• State Not Answered
  • Replies 5 replies
  • Subscribers 68 subscribers
  • Views 714 views
  • Users 0 members are here
Attachments (4) Download All
Nordic Case Info
  • Case ID: 292687
Options

sd_ble_gap_sec_params_reply() failed, errCode=0x8

snowuyl

I set static passkey to "123456" and enter "123456" in nRF Connect passkey request dialog. But sd_ble_gap_sec_params_reply() return 0x8 error code.

static void ble_evt_handler(ble_evt_t const* pBleEvt, void* pContext)
{
    ret_code_t errCode = NRF_SUCCESS;
    
    switch (pBleEvt->header.evt_id)
    {
        case BLE_GAP_EVT_CONNECTED:
        {
            NRF_LOG_INFO("Connected.");
            BLE_UART_SetState(BLE_NUS_STATE_CONNECT);
            errCode = bsp_indication_set(BSP_INDICATE_CONNECTED);
            if (errCode != NRF_SUCCESS) {
                NRF_LOG_WARNING("bsp_indication_set() failed, errCode=0x%x\n", errCode);
                return;
            }    

            m_cur_conn_handle = pBleEvt->evt.gap_evt.conn_handle;

            errCode = nrf_ble_qwr_conn_handle_assign(&m_qwr, m_cur_conn_handle);
            if (errCode != NRF_SUCCESS) {
                NRF_LOG_WARNING("nrf_ble_qwr_conn_handle_assign() failed, errCode=0x%x\n", errCode);
                return;
            }

            ble_gap_sec_params_t secParam;
            secParam.bond           = SEC_PARAM_BOND;
            secParam.mitm           = SEC_PARAM_MITM;
            errCode = sd_ble_gap_authenticate(m_cur_conn_handle, &secParam);
            if (errCode != NRF_SUCCESS) {
                NRF_LOG_WARNING("sd_ble_gap_authenticate() failed, errCode=0x%x\n", errCode);
                return;
            }
        }    
        break;

        case BLE_GAP_EVT_DISCONNECTED:
            if (fstorageGetState() == FSTORAGE_STATE_ERASED) {
                fstorageWaitUpdateRecordFinish();
            }
            NRF_LOG_INFO("Disconnected.");
            BLE_UART_SetState(BLE_NUS_STATE_DISCONNECT);
            m_cur_conn_handle = BLE_CONN_HANDLE_INVALID;
            break;

        case BLE_GAP_EVT_SEC_PARAMS_REQUEST:
            NRF_LOG_INFO("BLE_GAP_EVT_SEC_PARAMS_REQUEST\n");
            ble_gap_sec_params_t secParam;
            securityParametersGet(&secParam);
            errCode = sd_ble_gap_sec_params_reply(m_cur_conn_handle,
                                                  BLE_GAP_SEC_STATUS_SUCCESS,
                                                  &secParam,
                                                  NULL);
            if (errCode != NRF_SUCCESS) {
                NRF_LOG_WARNING("sd_ble_gap_sec_params_reply() failed, errCode=0x%x\n", errCode);
                return;
            }
            break;

        case BLE_GAP_EVT_AUTH_STATUS:
            NRF_LOG_INFO("BLE_GAP_EVT_AUTH_STATUS\n");
            if (pBleEvt->evt.gap_evt.params.auth_status.auth_status != BLE_GAP_SEC_STATUS_SUCCESS) {
                errCode = sd_ble_gap_disconnect(m_cur_conn_handle,
                                                BLE_HCI_REMOTE_USER_TERMINATED_CONNECTION);
                if (errCode != NRF_SUCCESS) {
                    NRF_LOG_WARNING("sd_ble_gap_disconnect() failed, errCode=0x%x\n", errCode);
                    return;
                }
            }    
            break;

        default:
            // No implementation needed.
            break;
    }
}

log messages:

 0> <info> app: Version 1.0.0
 0>
 0> <info> app: ========| flash info |========
 0> <info> app: erase unit:   4096 bytes
 0> <info> app: program unit: 4 bytes
 0> <info> app: end address: 0x7FFFF
 0> <info> app: ==============================
 0> <info> app_timer: RTC: initialized.
 0> <debug> app: NOR_DATA_PERIOD=819
 0>
 0> <debug> app: NOR_RECORD_PERIOD=8192
 0>
 0> <info> app: bsp_button_longkey_handler 0.
 0> <warning> app: Battery volage 495mV is too low
 0>
 0> <warning> app: Battery volage 93mV is too low
 0>
 0> <warning> app: Battery volage 8mV is too low
 0>
 0> <warning> app: Battery volage 0mV is too low
 0>
 0> <debug> app: Battery volage 4058mV
 0>
 0> <info> app: POWER_ON.
 0> <info> app: External devices initializing start
 0> <info> app: External devices initializing finish
 0> <info> app: bsp_button_longkey_handler 1.
 0> <debug> nrf_ble_gatt: Requesting to update ATT MTU to 185 bytes on connection 0x0.
 0> <info> app: Connected.
 0> <debug> app: state=1
 0>
 0> <debug> nrf_ble_gatt: ATT MTU updated to 185 bytes on connection 0x0 (response).
 0> <info> app: BLE_GAP_EVT_SEC_PARAMS_REQUEST
 0>
 0> <warning> app: sd_ble_gap_sec_params_reply() failed, errCode=0x8
 0>
 0> <info> app: Connection secured: role: 1, conn_handle: 0x0, procedure: 2.
 0> <info> app: BLE_GAP_EVT_AUTH_STATUS

  • 0 in reply to snowuyl

    Fullscreen 4062.security.c Download 
    #include "sdk_config.h"
#include "advertising.h"
#include "ble_conn_state.h"
#include "error.h"
#include "fds.h"
#include "nrf_log.h"
#include "peer_manager.h"
#include "peer_manager_handler.h"
#include "peer_manager_types.h"
#include "security.h"

static void _pmEvtHandler(pm_evt_t const * pEvt) {
    ret_code_t errCode;

    switch (pEvt->evt_id) {
        case PM_EVT_BONDED_PEER_CONNECTED:
        {
            NRF_LOG_INFO("Connected to a previously bonded device.");
        } break;

        case PM_EVT_CONN_SEC_SUCCEEDED:
        {
            NRF_LOG_INFO("Connection secured: role: %d, conn_handle: 0x%x, procedure: %d.",
                         ble_conn_state_role(pEvt->conn_handle),
                         pEvt->conn_handle,
                         pEvt->params.conn_sec_succeeded.procedure);
        } break;


        case PM_EVT_CONN_SEC_FAILED:
        {
            NRF_LOG_INFO("Faield to secure connection with handle 0%x.", pEvt->conn_handle);
            errCode = sd_ble_gap_disconnect(pEvt->conn_handle,
                                      BLE_HCI_REMOTE_USER_TERMINATED_CONNECTION);
            if (errCode != NRF_ERROR_INVALID_STATE)
            {
                APP_ERROR_CHECK(errCode);
            }
            //pEvt->conn_handle = BLE_CONN_HANDLE_INVALID;
            /* Often, when securing fails, it shouldn't be restarted, for security reasons.
             * Other times, it can be restarted directly.
             * Sometimes it can be restarted, but only after changing some Security Parameters.
             * Sometimes, it cannot be restarted until the link is disconnected and reconnected.
             * Sometimes it is impossible, to secure the link, or the peer device does not support it.
             * How to handle this error is highly application dependent. */
        } break;

        case PM_EVT_CONN_SEC_CONFIG_REQ:
        {
            // Reject pairing request from an already bonded peer.
            pm_conn_sec_config_t conn_sec_config = {.allow_repairing = false};
            pm_conn_sec_config_reply(pEvt->conn_handle, &conn_sec_config);
        } break;

        case PM_EVT_STORAGE_FULL:
        {
            // Run garbage collection on the flash.
            errCode = fds_gc();
            if (errCode == FDS_ERR_NO_SPACE_IN_QUEUES)
            {
                // Retry.
            }
            else
            {
                APP_ERROR_CHECK(errCode);
            }
        } break;

        case PM_EVT_PEERS_DELETE_SUCCEEDED:
        {
            NRF_LOG_DEBUG("PM_EVT_PEERS_DELETE_SUCCEEDED");
            advertisingStart();
        } break;

        case PM_EVT_PEER_DATA_UPDATE_FAILED:
        {
            // Assert.
            APP_ERROR_CHECK(pEvt->params.peer_data_update_failed.error);
        } break;

        case PM_EVT_PEER_DELETE_FAILED:
        {
            // Assert.
            APP_ERROR_CHECK(pEvt->params.peer_delete_failed.error);
        } break;

        case PM_EVT_PEERS_DELETE_FAILED:
        {
            // Assert.
            APP_ERROR_CHECK(pEvt->params.peers_delete_failed_evt.error);
        } break;

        case PM_EVT_ERROR_UNEXPECTED:
        {
            // Assert.
            APP_ERROR_CHECK(pEvt->params.error_unexpected.error);
        } break;

        case PM_EVT_CONN_SEC_START:
        case PM_EVT_PEER_DATA_UPDATE_SUCCEEDED:
        case PM_EVT_PEER_DELETE_SUCCEEDED:
        case PM_EVT_LOCAL_DB_CACHE_APPLIED:
        case PM_EVT_LOCAL_DB_CACHE_APPLY_FAILED:
            // This can happen when the local DB has changed.
        case PM_EVT_SERVICE_CHANGED_IND_SENT:
        case PM_EVT_SERVICE_CHANGED_IND_CONFIRMED:
        default:
            break;
    }
}


/**@brief Function for the Peer Manager initialization.
 */
int peerManagerInit(const bool eraseBonds) {
    ble_gap_sec_params_t secParam;
    ret_code_t errCode;
    
    errCode = pm_init();
    if (errCode != NRF_SUCCESS) {
        NRF_LOG_WARNING("pm_init() failed, errCode=0x%x\n", errCode);
        return ERROR_PEER_MANAGER_INITIALIZE_FAIL;
    }    
     
    if (eraseBonds) {
        errCode = pm_peers_delete();
        if (errCode != NRF_SUCCESS) {
            NRF_LOG_WARNING("pm_peers_delete() failed, errCode=0x%x\n", errCode);
            return ERROR_PEER_MANAGER_INITIALIZE_FAIL;
        } 
    }

    securityParametersGet(&secParam);
    
        
        errCode = pm_sec_params_set(&secParam);
        if (errCode != NRF_SUCCESS) {
            NRF_LOG_WARNING("pm_sec_params_set() failed, errCode=0x%x\n", errCode);
            return ERROR_PEER_MANAGER_INITIALIZE_FAIL;
        } 
    
        errCode = pm_register(_pmEvtHandler);
        if (errCode != NRF_SUCCESS) {
            NRF_LOG_WARNING("pm_register() failed, errCode=0x%x\n", errCode);
            return ERROR_PEER_MANAGER_INITIALIZE_FAIL;
        } 

    return 0;
}

void securityParametersGet(ble_gap_sec_params_t* pSecParam) {
    memset(pSecParam, 0, sizeof(ble_gap_sec_params_t));
    
    // Security parameters to be used for all security procedures.
    pSecParam->bond           = SEC_PARAM_BOND;
    pSecParam->mitm           = SEC_PARAM_MITM;
    pSecParam->lesc           = SEC_PARAM_LESC;
    pSecParam->keypress       = SEC_PARAM_KEYPRESS;
    pSecParam->io_caps        = SEC_PARAM_IO_CAPABILITIES;
    pSecParam->oob            = SEC_PARAM_OOB;
    pSecParam->min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
    pSecParam->max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
    pSecParam->kdist_own.enc  = 1;
    pSecParam->kdist_own.id   = 1;
    pSecParam->kdist_peer.enc = 1;
    pSecParam->kdist_peer.id  = 1;
    
}
    2818.gap.h
    Fullscreen 8765.gap.c Download 
    #include "sdk_config.h"
#include "ble.h"
#include "ble_conn_params.h"
#include "ble_gap.h"
#include "gap.h"
#include "error.h"
#include "nrf_log.h"

#define DEVICE_NAME       "ANCS2"                         /**< Name of the device. Will be included in the advertising data. */
#define STATIC_PASSKEY    "123456"                        /**< Static passkey. */
#define MIN_CONN_INTERVAL MSEC_TO_UNITS(15, UNIT_1_25_MS) /**< Minimum acceptable connection interval (0.5 seconds). */
#define MAX_CONN_INTERVAL MSEC_TO_UNITS(30, UNIT_1_25_MS) /**< Maximum acceptable connection interval (1 second). */
#define SLAVE_LATENCY     0                               /**< Slave latency. */
#define CONN_SUP_TIMEOUT  MSEC_TO_UNITS(3000, UNIT_10_MS) /**< Connection supervisory time-out (4 seconds). */

static ble_opt_t _gStaticPasskeyOption;	/**< Pointer to the struct containing static pin option. */

/**@brief Function for initializing GAP connection parameters.
 *
 * @details Use this function to set up all necessary GAP (Generic Access Profile)
 *          parameters of the device. It also sets the permissions and appearance.
 */
int gapParamsInit(void) {
    ret_code_t              errCode;
    ble_gap_conn_params_t   gapConnParams;
    ble_gap_conn_sec_mode_t secMode;

    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&secMode);

    errCode = sd_ble_gap_device_name_set(&secMode, (const uint8_t *)DEVICE_NAME, strlen(DEVICE_NAME));
    if (errCode != NRF_SUCCESS) {
        NRF_LOG_WARNING("sd_ble_gap_device_name_set() failed, errCode=0x%x", errCode);
        return ERROR_GAP_INITIALIZE_FAIL;
    }

    memset(&gapConnParams, 0, sizeof(gapConnParams));

    gapConnParams.min_conn_interval = MIN_CONN_INTERVAL;
    gapConnParams.max_conn_interval = MAX_CONN_INTERVAL;
    gapConnParams.slave_latency     = SLAVE_LATENCY;
    gapConnParams.conn_sup_timeout  = CONN_SUP_TIMEOUT;

    errCode = sd_ble_gap_ppcp_set(&gapConnParams);
    if (errCode != NRF_SUCCESS) {
        NRF_LOG_WARNING("sd_ble_gap_ppcp_set() failed, errCode=0x%x", errCode);
        return ERROR_GAP_INITIALIZE_FAIL;
    }

    uint8_t passkey[] = STATIC_PASSKEY;
	_gStaticPasskeyOption.gap_opt.passkey.p_passkey = passkey;
	errCode = sd_ble_opt_set(BLE_GAP_OPT_PASSKEY, &_gStaticPasskeyOption);
	if (errCode != NRF_SUCCESS) {
        NRF_LOG_WARNING("sd_ble_opt_set() failed, errCode=0x%x", errCode);
        return ERROR_GAP_INITIALIZE_FAIL;
    }

    return 0;
}
    3007.security.h

  • 0

    Hello,

    Error 0x08 means NRF_ERROR_INVALID_STATE, meaning that the other device has not requested a 6-digit passkey at this point in time, which is correct. 

    When two devices pair using a 6-digit passkey, one of the devices will provide/display this code, while the other device should enter what is provided/displayed. 

    If you didn't change anything in the file security_dispatcher.c (you should not change anything there), then you don't need to do anything else in the BLE_GAP_EVT_SEC_PARAMS_REQUEST event.

    One example that uses 6-digit passkeys (but not static) is the ble_app_gls example. You can see there that it doesn't do anything in the BLE_GAP_EVT_SEC_PARAMS_REQUEST event, other than printing something to the log.

    You can however, try to add the BLE_GAP_EVT_PASSKEY_DISPLAY event, and see if that triggers. Look at the implementation from ble_evt_handler in the ble_app_gls example.

    BR,

    Edvin

  • 0 in reply to Edvin

    Thanks for your suggestion! I didn't change anything in the file security_dispatcher.c. And I have removed handling for BLE_GAP_EVT_SEC_PARAMS_REQUEST event.


    static void ble_evt_handler(ble_evt_t const* pBleEvt, void* pContext)
    {
        switch (pBleEvt->header.evt_id)
        {
            case BLE_GAP_EVT_SEC_PARAMS_REQUEST:
            {
                NRF_LOG_INFO("BLE_GAP_EVT_SEC_PARAMS_REQUEST\n");
            }
            break;
            ...
        }
    }

    log messages:
     0> <info> app: POWER_ON.
     0> <info> app: External devices initializing start
     0> <info> app: External devices initializing finish
     0> <info> app: bsp_button_longkey_handler 1.
     0> <debug> nrf_ble_gatt: Requesting to update ATT MTU to 185 bytes on connection 0x0.
     0> <info> app: Connected.
     0> <debug> app: state=1
     0>
     0> <debug> nrf_ble_gatt: ATT MTU updated to 185 bytes on connection 0x0 (response).
     0> <info> app: BLE_GAP_EVT_SEC_PARAMS_REQUEST
     0>
     0> <info> app: Connection secured: role: 1, conn_handle: 0x0, procedure: 2.
     0> <info> app: BLE_GAP_EVT_AUTH_STATUS
     0>

  • 0 in reply to snowuyl

    Good stuff,

    When you see the line "Connection secured: role: 1, conn_handle: 0x0, procedure: 2." which is printed from the event PM_EVT_CONN_SEC_SUCCEEDED in peer_manager_handler.c, it means that the link is encrypted. Role 1 means that peripheral, conn_handle is just the connection handle that is encrypted (only relevant if you have several concurrent connections), and procedure:2 means pairing. 

    Best regards,

    Edvin

Related