Questions about Wi-Fi provisioning using Bluetooth LE

RE: Questions about Wi-Fi provisioning using Bluetooth LE

Aleksander Nowakowski — Tue, 04 Mar 2025 13:16:14 GMT

For example, when we have 0x0110, the first selected message:
1. I think the data are 0x1001
2. 0x10 = 0001 0000 = 00010 | 000 = value 2, integer -> this is a Result type, so field 2 is Connection State
3. 0x01 = integer value 1 -> AUTHENTICATION

RE: Questions about Wi-Fi provisioning using Bluetooth LE

Aleksander Nowakowski — Tue, 04 Mar 2025 13:04:33 GMT

Hello, nice to meet you! Let me answer all your questions.

I'll be pointing to the source code of Android app "nRF Wi-Fi Provisioner".

The Wi-Fi Provisioning service has 3 characteristics:

https://github.com/NordicSemiconductor/Android-nRF-Wi-Fi-Provisioner/blob/70ad27852ee6c77a5aac6453db0109ae0abcad6a/lib/ble/src/main/java/no/nordicsemi/android/wifi/provisioner/ble/internal/ProvisionerBleManager.kt#L67-L70

The first one, Version, can be read without security, other 2 require pairing.

All the data are encoded as ProtoBuf using these files: https://github.com/NordicSemiconductor/Android-nRF-Wi-Fi-Provisioner/tree/main/lib/ble/src/main/proto

Version charactersitic is encoding using version.proto (Version type)

Control Point is using request.proto and response.proto (and common.proto) (Request and Response types)

Data Out characteristic is using result.proto (Result type).

Data Out is used to return Scan Results and Connection States.

Using my friend chat.gpt or https://www.protobufpal.com/ and providing the proto files I'm getting the following:

0x0110 represents a Result message where:

Field 2 (state) is set
Value is 1 → AUTHENTICATION

0x0210 represents a Result message where:

Field 2 (state) is set
Value is 2 → ASSOCIATION

You'll find all staes here: https://github.com/NordicSemiconductor/Android-nRF-Wi-Fi-Provisioner/blob/70ad27852ee6c77a5aac6453db0109ae0abcad6a/lib/ble/src/main/proto/common.proto#L69-L77

0x0108 seems to be a Request GET_STATUS.

Either https://www.protobufpal.com/ or your image has the data in other endianness, so you may need to revert bytes.

RE: Questions about Wi-Fi provisioning using Bluetooth LE

Mohammad Afaneh — Mon, 03 Mar 2025 14:15:15 GMT

Can someone explain how to figure out the values provided in the payloads of the packets based on the source code? or at least the values I highlighted in my sniffer capture screenshot?

RE: Questions about Wi-Fi provisioning using Bluetooth LE

Mohammad Afaneh — Fri, 28 Feb 2025 11:57:11 GMT

Yes, I did.

I looked at that and the file referenced there (.subsys/bluetooth/services/wifi_prov/proto/common.proto), but I still don't quite understand how to parse the values shown in the sniffer capture (e.g., 0x0110, 0x0210, ..., 0x0108).

What do these values mean, and what do they correspond to? For example, what are the RESULT values for SET_CONFIG (which I assume are the ones I highlighted in the sniffer capture image)? What do they correspond to?

It might be that I'm unfamiliar with the Protocol Buffers format.

RE: Questions about Wi-Fi provisioning using Bluetooth LE

Charlie — Fri, 28 Feb 2025 11:39:04 GMT

Hi Mohanmmad,

I think following page covered the Wi-Fi Provisioning Service characteristics. Do you already read them or not?

Wi-Fi Provisioning Service

Wi-Fi: Bluetooth LE based provision

Best regards,

Charlie

RE: Questions about Wi-Fi provisioning using Bluetooth LE

Mohammad Afaneh — Fri, 28 Feb 2025 10:52:14 GMT

Hi Charlie,

I'm very familiar with the Bluetooth specification, but Wi-Fi provisioning over Bluetooth LE is not a standardized Bluetooth thing.

It is also implemented as one of the nRF examples and not the Zephyr ones. So, there must be some documentation (or at least code comments) that explains the different values used in the packets. This shouldn't have anything to do with the closed-source BLE controller.

RE: Questions about Wi-Fi provisioning using Bluetooth LE

Charlie — Thu, 27 Feb 2025 13:02:57 GMT

Hi Mohanmmad,

Thanks for reaching out with your questions.

For documentation or source code that explains the meanings of different values used, as well as the workflow and packet exchange process, I recommend referring to the Bluetooth Core Specification. This is the definitive source for understanding Bluetooth packet structures and payloads. While it is not specific to Nordic, it is essential for understanding the protocol.

The BLE controller is an implementation of the Bluetooth specification. Nordic's SoftDevice Controller is our proprietary implementation of the BLE stack, but it is closed-source. However, you can refer to the open-source BLE controller from the Zephyr project to study its source code.

Additionally, have you gone through Lesson 6 - Bluetooth LE sniffer course n the Nordic Developer Academy? It covers both sniffer usage and BLE GAP and GATT packet analysis in real practice, which could be a great starting point for your exploration.

Let me know if you need further guidance!

Best regards,

Charlie