
can't bound with OOB bonding. SDK13 nRF52 S132

Hi!

I can't start the project with OOB bonding. If I use settings like Just Works (MITM = 0, OOB = 0), everything works correctly. But I need more security for bounding. For this reason I want to use OOB bonding. Or you can advise me another mode for secure bounding.

On the advertiser side I use only MITM = 1, BOND = 1, OOB = 1, as described here: link

On the central side I use PM, whitelist and the same settings for OOB bound: MITM = 1, BOND = 1, OOB = 1

And after starting the project, the central does not bound with the peripheral. Maybe I have something wrong in the PM and whitelist init on the central side?

void peer_manager_init(void)
{
    ble_gap_sec_params_t sec_param;
    ret_code_t err_code;

    err_code = pm_init();
    APP_ERROR_CHECK(err_code);

    memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

    /* Security parameters used for all pairing procedures. */
    sec_param.bond           = SEC_PARAM_BOND;
    sec_param.mitm           = SEC_PARAM_MITM;
    sec_param.lesc           = SEC_PARAM_LESC;
    sec_param.keypress       = SEC_PARAM_KEYPRESS;
    sec_param.io_caps        = SEC_PARAM_IO_CAPABILITIES;
    sec_param.oob            = SEC_PARAM_OOB;
    sec_param.min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
    sec_param.max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
    /* Distribute encryption (LTK) and identity (IRK) keys in both directions. */
    sec_param.kdist_own.enc  = 1;
    sec_param.kdist_own.id   = 1;
    sec_param.kdist_peer.enc = 1;
    sec_param.kdist_peer.id  = 1;

    err_code = pm_sec_params_set(&sec_param);
    APP_ERROR_CHECK(err_code);

    err_code = pm_register(pm_evt_handler);
    APP_ERROR_CHECK(err_code);
}

I init the whitelist after scan start:

void scan_start(void)
{
    uint32_t flash_busy;

    /* Do not scan when all central links are in use. */
    if (ble_conn_state_n_centrals() >= CENTRAL_LINK_COUNT)
        return;

    scan_stop();

    /* Do not start scanning while flash operations are pending. */
    (void) fs_queued_op_count_get(&flash_busy);
    if (flash_busy != 0)
        return;

    ble_gap_addr_t whitelist_addrs[8];
    ble_gap_irk_t  whitelist_irks[8];

    memset(whitelist_addrs, 0x00, sizeof(whitelist_addrs));
    memset(whitelist_irks,  0x00, sizeof(whitelist_irks));

    uint32_t addr_cnt = (sizeof(whitelist_addrs) / sizeof(ble_gap_addr_t));
    uint32_t irk_cnt  = (sizeof(whitelist_irks)  / sizeof(ble_gap_irk_t));

    whitelist_load();

    ret_code_t ret = pm_whitelist_get(whitelist_addrs, &addr_cnt, whitelist_irks, &irk_cnt);

    /* Scan without the whitelist when it is empty or when bonding a new peer. */
    m_scan_param.use_whitelist = (((addr_cnt == 0) && (irk_cnt == 0)) || (m_bonding)) ? 0 : 1;

    if (ble_conn_state_n_centrals() == 0)
    {
        m_scan_param.interval = BLE_GAP_SCAN_INTERVAL_MAX;
        m_scan_param.window   = BLE_GAP_SCAN_WINDOW_MAX;
    }
    else
    {
        m_scan_param.interval = SCAN_INTERVAL;
        m_scan_param.window   = SCAN_WINDOW;
    }

    ret = sd_ble_gap_scan_start(&m_scan_param);
    APP_ERROR_CHECK(ret);
}

  • I can't help if you don't do your work. You need to understand how the stuff works. I suggest you read about BLE security, both BLE legacy pairing and BLE secure connection.

    "BLE_GAP_AUTH_KEY_TYPE_PASSKEY on central side doesn't work." => When something doesn't work, you need to provide information about that: how did you test, what doesn't work, which error? I don't see any reason passkey wouldn't work on the central.

    Note that when you want to do passkey, you need to set the IO capabilities and you need to set MITM on. See here.

  • I really can't understand how it should work correctly. I already read your link. Let's go again. Which mode from your link should I use for my purpose? Do you understand what I need from the central? Which type of bonding?

    And tell me which settings I should set on the peripheral side and on the central side and I'll give you more detail. I mean how I tested and what doesn't work.

  • When I use BLE_GAP_AUTH_KEY_TYPE_PASSKEY, which settings should I set on the central and the peripheral? I can't just set MITM to on without any settings like OOB or SEC_PARAM_IO_CAPABILITIES, because if I just set MITM to 1, the project falls.

  • Have you really read the link I gave you? It clearly shows you what configuration you need when you want "Passkey bonding with keyboard capabilities".

    When you do passkey, one device will display the code (sec_param.io_caps = BLE_GAP_IO_CAPS_DISPLAY_ONLY) and one device will have a keyboard to type that code in.

    We are talking about normal passkey bonding. Static passkey we will do in the next step, after you have managed to do normal passkey bonding.

    "But with those settings, it bond not secure and possible to clone same tag peripherial by MAC and I can connect to my central by second tag. It is not normal. " => What exactly did you mean by this? I don't understand, why can another cloned tag connect to your central? When you do bonding, the secret key LTK to re-establish the connection will be exchanged after the connection is encrypted. That LTK is the key to re-encrypt the link on further connections.

    And what is "bound" "bounding"? Is it bond you meant?

  • Hi! I have read your link regarding bonding types. But I can't understand exactly how to do it.

    I already made an application where on the central side (nRF52) I have sec_param.io_caps = BLE_GAP_IO_CAPS_KEYBOARD_DISPLAY and a static passkey. On the peripheral side I use a smartphone. When the central connects to the smartphone, a keyboard appears on the smartphone where I have to type my static passkey from the central. All works fine.

    Now I need to change the peripheral from a smartphone to an nRF52 in the same mode.

    Regarding bounding, of course I mean bonding. Sorry for my English )

    When I set parameters like the SDK bonding type Just Works, I bond. But I repeat: after the bond it is possible to clone the MAC to another peripheral device, and this cloned peripheral connects !!!! Karl !!! to the central. You can try this experiment.

    So, let's try to set the settings on the central and the peripheral to exclude this behavior and bond with the LTK key.
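
The replies above tie the bonding type to the MITM, OOB and IO capability settings on both sides. As an added example (not code from the thread or from the nRF5 SDK), this sketch applies the Bluetooth LE legacy pairing selection rules to those flags; `struct sec_req` and the function names are hypothetical, the configurations in `main` are constructed, and LE Secure Connections is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* SMP IO capability codes (same numeric values as BLE_GAP_IO_CAPS_*). */
enum io_caps { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY,
               IO_NONE, IO_KEYBOARD_DISPLAY };
enum pairing_method { PAIR_JUST_WORKS, PAIR_PASSKEY, PAIR_OOB };

/* Hypothetical struct: the security parameter fields that decide the method. */
struct sec_req { bool mitm; bool oob; enum io_caps io; };

static bool has_keyboard(enum io_caps io)
{
    return io == IO_KEYBOARD_ONLY || io == IO_KEYBOARD_DISPLAY;
}

/* LE legacy pairing: pick the method from both sides' pairing request/response. */
enum pairing_method select_method(struct sec_req central, struct sec_req periph)
{
    if (central.oob && periph.oob)      /* both claim to hold OOB data */
        return PAIR_OOB;                /* each app must then supply the 128-bit key */
    if (!central.mitm && !periph.mitm)  /* nobody asks for MITM protection */
        return PAIR_JUST_WORKS;         /* IO capabilities are ignored */
    if (central.io == IO_NONE || periph.io == IO_NONE)
        return PAIR_JUST_WORKS;         /* no way to show or type a passkey */
    if (has_keyboard(central.io) || has_keyboard(periph.io))
        return PAIR_PASSKEY;            /* one side types the 6-digit code */
    return PAIR_JUST_WORKS;             /* two displays, no keyboard */
}

/* Only passkey and OOB produce an authenticated (MITM-protected) key. */
bool is_authenticated(enum pairing_method m) { return m != PAIR_JUST_WORKS; }

int main(void)
{
    static const char *names[] = { "Just Works", "Passkey Entry", "OOB" };
    /* Constructed configurations mirroring the settings discussed in the thread. */
    struct sec_req oob_c  = { true,  true,  IO_NONE }, oob_p  = oob_c;
    struct sec_req jw_c   = { false, false, IO_NONE }, jw_p   = jw_c;
    struct sec_req key_c  = { true,  false, IO_KEYBOARD_DISPLAY };
    struct sec_req disp_p = { true,  false, IO_DISPLAY_ONLY };

    printf("MITM=1 OOB=1 both sides : %s\n", names[select_method(oob_c, oob_p)]);
    printf("MITM=0 OOB=0 both sides : %s\n", names[select_method(jw_c, jw_p)]);
    printf("keyboard + display, MITM: %s\n", names[select_method(key_c, disp_p)]);
    return 0;
}
```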
