the DB command. DB returns the RSSI
value (measured in –dBm) of the last received packet. However, this number can be misleading. The DB value
only indicates the received signal strength of the last hop. If a transmission spans multiple hops, the DB value
provides no indication of the overall transmission path, or the quality of the worst link – it only indicates the
quality of the last link and should be used sparingly.
The DB value can be determined in hardware using the RSSI/PWM module pin (pin 6). If the RSSI PWM
functionality is enabled (P0 command), when the module receives data, the RSSI PWM is set to a value based on
the RSSI of the received packet. (Again, this value only indicates the quality of the last hop.) This pin could
potentially be connected to an LED to indicate if the link is stable or not.
Device discovery
Network discovery
The network discovery command can be used to discover all Digi modules that have joined a network. Issuing the
ND command sends a broadcast node discovery command throughout the network. All devices that receive the
command will send a response that includes the device’s addressing information, node identifier string (see NI
command), and other relevant information. This command is useful for generating a list of all module addresses
in a network.
When a device receives the node discovery command, it waits a random time before sending its own response.
The maximum time delay is set on the ND sender with the NT command. The ND originator includes its NT setting
XBee/XBee-PRO ZigBee RF Modules User Guide92
Commissioning Pushbutton and Associate LED
A pushbutton and an LED can be connected
to module pins 33 and 28 (SMT), or pins 20
and 15 (TH) respectively to support the
commissioning pushbutton and Associate
LED functionalities.
in the transmission to provide a delay window for all devices in the network. Large networks may need to
increase NT to improve network discovery reliability. The default NT value is 0x3C (6 seconds).
ZDO discovery
The ZigBee Device Profile includes provisions to discover devices in a network that are supported on all ZigBee
devices (including non-Digi products). These include the LQI Request (cluster ID 0x0031) and the Network Update
Request (cluster ID 0x0038). The LQI Request can be used to read the devices in the neighbor table of a remote
device, and the Network Update Request can be used to have a remote device do an active scan to discover all
nearby ZigBee devices. Both of these ZDO commands can be sent using the XBee Explicit API transmit frame
(0x11). See API Operation on page 130 for details. Refer to the ZigBee specification for formatting details of these
two ZDO frames.
Joining Announce
All ZigBee devices send a ZDO Device Announce broadcast transmission when they join a ZigBee network (ZDO
cluster ID 0x0013). These frames will be sent out the XBee's serial port as an Explicit Rx Indicator API frame (0x91)
if AO is set to 1. The device announce payload includes the following information:
The 16-bit and 64-bit addresses are received in little-endian byte order (LSB first). See the ZigBee specification for
details.
Commissioning Pushbutton and Associate LED
The XBee modules support a set of commissioning and LED behaviors to aid in device deployment and
commissioning. These include the commissioning pushbutton definitions and associate LED behaviors. These
features can be supported in hardware. The following figure shows the Commissioning Pushbutton and
Associate LED functionalities.
XBee/XBee-PRO ZigBee RF Modules User Guide93
Button
∆t
Device Not Joined
Dev ice has joi ned a netw ork
Associate
The associate pin can indicate the joined status of a device . Once the device has joined a
network, the associate pin toggles state at a regular interval (∆t). The time can be set by
using the LT command.
Presses
Commissioning Pushbutton and Associate LED
Commissioning Pushbutton
The commissioning pushbutton definitions provide a variety of simple functions to aid in deploying devices in a
network. The commissioning button functionality on pin 33 (SMT) or pin 20 (TH) is enabled by setting the D0
command to 1 (enabled by default).
If module is joined to a networkIf module is not joined to a network
Wakes an end device for 30 seconds
1
Sends a node identification broadcast transmission
Wakes an end device for 30 seconds
Blinks a numeric error code on the Associate pin
indicating the cause of join failure.
Sends a broadcast transmission to enable joining on
2
the coordinator and all devices in the network for 1
minute. (If joining is permanently enabled on a device
N/A
(NJ = 0xFF), this action has no effect on that device.)
Causes the device to leave the PAN.
Issues ATRE to restore module parameters to default
4
values, including ID and SC.
The device attempts to join a network based on its ID
Issues ATRE to restore module parameters to default
values, including ID and SC.
The device attempts to join a network based on its ID
and SC settings.
and SC settings.
Button presses may be simulated in software using the ATCB command. ATCB should be issued with a parameter
set to the number of button presses to execute. (e.g. sending ATCB1 will execute the action(s) associated with a
single button press.)
The node identification frame is similar to the node discovery response frame – it contains the device’s address,
node identifier string (NI command), and other relevant data. All API devices that receive the node identification
frame send it out their serial port as an API Node Identification Indicator frame (0x95).
Associate LED
The Associate pin (pin 28/SMT, pin 33/TH) can provide indication of the device’s network status and diagnostics
information. To take advantage of these indications, an LED can be connected to the Associate pin as shown in
the figure above. The Associate LED functionality is enabled by setting the D5 command to 1 (enabled by default).
If enabled, the Associate pin is configured as an output and will behave as described in the following sections.
Joined indication
The Associate pin indicates the network status of a device. If the module is not joined to a network, the Associate
pin is set high. Once the module successfully joins a network, the Associate pin blinks at a regular time interval.
The following figure shows the joined status of a device
XBee/XBee-PRO ZigBee RF Modules User Guide94
Commissioning Pushbutton and Associate LED
Associate
(D5 = 1
Device not joined)
A single commissioning button press when the device has not joined a network that
causes the associate pin to blink to indicate the AI Code where: AI = # blinks + 0x20.
In this example, AI = 0x22.
AD0/DIO0
Associate Pin
(D5 = 1)
AD0/DIO0 Pi n
(Remote Device)
A single button press on a remote device causes a broadcast node identification transmission
to be sent. All devices that receive this transmission blink their associate pin rapidly for one
second if the associate LED functionality is enabled. (D5 = 1)
The LT command defines the blink time of the Associate pin. If set to 0, the device uses the default blink time
(500ms for coordinator, 250ms for routers and end devices).
Diagnostics support
The Associate pin works with the commissioning pushbutton to provide additional diagnostics behaviors to aid
in deploying and testing a network. If the commissioning push button is pressed once, and the device has not
joined a network, the Associate pin blinks a numeric error code to indicate the cause of join failure. The number
of blinks is equal to (AI value – 0x20). For example, if AI=0x22, 2 blinks occur.
If the commissioning push button is pressed once, and the device has joined a network, the device transmits a
broadcast node identification packet. If the Associate LED functionality is enabled (D5 command), a device that
receives this transmission will blink its Associate pin rapidly for 1 second.
The following figures demonstrate these behaviors.
Binding
There are three binding request messages supported by the Digi XBee firmware: End Device Bind, Bind, and
Unbind.
End_Device_Bind_req
The End Device Bind request (ZDO cluster 0x0020) is described in the ZigBee Specification.
During a deployment, an installer may need to bind a switch to a light. He presses a commissioning button
sequence on each device. This causes them to send End_Device_Bind_req messages to the Coordinator within a
time window (60 s). The payload of each message is a simple descriptor which lists input and output clusterIDs.
The Coordinator matches the requests by pairing complementary clusterIDs. After a match has been made, it
sends messages to bind the devices together. When the process is over, both devices will have entries in their
binding tables which support indirect addressing of messages between their bound endpoints.
XBee/XBee-PRO ZigBee RF Modules User Guide95
R1->C End_Device_Bind_req
R2->C End_Device_Bind_req
R1, R2 send End_Device_Bind_req within 60 s of each other to C
C matches the requests.
C tests one to see if binding is already in place:
R2<-C Unbind_req
R2->C Unbind-rsp (status code - NO_ENTRY)
C proceeds to create binding table entries on the two devices.
R1<-C Bind_req
R1->C Bind_rsp
R2<-C Bind_req
R2->C Bind_rsp
C sends responses to the original End_Device_Bind_req messages.
R1-<C End_Device_Bind_rsp
Commissioning Pushbutton and Associate LED
R2-<C End_Device_Bind_rsp
End Device binding sequence (binding)
This message has a toggle action. If the same two devices were to subsequently send End_Device_Bind_req
messages to the Coordinator, the Coordinator would detect they were already bound, and then send Unbind_req
messages to remove the binding.
An installer can use this to remove a binding which was made incorrectly, say from a switch to the wrong lamp,
simply by repeating the commissioning button sequence he used beforehand.
R1->C End_Device_Bind_req
R2->C End_Device_Bind_req
R1, R2 send End_Device_Bind_req within 60 s of each other to C
C matches the requests.
C tests one to see if binding is already in place:
R2<-C Unbind_req
R2->C Unbind-rsp (status code - SUCCESS)
C proceeds to remove binding table entries from the two devices.
R1<-C Unbind_req
R1->C Unbind_rsp
R2<-C Unbind_req
R2->C Unbind_rsp
C sends responses to the original End_Device_Bind_req messages.
R1-<C End_Device_Bind_rsp
R2-<C End_Device_Bind_rsp
XBee/XBee-PRO ZigBee RF Modules User Guide96
Commissioning Pushbutton and Associate LED
End Device binding sequence (removal)
This example shows a correctly formatted End_Device_Bind_req (ZDO cluster 0x0020) using a Digi 0x11 Explicit
API Frame:
Here is the RFData (the ZDO payload) broken into labeled fields. Note the multi-byte fields of a ZDO payload are
represented in little-endian format.
01Transaction Sequence Number
f299Binding Target (16 bit network address of sending device)
5cb5474000a21300 (64 bit address of sending device)
e6Source Endpoint on sending device
05c1ProfileID (0xC105) - used when matching End_Device_Bind_requests
01Number of input clusters
0100Input cluster ID list (0x0100)
01Number of output clusters
0200Output cluster ID list (0x0200)
Example of a End_Device_Bind_req
XBee/XBee-PRO ZigBee RF Modules User Guide97
Commissioning Pushbutton and Associate LED
Bind_req
The Bind request (ZDO cluster 0x0021) is described in the ZigBee Specification. A binding may be coded for either
a unicast or a multicast/groupID message.
Unbind_req
The Unbind request (ZDO cluster 0x0022) is described in the ZigBee Specification.
Group Table API
Unlike the Binding Table which is managed with ZDO commands, a ZigBee Group Table is managed by the ZigBee
Cluster Library Groups Cluster (0x0006) with ZCL commands.
The Digi ZigBee XBee firmware is intended to work with an external processor where a Public Application Profile
with endpoints and clusters is implemented, including a Groups Cluster. The ZigBee XBee firmware should be
configured to forward all ZCL commands addressed to this Group Cluster out the UART (see ATAO3). The ZigBee
XBee will not use remote Groups Cluster commands to manage its own Group Table.
But for the sake of implementing multicast (group) addressing within the XBee, the external processor must keep
the XBee's group table state in sync with its own. And so a Group Table API has been defined whereby the
external processor can manage the state of the ZigBee XBee's group table.
The design of the Group Table API of the XBee firmware is derived from the ZCL Group Cluster 0x0006. Developers
should use the Explicit API frame 0x11 addressed to the Digi Device Object endpoint (0xE6) with the Digi XBee
ProfileID (0xC105) to send commands and requests to the local device.
As a design note, the ZigBee Home Automation Public Application Profile says groups should only be used for
sets of more than 5 devices. This implies sets of 5 or fewer devices should be managed with multiple binding
table entries.
There are five commands implemented in the API: Add Group, View Group, Get Group Membership, Remove
Group, and Remove All Groups.
There is a sixth command of the Group Cluster described in the ZCL, Add Group If Identifying, which is not
supported in this API, because its implementation requires access to the Identify Cluster, which is not maintained
on the XBee. The external processor will need to implement that server command while using the Group Table
API to keep the XBee's group table in sync using the five command primitives described hereafter.
Add Group
The purpose of the Add Group command is to add a group table entry to associate an active endpoint with a
groupID and optionally a groupName. The groupID is a two byte value. The groupName consists of zero to 16
ASCII characters.
The intent of the example which follows is to add a group table entry which associates endpoint E7 with groupID
1234 and groupName “ABCD”.
The example packet is given in three parts, the preamble, ZCL Header, and ZCL payload:
The packet is addressed to the local node, using a source endpoint of 0xE6, clusterID of 0x0006, and profileID of
0xC105. The destination endpoint E7 holds the endpoint parameter for the “Add Group” command.
ZCL_header = “01 ee 00"
The first field (byte) is a frame control field which specifies a Cluster Specific command (0x01) using a Client>Server direction(0x00). The second field is a transaction sequence number which is used to associate the
response with the command request. The third field is the command identifier for “Add Group” (0x00)[2].
XBee/XBee-PRO ZigBee RF Modules User Guide98
Commissioning Pushbutton and Associate LED
ZCL_payload = “3412 04 41 42 43 44"
The first two bytes is the group Id to add in little endian representation. The next byte is the string name length
(00 if no string is wanted). The other bytes are the descriptive ASCII string name (“ABCD”) for the group table
entry. Note the string is represented with its length in the first byte, and the other bytes containing the ASCII
characters.
API 0x91 64DestAddr 0x0013A2004047B55C 16DestAddr 0xFFFE SrcEP 0xE7 DestEP 0xE6
ClusterID 0x8006 ProfileID 0xC105 Options 0x00
RF_Data 0x09EE00003412
The response in terms of Preamble, ZCL Header, and ZCL payload:
Preamble = “910013a2004047b55cfffee7e68006c10500”
The packet has its endpoint values reversed from the request, and the clusterID is 0x8006 indicating a Group
cluster response.
ZCL_header = “09 ee 00"
The first field is a frame control field which specifies a Cluster Specific command (0x01) using a Server-> Client
direction. The second field is a transaction sequence number which is used to associate the response with the
command request. The third field is the command identifier “Add Group” (0x00)[2].
ZCL_payload = “00 3412"
The first byte is a status byte (SUCCESS=0x00)[3][4]. The next two bytes hold the group ID (0x1234) in little endian
form.
And here is the decoded second message, which is a Tx Status for the original command request. If the FrameId
value in the original command request had been zero, or if no space was available in the transmit UART buffer,
then no Tx Status message would occur.
ZigBee Tx Status
API 0x8B FrameID 0x01 16DestAddr 0xFFFE
Transmit Retries 0x00 Delivery Status 0x00 Discovery Status 0x00 Success
XBee/XBee-PRO ZigBee RF Modules User Guide99
Commissioning Pushbutton and Associate LED
View Group
The purpose of the View Group command is to get the name string which is associated with a particular endpoint
and groupID.
The intent of the example is to get the name string associated with the endpoint E7 and groupID 1234.
The packet is addressed to the local node, using a source endpoint of 0xE6, clusterID of 0x0006, and profileID of
0xC105. The destination endpoint E7 is the endpoint parameter for the “View Group” command.
ZCL_header = “01 ee 01"
The first field is a frame control field which specifies a Cluster Specific command (0x01) using a Client->Server
direction(0x00). The second field is a transaction sequence number which is used to associate the response with
the command request. The third field is the command identifier “View Group” (0x01) [5].
ZCL_payload = “3412”
The two byte value is the groupID in little-endian representation.
API 0x91 64DestAddr 0x0013A2004047B55C 16DestAddr 0xFFFE SrcEP 0xE7 DestEP 0xE6
ClusterID 0x8006 ProfileID 0xC105 Options 0x00
RF_Data 0x09EE010034120441424344
The response in terms of Preamble, ZCL Header, and ZCL payload:
Preamble = “910013a2004047b55cfffee7e68006c10500”
The packet has its endpoint values reversed from the request, and the clusterID is 0x8006 indicating a Group
cluster response.
ZCL_header = “09 ee 01"
The first field is a frame control field which specifies a Cluster Specific command (0x01) using a Server->Client
direction (0x08). The second field is a transaction sequence number which is used to associate the response with
the command request. The third field is the command identifier “View Group” (0x01) [6].
ZCL_payload = “00 3412 0441424344"
The first byte is a status byte (SUCCESS=0x00)[6][4]. The next two bytes hold the groupID (0x1234) in little-endian
form. The next byte is the name string length (0x04). The remaining bytes are the ASCII name string characters
(“ABCD”).
And here is the decoded second message, which is a Tx Status for the original command request. If the FrameId
value in the original command request had been zero, or if no space was available in the transmit UART buffer,
then no Tx Status message would occur.
ZigBee Tx Status
XBee/XBee-PRO ZigBee RF Modules User Guide100
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.