Using Network Analyzer Tool to Monitor Bluetooth Mesh Traffic

This training demonstrates the usage of the Network Analyzer tool provided by Silicon Labs, and applies it to monitor Bluetooth Mesh traffic.

KEY FEATURES
o Demonstration of Network Analyzer
o Monitoring Bluetooth Mesh traffic

silabs.com Smart. Connected. Energy-friendly Rev. 0.1
1 Introduction

EFR32 parts have a so-called Packet Trace Interface (PTI), which makes it possible to monitor externally all packets received and transmitted by the radio. If PTI is enabled, the content of each radio packet is sent out via the SPI or UART interface (depending on the configuration) as soon as the packet is received or transmitted by the radio. Hence all radio traffic can be monitored externally.

The Silicon Labs Wireless Starter Kit (WSTK) captures PTI data from radio boards and, after timestamping, forwards the packets to the PC via USB (J-Link EMU-COM channel 15) or Ethernet (TCP port 4905). The received packets can be decoded and visualized by the Silicon Labs Network Analyzer tool that comes with Simplicity Studio 4.

The Network Analyzer tool can decode different standards, including Bluetooth and Bluetooth Mesh. Since the communication is often encrypted, the tool can also decrypt encrypted messages, provided that it knows the keys used for encryption.

Bluetooth Mesh packets are sent via advertisements flooding the network. This means that all packets can be captured with any device within range of the network, i.e. by using the PTI on any of your Bluetooth Mesh devices you can monitor the whole traffic of the Mesh network.
2 Bluetooth Mesh Demos for Monitoring

In the following we will monitor the traffic of the BT Mesh Light Example demo application. This simulates a lightbulb that can be switched on/off with the help of a Bluetooth Mesh network. We will also need at least one BT Mesh Switch Example demo running on another device for testing purposes.

1. Open Simplicity Studio
2. Select your first device in the Devices tab
3. Check the Preferred SDK, it has to be Bluetooth Mesh
4. Click on the BT Mesh Light Example demo
5. Click Start in the dialog window
6. Select your second device in the Devices tab
7. Check the Preferred SDK again, it has to be Bluetooth Mesh
8. Click on the BT Mesh Switch Example demo
9. Click Start in the dialog window
10. You may repeat this for multiple lightbulbs and switches

If you already have demo devices set up and provisioned, do a Factory reset on them. On the WSTK:

1. Keep PB0 or PB1 pressed
2. Click reset
3. Wait until the screen shows *Factory reset*
4. Release PB0 or PB1

On your smartphone, open the Bluetooth Mesh app, go to Network view, long click on the Demo Network and click the X icon to flush the network and group configuration.
3 Start Network Analyzer

1. To open the Network Analyzer perspective, click on Network Analyzer in the upper right corner of Simplicity Studio or, if it is not available, go to Window > Perspective > Network Analyzer
2. To enable decoding of Bluetooth packets, select File > Preferences, browse for Network Analyzer > Decoding > Stack Versions, and make sure Bluetooth Smart is your default stack profile. Press OK. This ensures that the packets are parsed as Bluetooth packets.
3. Right click on your device and choose Connect, then choose Start capture. This will open up a new window and start capturing your packets.
4. Right click on your device and choose Stop capture to stop monitoring
4 Provisioning

The first step to connect a device to a mesh network is provisioning. An unprovisioned device has to advertise itself to be discoverable for the Provisioner. This can be done by the Unprovisioned Device Beacon and by advertising the Mesh Provisioning Service. To observe these:

1. Start capturing packets while your device is unprovisioned. Stop capturing after 30-40 seconds.
2. In the events window of the Network Analyzer you can find both Unprovisioned Device Beacons and Mesh Provisioning Service advertisements:
3. Find and select an Adv Indication packet where the MAC Src matches the MAC address of your device. (Note: the last 2 bytes of your MAC address are shown on the LCD of the WSTK). The content of this Mesh Provisioning Service advertisement is defined by the Bluetooth Mesh specification as
   You should observe the same packet format in the Event Details window:
   You can see the Mesh Provisioning Service advertised (UUID 0x1827) along with the Device UUID, which is SilabsDev-XXXXXX, where XXXXXX is the MAC address of the device.
4. Now find and select an Unprovisioned Device Beacon packet (Note: these are much rarer than service advertisements). You can see its content decoded in the Event Details window:
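The two advertisement kinds described above can also be recognized directly in raw advertising payloads. The Python below is an added example, not part of the original training material: the field layouts follow the Bluetooth Mesh Profile specification, and the sample payloads (including the MAC bytes inside the Device UUID) are constructed.

```python
import struct

MESH_PROV_SERVICE = 0x1827   # Mesh Provisioning Service UUID (from the page)
AD_SERVICE_DATA_16 = 0x16    # AD type: Service Data, 16-bit UUID
AD_MESH_BEACON = 0x2B        # AD type: Mesh Beacon
BEACON_UNPROVISIONED = 0x00  # Beacon type: Unprovisioned Device

def ad_structures(payload):
    """Yield (ad_type, data) for each length/type/value AD structure."""
    i = 0
    while i < len(payload) and payload[i] != 0:  # zero length = padding
        length = payload[i]
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def unprovisioned_info(payload):
    """Return Device UUID and OOB info of an unprovisioned node, or None."""
    for ad_type, data in ad_structures(payload):
        if ad_type == AD_SERVICE_DATA_16 and len(data) == 20:
            (uuid16,) = struct.unpack_from("<H", data)  # little-endian UUID
            if uuid16 == MESH_PROV_SERVICE:
                return {"via": "service", "device_uuid": data[2:18],
                        "oob": data[18:20]}
        elif (ad_type == AD_MESH_BEACON and len(data) in (19, 23)
              and data[0] == BEACON_UNPROVISIONED):
            # The 4-byte URI hash at the end is optional.
            return {"via": "beacon", "device_uuid": data[1:17],
                    "oob": data[17:19], "uri_hash": data[19:23] or None}
    return None

# Constructed samples: the UUID uses the SilabsDev-XXXXXX layout from the
# page with made-up MAC bytes; OOB information is all zero.
DEVICE_UUID = b"SilabsDev-" + bytes.fromhex("0123456789ab")
SERVICE_ADV = (bytes.fromhex("020106" "03032718" "15162718")
               + DEVICE_UUID + b"\x00\x00")
BEACON_ADV = bytes.fromhex("142b00") + DEVICE_UUID + b"\x00\x00"
PHONE_ADV = bytes.fromhex("020106" "0509") + b"Test"  # unrelated advertiser

if __name__ == "__main__":
    for adv in (SERVICE_ADV, BEACON_ADV, PHONE_ADV):
        print(unprovisioned_info(adv))
```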
The next step is to provision the device. This can be done via ADV packets or via a GATT connection. In this demo the provisioning is done via a GATT connection. The provisioner (smartphone) connects to the device, builds up an authenticated channel via the Provisioning Service, and shares the secret Network Key with the device.

1. Open the Silicon Labs Bluetooth Mesh Application on your smartphone
2. Select the Provision tab, click scan and find your device
3. Start capturing packets in Network Analyzer
4. Click on the mesh icon next to your device to provision it.
5. Stop capturing when provisioning is done.
6. Now you can see in the event log the smartphone and your device establishing a connection. After establishment, the smartphone and the device communicate via the Unprovisioned Device Service: the smartphone sends write commands to the Mesh Provisioning Data In characteristic, and the device sends notifications via the Mesh Provisioning Data Out characteristic.
7. Click on any Attribute: Write Request or Attribute: Handle Value Notification packet. In the Event details you can see the data sent:

The Provisioning data is currently not decoded. But you can easily find the Provisioning PDU Type (second octet), which can be one of the following:
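Since Network Analyzer shows these attribute values undecoded, the type octet can be read with a few lines of Python. This is an added example, not part of the original training material: the Proxy PDU header layout (2-bit SAR, 6-bit message type) and the PDU type values are taken from the Bluetooth Mesh Profile specification, and the sample writes are constructed. It also covers the case where a PDU is split over several writes, in which only the first one carries the type in its second octet.

```python
# Provisioning PDU types 0x00-0x09 (Bluetooth Mesh Profile specification)
PROV_TYPES = ["Invite", "Capabilities", "Start", "Public Key",
              "Input Complete", "Confirmation", "Random", "Data",
              "Complete", "Failed"]
SAR_COMPLETE, SAR_FIRST, SAR_CONTINUATION, SAR_LAST = range(4)
PROXY_TYPE_PROVISIONING = 0x03

def provisioning_pdus(att_values):
    """Reassemble Proxy PDUs from the ATT values of ONE characteristic
    (Data In or Data Out); return [(pdu_type_name, parameter_length)]."""
    decoded, buf = [], None
    for value in att_values:
        if not value or value[0] & 0x3F != PROXY_TYPE_PROVISIONING:
            continue
        sar = value[0] >> 6
        if sar in (SAR_COMPLETE, SAR_FIRST):
            buf = bytearray(value[1:])   # second octet is the PDU type
        elif buf is None:
            continue                     # capture began mid-message
        else:
            buf += value[1:]             # later segments carry no type octet
        if sar in (SAR_COMPLETE, SAR_LAST):
            if buf:
                pdu_type = buf[0] & 0x3F
                name = (PROV_TYPES[pdu_type] if pdu_type < len(PROV_TYPES)
                        else "RFU 0x%02x" % pdu_type)
                decoded.append((name, len(buf) - 1))
            buf = None
    return decoded

# Constructed sample writes: an Invite in one value, then a 65-byte
# Public Key PDU (type octet + all-zero placeholder key) split into
# 19-byte pieces as it would be with a 20-byte attribute value limit.
INVITE = bytes.fromhex("030005")
PUBLIC_KEY = b"\x03" + bytes(64)
DATA_IN_WRITES = [INVITE,
                  b"\x43" + PUBLIC_KEY[:19], b"\x83" + PUBLIC_KEY[19:38],
                  b"\x83" + PUBLIC_KEY[38:57], b"\xc3" + PUBLIC_KEY[57:]]

if __name__ == "__main__":
    print(provisioning_pdus(DATA_IN_WRITES))
```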
The Network Key is shared in the Provisioning Data packet. However, the content of this packet is already encrypted, so you cannot observe the Network Key directly. To find the Network Key (and the Device Key):

1. Open the Bluetooth Mesh app on your smartphone
2. Click on your Demo Network
3. Select the Devices tab
4. Wait until the mesh icon in the upper right corner turns green
5. Long click on your device
6. Click on the settings icon
7. Select the INFO tab

From now on every communication with the device is encrypted with the Network Key and the Device Key. To be able to decrypt these messages you have to add the Network Key and the Device Key to the encryption keys of the Network Analyzer:

1. In Simplicity Studio select Window > Preferences > Network Analyzer > Decoding > Security Keys
2. Click New
3. Change the name to Mesh Network Key
4. Change the key value to the Net Key observed in the app
5. Click New
6. Change the name to Device Key
7. Change the key value to the Dev Key observed in the app
8. Click OK

Now, before moving on, provision all of your other devices (lights and switches) in the demo network and add their device keys to the security keys of Network Analyzer!
5 Configuring the model

After all your devices are added to the network (provisioned), they have to be configured. This means assigning an application (e.g. light switching) and a model (e.g. on/off control or on/off device) to the device.

Unlike provisioning, which was done on a point-to-point connection, configuration is done via the mesh network. The smartphone connects to one of the devices on the network that will serve as a proxy device: it forwards the messages of the smartphone to the mesh network. The message then floods the whole network via relayed advertisements.

To find the proxy device:

1. Open the Bluetooth Mesh app
2. Select Demo Network
3. Go to the Devices tab
4. Find the device with the red radio signal icon

Now let's configure a device which is not the proxy. (If you configure the proxy, the messages are not necessarily forwarded on the mesh network, so you cannot observe mesh traffic!)

1. Start capturing packets on any of your devices
2. Open the Bluetooth Mesh app on your smartphone
3. Select your network
4. Go to the Devices tab
5. Long click on one of your devices which is not the proxy
6. Click the configuration icon
7. Select a functionality
8. Select a group
9. Click Apply
10. Stop capturing packets after a few seconds
During the configuration process you can observe the following messages:

o BT Mesh Access Message: Config AppKey Add
o BT Mesh Access Message: Config AppKey Status
o BT Mesh Access Message: Config Model App Bind
o BT Mesh Access Message: Config Model App Status

When the device is assigned to an application, the first step is providing it with the Application Key. This ensures that devices assigned to different applications will not interfere (e.g. a light switch cannot open the door). Find the following packets:

Clicking on any of the first two packets will reveal the content including the Application Key:

You can find the same Application Key in the smartphone app at the same place where you can find the Network Key and Device Key (see previous section). Now add the Application Key to the security keys of Network Analyzer:

1. In Simplicity Studio select Window > Preferences > Network Analyzer > Decoding > Security Keys
2. Click New
3. Change the name to Application Key
4. Change the key value to the Application Key
5. Click OK

From now on you will be able to decrypt messages that are encrypted with the Application Key.

Now, before moving on, configure all of your other devices (lights and switches) in the demo network!
6 Segmented Mesh Messages

The BT Mesh Access Message: Config AppKey Add message is also a good example of a segmented message. Since the size of the advertisement packet is limited, messages often have to be split into segments. In this case the access message is:

1. Encrypted on the application level
2. Split into segments
3. Segments are encrypted on the network level

Network Analyzer automatically groups packets that are segments of the same message and decodes them as one message. The whole process is:

1. Decrypting the packets on the network level
2. Reassembling segments belonging to the same message
3. Decrypting the message on the application level
4. Decoding (parsing) the message

The Events window shows each segment, marking it with the segment number (e.g. [1/2]). The Event Detail window always shows the content of the reassembled message. The Hex Dump window shows the decrypted and reassembled message by default; however, the raw captured data can also be observed for each segment:
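Step 2 of that process (reassembly) can be sketched in Python as follows. This is an added example, not Network Analyzer's own code: it assumes the network layer has already been decrypted, uses the segmented Lower Transport PDU header layout from the Bluetooth Mesh Profile specification (SEG/AKF/AID, then SZMIC, SeqZero, SegO, SegN), and runs on a constructed 24-byte payload split into two 12-byte segments. Because relays repeat advertisements, duplicate and out-of-order segments are handled.

```python
def parse_segment(lt_pdu):
    """Split a segmented Lower Transport PDU (network layer decrypted)."""
    if len(lt_pdu) < 5 or not lt_pdu[0] & 0x80:
        raise ValueError("not a segmented Lower Transport PDU")
    hdr = int.from_bytes(lt_pdu[1:4], "big")
    seg = {"akf": (lt_pdu[0] >> 6) & 1, "aid": lt_pdu[0] & 0x3F,
           "szmic": hdr >> 23, "seq_zero": (hdr >> 10) & 0x1FFF,
           "seg_o": (hdr >> 5) & 0x1F, "seg_n": hdr & 0x1F,
           "data": lt_pdu[4:]}
    if seg["seg_o"] > seg["seg_n"]:
        raise ValueError("SegO exceeds SegN")
    return seg

class Reassembler:
    """Collects segments per (source address, SeqZero)."""
    def __init__(self):
        self.pending, self.done = {}, set()

    def feed(self, src, lt_pdu):
        """Return the Upper Transport PDU once complete, else None."""
        seg = parse_segment(lt_pdu)
        key = (src, seg["seq_zero"])
        if key in self.done:
            return None                  # relayed copy of a finished message
        parts = self.pending.setdefault(key, {})
        parts.setdefault(seg["seg_o"], seg["data"])  # keep first copy only
        if not all(i in parts for i in range(seg["seg_n"] + 1)):
            return None
        self.done.add(key)
        del self.pending[key]
        return b"".join(parts[i] for i in range(seg["seg_n"] + 1))

def make_segment(seq_zero, seg_o, seg_n, data, akf=0, aid=0):
    """Helper that builds the constructed sample segments below."""
    hdr = (seq_zero << 10) | (seg_o << 5) | seg_n
    return bytes([0x80 | (akf << 6) | aid]) + hdr.to_bytes(3, "big") + data

# Constructed stand-in for an encrypted 24-byte Upper Transport PDU.
UPPER = bytes(range(24))
SEGMENTS = [make_segment(0x0123, i, 1, UPPER[12 * i:12 * i + 12])
            for i in (0, 1)]

if __name__ == "__main__":
    r = Reassembler()
    for pdu in (SEGMENTS[1], SEGMENTS[1], SEGMENTS[0]):
        print(r.feed(0x0001, pdu))
```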
7 Filtering Mesh Traffic

While capturing packets you may see a number of undesired advertisements originating from other Bluetooth devices around you, e.g. from smartphones advertising themselves. This often makes it hard to observe mesh traffic only. Unfortunately, these advertisements cannot be filtered out, but you can apply highlighting for Mesh traffic to find mesh packets easily.

1. Click on the Filter Manager icon in the toolbar or find Window > Show View > Expression Manager
2. In the Expression Manager window click on New
3. Change the name of the New Filter to Mesh filter
4. Type in the following expression:
       bleadv.adv_type_0 == 0x2a
   This will find advertisement packets with Mesh content
5. Tick the Color checkbox
6. Click on the box under Bg (background) or Fg (foreground)
7. Choose a color after clicking on

Now all the Mesh traffic (events and transactions) will be highlighted with the chosen color.

If there are multiple mesh networks in your vicinity (e.g. at a training) you may also want to filter for your own mesh network:

1. Find any mesh packet that could be decrypted by the Network Analyzer. (Since you know the Network Key of your own network only, packets from other mesh networks will show an error message: BT Mesh NWK level decryption failed)
2. Find the Network ID in the Event Details:
3. In the Expression Manager window click on New
4. Change the name of the New Filter to My Mesh Network
5. Type in the following expression:
       btmeshnw.nid == 0x14
   Replace the number with your own Network ID!
6. Tick the Color checkbox and choose a color
8 Communication on the Mesh Network

On a Bluetooth Mesh network, devices communicate via advertisements flooding the whole network. Consequently, you can see all messages with any device on the network. However, you can only decrypt messages that are encrypted with:

o Network Key only
o Network Key + your Device Key
o Network Key + Application Key of the application you are involved in

Network Analyzer will automatically try to decrypt the messages with the provided security keys. If decryption succeeds, the Mesh content is parsed.

1. Start capturing packets
2. Press PB0 or PB1 on a Switch Node in your demo network
3. Check if the light (LEDs) was turned on/off on the Light Nodes in your demo network
4. Stop capturing

Find the following message and select it:

This message was encrypted with the already known Network and Application Keys, hence it is automatically decrypted by the Network Analyzer and its content is parsed:
The parsed data is organized into the standard Bluetooth Mesh layers:

o Network Layer
o Lower Transport Layer
o Upper Transport Layer
o Access Layer

The Upper Transport layer is covered by the App Encryption MIC (message integrity check).

9 Saving Sessions

You can easily save capture sessions into log files (.isd format) by simply selecting File > Save. However, be aware that security keys are not saved by default. Hence, if someone else opens the log file on their own computer, they will not be able to decrypt messages. To save security keys into the log file:

1. Go to Window > Preferences > Network Analyzer > Decoding > Security Keys
2. Tick the checkbox: Save decryption keys in ISD files.
3. Click OK