Zephyr BLE static passkey between central and peripheral on two nrf52840s

RE: Zephyr BLE static passkey between central and peripheral on two nrf52840s

ErDarshan — Thu, 20 Jan 2022 13:00:40 GMT

Hi smohan,

I would like to have the same functionality as you described in the ticket. I can connect using static pass-key and nrf connect applications yet our goal is to have two nrf52840 (one as peripheral and one as central). Have you implemented central side code?

RE: Zephyr BLE static passkey between central and peripheral on two nrf52840s

Kenneth — Thu, 20 May 2021 14:45:04 GMT

[quote user="smohan"]I find a security breach here , as the example is set to connect with peers only via passkey method , but if the peer device finds a way to manipulate its IO capabilities as nokeyboard-nodisplay then, it could make connect via just works. So what the use in having passkey secure pairing implementation.[/quote]

When you configure the GATT database, then you set the security level required to access these characteristics, so if the bond is established with lower than the intended security level, then the peer will not be able to write or read to these characteristics.

Kenneth

RE: Zephyr BLE static passkey between central and peripheral on two nrf52840s

smohan — Thu, 20 May 2021 13:07:53 GMT

Thanks a ton Kenneth for your reply! .

I am going through the tutorials . Btw, I understood setting MITM .What really confuses me is the logic behind the security implementation from SIG. While I used this example for testing the passkey pairing, I found that , when the peer device ( another nRF kit connected to windows lap nRF Connect BLE app loaded with connectivity firmware) changed its I/O capabilities to nokeyboard-nodisplay, the pairing happens though and it follows Just works(Level 2), I further came to conclusion that this dynamic changing of security pairing method happens as described in here .

I find a security breach here , as the example is set to connect with peers only via passkey method , but if the peer device finds a way to manipulate its IO capabilities as nokeyboard-nodisplay then, it could make connect via just works. So what the use in having passkey secure pairing implementation.

Later I read here that we can force to a security level here .through bt_conn_security(), as it was not implicitly provided by any GATT service. I am going to test this now.

It would be great if you could get back and comment on my understanding.

Regards/Mohan

RE: Zephyr BLE static passkey between central and peripheral on two nrf52840s

Kenneth — Thu, 20 May 2021 09:39:28 GMT

Maybe check out:

https://devzone.nordicsemi.com/nordic/nrf-connect-sdk-guides/b/software/posts/building-a-ble-application-on-ncs-comparing-and-contrasting-to-softdevice-based-ble-applications

https://devzone.nordicsemi.com/nordic/nrf-connect-sdk-guides/b/software/posts/building-a-ble-application-on-ncs-sdk---contrasting-to-softdevice-based-ble-applications---part-2-central-role

RE: Zephyr BLE static passkey between central and peripheral on two nrf52840s

smohan — Thu, 20 May 2021 04:44:02 GMT

Hi Jonas,

I am working on a similar one, can you help me understand, how to update the IO capabilities on the peripheral device? and How to update the MITM flag?I could not find any api calls to be used from application layer

RE: Zephyr BLE static passkey between central and peripheral on two nrf52840s

Jonas G L — Tue, 15 Dec 2020 11:42:46 GMT

Thanks a lot for your input, @Kenneth. Peripheral seems to work as intended as of now. However, I still struggle to grapple with the Central part. Do you have a good reference/link with regards to how a central connects and communicates with a peripheral in Zephyr? There is a sea of UUIDs, Handles and callbacks and I cannot find a clear explanation how to:

- Scan for connectable advertising peripherals

- Connect to a certain peripheral

- Perform service discovery and be prompted with what is found

- Perform read and writes to the peripheral from the central.

The first two points I can infer from existing code, but the last two I don't see yet how to perform. Hope you can help.

BR, Jonas

RE: Zephyr BLE static passkey between central and peripheral on two nrf52840s

Kenneth — Wed, 09 Dec 2020 19:24:00 GMT

Hi,

You need to add to prj.conf:

CONFIG_BT_SMP=y
CONFIG_BT_FIXED_PASSKEY=y

In main.c make sure that .pairing_confirm callback is NULL like this:

static struct bt_conn_auth_cb conn_auth_callbacks = {
.passkey_display = auth_passkey_display,
.cancel = auth_cancel,
.pairing_confirm = NULL,
.pairing_complete = pairing_complete,
.pairing_failed = pairing_failed
};

Make sure to add to main():

unsigned int passkey = 123456;
bt_passkey_set(passkey);

Then it should work out of the box for a device to fake a display with 123456. Also see attachment where I have modified peripheral_lbs.

For the device with passkey entry you will need to register a .passkey_entry callback in conn_auth_callbacks, make sure to call bt_conn_auth_passkey_entry(with 123456) in the callback.

Kenneth

devzone.nordicsemi.com/.../8304.peripheral_5F00_lbs_5F00_fixed_5F00_passkey_5F00_ncs_5F00_1.4.0.zip

RE: Zephyr BLE static passkey between central and peripheral on two nrf52840s

Jonas G L — Mon, 07 Dec 2020 18:37:09 GMT

haakonsh Hung Bui I'm not sure if it is uncustomary to selectively ping support engineers, and I apologise if it is, but ive read some of your great guides on Zephyr BLE on other topics and thought you might have just the skill set to aid in this specific inquiry? :)