Static PIN when using as peripheral

Ashwin Rao
Joined: 2015-01-09 05:21

Hi,

I am working on a heart rate sensor application and I have put together an app which is working well, i.e., I am able to connect and view HR using any standard Android BLE app.
I am using the BASIC development kit as peripheral slave for this purpose.

Now, I want to add some security so that only a user with a pin can connect to the peripheral. I know that this is vulnerable to brute force attack but that is okay.
These are the changes I have made for the same.

void app_sec_init_func(void)
{
#if (BLE_APP_SEC)
    app_sec_env.auth = (GAP_AUTH_REQ_MITM_BOND);
#endif
}

void app_send_pairing_rsp_func(struct gapc_bond_req_ind *param)
{
    struct gapc_bond_cfm* cfm = KE_MSG_ALLOC(GAPC_BOND_CFM, KE_BUILD_ID(TASK_GAPC, app_env.conidx), TASK_APP, gapc_bond_cfm);

    cfm->request = GAPC_PAIRING_RSP;
    cfm->accept = true;

    // OOB information
    cfm->data.pairing_feat.oob = GAP_OOB_AUTH_DATA_NOT_PRESENT;
    // Encryption key size
    cfm->data.pairing_feat.key_size = KEY_LEN;
    // IO capabilities
    cfm->data.pairing_feat.iocap = GAP_IO_CAP_DISPLAY_ONLY;
    // Authentication requirements
    cfm->data.pairing_feat.auth = GAP_AUTH_REQ_MITM_BOND;
    // Security requirements
    cfm->data.pairing_feat.sec_req = GAP_SEC1_AUTH_PAIR_ENC;
    // Initiator key distribution
    cfm->data.pairing_feat.ikey_dist = GAP_KDIST_ENCKEY;
    // Responder key distribution
    cfm->data.pairing_feat.rkey_dist = GAP_KDIST_ENCKEY;

    ke_msg_send(cfm);
}
Since cfm->data.pairing_feat.iocap = GAP_IO_CAP_DISPLAY_ONLY;, the Android device is supposed to pop up a keyboard to enter the pin when pairing.
When a bonding request is received, the app_send_tk_exch_func() should be called which will set the static pin.

Now, when I try to pair using an Android device, the Android device just says key mismatch without the keyboard popping up. Also, I don't get a GAPC_TK_EXCH request in gapc_bond_req_ind_handler() for this case.

Just to check, if I change to cfm->data.pairing_feat.iocap = GAP_IO_CAP_KB_ONLY;, then when pairing, the Android device shows the random pairing code which should be entered on the peripheral slave (as expected). However, this is not what I need.

Can you please tell me what could be wrong?

Thanks in advance.

Ashwin Rao
Joined: 2015-01-09 05:21

Hi,

Anyone with any info on this?

Regards,
Ashwin

JE_Dialog
Staff
Joined: 2013-12-05 14:02

Hi Ashwin, one of the team will start to take a look at this for you tomorrow. BR JE_Dialog

MT_dialog
Staff
Joined: 2015-06-08 11:34

Hi Ashwin Rao

If I understand correctly, you would like to connect to your device by using a passkey which will be entered by the keyboard of your host (phone). Well, you can try changing the IO_Capabilities of your host to “Keyboard Only” in order to accomplish something like that. The device’s IO Capabilities should be NoInput/NoOutput since the device isn’t going to have any buttons and the PIN number would be fixed. The “Display capability” you mentioned, I don’t think that will force the Android device to display the keyboard.

Thanks MT_dialog

Ashwin Rao
Joined: 2015-01-09 05:21

Hi,
Thanks for the response.

According to
https://developer.bluetooth.org/TechnologyOverview/Pages/LE-Security.aspx
the settings that I have mentioned are correct.

In your post, you have mentioned "The device’s IO Capabilities should be NoInput/NoOutput since the device isn’t going to have any buttons and the PIN number would be fixed."
But according to the above link, if that is done, then just works authentication mode will be used which is not what I need.
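
The IO-capability question debated in the posts above comes down to the LE legacy pairing lookup in the Bluetooth Core Specification; the following is an added example, not code from any poster or from the Dialog SDK. The enum and function names are local to the example, OOB is assumed unused (as in the posted code), and the phone is assumed to report KeyboardDisplay as initiator.

```c
#include <stdbool.h>
#include <stdio.h>

/* SMP IO capability codes (Bluetooth Core Spec). Enum names are local to
 * this example and are not the Dialog SDK's GAP_IO_CAP_* identifiers. */
enum io_cap { DISPLAY_ONLY = 0, DISPLAY_YESNO = 1, KEYBOARD_ONLY = 2,
              NO_IO = 3, KEYBOARD_DISPLAY = 4 };

enum model {
    JUST_WORKS,       /* unauthenticated key, no MITM protection    */
    PK_RSP_DISPLAYS,  /* peripheral shows passkey, central types it */
    PK_INI_DISPLAYS,  /* central shows passkey, peripheral types it */
    PK_BOTH_INPUT     /* same passkey typed on both devices         */
};

/* LE legacy pairing, OOB not used. Row = responder, column = initiator. */
static const enum model legacy_map[5][5] = {
/* initiator:    DispOnly         DispYesNo        KbdOnly          NoIO        KbdDisp */
/* DispOnly  */ { JUST_WORKS,      JUST_WORKS,      PK_RSP_DISPLAYS, JUST_WORKS, PK_RSP_DISPLAYS },
/* DispYesNo */ { JUST_WORKS,      JUST_WORKS,      PK_RSP_DISPLAYS, JUST_WORKS, PK_RSP_DISPLAYS },
/* KbdOnly   */ { PK_INI_DISPLAYS, PK_INI_DISPLAYS, PK_BOTH_INPUT,   JUST_WORKS, PK_INI_DISPLAYS },
/* NoIO      */ { JUST_WORKS,      JUST_WORKS,      JUST_WORKS,      JUST_WORKS, JUST_WORKS      },
/* KbdDisp   */ { PK_INI_DISPLAYS, PK_INI_DISPLAYS, PK_RSP_DISPLAYS, JUST_WORKS, PK_INI_DISPLAYS },
};

enum model legacy_pairing_model(enum io_cap ini, enum io_cap rsp,
                                bool ini_mitm, bool rsp_mitm)
{
    /* IO capabilities are only consulted if at least one side asks for MITM. */
    if (!ini_mitm && !rsp_mitm)
        return JUST_WORKS;
    return legacy_map[rsp][ini];
}

/* Only passkey entry yields an authenticated (MITM-protected) key. */
bool link_is_authenticated(enum model m) { return m != JUST_WORKS; }

int main(void)
{
    static const char *name[] = { "Just Works", "Passkey (peripheral displays)",
                                  "Passkey (phone displays)", "Passkey (both input)" };
    /* Assumption: the phone (initiator) reports KeyboardDisplay. */
    enum io_cap rsp[] = { DISPLAY_ONLY, KEYBOARD_ONLY, NO_IO };
    for (int i = 0; i < 3; i++)
        printf("peripheral iocap %d -> %s\n", rsp[i],
               name[legacy_pairing_model(KEYBOARD_DISPLAY, rsp[i], true, true)]);
    return 0;
}
```
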

MT_dialog
Staff
Joined: 2015-06-08 11:34

Hi Ashwin Rao

I'm going to send you something offline, please have a look, I hope it will help you.

Thanks MT_dialog

klim9531
Joined: 2015-01-28 23:52

I am reading through this post looking for help/hints on how I might be able to do something like this:

--On the peripheral, press a button, and for the next 2 seconds, broadcast and allow a connection from ANY android device that is scanning (looking for my service's UUID).
--Once that bond is established, turn off broadcasting, and now in the future, allow ONLY that Android device to reconnect without the button press.
--This seems pretty straightforward, but I cannot find any good suggestions on how to do this.
--I already have everything else in the peripheral working, just want to add this in.

I should mention to you guys at Dialog that it might be much more helpful and save you a lot of work if wherever possible, you answer questions FULLY in the forums. Many of the posts that I have read over time here are unanswered, the final post being from a Dialog moderator who says something like "I'm going to send you something offline...." I realize that sometimes there is no easy answer to the many questions that you guys get, but it does us all very little good to run into a bunch of dead ends.

JE_Dialog
Staff
Joined: 2013-12-05 14:02

Hi klim, thanks for your feedback. I agree that it's not ideal to take things offline: sometimes it's necessary (as the length / complexity of the issue means it cannot be dealt with on here) but overall your sentiments are correct and appreciated: the more online the better. I'll have one of the team look into your requirements and we'll feedback.

Thanks & BR JE_Dialog

klim9531
Joined: 2015-01-28 23:52

Thanks JE_Dialog, I am glad that you didn't see this as a negative comment, it was not meant to be. I will keep an eye on this thread and see if you guys have something that will point me in the right direction.

JE_Dialog
Staff
Joined: 2013-12-05 14:02

Hi Klim9531, our initial thought is that:

  • DA14580 cannot distinguish between iOS or Android. So there has to be an app which writes to a custom characteristic to tell it that it is an Android phone.
  • Once the above step is performed, one can retrieve the peer device’s BD address and add it to the white list.

Do you need to distinguish between an Android and iOS device?

This could be built from the keyboard reference design (stripped down). We have an internal note on the whitelisting that we can share (this shows how to add a device to the white list, which effectively will make a list of known connections and only connect to those that are whitelisted).

BR JE_Dialog

klim9531
Joined: 2015-01-28 23:52

Hi JE_Dialog,

Thanks for the input, here is some clarification:

--It does not matter whether the client device is Android or iOS (I currently have a fully functioning Android app to interface with the device, I intend to build an iOS app soon). The Android app scans for advertising devices and if it finds one with my name/service, I begin data transfer. This design is based on the Serial Port Service app.

Your idea about getting the device's Bluetooth Address and whitelisting it in the DA14580 seems right on target with my needs. This is my desired sequence:

1. DA14580 is powered on, has never before connected to a peer device (Android or iOS).
2. User presses a button on DA14580 (resets the whitelist, however this list is empty at first power-up).
3. User starts Android/iOS app, for 2.5 seconds the app begins scanning for any BT devices, finds my named service, and begins bi-directional communication (this part is currently working).
4. DA14580 queries the Android/iOS device and acquires a BD address, then stores that address in a whitelist.
5. Communication continues until DA14580 is powered down.
6. Upon restart of the DA14580, it will now ONLY ALLOW communication with the device which is in the whitelist.
7. If the button on the DA14580 is pressed again, the Android/iOS device in the whitelist is purged, and the DA14580 repeats the above starting at #2.

If you can post a link to Dialog's internal note on whitelisting --how to query the device, then add its BD address to a whitelist-- then that would help me sort this out.

I will wait for your reply and while doing so, look at the keyboard reference design.

Thanks for your help, klim9531
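
The accept/reject logic of the button-and-whitelist sequence described in the post above can be modelled as a small state machine; this is an added example, not code from the thread or from the Dialog SDK. All names are hypothetical, the 2-second window is taken from the earlier post, and the struct stands in for state that firmware would keep in non-volatile storage.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAIR_WINDOW_MS 2000u  /* "next 2 seconds" after the button press */

/* Hypothetical state; has_peer/peer would live in non-volatile storage. */
struct peer_filter {
    bool     has_peer;         /* true once one peer address is stored */
    uint8_t  peer[6];          /* stored BD address                     */
    bool     window_open;      /* pairing window armed by the button    */
    uint32_t window_start_ms;
};

/* Button press: purge the stored peer and open the pairing window. */
void filter_button_press(struct peer_filter *f, uint32_t now_ms)
{
    memset(f, 0, sizeof *f);
    f->window_open = true;
    f->window_start_ms = now_ms;
}

/* Power cycle: the stored peer survives, an open window does not. */
void filter_power_cycle(struct peer_filter *f) { f->window_open = false; }

/* Decide whether a connection from addr is allowed at time now_ms. */
bool filter_allow(struct peer_filter *f, const uint8_t addr[6], uint32_t now_ms)
{
    if (f->has_peer)
        return memcmp(f->peer, addr, 6) == 0;   /* only the stored peer */
    /* No peer yet: accept only inside the button-triggered window.
     * Unsigned subtraction stays correct across tick wrap-around. */
    if (f->window_open && (uint32_t)(now_ms - f->window_start_ms) < PAIR_WINDOW_MS) {
        memcpy(f->peer, addr, 6);               /* first peer wins */
        f->has_peer = true;
        f->window_open = false;
        return true;
    }
    f->window_open = false;
    return false;
}

int main(void)
{
    /* Constructed sample addresses, not real devices. */
    const uint8_t a[6] = {1, 2, 3, 4, 5, 6}, b[6] = {9, 9, 9, 9, 9, 9};
    struct peer_filter f = {0};
    filter_button_press(&f, 1000);
    printf("A in window: %d, B afterwards: %d\n",
           filter_allow(&f, a, 1500), filter_allow(&f, b, 1600));
    return 0;
}
```

An address match is a filter, not authentication: it should sit on top of bonding and link encryption, and a phone that uses resolvable private addresses has to be resolved through its bonded identity before the comparison is meaningful.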

Richard Surprenant
Joined: 2016-07-26 16:37

JE_Dialog,
This is exactly what I wish to do with the SPS. Can you comment how this was resolved?
thanks,
Rich

MT_dialog
Staff
Joined: 2015-06-08 11:34

Hi Richard,

Please check your previous post, I trust that it will cover your question.

https://support.dialog-semiconductor.com/forums/post/dialog-smartbond-bl...

Thanks MT_dialog