• State Verified Answer
  • Replies 23 replies
  • Subscribers 73 subscribers
  • Views 6072 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 125997
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail

Hi!

I can't start project with OOB bonding. If I set settings like just works (MITM = 0, OOB =0), all works correct. But I need more security for bounding. For this reason I want to use OOB bonding. Or you can advise to me another mode for secure bounding.

I use on advertise size only MITM = 1, BOND = 1, OOB =1, like discribed here: link

On the central side I use PM, white list and same settings for OOB bound: MITM = 1, BOND = 1, OOB =1

And after start project, no bound central with peripherial. May be I have some wrongs when PM and white list init on central side?

void peer_manager_init(void)
{
ble_gap_sec_params_t sec_param;
ret_code_t err_code;

err_code = pm_init();
APP_ERROR_CHECK(err_code);

memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

sec_param.bond           = SEC_PARAM_BOND;
sec_param.mitm           = SEC_PARAM_MITM;
sec_param.lesc           = SEC_PARAM_LESC;
sec_param.keypress       = SEC_PARAM_KEYPRESS;
sec_param.io_caps        = SEC_PARAM_IO_CAPABILITIES; 
sec_param.oob            = SEC_PARAM_OOB;
sec_param.min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
sec_param.max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
sec_param.kdist_own.enc  = 1;
sec_param.kdist_own.id   = 1;
sec_param.kdist_peer.enc = 1;
sec_param.kdist_peer.id  = 1;

err_code = pm_sec_params_set(&sec_param);
APP_ERROR_CHECK(err_code);

err_code = pm_register(pm_evt_handler);
APP_ERROR_CHECK(err_code);
}

I whitelist init after scan start:

void scan_start(void)
{
uint32_t flash_busy;

if(ble_conn_state_n_centrals() >= CENTRAL_LINK_COUNT)
	return;

scan_stop();

(void) fs_queued_op_count_get(&flash_busy);
if(flash_busy != 0)
    return;

ble_gap_addr_t whitelist_addrs[8];
ble_gap_irk_t  whitelist_irks[8];

memset(whitelist_addrs, 0x00, sizeof(whitelist_addrs));
memset(whitelist_irks,  0x00, sizeof(whitelist_irks));

uint32_t addr_cnt = (sizeof(whitelist_addrs) / sizeof(ble_gap_addr_t));
uint32_t irk_cnt  = (sizeof(whitelist_irks)  / sizeof(ble_gap_irk_t));

whitelist_load();

ret_code_t ret = pm_whitelist_get(whitelist_addrs, &addr_cnt, whitelist_irks, &irk

	m_scan_param.use_whitelist = (((addr_cnt == 0) && (irk_cnt == 0)) || (m_bonding)) ? 0 : 1;

	if(ble_conn_state_n_centrals() == 0)
	{
		m_scan_param.interval = BLE_GAP_SCAN_INTERVAL_MAX;
		m_scan_param.window		= BLE_GAP_SCAN_WINDOW_MAX;
	}
	else
	{
		m_scan_param.interval = SCAN_INTERVAL;
		m_scan_param.window		= SCAN_WINDOW;
	}
	
ret = sd_ble_gap_scan_start(&m_scan_param);
APP_ERROR_CHECK(ret);
}
Parents
  • 0

    Are you sure it's the static passkey ?

    What do you mean exactly by static passkey ? Have you used sd_ble_opt_set() with BLE_GAP_OPT_PASSKEY opt_id ? I have to ask because seems that the one who is generate passkey is the phone, not the central. Each time you bond the phone will generate a new passkey, not the same passkey (static passkey)

    It's really hard to help you if you don't understand the code.

    If you have a look at peer_manager_init() you can see the configuration of sec_param. Match that with what you see in the link I sent you:

    sec_param.bond = true;
sec_param.mitm = true;
sec_param.lesc = 0;
sec_param.keypress = 0;
sec_param.io_caps = BLE_GAP_IO_CAPS_KEYBOARD_ONLY;
sec_param.oob = false;

    On one device you set io_caps with KEYBOARD_ONLY, on the other device (peripheral for example) you set it with BLE_GAP_IO_CAPS_DISPLAY_ONLY

    Then you can pair the 2 device with passkey. Normal passkey, not static passkey. After you pass that step, we will continue with static passkey.

    " But repeat- possible after bond to clone mac to another pheripherial device and this cloned peripherial connect !!!! Karl !!! to central. " => I don't understand what you describe here. Bond information can't be cloned with just the mac address. Unless they have access to your device and clone the whole flash. Then it doesn't matter what type of bonding you have passkey or OOB or JustWork.

    Or if you want to say the clone device clone the address, then try to re-bond (remove old bond information and bond again), you can configure the central of not allowing re-pairing.

Reply
  • 0

    Are you sure it's the static passkey ?

    What do you mean exactly by static passkey ? Have you used sd_ble_opt_set() with BLE_GAP_OPT_PASSKEY opt_id ? I have to ask because seems that the one who is generate passkey is the phone, not the central. Each time you bond the phone will generate a new passkey, not the same passkey (static passkey)

    It's really hard to help you if you don't understand the code.

    If you have a look at peer_manager_init() you can see the configuration of sec_param. Match that with what you see in the link I sent you:

    sec_param.bond = true;
sec_param.mitm = true;
sec_param.lesc = 0;
sec_param.keypress = 0;
sec_param.io_caps = BLE_GAP_IO_CAPS_KEYBOARD_ONLY;
sec_param.oob = false;

    On one device you set io_caps with KEYBOARD_ONLY, on the other device (peripheral for example) you set it with BLE_GAP_IO_CAPS_DISPLAY_ONLY

    Then you can pair the 2 device with passkey. Normal passkey, not static passkey. After you pass that step, we will continue with static passkey.

    " But repeat- possible after bond to clone mac to another pheripherial device and this cloned peripherial connect !!!! Karl !!! to central. " => I don't understand what you describe here. Bond information can't be cloned with just the mac address. Unless they have access to your device and clone the whole flash. Then it doesn't matter what type of bonding you have passkey or OOB or JustWork.

    Or if you want to say the clone device clone the address, then try to re-bond (remove old bond information and bond again), you can configure the central of not allowing re-pairing.

Children
No Data
Related
Terms of service