nRF52840 Dongle BLE Sniffing

I have an nRF52840 Dongle and I want to sniff packets between two BLE devices. When I search the Nordic DevZone forum, there are inconsistent answers about BLE sniffing support for the nRF52840 Dongle. On the "nRF Sniffer for Bluetooth LE" tool page (https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE) the device is shown as supported, whereas on this page (https://devzone.nordicsemi.com/f/nordic-q-a/61805/nrf52840-dongle-as-sniffer) it is written as not supported.

Would you please clarify the support and describe usage if supported.

Thank you.

Best Regards.

  • Hi,

    The nRF Sniffer for Bluetooth LE is supported on the nRF52840 Dongle. You can see supported DKs and Dongles under nRF Sniffer for Bluetooth LE > Minimum requirements.

    Information about installation and how to use the sniffer can be found in the documentation here: nRF Sniffer for Bluetooth LE.

    Best regards,

    Marte

  • Thanks for this. I have successfully followed the instructions and now I am able to see BLE packets in Wireshark with the provided profile.

    But all I see is advertising packets.

    How can I see messages between bonded/paired devices?

    The documentation says:

    1. Run the nRF Sniffer (if not already running).
    2. Select your device from the device list.
    3. Enter the LTK for the bond.

    But I don't have the LTK.

    I also followed the "Sniffing the pairing procedure of a connection" instructions, but I could not get packets other than advertising.

    My devices pair without a key. I just turn both devices on (reset them to force bonding) and select device B from the device A menu.

    Edit:

    I finally managed to sniff packets other than advertising data. But that only happens in the same session.

    To continue capturing in another session, I got the LTK from the first session but I was not able to use it.

    The problem is that:

    1. Device B starts pairing to device A.
    2. Then I get 2 LTKs (one is from the master, the other one is from the slave).
    3. In the next session, device A does not advertise because it is already bonded, so I cannot select it from the device list.
    4. If I select device B from the list and then try both LTKs to get packets, I cannot get any data other than advertising data.

    What am I doing wrong?

  • Hi,

    If the device is not advertising you can add the device's LE address to the device list, as explained under Add LE Address in nRF Sniffer usage.

    Best regards,

    Marte

  • Thank you.

    Now I am able to get packets from that specific device.

    However, I see "Encrypted packet decrypted incorrectly (bad MIC)" info

    In fact, from the previous pairing session I got the LTK.

    I got 2 LTKs, one from master device (sent encryption information)

    value: 24c2432367ca4ba062aa2be421b233e5

    one from the slave device (rcvd encryption information)

    value: c4383dae339da6bb0be21f61bd7cd0b6

    I tried both values, entering them in the value field like 0xc4383dae339da6bb0be21f61bd7cd0b6

    selecting Legacy LTK

    but it is still not decrypting.

    Any ideas about where I am going wrong?

    thanks.

  • What might be wrong?

  • Hi,

    It is difficult to say without looking at the sniffer trace. Can you upload it here as a pcap file?

    Best regards,

    Marte

  • ble_captures.7z

    Hi,

    I have captured 5 files. The first one named "pairing" includes the pairing session.

    From that session, the following notes:

    d4:9c:dd:9e:f7:5b - camera (BLE client)
    94:a1:a2:25:5a:49 - remote (BLE server)

    33cd8dab22a023202a7074ad2a7afc69 - rcvd encryption information (packet 7887)
    b0ddb6dbfb16725a1091d08c2b547221 - sent encryption information (packet 7898)

    And with these keys I tried to decrypt the other sessions. The files are named for easy understanding.

    I hope you can find my mistake.

    Thanks

  • Hi,

    You must reverse the byte order of the LTK. Wireshark is showing the LTK as little endian, but the LTK must be provided as big endian.

    Additionally, it is the LTK from the received encryption information you should use (so 33cd8dab22a023202a7074ad2a7afc69 in your case), since it is the central that starts the encryption.

    Best regards,

    Marte

  • ok. thanks.

    Is this 16-bit? How should I reverse the byte order?

  • Hi,

    It is 16 bytes. You must reverse each byte, so 2 and 2 numbers. For example 33cd8dab22a023202a7074ad2a7afc69 will be 69fc7a... and so forth.

    Best regards,

    Marte
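The byte-order reversal described in the answer above, as an added example that is not part of the original thread: it takes the LTK as Wireshark displays it, checks that it really is 16 bytes, and produces the big-endian "0x..." string to enter in the sniffer's key field. The function names are my own; the two sample keys are the ones quoted in the thread.

```python
import re

# Sample values copied from the capture notes in this thread. Per the answer,
# the key from the *received* encryption information is the one to enter,
# because the central is the side that starts encryption.
LTK_RCVD_ENC_INFO = "33cd8dab22a023202a7074ad2a7afc69"
LTK_SENT_ENC_INFO = "b0ddb6dbfb16725a1091d08c2b547221"


def normalize_ltk_hex(value: str) -> bytes:
    """Accept '0x'-prefixed, colon/space-separated or plain hex; return 16 raw bytes."""
    text = value.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    text = re.sub(r"[:\s-]", "", text)
    if not re.fullmatch(r"[0-9a-f]{32}", text):
        raise ValueError(
            f"LTK must be 16 bytes (32 hex digits), got {len(text)} hex digits"
        )
    return bytes.fromhex(text)


def is_valid_ltk_hex(value: str) -> bool:
    """True if the string parses as a 16-byte key (helper for callers/tests)."""
    try:
        normalize_ltk_hex(value)
        return True
    except ValueError:
        return False


def reverse_byte_order(key: bytes) -> bytes:
    """Reverse the key byte by byte ("2 and 2 digits"); nibbles inside a byte stay put."""
    return key[::-1]


def ltk_for_sniffer(wireshark_value: str) -> str:
    """Convert the LTK as Wireshark shows it (little endian) into the big-endian
    '0x...' form the nRF Sniffer key dialog expects."""
    return "0x" + reverse_byte_order(normalize_ltk_hex(wireshark_value)).hex()


if __name__ == "__main__":
    print("Wireshark shows:      ", LTK_RCVD_ENC_INFO)
    print("enter in nRF Sniffer: ", ltk_for_sniffer(LTK_RCVD_ENC_INFO))
```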