• State Not Answered
  • Replies 9 replies
  • Subscribers 73 subscribers
  • Views 4650 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 109919
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Sharing bonding info with DFU but getting BLE_GAP_EVT_CONN_SEC_UPDATE that causes issues

GaryG

I have the application saving off the information it should from the Nordic documentation titled "Sharing bonding information" which is part of the Info center software developers kit example section: m_peer_data.addr = key_set.keys_central.p_id_key->id_addr_info; m_peer_data.irk = key_set.keys_central.p_id_key->id_info; m_peer_data.enc_key.enc_info = key_set.keys_periph.enc_key.p_enc_key->enc_info; m_peer_data.enc_key.master_id = key_set.keys_periph.enc_key.p_enc_key->master_id;

I get the bootloader to start up and find the information, it bonds to my application and according to the Nordic Sniffer application the connection is encrypted. Then the S110 bootloader quickly gets a BLE_GAP_EVT_CONN_SEC_UPDATE event with data of security mode = 1, level = 2, and encr_key_size = 0x10. This causes the bootloader to call into service_change_indicate() which calls sd_ble_gatts_sys_attr_set() and this fails with a NRF_ERROR_INVALID_DATA. The sys_serv_attr is all zeros since the application doesn't set this to any values but I don't see how to get it set correctly. If I just call sd_ble_gatts_sys_attr_set() with the 2nd param NULL then everything works fine.

What am I missing?

I have changed the way the application is sharing the peer_data is it is going through a dm flash area that is shared between the app and bootloader, but that seems to be working as it gets the whitelist etc data to the bootloader to allow pairing with my application but another device running nRF Master Control Panel sees the device but doesn't have a "Connect" option for that device. If I don't do the sharing of bonding info it does show the "Connect" option.

...Gary

BootloaderSecureConnectionForNordic.pcapng

  • 0 in reply to Hung Bui

    Sorry, not sure how attachment got lost. I have added the attachment of the wireshark log to the original message. The central is another nRF51422 eval board for this tested with a PC over serial controlling it and it will be an nRF51 chip long term as well. ...Gary

  • 0 in reply to Hung Bui

    Hi Gary,

    The sniffer couldn't tell much because it couldn't decrypt the connection . You will see it's full of "Encrypted packet decrypted incorrectly" packet. To let the sniffer decrypt the connection, you would need to capture also the bonding procedure, where the keys are distributed then the sniffer can use that keys to decrypt the connection when you re-bond (in one shot, don't stop the sniffer)

    Could you clarify, that you are using the nRF51422 running serialization and act as a DFU master where you update another nRF51 board ? This mean you writing your own DFU master software on PC ?

    I would suggest you test first using our Master Control Panel software on PC to test the bootloader on the DFU target board first. A question, if you don't do bonding (just DFU with no encryption) would the DFU works ?

  • 0 in reply to Hung Bui

    Hung, Thanks for all your help understanding this issue. I feel that the event I was getting that was causing the issue in the bootloader can safely be worked around as the connection is lost between the central and peripheral and the peripheral has its SoftDevice, bootloader, and application restarted. This means the SoftDevice running with the bootloader will only ever see the bootloader service. Also, the fact that the packets are encrypted and the reflash is successful means the connection is good and working.

    The project is out of time and the solution seems reliable. It is maybe not as graceful as the Nordic solution but gets the job done.

    Thanks again for the help.

    ...Gary

    ...Gary

  • 0 in reply to Hung Bui

    Hi Gary,

    I am sorry that I don't fully understand the workaround you described.

    There is a workaround to not sending the service changed indication is to keep your DFU service on top of the ATT table. This way, it doesn't mater if you have your application services or not. You should still be able to do DFU without a service re-discovery. In addition, if you have full control over the DFU master, you can force the DFU master to do service discovery every time you establish connection.

Related
Terms of service