pairing fail with ncs 2.8.0

RE: pairing fail with ncs 2.8.0

Einar Thorsrud — Fri, 31 Jan 2025 14:09:08 GMT

Hi Ziv,

I am not sure I understand the question. By keys I assume you mean the key related to the pairing/bonding? Secrutiy in BLE is handled by the Security Management Protocol.

RE: pairing fail with ncs 2.8.0

ziv123 — Thu, 30 Jan 2025 06:34:20 GMT

hi Einar

as suggested here the issue on the ncs side is the attempt to work with mcumgr befor pairing was completed .. though it is strange to me..

in what layer/protocol/service the keys should pass between 2 sides to achieve the completion of the pairing before starting to use the smp service /mcumgr ?

if authentication must occur before working with mcumgr then, how the keys are passed ?

hope to read you soon

best regards

Ziv

RE: pairing fail with ncs 2.8.0

GalBrandwine — Sun, 19 Jan 2025 10:14:44 GMT

Hey, I've worked on the same problem. I found the issue:

the client tried to access MCUMGR BT Transport before it was authenticated.

Hence the LL dropped the connection.

Adding `CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW=y` solved the issue.

Thanks.

RE: pairing fail with ncs 2.8.0

Einar Thorsrud — Fri, 10 Jan 2025 15:19:23 GMT

I see. Would it be possible to make sniffer traces of each case so that we can see what happens on air? It could also be interesting to compare those with traces from 2.7 so that we can see what has changed (if any). Hopefully this can point to where to look next.

RE: pairing fail with ncs 2.8.0

ziv123 — Wed, 08 Jan 2025 15:20:50 GMT

[quote userid="7377" url="~/f/nordic-q-a/117338/pairing-fail-with-ncs-2-8-0/517429"]or does it also vary with the same peer device[/quote]

each peer device give the same type of error all the time.. the difference is between different peer devices

RE: pairing fail with ncs 2.8.0

Einar Thorsrud — Wed, 08 Jan 2025 10:17:54 GMT

Hi Ziv,

I understand that this issue appeared after migrating to v2.8.0, but I am not ablet o see any changes that obviously explan this. It is interesting that you get different failures with didfferent error codes. Does it depend on the peer device, or does it also vary with the same peer device? Or is there another pattern here? Are you able to share logs and sniffer traces for some of the specific error codes, so that we can understand more about what happened?

RE: pairing fail with ncs 2.8.0

ziv123 — Fri, 20 Dec 2024 16:46:55 GMT

Hi Einar

well debugging is a bit tricky i have another thread open on that and some one suggested allowing local ip ports but from hat i see this is not the issue, i will elaborate on the relevant thread if i manage to solve the issue...

back to our issue .. i actually got the BT_SECURITY_ERR_UNSPECIFIED by checking with a tool on my laptop that is running the same app as my node devices, and i actually see different results for each device i am attempting to pair with.

with the tool running on my laptop i get

i don't even get the first pairing completed callback, i get right on start

bt_smp: pairing failed (peer reason 0xc) , followed by pairing_failed callback with error BT_SECURITY_ERR_AUTH_FAIL

with one type of node (ble 4.2)

i get the callback for pairing completed followed by the ".security_changed" callback with status

BT_SECURITY_L2. which looks like it actually working, though i did not see the first ".security_changed" callback which i usually see.

and another node with (ble 5.0) and i think the ble device is actually nrf52840

i get 'pairing_completed' call back followed by the initial error i posted (seems the extra config did not solve the issue ) -> bt_smp: pairing failed (peer reason 0x3) , followed by the ".security_changed" callback giving error BT_SECURITY_ERR_AUTH_REQUIREMENT.

just to be clear i do not try to connect with all of them at the same time, with each device i did several pairing attempts without the noise of other devices and those were the results

regarding the debug the one time it did run i did not get to the break point on the BT_SECURITY_ERR_UNSPECIFIED, which is reasonable since we got different types of errors

any ideas ?

do i see different results cause of different ble stacks ? or there is something else

[quote userid="7377" url="~/f/nordic-q-a/117338/pairing-fail-with-ncs-2-8-0/515662"]No, there has not been significant changes on this part. But this is a common issue that we often see when testing[/quote]

i will point again that before migrating to v2.7.0 and 2.8.0 we did not have an issue with pairing to each one of those node types.

hope to read you soon

best regards

Ziv

RE: pairing fail with ncs 2.8.0

Einar Thorsrud — Thu, 19 Dec 2024 08:58:26 GMT

Hi Ziv,

[quote user="ziv123"].. so by deleting the bond it will mean that the key generation will take place in every connection ? [/quote]

I should have specified better. You can only bond once with the same peer. If allready bonded, the bonding information (key etc) is re-used every time. However, if the peer device lost the bonding information for some reason (typically a user deleted it on a phone or similar), the old bond information is no longer valid. In this case, bonding again is not allowed, as a bond allready exist. I am wondering if that is what has happened here? If so, and i fyou want to allow bondign again even if a bond exist (to gracefully handle the case where the peer device no longer has the bond), you need to explicitly allow it.

[quote user="ziv123"]can you elaborate a bit on why it is desired and in what ,example ,case can this be undesired ?[/quote]

For usability reasons, you often want to be able to bond again with a device you have an existing bond with, if the bond has been deleted (deliberately or not) on that device without explicitly deletign that bond first. For many products this is in practice a requierment. However, this also opens up the possability that an attacker can spoof the address of another device and replace it's bond, which is why it is not allowed by default.

[quote user="ziv123"]

and also is this something that was added or changed in ncs 2.7.0 or 2.8.0 that cause this issue to arise for us now ?

and last but not least .. when added the configs you mentioned to prj.conf i get a different err from my callback implementation for pairing failed -> reason is BT_SECURITY_ERR_UNSPECIFIED .. any ideas what i am doing wrong ?

[/quote]

No, there has not been significant changes on this part. But this is a common issue that we often see when testing, if a bond is deleted during that process. But it seems you are seeing a different issue.

Can you debug and see where exactly the BT_SECURITY_ERR_UNSPECIFIED comes from? It is not much used, so a simple way to do it could be to set a breakpoint on all lines with "return BT_SECURITY_ERR_UNSPECIFIED;" in the code.

Einar

RE: pairing fail with ncs 2.8.0

ziv123 — Wed, 18 Dec 2024 17:58:03 GMT

Hi Einar

[quote userid="7377" url="~/f/nordic-q-a/117338/pairing-fail-with-ncs-2-8-0/515459"]f there is allready an existing bond with the peer? If so, the bond needs to be deleted[/quote]

not sure i follow, because we pair once and then save the generated keys in flash for next pairing, not to go through the process every time. i don't think we deliberately unpair, and we do not use multiple ble identities (.. the only scenario that could be is that a device connects with 2 different nodes and has to pair with each one separately and another scenario that is not yet active is pairing with 2 different adaptores on the same node).

.. so by deleting the bond it will mean that the key generation will take place in every connection ?

[quote userid="7377" url="~/f/nordic-q-a/117338/pairing-fail-with-ncs-2-8-0/515459"]which is often the desiered behaviour, but not always.[/quote]

can you elaborate a bit on why it is desired and in what ,example ,case can this be undesired ?

and also is this something that was added or changed in ncs 2.7.0 or 2.8.0 that cause this issue to arise for us now ?

hope to read you soon

best regards

Ziv

RE: pairing fail with ncs 2.8.0

Einar Thorsrud — Wed, 18 Dec 2024 11:54:32 GMT

Hi Ziv,

Ah, yes - I missed that. As you get BT_SECURITY_ERR_AUTH_REQUIREMENT I wonder if there is allready an existing bond with the peer? If so, the bond needs to be deleted, or you need to allow re-pairing by adding CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y and CONFIG_BT_ID_UNPAIR_MATCHING_BONDS=y. This means that bonds can be replaced without specific actions, which is often the desiered behaviour, but not always.

RE: pairing fail with ncs 2.8.0

ziv123 — Tue, 17 Dec 2024 22:07:45 GMT

Hi Einar

[quote userid="7377" url="~/f/nordic-q-a/117338/pairing-fail-with-ncs-2-8-0/515289"]I assume the reason you print is an bt_security_err instance (which you get in the pairing_failed callback)[/quote]

in this callback i actually print reason 4 -> BT_SECURITY_ERR_AUTH_REQUIREMENT (still wonder why, and now i know it also happens sometimes with ncs 2.7.0, but we did not had this issue before)

[quote userid="7377" url="~/f/nordic-q-a/117338/pairing-fail-with-ncs-2-8-0/515289"]That is not an error I would expect unless you are doing OOB pairing?[/quote]

we are not doing out of band pair.

the peer reason 3 is a print that exist in the ncs itself

(v2.8.0/zephyr/subsys/bluetooth/host/smp.c , line 1299 and/or line 3811

(v2.7.0/zephyr/subsys/bluetooth/host/smp.c , line 1236 and/or line 3733

any idea what this '3' error is or why i get BT_SECURITY_ERR_AUTH_REQUIREMENT ?

hope to read you soon

best regards

Ziv

RE: pairing fail with ncs 2.8.0

Einar Thorsrud — Tue, 17 Dec 2024 14:26:56 GMT

Hi Ziv,

I assume the reason you print is an bt_security_err instance (which you get in the pairing_failed callback). And then, reason 3 is BT_SECURITY_ERR_OOB_NOT_AVAILABLE. That is not an error I would expect unless you are doing OOB pairing?