Decoding ANCS service discovery using sniffer.

Hi,

We are trying to implement the Apple Notification Center Service (ANCS) on a custom board, and we came across your implementation.

We tried to sniff the discovery procedure using Wireshark, and we are getting an "Encrypted packet decrypted incorrectly (bad MIC)" error in the Wireshark logs.

We started the sniffer from the very beginning, that is, we were sniffing the board before pairing, and even then we get the above error message.

Can anyone please guide us on how to decrypt these packets, as it may help us replicate the procedure on our end too.

We are new to the Wireshark tool and sniffer terminology, so please help us with how to use Wireshark and supply the passkey to decrypt these packets.

Parents Reply
  • Hi Vidar,

    Thank you for the quick response.

    I see the key in the debug log after enabling the macro you provided.

    <inf> bt_keys: SC LTK: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    

    The thing is, it is not a static key; the key changes each time.

    Is there any Kconfig parameter to use a static key instead?

    Or how do I decrypt in Wireshark if this is the case? I see that the sniffing link you provided does not have information on how to sniff pairing info if an SC LTK key is used.

    Please guide me through this,

Children
  • Hi,

    The documentation I linked to instructs you to input the SC LTK before pairing is initiated:

    For connections that use LE Secure Connections with a private key:
    Before the devices initiate pairing, select SC Private Key as input key and type the 32-byte Diffie-Hellman private key of your device in big-endian, hexadecimal format with a leading "0x" into the input field in Wireshark.
    Initiate pairing between the devices if it does not happen automatically.

  • Correct. 

    Can you please guide me on where we can get that SC Private Key?

    I do not see this in the debug log.

  • You stated earlier that you could see the key from the debug log.

    I see the key in the debug log after enabling the macro you provided.

    Did something change?

  • Nothing changed.

    Let me explain,

    I am getting the SC LTK key in the debug log, and this is changing every time.

    So I cannot apply the key before starting the sniffer and the pairing process.

    Once the device is bonded, in debug mode I get the static key, which I can use for decrypting the packets received after bonding.

    But I need those pairing data exchanges because during the pairing process I am getting an insufficient authentication error on my custom board.

    I am trying to replicate the pairing process as in NRF, so decrypting the pairing info is what I am focusing on now.

    I read that once the device is bonded with its peer, it does not initiate pairing again on reconnection, so I can only get the pairing info before bonding.

    Below is my test procedure:

    1. Remove bonding info if any.
    2. Start debug logging. (key is not displayed in the log yet)
    3. Start sniffer.
    4. Try to pair with iphone.
    5. After the connection is made, I get the pop-up on the iPhone to pair.
    6. I click on pair, and this is when the key is displayed in the debug log.
    7. The sniffer did not get the key during this stage and it shows the error: "Encrypted packet decrypted incorrectly (bad MIC)"
    8. I disconnect my iPhone.
    9. Restart the NRF-DK; I now get the static SC LTK debug key.
    10. Copy and paste the key into Wireshark as mentioned.
    11. Connect iPhone and test notifications.
    12. Wireshark can decrypt all the packets.

    From the above test I was able to get only notification packet format.

    I did not get pairing packet exchange. Please let me know if I am doing anything wrong.

    Thank you for quick responses. Appreciate your support.

  • Hi,

    I tested it here to make sure I was not missing anything and it turns out that CONFIG_BT_LOG_SNIFFER_INFO=y will actually print the Long Term Encryption Key (LTK), which is the key used for encryption, not the SC private key used to compute this key during the pairing exchange. With this LTK, the sniffer should be able to decrypt all connections with the given peer device.

    I am getting the SC LTK key in the debug log, and this is changing every time.

    The LTK should remain the same across connections if the devices were bonded. Does the log say "bonded: 1" when you perform the initial pairing (as shown here)?
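
An added example, not code from Nordic, Wireshark or anyone in this thread, of what the sniffer does with the LTK typed into Wireshark: derive the session key SK = AES-128(LTK, SKDm || SKDs) from the diversifiers exchanged in LL_ENC_REQ/LL_ENC_RSP, build the 13-byte CCM nonce from the packet counter, direction bit and IV, CTR-decrypt the payload and recompute the 4-byte MIC. If the key typed in is not the one the link was encrypted with (for instance an LTK copied from the log before a fresh pairing replaced it), the recomputed MIC does not match and the packet is reported exactly as the "bad MIC" seen above. CCM is implemented here per RFC 3610 on top of Go's crypto/aes with the BLE parameters (4-byte MIC, 2-byte length field). Assumptions: the concatenation order SKDm before SKDs and IVm before IVs, and handing the values to AES in the order written (on-air fields are little-endian, so values lifted from a real capture may need byte reversal), follow my reading of the Core spec and should be checked against Vol 6, Part B before being relied on; every key, SKD, IV and payload value is constructed, and the function names (sessionKey, llNonce, ctr, mic, sniffPDU) are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

const micLen = 4 // BLE link-layer CCM: 4-byte MIC, 2-byte length field (L=2), 13-byte nonce

// sessionKey derives SK = AES-128(LTK, SKDm || SKDs), the diversifiers from LL_ENC_REQ/RSP.
// ASSUMPTION: inputs are already in the order the AES core consumes (on-air order is LE).
func sessionKey(ltk, skdm, skds []byte) ([]byte, error) {
	block, err := aes.NewCipher(ltk)
	if err != nil || len(skdm) != 8 || len(skds) != 8 {
		return nil, errors.New("ltk must be 16 bytes, skdm and skds 8 bytes each")
	}
	sk := make([]byte, 16)
	block.Encrypt(sk, append(append([]byte{}, skdm...), skds...))
	return sk, nil
}

// llNonce: 39-bit packet counter (little-endian) with the direction bit in the MSB of
// byte 4, then IV = IVm || IVs (ASSUMPTION on field order, see lead-in).
func llNonce(counter uint64, centralToPeripheral bool, ivm, ivs []byte) []byte {
	n := make([]byte, 16) // PutUint64 needs 8 bytes; only the low 5 are kept
	binary.LittleEndian.PutUint64(n, counter&(1<<39-1))
	if centralToPeripheral {
		n[4] |= 0x80
	}
	copy(n[5:9], ivm)
	copy(n[9:13], ivs)
	return n[:13]
}

// ctr XORs data with keystream blocks S_i = AES(SK, L-1 || nonce || i), i = from, from+1, ...
// The payload uses S_1, S_2, ...; the MIC is masked with S_0 (from = 0).
func ctr(block cipher.Block, nonce, data []byte, from uint16) []byte {
	out := make([]byte, len(data))
	for i := range data {
		if i%16 == 0 {
			a := append(append([]byte{1}, nonce...), 0, 0) // A_i = flags(L-1) | nonce | i
			binary.BigEndian.PutUint16(a[14:], from+uint16(i/16))
			block.Encrypt(a, a)
			copy(out[i:], a)
		}
		out[i] ^= data[i]
	}
	return out
}

// mic: RFC 3610 CBC-MAC over B_0, the length-prefixed AAD block and the zero-padded plaintext,
// masked with S_0. BLE's AAD is the header octet with NESN, SN and MD cleared (mask 0xE3).
func mic(block cipher.Block, nonce []byte, header byte, pt []byte) []byte {
	x := append(append([]byte{0x49}, nonce...), 0, 0) // B_0: Adata=1, M'=1, L'=1 | nonce | len
	binary.BigEndian.PutUint16(x[14:], uint16(len(pt)))
	block.Encrypt(x, x)
	absorb := func(b []byte) { // CBC-MAC one block, zero-padded past len(b)
		for i := 0; i < 16 && i < len(b); i++ {
			x[i] ^= b[i]
		}
		block.Encrypt(x, x)
	}
	absorb([]byte{0, 1, header & 0xE3}) // 2-byte AAD length, then the AAD itself
	for off := 0; off < len(pt); off += 16 {
		absorb(pt[off:])
	}
	return ctr(block, nonce, x[:micLen], 0)
}

var ( // constructed sample values, not taken from any real capture
	ltk, staleLTK        = []byte("constructed-LTK!"), []byte("stale-LTK-from-B")
	skdm, skds, ivm, ivs = []byte("SKDm-cen"), []byte("SKDs-per"), []byte("IVm!"), []byte("IVs!")
	payload, txHeader    = []byte("ANCS notification"), byte(0x02) // LLID=10, NESN/SN/MD clear
)

// sniffPDU encrypts one central-to-peripheral PDU under skOnAir, then does what the sniffer
// does with the key typed into Wireshark: CTR-decrypt under skTyped, recompute the MIC, compare.
func sniffPDU(skOnAir, skTyped []byte, rxHeader byte) ([]byte, error) {
	tx, errA := aes.NewCipher(skOnAir)
	rx, errT := aes.NewCipher(skTyped)
	if errA != nil || errT != nil {
		return nil, errors.New("session keys must be 16 bytes")
	}
	nonce := llNonce(0, true, ivm, ivs)
	ct, tag := ctr(tx, nonce, payload, 1), mic(tx, nonce, txHeader, payload)
	pt := ctr(rx, nonce, ct, 1)
	if subtle.ConstantTimeCompare(mic(rx, nonce, rxHeader, pt), tag) != 1 {
		return nil, errors.New("encrypted packet decrypted incorrectly (bad MIC)")
	}
	return pt, nil
}
```

Only the LLID and the upper three header bits are covered by the MIC (the AAD is the header byte masked with 0xE3), so NESN, SN and MD can differ between the sender and the sniffer without breaking the check, while any other difference, above all a wrong SK, produces the bad-MIC error. Note also that the LTK only unlocks traffic after LL_START_ENC: the SMP pairing request/response, public key and DHKey check PDUs are exchanged before the link layer switches encryption on, so a bad MIC during pairing means the first encrypted packets are being checked against a stale or wrong key, not that the pairing exchange itself is undecryptable.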
