• State Not Answered
  • Replies 8 replies
  • Subscribers 74 subscribers
  • Views 1333 views
  • Users 0 members are here
Attachments (2) Download All
Nordic Case Info
  • Case ID: 305535
Options

Getting Error Responses with "Insufficient Authentication" while central sends "write requests" to peripheral.

gliako

Hello,

I have two setups both using nrf5 SDK 16.0.

One based on the "multisink_central_pca10056_s140" where I based my work (bringing up and discovering some client services successfully). 

The second setup is a "custom" application and HW which is in working order and so far it was detecting some beacons. On this setup I had to import all my work from setup 1. Upon porting, when setup 2 is trying to connect and pair (just work) and then perform some initial standard "write requests", I experience Error Responses with "Insufficient Authentication" to all my write requests.

I suspect differences in the setup of the applications hence I am sharing the sdk_config.h files for both. The initialisation and handling of the services at the client/central side is the exact same code. So it is either something different in config or perhaps something within the security, connection module but I am not able to narrow down yet. 

Could you please provide some hints?

Regards

George


6786.sdk_config - setup1.h

7367.sdk_config - setup2.h

Parents
  • 0

    Hello,

    Insufficient Authentication suggests that the characteristic you are trying to read/write requires a security level higher than what you are currently using. I can't tell what level it requires without seeing the peripheral application, but it suggests that you need more than "just works" encryption. What sort of pairing did you use in your "setup 1"? If you want to keep the "just works" pairing, then you need to adjust the requirement on your peripheral. If you can't change the peripheral, then you need to up your pairing by adding e.g. MITM protection, or LESC (depending on the peripheral's requirement).

    Best regards,

    Edvin

  • 0 in reply to Edvin

    Hello,

    I made sure that setup2 has exactly the same peer_manager_init() as setup1 (see below) but still I get the same error over the air. Is there anywhere else in main.c or in sdk_config.h where I can check of MITM, LESC or other has been missed to be set?

    Is there a way, a log or something to find out what security has been set ot each setup and compare?

    Regards

    George

    /**@brief Function for the Peer Manager initialization.
    */
    static void peer_manager_init(void)
    {
    ble_gap_sec_params_t sec_param;
    ret_code_t err_code;

    err_code = pm_init();
    APP_ERROR_CHECK(err_code);

    memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

    // Security parameters to be used for all security procedures.
    sec_param.bond = SEC_PARAM_BOND; // 1
    sec_param.mitm = SEC_PARAM_MITM; // 0
    sec_param.lesc = SEC_PARAM_LESC; // 1
    sec_param.keypress = SEC_PARAM_KEYPRESS; // 0
    sec_param.io_caps = SEC_PARAM_IO_CAPABILITIES; // BLE_GAP_IO_CAPS_NONE 0x03
    sec_param.oob = SEC_PARAM_OOB; // 0
    sec_param.min_key_size = SEC_PARAM_MIN_KEY_SIZE; // 7
    sec_param.max_key_size = SEC_PARAM_MAX_KEY_SIZE; // 16
    sec_param.kdist_own.enc = 1;
    sec_param.kdist_own.id = 1;
    sec_param.kdist_peer.enc = 1;
    sec_param.kdist_peer.id = 1;

    err_code = pm_sec_params_set(&sec_param);
    APP_ERROR_CHECK(err_code);

    err_code = pm_register(pm_evt_handler);
    APP_ERROR_CHECK(err_code);
    }

Reply
  • 0 in reply to Edvin

    Hello,

    I made sure that setup2 has exactly the same peer_manager_init() as setup1 (see below) but still I get the same error over the air. Is there anywhere else in main.c or in sdk_config.h where I can check of MITM, LESC or other has been missed to be set?

    Is there a way, a log or something to find out what security has been set ot each setup and compare?

    Regards

    George

    /**@brief Function for the Peer Manager initialization.
    */
    static void peer_manager_init(void)
    {
    ble_gap_sec_params_t sec_param;
    ret_code_t err_code;

    err_code = pm_init();
    APP_ERROR_CHECK(err_code);

    memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

    // Security parameters to be used for all security procedures.
    sec_param.bond = SEC_PARAM_BOND; // 1
    sec_param.mitm = SEC_PARAM_MITM; // 0
    sec_param.lesc = SEC_PARAM_LESC; // 1
    sec_param.keypress = SEC_PARAM_KEYPRESS; // 0
    sec_param.io_caps = SEC_PARAM_IO_CAPABILITIES; // BLE_GAP_IO_CAPS_NONE 0x03
    sec_param.oob = SEC_PARAM_OOB; // 0
    sec_param.min_key_size = SEC_PARAM_MIN_KEY_SIZE; // 7
    sec_param.max_key_size = SEC_PARAM_MAX_KEY_SIZE; // 16
    sec_param.kdist_own.enc = 1;
    sec_param.kdist_own.id = 1;
    sec_param.kdist_peer.enc = 1;
    sec_param.kdist_peer.id = 1;

    err_code = pm_sec_params_set(&sec_param);
    APP_ERROR_CHECK(err_code);

    err_code = pm_register(pm_evt_handler);
    APP_ERROR_CHECK(err_code);
    }

Children
  • 0 in reply to gliako

    Hello again,

    I would also like to point out that setup1 is using the devkit PCA10056 where setup2 is using the actual custom, product pcb. Will this make any difference in terms of how the nrf52840 is connected (apart form software changes we discussed earlier)?

    Regards

    George

  • 0 in reply to gliako
    gliako said:

    Will this make any difference in terms of how the nrf52840 is connected (apart form software changes we discussed earlier)?

    Not that I can think of.

    Did you create setup1 as well? Or is it from a 3rd party company?

    And as for the peripheral, did you write that? Do you have access to it's source code? Did you try to connect to it using nRF Connect for Desktop -> Bluetooth LE? Are you able to pair/bond with it there, so that you can access the characteristics that are restricted?

    Please note that we will be very short staffed next week due to public holidays in Norway. I will be back in the office on April 11th. Sorry for the inconvenience.

    Best regards,

    Edvin

  • 0 in reply to Edvin

    Hello,

    I don't have access to the peripheral service implementation but it connects fine with setup1 (which I developed as proof of concept) and it also connects fine with nRF Connect app.

    The problem is with setup2 which was done initially from someone else and it was only meat to be act as peripheral (to connect to an app) and also to discover some beacons. 

    My changes into setup2 are introducing some discovery of services from a server which means this time setup2 must act as central.

    Perhaps, the "central" setup is not fully done correctly?

    Can nRF Connect app tell me what security level I need?

    Does the peer_manager_init() above makes sense to you?

    Regards

    George

  • 0 in reply to gliako

    Hello,

    It looks like the problem starts when central is trying to authenticate the link at connection time, at the call link_secure_authenticate() where sd_ble_gap_authenticate() returns NRF_ERROR_NO_MEM.

    My setting of NRF_SDH_BLE_CENTRAL_LINK_COUNT was set initially to 1 (where failure was found) but then increasing it to 2 made no difference.

    I am struggling to find out what is gong wrong here...

    Regards

    George

  • 0 in reply to gliako

    Hello,

    At the end of the day it looks like the issue was caused by an additional call to 

    sd_ble_cfg_set() following a call to nrf_sdh_ble_default_cfg_set() in the ble_stack_init() function. At this stage, I am not sure what was the purpose of this and if this was intentional but it looks like it was related to enabling channel survey role!

    Is this something that I need to look at of doing differently? By commenting out the following code, I can successfully discover all the services but I am not sure if the channel survey bit will work, any ideas?

    // Configure the GATTS attribute table.
    ble_cfg_t ble_cfg;
    memset(&ble_cfg, 0x00, sizeof(ble_cfg));
    ble_cfg.gap_cfg.role_count_cfg.periph_role_count = NRF_SDH_BLE_PERIPHERAL_LINK_COUNT;
    ble_cfg.gap_cfg.role_count_cfg.central_role_count = NRF_SDH_BLE_CENTRAL_LINK_COUNT;

    /* Enable channel survey role */
    ble_cfg.gap_cfg.role_count_cfg.qos_channel_survey_role_available = false;

    err_code = sd_ble_cfg_set(BLE_GAP_CFG_ROLE_COUNT, &ble_cfg, (uint32_t)&ram_start);
    if(err_code != NRF_SUCCESS){
    NRF_LOG_ERROR("sd_ble_cfg_set() returned %s when attempting to set BLE_GAP_CFG_ROLE_COUNT.",
    nrf_strerror_get(err_code));
    }

    Regards

    George

Related
Terms of service