nRF52840 Enable Pairing with Static Passkey

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Mon, 05 Oct 2020 06:17:29 GMT

Hi,

You need to bond from the mobile to encrypted the link, then you could access the secured characteristics.

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Fri, 02 Oct 2020 05:34:33 GMT

Thank you so much, @amanda Hsieh
Problem Solved.
JUST last thing sometimes I don't get pairing request in mobile but my mobile is bonded with the device. So I don't need to worry about that?

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Thu, 01 Oct 2020 13:38:15 GMT

Hi,

[quote user="muqarrab_rahman"]I have set this BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM and now can read/write characteristic, that means my link is encrypted by pair?[/quote]

In the Template example, it is set to Just Works bonding to encrypted the link if you enable the bond function from the app.

#define SEC_PARAM_BOND                  1                                       /**< Perform bonding. */
#define SEC_PARAM_MITM                  0                                       /**< Man In The Middle protection not required. */
#define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
#define SEC_PARAM_KEYPRESS              0                                       /**< Keypress notifications not enabled. */
#define SEC_PARAM_IO_CAPABILITIES       BLE_GAP_IO_CAPS_NONE                    /**< No I/O capabilities. */
#define SEC_PARAM_OOB                   0                                       /**< Out Of Band data not available. */
#define SEC_PARAM_MIN_KEY_SIZE          7                                       /**< Minimum encryption key size. */
#define SEC_PARAM_MAX_KEY_SIZE          16                                      /**< Maximum encryption key size. */

[quote user="muqarrab_rahman"]I have added the mentioned code. But still getting the following issue.[/quote]

Remove the pairing request part in the BLE_GAP_EVT_CONNECTED event. Then, if you delete bond information after the first bond, the next connection will pop up the allow to pair window. That can fix the issue.

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Thu, 01 Oct 2020 11:20:45 GMT

Hi,

[quote userid="77782" url="~/f/nordic-q-a/66290/nrf52840-enable-pairing-with-static-passkey/272493#272493"]No, it sets the characteristic accessible when the link is encrypted by pair. [/quote]

I have set this BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM and now can read/write characteristic, that means my link is encrypted by pair?

[quote userid="77782" url="~/f/nordic-q-a/66290/nrf52840-enable-pairing-with-static-passkey/272493#272493"]If you want the nRF to allow re-pairing when only the phone has deleted the bonding data, you have to set ".allow_repairing = true" in the handling of the PM_EVT_CONN_SEC_CONFIG_REQ event. as this post.[/quote]

I have added the mentioned code. But still getting the following issue. 😓

static void pm_evt_handler(pm_evt_t const * p_evt)
{
    pm_handler_on_pm_evt(p_evt);
    pm_handler_flash_clean(p_evt);

    switch (p_evt->evt_id)
    {
        case PM_EVT_PEERS_DELETE_SUCCEEDED:
            advertising_start(false);
        break;

        case PM_EVT_CONN_SEC_CONFIG_REQ:
        {
            // Allow pairing request from an already bonded peer.
            pm_conn_sec_config_t conn_sec_config = {.allow_repairing = true};
            pm_conn_sec_config_reply(p_evt->conn_handle, &conn_sec_config);
        } 
        break;

        default:
            break;
    }
}

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Thu, 01 Oct 2020 11:16:11 GMT

Hi,

[quote user="muqarrab_rahman"]Now after setting this BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM my link will be encrypted?[/quote]

No, it sets the characteristic accessible when the link is encrypted by pair.

[quote user="muqarrab_rahman"]I have solved this issue.[/quote]

Good.

[quote user="muqarrab_rahman"]I have added this part and get this error sometimes when I unpair on try to repair.
"couldn't pair with the device because of incorrect PIN or Passkey"[/quote]

How do you delete bonding information on the nRF side and on the phone side? As long as the bonding information has been deleted on both sides, then they should pair again in exactly the same way as they did initially. However, if the bonding data is only deleted on one side, then this has to be explicitly allowed.

You'll need to delete the bonds from your nRF. You should be able to do so by pressing button 2 while the nRF is asleep according to the BSP BLE Button Assignments.

If you want the nRF to allow re-pairing when only the phone has deleted the bonding data, you have to set ".allow_repairing = true" in the handling of the PM_EVT_CONN_SEC_CONFIG_REQ event. as this post.

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Thu, 01 Oct 2020 10:27:02 GMT

Sorry, Amanda Hsieh I'm bothering you. :|

One last thing:

"When you configure the characteristic with BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(), the central/client will receive a Insufficient Authorization when it tries to read/write to the characteristic. After that the default behavior is that the central will initiate the pairing/bonding process. And the link will be encrypted after that. "

Now after setting this BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM my link will be encrypted?

[quote userid="77782" url="~/f/nordic-q-a/66290/nrf52840-enable-pairing-with-static-passkey/272467#272467"]The error NRF_ERROR_INVALID_STATE coming from the main.c Line 670 nrf_ble_qwr_conn_handle_assign () means If the given context has not been initialized.[/quote]

I have solved this issue.

[quote userid="77782" url="~/f/nordic-q-a/66290/nrf52840-enable-pairing-with-static-passkey/272300#272300"]If you want the device to send the pairing request to mobile to allow pairing, you can add the code in the BLE_GAP_EVT_CONNECTED event. If the users cancel the pairing request from the peripheral on mobile, they cannot read/write characteristics.[/quote]

I have added this part and get this error sometimes when I unpair on try to repair.
"couldn't pair with the device because of incorrect PIN or Passkey"

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Thu, 01 Oct 2020 09:41:49 GMT

Hi,

If you want to use set_security_req, I would suggest you study the Heart Rate Application on how to use set_security_req in the ble_srv_common.c. Otherwise, you can just call BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM to set permission for characteristics. That will be easy. See the BLE Characteristics, a beginner's tutorial.

The error NRF_ERROR_INVALID_STATE coming from the main.c Line 670 nrf_ble_qwr_conn_handle_assign () means If the given context has not been initialized.

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Thu, 01 Oct 2020 06:43:04 GMT

Hi Amanda Hsieh

[quote userid="77782" url="~/f/nordic-q-a/66290/nrf52840-enable-pairing-with-static-passkey/272300#272300"]No. You can take a look at Heart Rate Application use Just Work pair and secure characteristics as[/quote]

I have added in mentioned code in the main.c but getting an error
(static declaration of 'set_security_req' follows non-static declaration).

So I changed like this.

static void gap_params_init(void)
{
    ret_code_t              err_code;
    ble_gap_conn_params_t   gap_conn_params;
    ble_gap_conn_sec_mode_t sec_mode;
    security_req_t level;


    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&sec_mode);

    err_code = sd_ble_gap_device_name_set(&sec_mode,
                                          (const uint8_t *)DEVICE_NAME,
                                          strlen(DEVICE_NAME));
    APP_ERROR_CHECK(err_code);

    /* YOUR_JOB: Use an appearance value matching the application's use case.
       err_code = sd_ble_gap_appearance_set(BLE_APPEARANCE_);
       APP_ERROR_CHECK(err_code); */

    memset(&gap_conn_params, 0, sizeof(gap_conn_params));

    gap_conn_params.min_conn_interval = MIN_CONN_INTERVAL;
    gap_conn_params.max_conn_interval = MAX_CONN_INTERVAL;
    gap_conn_params.slave_latency     = SLAVE_LATENCY;
    gap_conn_params.conn_sup_timeout  = CONN_SUP_TIMEOUT;

    err_code = sd_ble_gap_ppcp_set(&gap_conn_params);
    APP_ERROR_CHECK(err_code);


    ble_gap_conn_sec_mode_t * p_perm;
    p_perm->lv=2;
    p_perm->sm=2;

    set_security_req_1(SEC_JUST_WORKS,p_perm);

}


void set_security_req_1(security_req_t level, ble_gap_conn_sec_mode_t * p_perm)
{



    BLE_GAP_CONN_SEC_MODE_SET_NO_ACCESS(p_perm);
    switch (level)
    {
        case SEC_NO_ACCESS:
            BLE_GAP_CONN_SEC_MODE_SET_NO_ACCESS(p_perm);
        break;
        case SEC_OPEN:
            BLE_GAP_CONN_SEC_MODE_SET_OPEN(p_perm);
        break;
        case SEC_JUST_WORKS:
            BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(p_perm);
        break;
        case SEC_MITM:
            BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(p_perm);
        break;
        case SEC_SIGNED:
            BLE_GAP_CONN_SEC_MODE_SET_SIGNED_NO_MITM(p_perm);
        break;
        case SEC_SIGNED_MITM:
            BLE_GAP_CONN_SEC_MODE_SET_SIGNED_WITH_MITM(p_perm);
        break;
    }
    return;
}

Is this the correct way to call set_security_req?

When I connect the device I get the following error.

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Wed, 30 Sep 2020 12:21:24 GMT

No. You can take a look at Heart Rate Application use Just Work pair and secure characteristics as

static inline void set_security_req(security_req_t level, ble_gap_conn_sec_mode_t * p_perm)
{


    BLE_GAP_CONN_SEC_MODE_SET_NO_ACCESS(p_perm);
    switch (level)
    {
        case SEC_NO_ACCESS:
            BLE_GAP_CONN_SEC_MODE_SET_NO_ACCESS(p_perm);
        break;
        case SEC_OPEN:
            BLE_GAP_CONN_SEC_MODE_SET_OPEN(p_perm);
        break;
        case SEC_JUST_WORKS:
            BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(p_perm);
        break;
        case SEC_MITM:
            BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(p_perm);
        break;
        case SEC_SIGNED:
            BLE_GAP_CONN_SEC_MODE_SET_SIGNED_NO_MITM(p_perm);
        break;
        case SEC_SIGNED_MITM:
            BLE_GAP_CONN_SEC_MODE_SET_SIGNED_WITH_MITM(p_perm);
        break;
    }
    return;
}

If you want the device to send the pairing request to mobile to allow pairing, you can add the code in the BLE_GAP_EVT_CONNECTED event. If the users cancel the pairing request from the peripheral on mobile, they cannot read/write characteristics.

        case BLE_GAP_EVT_CONNECTED:
            NRF_LOG_INFO("Connected.");
            err_code = bsp_indication_set(BSP_INDICATE_CONNECTED);
            APP_ERROR_CHECK(err_code);
            m_conn_handle = p_ble_evt->evt.gap_evt.conn_handle;
            err_code = nrf_ble_qwr_conn_handle_assign(&m_qwr, m_conn_handle);
            APP_ERROR_CHECK(err_code);

            // send a security request to the peer (master)
            ret_code_t err = pm_conn_secure(m_conn_handle, false);
            NRF_LOG_RAW_INFO("%s: send secure connection request - err %d\r\n", (int) __func__, err);
            if (err != NRF_ERROR_INVALID_STATE)
            {
                APP_ERROR_CHECK(err);
           }

            
            break;

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Wed, 30 Sep 2020 11:26:21 GMT

Hi,
Are you talking about this?

/**@brief GAP connection security modes.
 *
 * Security Mode 0 Level 0: No access permissions at all (this level is not defined by the Bluetooth Core specification).\n
 * Security Mode 1 Level 1: No security is needed (aka open link).\n
 * Security Mode 1 Level 2: Encrypted link required, MITM protection not necessary.\n
 * Security Mode 1 Level 3: MITM protected encrypted link required.\n
 * Security Mode 1 Level 4: LESC MITM protected encrypted link using a 128-bit strength encryption key required.\n
 * Security Mode 2 Level 1: Signing or encryption required, MITM protection not necessary.\n
 * Security Mode 2 Level 2: MITM protected signing required, unless link is MITM protected encrypted.\n
 */
typedef struct
{
  uint8_t sm : 4;                     /**< Security Mode (1 or 2), 0 for no permissions at all. */
  uint8_t lv : 4;                     /**< Level (1, 2, 3 or 4), 0 for no permissions at all. */

} ble_gap_conn_sec_mode_t;

I have tried this but getting error.

uint32_t custom_value_char_add(ble_cus_t * p_cus, const ble_cus_init_t * p_cus_init)
{
    uint32_t            err_code;
    ble_gatts_char_md_t char_md;
    ble_gatts_attr_md_t cccd_md;
    ble_gatts_attr_t    attr_char_value;
    ble_uuid_t          ble_uuid;
    ble_gatts_attr_md_t attr_md;


    memset(&char_md, 0, sizeof(char_md));

    char_md.char_props.read   = 1;
    char_md.char_props.write  = 1;
    char_md.char_props.notify = 0; 
    char_md.p_char_user_desc  = NULL;
    char_md.p_char_pf         = NULL;
    char_md.p_user_desc_md    = NULL;
    char_md.p_cccd_md         = NULL; 
    char_md.p_sccd_md         = NULL;


    memset(&attr_md, 0, sizeof(attr_md));

    attr_md.read_perm = p_cus_init->custom_value_char_attr_md.read_perm;
    attr_md.write_perm = p_cus_init->custom_value_char_attr_md.write_perm;
    
    attr_md.read_perm.lv = 2;
    attr_md.write_perm.sm = 2;

    attr_md.vloc       = BLE_GATTS_VLOC_STACK;
    attr_md.rd_auth    = 0;
    attr_md.wr_auth    = 0;
    attr_md.vlen       = 0;
 /* This code belongs in custom_value_char_add() in ble_cus.c*/

    ble_uuid.type = p_cus->uuid_type;
    ble_uuid.uuid = CUSTOM_VALUE_CHAR_UUID;


    /* This code belongs in custom_value_char_add() in ble_cus.c*/

    memset(&attr_char_value, 0, sizeof(attr_char_value));

    attr_char_value.p_uuid    = &ble_uuid;
    attr_char_value.p_attr_md = &attr_md;
    attr_char_value.init_len  = sizeof(uint8_t);
    attr_char_value.init_offs = 0;
    attr_char_value.max_len   = sizeof(uint8_t);


    /* This code belongs in custom_value_char_add() in ble_cus.c*/

err_code = sd_ble_gatts_characteristic_add(p_cus->service_handle, &char_md,
                                               &attr_char_value,
                                               &p_cus->custom_value_handles_2);
    if (err_code != NRF_SUCCESS)
    {
        return err_code;
    }

    return NRF_SUCCESS;

}

    attr_md.read_perm.lv = 2;
    attr_md.write_perm.sm = 2;

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Wed, 30 Sep 2020 11:02:19 GMT

Hi,

[quote user="muqarrab_rahman"]can you please confirm that without pairing anyone can't read/write characteristics?[/quote]

if you use BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() a peer that pairs with Just Works will be able to access the characteristic value.

Please see the documentation:

BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM

Set sec_mode pointed to by ptr to require encryption, but no MITM protection.

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Wed, 30 Sep 2020 09:56:39 GMT

Hi, Amanda Hsieh,
As per your instruction, I have added BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM().
Now when I read/write characteristics device starts bonding.
Now can you please confirm that without pairing anyone can't read/write characteristics?

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Tue, 29 Sep 2020 08:47:01 GMT

Hi,

[quote userid="77782" url="~/f/nordic-q-a/66290/nrf52840-enable-pairing-with-static-passkey/271974#271974"]Please see Glucose Application. [/quote]

I have already seen this example. It generates a pairing pin on UART but its mostly failed pairing when I enter that code.

So basically I want the pairing process without entering code that can read/ write authentic/secured characteristics. 😟

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Tue, 29 Sep 2020 08:19:33 GMT

Hi,

[quote user="muqarrab_rahman"]1-If I made authentic/secured characteristics. Can I read/write data using this pairing method? Is this pairing method secure?[/quote]

If you want to test that pairing is required but not Man In The Middle (MITM) protection, then I would suggest you try BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() instead.

[quote user="muqarrab_rahman"]2-How can I get a paring request like this in the attached image? Any example code?[/quote]

Please see Glucose Application.

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Mon, 28 Sep 2020 11:46:06 GMT

Hi Amanda Hsieh

I have to question.

1-If I made authentic/secured characteristics. Can I read/write data using this pairing method? Is this pairing method secure?
2-How can I get a paring request like this in the attached image? Any example code?

Thanks

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Mon, 28 Sep 2020 05:59:36 GMT

It won't pop up for pairing. You have to perform pairing as the Heart Rate Application documentation.

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Fri, 25 Sep 2020 13:33:01 GMT

Thanks, Amanda Hsieh

I have uploaded the ble_app_hrs example and connected from the nRF app.
But I have not received/got pop up for pairing?

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Fri, 25 Sep 2020 13:26:46 GMT

yes, the ble_app_hrs example is without the NFC Antenna.

-Amanda H

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Fri, 25 Sep 2020 13:15:47 GMT

Is it possible without NFC Antenna?

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Fri, 25 Sep 2020 13:12:26 GMT

Yes, many of the BLE examples in the SDK uses Just Works with pairing/bonding, e.g. the ble_app_hrs example. As seen here, the Device/Peer Manager is configured as this when using "Just Works bonding":

sec_param.bond = true;
sec_param.mitm = false;
sec_param.lesc = 0;
sec_param.keypress = 0;
sec_param.io_caps = BLE_GAP_IO_CAPS_NONE;
sec_param.oob = false;
sec_param.min_key_size = 7;
sec_param.max_key_size = 16;
sec_param.kdist_own.enc = 1;
sec_param.kdist_own.id = 1;
sec_param.kdist_peer.enc = 1;
sec_param.kdist_peer.id = 1;

-Amanda H.

RE: nRF52840 Enable Pairing with Static Passkey

Muqarrab — Fri, 25 Sep 2020 10:53:03 GMT

Thanks, Amanda Hsieh

Can we perform Just Works bonding(without entering any key) without NFC Antenna?

RE: nRF52840 Enable Pairing with Static Passkey

Amanda Hsieh — Thu, 24 Sep 2020 11:33:45 GMT

Hi Muqarrab,

Please see the Security parameters documentation for pairing and this post for secure characteristics.

-Amanda H.