Home

EEN_BT09 - Ellisys

image

Contents

1. 7 170 302 875 Paging Headset 00 24 1C C1 D7 97 gt Phone 94 01 C2 63 D7 05 responded 253 ms aster Heads gt Slave Pfione 7 734 052 625 th A SDP Service Search Attribute Transfer Hands Free Audio Gateway Hands Free Audio Ga Master Headset lt gt Slave Phone 7 877 802 000 5 E2 RFCOMM Connect Channel Signaling Master Headset lt gt Slave Phone 7 882 802 000 crs RFCOMM DLC Parameter Negotiation 3 R 7 1 7 Master Headset lt gt Slave Phone 7 900 302 000 E RFCOMM Connect Channe 3 Master Headset lt gt Slave Phone 7 905 302 000 GA RFCOMM Modem Status 3 Yes Yes Master Headset lt gt Slave Phone Phone 8 044679 625 es RFCOMM Modem Status Ch 3 Data Valid Yes Yes Master Headset lt gt Slave Phone 8 047 802 125 e AT HFP Supported Features AT BRSF 159 gt gt BRSF 871 gt gt OK Master Headset lt gt Slave Phone 8 055 303 500 e AT HFP Available Codecs AT BAC 2 1 gt gt OK Master Headset lt gt Slave Phone 8 055 928 750 A SDP Service Search Attribute Transaction Hands Free Hands Free Generic Audio Hands Master Headset lt gt Slave Phone 8 071552125 Q ATMT Indicator AT CIND gt gt 4CIND call 0 1 callsetup 0 3 service Master Headset lt gt Slave Phone v Sm M M i4 b 7 734052 625 lt oa Instant Piconet ba Summary iid Instant Channels ara Raw data Instant Timing a X Details ax
2. Type filter Y Type filter Transmitter ne Item a Master Dongle 29 CD 00 99 FF 56 H S LLCP Encryption Start EDI 0x0000 SKDm 0x074C7C3A41FAFBE8 IVm 0x0C23B7B5 gt SkDs 0xA245DAE ior Slave Keyfob 3C 2D B7 84 06 67 amp SMP Transport Specific Key Distributic van Dongle Slave Keyfob 3C 2D B7 84 06 67 S SMP Encryption Information TK 3A57C2AC 40411828 28C726D5 Mm me pi 442 270 378875 82 roti sa CA nek Se i 5 Instant Piconet D Summary Instant Channels Slave Keyfob 3C 2D B7 84 06 67 Se Start Complete LE U Transfer Details Aa Xx Slave Keyfob 3C 2D B7 84 06 67 Sq Start Complete LE U Unit All fields Show in overview Display iy Search E Master Dongle 29 CD 00 99 FF 56 amp gt Empty LE U Packet APE A ave Keyfob 3C 2D B7 84 06 6 t Start Complete LE U Packet wD 7 EFR t c ie Slave Keyfob 3C 2D B7 84 06 67 E 4 SMP Master Identification EDI 0x53DB Rafid 0xEA5CDODF 11089854 NESN i Slave Keyfob 3C 2D B7 84 06 67 E ATT Notification Packet OxFFF4 03 SN 0 Security MD 0 Payload Data Length 25 Fill missing fields Manage ECDH Keys ha ii 21 bytes Time Master Slave Link Key ACO IV p L2CAP Frame Dst 0x0006 SMP Notapplicable Not applic L2CAP SDU Basic 17 bytes ga 64 143572 Dongle 29 CD 00 99 FF 56 co Keyfob 3C 2D B7 84 06 67 Q SMP Frame Wirbiess 7 Keyfo
3. 4 _ amp _ Welcome BR EDR Overview Low Energy Overview HCI Overview Serial HCI Overview USB MessageLog fm Instant Spectrum 4 gt Instant Piconet a x Protocol Single selection eee hf LFR FF JF SEP GAWD O KH ww 16 items kept 200filtered 2 Time Item Version Number a 0 826 248 250 E2 LMP Version Exchange Master 2 0 gt Slave 2 1 0 EDR Bluetooth Core Specification 2 0 EDR 0 826 248 250 E3 LMP Version Request Bluetooth Core Specification 2 0 EDR 0 930 623 625 4 Eg LMP Version Response Bluetooth Core Specification 2 1 EDR Bluetooth Core Specification 2 1 EDR 1 568 747 500 S E RFCOMM Connect Signaling l ol 1 584 997 500 RFCOMM DLC Parameter Negotiation Channe 2 Initial Credits R 0 I 0 phon resource 1 672 497 375 RFCOMM Connect Che 2 1 738 122 500 E RFCOMM Modem Status Channe 2 Data Valid No No 1 739 996 375 A RFCOMM Modem Status 2 Data No No 1 743 746 375 E E RFCOMM UIH Frame Channel 2 I 0 R 0 10 10 9 085 616 375 RFCOMM UIH Frame 2 I 7 8 15 R 10 25 543 723 125 RFCOMM Modem Status Channe 2 Data Valid No No 26 724 347500 F RFCOMM Modem Status 2 No No 26 809 971750 amp RFCOMM Modem Status Channel 2 Data Valid No No O ee i alt Re ZS i Instant Piconet amp Summary iid Instant Channels a91 Raw data a X Fill missing fields Manage ECDH Keys A Time Master Slave 1 249 37
4. E My Files A Stay awake Screen will never sle storage emulated 0 Android data woven YR See The screenshot below shows the BEX400 Import menu with BT Snoop HCI selected for import The BT Snoop file created by the phone is referenced as the location from which to do the import Import Sf Please choose the input file and format e Import format BT Snoop HCI Ellisys UART HCI Capture Ellisys USB 2 0 HCI Capture Import data from C Users chuck Desktop btsnoop_hci log Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference Readers should refer to the latest technical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com Ellisys Bluetooth Expert Notes EEN_BTO9 Methods for Accessing a Link Key Better Analysis Below the resulting capture after the phone s BT Snoop log has been imported by the BEX400 application This shows the link key established between the Phone and the Headset This key will be stored by the analyzer software and used to decrypt traffic on captures of subsequent connections between the phone and headset x File View Layout Search Record Tools Help E Fullscreen E t
5. Importantly for BEX400 users the hunt for a key is not really needed as the analyzer is able to crack the security for Bluetooth Smart Future evolutions of Bluetooth Smart will make this much more difficult but the BEX400 architecture will accommodate these changes easily see Secure Connections for Bluetooth Smart below Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference Readers should refer to the latest technical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com ellisys Ellisys Bluetooth Expert Notes EEN_BTO9 Methods for Accessing a Link Key Better Analysis The screenshot below depicts the LTK being sent from a key fob to a dongle Note that STK enabled encryption is already in place at the time this packet is sent x File View Layout Search Record Tools Help Ei Fullscreen E tt E Analysis FEY Add D Ha AA DP Record E Stop E Restart amp Save amp Continue 2 3 E Navigate Markers Filtering Only Dongle Keyfob set reset Welcome BR EDR Overview Low Energy Overview HCL Overview USE HCLOverview Seria MessageLog _ fej Instant 4 Instant Pconet a x Protocol Multiple selection e 9 224 items kept 4 filtered Search
6. 34 Raw Notebook 00 02 76 1E Pl tidi ddl om m dih b k mami banii IIIEELELLTELTELI Deta q x x isplay Lig 7 Fill missing fields Manage ECDH Keys Value __Time _ Master Slave PIN Iv 71 378 405 500 Notebook 00 02 76 1E 10 E6 Notapplicable ae co USB Dongle C0 E4 22 FE 17 1F Link Key Notificatior Link CO E4 22 FE 17 1F Link IN y Link Key 83359E53 AE76155 USB HCI Key Type Authenticated Coml USB 2 0 T T T T T T T T T T T B T T T 7 T T T T T T T T T T T T T T T T T T Li T T T T T T T T 1 80 0 90 0 10 0 20 0 30 0 40 0 50 0 60 0 70 0 80 0 90 0 10 0 20 0 30 0 40 0 50 0 60 0 70 0 80 0 90 0 1C 62 00 s 83 00 s 84 00 s Zoom bar i fad Instant Timing dia Instant Audio A Instant Throughput lt gt Ready 40 5372 Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference Readers should refer to the latest technical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com l el T sy S Ellisys Bluetooth Expert Notes oe EEN _BTO9 Methods for Accessing a Link Key Better Analysis Ellisys HCI Injection API The Bluetooth Explorer 400 software application supports an HCI HCI Overview Injection y Message Log BR EDR Overview Low Injec
7. R9 a Wireless J Fill missing fields Manage ECDH Keys Fn Time Master Slave PIN Link Key ACO IV i 6 469 675 000 PC E8 24 EA B4 DE 7A Notapplicable Missing Notapplicable Not applic Headset 00 24 1C 7 97 T 7 777 806 625 Headset 00 24 1C C1 D7 97 Phone 94 01 C2 1 1 1 1 1 1 1 1 T T 1 1 r 1 T 1 1 T T 1 ServiceSearchPattern 0 02 0 03 0 04 0 05 0 06 0 07 0 08 0 09 0 01 0 02 0 03 0 04 0 05 0 06 43 7 70 s Y Service Class 1 Hands Free Audio Gateway Zoom bar E 4 AttributelDList fad Instant Timing Tial Instant Audio g Instant Throughput Attribute ID Service Class ID List y Ready E A Standard methods The following methods work independently of the Bluetooth radio or stack manufacturer used However these methods may require low level access to the Bluetooth hardware and are therefore not always applicable with off the shelf products Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference Readers should refer to the latest technical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com ellisys Ellisys Bluetooth Expert Notes EEN BTO9 Methods for Accessing a Link Key Better Analysis PIN code based pairing LMP pairing also known as PIN code based pairing or sometimes called Leg
8. RF rg AT MT EventReporting AT CMER 3 0 0 1 gt gt OK Master Comp PC E8 24 EA B DE 7A lt gt Slave Headset 00 24 1C C 1 D7 97 Ox0041 RF GA AT String OK 2 bytes OD 0A Master Comp PC E8 2A4 EA B4 DE 74 lt gt Slave Headset 00 24 1C C i D 97 Ox0041 RF A AT String 851R 0 OK 10 bytes 28 4 Master Comp PC ES 2A EA B4 DE 7A lt gt Slave Headset 00 24 10 C D 97 Ox0041 RF AT Exchange AT CLIP 1 gt rin gt OK r n Master Comp PC E8 2A EA B4 DE 7A lt gt Slave Headset 00 24 10 C1 D7 97 B AT Exchange AT NREC 0 gt OK OK Master Comp PC E8 2A EA B4 DE 7A lt gt Slave Headset 00 24 1C C1 D7 97 Ox0041 RF Many Windows systems will use a third party Bluetooth stack instead of the Microsoft stack such as Toshiba Widcomm etc Registry access to these third party stacks may not be quite as obvious so one approach is to force the system to revert from the third party stack to the Windows stack The user should set a system restore point do an uninstall of the third party stack and then reboot The system should then default to the Microsoft stack In some cases browsing online forums may be useful The URL below is one example computer Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference Readers should refer to the latest tech
9. made the choice to not accept an SSP pairing with other devices that are in Debug Mode when their device is not in Debug Mode This is a non standard behavior which unfortunately diminishes the usefulness of Debug Mode since in such cases both devices have to be put in Debug Mode SSP Private Key Injection As explained above SSP Debug Mode is just a way of using a known SSP Private Key Even when not using SSP Debug Mode if the Private Key is known then it can simply be provided to the protocol analyzer software by the user By knowing the Private Key the analyzer software is capable of automatically determining the link key whenever a pairing involving the known Private Key is detected This provides great usability since it avoids having to ever enter the link key manually This approach also provides an added level of security to the SSP Debug Mode as only the analyzer configured with the specific SSP Private Key is capable of determining the link key other sniffers in the area will not be able to decrypt the traffic This feature entry of the Private Key is provided by the Ellisys analyzer software using the Manage SSP Key feature located in the Security pane illustrated below Private Key 985DEA8CEDDC430CEA8699C00349AFFDD33918FCEE8A9C62 Public KeyX C7ABA18E DFOZESAC 769DCF8F 26820E7B FS8DAC81A 32741816 Public Key Y 90EB4702 9C74C1C3 722D776C 67663896 E9DCC585 AE6B746C Add Private Public X Public Y 985DEA8C 6DDC430C E
10. to be used as a design reference Readers should refer to the latest technical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com ellisys Ellisys Bluetooth Expert Notes EEN_BTO9 Methods for Accessing a Link Key Better Analysis Below is a typical setup involving USB HCI capture from a Bluetooth dongle The analyzer captures both the air traffic as well as the HCI traffic concurrently Note that in normal circumstances the dongle is extended away from the antenna using a 6 inch USB STD A to STD A extender cable as otherwise the dongle may present an overly strong signal when situated very close to the antenna ellisys fy rower r Si polora STD A to Micro B USB Cable In the picture below the BEX400 analyzer has captured USB HCI concurrently with BR EDR traffic with the link key being automatically extracted from the HCI capture and used to decrypt the BR EDR traffic A similar approach can be used to capture other forms of HCI such as UART or SPI using a special cable at the rear of the BEX400 analyzer wireless usb uart spectrum 2btt btt Ellisys Bluetooth Analyzer e File View Layout Search Record Tools Help E Full screen E Analysis El exptnt E Add D ed W W BA b Record E Stop Gl Restart Ep Save amp Continue 2 5 Ll Navigat
11. 4 500 Phone 00 14 DC 66 C8 F4 co AudioSource 00 1A4 7D 21 38 CD Throughput S g Header SCOseSCO Y OpCode LMP_version_req E 4 Payload cm Y Version Number Bluetooth Core Specification 2 0 EDR a a ea Sa a ey a ae ery a erences ae 0 90 s Y Sub Version Number 1 740 Zoom bar v tod Instant Timing Jj Instant Audio g Instant Throughput y Ready 40 5372 SSP Debug Mode SSP Debug Mode is a special mode used by SSP enabled devices where a well known Private Public key pair is used instead of the normal Private Public key pair If at least one of the two devices is in SSP Debug Mode the link key will be deduced automatically by the BEX400 analyzer which recognizes the well known Public key transmitted over the air Again only one of the two devices must be in Debug Mode not both If one of the two devices is in Debug Mode then the analyzer will know its SSP Private Key and will thus be capable of computing the link key with the same algorithms used by each device Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference Readers should refer to the latest technical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com ell isy Ss Ellisys Bluetooth Expert Notes ot EEN_BT09 Methods for Accessing a Link Key Note that some manufacturers have
12. A8699C0 0349AFFD D33918FC EE8A9C62 C7ABA18E DF02E5AC 769DCF8F 26820E7B F8DAC81A 32741816 90EB4702 9C74C 1C3 722D776C 67663896 E9DCC585 AE6B746C lt HCI Capture While the link key is not transmitted over the air the good news is that it is transmitted between the radio chip and the host over the host controller interface HCI and is accessible over this medium Even better the Ellisys analyzer can capture HCI traffic concurrently with the air traffic hence the analyzer has access to the link key this way Access to HCI is easily available on prototypes or developer kits SDKs used during development stages but such access will likely not be available on most off the shelf devices One exception is USB HCI such as that used by Bluetooth dongles For example using a PC with an attached USB dongle is an easy way to get access to the HCI This is done by attaching the dongle to the BEX400 analyzer at the STD A port under the antenna then connecting a USB Micro B to USB STD A cable from the adjacent Micro AB receptacle on the analyzer to the PC The analyzer software will capture the air traffic concurrently with the USB HCI traffic and will extract the link key automatically in order to decrypt the air traffic Note that HCI access is required on one of the two devices only not both as the link key is the same for both devices Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way
13. acy Pairing is not at all secure but as with SSP it also uses creates a link key that must be known in order to decrypt the traffic The Ellisys BEX400 analyzer software can automatically decipher the PIN code and deduce the link key just by looking at the captured pairing traffic PIN code based pairing is not used for Bluetooth 2 1 devices and higher SSP enabled devices unless these devices are pairing to a Bluetooth 2 0 or earlier device This means you can use the Ellisys analyzer to fully decrypt traffic from a default SSP enabled device if you pair it with a Bluetooth 2 0 or earlier device thus forcing the SSP enabled device to revert to crackable PIN code based pairing Below is an example of a Bluetooth 2 1 device or higher pairing with a Bluetooth 2 0 device or lower where the pairing reverts to PIN code pairing as the Bluetooth 2 0 device has no concept of SSP The BEX400 software has deciphered the Pin Code of 0000 and calculated the Link Key with subsequent decryption of the traffic taking place automatically Note that if the user had entered the wrong PIN code the Ellisys software would have advised of this error and indicated the correct PIN code to be entered Easy HfpSco btt Ellisys Bluetooth Analyzer 2 File View Layout Search Record Tools Help E Full screen E Analysis FEY Add D GW lg l P Record E Stop E Restart Save amp Continue 2 5 Gi Navigate Markers Filtering Exclude Background
14. b 3C 2D B7 84 06 3A57C2AC 40411828 2BC726D5 C2B 198E4 Dongle 29 CD 00 93 F lt i i i Throughput f A z A Say R as a 7 aie Data type Packet Raw Data X Search x SCOje500 Oeste a A S et Se ha G 01234567894BC OxO000 06 19 11 00 06 OO 06 ES S86 Bi C2 ps 26 58 OxOo0oD 24 B4 3B 0x0014 F6 Al BC 36 02 6 T T T T T T T T T T T T T T T tant 1 0 10 0 15 0 20 0 25 0 30 0 35 0 40 T T T T T T T T T T T 0 45 0 55 0 60 0 65 0 70 0 75 0 80 0 85 of 442 270 50 ms 5 0 05 442 270 00 ms Zoom bar fad Instant Timing A Instant Audio a Instant Throughput Ready 40 5372 Secure Connections for Bluetooth Smart An upcoming revision to the Bluetooth specification v4 2 will add various enhancements including the addition of LE Secure Connections that will greatly improve security for Bluetooth Smart devices This addition updates the pairing procedures to utilize the P 256 elliptic curve and FIPS approved algorithms AES CMAC and P 256 elliptic curve in a way that is similar to BR EDR Secure Connection SSP This change also includes provisions for a shared secret key LE legacy pairing described in the section above will still be available Note that for BR EDR Secure Connections was added with the 4 1 version of the specification and consisted mainly of a change in the encryption method the pairing method still being SSP but with longer Private Public Keys 256 bits ins
15. between these devices is b i LocalServices Eee di PerDevices immediately decrypted Name Type Data ab Default REG SZ value not set SMISE REG_BINARY 58 48 f3 de ff d5 9c 2b a9 e4 Sb 53 9c 3c le 61 Below we see the analyzer has now decrypted the traffic filtered to show only the AT Protocol Note the Communication column which lists the two communicating devices and their BD ADDRs Fill missing fields Manage ECDH Keys Time Master Slave PIN IV f Gia 6 469 675 000 Comp PC E8 2A4 EA B4 DE 7A Notapplicak 6 582 176 250 21 5 Headset 00 24 1C C1 D7 97 301 Raw data amp Security _ Welcome BR EDR Overview Low Energy Overview HCI Qverview Serial HCI Overview USB MessageLog e InstantSpectrum d Protocol Single selection All layers d ff OPRAO F A G amp Ges amp gy MY 16 items displayed Search ta Type filter Y Type filte W Type filter Y Type filter tern Status Payload orrmidnication Destinatior taa AT HFF Supported Features AT BRSF 159 gt gt OK Comp PC EB 2A EA B4 DE 7A lt gt Slave Headset 00 24 1C C 1 07 97 Ox0041 RF o AT MT Indicator AT CIND gt CIND ser OK Comp PE BSE AB DE 7A lt gt Slave Headset GRA ICIC UDO 0x004 RF B AT MT Indicator AT ZIND CIND 0 0 0 OK Master Comp PC E8 24 EA B4 DE 7A lt gt Slave Headset 00 24 1C C1 D7 97 Ox0041
16. d in the Security pane The connection from the headset to the PC however is still encrypted because the link key has not yet been obtained chucks phone Phone The link key between the phone and the headset was obtained using a vendor specific method and is described in the Android stack section in Vendor specific methods described later in this document Note that the analyzer is actually capturing the encrypted traffic PC to headset and displaying this on a single line This line will expand into decrypted traffic once the key is provided to the software either during the capture or after it is saved See the section on Vendor specific methods later in this document for details on how this PC to headset encrypted traffic is decrypted chucks phone headset and computer btt Ellisys Bluetooth Analyzer et File View Layout Search Record Tools Help E Full screen FEY Add D Gd aA D Record E Stop K Restart Eb Save amp Continue 2 3 Navigate Markers Wal Filtering Exclude Background 4 Welcome BR EDR Overview Low Energy Overview HCI Overview Serial HCL Overview USB Message Log Instant Spectrum 4 gt Instant Piconet a x Protocol Single selection eead PFF EFF AF BSH OAD A W 38items kept 110 filtered 2 E Time m Item Communication Payloac 6 483 426 000 aa ACLU Flow Stop No data 6 547 176 625 ge Encrypted Traffic x 1 688 25 7 s byte Sic Master PC lt gt Slave Headset
17. dows Similar to the Windows stack section above try the location in the registry below for Widcomm HKEY_CURRENT_USER Software Widcomm BTConfig LinkKeys Bluetooth Smart Low Energy Security features for Bluetooth Smart per specification version 4 0 differ from those used by BR EDR A Bluetooth Smart pairing procedure results in the generation of a long term key LTK which is derived using a process that varies significantly from the process used by BR EDR that results in generation of a link key Bluetooth Smart devices are architecturally simpler than BR EDR devices as they are intended for simpler tasks so there is generally less processing and storage capabilities on these devices and in fact a simpler and less secure approach to privacy See the section below titled Secure Connections for Bluetooth Smart for information on future changes involving security for Bluetooth Smart With Bluetooth Smart one device determines the LTK then sends this to another device using temporary encryption based on a short term key STK One benefit to this simpler approach is faster connections and reconnections a primary design goal of Bluetooth Smart and a major difference to the slower connecting BR EDR A drawback is a lack of eavesdropping protection So with Bluetooth Smart we re using key transport the LTK is transmitted to the other device instead of key agreement the link key is determined symmetrically by both devices
18. e Delete Reconnect Reset BC Coe The hex data is directly supported by the Ellisys software and can be provided in the Link Key field of the Security view as is without further conversion The Ellisys software will recognize CSR format and will convert it automatically Nokia Mobile Phones Some Nokia models can be put in Debug Mode by typing 2873 Linux BlueZ Bluetooth stack BlueZ is official Linux Bluetooth protocol stack This stack is also used on many Android platforms prior to Android 4 2 See www bluez org for information on utilities that may be useful for accessing link keys The link below has information on the BlueZ Utils application which features an HCI tool that may also be useful https www linux com news hardware peripherals 44623 working with bluetooth connecting to all those cool devices var 1ib Bluetooth BD_ADDR linkkeys Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference Readers should refer to the latest technical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com el il sy S Ellisys Bluetooth Expert Notes EEN_BTO9 Methods for Accessing a Link Key Better Analysis Widcomm Bluetooth stack Note that Widcomm was acquired by Broadcom Widcomm was the first Bluetooth stack used by Win
19. e E Markers 7 4 GQ W Filtering Exclude Background A ow Energy Overview Vat Instant 4 gt HCI Overview USB a 4 gt instant Piconet q x eae Pte Q Protocol Single selectiom All layers le LERO w9 NERA Q z l Type filter Y Type filtet S Item Link 82 712938625 Jat SDP Service Search Attribute Transaction L2CAP OBEX HCI User Confirmation Request CO E4 22 FE 17 1F Pass 097175 i 82 778 565625 F RFCOMM Connect Channel Signaling 4 HCI Simple Pairing Complete Success COsE4 22 FE 17 4 i 2 82 779 190 500 R SDP Service Search Attribute Transaction PnP Informat 0 HCI Link Key Notification CO E4 22 FE 17 1F Key 83359E53 AE76 153F COF69E08 C6231E8D poe 82 819 815 750 F RFCOMM DLC Parameter Negotiation Channe 1 Initia ag B Encryption On BR EDR E0 LE AES CCM 82 820 440 125 z L2CAP Disconnection Src 0x0041 Dst 0x0040 L2CAP Connection Src 0x0041 PSM SDP gt Dst Ux00 82 861066 125 RFCOMM Connect Channel 1 L2CAP Connection Src 0x0041 PSM RFCOMM gt Dst 0x0042 Notebaak 87 261690 750 ma 2CAP Connection Sr 0 NN43 PSM SNP gt Nst oxnn m 2CAP Confine Mst 0xNN41 MTI 1 017 gt Sre OwNN4 MN T N17 wi lt gt lt gt Instant Timing l aX L3 W Q mE origin 82 08 s v span 2 02s Display Logic inputs Lig oT USB Dongle CO E4 22 p bl M4 b 82 430 336 533 Instant Pic Sum jig Instant Cha
20. i el LS ys Ellisys Bluetooth Expert Notes oy EEN _BTO9 Methods for Accessing a Link Key Better Analysis Methods for Accessing a Link Key Foreword Since the advent of Simple Secure Pairing SSP Bluetooth engineers have faced a new challenge in debugging Bluetooth devices SSP simplifies the end user s pairing experience while providing greater security for the connection but it inherently presents obstacles to Bluetooth engineers seeking to decrypt analyzer captured Bluetooth traffic of course these obstacles are intentionally present for anyone seeking to do such decryption At the center of the challenge is gaining access to the link key This document will explore some of the methods available to locate and access this key The Ellisys Bluetooth Explorer 400 Analyzer is uniquely capable of capturing encrypted Bluetooth traffic without a priori knowledge of the link key Encrypted traffic captured using the Ellisys analyzer can be decrypted at a later time when the link key becomes available and therefore fully understood by the Bluetooth engineer The link key is a 128 bit random number and is a shared secret between devices it is never transmitted over the air It is created during the pairing process is stored and kept secret and is used at every connection for authentication and derivation of the encryption key Even a portion of the pairing sequence where the link key is created is encrypted The link key is just
21. ion Requested 0x000C gt 283545 gt Master Host Unknown BD_ADDR lt gt Slave Phone 169B6C41 CDAF9687 D 1D9 12FE EA525A I S HCI Write Link Policy Settings Connection Ox000C Settings Role Sw Master Host Unknown BD_ADDR lt gt Slave Phon ATST Key eee e HCI Write Link Supervision Timeout Connection 0x000C Timeout 5s Master Host Unknown BD_ADDR lt gt Slave Phone ga e HCI Packet EE HCI Read Remote Extended Features Connection 0x000C Page 1 gt Master Host Unknown BD_ADDR lt gt Slave Phone a HCI Change Connection Packet Type Connection 0x000C Master Host Unknown BD_ADDR lt gt Slave Phone a 4 vitamin Link Key Notification HCI Write Link Policy Settings Connection 0x000C Settings Role Sw Master Host Unknown BD_ADDR lt gt Slave Phone BD_ADDR 00 24 1C C1 D7 97 e HCI Remote Name Request 00 24 1C C1 D7 97 gt Motorola HX550 Master Host Unknown BD_ADDR lt gt Slave Phone CA L2CAP Connection Src 0x0040 PS5SM SDP gt Dst 0x0041 Master Phone lt gt Slave Headset gt Beer ERAEN ii ri i 7 Key Type Unauthenticated Combination Key P 1 a L2CAP Configure DOst 0x0041 MTU 256 gt Src 0x0040 Master Phone lt gt Slave Headset a amp L2CAP Configure Dst 0x0040 MTU 64 gt Src 0x0041 Master Phone lt gt Slave Headset 2 HC Authentication Complete Success Connection 0x000C Jal SDP Service Search Attrib
22. ions on both of these transports you just have to pair once In other words an LTK generated during the LE pairing process may be converted to a BR EDR link key for use on the BR EDR transport and conversely a BR EDR link key generated during the BR EDR SSP pairing process can be converted to an LTK for use on the LE transport Feedback needed Do you know of other ways to access link keys or do you have feedback on the implementation of the suggestions in this document Please share your feedback with us at expert ellisys com and we will update this document accordingly we ll attribute your input in the updated document if you wish This will be a great help to the Bluetooth community Other interesting readings EEN BTO3 Your First Wide Band Capture EEN BTO6 Bluetooth Security Truths and Fictions EEN BTO7 Secure Simple Pairing Explained More Ellisys Expert Notes available at http www ellisys com technology expert_notes ph Rev A Updated 2014 10 01 Ellisys 2014 Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference Readers should refer to the latest technical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com
23. llisys BEX400 Explorer application natively supports the format of CSR s PSTool utility The keys are stored in configuration data 42 to 49 Y BlueCore Persistent Store Fie Entry Stores Bootmode View Factory Help Filter user Hex HARM HHHH User configuration data 33 Taa E a a oT BET AATEC EEE User confiquration data 34 __ Ofe O02e 008d 0061 O06e OOFS O0ef O0bS O0Se 0046 0093 0000 O00 User configuration data 35 User configuration data 36 User configuration data 37 User configuration data 38 User configuration data 39 User configuration data 40 User configuration data 41 User configuration data 42 User configuration data 43 User configuration data 44 User configuration data 45 User configuration data 46 User configuration data 47 User configuration data 48 User configuration data 49 User DSF configuration data 0 User DSF configuration data 1 User DSP configuration data 2 User DSF configuration data 3 User DSF configuration data 4 User DSF configuration data 5 User DSF configuration data 6 User DSF configuration data F User DSF configuration data 6 User DSF configuration data User DSF configuration data 10 User DSF configuration data 11 User DSF configuration data 12 B32 UxUeb4 PSKE Y_USha2 User DSF configuration data 13 User DSF configuration data 14 User DSP configuration data 15 sel Read Describe Reset amp Close User DSF configuration data 16 User DSF configuration data 17 Close Toroa ee iee
24. nical specifications for specific design guidance Ellisys Chemin Du Grand Puits 38 CH1217 Meyrin Geneva 41 22 77 777 89 USA 1 866 724 9185 www ellisys com l el T sy S Ellisys Bluetooth Expert Notes r EEN_BTO9 Methods for Accessing a Link Key Better Analysis Android stack Later versions of the Android operating system provide a Developer Mode which can be enabled through the Settings About Phone menu by depressing the Build Number selection several times repeatedly typically seven times Consult your phone s User Manual to be sure you have Developer Mode available and for specific instructions The Developer Mode includes a variety of features including an option to enable a log file containing HCI traffic This file is in BT Snoop format This file which will contain link keys from pairing events can be easily imported to the BEX400 analyzer software The analyzer software will store these link keys and will associate these with the devices using them so subsequent air captures of the connected devices will be automatically decrypted The pictures below depict an abbreviated sequence to enable the Developer Mode and the resulting BT Snoop HCI log file The file can be accessed over the phone s USB connection or it can be shared in a variety of ways such as by E Mail a a e a EEA 4 09 PM lt Developer options Desktop backup password Full desktop backups are not currently mE ee df 45 g 4 05 PM lt
25. many cases this is located in the BTHPORT folder, as shown below, associated with the applicable Bluetooth address, i.e. the Bluetooth device to which the system is connected. Note that this folder may require administrative permissions for access, and that such permissions may be changed in order to gain access (right-click the folder for this option).

Ellisys 2014. Information contained herein is for illustrative purposes and is not intended in any way to be used as a design reference. Readers should refer to the latest technical specifications for specific design guidance. Ellisys, Chemin Du Grand Puits 38, CH1217 Meyrin, Geneva, +41 22 77 777 89, USA +1 866 724 9185, www.ellisys.com. Ellisys Bluetooth Expert Notes EEN_BT09 Methods for Accessing a Link Key, Better Analysis.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys

In our case here (at right), the computer, a WIN8 PC, shows a registry directory under BTHPORT\Parameters labeled e82aeab4de7a, which is the BD_ADDR of the PC. Below we see the contents of this directory, with 00241cc1d797 shown as the BD_ADDR of the connected device (the headset in this case). The data associated with the headset is the link key. We simply copy this link key and paste it into the Ellisys analyzer application in the Security pane, and as shown below the traffic
26. software allows the user to manually input a link key, either during capture or even on a saved capture, in order to decrypt the traffic. When standard link key access methods such as HCI capture or injected HCI are not applicable, it may still be possible to extract the link key from devices with vendor-specific methods and then enter the link key into the analyzer's Security pane for decryption. In these cases it is required to have access to special features of the radio chip, the operating system, the SDK or the host stack, for example access to a Windows registry where a link key may be stored, or to developer modes available on some mobile phones. By no means is the list below complete; it is a work in progress. Ellisys encourages readers to submit suggestions on methods to find link keys across various devices, stacks, etc. for inclusion in this document. See information at the end of this document on how to contact Ellisys. Ellisys also strongly suggests checking with your device manufacturer before attempting any changes to your system software. For developers, most Bluetooth stack providers or chip developers will include an API or an SDK that provides access to the system registers, which likely will include an option to read Bluetooth link keys. Contact your supplier as needed for details.

Windows Bluetooth stack

The link key for Windows-based systems using the Windows stack is often accessible from the Windows registry. In ma
27. one of the parameters used to generate the encryption key. See EEN_BT07, Secure Simple Pairing Explained, for details on how SSP works. Since the link key is never transmitted over the air, the Bluetooth engineer must be aware of the various methods available to access this key. This Expert Note will cover some of these methods. Note that for Bluetooth Smart (Bluetooth Low Energy) things work a bit differently, in that there is in fact an over-the-air transmission of a critical key; see the section on Bluetooth Smart (Low Energy) below.

Key Concepts

Below and at right, the Ellisys Bluetooth Explorer software is used to illustrate some key concepts. In the illustration we see three devices, a phone, a headset and a PC, comprising two connected piconets (one scatternet). The PC is master to the headset, and the headset is dual-role: master to the phone as well as slave to the PC. The connection between the headset and the phone has been fully decrypted, as the link key has been obtained, as indicate
28. [Screenshot: Ellisys Bluetooth Explorer HCI Overview (122 items displayed) listing HCI Simple Pairing Complete (Status: Success, BD_ADDR 00:24:1C:C1:D7:97), HCI Create Connection (Allow Switch: Yes), HCI Max Slots Change (Connection 0x000C, Slots 5), HCI Read Clock Offset, L2CAP Information (Extended Features Supported, Master Phone / Slave Headset), HCI Read Remote Version Information (Version 3), HCI Read Remote Supported Features and HCI Authentication events between the Host and the Slave Phone; the Details pane shows Event Code Simple Pairing Complete, Status Success, BD_ADDR 00:24:1C:C1:D7:97]
29. instead of 192 bits.

The diagram below describes the expected architecture for LE Secure Connections, as well as a comparison to LE legacy pairing and BR/EDR Secure Connections.

[Diagram: LE Legacy Pairing (TK, mRAND, sRAND → s1, AES-128 → Short Term Key; LTK, EDIV, RAND, IRK, CSRK via LE Legacy Key Distribution), LE Secure Connections Pairing (DHKey, N1, N2, BD_ADDRm, BD_ADDRs → f5, AES-CMAC-128 → LTK; LTK → h6, AES-CMAC-128, "tmp1" → ILK → h6, AES-CMAC-128, "lebr" → BR/EDR Link Key; IRK, CSRK via LE Key Distribution) and BR/EDR Secure Connections Pairing (BR/EDR Link Key → h6, AES-CMAC-128 → ILTK → h6, AES-CMAC-128 → Stored Long Term Key)]

As depicted in the diagram above, LE Secure Connections will also allow a key derived over one transport (e.g. BR/EDR) to be used for another transport (e.g. Bluetooth Smart). So if you have two devices that both support BR/EDR and Bluetooth Smart, and both support Secure Connect
30. Injection API, selectable in the Available Analyzers dialog in the Record menu. The Injection API uses UDP (User Datagram Protocol) to push HCI traffic to the Bluetooth Explorer 400 software, where it is displayed live in the HCI Overview (Injection), just as if this traffic were being captured on one of the standard HCI capture ports on the analyzer. Link keys captured with this method are stored by the analyzer software and associated with the device connection, so that any subsequent captures of air traffic between the devices are automatically decrypted. The User Manual for the Bluetooth Explorer 400 provides a link to download explanatory documents and sample code.

[Screenshot: Available Analyzers dialog with the Ellisys Injection API entry]

Ellisys Remote Control API

The Ellisys Remote Control API can be used to programmatically inject link keys obtained from any source into the Ellisys BEX400 software application. For instance, it is possible to build a Remote Control API client that monitors Windows Registries for changes and pushes new link keys into the analysis application. The link provided below contains an introductory guide, the plug-in DLL and sample code written in C using Microsoft Visual Studio 2010 (compatibility is Visual Studio 2005 or higher): http://www.ellisys.com/better_analysis/bex400a_remote_api.zip

Vendor-specific methods

The BEX400 analyzer captures all Bluetooth traffic in the vicinity, even encrypted traffic. The analyzer's s
31. [Screenshot: Bluetooth Explorer overview showing an SDP Service Search Attribute Transfer (PnP Information) between the Phone and the Headset, an HCI Authentication Complete event (Status: Success) on the HCI Injected source, and the Security pane reporting Ready]

For information on the Android Developer SDK, consult the link below: http://developer.android.com/sdk/index.html

CSR Persistent Store

For developers working with CSR devices and tools there is good news: the E
