BLE Reject new devices attempting to pair, only allow old bonded device

RE: BLE Reject new devices attempting to pair, only allow old bonded device

rfleming — Wed, 12 Jan 2022 06:17:18 GMT

Hey Simonr,

After a bit more playing around I found the answer!

I couldn't get the remote_info to work as you suggested. The callback function within the bt_conn_cb is never called. Moreover if I do the call manually from the connected callback, it doesn't populate any fields to do with the IRK nor the RPA conversion or confirmation against a previously Public address.

static void remote_info_available(struct bt_conn *conn, struct bt_conn_remote_info *remote_info)
{
	printk("remote info available\n");
}

static struct bt_conn_cb conn_callbacks = {
	.connected = connected,
	.disconnected = disconnected,
	.identity_resolved = identity_resolved,
	.remote_info_available = remote_info_available,
#ifdef CONFIG_BT_LBS_SECURITY_ENABLED
	.security_changed = security_changed,
#endif
};

After a bit more poking around I found a function buried in the rpa.c file called bt_rpa_irk_matches though after testing it within connected callback, either I am doing something wrong with my irk, or the function wasn't made for this purpose.

I tried reversing the byte order in case I had the wrong endianess, same result.

NEVERTHELESS,

As it turns out, once a device has been bonded, once it enters the connect callback, even if the device has to enter the passkey again, the conn argument (struct bt_conn *conn) contains the target resolved address.

bt_conn structure has 3 ble addresses that it parses.

conn->le.init_addr the address as seen by a sniffer, raw and unresolved. Likely private etc.

conn->le.dst if device was previoulsy bonded, this address actually is already resolved with the public one <---- Solution!!

conn->le.resp_addr the address of THIS device.

So by taking the address provided by the destination, I am able to reject any bonded devices!

Thanks again for your help,

Ryan.

RE: BLE Reject new devices attempting to pair, only allow old bonded device

Simonr — Tue, 11 Jan 2022 07:13:48 GMT

Hi again Ryan

Yes, as long as you store this data in flash, which won't be lost if you reset or go to system OFF mode this should indeed be possible.

To get information from the device you connect to you can use the bt_conn_get_remote_info() I think and compare it to the stored data.

Best regards,

Simon

RE: BLE Reject new devices attempting to pair, only allow old bonded device

rfleming — Mon, 10 Jan 2022 12:33:39 GMT

Hi Simonr,

What if I have a bonded device and my peripheral restarts. Can I still compare this the way you speak of?

Could you please identify the functions that I should look into? I've been scraping through quite a few of these functions in various header files all day and don't quite know what I am looking at to be honest.

Cheers,

Ryan.

RE: BLE Reject new devices attempting to pair, only allow old bonded device

Simonr — Mon, 10 Jan 2022 10:02:56 GMT

Hi Ryan

I think what you're looking for is the Connection Management API in the nRFConnect SDK. As long as you store the first connected central's data you can compare it in the next CONNECTED event and trigger a disconnect if it doesn't match.

Best regards,

Simon

RE: BLE Reject new devices attempting to pair, only allow old bonded device

rfleming — Sun, 09 Jan 2022 21:43:35 GMT

Hey,

Thanks for the reply Simon.

Though as mentioned, this is what I am currently trying to do, though don't know the best (or appropriate) way to match the private addresses (IRK?) to the bonded address I discover through the bt_foreach_bond function.

After a more reading around. Turns out what I get is the random address and can be resolved by doing an AES decryption. My issue is all the examples that I could find online were all for the previous NRF SDK, rather than NRF Connect SDK (ncs).

Is there any APIs based on the Zephyr implementation that come to mind that could work like an example provided on this forum for the nrf sdk:

devzone.nordicsemi.com/.../resolving-private-resolvable-addresses

Security changed: 6A:05:8D:39:63:AF (random) level 4
Pairing completed: 94:XX:XX:XX:XX:9B (public), bonded: 1
irk: 000000000000000xxxETCxxx0000715d

i got my IRK from

struct bt_keys *keys = bt_keys_find_irk(BT_ID_DEFAULT, bt_conn_get_dst(conn));
		// keys->irk
		printk("irk: %s\n", bt_hex(keys->irk.val, 16));

Cheers,

Ryan.

RE: BLE Reject new devices attempting to pair, only allow old bonded device

Simonr — Fri, 07 Jan 2022 11:49:03 GMT

As far as I know there is no way to blacklist devices from the peripheral side, but what you could do is to check the peer address when the periphearl gets a CONNECTED event, and disconnect immediately if it's not the address it is bonded to.

Best regards,

Simon