After bonding, I receive write events from the central, but after reconnecting, the write events no longer come through.

Hi Keigo, 
It seems like the central managed to reconnect so I am not sure why the write command was not sent. 
My suggestion is to use a sniffer to capture the communication. This would give us more insight of what could be wrong. You may have issue decrypting the paired connection with the sniffer if you secure connection, but you may consider turn off pairing for the test. 

Please double check the code of the central to see if it actually send the write command on the 2nd connection or not. 

Dear Mr. Hung Bui,

Thank you very much for responding to my inquiries!

Is it possible to communicate with the Central without pairing by turning off pairing?

Also, since the Central receives finished products from the trading company and is not involved in the internal software, I have no knowledge of it.
Furthermore, it seems that there are other companies creating peripherals that collaborate with this Central using Nordic.

However, before using Nordic chips, I successfully communicated with the Central using a peripheral with Linux's BlueZ.
At that time, even after reconnecting, the write events were received properly.
Therefore, it seems there may be an issue with the peripheral I am trying to implement with Nordic this time.

Thank you for your assistance.

Hi Keigo-san, 

If you don't have control over the central device then it may not be possible to turn off pairing. 
One option is to get the LTK out from the peripheral and then input that to the sniffer so that the sniffer can decrypt the connection. 

I don't see any problem from the peripheral side. The central reconnected after the power reset. And then the link was re-encrypted, so everything looks normal at that point. The question is why the central didn't send any write command. 

Hello Mr. Hung Bui,

I am currently in the process of ordering the Sniffer.
It is expected to arrive sometime this week. Before that, I have a few questions.

1. After the bonding process is completed, what function in the nRF SDK should be used to retrieve the LTK from the peripheral? Also, considering that my PC is a MacBook, would Wireshark be suitable for the tools?

2. I am not confident that my peripheral-side implementation is flawless.
   I have some questions regarding the implementation.
   In the case of LE Secure Connection + Just Works pairing method, what actions should the application take in response to PM_EVT_CONN_SEC_PARAMS_REQ, BLE_GAP_EVT_SEC_PARAMS_REQUEST, and BLE_GAP_EVT_SEC_INFO_REQUEST events?
   Currently, based on various samples, my application is merely detecting events without taking any action.
   
   

   case BLE_GAP_EVT_SEC_PARAMS_REQUEST: {
           ble_gap_evt_sec_params_request_t const* p_sec_params_request = &p_ble_evt->evt.gap_evt.params.sec_params_request;
           NRF_LOG_INFO("BLE_GAP_EVT_SEC_PARAMS_REQUEST");
           UNUSED_PARAMETER(p_sec_params_request);
       } break;
   
   case BLE_GAP_EVT_SEC_INFO_REQUEST: {
           ble_gap_evt_sec_info_request_t const* p_sec_info_request = &p_ble_evt->evt.gap_evt.params.sec_info_request;
           NRF_LOG_INFO("BLE_GAP_EVT_SEC_INFO_REQUEST");
           UNUSED_PARAMETER(p_sec_info_request);
       } break;
       
   case PM_EVT_CONN_SEC_PARAMS_REQ: {
           pm_conn_sec_params_req_evt_t const* p_conn_sec_params_req = &p_evt->params.conn_sec_params_req;
           NRF_LOG_INFO("PM_EVT_CONN_SEC_PARAMS_REQ");
           UNUSED_PARAMETER(p_conn_sec_params_req);
       } break;

   
   
   

3. When BLE_GAP_EVT_CONN_PARAM_UPDATE is received, is there anything specific that the peripheral should do?

Thank you.

Hi Mr. Bung Bui-San.

LTK, but if I do the following, will the BLE_GAP_EVT_AUTH_STATUS event get a value for s_gap_sec_key?

When I want to see encrypted packets in sniffer,
Is it enough to know the LTK?

case BLE_GAP_EVT_SEC_PARAMS_REQUEST: {
        ble_gap_evt_sec_params_request_t const* p_sec_params_request = &p_ble_evt->evt.gap_evt.params.sec_params_request;
        NRF_LOG_INFO("BLE_GAP_EVT_SEC_PARAMS_REQUEST");
        // BLE_GAP_EVT_AUTH_STATUS -> insert to s_gap_sec_key
        sd_ble_gap_sec_params_reply(p_ble_evt->evt.gap_evt.conn_handle, BLE_GAP_SEC_STATUS_SUCCESS, &p_sec_params_request->peer_params, &s_gap_sec_key);
        UNUSED_PARAMETER(p_sec_params_request);
    } break;


case BLE_GAP_EVT_AUTH_STATUS: { // pairing complete event
        ble_gap_evt_auth_status_t const* p_auth_status = &p_ble_evt->evt.gap_evt.params.auth_status;
        // success pairing
        if (p_auth_status->auth_status == BLE_GAP_SEC_STATUS_SUCCESS) {
            NRF_LOG_INFO("BLE_GAP_EVT_AUTH_STATUS: Pairing Success!!");
            if (p_auth_status->bonded) {
                NRF_LOG_INFO("bonded:0x%x, kdist_own:0x%x kdist_peer:0x%x", p_auth_status->bonded, *(uint8_t*) (&p_auth_status->kdist_own), *(uint8_t*) (&p_auth_status->kdist_peer));
                NRF_LOG_INFO("own ltk:");
                NRF_LOG_HEXDUMP_INFO(s_gap_sec_key.keys_own.p_enc_key->enc_info.ltk, s_gap_sec_key.keys_peer.p_enc_key->enc_info.ltk_len);
                NRF_LOG_INFO("peer ltk:");
                NRF_LOG_HEXDUMP_INFO(s_gap_sec_key.keys_peer.p_enc_key->enc_info.ltk, s_gap_sec_key.keys_peer.p_enc_key->enc_info.ltk_len);
            }
            // error??
            else {
                NRF_LOG_ERROR("No bonded:0x%x", p_auth_status->bonded);
            }
        }
        // failed pairing
        else {
            NRF_LOG_ERROR("BLE_GAP_EVT_AUTH_STATUS: Pairing Failed!! resaon:0x%x", p_auth_status->auth_status);
        }

Hi Keigo, 

keigo.imaizumi said:

LTK, but if I do the following, will the BLE_GAP_EVT_AUTH_STATUS event get a value for s_gap_sec_key?

It's been a long time since I tested the LTK with nRF5 SDK and the sniffer but as far as I know the ltk key when you receive BLE_GAP_EVT_AUTH_STATUS  is the one that you should input to the sniffer. I am not so sure it should be own or peer key, I think it depends on which key is agreed when the 2 device pair. The sniffer trace (before encryption) should tell which key should be used. 

This same key will be re-used when the 2 re-connect. You can check that in the peer manager in the peripheral when they reconnect. 

Regardless if you can decrypt the encrypted link, please try to capture the sniffer trace, at least we can check if they can re-pair properly or not. 

From the log I don't see any problem with your peripheral regarding re-encryption the link. 

Hello, Hung Bui-San.

I can now see communication between Central and Peripheral using the sniffer.

However, I'm getting the error "Encrypted packet decrypted incorrectly (bad MIC)." Is there a solution?
I dumped the LTK "00 04 00 20 01 0a 00" in the lower left of the image and entered it into WireShark as SC LTK with 0x00040020010a00 (or in MSB),
but it didn't work.

Hello, Hung Bui-San.

I can now see communication between Central and Peripheral using the sniffer.

However, I'm getting the error "Encrypted packet decrypted incorrectly (bad MIC)." Is there a solution?
I dumped the LTK "00 04 00 20 01 0a 00" in the lower left of the image and entered it into WireShark as SC LTK with 0x00040020010a00 (or in MSB),
but it didn't work.

Hi Keigo, 

You would need to input the key and then try to capture a new connection (with the 2 same device, they will re-use the LTK). 

Could you send us your sniffer trace , even though it has "Encrypted packet decrypted incorrectly (bad MIC)." Both when you first bond the 2 devices and when you re-connect. 

I will send a packet sniffer.

No. 2358 is the first connection and bonding. No. 2682 marks the beginning of a reconnection. If there are any suspicious points, your guidance would be greatly appreciated! I've been struggling with this issue for days and haven't been able to resolve it.

Hi Keigo, 
I don't see anything suspicious from the sniffer trace. 
It seems that the re-encryption worked properly and the 2 devices managed to re-connect and re-pair with no problem. 
The question, I guess, is why the central doesn't want to send the write request on reconnection. If the link can be decrypted it would be much easier to inspect. 
Please make sure you type the key and click the arrow button after you enter it. 

If your central accept legacy pairing you can try disable LESC and only do legacy pairing, this way the sniffer can automatic decrypt Just Work encryption without you providing the key. 

Hello Mr. Hung Bui,

I'm sorry, but I'm not sure how to obtain the key.
I'm a beginner when it comes to bonding.
Could you please provide guidance on how to obtain the key?
By the way, is the key you mentioned the public key that appears in the sniffer? (Is it either x or y?)

Also, what type of key should be set in WireShark? (The part where you choose SC LTK or SC Private Key, etc.)
I apologize for the basic nature of these questions, as this is my first time delving into protocol analysis. Your guidance would be greatly appreciated!

Thank you.

Hi Keigo, 
I will try to do the test here but if you take a look at the documentation you can find the instruction: 
https://infocenter.nordicsemi.com/index.jsp?topic=%2Fug_sniffer_ble%2FUG%2Fsniffer_ble%2Faction_bonded.html

I think what you did was correct but for some reason it didn't work. I will check