Hi,
I am working on the ble_app_template project.
1-How can I enable simple pairing without NFC?
2-Also how can I set pairing code?
3-Is this the right way to secure characteristics?
attr_md.rd_auth = 1;
attr_md.wr_auth = 1;
Thanks!
Hi Muqarrab,
Please see the Security parameters documentation for pairing and this post for secure characteristics.
-Amanda H.
Thanks, Amanda Hsieh
Can we perform Just Works bonding (without entering any key) without NFC Antenna?
Yes, the ble_app_hrs example is without the NFC Antenna.
-Amanda H
Thanks, Amanda Hsieh
I have uploaded the ble_app_hrs example and connected from the nRF app.
But I have not received a pop-up for pairing?
It won't pop up for pairing. You have to perform pairing as described in the Heart Rate Application documentation.
-Amanda H.
Hi Amanda Hsieh
I have two questions.
1-If I made authentic/secured characteristics. Can I read/write data using this pairing method? Is this pairing method secure?
2-How can I get a pairing request like this in the attached image? Any example code?
Thanks
Hi,
Muqarrab said: 1-If I made authentic/secured characteristics. Can I read/write data using this pairing method? Is this pairing method secure?
If you want to test that pairing is required but not Man In The Middle (MITM) protection, then I would suggest you try BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() instead.
Muqarrab said: 2-How can I get a pairing request like this in the attached image? Any example code?
Please see Glucose Application.
-Amanda H.
Hi,
Please see Glucose Application.
I have already seen this example. It generates a pairing PIN on UART, but pairing mostly fails when I enter that code.
So basically I want the pairing process without entering code that can read/ write authentic/secured characteristics.
Hi, Amanda Hsieh,
As per your instruction, I have added BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM().
Now when I read/write characteristics, the device starts bonding.
Now can you please confirm that without pairing anyone can't read/write characteristics?
Hi,
Muqarrab said: can you please confirm that without pairing anyone can't read/write characteristics?
If you use BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(), a peer that pairs with Just Works will be able to access the characteristic value.
Please see the documentation:
BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM
Set sec_mode pointed to by ptr to require encryption, but no MITM protection.
-Amanda H.
Hi,
Are you talking about this?
/**@brief GAP connection security modes.
 *
 * Security Mode 0 Level 0: No access permissions at all (this level is not defined by the Bluetooth Core specification).\n
 * Security Mode 1 Level 1: No security is needed (aka open link).\n
 * Security Mode 1 Level 2: Encrypted link required, MITM protection not necessary.\n
 * Security Mode 1 Level 3: MITM protected encrypted link required.\n
 * Security Mode 1 Level 4: LESC MITM protected encrypted link using a 128-bit strength encryption key required.\n
 * Security Mode 2 Level 1: Signing or encryption required, MITM protection not necessary.\n
 * Security Mode 2 Level 2: MITM protected signing required, unless link is MITM protected encrypted.\n
 */
typedef struct
{
    uint8_t sm : 4; /**< Security Mode (1 or 2), 0 for no permissions at all. */
    uint8_t lv : 4; /**< Level (1, 2, 3 or 4), 0 for no permissions at all. */
} ble_gap_conn_sec_mode_t;

uint32_t custom_value_char_add(ble_cus_t * p_cus, const ble_cus_init_t * p_cus_init)
{
    uint32_t            err_code;
    ble_gatts_char_md_t char_md;
    ble_gatts_attr_md_t cccd_md;
    ble_gatts_attr_t    attr_char_value;
    ble_uuid_t          ble_uuid;
    ble_gatts_attr_md_t attr_md;

    memset(&char_md, 0, sizeof(char_md));
    char_md.char_props.read   = 1;
    char_md.char_props.write  = 1;
    char_md.char_props.notify = 0;
    char_md.p_char_user_desc  = NULL;
    char_md.p_char_pf         = NULL;
    char_md.p_user_desc_md    = NULL;
    char_md.p_cccd_md         = NULL;
    char_md.p_sccd_md         = NULL;

    memset(&attr_md, 0, sizeof(attr_md));
    attr_md.read_perm  = p_cus_init->custom_value_char_attr_md.read_perm;
    attr_md.write_perm = p_cus_init->custom_value_char_attr_md.write_perm;
    attr_md.read_perm.lv  = 2;
    attr_md.write_perm.sm = 2;
    attr_md.vloc    = BLE_GATTS_VLOC_STACK;
    attr_md.rd_auth = 0;
    attr_md.wr_auth = 0;
    attr_md.vlen    = 0;

    /* This code belongs in custom_value_char_add() in ble_cus.c*/
    ble_uuid.type = p_cus->uuid_type;
    ble_uuid.uuid = CUSTOM_VALUE_CHAR_UUID;

    /* This code belongs in custom_value_char_add() in ble_cus.c*/
    memset(&attr_char_value, 0, sizeof(attr_char_value));
    attr_char_value.p_uuid    = &ble_uuid;
    attr_char_value.p_attr_md = &attr_md;
    attr_char_value.init_len  = sizeof(uint8_t);
    attr_char_value.init_offs = 0;
    attr_char_value.max_len   = sizeof(uint8_t);

    /* This code belongs in custom_value_char_add() in ble_cus.c*/
    err_code = sd_ble_gatts_characteristic_add(p_cus->service_handle, &char_md,
                                               &attr_char_value,
                                               &p_cus->custom_value_handles_2);
    if (err_code != NRF_SUCCESS)
    {
        return err_code;
    }
    return NRF_SUCCESS;
}
attr_md.read_perm.lv = 2;
attr_md.write_perm.sm = 2;
No. You can take a look at how the Heart Rate Application uses Just Works pairing and secures characteristics:
static inline void set_security_req(security_req_t level, ble_gap_conn_sec_mode_t * p_perm)
{
    BLE_GAP_CONN_SEC_MODE_SET_NO_ACCESS(p_perm);
    switch (level)
    {
        case SEC_NO_ACCESS:
            BLE_GAP_CONN_SEC_MODE_SET_NO_ACCESS(p_perm);
            break;
        case SEC_OPEN:
            BLE_GAP_CONN_SEC_MODE_SET_OPEN(p_perm);
            break;
        case SEC_JUST_WORKS:
            BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(p_perm);
            break;
        case SEC_MITM:
            BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(p_perm);
            break;
        case SEC_SIGNED:
            BLE_GAP_CONN_SEC_MODE_SET_SIGNED_NO_MITM(p_perm);
            break;
        case SEC_SIGNED_MITM:
            BLE_GAP_CONN_SEC_MODE_SET_SIGNED_WITH_MITM(p_perm);
            break;
    }
    return;
}
If you want the device to send the pairing request to mobile to allow pairing, you can add the code in the BLE_GAP_EVT_CONNECTED event. If the users cancel the pairing request from the peripheral on mobile, they cannot read/write characteristics.
case BLE_GAP_EVT_CONNECTED:
    NRF_LOG_INFO("Connected.");
    err_code = bsp_indication_set(BSP_INDICATE_CONNECTED);
    APP_ERROR_CHECK(err_code);
    m_conn_handle = p_ble_evt->evt.gap_evt.conn_handle;
    err_code = nrf_ble_qwr_conn_handle_assign(&m_qwr, m_conn_handle);
    APP_ERROR_CHECK(err_code);
    // send a security request to the peer (master)
    ret_code_t err = pm_conn_secure(m_conn_handle, false);
    NRF_LOG_RAW_INFO("%s: send secure connection request - err %d\r\n", (int) __func__, err);
    if (err != NRF_ERROR_INVALID_STATE)
    {
        APP_ERROR_CHECK(err);
    }
    break;
-Amanda H.
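The following host-side C model is an added example, not part of any post in this thread and not Nordic SDK code. It shows what the field-by-field edits `read_perm.lv = 2` / `write_perm.sm = 2` produce compared with the macro, and which link levels a Just Works or MITM requirement admits. Assumptions: `sec_mode_t`, the `SET_*` macros and all function names are local stand-ins whose values follow the header comment quoted above, and `mode1_access_allowed()` is a simplified model of the check, not the SoftDevice implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as ble_gap_conn_sec_mode_t quoted in the thread (local copy). */
typedef struct { uint8_t sm : 4; uint8_t lv : 4; } sec_mode_t;

/* Local stand-ins for the SDK macros; values follow the header comment. */
#define SET_OPEN(p)          do { (p)->sm = 1; (p)->lv = 1; } while (0)
#define SET_ENC_NO_MITM(p)   do { (p)->sm = 1; (p)->lv = 2; } while (0)
#define SET_ENC_WITH_MITM(p) do { (p)->sm = 1; (p)->lv = 3; } while (0)

/* Mode 1 link levels: 1 = unencrypted, 2 = Just Works, 3 = MITM-protected. */
enum { LINK_OPEN = 1, LINK_JUST_WORKS = 2, LINK_MITM = 3 };

/* True only for the (mode, level) pairs the header comment lists. */
bool sec_mode_is_defined(sec_mode_t m)
{
    if (m.sm == 0) return m.lv == 0;
    if (m.sm == 1) return m.lv >= 1 && m.lv <= 4;
    if (m.sm == 2) return m.lv >= 1 && m.lv <= 2;
    return false;
}

/* Simplified model of a Mode 1 check: the link level must reach the
 * required level. Undefined or non-Mode-1 requirements are refused. */
bool mode1_access_allowed(sec_mode_t req, uint8_t link_level)
{
    return sec_mode_is_defined(req) && req.sm == 1 && link_level >= req.lv;
}

/* The thread's field-by-field edits applied on top of an initial value. */
sec_mode_t patched_read_perm(sec_mode_t init)  { init.lv = 2; return init; }
sec_mode_t patched_write_perm(sec_mode_t init) { init.sm = 2; return init; }

sec_mode_t perm_just_works(void) { sec_mode_t m; SET_ENC_NO_MITM(&m); return m; }
sec_mode_t perm_mitm(void)       { sec_mode_t m; SET_ENC_WITH_MITM(&m); return m; }
sec_mode_t perm_open(void)       { sec_mode_t m; SET_OPEN(&m); return m; }

int main(void)
{
    sec_mode_t zero = {0, 0};
    sec_mode_t rd = patched_read_perm(zero), wr = patched_write_perm(zero);
    printf("zeroed init: read=(%u,%u) write=(%u,%u)\n", rd.sm, rd.lv, wr.sm, wr.lv);
    printf("Just Works perm, unpaired link: %d\n", mode1_access_allowed(perm_just_works(), LINK_OPEN));
    printf("Just Works perm, Just Works link: %d\n", mode1_access_allowed(perm_just_works(), LINK_JUST_WORKS));
    printf("MITM perm, Just Works link: %d\n", mode1_access_allowed(perm_mitm(), LINK_JUST_WORKS));
    return 0;
}
```

Setting a single field leaves the result dependent on whatever the initial permission held: from a zeroed value neither pair is in the header's table, and from an open value the write permission becomes Mode 2 Level 1 rather than Mode 1 Level 2.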