nRF52840 Cannot Sniff Encrypted Connection

I am trying to sniff the connection between my Garmin fitness watch and the Garmin app on my Android phone.  I can see the advertisements, and when I initiate pairing I can see the pairing happening.  But once the encrypted connection is established, Wireshark only shows a series of “Encrypted packet decrypted incorrectly (bad MIC)”.  I know traffic is occurring because I can see my heart rate on the phone.  I have read a number of similar cases on DevZone and I have not seen a solution.
Here is my process:

  1. From the phone, ensure that the watch is not paired.
  2. Plug the nRF52840 dongle into a USB extension cable, and plug the cable into a USB port on the computer. The cable is to allow me to place the dongle between the watch and the phone, but it makes no difference if I plug the dongle directly into the computer.
  3. Launch Wireshark. I start to see advertising traffic.
  4. Select my watch in the Device dropdown.
  5. Initiate pairing from the watch. Then from the phone app, I have to click “add device”.
  6. The watch displays a 6 digit code. I enter that code in Wireshark as a “Legacy Passkey” and press enter, then enter the same code in the phone app.
  7. At this point I can see much traffic in Wireshark, including “Sent Pairing Request”, “Received Pairing Response”, several sets of “Sent Pairing Confirm” and “Rcvd Pairing Confirm”, “Sent Pairing DHKey Check” and “Rcvd Pairing DHKey Check”, LL_ENC_REQ, LL_ENC_RSP, and LL_START_ENC_REQ. But as soon as the LL_START_ENC_REQ is sent, everything after that is “Encrypted packet decrypted incorrectly (bad MIC)” and eventually there are no more packets.

A Wireshark capture is attached. The problem occurs at packet 6066.

Pairing_Capture.pcapng

Here is my setup.

Windows 11

nRF52840 Dongle with nRF Sniffer for Bluetooth LE version 4.1.1

Wireshark 4.0.2
What can I do to be able to see the traffic once pairing is complete?

  • Hello,

    Unfortunately, a BT sniffer will not be able to pick up the encryption key when the devices use LE secure connections pairing (LESC) to establish the bond like in your case.  LESC uses a Diffie-Hellman key exchange that protects against passive eavesdropping.  For comparison, with LE Legacy pairing, the encryption key would be sent in cleartext on air, making it easy for a passive sniffer to retrieve the key. 

    If you have a spare DK/Dongle, you may try to use the nRF Connect Bluetooth Low Energy app in nRF Connect for Desktop. This allows you to configure the security capabilities for pairing so you can force LE legacy pairing mode. 

    Initiate Pairing in nRF Connect Bluetooth Low Energy app

    Best regards,

    Vidar

  • Thanks, Vidar.  A couple of followup questions:

    1. I wasn't aware that the watch is using LESC.  How can you tell?  Is it from the "Secure Connection Flag" in the pairing request (packet 3053)?

    2. I don't have a spare dongle, but I thought I would at least try the nRF Connect Bluetooth Low Energy app as you suggested.  But I am getting an error as shown in the attached screenshot and log file.  Does this indicate a problem with the dongle?

    2023-01-05T18:28:06.856Z DEBUG Application data folder: C:\Users\steph\AppData\Roaming\nrfconnect-bluetooth-low-energy\bundle
    2023-01-05T18:28:06.951Z INFO Using nrf-device-lib-js version: 0.4.4
    2023-01-05T18:28:06.952Z INFO Using nrf-device-lib version: 0.10.3
    2023-01-05T18:28:06.952Z INFO Using nrfjprog DLL version: 10.15.1
    2023-01-05T18:28:06.952Z INFO Using JLink version: JLink_V7.66a
    2023-01-05T18:28:06.977Z DEBUG App pc-nrfconnect-ble v4.0.4 official
    2023-01-05T18:28:06.977Z DEBUG App path: C:\Users\steph\AppData\Local\Programs\nrfconnect-bluetooth-low-energy\resources\app.asar\resources/bundle/
    2023-01-05T18:28:06.977Z DEBUG nRFConnect 4.0.4, required by the app is (^3.8.0)
    2023-01-05T18:28:06.977Z DEBUG nRFConnect path: C:\Users\steph\AppData\Local\Programs\nrfconnect-bluetooth-low-energy\resources\app.asar
    2023-01-05T18:28:06.977Z DEBUG HomeDir: C:\Users\steph
    2023-01-05T18:28:06.977Z DEBUG TmpDir: C:\Users\steph\AppData\Local\Temp
    2023-01-05T18:28:07.002Z INFO Updated list of uuids with data from https://github.com/NordicSemiconductor/bluetooth-numbers-database/tree/master/v1
    2023-01-05T18:28:29.916Z INFO Selected device with s/n A28A421EF8D5A30A
    2023-01-05T18:28:29.921Z INFO Device setup completed
    2023-01-05T18:28:29.921Z INFO Connectivity firmware version: ble-connectivity 4.1.4+Mar-11-2021-08-36-04. SoftDevice API version: 5. Baud rate: 1000000.
    2023-01-05T18:28:29.922Z INFO Opening adapter connected to COM4
    2023-01-05T18:28:30.881Z INFO Successfully opened COM4. Baud rate: 1000000. Flow control: none. Parity: none.
    2023-01-05T18:28:30.881Z DEBUG State change: STATE_START -> STATE_RESET
    2023-01-05T18:28:30.882Z DEBUG        1 ->  [N/A] type:          RESERVED_5 reliable: no seq#:0 ack#:0 payload_length:0 data_integrity:0 err_code:0x0
    2023-01-05T18:28:30.885Z INFO Reset performed on adapter COM4
    2023-01-05T18:28:31.181Z DEBUG State change: STATE_RESET -> STATE_UNINITIALIZED
    2023-01-05T18:28:31.181Z DEBUG        2 ->  [01 7e ] type: LINK_CONTROL_PACKET reliable: no seq#:0 ack#:0 payload_length:2 data_integrity:0 err_code:0x0 [SYNC]
    2023-01-05T18:28:31.431Z DEBUG        3 ->  [01 7e ] type: LINK_CONTROL_PACKET reliable: no seq#:0 ack#:0 payload_length:2 data_integrity:0 err_code:0x0 [SYNC]
    2023-01-05T18:28:31.683Z DEBUG        4 ->  [01 7e ] type: LINK_CONTROL_PACKET reliable: no seq#:0 ack#:0 payload_length:2 data_integrity:0 err_code:0x0 [SYNC]
    2023-01-05T18:28:31.933Z DEBUG        5 ->  [01 7e ] type: LINK_CONTROL_PACKET reliable: no seq#:0 ack#:0 payload_length:2 data_integrity:0 err_code:0x0 [SYNC]
    2023-01-05T18:28:32.183Z DEBUG        6 ->  [01 7e ] type: LINK_CONTROL_PACKET reliable: no seq#:0 ack#:0 payload_length:2 data_integrity:0 err_code:0x0 [SYNC]
    2023-01-05T18:28:32.434Z DEBUG        7 ->  [01 7e ] type: LINK_CONTROL_PACKET reliable: no seq#:0 ack#:0 payload_length:2 data_integrity:0 err_code:0x0 [SYNC]
    2023-01-05T18:28:32.685Z DEBUG State change: STATE_UNINITIALIZED -> STATE_NO_RESPONSE
    2023-01-05T18:28:32.685Z ERROR Received status with code 0 PKT_SEND_MAX_RETRIES_REACHED, message: 'No response from device. Tried to send packet 6 times.'
    2023-01-05T18:28:33.881Z DEBUG serial port read on port COM4 aborted.
    2023-01-05T18:28:33.903Z ERROR Error occured when opening port. Errorcode: NRF_ERROR_TIMEOUT (0xd)

  • Yes, LESC pairing should be used if both devices include the "Secure Connection Flag" in their pairing request/response. You can also tell that LESC is used by the SMP packets sent after the pairing response. Legacy pairing will not include the public key exchange or the DHKey check at the end.

    With regards to the nRF Connect issue, try to press the Reset button on the dongle to make it enter DFU mode (The red LED indicates DFU mode). Then select the "open bootloader" device from the dropdown menu and click yes when prompted to program it. This will allow the app to replace the sniffer FW with the connectivity FW which is needed for BLE connectivity.
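The answer above gives two ways to recognise LESC in a capture: the "Secure Connection" bit in the AuthReq byte of both the Pairing Request and the Pairing Response, and the Pairing Public Key / DHKey Check SMP PDUs that only LESC exchanges. The following script is an added example, not code from the thread or from Nordic; it parses the 7-byte SMP pairing PDUs (layout per Bluetooth Core Spec Vol 3, Part H) and reports whether a passive sniffer could have followed the pairing. The sample PDUs are constructed for the example and are not taken from the attached Pairing_Capture.pcapng.

```python
"""Classify a BLE SMP Pairing Request/Response pair as LESC or Legacy.

Added example, not from the DevZone thread. The 7-byte SMP Pairing
Request/Response layout is:
  code | IO capability | OOB flag | AuthReq | max key size | init key dist | resp key dist
AuthReq bit 3 (0x08) is the Secure Connections flag; LESC is used only
when BOTH sides set it. The sample PDUs below are constructed.
"""
from dataclasses import dataclass

SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02
SMP_PAIRING_PUBLIC_KEY = 0x0C   # only exchanged in LESC
SMP_PAIRING_DHKEY_CHECK = 0x0D  # only exchanged in LESC

IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}


@dataclass
class PairingFeatures:
    code: int
    io_capability: str
    oob: bool
    bonding: bool
    mitm: bool
    secure_connections: bool
    max_key_size: int

    @classmethod
    def parse(cls, pdu: bytes) -> "PairingFeatures":
        if len(pdu) != 7:
            raise ValueError(f"SMP pairing PDU must be 7 bytes, got {len(pdu)}")
        code, io_cap, oob, auth_req, key_size, _init_kd, _resp_kd = pdu
        if code not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
            raise ValueError(f"not a Pairing Request/Response: code 0x{code:02x}")
        if io_cap not in IO_CAPS:
            raise ValueError(f"reserved IO capability 0x{io_cap:02x}")
        if not 7 <= key_size <= 16:
            raise ValueError(f"max encryption key size {key_size} out of range 7..16")
        return cls(
            code=code,
            io_capability=IO_CAPS[io_cap],
            oob=bool(oob),
            bonding=(auth_req & 0x03) == 0x01,        # bits 0-1: bonding flags
            mitm=bool(auth_req & 0x04),               # bit 2: MITM protection requested
            secure_connections=bool(auth_req & 0x08),  # bit 3: Secure Connections
            max_key_size=key_size,
        )


def classify_pairing(request: bytes, response: bytes) -> dict:
    """Decide from the feature-exchange PDUs which pairing model will run."""
    req = PairingFeatures.parse(request)
    rsp = PairingFeatures.parse(response)
    if req.code != SMP_PAIRING_REQUEST or rsp.code != SMP_PAIRING_RESPONSE:
        raise ValueError("expected a Pairing Request followed by a Pairing Response")
    lesc = req.secure_connections and rsp.secure_connections
    return {
        "lesc": lesc,
        "initiator_io": req.io_capability,
        "responder_io": rsp.io_capability,
        "mitm_requested": req.mitm or rsp.mitm,
        "negotiated_key_size": min(req.max_key_size, rsp.max_key_size),
        # With LESC the LTK comes from an ECDH exchange, so a passive sniffer
        # cannot derive it; the sniffer's "Legacy Passkey" field only helps for
        # Legacy pairing.
        "passive_sniffer_can_follow": not lesc,
    }


def lesc_from_smp_opcodes(opcodes) -> bool:
    """Second check: LESC shows up as Public Key and DHKey Check PDUs after
    the Pairing Response; Legacy pairing never sends either."""
    seen = set(opcodes)
    return SMP_PAIRING_PUBLIC_KEY in seen and SMP_PAIRING_DHKEY_CHECK in seen


# Constructed sample PDUs (not from the capture in the thread).
# AuthReq 0x0D = bonding | MITM | Secure Connections; 0x05 = bonding | MITM only.
LESC_REQUEST = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x01, 0x01])    # KeyboardDisplay
LESC_RESPONSE = bytes([0x02, 0x00, 0x00, 0x0D, 0x10, 0x01, 0x01])   # DisplayOnly
LEGACY_RESPONSE = bytes([0x02, 0x00, 0x00, 0x05, 0x10, 0x01, 0x01])  # no SC bit

if __name__ == "__main__":
    print("both set SC   ->", classify_pairing(LESC_REQUEST, LESC_RESPONSE))
    print("responder no SC ->", classify_pairing(LESC_REQUEST, LEGACY_RESPONSE))
    # Constructed opcode sequence as seen after a Pairing Response in LESC:
    print("opcode check  ->", lesc_from_smp_opcodes([0x0C, 0x0C, 0x03, 0x04, 0x0D, 0x0D]))
```

To use it against a real capture, export the SMP payload bytes of the Pairing Request and Pairing Response from Wireshark and pass them to `classify_pairing`; if `lesc` is true, no passkey entered in the sniffer will let it decrypt the link, which is exactly the situation described in this thread.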
