can't bound with OOB bonding. SDK13 nRF52 S132

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Mon, 23 Oct 2017 07:41:43 GMT

It's good to hear Mikhail. Happy to help.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Thu, 19 Oct 2017 14:59:48 GMT

Sorry for understanding. I mean that after sniff, also as You I had seen and interpretate this behavior. You are right. This code not my. It from previous developer. I comment

case PM_CONN_SEC_ERROR_PIN_OR_KEY_MISSING:

now works fine.

Hung, thanks a lot for your help. Really! Now works fine.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Thu, 19 Oct 2017 14:51:51 GMT

I don't understand this. Why couldn't you describe that so we can save lots of time ? I tried to clarify with you that the clone device would need to re-bond with the central because it doesn't have the LTK to re-encrypt.

allow_repairing is inside conn_sec_config and handled in PM_EVT_CONN_SEC_CONFIG_REQ event inside pm_evt_handler(). But I'm not sure it's there in your code.

Could you try to comment out the code inside PM_EVT_CONN_SEC_FAILED and maybe trigger a disconnection to see if the clone device still can re-pair ?

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Thu, 19 Oct 2017 14:15:54 GMT

Yes! I see same behavior. I didn't say it to you. And You confirm it. Clone device set bond like a new device. Better way will disable it. Let's try to do it.

	case PM_EVT_CONN_SEC_FAILED:
	{
		switch (p_evt->params.conn_sec_failed.error)
		{
			case PM_CONN_SEC_ERROR_PIN_OR_KEY_MISSING:
				err_code = pm_conn_secure(p_evt->conn_handle, true);
				if (err_code != NRF_ERROR_INVALID_STATE)
				{
					APP_ERROR_CHECK(err_code);
				}
				break;
			case PM_CONN_SEC_ERROR_DISCONNECT:
            __asm("nop");

        default:
            break;
		}
	}break;

Where can I find allow_repairing set? What is this a variable?

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Thu, 19 Oct 2017 12:51:49 GMT

Thanks for the trace Mikhail.

From your 3rd trace (connect to the clone.pcapng) I can clearly see the clone device didn't have the secret key.

It rejected the encryption request, at packet #40. Then the central started to send a pairing request on packet #41 and re-bond with new key exchange.

It's clearly show that the central started bonding with the cloned device as a new devicev(with same address). You need to disable this.

If you use peer manager , please check PM_EVT_CONN_SEC_FAILED event in pm_evt_handler() and check what you do there.

Also make sure allow_repairing set = false when you receive PM_EVT_CONN_SEC_CONFIG_REQ.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Thu, 19 Oct 2017 09:11:49 GMT

Please upload to any cloud storage and send me the link via personal message on devzone.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Wed, 18 Oct 2017 14:37:17 GMT

do you have email where can I send log?

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Wed, 18 Oct 2017 14:22:58 GMT

I'll make sniffer trace and post it. Wait.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Wed, 18 Oct 2017 14:14:59 GMT

You need to capture a sniffer trace to see actually what happen over the air. Try to capture a complete session, including first bonding between normal peripheral and the central, then the reconnect between them, then the connection with the clone device.

Have you verified that without bonding, you can't access the characteristic ?

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Wed, 18 Oct 2017 13:50:33 GMT

MAC I mean the Bluetooth Address. Looks like MAC. with BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM() same result... any idea? I not need secure connection after pairing. I need bond with only bonded before peripherial. And thanks for help.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Wed, 18 Oct 2017 13:29:21 GMT

By MAC, you mean the Bluetooth Address ?

Any device can be connected to the central, there is no way to avoid that. But the link won't be encrypted if the clone device doesn't have the LTK.

Make sure your characteristics would require encryption to be able to read or write. Using BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM() for attr_md.read_perm and attr_md.write_perm when you declare the service/characteristic instead of BLE_GAP_CONN_SEC_MODE_SET_OPEN()

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Wed, 18 Oct 2017 13:08:02 GMT

I use static passkey. I was try next configuration: Peripherial -

#define SEC_PARAM_BOND                  1                                
#define SEC_PARAM_MITM                  1                                
#define SEC_PARAM_LESC                  0
#define SEC_PARAM_IO_CAPABILITIES       BLE_GAP_IO_CAPS_DISPLAY_ONLY         
#define SEC_PARAM_OOB                   0 
...
static void gap_params_init(void)
{
uint32_t err_code;
ble_opt_t static_pin_option;
static_pin_option.gap_opt.passkey.p_passkey = (uint8_t *)pass.passkey;
err_code = sd_ble_opt_set(BLE_GAP_OPT_PASSKEY, &static_pin_option);
APP_ERROR_CHECK(err_code);
...

on central side I use next:

#define SEC_PARAM_BOND                  1                                
#define SEC_PARAM_MITM                  1      
#define SEC_PARAM_LESC              	0                                 
#define SEC_PARAM_KEYPRESS          	0                                 
#define SEC_PARAM_IO_CAPABILITIES       BLE_GAP_IO_CAPS_KEYBOARD_ONLY 

...

static void gap_params_init(void)
{
uint32_t err_code;
ble_opt_t static_pin_option;
static_pin_option.gap_opt.passkey.p_passkey = (uint8_t *)pass.passkey;
err_code = sd_ble_opt_set(BLE_GAP_OPT_PASSKEY, &static_pin_option);
APP_ERROR_CHECK(err_code);

Now I can pair and bond those 2 devices. Work fine. But I claim that if I clone MAC on another,I can connect to central despite was not bonded before. Check it himself. My be should use another type of passkey? Just tell me what should I do next? And where should modify in code?

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Wed, 18 Oct 2017 11:49:37 GMT

Are you sure it's the static passkey ?

What do you mean exactly by static passkey ? Have you used sd_ble_opt_set() with BLE_GAP_OPT_PASSKEY opt_id ? I have to ask because seems that the one who is generate passkey is the phone, not the central. Each time you bond the phone will generate a new passkey, not the same passkey (static passkey)

It's really hard to help you if you don't understand the code.

If you have a look at peer_manager_init() you can see the configuration of sec_param. Match that with what you see in the link I sent you:

sec_param.bond = true;
sec_param.mitm = true;
sec_param.lesc = 0;
sec_param.keypress = 0;
sec_param.io_caps = BLE_GAP_IO_CAPS_KEYBOARD_ONLY;
sec_param.oob = false;

On one device you set io_caps with KEYBOARD_ONLY, on the other device (peripheral for example) you set it with BLE_GAP_IO_CAPS_DISPLAY_ONLY

Then you can pair the 2 device with passkey. Normal passkey, not static passkey. After you pass that step, we will continue with static passkey.

" But repeat- possible after bond to clone mac to another pheripherial device and this cloned peripherial connect !!!! Karl !!! to central. " => I don't understand what you describe here. Bond information can't be cloned with just the mac address. Unless they have access to your device and clone the whole flash. Then it doesn't matter what type of bonding you have passkey or OOB or JustWork.

Or if you want to say the clone device clone the address, then try to re-bond (remove old bond information and bond again), you can configure the central of not allowing re-pairing.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Wed, 18 Oct 2017 09:19:10 GMT

Hi! I have read your link regarding bonding types. But can't undestand exactly how to do.

I already made application where on central side (nRF52) I have sec_param.io_caps = BLE_GAP_IO_CAPS_KEYBOARD_DISPLAY and static passkey. On a peripherial side I use smartphone. When central connect to smartphone, appear keyboard on smartfone where I have to type my static passkey from central. All works fine.

Now I need change peripherial smartphone to nRF52 in same mode.

Regarding bounding- ofcourse I mean bonding. Sorry for english )

When I set parameters like SDK bonding types- Just Works, I bond. But repeat- possible after bond to clone mac to another pheripherial device and this cloned peripherial connect !!!! Karl !!! to central. You can try this experiment.

So, let's try set settings on central and periph for exlude this behavior and bond with LTK key.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Wed, 18 Oct 2017 08:43:09 GMT

Have you really read the link I gave you ? It clearly shows you what configuration you need when you want "Passkey bonding with keyboard capabilities"

When you do passkey, one device will display the code (sec_param.io_caps = BLE_GAP_IO_CAPS_DISPLAY_ONLY) and one device will have keyboard to type that code in.

We are talking about normal passkey bonding. Static passkey we will do it in the next step, after you managed to do normal passkey bonding.

"But with those settings, it bond not secure and possible to clone same tag peripherial by MAC and I can connect to my central by second tag. It is not normal. " => What exactly you meant by this ? I don't understand, why other clone tag can connect to your central ? When you do bonding, the secret key LTK to re-establish connection will be exchanged after the connection is encrypted. That LTK is the key to re-encrypt the link on further connections.

And what is "bound" "bounding" ? it's bond you meant ?

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Tue, 17 Oct 2017 16:03:11 GMT

When I will use BLE_GAP_AUTH_KEY_TYPE_PASSKEY , which one settings set on central and peripherial? I can't just set MITM to on without any settings like OOB, or SEC_PARAM_IO_CAPABILITIES, because just set MITM to 1- project fall.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Tue, 17 Oct 2017 15:45:13 GMT

I really can't understand how it should work correct. Your link I already read. Let's again. Which one mode should I use from your link for my purpose? Do You understad what I need from central? Which type of bonding.

And tell me which settings should set on the peripherial side and on the central side and I'll give you more detail. I mean how I tested and what doesn't work.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Tue, 17 Oct 2017 15:39:14 GMT

I can't help if you don't do your work. You need to understand how the stuff work. I suggest you to read about BLE security both BLE legacy pairing and BLE secure connection.

"BLE_GAP_AUTH_KEY_TYPE_PASSKEY on central side doesn't work." => When something doesn't work, you need to provide information about that, how did you test, what doesn't work , which error, ? I don't see any reason passkey wouldn't work on the central.

Note that when you want to do passkey, you need to set the IO capabilities and you need to set MITM on. See here.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Tue, 17 Oct 2017 15:35:03 GMT

I have tested your glucose example. Yes, this works. Bound. But with those settings, it bond not secure and possible to clone same tag peripherial by MAC and I can connect to my central by second tag. It is not normal. I want excluse this behavoir.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Tue, 17 Oct 2017 14:46:01 GMT

BLE_GAP_AUTH_KEY_TYPE_PASSKEY on central side doesn't work. May be I should make any settings on a peripherial side?

Repeat: I have a task- make bonding central with peripherial. But Just works does not fit due to secure reason. Give me a way to decide this task. What should I do?

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Tue, 17 Oct 2017 13:55:25 GMT

OOB and passkey are not the same. You need to use BLE_GAP_AUTH_KEY_TYPE_PASSKEY instead of BLE_GAP_AUTH_KEY_TYPE_OOB.

I strongly suggest before you test with static passkey, you test with normal passkey example first. You can try the Blood Glucose example here.

After that you can start testing with the static passkey.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Mikhail — Tue, 17 Oct 2017 13:13:46 GMT

Hi! Thanks for answer.

I try to use simply enter passkey via code. (directly). May be I not correct use this function.
What does it mean kind of setup? On a central and on the peripherial I use nRF52, SDK13, S132.
No error. But when I try to bound central with peripherial- no success.
I did not try this example. I don't need use NFC.

I just need use static passkey which was write before. Ofcourse, this static passkey same in peripherial and central.

I added in the central event:

        case BLE_GAP_EVT_AUTH_KEY_REQUEST:
     {
      

  sd_ble_gap_auth_key_reply(conn_handle, BLE_GAP_AUTH_KEY_TYPE_OOB, (uint8_t *)pass.passkey);

}

and I see call this event when connect peripherial to tag. But after that no bound devices.

For any case- I just need make secure bound. Just works bond does not fit for secure reason.

RE: can't bound with OOB bonding. SDK13 nRF52 S132

Hung Bui — Tue, 17 Oct 2017 10:59:51 GMT

Hi Mikhail,

Please update more information on:

What OOB mechanism are you using ? it's NFC or something else ?
What kind of setup do you have ? Which chip is on the peripheral side and which device is on central side ?
What kind of error do you have ? Have you checked the log ?
Have you tried to test our OOB example in the SDK ?