Discovery of modules in a DigiMesh

Hello there,
In my application I am trying to implement network discovery functionality. I am working in a DigiMesh and I would like to find all nodes in the network. For testing purposes I have used XCTU with console connected.

In XCTU I was connected using UART to a device with MAC address 0x0013A2004125E0F5. The other RF module I found in the network was 0x0013A20040FCDD56.

I was trying to trace back what XCTU did in order to find this one module. Here is the console session of the discovery:

07-21-2017 12:38:32.351,-,API,“NODE2,0013A2004125E0F5,XBee Pro DigiMesh 2.4,8073,COM9 - 9600/8/N/1/N,3”

07-21-2017 12:32:13.635,0,SENT,7E0004085B4E54FA
07-21-2017 12:32:13.661,1,RECV,7E0007885B4E54000082F8
07-21-2017 12:32:13.699,2,SENT,7E000408024E4463
07-21-2017 12:32:26.036,3,RECV,7E001E88024E4400FFFE0013A20040FCDD56204E4F44453300FFFE0100C105101E57
07-21-2017 12:32:26.050,4,SENT,7E000F175C0013A20040FCDD56FFFE02523FD8
07-21-2017 12:32:26.106,5,RECV,7E000F975C0013A20040FCDD56FFFE523F0258
07-21-2017 12:32:26.120,6,SENT,7E000F175D0013A20040FCDD56FFFE02254300
07-21-2017 12:32:26.186,7,RECV,7E0010975D0013A20040FCDD56FFFE2543000181
07-21-2017 12:32:26.200,8,SENT,7E000F175E0013A20040FCDD56FFFE024856C9
07-21-2017 12:32:26.256,9,RECV,7E0011975E0013A20040FCDD56FFFE485600184CE7
07-21-2017 12:32:26.270,10,SENT,7E000F175F0013A20040FCDD56FFFE025652BE
07-21-2017 12:32:26.337,11,RECV,7E0011975F0013A20040FCDD56FFFE56520080734D
07-21-2017 12:32:26.352,12,SENT,7E000F17600013A20040FCDD56FFFE024150D4
07-21-2017 12:32:26.407,13,RECV,7E001097600013A20040FCDD56FFFE4150000056

Pastebin here for clarity: https://pastebin.com/kCgNWxJ4

If I understand correctly the procedure went like this:

  • XCTU sets NT (13 seconds) for my device
  • XCTU sets (The network discovery starts)
  • Answer for ND comes. Here I don't know how to decode the AT command parameter:

FF FE ---- 00 13 A2 00 41 25 E0 AB ---- 20 4E 4F 44 45 31 00 FF FE 01 00 C1 05 10 1E

I see clearly that there is the mac address of the found device in there, but what are the other bytes, what do they stand for? Also what would happen if more than one device would be found?

  • XCTU sends R? (to remote device) and receives an invalid command answer. What is the R? AT command? I cannot find it in the DigiMesh datasheet.
  • XCTU sends %C (to remote device) and gets the answer but here as well I cannot find what is %C command.

At the end XCTU read the hardware and software version from the external device and sets the API mode.

To summarize: What are “R?” and “%C” AT commands and what is the format of ND response? How to decode found devices? I would appreciate all help.

PS: I am using XBee PRO S1 modules.

The ND reports the following data:

PARENT_NETWORK ADDRESS (2 Bytes) (always 0xFFFE)

PARENT_NETWORK ADDRESS (2 Bytes)

DEVICE_TYPE (1 Byte: 0 = Coordinator, 1 = Router, 2 = End Device)

STATUS (1 Byte: Reserved)

PROFILE_ID (2 Bytes)

MANUFACTURER_ID (2 Bytes)

DIGI DEVICE TYPE (4 Bytes. Optionally included based on NO settings.)

RSSI OF LAST HOP (1 Byte. Optionally included based on NO settings.)

But your explanation doesn't consist of MAC address and Device ID and they are there. From what I can tell it is like this:

PARENT_NETWORK ADDRESS (2 Bytes) (always 0xFFFE)
MAC_ADDRESS (8 bytes)
DEVICE_ID (max 20 bytes)

And I don't know what the rest of the bytes are. Can you relate to this?

7E001E88024E4400FFFE0013A20040FCDD56204E4F44453300FFFE0100C105101E57 strips down to:

FF FE 00 13 A2 00 40 FC DD 56 20 4E 4F 44 45 33 00 FF FE 01 00 C1 05 10 1E

which is as follows:

PARENT_NETWORK ADDRESS FFFE
64 bit address 00 13 A2 00 40 FC DD 56
network address DD 56
DEVICE_TYPE 20
STATUS 4E
PROFILE_ID 4F 44
MANUFACTURER_ID
DIGI DEVICE TYPE (4 Bytes. Optionally included based on NO settings.) 00 FF FE 01
RSSI OF LAST HOP (1 Byte. Optionally included based on NO settings.) 00

I think I see the issue, you are using Explicit frames. That is going to add a few bytes that are NOT documented in the data frame. Items such as Source and destination end points, Profile ID (C015) and a few others.

So to sum this up, what would be the exact schema? Because it still does not match. Device ID comes right after MAC. This still doesn't seem right. Please take a look again at the whole frame:

7E 00 1F 88 5E 4E 44 00 FF FE 00 13 A2 00 41 25 E0 B6 4E 4F 44 45 31 32 33 00 FF FE 01 00 C1 05 10 1E 2B

Here I have stripped it byte by byte: https://pastebin.com/15vpfX0E

There are 8 unknown bytes.

Field                     Offset                Value
64-bit source address     4 (MSB) - 11 (LSB)    0x00 0x13 0xA2 0x00 0x40 0x74 0x02 0xAC
Reserved                  12 - 13               0xFF 0xFE
Receive options           14                    0xC2
Reserved                  15 - 16               0xFF 0xFE
64-bit remote address     17 (MSB) - 24 (LSB)   0x00 0x13 0xA2 0x00 0x40 0x74 0x02 0xAC
NI string                 25 - 26               0x20 0x00
Reserved                  27 - 28               0xFF 0xFE
Device type               29                    0x01
Source event              30                    0x01
Digi Profile ID           31 - 32               0xC1 0x05
Digi Manufacturer ID      33 - 34               0x10 0x1E
Digi DD value (optional)  35 - 38               0x00 0x0C 0x00 0x00
RSSI (optional)           39                    0x2E
Checksum                  40                    0x33

Could you please reformat?

Could you please reformat your answer? It got messed up.

FF FE Parent network address
00 13 A2 00 41 25 E0 B6 64 bit address
4E 4F 44 45 31 32 33 00 Possible NI value
FF FE network address
01 Device type
00 Status
C1 05 Profile ID
10 Manufacture ID
1E RSSI

Thank you for the answer, are the additional fields described anywhere?
If I understand correctly device type stands for router, API or end device?
I guess status 0x00 is OK, but what are the other flags?
I don't know what a profile ID is.
Is manufacture ID fixed?
The RSSI is the strength of which message exactly? The last received by the sender of this frame?
Thank you so far, I would appreciate further help.

Yes the profile ID and Manufacture ID fields are fixed. They are all for Zigbee applications and carried over for compatibility.
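
Added example, not part of the thread and not Digi's or XCTU's code: a Python decoder for the two ND response frames quoted above. It checks the start delimiter, length and checksum before reading any field, since the payload arrives over RF. Assumptions: unescaped API mode, the field order and 2-byte Profile ID / Manufacturer ID widths listed in the thread, and optional DD (4 bytes) then RSSI (1 byte) at the end.

```python
import struct

# Both frames are copied from the thread (ND responses naming " NODE3" and "NODE123").
FRAME_A = "7E001E88024E4400FFFE0013A20040FCDD56204E4F44453300FFFE0100C105101E57"
FRAME_B = ("7E 00 1F 88 5E 4E 44 00 FF FE 00 13 A2 00 41 25 E0 B6 4E 4F 44 45 "
           "31 32 33 00 FF FE 01 00 C1 05 10 1E 2B")
DEVICE_TYPES = {0: "coordinator", 1: "router", 2: "end device"}

def parse_nd_response(frame_hex):
    """Validate one unescaped API frame and decode its ND response payload."""
    raw = bytes.fromhex(frame_hex)  # fromhex() ignores the spaces in FRAME_B
    if len(raw) < 4 or raw[0] != 0x7E:
        raise ValueError("missing 0x7E start delimiter")
    (length,) = struct.unpack(">H", raw[1:3])
    if len(raw) != length + 4:  # delimiter + 2 length bytes + checksum
        raise ValueError("length field does not match frame size")
    data, checksum = raw[3:-1], raw[-1]
    if (sum(data) + checksum) & 0xFF != 0xFF:
        raise ValueError("bad checksum")
    if length < 5 or data[0] != 0x88 or data[2:4] != b"ND":
        raise ValueError("not an AT command response for ND")
    if data[4] != 0x00:
        raise ValueError("AT command status 0x%02X" % data[4])
    body = data[5:]
    if len(body) < 10:
        raise ValueError("truncated ND payload")
    node = {"frame_id": data[1],
            "addr16": body[0:2].hex().upper(),    # FFFE in both frames
            "addr64": body[2:10].hex().upper()}
    end = body.find(b"\x00", 10)  # NI is a NUL-terminated, variable-length string
    if end < 0:
        raise ValueError("NI string is not NUL-terminated")
    node["ni"] = body[10:end].decode("ascii", errors="replace")
    tail = body[end + 1:]
    if len(tail) < 8:
        raise ValueError("truncated fields after NI")
    parent, dev_type, status, profile, manuf = struct.unpack(">HBBHH", tail[:8])
    node.update(parent=parent, device_type=DEVICE_TYPES.get(dev_type, dev_type),
                status=status, profile_id=profile, manufacturer_id=manuf)
    extra = tail[8:]  # optional fields, present depending on the NO setting
    if len(extra) >= 4:
        node["dd"], extra = extra[:4].hex().upper(), extra[4:]
    if extra:
        node["rssi"] = extra[0]
    return node

if __name__ == "__main__":
    for frame in (FRAME_A, FRAME_B):
        print(parse_nd_response(frame))
```
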