
Pairing without entering the PIN

Hi,

I have a problem: I can connect to my BT device without entering the PIN upon first pairing.
The device is based on nRF52832 and I followed the peripheral_sc_only sample, which I found sets the correct security level for required pairing.
I am using: Zephyr OS build v2.4.0-ncs1

Here is also my prj.conf (there are also other settings, but I believe those are important for mandatory pairing):

# Enable settings                                                               
CONFIG_BT_SETTINGS=y                                                            
CONFIG_FLASH=y                                                                  
CONFIG_FLASH_PAGE_LAYOUT=y                                                      
CONFIG_FLASH_MAP=y                                                              
CONFIG_NVS=y                                                                    
CONFIG_SETTINGS=y                                                               
# Enable explicit pairing                                                       
CONFIG_BT_SMP=y                                                                 
CONFIG_BT_SMP_SC_ONLY=y                                                         
CONFIG_BT_TINYCRYPT_ECC=y                                                       
CONFIG_BT_FIXED_PASSKEY=y                                                       
#CONFIG_BT_SMP_ENFORCE_MITM=y                                                   
CONFIG_BT_BONDING_REQUIRED=y  

When I use nRF Connect on my phone, I can see the device on the Scan tab and if I click connect, the dialog for pairing appears, but also the services discovered.
If I click Cancel and quickly on one of the services discovered, I can then click on all of them and can send data to my device.

Is there any other option I need to turn on, so I can make pairing "really" mandatory?

Thanks,
Matej

  • That does not sound secure, and it does not seem that the pairing has gone through either.

    Can you please attach the sniffer trace of the sequence you mentioned in the description? Just want to see how the services are still being accessed without pairing being successful.

  • Hi Susheel,

    thanks for replying.
    One thing that I remembered now is that I use a fixed passkey. I just changed the configuration so that it doesn't use this, and the result is the same.

    This is the log I get through Segger RTT on the BT module:

    [00:00:01.838,012] <inf> fs_nvs: 6 Sectors of 4096 bytes
    [00:00:01.838,012] <inf> fs_nvs: alloc wra: 0, ff0
    [00:00:01.838,012] <inf> fs_nvs: data wra: 0, 0
    [00:00:01.838,165] <inf> sdc_hci_driver: SoftDevice Controller build revision: 
    cf 5c 0f 11 88 9c d7 02  15 27 c7 c3 ca 60 19 85 |.\...... .'...`..
    b7 c4 50 e3                                      |..P.             
    [00:00:01.840,911] <inf> bt_hci_core: HW Platform: Nordic Semiconductor (0x0002)
    [00:00:01.840,911] <inf> bt_hci_core: HW Variant: nRF52x (0x0002)
    [00:00:01.840,911] <inf> bt_hci_core: Firmware: Standard Bluetooth controller (0x00) Version 207.3932 Build 3617359889
    [00:00:01.841,247] <inf> bt_hci_core: No ID address. App must call settings_load()
    [00:00:01.841,735] <inf> bt_hci_core: Identity: e3:41:0f:bf:6c:61 (random)
    [00:00:01.841,766] <inf> bt_hci_core: HCI: version 5.2 (0x0b) revision 0x1123, manufacturer 0x0059
    [00:00:01.841,766] <inf> bt_hci_core: LMP: version 5.2 (0x0b) subver 0x1123
    [00:00:17.054,870] <inf> app: Connected 4f:5d:b5:e3:b0:5c (random)
    [00:00:20.888,214] <err> bt_smp: reason 0x9
    [00:00:20.888,458] <wrn> app: Security failed: 4f:5d:b5:e3:b0:5c (random) level 1 err 6
    [00:00:20.888,519] <inf> app: Pairing failed conn: 4f:5d:b5:e3:b0:5c (random), reason 6
    [00:00:23.948,974] <inf> app: Disconnected: 4f:5d:b5:e3:b0:5c (random) (reason 19)
    [00:00:47.425,659] <inf> app: Connected 47:5e:85:20:f9:9f (random)
    [00:01:20.470,092] <inf> app: Disconnected: 47:5e:85:20:f9:9f (random) (reason 19)
    [00:01:25.293,395] <inf> app: Connected 47:5e:85:20:f9:9f (random)
    [00:01:30.504,821] <err> bt_smp: reason 0x9
    [00:01:30.505,065] <wrn> app: Security failed: 47:5e:85:20:f9:9f (random) level 1 err 6
    [00:01:30.505,126] <inf> app: Pairing failed conn: 47:5e:85:20:f9:9f (random), reason 6
    [00:01:33.430,267] <inf> app: Disconnected: 47:5e:85:20:f9:9f (random) (reason 19)
    [00:01:39.410,064] <inf> app: Connected 47:5e:85:20:f9:9f (random)
    [00:01:42.430,114] <err> bt_smp: reason 0x9
    [00:01:42.430,358] <wrn> app: Security failed: 47:5e:85:20:f9:9f (random) level 1 err 6
    [00:01:42.430,419] <inf> app: Pairing failed conn: 47:5e:85:20:f9:9f (random), reason 6
    [00:01:45.400,543] <inf> app: Disconnected: 47:5e:85:20:f9:9f (random) (reason 19)
    [00:01:54.693,176] <inf> app: Connected 47:5e:85:20:f9:9f (random)
    [00:01:57.415,527] <err> bt_smp: reason 0x9
    [00:01:57.415,771] <wrn> app: Security failed: 47:5e:85:20:f9:9f (random) level 1 err 6
    [00:01:57.415,863] <inf> app: Pairing failed conn: 47:5e:85:20:f9:9f (random), reason 6
    [00:03:41.548,126] <inf> app: Received data from: 47:5e:85:20:f9:9f (random)

    And this is the log from nRF Connect on the phone:

    nRF Connect, 2021-02-11
    Inosmart Door Lock (E3:41:0F:BF:6C:61)
    I	16:51:46.493	[Server] Server started
    V	16:51:46.502	Heart Rate (0x180D)
    - Heart Rate Measurement [N] (0x2A37)
       Client Characteristic Configuration (0x2902)
    - Body Sensor Location [R] (0x2A38)
    - Heart Rate Control Point [W] (0x2A39)
    Unknown Service (0000aaa0-0000-1000-8000-aabbccddeeff)
    - Unknown Characteristic [N R] (0000aaa1-0000-1000-8000-aabbccddeeff)
       Client Characteristic Configuration (0x2902)
       Unknown Descriptor (0000aab0-0000-1000-8000-aabbccddeeff)
       Characteristic User Description (0x2901)
       Characteristic Presentation Format (0x2904)
    - Unknown Characteristic [I W WNR] (0000aaa2-0000-1000-8000-aabbccddeeff)
       Client Characteristic Configuration (0x2902)
    User Data (0x181C)
    - First Name [R W] (0x2A8A)
    - Last Name [R W] (0x2A90)
    - Gender [R W] (0x2A8C)
    V	16:51:46.741	Connecting to E3:41:0F:BF:6C:61...
    D	16:51:46.741	gatt = device.connectGatt(autoConnect = false, TRANSPORT_LE, preferred PHY = LE 1M)
    D	16:51:46.787	[Server callback] Connection state changed with status: 0 and new state: CONNECTED (2)
    I	16:51:46.787	[Server] Device with address E3:41:0F:BF:6C:61 connected
    D	16:51:46.796	[Callback] Connection state changed with status: 0 and new state: CONNECTED (2)
    I	16:51:46.796	Connected to E3:41:0F:BF:6C:61
    D	16:51:46.834	[Broadcast] Action received: android.bluetooth.device.action.ACL_CONNECTED
    D	16:51:46.875	[Broadcast] Action received: android.bluetooth.device.action.BOND_STATE_CHANGED, bond state changed to: BOND_BONDING (11)
    D	16:51:46.878	[Broadcast] Action received: android.bluetooth.device.action.PAIRING_REQUEST, pairing variant: PAIRING_VARIANT_CONSENT (3)
    I	16:51:47.460	Connection parameters updated (interval: 7.5ms, latency: 0, timeout: 5000ms)
    I	16:51:47.776	Connection parameters updated (interval: 45.0ms, latency: 0, timeout: 5000ms)
    D	16:51:49.404	[Broadcast] Action received: android.bluetooth.device.action.BOND_STATE_CHANGED, bond state changed to: BOND_NONE (10)
    I	16:51:49.404	Bonding failed
    V	16:51:49.439	Discovering services...
    D	16:51:49.439	gatt.discoverServices()
    D	16:51:49.452	[Callback] Services discovered with status: 0
    I	16:51:49.452	Services discovered
    V	16:51:49.458	Generic Attribute (0x1801)
    - Service Changed [I] (0x2A05)
       Client Characteristic Configuration (0x2902)
    - Client Supported Features [R W] (0x2B29)
    - Database Hash [R] (0x2B2A)
    Generic Access (0x1800)
    - Device Name [R] (0x2A00)
    - Appearance [R] (0x2A01)
    - Peripheral Preferred Connection Parameters [R] (0x2A04)
    Nordic UART Service (6e400001-b5a3-f393-e0a9-e50e24dcca9e)
    - TX Characteristic [N] (6e400003-b5a3-f393-e0a9-e50e24dcca9e)
       Client Characteristic Configuration (0x2902)
    - RX Characteristic [W WNR] (6e400002-b5a3-f393-e0a9-e50e24dcca9e)
    D	16:51:49.458	gatt.setCharacteristicNotification(00002a05-0000-1000-8000-00805f9b34fb, true)
    D	16:51:49.459	gatt.setCharacteristicNotification(6e400003-b5a3-f393-e0a9-e50e24dcca9e, true)
    V	16:51:52.053	Reading characteristic 00002a01-0000-1000-8000-00805f9b34fb
    D	16:51:52.053	gatt.readCharacteristic(00002a01-0000-1000-8000-00805f9b34fb)
    I	16:51:52.188	Read Response received from 00002a01-0000-1000-8000-00805f9b34fb, value: (0x) 41-03
    A	16:51:52.188	"[833] Heart Rate Sensor: Heart Rate Belt (Heart Rate Sensor subtype)" received
    I	16:51:52.999	Connection parameters updated (interval: 45.0ms, latency: 0, timeout: 420ms)
    V	16:51:53.118	Reading characteristic 00002a01-0000-1000-8000-00805f9b34fb
    D	16:51:53.118	gatt.readCharacteristic(00002a01-0000-1000-8000-00805f9b34fb)
    I	16:51:53.176	Read Response received from 00002a01-0000-1000-8000-00805f9b34fb, value: (0x) 41-03
    A	16:51:53.176	"[833] Heart Rate Sensor: Heart Rate Belt (Heart Rate Sensor subtype)" received
    V	16:51:53.867	Reading characteristic 00002a01-0000-1000-8000-00805f9b34fb
    D	16:51:53.867	gatt.readCharacteristic(00002a01-0000-1000-8000-00805f9b34fb)
    I	16:51:53.942	Read Response received from 00002a01-0000-1000-8000-00805f9b34fb, value: (0x) 41-03
    A	16:51:53.942	"[833] Heart Rate Sensor: Heart Rate Belt (Heart Rate Sensor subtype)" received
    V	16:51:54.552	Reading characteristic 00002a01-0000-1000-8000-00805f9b34fb
    D	16:51:54.552	gatt.readCharacteristic(00002a01-0000-1000-8000-00805f9b34fb)
    I	16:51:54.616	Read Response received from 00002a01-0000-1000-8000-00805f9b34fb, value: (0x) 41-03
    A	16:51:54.616	"[833] Heart Rate Sensor: Heart Rate Belt (Heart Rate Sensor subtype)" received
    V	16:51:55.199	Reading characteristic 00002a01-0000-1000-8000-00805f9b34fb
    D	16:51:55.199	gatt.readCharacteristic(00002a01-0000-1000-8000-00805f9b34fb)
    I	16:51:55.292	Read Response received from 00002a01-0000-1000-8000-00805f9b34fb, value: (0x) 41-03
    A	16:51:55.292	"[833] Heart Rate Sensor: Heart Rate Belt (Heart Rate Sensor subtype)" received
    V	16:51:57.031	Reading characteristic 00002a04-0000-1000-8000-00805f9b34fb
    D	16:51:57.031	gatt.readCharacteristic(00002a04-0000-1000-8000-00805f9b34fb)
    I	16:51:57.091	Read Response received from 00002a04-0000-1000-8000-00805f9b34fb, value: (0x) 18-00-28-00-00-00-2A-00
    A	16:51:57.091	"Connection Interval: 30.00ms - 50.00ms,
    Slave Latency: 0,
    Supervision Timeout Multiplier: 42" received
    V	16:53:33.563	Writing request to characteristic 6e400002-b5a3-f393-e0a9-e50e24dcca9e
    D	16:53:33.563	gatt.writeCharacteristic(6e400002-b5a3-f393-e0a9-e50e24dcca9e, value=0x74657374)
    I	16:53:33.660	Data written to 6e400002-b5a3-f393-e0a9-e50e24dcca9e, value: (0x) 74-65-73-74, "test"
    A	16:53:33.660	"test" sent

    You can see in the log that the bonding failed, but I was still able to send data to the UART service.

    Did you mean any other logs?
    If yes, which one and please explain if I need anything else to turn on.

    Thanks,
    Matej
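
The pattern visible in the device log above (pairing fails, the link stays at level 1, and the application still logs received data) can be checked for automatically. This is an added example, not code from the thread or from Nordic: the function name `find_unsecured_data`, the `Security changed` line format and the `c0:ff:ee:00:00:01` peer are assumptions constructed for illustration, while the first five sample lines are taken from the RTT log in the post.

```python
import re

# First five lines come from the RTT log in the post; the last three are a
# constructed peer that pairs successfully (line format is an assumption).
SAMPLE_LOG = """\
[00:01:54.693,176] <inf> app: Connected 47:5e:85:20:f9:9f (random)
[00:01:57.415,527] <err> bt_smp: reason 0x9
[00:01:57.415,771] <wrn> app: Security failed: 47:5e:85:20:f9:9f (random) level 1 err 6
[00:01:57.415,863] <inf> app: Pairing failed conn: 47:5e:85:20:f9:9f (random), reason 6
[00:03:41.548,126] <inf> app: Received data from: 47:5e:85:20:f9:9f (random)
[00:05:00.000,000] <inf> app: Connected c0:ff:ee:00:00:01 (random)
[00:05:03.000,000] <inf> app: Security changed: c0:ff:ee:00:00:01 (random) level 4
[00:05:10.000,000] <inf> app: Received data from: c0:ff:ee:00:00:01 (random)
"""

LINE = re.compile(r"^\[(?P<ts>[\d:.,]+)\] <\w+> app: (?P<msg>.*)$")
ADDR = r"(?P<addr>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
LEVEL = r" \(\w+\) level (?P<level>\d+)"
EVENTS = [
    ("connected", re.compile(r"^Connected " + ADDR)),
    ("disconnected", re.compile(r"^Disconnected: " + ADDR)),
    ("security", re.compile(r"^Security (?:failed|changed): " + ADDR + LEVEL)),
    ("data", re.compile(r"^Received data from: " + ADDR)),
]

def find_unsecured_data(log_text, min_level=2):
    """Return (timestamp, peer, level) for data received below min_level.

    Level 1 is an unencrypted link; use min_level=4 to demand authenticated
    LE Secure Connections, which is what an SC-only build is meant to enforce.
    """
    level = {}      # peer address -> security level of the current link
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # other modules (bt_smp, bt_hci_core) and hex dumps
        for name, pattern in EVENTS:
            ev = pattern.match(line["msg"])
            if not ev:
                continue
            addr = ev["addr"]
            if name == "connected":
                level[addr] = 1              # every new link starts unencrypted
            elif name == "disconnected":
                level.pop(addr, None)        # state does not carry over
            elif name == "security":
                level[addr] = int(ev["level"])
            elif level.get(addr, 1) < min_level:
                findings.append((line["ts"], addr, level.get(addr, 1)))
            break
    return findings
```

Run over a captured RTT log in a regression test, an empty result means no application data was accepted on a link below the required level.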

  • Hi

    Susheel is currently out of office, so I have been assigned this case until he's back. What he requests in his first reply is a sniffer trace, either using a sniffer tool like the Ellisys sniffer or similar, or our nRFSniffer, which lets you use an nRF52 DK or Dongle to see what exactly is going on over the air. This way we should be able to see what exactly happens when you're able to "bypass" the pairing and discover services without doing this process.

    Best regards,

    Simon

  • Hi,

    sorry for this late reply, but we needed to order nRF52840 dongles and we needed to wait for them to come to the office.
    Today I have connected everything, erased the whole Flash in my device and programmed the test application.
    Connected the sniffer and captured the traffic. File can be downloaded from here (please note, it will expire in 15 days! Could not find an option to attach the file to this post.)

    I tested the application again and I was able to connect to the device without pairing.
    Like I said, when the pairing dialog appears (the services are already listed in the application) and if I quickly click cancel and send some data over the UART service, I can stay connected without the pairing.

    If you need anything else, please let us know.

    BR,
    Matej

  • Sorry for the late reply. I was away for a few days and have downloaded the files just now. I will take a look at them today and will come back to you with my observations. Thanks a lot for your patience.
