• State Not Answered
  • Replies 9 replies
  • Subscribers 87 subscribers
  • Views 4814 views
  • Users 0 members are here
Attachments (1) Download All
Nordic Case Info
  • Case ID: 258746
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

How to implement the LESC for ble peripheral?

fox.tai

SDK version: SDK17.0.2

Product: nRF52840-DK

IDE: Segger

Role: ble peripheral

OS: non-os

Example: examples\ble_central_and_peripheral\experimental\ble_app_multirole_lesc\pca10056\s140

Softdevice: s140

Sniffer equipment: Ellisys

Hi,

  Recently, I would like to use the example ble_app_multirole_lesc as a template for ble peripheral, which runs on nrf52840. I expect it could perform the LESC to do pairing, bonding, and connect to the APP (Android or iPhone). Now I use the Android APP, nRF Connect or nRF Toolbox to connect nrf52840. Actually, I don't want to press button 1 to confirm the passkey, so I make a little change in this example as following:

(in main.c)

#define LESC_MITM_NC                    0

as for LESC_DEBUG_MODE, I've tested to set to 1 or 0.

When I tab the connect button in nRF Connect app, nrf52840 starts to bond, it prints the following message:

<info> app_timer: RTC: initialized.
<info> app: LE Secure Connections example started.
<info> app: Scanning
<info> app: Advertising
<info> app: PERIPHERAL: Connected, handle 1.
<info> app: PERIPHERAL: BLE_GAP_EVT_SEC_PARAMS_REQUEST
<info> app: PERIPHERAL: BLE_GAP_EVT_LESC_DHKEY_REQUEST
<info> nrf_ble_lesc: Calling sd_ble_gap_lesc_dhkey_reply on conn_handle: 1
<info> peer_manager_handler: Connection secured: role: Peripheral, conn_handle: 1, procedure: Bonding
<info> app: PERIPHERAL: BLE_GAP_EVT_AUTH_STATUS: status=0x0 bond=0x1 lv4: 0 kdist_own:0x3 kdist_peer:0x2
<info> peer_manager_handler: Peer data updated in flash: peer_id: 0, data_id: Bonding data, action: Update
<info> peer_manager_handler: Peer data updated in flash: peer_id: 0, data_id: Peer rank, action: Update
<info> peer_manager_handler: Peer data updated in flash: peer_id: 0, data_id: Local database, action: Update
<info> peer_manager_handler: Peer data updated in flash: peer_id: 0, data_id: Central address resolution, action: Update

Then I tab the "Read Characteristic" or "Enable CCCDs", nrf52840 starts to encrypt, it prints the following message:

B.T.W., I add some message to print the LTK (from p_enc_info->ltk[]) after calls sd_ble_gap_sec_info_reply() in sec_info_request_process()  in security_dispatcher.c.

<info> peer_manager_smd: [sec_info_request_process:372] GOT LTK p_enc_info->ltk[]
<info> peer_manager_smd: 5D BC 17 DD
<info> peer_manager_smd: D3 ED 67 45
<info> peer_manager_smd: 84 3D 3C DE
<info> peer_manager_smd: 40 95 CD A6
<info> peer_manager_handler: Connection secured: role: Peripheral, conn_handle: 1, procedure: Encryption
<info> peer_manager_handler: Peer data updated in flash: peer_id: 0, data_id: Peer rank, action: Update, no change

nRF connect app

Everything seemed to go well, but the LTK only successfully decrypt my sniffer packets at the 1st time. And I track the LLCP packets, it show the complete 5 packets as following:

(Actually, this picture is not the 1st time's sniffer packets, because I forgot to save its file... but I'm quite sure these packets are like that)

LLCP complete 5 packets

Their opcode are LL_ENC_REQ,  LL_ENC_RSPLL_START_ENC_REQ, LL_START_ENC_RSP, and  LL_START_ENC_RSP. And I use the LTK which I get from sec_info_request_process() , it can decrypt the packets.

But when I try to test again and again (refresh the code, unpair and delete bond), the LLCP packets didn't get the LL_START_ENC_RSP from central (nRF Connect), which means it only has 3 incomplete sequence as following:

LLCP_incomplete_3_packets

now I cannot decrypt the packets with the LTK. I guess the LTK may be wrong, so the central won't send the LL_START_ENC_RSP to nrf52840.  

Could you please tell me what can I do now?

 

Thanks,

Fox Tai

Parents
  • 0

    Hi Simon,

    Actually, I wonder where can I find the correct LTK in code, then I would print it out this LTK and fill into the Ellisys application to decrypt sniffer packets.

    Few days ago, I followed this article How can I find the long term key being currently used -peer manager to obtain LTK in function sec_info_request_process(). Because it said "read from flash in sec_info_request_process() with pdb_peer_data_ptr_get() when the device reconnect and re-encrypt", but in bonding procedure, no one called sec_info_request_process(), which means I didn't get the LTK.

    And I remind that article mentioned reconnect device and re-encrypt, program would read the LTK from flash, that's why I try to connect, disconnect, then connect to get the LTK. Now I get the LTK from peer_data.p_bonding_data->own_ltk.enc_info.ltk[] in function auth_status_success_process() after bonding, the first 16 bytes of this LTK is the same with in sec_info_request_process(), but it's weird that strlen size of peer_data.p_bonding_data->own_ltk.enc_info.ltk[] is 17 bytes, the last byte always 0x43. And I ignore the last byte and use the first 16 bytes to decrypt.

    Unfortunately, this LTK often cannot decrypt the sniffer packets. Maybe run 10 times, only 1 time can decrypt successfully. Every time I run the test, I would delete bond, and reflash the image of the Glucose application

    B.T.W., I also try to set LESC_DEBUG_MODE to 1 and 0. LTK usually cannot decrypt my sniffer packets. So I wonder where can I find the correct LTK in source code?

    Thanks,

    Fox Tai

  • 0 in reply to fox.tai

    Hi Simon,

    I found this article LESC_DEBUG_MODE define in ble_app_multirole_lesc, nRF5 SDK 15.0.0, it seems that marco LESC_DEBUG_MODE is not used after sdk 15.0? So debug key is still available in sdk 17.02? 

    Thansk,

    Fox Tai

Reply Children
No Data
Related
Terms of service