"Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Sat, 17 Aug 2024 09:26:43 GMT

sorry but you support people don't understand my scenario, I believe.

I am not using your devices to simulate or develop something.

I am using your device ONLY to sniff traffic between 2 other devices. In this scenario, using nRF Connect SDK will not help me. So why are you frequently mentioning it ? It is useless for me.

I am just looking for help (if there's any possibility) to sniff traffic between and Android app and a custom BLE device.

If that's not possible in my scenario, just let me know and close this question.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

Amanda Hsieh — Thu, 15 Aug 2024 13:55:39 GMT

NCS is our nRF Connect SDK.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Wed, 14 Aug 2024 21:03:44 GMT

I am sorry, I don't understand. What is NCS ?

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

Amanda Hsieh — Tue, 13 Aug 2024 20:01:25 GMT

[quote user="ilker Aktuna"]if it would be possible to get the LTK , or decrypt using hci sniff on the android phone.[/quote]

I think it cannot get LTK from your sniffer log, but you can refer to that course to get LTK if you are using NCS.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Tue, 13 Aug 2024 16:38:55 GMT

which tool ? and in what situation ?

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Tue, 13 Aug 2024 16:38:38 GMT

I have read through that tutorial/course, but as you can see in my scenario, LTK is not transferred in pairing phase (or am I missing it ?)

I have already provided you pcap output, so you can see from there.

So what is the point of following that tutorial in my case ?

If the LTK is not provided while pairing , I won't be able to decrypt packets.

I asked you if it would be possible to get the LTK , or decrypt using hci sniff on the android phone.

I could not get an answer to this.

So what is the purpose of suggesting me to read the tutorial (which I already did) ?

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

billtsai — Fri, 02 Aug 2024 02:33:57 GMT

I'm not sure the tool will provide enough information or not.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

Amanda Hsieh — Thu, 01 Aug 2024 19:52:11 GMT

Hi,

[quote user=""]all I see is "empty PDU" or "Encrypted packet decrypted incorrectly (bad MIC)"[/quote]

It is most commonly caused by the sniffer not having the private keys for the connection, so it can not decrypt the packages it intercepts.

Please check Exercise 3 Follow and decrypt a paired connection on how to get the LTK if you are using NCS. It cannot decrypt without a LTK.

-Amanda H.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Thu, 01 Aug 2024 13:09:50 GMT

thank you. Would that be possible to sniff from the phone (on the phone , using hci snoop ?)

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

billtsai — Thu, 01 Aug 2024 01:06:08 GMT

Hi,

The device actually uses lesc.

If you can't read the device's flash, It's impossible to get the LTK throug sniffer.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Wed, 31 Jul 2024 21:25:21 GMT

I checked it now but it does not match with my scenario.

First of all I am not using that board. I am trying to sniff some 3rd party device. And the communication is different. If you had checked my file mb.pcapng that I had attached in my previous post, you could understand. One side requests LTK but the other side does not send LTK.

In this case how shall I get the LTK or how shall I decrypt without a LTK ?

Please download my file and check.

Thanks.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

Amanda Hsieh — Wed, 31 Jul 2024 15:46:12 GMT

Hi,

Please check out Exercise 3 Follow and decrypt a paired connection in the Bluetooth Low Energy Fundamentals course (which is highly recommended).

-Amanda H.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Wed, 31 Jul 2024 10:26:26 GMT

this traffic is between a BLE device and an app on Android phone.

Probably the app has an hardcoded LTK and without it I won't be able to decrypt the traffic for investigation.

Would it be possible to get the LTK on the Android phone ? Is it possible to sniff on the phone itself and get an unencrypted trace ?

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Wed, 31 Jul 2024 10:13:35 GMT

devzone.nordicsemi.com/.../mb.pcapng

Can you please check this file ? My sniff session is not like your example.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

billtsai — Wed, 31 Jul 2024 02:31:54 GMT

I can't download your file.

You can refer to my sniffer file. My wireshark version is v4.0.6.

In packet 2134, the device responses host that device does not support secure connection.

In packet 2433, the device sends LTK to host.

You can use the same method to find more information.

devzone.nordicsemi.com/.../desktop_5F00_dfu_5F00_sniffer_5F00_log.pcapng

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Tue, 30 Jul 2024 21:00:50 GMT

I am not sure if I'm using any of these SDKs because I am not developing anything. I am just using the sniffer to understand the traffic.

I am attaching the capture from sniffer. Maybe you can help me extract the LTK from this capture.

Which packet should I look at ? And then how to format the LTK and use it for other sniff sessions ?

I am also attaching a sreenshot of my Wireshark screen so that you can tell me what option to use on Wireshark.

https://tmpfiles.org/10219552/mb.cap

Thanks

tmpfiles.org/.../mb.cap

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

billtsai — Tue, 30 Jul 2024 01:01:41 GMT

Nordic has two general sdk now.

NCS SDK : https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/index.html

nRF5x SDK : https://developer.nordicsemi.com/nRF5_SDK/

Lesc is low energy secure connection. This function can be enabled or disabled by your application code.

Sniffer will auto get LTK throung pairing process if you use just work and without lesc.

You can attach your sniffer log, that will show more information.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

ilker Aktuna — Mon, 29 Jul 2024 18:52:08 GMT

thanks for your response. But I am not a professional and the terms you use , I am not familiar with them.

"if your devişce has no lesc" -> what is lesc , and how do I know if my device has lesc ?

"then you can sniff LTK in pairing process" -> how can I do that ?

"which sdk you use." -> I don't know. I have a laptop with Wireshark installed and 2 years ago I had installed extensions to sniff using nRF52840. I had followed official guides that time. But I'm not sure where the guide is now.

RE: "Encrypted packet decrypted incorrectly (bad MIC)" - how to get LTK

billtsai — Mon, 29 Jul 2024 03:20:13 GMT

Hi,

If your device has no lesc, then you can sniff LTK in pairing process.

Otherwise, you need a LTK to decrypt packet.

LTK will store in flash if you use bonding.

But you need to provide which sdk you use.