Hi Marcel,

> > >>>> Yes, for secure connection the LTK is generated locally.
> > >>>> But issue here is observed that after Pairing is complete the key
> > >>>> distribution is not completed from Master.
> > >>>>
> > >>>> i.e. After Slave sends the "Signature key:" but Master doesn't
> > >>>> share any key. Attached logs.
> > >>> I get that and that is clear from the logs. Something is stalling
> > >>> here and because of that, you run into the 30 seconds SMP timeout.
> > >>> We just need to know if the 4.9 kernel is doing this correctly. If
> > >>> so, then you can bi-sect that patch that fixes. Without proof that
> > >>> 4.9 is also broken, nobody will even bother to chase this down.
> > >>
> > >> I think the problem here is race between ACL data and HCI events on
> > >> USB dongle... We get initial slave keys but those get dropped due
> > >> to encryption changed event not being received yet. Since keys were
> > >> silently dropped we later on get unexpected SMP PDU and ignoring
> > >> remaining keys as well which eventually leads to SMP timeout.
> > >>
> > >> If this is USB dongle (using btusb) then only (AFAIK) solution
> > >> would be to have a workaround for this inside chip (it would delay
> > >> ACL data received right after encryption change giving host time to
> > >> handle encryption change event).
> > >> Bluetooth specification for USB transport is unfortunately kinda broken.
> > >>
> > >> --
> > >> Regards
> > >> Szymon Janc
> > >
> > > Thank you for your reply. Your inputs are valuable to us in helping
> > > to debug the issue. Yes, we are indeed using the btusb kernel module
> > > and it is using a USB interface (Bluetooth over USB).
> > >
> > > I noticed that when btmgmt settings are set to turn 'bredr off', the
> > > 'ssp' mode also turns off. Is this behavior expected to occur?
> > > My current settings are 'powered connectable discoverable bondable
> > > le secure-conn'
> >
> > the SSP (Secure Simple Pairing) is a BR/EDR only feature. So when you
> > disable BR/EDR, it will be disabled as well.
>
> Thank you for your reply. It looks like I have understood this incorrectly as
> initially I read somewhere that LE adopts the SSP model in v4.1. Looks like this is
> not the case.
>
> From the specification, I noted that SSP was introduced in BR/EDR in v2.1 which
> makes it a BR/EDR only feature.
>
> I finally understand why ssp mode is disabled when I turned bredr off via
> btmgmt. Thank you for your clarification!

I would like to follow up with this item. I have managed to run the tests as you have suggested on a newer Linux 4.10 kernel. I used a newer bluez v5.43 version as there were some unrecognized "MGMT command" in btmon when I used bluez v5.40. The BT interface used is USB 2.0.

The LE pairing between two devices is still failing even on the newer kernel. The IO capability of the master and slave is set to KeyboardDisplay. You may find the pairing logs in btmon as follows:

Bluetooth monitor ver 5.43
= Note: Linux version 4.10.12-yocto-standard (x86_64)  0.285655
= Note: Bluetooth subsystem version 2.22  0.285662
= New Index: 74:C6:3B:AB:68:D8 (Primary,USB,hci0)  [hci0] 0.285665
= Open Index: 74:C6:3B:AB:68:D8  [hci0] 0.285667
= Index Info: 74:C6:3B:AB:68.. (Marvell Technology Group Ltd.)  [hci0] 0.285669
@ MGMT Open: bluetoothd (privileged) version 1.14  {0x0001} 0.285672
@ MGMT Open: btmon (privileged) version 1.14  {0x0002} 0.285706
< HCI Command: LE Create Connection (0x08|0x000d) plen 25  [hci0] 48.939434
        Scan interval: 60.000 msec (0x0060)
        Scan window: 60.000 msec (0x0060)
        Filter policy: White list is not used (0x00)
        Peer address type: Public (0x00)
        Peer address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Own address type: Public (0x00)
        Min connection interval: 50.00 msec (0x0028)
        Max connection interval: 70.00 msec (0x0038)
        Connection latency: 0x0000
        Supervision timeout: 420 msec (0x002a)
        Min connection length: 0.000 msec (0x0000)
        Max connection length: 0.000 msec (0x0000)
> HCI Event: Command Status (0x0f) plen 4  [hci0] 48.942593
      LE Create Connection (0x08|0x000d) ncmd 1
        Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 19  [hci0] 50.227066
      LE Connection Complete (0x01)
        Status: Success (0x00)
        Handle: 128
        Role: Master (0x00)
        Peer address type: Public (0x00)
        Peer address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Connection interval: 67.50 msec (0x0036)
        Connection latency: 0.00 msec (0x0000)
        Supervision timeout: 420 msec (0x002a)
        Master clock accuracy: 0x01
@ MGMT Event: Device Connected (0x000b) plen 19  {0x0002} [hci0] 50.227131
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Flags: 0x00000000
        Data length: 6
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
        TX power: 3 dBm
@ MGMT Event: Device Connected (0x000b) plen 19  {0x0001} [hci0] 50.227131
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Flags: 0x00000000
        Data length: 6
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
        TX power: 3 dBm
< HCI Command: LE Read Remote Used Fea.. (0x08|0x0016) plen 2  [hci0] 50.227313
        Handle: 128
> HCI Event: Command Status (0x0f) plen 4  [hci0] 50.228555
      LE Read Remote Used Features (0x08|0x0016) ncmd 1
        Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 12  [hci0] 50.371316
      LE Read Remote Used Features (0x04)
        Status: Success (0x00)
        Handle: 128
        Features: 0x4f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
          LE Encryption
          Connection Parameter Request Procedure
          Extended Reject Indication
          Slave-initiated Features Exchange
          LL Privacy
< ACL Data TX: Handle 128 flags 0x00 dlen 11  [hci0] 50.371466
      SMP: Pairing Request (0x01) len 6
        IO capability: KeyboardDisplay (0x04)
        OOB data: Authentication data not present (0x00)
        Authentication requirement: Bonding, MITM, SC, No Keypresses (0x0d)
        Max encryption key size: 16
        Initiator key distribution: EncKey Sign (0x05)
        Responder key distribution: EncKey IdKey Sign (0x07)
< ACL Data TX: Handle 128 flags 0x00 dlen 7  [hci0] 50.374662
      ATT: Exchange MTU Request (0x02) len 2
        Client RX MTU: 517
> ACL Data RX: Handle 128 flags 0x02 dlen 7  [hci0] 50.437738
      ATT: Exchange MTU Request (0x02) len 2
        Client RX MTU: 517
< ACL Data TX: Handle 128 flags 0x00 dlen 7  [hci0] 50.438094
      ATT: Exchange MTU Response (0x03) len 2
        Server RX MTU: 517
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.438096
        Num handles: 1
        Handle: 128
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.438708
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 11  [hci0] 50.505237
      SMP: Pairing Response (0x02) len 6
        IO capability: KeyboardDisplay (0x04)
        OOB data: Authentication data not present (0x00)
        Authentication requirement: Bonding, MITM, SC, No Keypresses (0x0d)
        Max encryption key size: 16
        Initiator key distribution: EncKey Sign (0x05)
        Responder key distribution: EncKey Sign (0x05)
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.505592
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 7  [hci0] 50.505981
      ATT: Exchange MTU Response (0x03) len 2
        Server RX MTU: 517
< ACL Data TX: Handle 128 flags 0x00 dlen 69  [hci0] 50.509608
      SMP: Pairing Public Key (0x0c) len 64
        X: 8c4d11fb51932f8f0a0c20f669821c12c98a030027dae6a2660f7f4395adae90
        Y: 6c95accf9f4afdbd302edfe5a3e6463eb7ea924160c6ca2c4fa4f93a3e09c415
< ACL Data TX: Handle 128 flags 0x00 dlen 11  [hci0] 50.509945
      ATT: Read By Group Type Request (0x10) len 6
        Handle range: 0x0001-0xffff
        Attribute group type: Primary Service (0x2800)
> ACL Data RX: Handle 128 flags 0x02 dlen 11  [hci0] 50.574023
      ATT: Read By Group Type Request (0x10) len 6
        Handle range: 0x0001-0xffff
        Attribute group type: Primary Service (0x2800)
< ACL Data TX: Handle 128 flags 0x00 dlen 18  [hci0] 50.574377
      ATT: Read By Group Type Response (0x11) len 13
        Attribute data length: 6
        Attribute group list: 2 entries
        Handle range: 0x0001-0x0005
        UUID: Generic Access Profile (0x1800)
        Handle range: 0x0006-0x0009
        UUID: Generic Attribute Profile (0x1801)
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.574437
        Num handles: 1
        Handle: 128
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.575080
        Num handles: 1
        Handle: 128
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.640191
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 69  [hci0] 50.640657
      SMP: Pairing Public Key (0x0c) len 64
        X: debfb1d7a36c63483dce9bc79720a7f5bd1a9faba3d00c957ae6b1e31c6ab142
        Y: 0ab2fbb64adb4537b9c3b6163558b49852968de0c082dbd6ac5faa51f415c511
> ACL Data RX: Handle 128 flags 0x02 dlen 21  [hci0] 50.642552
      SMP: Pairing Confirm (0x03) len 16
        Confim value: 1d4c75463d9bc9f133b5a13d7b6eb78d
> ACL Data RX: Handle 128 flags 0x02 dlen 18  [hci0] 50.643049
      ATT: Read By Group Type Response (0x11) len 13
        Attribute data length: 6
        Attribute group list: 2 entries
        Handle range: 0x0001-0x0005
        UUID: Generic Access Profile (0x1800)
        Handle range: 0x0006-0x0009
        UUID: Generic Attribute Profile (0x1801)
< ACL Data TX: Handle 128 flags 0x00 dlen 21  [hci0] 50.645056
      SMP: Pairing Random (0x04) len 16
        Random value: 59df1e7dbf22a075c0a5f2dc7a6fd310
< ACL Data TX: Handle 128 flags 0x00 dlen 11  [hci0] 50.645466
      ATT: Read By Group Type Request (0x10) len 6
        Handle range: 0x000a-0xffff
        Attribute group type: Primary Service (0x2800)
> ACL Data RX: Handle 128 flags 0x02 dlen 11  [hci0] 50.707690
      ATT: Read By Group Type Request (0x10) len 6
        Handle range: 0x000a-0xffff
        Attribute group type: Primary Service (0x2800)
< ACL Data TX: Handle 128 flags 0x00 dlen 9  [hci0] 50.708100
      ATT: Error Response (0x01) len 4
        Read By Group Type Request (0x10)
        Handle: 0x000a
        Error: Attribute Not Found (0x0a)
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.708237
        Num handles: 1
        Handle: 128
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.708782
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 21  [hci0] 50.775328
      SMP: Pairing Random (0x04) len 16
        Random value: a853588b0dbe6a132e13c85ee157a4cf
@ MGMT Event: User Confirmation R.. (0x000f) plen 12  {0x0002} [hci0] 50.775460
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Confirm hint: 0x00
        Value: 0x00059905
@ MGMT Event: User Confirmation R.. (0x000f) plen 12  {0x0001} [hci0] 50.775460
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Confirm hint: 0x00
        Value: 0x00059905
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.775600
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 9  [hci0] 50.775889
      ATT: Error Response (0x01) len 4
        Read By Group Type Request (0x10)
        Handle: 0x000a
        Error: Attribute Not Found (0x0a)
< ACL Data TX: Handle 128 flags 0x00 dlen 9  [hci0] 50.817634
      ATT: Write Request (0x12) len 4
        Handle: 0x0009
          Data: 0200
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 50.842843
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 5  [hci0] 50.978861
      ATT: Write Response (0x13) len 0
< ACL Data TX: Handle 128 flags 0x00 dlen 7  [hci0] 50.979284
      ATT: Read Request (0x0a) len 2
        Handle: 0x0003
> ACL Data RX: Handle 128 flags 0x02 dlen 9  [hci0] 50.979406
      ATT: Write Request (0x12) len 4
        Handle: 0x0009
          Data: 0200
< ACL Data TX: Handle 128 flags 0x00 dlen 5  [hci0] 50.979859
      ATT: Write Response (0x13) len 0
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 51.045192
        Num handles: 1
        Handle: 128
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 51.045670
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 20  [hci0] 51.114037
      ATT: Read Response (0x0b) len 15
        Value: 696e74656c2d636f726569372d3634
< ACL Data TX: Handle 128 flags 0x00 dlen 7  [hci0] 51.114529
      ATT: Read Request (0x0a) len 2
        Handle: 0x0005
> ACL Data RX: Handle 128 flags 0x02 dlen 7  [hci0] 51.116755
      ATT: Read Request (0x0a) len 2
        Handle: 0x0003
< ACL Data TX: Handle 128 flags 0x00 dlen 20  [hci0] 51.143659
      ATT: Read Response (0x0b) len 15
        Value: 696e74656c2d636f726569372d3634
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 51.180383
        Num handles: 1
        Handle: 128
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 51.180716
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 7  [hci0] 51.248880
      ATT: Read Response (0x0b) len 2
        Value: 0000
> ACL Data RX: Handle 128 flags 0x02 dlen 7  [hci0] 51.249364
      ATT: Read Request (0x0a) len 2
        Handle: 0x0005
< ACL Data TX: Handle 128 flags 0x00 dlen 7  [hci0] 51.249800
      ATT: Read Response (0x0b) len 2
        Value: 0000
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 51.315365
        Num handles: 1
        Handle: 128
        Count: 1
@ MGMT Command: User Confirmation... (0x001c) plen 7  {0x0001} [hci0] 52.949743
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
@ MGMT Event: Command Complete (0x0001) plen 10  {0x0001} [hci0] 52.949841
      User Confirmation Reply (0x001c) plen 7
        Status: Success (0x00)
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
< ACL Data TX: Handle 128 flags 0x00 dlen 21  [hci0] 52.949855
      SMP: Pairing DHKey Check (0x0d) len 16
        E: cee8b0e545488d0224a777594840c45a
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 53.002806
        Num handles: 1
        Handle: 128
        Count: 1
> ACL Data RX: Handle 128 flags 0x02 dlen 21  [hci0] 55.230445
      SMP: Pairing DHKey Check (0x0d) len 16
        E: 96dcfc6cc1f76974c3dc674feeb9983b
< HCI Command: LE Start Encryption (0x08|0x0019) plen 28  [hci0] 55.230548
        Handle: 128
        Random number: 0x0000000000000000
        Encrypted diversifier: 0x0000
        Long term key: 0e01142be9ddab9e6e6cef545562adc4
> HCI Event: Command Status (0x0f) plen 4  [hci0] 55.234468
      LE Start Encryption (0x08|0x0019) ncmd 1
        Status: Success (0x00)
> ACL Data RX: Handle 128 flags 0x02 dlen 21  [hci0] 55.500569
      SMP: Signing Information (0x0a) len 16
        Signature key: 1d916d5951791a271416a161cda981d6
> HCI Event: Encryption Change (0x08) plen 4  [hci0] 55.513836
        Status: Success (0x00)
        Handle: 128
        Encryption: Enabled with AES-CCM (0x01)
> HCI Event: Disconnect Complete (0x05) plen 4  [hci0] 85.811189
        Status: Success (0x00)
        Handle: 128
        Reason: Remote User Terminated Connection (0x13)
@ MGMT Event: Device Disconnected (0x000c) plen 8  {0x0002} [hci0] 85.811256
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Reason: Connection terminated by remote host (0x03)
@ MGMT Event: Device Disconnected (0x000c) plen 8  {0x0001} [hci0] 85.811256
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Reason: Connection terminated by remote host (0x03)
@ MGMT Event: Command Complete (0x0001) plen 10  {0x0001} [hci0] 85.811293
      Pair Device (0x0019) plen 7
        Status: Failed (0x03)
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)

As observed from above, the status showed "Failed (0x03)" for the pairing.

When I performed the LE pairing with the master IO capability set as KeyboardDisplay and the slave IO capability set as NoInputNoOutput, the LE pairing is successful. It uses LE Secure Connections i.e. "Unauthenticated key from P-256". The excerpt of the log for the pairing that shows it is successful is as follows:

@ MGMT Event: New Long Term Key (0x000a) plen 37  {0x0002} [hci0] 171.581417
        Store hint: Yes (0x01)
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Key type: Unauthenticated key from P-256 (0x02)
        Master: 0x00
        Encryption size: 16
        Diversifier: 0000
        Randomizer: 0000000000000000
        Key: a9e0f3f80bd99df0c2239ea48951219f
@ MGMT Event: New Long Term Key (0x000a) plen 37  {0x0001} [hci0] 171.581417
        Store hint: Yes (0x01)
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
        Key type: Unauthenticated key from P-256 (0x02)
        Master: 0x00
        Encryption size: 16
        Diversifier: 0000
        Randomizer: 0000000000000000
        Key: a9e0f3f80bd99df0c2239ea48951219f
@ MGMT Event: Command Complete (0x0001) plen 10  {0x0001} [hci0] 171.581427
      Pair Device (0x0019) plen 7
        Status: Success (0x00)
        LE Address: 74:C6:3B:AB:68:E0 (OUI 74-C6-3B)
< ACL Data TX: Handle 128 flags 0x00 dlen 21  [hci0] 171.581437
      SMP: Signing Information (0x0a) len 16
        Signature key: fa27079d8024c1859741391fdd83fb99
> HCI Event: Number of Completed Packets (0x13) plen 5  [hci0] 171.581593
        Num handles: 1
        Handle: 128
        Count: 1

Ideally, we would like the LE pairing to be successful over all IO capabilities.

Thank you.

Best regards,
Joshua
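
The ordering discussed in this thread (an SMP key-distribution PDU arriving on the ACL path before the Encryption Change event) can be checked mechanically in a btmon text capture. The Python below is an added example, not part of the original message or of BlueZ; the function names are hypothetical, the sample is constructed by condensing records from the failing trace, and it covers the initiator side only.

```python
import re

# Constructed sample: records condensed from the failing trace in this message.
SAMPLE = """\
< HCI Command: LE Start Encryption (0x08|0x0019) plen 28  [hci0] 55.230548
        Handle: 128
> HCI Event: Command Status (0x0f) plen 4  [hci0] 55.234468
      LE Start Encryption (0x08|0x0019) ncmd 1
> ACL Data RX: Handle 128 flags 0x02 dlen 21  [hci0] 55.500569
      SMP: Signing Information (0x0a) len 16
> HCI Event: Encryption Change (0x08) plen 4  [hci0] 55.513836
        Status: Success (0x00)
        Handle: 128
"""

HEADER = re.compile(r"^([<>@=]) (.*?)\s+(\d+\.\d+)\s*$")
SMP = re.compile(r"SMP: (.+?) \(0x([0-9a-f]{2})\)")
HANDLE = re.compile(r"Handle:? (\d+)")
# SMP key-distribution opcodes: Encryption Information .. Signing Information.
KEY_DIST = range(0x06, 0x0b)

def parse(text):
    """Group btmon text output into records: header line plus indented details."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"dir": m[1], "title": m[2], "ts": float(m[3]), "body": []})
        elif records and line.strip():
            records[-1]["body"].append(line.strip())
    return records

def early_keys(text):
    """Return (handle, pdu, ts) for key PDUs seen before Encryption Change."""
    pending, hits = set(), []
    for r in parse(text):
        blob = " ".join([r["title"], *r["body"]])
        h = HANDLE.search(blob)
        handle = int(h[1]) if h else None
        if r["dir"] == "<" and "LE Start Encryption" in r["title"]:
            pending.add(handle)            # host asked the controller to encrypt
        elif r["dir"] == ">" and "Encryption Change" in r["title"]:
            pending.discard(handle)        # event has been delivered to the host
        elif r["title"].startswith("ACL Data RX") and handle in pending:
            s = SMP.search(blob)
            if s and int(s[2], 16) in KEY_DIST:
                hits.append((handle, s[1], r["ts"]))
    return hits

if __name__ == "__main__":
    for handle, pdu, ts in early_keys(SAMPLE):
        print(f"handle {handle}: {pdu} at {ts} arrived before Encryption Change")
```
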