nRF52840 Dongle BLE Sniffing

I have nRF52840 Dongle and I want to sniff packets between two BLE devices. When I search in the Nordic DevZone forum, there are inconsistent answer about BLE sniffing support for the nRF52840 Dongle. On the "nRF Sniffer for Bluetooth LE" tool page (https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE) the device is shown as supported. Whereas, on this page (https://devzone.nordicsemi.com/f/nordic-q-a/61805/nrf52840-dongle-as-sniffer) it is written as not supported.

Would you please clarify the support and describe usage if supported.

Thank you.

Best Regards.

Parents

0 Marte Myrvold over 3 years ago

Hi,

The nRF Sniffer for Bluetooth LE is supported on the nRF52840 Dongle. You can see supported DKs and Dongles under nRF Sniffer for Bluetooth LE > Minimum requirements.

Information about installation and how to use the sniffer can be found in the documentation here: nRF Sniffer for Bluetooth LE.

Best regards,

Marte
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ilker over 3 years ago in reply to Marte Myrvold
Thanks for this. I have successfully followed the instructions and now I am able to see BLE packets in Wireshark with the provided profile.

But all I see is advertising packets.

How can I see messages between bonded/paired devices ?

The documentation says:

Run the nRF Sniffer (if not already running).

Select your device from the device list.

Enter the LTK for the bond.

But I don't have the LTK.

I also followed the "Sniffing the pairing procedure of a connection" instructions but I could not get packetrs other than advertising.

My devices pair withput a key. I just turn both devices on (reset them to force bonding) and select the device B from device A menu.

Edit:

I finally managed to sniff packets other than advertising data. But that only happens in the same session.

To continue capturing in another session, I got the LTK from the first session but I was not able to use it.

The problem is that,

1.device B starts pairing to device A

2.Then I get 2 LTKs (one is from master, the other one is from slave)

3.In the next session, device A does not advertise because it is already bonded, so I can not select it from the device list.

4. If I select device B from the list , then I try both LTK to get packets, I can not get any data other than advertising data.

What am I doing wrong ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marte Myrvold over 3 years ago in reply to ilker

Hi,

If the device is not advertising you can add the device's LE address to the device list, as explained under Add LE Address in nRF Sniffer usage.

Best regards,

Marte
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ilker over 3 years ago in reply to Marte Myrvold

Thank you.

Now I am able to get packets from that specific device.

However, I see "Encrypted packet decrypted incorrectly (bad MIC)" info

In fact, from the previous pairing session I got the LTK.

I got 2 LTKs, one from master device (sent encryption information)

value: 24c2432367ca4ba062aa2be421b233e5

one from the slave device (rcvd encryption information)

value: c4383dae339da6bb0be21f61bd7cd0b6

I tried both values entering them on the value field like 0xc4383dae339da6bb0be21f61bd7cd0b6

selecting Legacy LTK

but it is still not decrypting.

Any ideas about where am I doing wrong ?

thanks.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ilker over 3 years ago in reply to ilker

what might be wrong ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marte Myrvold over 3 years ago in reply to ilker

Hi,

It is difficult to say without looking at the sniffer trace. Can you upload it here as a pcap file?

Best regarads,

Marte
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ilker over 3 years ago in reply to ilker

ble_captures.7z

Hi,

I have captured 5 files. The first one named "pairing" includes the pairing session.

From that session following notes:

d4:9c:dd:9e:f7:5b - camera (BLE client)
94:a1:a2:25:5a:49 - remote (BLE server)

33cd8dab22a023202a7074ad2a7afc69 - rcvd encryption information (packet 7887)
b0ddb6dbfb16725a1091d08c2b547221 - sent encryption information (packet 7898)

And with these keys I tried to decrypt other sessions. Files are named tfor easy understanding.

I hope you can find my mistake.

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 ilker over 3 years ago in reply to ilker

ble_captures.7z

Hi,

I have captured 5 files. The first one named "pairing" includes the pairing session.

From that session following notes:

d4:9c:dd:9e:f7:5b - camera (BLE client)
94:a1:a2:25:5a:49 - remote (BLE server)

33cd8dab22a023202a7074ad2a7afc69 - rcvd encryption information (packet 7887)
b0ddb6dbfb16725a1091d08c2b547221 - sent encryption information (packet 7898)

And with these keys I tried to decrypt other sessions. Files are named tfor easy understanding.

I hope you can find my mistake.

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Marte Myrvold over 3 years ago in reply to ilker

Hi,

You must reverse the byte order of the LTK. Wireshark is showing the LTK as little endian, but the LTK must be provided as big endian.

Additionally, it is the LTK from the received encryption information you should use (so 33cd8dab22a023202a7074ad2a7afc69 in your case), since it is the central that starts the encryption.

Best regards,

Marte
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ilker over 3 years ago in reply to Marte Myrvold

ok. thanks.

is this 16bit ? how shouls I reverse the byte order ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marte Myrvold over 3 years ago in reply to ilker

Hi,

It is 16 bytes. You must reverse each byte, so 2 and 2 numbers. For example 33cd8dab22a023202a7074ad2a7afc69 will be 69fc7a... and so forth.

Best regards,

Marte
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel