It can be tricky to follow an encrypted connection, especially when LE Secure Connections is used. Even with Just Works pairing, it’s not possible for the sniffer to automatically decrypt the encrypted connection without a security key provided.
This exercise can be used in supplement to Exercise 1 Lesson 5 Security. If you haven’t completed the security exercise, you can use the provided solution.
Note that this is the same firmware as the solution to exercise 1 found in lesson5/blefund_less5_exer1_solution.
1. Build and flash the application on your board.
LED1 on your board should be blinking, indicating that your board is advertising.
2. View the log output from the application.
Open up a terminal window to see the log output from the application.
3. Filter only the device packets from Nordic_LBS.
Close and re-open Wireshark and run the sniffer again. Go to the Device drop-down list to select Nordic_Peripheral, just like we have done in the previous exercises.
4. Connect to the device using your phone.
Using the nRF Connect for Mobile application, connect to the device Nordic_LBS. Make sure that you can follow the connection with the sniffer.
Observe in the sniffer, that the connection is established (CONNECT_IND). You may want to use the Empty packet filter again to make it easier to follow.
5. Trigger bonding by doing a write command to change the LED state.
Just like we did in lesson 5, try writing a value to change the LED state, and you will be prompted to write in a 6-digit passkey that is printed in the UART log, like this.
Passkey for 4B:DA:4C:3B:E4:E0 (random): xxxxxx
When this is complete, you should see the following in the sniffer, look for the three packets highlighted below
Sent Write Request: The Write Request gets sent when we tried to write to the LED characteristic from the central (your phone).
Rcvd Error Respond: The Write Request gets rejected with Insufficient Authentication, because the connection is still open, and not encrypted, at security level 1. Recall from Exercise 1 in Lesson 5, that the requirement for accessing the LED characteristic is at security level 3.
Sent Pairing Request: After receiving the the rejection, the phone will send a Pairing Request to start the process of upgrading security level of the connection.
Continue with the pairing process in the sniffer trace, you will see the key is generated and the link is encrypted after the LL_START_ENC_REQ packet.
Notice that LL_START_ENC_REQ is the last packet where the communication is not encrypted. After this packet, the sniffer is not able to decrypt the communication and all the messages from there on out are marked as “Encrypted packet decrypted incorrectly”. Shortly after this, the sniffer won’t able to capture any more encrypted messages. This is because when the sniffer can’t decrypt the communication, it won’t be able to follow the change of timing or channel hopping of the connection.
6. Enable Bluetooth LE log information for sniffer.
To be able to decrypt the communication, we need to provide the sniffer with the LTK from the connection. The Kconfig symbol BT_LOG_SNIFFER_INFO will log the LTK of the connection after pairing so we can provide this key to the sniffer.
Add the following Kconfig symbols in the prj.conf file of the application
Go to your Bluetooth settings, find the device and select the pin wheel next to it. Then select Unpair.
Go to your Bluetooth settings, find the device and select the information icon next to it. Then select Forget This Device.
8. Perform the same pairing process as we did in step 5.
Connect to the device in nRF Connect for Mobile and try to write a value to the LED characteristic to be prompted with the Pairing Request.
Input the 6-digit passkey and notice in the UART log, that there is an extra line printed, containing the LTK:
*** Booting Zephyr OS build v3.2.99-ncs 1 ***
Starting Bluetooth Peripheral LBS example
Advertising successfully started
Passkey for 40:A1:08:FF:EF:95 (random):947467
Security changed 40:A1:08:FF:EF:95 (random) level 4
I: SC LTK: 0xe58c6433d0b6fa31cc5593483878ad536
9. Provide the sniffer with the outputted LTK, to decrypt the connection.
Back in the sniffer, in the header above the Packet List window, under Key, select SC LTK and then copy the LTK from the log output into the Value section. Click the small arrow to the right of the Value section to apply the changes.
The LTK is randomly generated after each pairing, so you will have your own LTK that you need to copy and paste into the nRF Sniffer. The example LTK provided here will not work for your connection.
10. Disconnect and re-connect the device from the phone.
In nRF Connect for Mobile, disconnect the device to the phone and then connect to it again. This time the LTK generated in the last connection will be re-used and the phone and the device will automatically re-encrypt the link. The sniffer will use the provided key to decrypt the link.
To confirm this, open a random packet, expand nRF Sniffer for Bluetooth LE and then Flags and note that the Encrypted flag is set.
Observe that there is no new Pairing Request and the central only sends LL_ENC_REQ to start re-encrypting the link. After the LL_START_ENC_REQ packet the link is encrypted, but this time the sniffer is able to decrypt the link and the Encrypted Flag is now changed to Yes after the LL_START_ENC_REQ.
Try to send an LED write request from the phone, and it will be observed by the sniffer trace, as shown above.
If your phone doesn’t support LE Secure Connection and only supports Legacy Pairing, you will need to select Legacy LTK instead of SC LTK in the Key dropdown menu.