Extracting LTK value to decrypt RF sniffer packets - Simple Periperal example

Mathias Garbus

Other Parts Discussed in Thread: CC2650

Hi,

I need to extract the LTK from CC2650 to use in TI RFSniffer tool.

I can see the ltk is used in gapbondmgr.c and could be extracted breaking the functions in this c-file, but gapbondmgr.c is used in the STACK scope, so debugging is not possible for me, or is it?

How can I extract the LTK during bonding/rebonding when in debug?

I use ble_sdk_2_02_00_31_setup.exe and the Simple_Peripheral example.

Best Regards,

Mathias

over 9 years ago

0 Zahid Haq over 9 years ago

TI__Mastermind 25035 points

One way to extract the LTK is through the GAP_AuthenticationComplete event on the central side. See BTOOL example here: www.ti.com/.../swru270c.pdf

Best wishes

0 Mathias Garbus over 9 years ago in reply to Zahid Haq

Prodigy 220 points

Hi Zahid,
A smartphone is the Central device in this setup we are debugging right now. I do not know a way to fetch the LTK from an iPhone. Are there no other way to fetch the LTK when using your Simple_Peripheral example?

Best Regards

0 Christin Lee over 9 years ago in reply to Mathias Garbus

TI__Guru 56215 points

Hi,

Can I ask why do you need LTK information? Are you going to modify TI packet sniffer?
You can either :
1. turn off the encryption during debugging.
2. I would recommend to get a more advanced sniffer. Ex : frontline or Ellysis

Bluetooth®︎

Bluetooth forum

Extracting LTK value to decrypt RF sniffer packets - Simple Periperal example