Can't setup the nRF BLE Sniffer

RE: Can't setup the nRF BLE Sniffer

Einar Thorsrud — Wed, 30 Jun 2021 09:04:17 GMT

You are right that using the debug key on one side is enough if the sniffer intercepts the LESC process (as then it gets the peers public key from air and have what it needs to calculate the shared secret). It is not supported by the current nRF Sniffer though.

[quote user="RTMerkel"]Are there any plans to add this ability to the nRF sniffer did the same?[/quote]

We are in fact working on a new version of the nRF sniffer for BLE (4.x.x), and this is intended to support input of DH Private Key to support sniffing LESC connections as well as inputting the LTK if that is known/calculated from before.

RE: Can't setup the nRF BLE Sniffer

RTMerkel — Tue, 29 Jun 2021 17:24:15 GMT

Re: Regarding LESC debug keys, that is only usable if both devices are in debug mode.

That's too bad, we hoped to use the nRF sniffer for cases where one, or the other, peer was using debug keys, i.e., nRF connection (iOS) and a peripheral running the debug LESC keys.

Note that the Ellisys sniffer works when just one peer is running LESC debug keys, but of course it has to capture pairing. Are there any plans to add this ability to the nRF sniffer did the same?

Thanks,

RE: Can't setup the nRF BLE Sniffer

Einar Thorsrud — Mon, 28 Jun 2021 09:43:11 GMT

Hi,

It is good to see that you are up and running with the sniffer. Thanks for the comments on the documentation. I will forward those.

You write that you use LESC, and then nRF Connect will not be able to decrypt the packets. The nRF Sniffer can decrypt packets if the paring procedure was LE legacy, as then pairing happens in clear text, and all the sniffer needs to do is to listen in on the pairing. However, LESC uses a Diffie–Hellman key exchange to prevent this, so that even if an attacker listens in on everything, he will not have a way to know the shared secret. So in this case you will only be able to see the encrypted packets after the link is secured.

Regarding LESC debug keys, that is only usable if both devices are in debug mode. But even in that case, this is not supported by the nRF Sniffer (I think it should be possible to get Wireshark to parse the packets if you calculate and provide the LTK for the debug key, though).

RE: Can't setup the nRF BLE Sniffer

RTMerkel — Fri, 25 Jun 2021 16:05:51 GMT

Step: Adding a Wireshark profile for nRF Sniffer

Between steps 5 and 6 should include that you have to manually install the profile.

I'm sniffing... but not decrypting. Note that we use LESC and Just Works. I did the following:

"Forgot" the peripheral on my iPhone
Started capture and woke the peripheral. I can see advertising
Connected to the peripheral from my iPhone, paired
Disconnect, stop capture.

But the sniffer isn't decrypting:

3015 10.531 Master_0xaf9ab5d8 LE 2M LE LL 1 29759µs 1 1 False 132 Encrypted packet decrypted incorrectly (bad MIC)

Sniffing a connection between paired devices suggest that one of the devices must use the debug LESC keys. I ran a test with a Central that always uses the debug keys, but that doesn't bond

"Encrypted packet decrypted incorrectly (bad MIC)

Looking at devzone.nordicsemi.com/.../capture-le-secure-connection-occurs-bad-mic-after-successfully-sniffering-the-air-packets-for-a-while

RE: Can't setup the nRF BLE Sniffer

RTMerkel — Fri, 25 Jun 2021 15:37:16 GMT

I tried the following:

>>> import serial
>>> dir(serial)
['__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__path__', '__spec__', 'abc', 'absolute_import', 'division', 'errors', 'generators', 'hooks', 'marshal', 'meta', 'model', 'nested_scopes', 'print_function', 'properties', 'request', 'test', 'unicode_literals', 'utilities', 'with_statement']

And then, following the suggestions at https://stackoverflow.com/questions/33267070/no-module-named-serial:

C:\Program Files\Wireshark\extcap>pip3 uninstall pyserial
Found existing installation: pyserial 3.5
Uninstalling pyserial-3.5:
  Would remove:
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\scripts\pyserial-miniterm.exe
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\scripts\pyserial-ports.exe
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\pyserial-3.5.dist-info\*
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\*
  Would not remove (might be manually added):
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\abc\__init__.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\abc\model.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\abc\properties.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\errors.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\hooks.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\marshal.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\meta.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\model.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\properties.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\request.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\test.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\utilities\__init__.py
    c:\users\310260622\appdata\local\packages\pythonsoftwarefoundation.python.3.9_qbz5n2kfra8p0\localcache\local-packages\python39\site-packages\serial\utilities\compatibility.py
Proceed (y/n)? y
  Successfully uninstalled pyserial-3.5

C:\Program Files\Wireshark\extcap>pip3 install pyserial
Collecting pyserial
  Using cached pyserial-3.5-py2.py3-none-any.whl (90 kB)
Installing collected packages: pyserial
  WARNING: The scripts pyserial-miniterm.exe and pyserial-ports.exe are installed in 'C:\Users\310260622\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Scripts' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed pyserial-3.5

C:\Program Files\Wireshark\extcap>python
Python 3.9.5 (tags/v3.9.5:0a7dcbd, May  3 2021, 17:27:52) [MSC v.1928 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import serial
>>> dir(serial)
['CR', 'EIGHTBITS', 'FIVEBITS', 'LF', 'PARITY_EVEN', 'PARITY_MARK', 'PARITY_NAMES', 'PARITY_NONE', 'PARITY_ODD', 'PARITY_SPACE', 'PortNotOpenError', 'SEVENBITS', 'SIXBITS', 'STOPBITS_ONE', 'STOPBITS_ONE_POINT_FIVE', 'STOPBITS_TWO', 'Serial', 'SerialBase', 'SerialException', 'SerialTimeoutException', 'Timeout', 'VERSION', 'XOFF', 'XON', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__path__', '__spec__', '__version__', 'absolute_import', 'basestring', 'importlib', 'io', 'iterbytes', 'os', 'protocol_handler_packages', 'serial_for_url', 'serialutil', 'serialwin32', 'sys', 'time', 'to_bytes', 'unicode', 'win32']

Now the modified BAT file works:

C:\Program Files\Wireshark\extcap>nrf_sniffer_ble.bat --extcap-interfaces
extcap {version=3.1.0}{display=nRF Sniffer for Bluetooth LE}{help=https://www.nordicsemi.com/Software-and-Tools/Development-Tools/nRF-Sniffer-for-Bluetooth-LE}
control {number=0}{type=selector}{display=Device}{tooltip=Device list}
control {number=1}{type=string}{display=Passkey / OOB key}{tooltip=6 digit temporary key or 16 byte Out-of-band (OOB) key in hexadecimal starting with '0x', big endian format. If the entered key is shorter than 16 bytes, it will be zero-padded in front'}{validation=\b^(([0-9]{6})|(0x[0-9a-fA-F]{1,32}))$\b}
control {number=2}{type=string}{display=Adv Hop}{default=37,38,39}{tooltip=Advertising channel hop sequence. Change the order in which the siffer switches advertising channels. Valid channels are 37, 38 and 39 separated by comma.}{validation=^\s*((37|38|39)\s*,\s*){0,2}(37|38|39){1}\s*$}{required=true}
control {number=3}{type=button}{role=help}{display=Help}{tooltip=Access user guide (launches browser)}
control {number=4}{type=button}{role=restore}{display=Defaults}{tooltip=Resets the user interface and clears the log file}
control {number=5}{type=button}{role=logger}{display=Log}{tooltip=Log per interface}
value {control=0}{value= }{display=All advertising devices}{default=true}

I'm not sure how this worked, but the linked to stack overflow says something about indexing.

I'll continue with the official procedure and let you know how it works.

RE: Can't setup the nRF BLE Sniffer

RTMerkel — Fri, 25 Jun 2021 15:22:53 GMT

I tried the link - it's to a private website which requires a password.

RE: Can't setup the nRF BLE Sniffer

RTMerkel — Fri, 25 Jun 2021 15:20:00 GMT

Hi Einar!

I'll take a look at the unofficial instructions to day.

My py points to Python 3.7.8 while "python" runs 3.9.5. My guess is that "pip3 install -r requirements.txt" is updating 3.9.5.

Any suggestions on debugging "ImportError: cannot import name 'SerialException' from 'serial'"? My guess is that the Philips scripts are out of date with the [py]serial installed by pip3.

RE: Can't setup the nRF BLE Sniffer

Einar Thorsrud — Fri, 25 Jun 2021 13:56:10 GMT

Hi Randy,

[quote user=""]Daniel Veilleux suggests that it actually worked as the log says "DFU for Application completed successfully!" If so, the instructions should note this.[/quote]

Daniel is right, you will get this error as long as the new firmware does not have the DFU trigger library. I agree that should be stated, though.

I will forward the needs for improving the documentation. There is another set of instructions here, which is unofficial but quite good: How to install BLE Sniffer on nRF52840 Dongle and run it.

py should normally point to the default python version in your system. I am not sure exactly why this causes problems but it seems you are getting issues because you have two python 3 versions installed at the same time. Can you first make sure you only have a single python 3 install before going forward?

Einar