High Failure Rate in START ENCRYPTION Sequence: 2 Failures per 10 Trials (Baseband or Link Layer Issue)

Hello Nordic Semiconductor tech support team,

HW : nRF52840 ( Build code : nRF52840-CKAA-F )

SW : ncs 2.6.0

Sample Application :  zephyr/samples/bluetooth/hci_spi sample with SoftDevice Controller


While verifying our software design, we frequently encounter connection errors. Could you help us identify the possible cause of this issue and suggest a resolution? Right after the enhanced connection is completed, we’re expecting an Encryption Change Event from the SoftDevice Controller. However, instead of an Encryption Change Event, a Disconnect Complete (0x05) occurs with the reason ‘Connection Terminated due to MIC Failure (0x3d)’.

Device A : Android Mobile Phone (central), (iOS case is also reported)

Device B: nRF52840 (Peripheral) 

Frame 17605: 7 bytes on wire (56 bits), 7 bytes captured (56 bits) on interface Fake IF, Import from Hex Dump, id 0 (inbound)
Bluetooth
Bluetooth HCI H4
Bluetooth HCI Event - Disconnect Complete
Event Code: Disconnect Complete (0x05)
Parameter Total Length: 4
Status: Success (0x00)
Connection Handle: 0x00cd
Reason: Connection Terminated due to MIC Failure (0x3d)

(highlighted marked HCI events)

  • Hello,

    I get the slight impression that there is some marginal timing here or that the wrong keys are provided.

    Do you see the same if you relax the SPI clock speed, and in particular if you relax (e.g. >10us for test) for instance the timing between slave select and the first clock pulse?

    Kenneth

  • Hello Kenneth, 

    Thank you for your prompt response and update. Based on the HCI log from device B (nRF52840 SoftDevice controller), I have ruled out one possible cause: the wrong LTK case. During this test, we consistently used the same LTK.

    Could you please investigate this case from another perspective? Specifically, could you identify the scenario in which the SoftDevice Controller sends out the (0x3d) reason during a Disconnection Complete event, in collaboration with your BLE Core development team?

    According to our logs, the error occurred when the connection began encrypting immediately after it was created, rather than during heavy traffic to/from the SPI bus.

    Thanks,

    Charles

  • Hi Charles,

    Can you also provide an on-air sniffer log?

    Also, if you have a sniffer, it would be helpful if you enable the CONFIG_BT_LOG_SNIFFER_INFO option to print the LTK key. It is needed in order to decrypt encrypted traffic.

    One of the reasons to disconnect during the Encryption start procedure is receiving a Data Physical Channel PDU. It is done according to the following Core Spec requirement:

    If, at any time during the encryption start procedure after the Peripheral has received
    the LL_ENC_REQ PDU or the Central has received the LL_ENC_RSP PDU, the Link
    Layer of the Central or the Peripheral receives an unexpected Data Physical Channel
    PDU from the peer Link Layer, it shall immediately exit the Connection state, and
    shall transition to the Standby state. The Host shall be notified that the link has been
    disconnected with the error code Connection Terminated Due to MIC Failure (0x3D).

    So, for instance, if the BLE softdevice controller receives a non-empty data PDU during the Encryption start procedure, SDC will disconnect with the 0x3D error code. It is difficult to say if it is the right explanation of this particular case without having a sniffer trace, but it is one of the possible explanations.

    Kenneth
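
Added example (not part of the original thread and not Nordic code): a triage script that walks a host-side HCI event capture and reports the stage at which each 0x3D disconnect occurred, so a failure inside the encryption start procedure can be told apart from one on an already encrypted link. It assumes raw H4 event packets as bytes; the function names and stage labels are made up for this example, and the sample packets are constructed (the disconnect packet mirrors the decoded fields shown in the first post).

```python
import struct

EVT_DISCONNECT_COMPLETE, EVT_ENCRYPTION_CHANGE, EVT_LE_META = 0x05, 0x08, 0x3E
SUB_LE_LTK_REQUEST, SUB_LE_ENH_CONN_COMPLETE = 0x05, 0x0A
REASON_MIC_FAILURE = 0x3D

def triage_mic_failures(packets):
    """Return [(handle, stage)] for each 0x3D disconnect in an H4 event stream."""
    stage, findings = {}, []   # stage: handle -> last encryption milestone seen
    for pkt in packets:
        if len(pkt) < 3 or pkt[0] != 0x04:       # 0x04 = H4 HCI event indicator
            continue
        code, plen, params = pkt[1], pkt[2], pkt[3:]
        if len(params) != plen:                  # truncated or padded record
            continue
        if code == EVT_LE_META and plen >= 4:
            if params[0] == SUB_LE_ENH_CONN_COMPLETE and params[1] == 0x00:
                handle = struct.unpack_from("<H", params, 2)[0] & 0x0FFF
                stage[handle] = "connected"
            elif params[0] == SUB_LE_LTK_REQUEST:
                # Controller asks the host for the LTK: encryption start is running
                handle = struct.unpack_from("<H", params, 1)[0] & 0x0FFF
                stage[handle] = "ltk_requested"
        elif code == EVT_ENCRYPTION_CHANGE and plen == 4:
            status, handle, enabled = struct.unpack("<BHB", params)
            if status == 0x00 and enabled:
                stage[handle & 0x0FFF] = "encrypted"
        elif code == EVT_DISCONNECT_COMPLETE and plen == 4:
            status, handle, reason = struct.unpack("<BHB", params)
            if reason == REASON_MIC_FAILURE:
                findings.append((handle & 0x0FFF, stage.get(handle & 0x0FFF, "unknown")))
            stage.pop(handle & 0x0FFF, None)
    return findings

def conn_evt(h):     # constructed LE Enhanced Connection Complete, other fields zeroed
    return bytes([0x04, 0x3E, 0x1F, 0x0A, 0x00, h, 0x00, 0x01, 0x00]) + bytes(25)
def ltk_req_evt(h):  # constructed LE Long Term Key Request, Rand/EDIV zeroed
    return bytes([0x04, 0x3E, 0x0D, 0x05, h, 0x00]) + bytes(10)

# Constructed capture: handle 0xCD fails as in the post, handle 0x04 encrypts normally.
SAMPLE = [
    conn_evt(0xCD), ltk_req_evt(0xCD),
    bytes([0x04, 0x05, 0x04, 0x00, 0xCD, 0x00, 0x3D]),   # fields as decoded in the post
    conn_evt(0x04), ltk_req_evt(0x04),
    bytes([0x04, 0x08, 0x04, 0x00, 0x04, 0x00, 0x01]),   # Encryption Change, enabled
    bytes([0x04, 0x05, 0x04, 0x00, 0x04, 0x00, 0x13]),   # remote user terminated
]

print(triage_mic_failures(SAMPLE))
```

A stage of `ltk_requested` places the disconnect between the controller's LTK request and the Encryption Change event, which is the window the Core Spec text above covers; `encrypted` means the link was already encrypted when the 0x3D was reported.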

  • Hello Kenneth, 

    Thank you for your valuable input. This case was reported by our integration test team. To verify it from my side, I tried to replicate the issue with other Android phones (Galaxy A12, A13, and Pixel 6). Up until now, I haven’t been able to replicate this case on these three phone models.

    So, I tried to get more information about the central device, which is an Android SS Galaxy A15, and it has the remote device information below. At the same time, I’m trying to get an A15 phone for myself. Once I get the A15 phone and the sniffer logs, I will share them with you.

    Bluetooth HCI Event - Read Remote Version Information Complete
        Event Code: Read Remote Version Information Complete (0x0c)
        Parameter Total Length: 8
        Status: Success (0x00)
        Connection Handle: 0x0004
        LMP Version: 5.3 (0x0c)
    
        Manufacturer Name: MediaTek, Inc. (0x0046)
    
        LMP Subversion: 0

    In the meantime, could you help me get the answers below?

    1) According to my code lookup, the NCS code CONFIG_BT_LOG_SNIFFER_INFO is only applicable to the Zephyr host configuration. Could you check if CONFIG_BT_LOG_SNIFFER_INFO works for the Zephyr Controller-only build as well (zephyr/samples/bluetooth/hci_spi)?

    2) Could you please ask your Application Engineer team to query if the nRF52840 SoftDevice Controller has a known issue with LMP Version: 5.3 (0x0c), Manufacturer Name: MediaTek, Inc. (0x0046), and LMP Subversion: 0 while starting encryption?

    Thanks,

    Charles 

  • Hello again,

    1. Your understanding is correct, CONFIG_BT_LOG_SNIFFER_INFO is only applicable to the Zephyr host. So you need to share the LTK some other way then.

    2. We didn't find any similar issues mentioned before.

    Please share the sniffer log when you are able to replicate the issue.

    Kenneth
