nRF52840 Dongle BLE Sniffing

RE: nRF52840 Dongle BLE Sniffing

user92402 — Tue, 07 Jun 2022 06:25:09 GMT

Hi,

It is 16 bytes. You must reverse each byte, so 2 and 2 numbers. For example 33cd8dab22a023202a7074ad2a7afc69 will be 69fc7a... and so forth.

Best regards,

Marte

RE: nRF52840 Dongle BLE Sniffing

user116343 — Sat, 04 Jun 2022 21:02:18 GMT

ok. thanks.

is this 16bit ? how shouls I reverse the byte order ?

RE: nRF52840 Dongle BLE Sniffing

user92402 — Fri, 03 Jun 2022 10:10:22 GMT

Hi,

You must reverse the byte order of the LTK. Wireshark is showing the LTK as little endian, but the LTK must be provided as big endian.

Additionally, it is the LTK from the received encryption information you should use (so 33cd8dab22a023202a7074ad2a7afc69 in your case), since it is the central that starts the encryption.

Best regards,

Marte

RE: nRF52840 Dongle BLE Sniffing

user116343 — Wed, 01 Jun 2022 20:45:22 GMT

did you see my post below ? Is it helpful to understand the problem ?

RE: nRF52840 Dongle BLE Sniffing

user116343 — Mon, 30 May 2022 16:51:08 GMT

test-devzone.nordicsemi.com/.../ble_5F00_captures.7z

Hi,

I have captured 5 files. The first one named "pairing" includes the pairing session.

From that session following notes:

d4:9c:dd:9e:f7:5b - camera (BLE client)
94:a1:a2:25:5a:49 - remote (BLE server)

33cd8dab22a023202a7074ad2a7afc69 - rcvd encryption information (packet 7887)
b0ddb6dbfb16725a1091d08c2b547221 - sent encryption information (packet 7898)

And with these keys I tried to decrypt other sessions. Files are named tfor easy understanding.

I hope you can find my mistake.

Thanks

RE: nRF52840 Dongle BLE Sniffing

user92402 — Mon, 30 May 2022 07:55:26 GMT

Hi,

It is difficult to say without looking at the sniffer trace. Can you upload it here as a pcap file?

Best regarads,

Marte

RE: nRF52840 Dongle BLE Sniffing

user116343 — Sun, 29 May 2022 15:35:33 GMT

what might be wrong ?

RE: nRF52840 Dongle BLE Sniffing

user116343 — Mon, 23 May 2022 12:09:28 GMT

Thank you.

Now I am able to get packets from that specific device.

However, I see "Encrypted packet decrypted incorrectly (bad MIC)" info

In fact, from the previous pairing session I got the LTK.

I got 2 LTKs, one from master device (sent encryption information)

value: 24c2432367ca4ba062aa2be421b233e5

one from the slave device (rcvd encryption information)

value: c4383dae339da6bb0be21f61bd7cd0b6

I tried both values entering them on the value field like 0xc4383dae339da6bb0be21f61bd7cd0b6

selecting Legacy LTK

but it is still not decrypting.

Any ideas about where am I doing wrong ?

thanks.

RE: nRF52840 Dongle BLE Sniffing

user92402 — Mon, 23 May 2022 10:44:49 GMT

Hi,

If the device is not advertising you can add the device's LE address to the device list, as explained under Add LE Address in nRF Sniffer usage.

Best regards,

Marte

RE: nRF52840 Dongle BLE Sniffing

user116343 — Sat, 21 May 2022 12:45:18 GMT

Thanks for this. I have successfully followed the instructions and now I am able to see BLE packets in Wireshark with the provided profile.

But all I see is advertising packets.

How can I see messages between bonded/paired devices ?

The documentation says:

Run the nRF Sniffer (if not already running).
Select your device from the device list.
Enter the LTK for the bond.

But I don't have the LTK.

I also followed the "Sniffing the pairing procedure of a connection" instructions but I could not get packetrs other than advertising.

My devices pair withput a key. I just turn both devices on (reset them to force bonding) and select the device B from device A menu.

Edit:

I finally managed to sniff packets other than advertising data. But that only happens in the same session.

To continue capturing in another session, I got the LTK from the first session but I was not able to use it.

The problem is that,

1.device B starts pairing to device A

2.Then I get 2 LTKs (one is from master, the other one is from slave)

3.In the next session, device A does not advertise because it is already bonded, so I can not select it from the device list.

4. If I select device B from the list , then I try both LTK to get packets, I can not get any data other than advertising data.

What am I doing wrong ?

RE: nRF52840 Dongle BLE Sniffing

user92402 — Wed, 18 May 2022 08:25:50 GMT

Hi,

The nRF Sniffer for Bluetooth LE is supported on the nRF52840 Dongle. You can see supported DKs and Dongles under nRF Sniffer for Bluetooth LE > Minimum requirements.

Information about installation and how to use the sniffer can be found in the documentation here: nRF Sniffer for Bluetooth LE.

Best regards,

Marte