
BTle "Pairing request"

Hello,
I want to know if I can catch "pairing request" and "pairing response" with Ubertooth One.
I can see communication in this order:
1. ADV_IND
2. SCAN_REQ
3. SCAN_RSP
4. CONNECTION_REQ
5. LL_VERSION_IND
6. LL_START_ENC_REQ
7. ...other communication...

But I want to know which of these types they are using:

1. LE Legacy Pairing:
- Just Works
- Passkey
- Out-of-Band
2. LE Secure Connection:
- Numeric Comparison

How can I recognize it? I know that I need to use the OOB, MITM and IO cap flags to choose the type.
But I don't see them in any packet :(

I am working on an IoT security project and I made a program which gets as much information as possible about devices. But this part of pairing is a big mystery for me. I spent 3 days searching for information, but unsuccessfully.

Thanks for your answer in advance.

  • Hi Kenny,

    As you mention, you should see those flags in the pairing request and response - these aren't LL_CONTROL packets (like LL_Version_Ind or LL_Start_Enc_Req). They may not get highlighted by your sniffer automatically. The pairing request/response will show up as a L2CAP packet containing SMP (LE Security Manager Protocol) data, most likely with a code saying Security Request.

    In other words, you're going to have to look at all the L2CAP data packets and look for anything with the channel ID of 0x0006 (LE Security Manager Protocol).

    The fact there's an LL_Start_Enc_Req means keys were exchanged at some point.

    Good luck,
    Rebel
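To make the advice above concrete, here is an added example (not code from the thread or from any poster) that does what Rebel describes: it picks the SMP payload out of an L2CAP frame by checking for CID 0x0006, parses the Pairing Request / Pairing Response PDU fields (IO capability, OOB flag, AuthReq with its MITM and SC bits), and derives the pairing method the same way the Bluetooth Core Specification does (Vol 3, Part H, 2.3.5.1 and Table 2.8). It generalizes beyond the question by covering all five IO capabilities and both legacy and Secure Connections. The sample frames are constructed for the example, not captured from a real device; function names are my own.

```python
"""Added example, not code from the thread: pull SMP Pairing Request/Response
PDUs out of L2CAP frames (CID 0x0006) and classify the pairing method the way
the Core Specification (Vol 3, Part H, 2.3.5.1) does, from the IO capability,
OOB and AuthReq (MITM, SC) fields. All sample frames below are constructed."""
from dataclasses import dataclass
from typing import Optional

L2CAP_CID_SMP = 0x0006          # LE Security Manager Protocol channel
SMP_PAIRING_REQUEST = 0x01      # SMP opcodes
SMP_PAIRING_RESPONSE = 0x02
AUTHREQ_MITM = 1 << 2           # AuthReq bit 2: MITM protection requested
AUTHREQ_SC = 1 << 3             # AuthReq bit 3: LE Secure Connections supported
IO_CAP = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
          0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}


@dataclass
class PairingPdu:
    opcode: int
    io_cap: str
    oob: bool
    mitm: bool
    sc: bool
    max_key_size: int


def smp_payload_from_l2cap(frame: bytes) -> Optional[bytes]:
    """Return the SMP payload if this L2CAP B-frame is on CID 0x0006, else None."""
    if len(frame) < 4:
        return None
    length = int.from_bytes(frame[0:2], "little")
    cid = int.from_bytes(frame[2:4], "little")
    if cid != L2CAP_CID_SMP or len(frame) < 4 + length:
        return None
    return frame[4:4 + length]


def parse_pairing_pdu(payload: bytes) -> PairingPdu:
    """Parse the 7-byte Pairing Request (0x01) / Pairing Response (0x02) PDU."""
    if len(payload) != 7 or payload[0] not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError("not an SMP Pairing Request/Response PDU")
    if payload[1] not in IO_CAP:
        raise ValueError(f"reserved IO capability 0x{payload[1]:02x}")
    auth_req = payload[3]
    return PairingPdu(opcode=payload[0], io_cap=IO_CAP[payload[1]],
                      oob=payload[2] == 0x01,
                      mitm=bool(auth_req & AUTHREQ_MITM),
                      sc=bool(auth_req & AUTHREQ_SC),
                      max_key_size=payload[4])


def _io_cap_method(init: str, resp: str, secure: bool) -> str:
    """IO-capability mapping (Core Spec Vol 3 Part H, Table 2.8)."""
    if "NoInputNoOutput" in (init, resp):
        return "Just Works"
    if init == "DisplayYesNo" and resp == "DisplayYesNo":
        return "Numeric Comparison" if secure else "Just Works"
    if init in ("DisplayOnly", "DisplayYesNo") and resp in ("DisplayOnly", "DisplayYesNo"):
        return "Just Works"
    if init in ("DisplayYesNo", "KeyboardDisplay") and resp in ("DisplayYesNo", "KeyboardDisplay"):
        return "Numeric Comparison" if secure else "Passkey Entry"
    return "Passkey Entry"


def classify_pairing(req_frame: bytes, rsp_frame: bytes) -> dict:
    """Classify a Pairing Request + Pairing Response pair of L2CAP frames."""
    req_payload = smp_payload_from_l2cap(req_frame)
    rsp_payload = smp_payload_from_l2cap(rsp_frame)
    if req_payload is None or rsp_payload is None:
        raise ValueError("frames are not on the SMP channel")
    req, rsp = parse_pairing_pdu(req_payload), parse_pairing_pdu(rsp_payload)
    if req.opcode != SMP_PAIRING_REQUEST or rsp.opcode != SMP_PAIRING_RESPONSE:
        raise ValueError("expected a Pairing Request followed by a Pairing Response")
    secure = req.sc and rsp.sc                  # SC only if both sides set the bit
    # Legacy needs OOB data on both sides; Secure Connections uses OOB if either has it
    oob = (req.oob or rsp.oob) if secure else (req.oob and rsp.oob)
    if oob:
        method = "Out-of-Band"
    elif not (req.mitm or rsp.mitm):
        method = "Just Works"                   # neither side asked for MITM protection
    else:
        method = _io_cap_method(req.io_cap, rsp.io_cap, secure)
    return {"mode": "LE Secure Connections" if secure else "LE Legacy Pairing",
            "method": method,
            "initiator_io": req.io_cap, "responder_io": rsp.io_cap,
            # Just Works yields an unauthenticated key (no MITM protection)
            "authenticated": method != "Just Works",
            "max_key_size": min(req.max_key_size, rsp.max_key_size)}


def l2cap_smp_frame(pdu: bytes) -> bytes:
    """Wrap an SMP PDU in an L2CAP B-frame header (length, CID 0x0006), little-endian."""
    return len(pdu).to_bytes(2, "little") + L2CAP_CID_SMP.to_bytes(2, "little") + pdu


# Constructed sample exchanges: opcode, IO cap, OOB, AuthReq, key size, init/resp key dist
JUST_WORKS = (l2cap_smp_frame(bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])),
              l2cap_smp_frame(bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])))
NUMERIC_COMPARISON = (l2cap_smp_frame(bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x0F, 0x0F])),
                      l2cap_smp_frame(bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x0F, 0x0F])))
LEGACY_PASSKEY = (l2cap_smp_frame(bytes([0x01, 0x02, 0x00, 0x05, 0x10, 0x01, 0x01])),
                  l2cap_smp_frame(bytes([0x02, 0x00, 0x00, 0x05, 0x10, 0x01, 0x01])))

if __name__ == "__main__":
    for name, (req, rsp) in [("just works", JUST_WORKS),
                             ("numeric comparison", NUMERIC_COMPARISON),
                             ("legacy passkey", LEGACY_PASSKEY)]:
        print(name, classify_pairing(req, rsp))
```

With a real capture you would feed every L2CAP frame from the connection through `smp_payload_from_l2cap`, keep the first opcode 0x01 and the following opcode 0x02, and hand the two frames to `classify_pairing`. The `authenticated` flag is the item an inventory tool most wants: Just Works produces an unauthenticated key, so a device that only ever negotiates Just Works has no MITM protection regardless of whether LL_START_ENC_REQ follows.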
  • Hi Rebel,

    First of all, thank you for your quick response. I really appreciate your help.

    I was very surprised by this information. I thought that they needed to exchange this information, like IO cap, before the connection. But if they exchange it in an L2CAP data packet, can the communication already be encrypted? Or do they need to do this before encryption?

    Have a nice day.

    Kenny

  • Hi Kenny,

    Which part surprised you?

    But yes, LL_START_ENC_REQ will happen after keys are exchanged (or retrieved from non-volatile flash).

    L2CAP information can be encrypted, but doesn't initially start out so. I hope that helps.

    Regards,
    Rebel