nRF52840 random disconnection

Hi Daniel, 

I got the update from Brian Kim about your email discussion. I agree with Brian that the sniffer trace would play a very important role here to solve the issue. I have some comments: 

- Regarding the sniffer trace, I could see the communication because the link was encrypted. What you need to do is to either do Legacy pairing and use the sniffer to follow the initial bonding. Or use LESC but in debug mode. 

- Another option you can try is to turn off bonding and encryption requirement to see if the issue is related to bonding or not. If the issue remain, please capture a sniffer trace. 

- The disconnection happened at second 26th into the connection so it may not related to the 30seconds GAP/GATT timeout.

- Please try to do a chip erase on the defected board and test again.

- Please try to test using one of our example in the SDK, ble_app_proximity for example. 

Hi again,

I have programmed one equipment turning bonding off, and then it is imposssible to connect (please, look at the attached screenshot with nRF Connect).

In order to set it off, I set my variable 'BONDING_WITH_NO_CODE' to 1, and I have implement this in 'peer_manager_init' function:

static void peer_manager_init(void)
{
    ble_gap_sec_params_t sec_param;
    ret_code_t           err_code;

    err_code = pm_init();
    APP_ERROR_CHECK(err_code);

    memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

    // Security parameters to be used for all security procedures.
		if(BONDING_WITH_NO_CODE)
		{
			sec_param.bond         = 0;    
			sec_param.oob          = 0;
			sec_param.mitm         = 0; 
			sec_param.io_caps      = BLE_GAP_IO_CAPS_NONE;
			sec_param.kdist_own.enc  = 0;
			sec_param.kdist_own.id   = 0;
			sec_param.kdist_peer.enc = 0;
			sec_param.kdist_peer.id  = 0;
		}
		else
		{
			sec_param.bond           = SEC_PARAM_BOND;
			sec_param.oob            = SEC_PARAM_OOB;
			sec_param.mitm           = SEC_PARAM_MITM; //Static Key
			sec_param.io_caps        = SEC_PARAM_IO_CAPABILITIES;    
			sec_param.kdist_own.enc  = 1;
			sec_param.kdist_own.id   = 1;
			sec_param.kdist_peer.enc = 1;
			sec_param.kdist_peer.id  = 1;
		}
		
        
    sec_param.lesc           = SEC_PARAM_LESC;
    sec_param.keypress       = SEC_PARAM_KEYPRESS;    
    sec_param.min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
    sec_param.max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
    

    err_code = pm_sec_params_set(&sec_param);
    APP_ERROR_CHECK(err_code);

    err_code = pm_register(pm_evt_handler);
    APP_ERROR_CHECK(err_code);
}

Furthermore, in this case, in all services, I proceed in the following way:

if(BONDING_WITH_NO_CODE)
{
	BLE_GAP_CONN_SEC_MODE_SET_OPEN(&attr_md.read_perm);
	BLE_GAP_CONN_SEC_MODE_SET_OPEN(&attr_md.write_perm);			
}		
else
{
	BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&attr_md.read_perm);
	BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&attr_md.write_perm);
}

Hope to go ahead with the solution.

Best regards,

Dani.

First of all I have set SEC_PARAM_LESC = 0 with no bonding, I have tried to connect to nRFConnect Application. After discovering services, my device should constantly send information to smartphone, and now, it is not receiving nothing.

Please, look at attached log output from nRFConnect tool

nRF Connect, 2022-05-18
A-SMART 2 (F9:4F:3C:FA:8E:43)
V	14:35:20.700	Connecting to F9:4F:3C:FA:8E:43...
D	14:35:20.700	gatt = device.connectGatt(autoConnect = false, TRANSPORT_LE, preferred PHY = LE 1M)
D	14:35:22.804	[Broadcast] Action received: android.bluetooth.device.action.BOND_STATE_CHANGED, bond state changed to: BOND_BONDING (11)
D	14:35:22.808	[Callback] Connection state changed with status: 0 and new state: CONNECTED (2)
I	14:35:22.808	Connected to F9:4F:3C:FA:8E:43
D	14:35:22.833	[Broadcast] Action received: android.bluetooth.device.action.ACL_CONNECTED
D	14:35:22.854	[Broadcast] Action received: android.bluetooth.device.action.PAIRING_REQUEST, pairing variant: PAIRING_VARIANT_CONSENT (3)
I	14:35:23.460	Connection parameters updated (interval: 7.5ms, latency: 0, timeout: 5000ms)
I	14:35:24.040	Connection parameters updated (interval: 45.0ms, latency: 0, timeout: 5000ms)
D	14:35:26.169	[Broadcast] Action received: android.bluetooth.device.action.BOND_STATE_CHANGED, bond state changed to: BOND_BONDED (12)
I	14:35:26.169	Device bonded
D	14:35:26.179	wait(1600ms)
V	14:35:27.793	Discovering services...
D	14:35:27.793	gatt.discoverServices()
D	14:35:27.805	[Callback] Services discovered with status: 0
I	14:35:27.805	Services discovered
V	14:35:27.845	Generic Access (0x1800)
- Device Name [R W] (0x2A00)
- Appearance [R] (0x2A01)
- Peripheral Preferred Connection Parameters [R] (0x2A04)
- Central Address Resolution [R] (0x2AA6)
Generic Attribute (0x1801)
- Service Changed [I] (0x2A05)
   Client Characteristic Configuration (0x2902)
Unknown Service (00001000-0000-1000-8000-00805f9b34fb)
- Unknown Characteristic [R W] (00001001-1212-efde-1523-785feabcd123)
- Unknown Characteristic [N R] (00001002-1212-efde-1523-785feabcd123)
   Client Characteristic Configuration (0x2902)
Unknown Service (00002000-1212-efde-1523-785feabcd123)
- Unknown Characteristic [R W] (00002001-1212-efde-1523-785feabcd123)
- Unknown Characteristic [N R] (00002002-1212-efde-1523-785feabcd123)
   Client Characteristic Configuration (0x2902)
Unknown Service (00003000-1212-efde-1523-785feabcd123)
- Unknown Characteristic [R W] (00003001-1212-efde-1523-785feabcd123)
- Unknown Characteristic [N R] (00003002-1212-efde-1523-785feabcd123)
   Client Characteristic Configuration (0x2902)
Unknown Service (00004000-1212-efde-1523-785feabcd123)
- Unknown Characteristic [R W] (00004001-1212-efde-1523-785feabcd123)
- Unknown Characteristic [N R] (00004002-1212-efde-1523-785feabcd123)
   Client Characteristic Configuration (0x2902)
Unknown Service (00005000-1212-efde-1523-785feabcd123)
- Unknown Characteristic [R W] (00005001-1212-efde-1523-785feabcd123)
Unknown Service (00006000-1212-efde-1523-785feabcd123)
- Unknown Characteristic [N R] (00006002-1212-efde-1523-785feabcd123)
   Client Characteristic Configuration (0x2902)
Secure DFU Service (0xFE59)
- Secure Buttonless DFU [I W] (8ec90004-f315-4f60-9fb8-838830daea50)
   Client Characteristic Configuration (0x2902)
D	14:35:27.845	gatt.setCharacteristicNotification(00002a05-0000-1000-8000-00805f9b34fb, true)
D	14:35:27.848	gatt.setCharacteristicNotification(00001002-1212-efde-1523-785feabcd123, true)
D	14:35:27.849	gatt.setCharacteristicNotification(00002002-1212-efde-1523-785feabcd123, true)
D	14:35:27.850	gatt.setCharacteristicNotification(00003002-1212-efde-1523-785feabcd123, true)
D	14:35:27.852	gatt.setCharacteristicNotification(00004002-1212-efde-1523-785feabcd123, true)
D	14:35:27.853	gatt.setCharacteristicNotification(00006002-1212-efde-1523-785feabcd123, true)

I have also saved the sniffer trace following next procedure (Attached):Android_Pairing_without_bonding_18_05_22.pcapng

- Device advertising

- Device connected using nRFConnect (with Wireshark all frames appear as empty, and as I have said, looking at nRFConnect, no services information is given)

- Device is disconnected from nRFConnect and it starts advertising again

Hope it helps

Dani

Hi Dani, 

Please try to debug. Have you made sure you change the configuration of the characteristic to use BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM  ?

I can see that CCCD has been written but after that there were no activity from the device. 
Please check why the device doesn't send the indication. 

Hi Hung,

The configuration of the characteristic using BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM, must it apply to both CCCD and attribute values?

Dani

Hi Dani, 
Yes , correct. This is so that you don't need to bond with MITM and the sniffer can be easier to decrypt the connection. 

Hi,

I have been doing some tests without bonding and with BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM, and with SEC_PARAM_LESC=0. In CCCD in all services I have implemented this:

BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.read_perm);
BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&cccd_md.write_perm);

Now, equipment is not disconnecting.

Please find attached a sniffer trace doing the following procedure:

- Equipment advertising

- Equipment connected and receiving data

- Equipment disconnects and starts advertising again

So, from that point, how to find the solution to the problem I have? I need to use bonding, and I'm using a 6 digit-pin.

DaniAndroid_Pairing_without_bonding_No_MITM_19_05_22.pcapng

Hi,

I have been doing some tests without bonding and with BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM, and with SEC_PARAM_LESC=0. In CCCD in all services I have implemented this:

BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.read_perm);
BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&cccd_md.write_perm);

Now, equipment is not disconnecting.

Please find attached a sniffer trace doing the following procedure:

- Equipment advertising

- Equipment connected and receiving data

- Equipment disconnects and starts advertising again

So, from that point, how to find the solution to the problem I have? I need to use bonding, and I'm using a 6 digit-pin.

DaniAndroid_Pairing_without_bonding_No_MITM_19_05_22.pcapng

Hi Dani, 
It's possible for the sniffer to track Legacy pairing with Passkey. You just need to enter the passkey in the Sniffer menu and click the "Arrow" button (before input that into your phone):

But I found this method is not very reliable as the central and peripheral may change the LTK in further re-connections. 

It's also possible to track LESC pairing if you can find the LTK key. And I found this is a more reliable solution. 

To print the LTK out you can edit security_dispatcher.c in sec_info_request_process () as follows: 

    NRF_LOG_INFO("LTK: length =%d 0x",p_enc_info->ltk_len);
    for(int i=0;i<p_enc_info->ltk_len;i++) NRF_LOG_INFO("%x ",p_enc_info->ltk[i]);

You need to input the LTK into wireshark, and need to pay attention to the endianess. Basically if the log print out this (after you disconnect and reconnect to bonded device): 


You need to input this to the sniffer and click the arrow button: 

Hi Hung,

Should I see the LTK info through the log of the nRF Connect tool?

I'm not seeing it.

Dani

Hi Dani, 

No nRF Connect wouldn't display the LTK (it's not available to the app on the phone). You can only get it by using the log as I suggested in the last reply. 

Hi Hung,

I dind't know how to get this log with my equipment: no way, I have debugged it and I succeded to read the LTK code. Then I have introduced it into the Wireshark tool and I register connection and auto-disconnection after around 30".

Please, find attached a screenshot of Wireshark tool and the trace.

Dani.Android_pairing_with_disconnection_bonded_LTK_23_05_22.pcapng

Hi Dani,

 I don't think it's managed to decrypt the connection. You can see here that the sniffer didn't managed to decrypt the connection: 

You would need to input the LTK when select SC LTK, not Passkey/OOB key as showed in your screenshot. 
Please refer to this screenshot: