BLE Just Works on nrf52832 and NRF Connect

Hi, I am working on something that requires me to use Just Works on nrf52832 custom board. Here is the work sccenario. under normal conditions, my module has a bonding PIN and the user is supposed to enter the PIN on his application to get data. My NRF module is a peripheral and i have enabled following in the prj.conf.



I have registered the necessary callbacks too.

What I now need to implement is a functionality which allows user to bond without a PIN temporarily after a button press. I assume BLE Just Works is what I need for this purpose. But I am open to any other suggestions or new perspectives to get this done.Thanks in advance.

  • Hi Midhunjac, 

    To be able to change the capability of the device to not have passkey (no display and keyboard) what you need to do is to 

    bt_conn_auth_cb_register() with NULL input to remove the callback. Then you recall the bt_conn_auth_cb_register() without the display or confirm or entry callback. 

    However we need to look at how you define your characteristics as well. Because in the characteristic definitions you also define the minimum level of security to access the characteristics. If you set it to requires MITM, having Just work bonding would not be enough to allow accessing the characteristics. 
    If it's the case you may want to reinitalize the characteristic with new parameter. 
  • I tried your suggestion but it didnt work. When I tried out what you suggested, the bonding failed. These are the logs.

    <inf>: Connected 68:4A:E9:DC:F3:BC (public)
    <wrn>: Security failed: 68:4A:E9:DC:F3:BC (public) level 1 err 4
    <inf> migration1: Pairing failed conn: 68:4A:E9:DC:F3:BC (public), reason 4
    <inf>: Disconnected: 68:4A:E9:DC:F3:BC (public) (reason 19)
    <inf>:Disconnected 68:4A:E9:DC:F3:BC (public) :
    I am sure it must be a mistake on my side. Can you please take a look at this ? Isn't this how you suggested that I do ? Just to make sure that we are not misunderstanding each other, I am using NCSv2.1.0 and for testing purposes, I have switched to the basic peripheral UART example. So the characteristics of that particular service applies now. What I am testing is if I can bond with the peripheral without a passkey. I am not trying to access any particular characteristic. I just want to bond with the peripheral straight away.

    /*some code*/
    err = bt_conn_auth_cb_register(NULL);
    err = bt_conn_auth_cb_register(&conn_auth_callbacks);
    /* some code */
    static struct bt_conn_auth_cb conn_auth_callbacks = {
    		.cancel = auth_cancel,

    Tried adding the bt_conn_auth_cb_register() with the passkey display and passkey entry and passkey confirm callbacks set to NULL. That didnt work out too.

  • Hi Midhunjac, 

    To sum up what you described:

    - You have two binary images. One image supports Just work and the other image supports fixed passkey. 

    - When you flash the Fixed passkey to replace the Just work (step 2) it worked fine, you can make new bonding

    - When you flash the Just work back to replace the Fixed passkey it didn't work. 

    Please be aware that CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y only allow replacement of unauthorized (Just Work) bonding. So you can't replace bonding automatically if the bonding was done with Passkey. 

    You would need to clear the bond either by erasing the chip or by the application itself. To make sure you have erased the chip, please use nrfjprog (or nRF Connect for desktop) and erase the chip. In VS Code you need to click the one with 2 arrows on the right hand side not the icon next to the "Flash" text.

    Could you explain what you are trying to achieve ? I thought you want to have a button to allow new bond without passkey. This means one single image can handle Just Work and Passkey depends on the state of the button? 
    Do  you still have an issue with my example ? 

  • Hi, you are right about my final goal. I want a button press event to allow both Just Work and passkey states. But it does not work. The example that you provided also did not yield any success. The button press events are registered but it does not allow the Just Work method. The two separate images were just part of debugging, to get a better clarity.

    But the summary you derived is not quite right. I will make myself clear.

    • First I flash the Just Works image. It works fine. (No passkey,just bonded fine) (log 1)
    • Next i flashed the Fixed passkey image. It works fine too.(Prompted to enter passkey. If passkey is right, bonded) (log 2)
    • Finally, flash the Just Works image again. This time it does not work as it worked in the first iteration.(log 3)

    As for the extension in VS code, I had been using the icon next to "flash". Maybe that explains my observation in the above three iterations. I will give the icon you mentioned a try and see if the situation changes.

    Please be aware that CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y only allow replacement of unauthorized (Just Work) bonding. So you can't replace bonding automatically if the bonding was done with Passkey. 

    Can you please elaborate on this ? Or can you point me to a document which explains what this is and its application? This seems to do what I want but somehow it feels like this is not the right way to implement Just Works.

    Also, what is the correct way to get Just Works working ?My characteristics do not require any encryption at all yet Just Works does not seem to work. Thank you for the help.

  • Hi again, 

    You can read about the CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE here. For any KConfig configuration you can search there.

    Basically when you enable this option, it allow a device that you already bonded can make another bond. Just like what you did in Step 2 and 3. 
    However this option only allow overwriting when the previous bond is UNAUTHORIZED (Just work) At step 3 , the previous bond as Passkey so it not allowed to overwrite the bond without erasing it first. 

    Please try to test my example again and list how you tested it and what you observed. 
    My suggestion is: 

    - First use nRF Connect to connect and bond, you should see a passkey appear and you need to press button 1 on the board to confirm the pass key (numeric comparison)

    - Disconnect

    - Press button 3 to erase bond

    - Press button 4 to change mode

    - Use nRF Connect to connect, then bond. You will see a pop up asking to pair, but no passkey, you don't have to press anything on the DK , only on the phone. This is Just work pairing. 

    If you still have issue please try to capture the sniffer trace. You don't need to install the Sniffer API, just need to follow what in the documentation. 

  • Hi,

    Thank you for the help. It works now as you described above.. Maybe i was using the wrong button for flashing the device in the VS code. There needs to be a few changes though. As I said, my module has a static passkey and the user should enter that passkey to bond. Not the other way round as it is in your example.

    normal conditions, my module has a bonding PIN and the user is supposed to enter the PIN on his application to get data. My NRF module is a peripheral and i have enabled following in the prj.conf.

    The way I understand, for the module to work like that, we need to set CONFIG_BT_FIXED_PASSKEY and CONFIG_BT_SMP to 'y'. right ?

    But if we do that, is there some way I can switch mode to Just Works during run time as I think that these configuration options blocks the working of Just Works ? I am aware that they are build configurations and may not be modifiable during runtime but is there any chance of achieving this ? Thanks again for helping me through this.

  • Hi Midhunjac, 

    No I don't see a problem with the configuration. A device can support both passkey and Just work. You can configure with passkey in the prj.conf and then if in the code you don't supply the callback for display then only Just work allowed.

Reply Children
  • Hi  

    Are you sure about that ? Because I made the above two changes to the prj.conf and deleted the display callback. Now I can set my passkey on the module with bt_passkey_set(). It works fine. I have to enter the said passkey in nrf connect application to bond. But now I cannot switch to Just Works with the changes you attached. The nrf connect will still prompt me to enter the preset passkey even after pressing the Button 4. Is there anything I am missing? Can you confirm this behavior at your end please? These are my callbacks and prj.conf configurations.

    static struct bt_conn_auth_cb conn_auth_callbacks = {
    	//.passkey_display = auth_passkey_display,
    	.passkey_confirm = auth_passkey_confirm,
    	.cancel = auth_cancel,
    static struct bt_conn_auth_cb conn_auth_callbacks2 = {
    	.cancel = auth_cancel,
    static struct bt_conn_auth_info_cb conn_auth_info_callbacks = {
    	.pairing_complete = pairing_complete,
    	.pairing_failed = pairing_failed

  • Hi, 

    Do this when in button 4 handler (before bt_conn_auth_cb_register calls)  and it should work: 

  • Hi,

    I did as instructed, but nothing much has changed except for on thing. Here are the two cases that I have tried.

    1) Establish a bond first with passkey and then try Just Works.

    • The passkey bonding works fine. But if I try to switch to Just Works, the bonding attempt fails without any error message. It just shows 'NOT BONDED' in the nrf connect. But from what I understand by examining the flags set, it seems like the module is still remembering the previous connections.

    2) Establish a bond first using Just Works. Unpair it from the nrf connect. Try pairing again using Just Works

    • The first time pairing using Just Works works fine. The device is paired. The second time the pairing using the same callbacks and same methods will be unsuccessful.

    Below is the snippet that I use with a custom function.

    static struct bt_conn_auth_cb conn_auth_callbacks = {
    	//.passkey_display = auth_passkey_display,
    	.passkey_confirm = auth_passkey_confirm,
    	.cancel = auth_cancel,
    static struct bt_conn_auth_cb conn_auth_callbacks2 = {
    	.cancel = auth_cancel,
    static struct bt_conn_auth_info_cb conn_auth_info_callbacks = {
    	.pairing_complete = pairing_complete,
    	.pairing_failed = pairing_failed
    void update()
        LOG_INF("Update ble pairing");
       // bt_unpair(BT_ID_DEFAULT,NULL);// including this line results in system crash

    Also, whenever I use bt_unpair function, the system crashes immediately with the following message

    ASSERTION FAIL [!arch_is_in_isr()] @ WEST_TOPDIR/zephyr/kernel/mutex.c:101
            mutexes cannot be used inside ISRs
    *** Booting Zephyr OS build v3.1.99-ncs1  ***
    Starting Nordic UART service example

    From what I've observed, whenever there is a previously established bond, if we try to unpair using bt_unpair(), this assertion fails. If there are no previous bonds, there is no problem.

    So, all the testing that I did above was done without invoking the bt_unpair(). But the bonding information from the nrf connect was deleted after each successful bonding. Is this why the module was still 'remembering' its previous state ? But even if that was the case, isnt the case (2) supposed to work ?

    Can you please explain this behavior ? Is there something wrong I am doing ? I do not seem to understand the issue here. Thanks a lot for helping me out.

  • Hi, Just to add to the my previous observations, here is the wireshark capture for the events. The file 'capture_whole_new.pcapng' contains the packets for the test case 1 described above. capture_whole_new.pcapng

  • Hi, 

    Have you tried with my example ? When you press button 3 on the kit would the bond information be deleted ? 

    Please do a chip erase before testing. 
