Connection using old pairing information saved

I am running an experiment to use static keys for pairing information without breaking the existing flow of pairing/bonding.
What I am doing is storing the pairing info of my central device in a structure and then erasing the flash to remove that information. After reset I am retrieving the bonding information and connecting again using the same central device, but I am getting a "Peer removed bonding info" response on my phone.

void store_ltk_in_zephyr(void)
{
    int id, err;
    struct bt_keys pairing_info = {
        .addr = {
            .type = BT_ADDR_LE_PUBLIC,
            .a.val = {0x43,0x82,0x5E,0xC7,0xE8,0xF4,0xFD}
        },
        .irk = {0x8A, 0x27, 0x1E, 0xA7, 0x92, 0x2A, 0xF0, 0x15, 0x41, 0x69, 0x48, 0xDD, 0xC0, 0x7E, 0xDD, 0xF7},
        .ltk = {
            .val = {0xc0, 0xe6, 0x9a, 0x0a, 0xf7, 0x4b, 0xdc, 0xb7, 0x7d, 0x23, 0xf4, 0xb4, 0x89, 0x8d, 0x96, 0x02},
            .ediv = {0x00,0x00},
            .rand = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
        }
    };

    // Store the keys using the settings API
    err = bt_keys_store(&pairing_info);
    if (err) {
        printk("Failed to store keys (err %d)\n", err);
    } else {
        printk("Keys stored successfully\n");
    }
}


In main, I am calling it like this to load the info onto the flash:

    settings_subsys_init();
    //smp_bt_register();
    bt_conn_auth_cb_register(&auth_cb_display);
    bt_conn_auth_info_cb_register(&conn_auth_info_callbacks);
    err = bt_enable(NULL);
    if (err) {
        printk("Bluetooth init failed (err %d)\n", err);
        k_sleep(K_MSEC(100));
        err = bt_enable(NULL);    // Trying one more time, after this system reset
        if (err) NVIC_SystemReset();
    }
    store_ltk_in_zephyr();
    if (IS_ENABLED(CONFIG_SETTINGS)) {
        settings_load();
    }


And on connect I am using like this-
  bt_conn_set_security(conn, BT_SECURITY_L1|BT_SECURITY_FORCE_PAIR);


Do let me know, how can I connect with the same bonding info which I have made a copy of from the same bonding structure.

  • Hello,

    To troubleshoot this, I recommend you start by enabling CONFIG_BT_LOG_SNIFFER_INFO to have the keys printed on boot. This would help us confirm whether the keys were successfully stored or not.

    Best regards,

    Vidar

  • I am reading the pairing info using nrfjprog --memrd 0xfe000 -n 1024, as I know it's taking the info from the settings page and the address of the page is this -

    Not getting any logs related to bonding on boot using CONFIG_BT_LOG_SNIFFER_INFO.

  • I think my key exchange is failing in le_ltk_request. Inside it, bt_smp_request_ltk is called, which looks for the ediv and rand values and flags like BT_KEYS_LTK_P256 or BT_KEYS_PERIPH_LTK, which in our case is only BT_KEYS_LTK, and hence the callback of bt_conn_security_changed, which disconnects with the security reason being 2, BT_SECURITY_ERR_PIN_OR_KEY_MISSING.

  • Have you tried using BT_KEYS_PERIPH_LTK instead? We lack documentation for these flags as they are intended for internal use within the stack.

  • Yeah I tried that but then the retrieved LTK becomes 0 like this-

    00> [00:00:06.927,886] <dbg> bt_smp: bt_smp_accept: conn 0x20003890 handle 0
    00> [00:00:06.927,917] <dbg> bt_smp: bt_smp_connected: chan 0x20003ce8 cid 0x0006
    00> [00:00:06.928,161] <dbg> bt_keys: bt_keys_find_addr: F4:E8:C7:5E:82:43 (public)
    00> Watchdog is getting fed here : adv 0 and conn 1
    00> [00:00:06.928,863] <dbg> bt_keys: bt_keys_find_addr: F4:E8:C7:5E:82:43 (public)
    00> LTK (reversed for display): 
    00> 6c 53 4d d6 09 e2 6f 7e e2 9d 86 4c d4 f5 7f 63 LTK (reversed for display): 
    00> 64 a4 LTK (reversed for display): 
    00> 52 3b 87 4f 80 65 1d 0e LTK (reversed for display): 
    00> 8a 27 1e a7 92 2a f0 15 41 69 48 dd c0 7e dd f7 [00:00:06.929,748] <inf> bt_keys: Legacy LTK: 0x00000000000000000000000000000000 (peripheral)
    00> Connected
    00> [00:00:07.103,607] <dbg> bt_keys: bt_keys_find: type 32 F4:E8:C7:5E:82:43 (public)
    00> [00:00:07.103,790] <dbg> bt_keys: bt_keys_find: type 1 F4:E8:C7:5E:82:43 (public)
    00> LTK retrieved
    00>  63 7f f5 d4 4c 86 9d e2 7e 6f e2 09 d6 4d 53 6c[00:00:07.193,450] <dbg> bt_smp: bt_smp_disconnected: chan 0x20003ce8 cid 0x0006
    00> [00:00:07.193,786] <dbg> bt_keys: bt_keys_find_addr: F4:E8:C7:5E:82:43 (public)
    00> [00:00:07.193,969] <dbg> bt_keys: bt_keys_find_addr: F4:E8:C7:5E:82:43 (public)
    00> Disconnected (reason 0x13)
     

  • I made a wrong assumption when getting the LTK in the log; after using BT_KEYS_PERIPH_LTK, I should be looking for the peripheral_ltk structure.
    I made the changes for saving the values in this structure and am still facing this issue; attaching the logs.

    00> [00:00:07.677,642] <dbg> bt_smp: bt_smp_accept: conn 0x20003890 handle 0
    00> [00:00:07.677,673] <dbg> bt_smp: bt_smp_connected: chan 0x20003ce8 cid 0x0006
    00> [00:00:07.677,917] <dbg> bt_keys: bt_keys_find_addr: F4:E8:C7:5E:82:43 (public)
    00> Watchdog is getting fed here : adv 0 and conn 1
    00> [00:00:07.678,619] <dbg> bt_keys: bt_keys_find_addr: F4:E8:C7:5E:82:43 (public)
    00> LTK (reversed for display): 
    00> 27 e0 61 11 26 93 bb 5c da b0 e1 2e 44 13 ba eb LTK (reversed for display): 
    00> 8d cd LTK (reversed for display): 
    00> 69 5e 3b bf e1 40 a6 15 LTK (reversed for display): 
    00> 8a 27 1e a7 92 2a f0 15 41 69 48 dd c0 7e dd f7 [00:00:07.679,504] <inf> bt_keys: Legacy LTK: 0x27e061112693bb5cdab0e12e4413baeb (peripheral)
    00> Connected
    00> [00:00:07.846,557] <dbg> bt_keys: bt_keys_find: type 32 F4:E8:C7:5E:82:43 (public)
    00> [00:00:07.846,740] <dbg> bt_keys: bt_keys_find: type 1 F4:E8:C7:5E:82:43 (public)
    00> LTK retrieved
    00>  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[00:00:07.936,401] <dbg> bt_smp: bt_smp_disconnected: chan 0x20003ce8 cid 0x0006
    00> [00:00:07.936,737] <dbg> bt_keys: bt_keys_find_addr: F4:E8:C7:5E:82:43 (public)
    00> [00:00:07.936,920] <dbg> bt_keys: bt_keys_find_addr: F4:E8:C7:5E:82:43 (public)
    00> Disconnected (reason 0x13)

  • While saving the key information with respect to this flag, should I store LTK in pairing_info->ltk and EDIV,RAND in pairing_info->peripheral_ltk structure?

    Not understanding the flow for legacy pairing.
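
Added example, not part of the thread and not Zephyr's own code: a simplified C model of the LTK lookup the posts above describe, where a stored record answers an LTK request only if it carries the LTK_P256 flag (request with zero EDIV/Rand) or the PERIPH_LTK flag (request EDIV/Rand equal to the stored ones). All `m_*` names and the flag value 4 are assumptions of this example; 32 and 1 are the "type" values printed by bt_keys_find in the logs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model types, not Zephyr's own. 32 and 1 are the "type" values
 * printed by bt_keys_find in the logs; 4 for the plain LTK flag is assumed. */
enum { M_PERIPH_LTK = 1, M_LTK = 4, M_LTK_P256 = 32 };

struct m_ltk { uint8_t rand[8], ediv[2], val[16]; };
struct m_keys {
    int keys;                /* bitmask: which key types this record holds */
    struct m_ltk ltk;        /* used for the LTK_P256 (Secure Connections) case */
    struct m_ltk periph_ltk; /* used for the PERIPH_LTK (legacy) case */
};

/* Answer an LTK request: copy the key and return true on a match. */
bool m_request_ltk(const struct m_keys *k, const uint8_t rand[8],
                   const uint8_t ediv[2], uint8_t out[16])
{
    static const uint8_t zero[8];
    bool zero_req = !memcmp(rand, zero, 8) && !memcmp(ediv, zero, 2);

    /* Secure Connections LTK: the request carries EDIV = 0 and Rand = 0. */
    if ((k->keys & M_LTK_P256) && zero_req) {
        memcpy(out, k->ltk.val, 16);
        return true;
    }
    /* Legacy LTK: EDIV and Rand must equal the values stored with the key. */
    if ((k->keys & M_PERIPH_LTK) && !memcmp(k->periph_ltk.rand, rand, 8) &&
        !memcmp(k->periph_ltk.ediv, ediv, 2)) {
        memcpy(out, k->periph_ltk.val, 16);
        return true;
    }
    return false; /* no usable key: the "key missing" outcome */
}

/* Constructed sample: store one key under `flag`, then request it with the
 * given EDIV/Rand. Returns 1 on a hit with the right key, 0 otherwise. */
int m_try(int flag, const uint8_t st_rand[8], const uint8_t st_ediv[2],
          const uint8_t rq_rand[8], const uint8_t rq_ediv[2])
{
    struct m_keys k = { .keys = flag };
    struct m_ltk *slot = (flag == M_PERIPH_LTK) ? &k.periph_ltk : &k.ltk;
    uint8_t out[16] = {0};

    memset(slot->val, 0xA5, 16); /* constructed key bytes */
    memcpy(slot->rand, st_rand, 8);
    memcpy(slot->ediv, st_ediv, 2);
    return m_request_ltk(&k, rq_rand, rq_ediv, out) && out[0] == 0xA5;
}
```

In this model a record flagged only with the plain LTK flag is never returned, and a legacy record is returned only when the request repeats the EDIV and Rand stored beside the key.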
