
nRF Sniffer Firmware > v3.0.0 doesn't work on nRF51822 based board

Hi Nordic,

I'm using a nRF51822 based board (Adafruit Bluefruit LE Sniffer, PRODUCT ID: 2269, https://www.adafruit.com/product/2269) and could successfully update to nRF Sniffer firmware v3.0.0.

But the recorded pcap files can't be decrypted by 3rd party tools like crackle (github.com/.../crackle) or bsniffhub (https://github.com/homewsn/bsniffhub) even with known LTK (but this is another topic *1).

I was very happy to see the lately released v4.0.0 supports setting the LTK, so I flashed this version to the board, but there is no interface in Wireshark v3.4.7 (running with admin rights and correct extcap) and there is no output when connecting a serial port terminal. I've also tried firmware v3.1.0 with the same result. I'm using Python v3.7.5.

Adafruit says "If by chance you have an nRF51822 board you want to load the firmware on, here's a hex that does not require the 32khz crystal (but does require the 16 mhz crystal)" (https://learn.adafruit.com/introducing-the-adafruit-bluefruit-le-sniffer/using-with-sniffer-v2). This hex is v2.0.0beta1.

I've soldered a 32.768kHz crystal to the backside of the board today (without caps). Surprisingly firmware 3.1.0 is now working too.

Question: Is a 32kHz crystal really needed to run firmware > 3.0.0?

But v4.0.0 still doesn't work. There is no interface in Wireshark and there is no output when connecting serial port terminal.

Question: Any ideas how to get it working?

Additional Question:
Is there any distributor shipping nRF52840 Dongle from Europe?

wbr

Thinner

*1
It looks like packets that can't be decrypted by the nRF Sniffer firmware are getting corrupted (see https://github.com/homewsn/bsniffhub/blob/master/src/ble_decoder.c line 1227, "but, unfortunately, nRF Sniffer corrupts the original payload if it cannot decrypt, so no chance to decrypt here"). I've recorded the same session on two Adafruit devices, one running nRF Sniffer v3.0.0 and one running btlejack (github.com/.../btlejack). But only the btlejack pcap file can be decrypted by crackle with the known LTK. I've added some debug output to crackle to log raw packet data. See screenshot, the left one is nRF Sniffer, the right one is btlejack. It can be seen that the bytes are completely different but the number of bytes does correlate. See line 11, 7 bytes data + 4 bytes MIC on the left (=11 bytes), 11 bytes data and 4 bytes MIC on the right (=15 bytes). There is always a difference of 4 bytes. Maybe you want to have a look at this.

  • No, I don't think there will be updates to the 3.x, not with the changes you need anyway.

    I can't say if we will follow up on updating bsniffhub or not for sniffer version 4.x.
    Let's first see if they take in the current patch.

    It works to some degree though, so maybe updating is not even required. I only tested decrypting the legacy pin trace.

    If we don't (or you want to do it yourself) the following changes are needed:
    When protocol version >= 3
    Time field is a timestamp, not a delta.
    Packet with ID 0x02 = Advertising PDUs, 0x06 = Connection Data PDUs.
    When PHY is LE Coded the Coding Indicator is included in the packet.

    For reference look here:
    gitlab.com/.../packet-nordic_ble.c
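The version-dependent differences listed in the reply above (time field is a delta before protocol version 3 and a timestamp from version 3 on; packet IDs 0x02/0x06 split advertising from connection data PDUs in v3; an extra coding-indicator byte on LE Coded PHY) are the kind of thing a decoder such as bsniffhub has to branch on. The following parser is an added example, not code from Nordic, bsniffhub or the Wireshark dissector. Only the three v3 changes come from the thread; the rest of the header layout (field order, flag bit positions, RSSI sign, the meaning of the length bytes) is an assumption reconstructed from memory of packet-nordic_ble.c and must be checked against that file before use. Both sample packets are constructed here for illustration.

```python
"""Version-aware parser for nRF Sniffer packet headers (added example).

ASSUMED layout (verify against Wireshark's packet-nordic_ble.c):
  header:  header_len(1) payload_len(1) version(1) counter(2 LE) packet_id(1)
  payload: ble_len(1) flags(1) channel(1) rssi(1) event_counter(2 LE) time(4 LE)
           followed by the BLE packet: access address(4 LE) [coding indicator(1),
           v3+ on LE Coded only] PDU header + payload (+ CRC)
From the thread: v>=3 time is a timestamp (v<3 a delta), v3 IDs 0x02 = ADV PDU,
0x06 = connection data PDU, coding indicator present on LE Coded PHY.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PACKET_ID_V3 = {0x02: "Advertising PDU", 0x06: "Connection data PDU"}  # from the reply
PHY_NAMES = {0: "LE 1M", 1: "LE 2M", 2: "LE Coded"}  # ASSUMPTION: flags bits 4-6
FIXED_HEADER = struct.Struct("<BBBHB")    # header_len, payload_len, version, counter, id
FIXED_PAYLOAD = struct.Struct("<BBBBHI")  # ble_len, flags, channel, rssi, event_ctr, time


@dataclass
class SnifferPacket:
    version: int
    counter: int
    packet_id: int
    kind: str
    crc_ok: bool
    encrypted: bool
    mic_ok: bool
    phy: str
    channel: int
    rssi_dbm: int
    event_counter: int
    time_value: int
    time_kind: str                   # "delta_us" for v<3, "timestamp_us" for v>=3
    access_address: int
    coding_indicator: Optional[int]  # only set for v>=3 on LE Coded
    pdu: bytes                       # PDU header + payload (+ CRC if present)


def parse_sniffer_packet(buf: bytes) -> SnifferPacket:
    """Parse one sniffer packet, refusing anything whose lengths disagree."""
    if len(buf) < FIXED_HEADER.size:
        raise ValueError("buffer shorter than the fixed header")
    header_len, payload_len, version, counter, packet_id = FIXED_HEADER.unpack_from(buf, 0)
    if header_len < FIXED_HEADER.size:
        raise ValueError(f"header_length {header_len} smaller than the fixed header")
    if len(buf) != header_len + payload_len:
        raise ValueError("length fields disagree with the buffer size")
    payload = buf[header_len:]
    if len(payload) < FIXED_PAYLOAD.size:
        raise ValueError("payload shorter than its fixed fields")
    ble_len, flags, channel, rssi, event_counter, time_value = FIXED_PAYLOAD.unpack_from(payload, 0)
    ble = payload[FIXED_PAYLOAD.size:]
    if len(ble) != ble_len:
        raise ValueError(f"ble length byte {ble_len} != {len(ble)} bytes present")
    if len(ble) < 4:
        raise ValueError("BLE packet shorter than an access address")
    phy_code = (flags >> 4) & 0x7
    phy = PHY_NAMES.get(phy_code, f"unknown({phy_code})")
    access_address = struct.unpack_from("<I", ble, 0)[0]
    rest = ble[4:]
    coding_indicator = None
    if version >= 3:
        kind = PACKET_ID_V3.get(packet_id, f"unknown id 0x{packet_id:02x}")
        time_kind = "timestamp_us"
        if phy == "LE Coded":  # v3+: coding indicator sits between AA and PDU header
            if not rest:
                raise ValueError("LE Coded packet is missing its coding indicator")
            coding_indicator, rest = rest[0], rest[1:]
    else:
        kind = f"pre-v3 event id 0x{packet_id:02x}"  # IDs not split before v3
        time_kind = "delta_us"
    return SnifferPacket(
        version=version, counter=counter, packet_id=packet_id, kind=kind,
        crc_ok=bool(flags & 0x01), encrypted=bool(flags & 0x04), mic_ok=bool(flags & 0x08),
        phy=phy, channel=channel, rssi_dbm=-rssi,  # ASSUMPTION: rssi stored as magnitude
        event_counter=event_counter, time_value=time_value, time_kind=time_kind,
        access_address=access_address, coding_indicator=coding_indicator, pdu=bytes(rest))


def build_packet(version, packet_id, flags, channel, rssi, event_counter, time_value, ble):
    """Construct a packet in the assumed layout (used only for the samples below)."""
    payload = FIXED_PAYLOAD.pack(len(ble), flags, channel, rssi, event_counter, time_value) + ble
    return FIXED_HEADER.pack(FIXED_HEADER.size, len(payload), version, 1, packet_id) + payload


def sample_v2_adv() -> bytes:
    """Constructed v2 advertising packet: AA 0xD6BE898E, ADV_IND header, 1M PHY."""
    ble = b"\x8e\x89\xbe\xd6" + b"\x40\x06" + b"\x11\x22\x33\x44\x55\x66" + b"\xaa\xbb\xcc"
    return build_packet(2, 0x06, 0x01, 37, 60, 0, 625, ble)


def sample_v3_coded_data() -> bytes:
    """Constructed v3 connection-data packet on LE Coded: encrypted, MIC ok, CI = 1."""
    pdu = b"\x02\x0b" + bytes(7) + b"\xde\xad\xbe\xef" + b"\x01\x02\x03"
    ble = b"\x78\x56\x34\x12" + b"\x01" + pdu
    return build_packet(3, 0x06, 0x01 | 0x04 | 0x08 | (2 << 4), 12, 70, 0x0102, 1_000_000, ble)


if __name__ == "__main__":
    for raw in (sample_v2_adv(), sample_v3_coded_data()):
        print(parse_sniffer_packet(raw))
```

The length cross-checks are deliberate: a capture tool that trusts `ble_len` or `payload_len` blindly turns a corrupted or truncated frame into an out-of-bounds read, so every length byte is compared with what is actually present before any field is decoded.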
