I cannot do a secure inclusion of my Aeotec Smart Switch 6. Each time when I try, the Smart Switch will be included ‘non secure’. I.e. the inclusion is successful but security is not used.
For inclusion, as the manual says, I press the action button of the Smart Switch 6 two times within 1 second. I tried several times without success.
I am using the current openHAB 2.4 with the ‘normal’ zwave binding 2.4.0. Part of the openHABian installation on a Raspberry Pi.
The “Secure Inclusion Mode” is set to “All Devices”.
I upgraded the firmware of the Smart Switch 6 to version 1.1.
From the log (inclusion as node 42):
2019-02-20 15:33:18.969 [DEBUG] [alization.ZWaveNodeInitStageAdvancer] - NODE 42: Node advancer - advancing to SECURITY_REPORT
2019-02-20 15:33:18.973 [DEBUG] [alization.ZWaveNodeInitStageAdvancer] - NODE 42: SECURE command class not supported
Also, there is no SECURE command class in AddNodeToNetwork ADD_NODE_STATUS_ADDING_SLAVE.
A few remarks:
The Smart Switch 6 communicates via another device with the controller (routing). Controller is an Aeotec Z-Stick Gen 5 ZW090.
Prior to inclusion I made a reset of the device. I think it not possible to do an exclusion ‘network wide’ (yet). Ok, unplugging the controller for the exclusion would have been possible too.
Further, I did not manage to do a secure inclusion for other devices too: I included a Qubino Flush Dimmer (ZMNHDD), again: “SECURE command class not supported”
What could be a reason why secure inclusion does not work for me?
From your log and according to the device db, this device does not support the SECURITY CC. So, you will not be able to securely include it. Devices need to support this command class to be securely included. Check to make sure that the other devices you were having trouble with also support it. But even if they do, consider why you would want this and the impact. Using secure devices in your network will slow things down, not just to those devices, but the entire network, since there are more and larger packets being used. For entry points it makes sense, but would it really matter if someone hacked your light switch? It’s your decision to make… just want to be sure you had all the info.
Select the controller, preferrably in Habmin, and you’ll find an exclude devices option. This will route, same as discovery.
For the Smart Switch 6 (ZW096):
I see, the SECURITY command class is not included in the device db. The attached user manual documents in section 1.3 that there is the “COMMAND_CLASS_SECURITY V1”. I’d guess that this command class should be sent when secure inclusion on the device shall be done (i.e. pressing the action button 2 times.)
For the Qubino Flush Dimmer (ZMNHDD):
Also here: the SECURITY command class is not included in the device db. But also here the attached user manual documents that the “COMMAND_CLASS_SECURITY” is supported.
If the SECURITY command class was added to the device db, would the secure inclusion work then?
If yes: in the good old days it was possible to manually patch the device db in the zwave jar file. Could I do such a manual patch in the zwave jar file and check if it works?
No, it will still securely include. The device db is only really used for setting up the Channels, but it doesn’t look like there are any additional command classes made available when it is securely included. So nothing should be needed in the db, other than to update it for completeness (SECURITY CC, double press for secure pairing, etc.).
Try bringing the device close to the controller when doing a secure inclusion. Close as in as close as you can… even touching. The documentation for the zwave binding details this. And be sure to exclude it first. Some devices are not excluded after a reset, but IIRC Aeon devices do.
One thing I noticed after a quick look at the log (and I’m certainly not the expert in secure inclusion)…
I thought the device was supposed to send a secure NIF, which the binding would interpret to mean that it should start secure inclusion. I didn’t see the device send the secure NIF (it looked like the normal non-secure NIF).
Maybe try different variations of the “Short press 2 times” (e.g. rapid double press, slow double press, etc.).
Also, before trying secure inclusion again, try doing a factory reset of the device after excluding it from the network.
When I tap very quick, then the device starts secure inclusion! The LED frame does then blick in blue colour (non-secure inclusion: blink in green).
I need to tap so fast that only one ‘click’ sound is hearable when pressing the action button twice. Before, I tapped such that two ‘click’ sounds were hearable, which obviously was too slow.
When tapping fast enough, then AddNodeToNetwork ADD_NODE_STATUS_ADDING_SLAVE NODE does contain the SECURITY command class. And then the secure inclusion is started by the zwave binding.
“Close to controller”
Putting the device close to the controller solved the exclusion problem: when the device is close to the controller then the exclusion via habmin does work! The exclusion does not work when the device is ‘far’ from the controller.
Now, here are the problems:
After some time the device did not react to commands any more (log for Node 50 and Node 255). I had to unplug the device and plug in again to make it work again.
Is your controller in Network Wide Inclusion mode? I’ve definitely been able to exclude from across the house and out in the detached garage… so it’s definitely possible!
Yes, but you can probably get this started with a few manual heals. In Habmin, select the device, then Tools (top right corner of screen)> Advanced> Heal. Another consideration though, is whether you have other devices in the mesh that can route for a secure devices. They would need Beaming.
The controller is in “Network Wide Inclusion”. I tested several times at the ‘far’ location: inclusion is possible, exclusion not.
The reason will probably be (“Z-Wave 500 Series Appl. Programmers Guide v6.71.03”, section 4.4.21 ZW_RemoveNodeFromNetwork):
ZW_RemoveNodeFromNetwork is used to remove a node from a Z-Wave network. It is also possible to
perform out-of-range removal of nodes from the network when repeater nodes are capable of forwarding
the new network wide exclusion (NWE) frame. It is not possible to perform out-of-range removal of nodes > based on a SDK older than SDK 6.61.xx.
The “Aeon Labs Smart Switch 6 Engineering Specifications and Advanced Functions for Developers” version 7 documents “SDK: 6.51.06”
I tried several manual “Heals” on the device; until now without improvement: the log is full of messages such as “SECURE ERROR NONCE ID invalid! 119<>-89”.
“Beaming”? I thought that is only needed for battery powered devices? The zw096 is a mains powered switch device (always plugged into the 230V socket). Anyway, the devices that are used for routing support beaming.
I think I will just wait for the nightly heal and then report again.
