How to enable sniffer decryption on nrf5340 ADK

I have an Ellisys Bluetooth Explorer 400 sniffer and am trying to sniff the ISO audio data between nrf5340 ADK boards. I enabled CONFIG_BT_LOG_SNIFFER_INFO, CONFIG_BT_DEBUG_KEYS and CONFIG_BT_DEBUG_SMP. This allows me to see in the debug logs a bunch of the different keys used for establishing encryption. But it is hard to tell which is the Link Key, and, worse, my sniffer says it isn’t getting enough info over the air to even make use of the Link Key if I provided it. See the below screenshot.

I’m surprised the ADK docs don’t seem to provide a simple “switch” or process for enabling sniffer decryption. Sniffing the traffic is a fundamental part of analysis and development. Am I missing something here?

Thanks,
Chris

  • Hello Chris,

    Are you certain that the Ellisys Explorer 400 has the capability to sniff Isochronous channel traffic?
    I took a look through the product specification of the Explorer versus the Vanguard and I could find no mention of Isochronous channel sniffing in the Explorer's datasheet, while the Vanguard details how it is able to sniff isochronous traffic.
    I think I would check with Ellisys directly, to find out whether or not it has this capability, unless you know it to have this capability already.

    Additionally, it is the CONFIG_BT_LOG_SNIFFER_INFO define that causes the Long-term key (LTK) to be output to the terminal, so you should need no more than that to be able to sniff an encrypted link after it has already been established.

    Best regards,
    Karl

  • Hi Karl,

    Yes, I am certain the Explorer 400 can sniff isochronous traffic. Ellisys updated the SW for LE Audio, and I’ve used it with other LE Audio platforms. 

    I first tried getting the key by just enabling CONFIG_BT_LOG_SNIFFER_INFO (and not the other two) but didn’t see the key printed out. But, I’ll try that again to see if I was just somehow missing something. Should it get printed out for both the gateway and headset devices?

    Maybe I’ll also ask Ellisys about their mysterious “information is missing” message.

    Thanks,

    Chris

  • Hello again, Chris

    cwhit said:
    Yes, I am certain the Explorer 400 can sniff isochronous traffic. Ellisys updated the SW for LE Audio, and I’ve used it with other LE Audio platforms. 

    Aha, that's good news. Then I would reach out to Ellisys about the 'information is missing' message, and ask if there is any difference in the approach for using the Explorer to sniff isochronous channel traffic.
    Just for the record, are you attempting to sniff a Connected Isochronous stream, or a Broadcast Isochronous stream? 

    cwhit said:
    I first tried getting the key by just enabling CONFIG_BT_LOG_SNIFFER_INFO (and not the other two) but didn’t see the key printed out. But, I’ll try that again to see if I was just somehow missing something. Should it get printed out for both the gateway and headset devices?

    Are you using the provided LE Audio controller for these tests? 
    If so, I will have to check whether printout of the LTKs is supported by the LE Audio controller.

    Alternatively, the sniffer should always be able to sniff the connection either way as long as it is present for the establishment of the link so that it can pick up the key directly. This would mean that if you hold off on the pairing until you have found and homed in on the peripheral device in the sniffer interface, you should be able to see all the traffic from there on out.
    The LTK is primarily needed for when you are debugging a previously bonded connection.

    Best regards,
    Karl

  • Hi Karl,

    Yes, I'm using the provided LE Audio controller (ble5-ctr-rpmsg_3251.hex). I'm running your gateway and headset examples and flashing both the app and net cpu images using the buildprog.py script.

    I've been careful to get the sniffer running before establishing the link between boards, because I am indeed familiar with the need to do this.

    Can you send me an example UART log printout that shows what it looks like when the LTK is printed out? It would be helpful to have this reference.

    Thanks,
    Chris

  • Hello again, Chris

    Thank you for providing the additional information.

    Apologies, it seems that I forgot to mention that you must also enable the HCI debug logging; it should look like this:

    CONFIG_BT_LOG_SNIFFER_INFO=y
    CONFIG_BT_DEBUG_LOG=y

    I mentioned this to some colleagues, and they mentioned that you can set

    # Enable these to get a predefined LTK, makes sniffing easier
    # Should not be enabled on server as they will cause a CMake Warning
    CONFIG_BT_TINYCRYPT_ECC=y
    CONFIG_BT_USE_DEBUG_KEYS=y

    in your prj.conf to make it easier to sniff with the Ellisys sniffers, because this will make the connection use a preset key which the Ellisys already knows. Try this, and see if this makes the Ellisys sniffer capable of sniffing the connection.

    Best regards,
    Karl
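A check a practitioner would want alongside this advice, as an added example that is not from the thread, Nordic or Ellisys: a small Python lint that parses Zephyr-style .conf fragments (base prj.conf plus overlays, including `# CONFIG_X is not set` lines) and reports the key-exposing options discussed above, so debug keys and LTK logging stay confined to debug builds and never reach a release image. The option list, the sample prj.conf and the release overlay are constructed for this example.

```python
"""Lint Zephyr .conf fragments for options that make a BLE link sniffable."""
import re

# Options from this thread that expose link keys (reasons are the poster's).
SNIFF_OPTIONS = {
    "CONFIG_BT_LOG_SNIFFER_INFO": "prints the LTK on the UART console",
    "CONFIG_BT_USE_DEBUG_KEYS": "pairs with the well-known debug key pair",
    "CONFIG_BT_DEBUG_KEYS": "logs SMP key material",
    "CONFIG_BT_DEBUG_SMP": "logs SMP pairing internals",
}

_ASSIGN = re.compile(r"^(CONFIG_[A-Z0-9_]+)\s*=\s*(.*?)\s*$")
_NOT_SET = re.compile(r"^#\s*(CONFIG_[A-Z0-9_]+) is not set$")


def parse_conf(text):
    """Return {symbol: value}; a later line overrides an earlier one."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _NOT_SET.match(line)
        if m:                      # Kconfig spelling of "=n"
            values[m.group(1)] = "n"
            continue
        m = _ASSIGN.match(line)
        if not m or line.startswith("#"):
            continue
        sym, val = m.group(1), m.group(2)
        if val.startswith('"'):    # quoted string: '#' inside is not a comment
            end = val.rfind('"')
            val = val[1:end] if end > 0 else val[1:]
        else:                      # bare value: drop a trailing comment
            val = val.split("#", 1)[0].strip()
        values[sym] = val
    return values


def lint_release(prj_conf, *overlays):
    """Merge base + overlays and list sniff-enabling options still set to y."""
    merged = parse_conf(prj_conf)
    for overlay in overlays:
        merged.update(parse_conf(overlay))
    return [sym for sym in SNIFF_OPTIONS if merged.get(sym) == "y"]


# Constructed sample: the debug settings from the thread, then a release overlay.
DEBUG_PRJ_CONF = """CONFIG_BT=y
CONFIG_BT_LOG_SNIFFER_INFO=y
CONFIG_BT_DEBUG_LOG=y
CONFIG_BT_TINYCRYPT_ECC=y
CONFIG_BT_USE_DEBUG_KEYS=y  # predefined LTK for the sniffer
CONFIG_BT_DEVICE_NAME="Headset # test"
"""
RELEASE_OVERLAY = """# CONFIG_BT_LOG_SNIFFER_INFO is not set
CONFIG_BT_USE_DEBUG_KEYS=n
"""
```

`lint_release(DEBUG_PRJ_CONF)` names the two options that must not ship, while `lint_release(DEBUG_PRJ_CONF, RELEASE_OVERLAY)` returns an empty list, which is the state a release build should be gated on.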
