Decrypting Encrypted Bluetooth data with the BPA 500

Similar documents
Hardware and Software User Manual

Tracing Bluetooth Headsets with the CATC Bluetooth Analysers

Revision Date: 4/10/2014. ComProbe User Manual

Frontline Test System FTS4BT. User Manual

PA RT 3 CROSS LAYER FUNCTIONS

Computer Networks II Advanced Features (T )

Bluetooth. Bluetooth Radio

TDS Nomad Connect To Bluetooth Instrument. Tested with Trimble Nomad with integrated Bluetooth, and Sokkia 530R3 total station.

Amarjeet Singh. February 7, 2012

Hardware and Software User Manual

[A SHORT REPORT ON BLUETOOTH TECHNOLOGY]

HyperBlade Bluetooth Serial Port Setup Guide For use with Scimitar Software and USB Bluetooth adapter Hyperdyne Labs 2006

ART Demo Application for Mobile Phones

BT740 Development Kit Quick Start Guide v1.2

Bluetooth: Short-range Wireless Communication

Specification Volume 2. Specification of the Bluetooth System. Wireless connections made easy. Profiles

SafeTime ios App Wireframes Created by Zach Kuzmic 12/1/13

It doesn t matter what device your contact is using - You can still talk to them on Skype

SWITS User Manual. Accessing SWITS. This document focuses on the elements required to Access SWITS. Total Pages: 5

SFB Mac Meeting Environment

Setup Guide. Page 0

Hardware and Software User Manual

TxEIS on Internet Explorer 8

FRONTLINE TEST SYSTEM

Dominique Chomienne & Michel Eftimakis NewLogic

Tracker Xtreme Bluetooth ActiveSync

Keep Track of Your Passwords Easily

Azure Developer Immersions Application Insights

CS4/MSc Computer Networking. Lecture 13: Personal Area Networks Bluetooth

HOUR 18 Collaborating on Documents

Innovati s Bluetooth 100M Universal Wireless Bluetooth Module

Hardware and Software User Manual

Last Class: Clock Synchronization. Today: More Canonical Problems

Microsoft Excel 2007 Lesson 7: Charts and Comments

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

12/2/09. Mobile and Ubiquitous Computing. Bluetooth Networking" George Roussos! Bluetooth Overview"

Information Technology

SE 4C03 Winter 2005 Bluetooth Wireless Network Technology

Introduction to Bluetooth Wireless Technology

S600 Transferring Parameters

Implementing A Bluetooth Stack on UEFI

Outlook 2007 Calendar

Help Volume Agilent Technologies. All rights reserved. Instrument: Agilent Technologies 16550A Logic Analyzer

RADWIN 5000 SCB Jet User Manual Release

Objectives of the Bluetooth Technology

Classroom Blogging. Training wiki:

Getting classlists and Sending to students

BPA100 Bluetooth Protocol Analyzer

Trimble Recon Handheld: Using the Socket Bluetooth CompactFlash Card

First-Time Login Procedure on XWin32

Using the ispxpga Floorplanner

SpyLite User s Guide for BTW

Dotstack Porting Guide.

Exporting data from reference management software

SVN_Eclipse_at_home. 1. Download Eclipse. a. Go to: and select Eclipse IDE for Java Developers

Hardware and Software User Manual

Quick Reference Guide

Creating a new form with check boxes, drop-down list boxes, and text box fill-ins. Customizing each of the three form fields.

SETUP AND QUICK START GUIDE FTS4BT

ACC1000 QUICK NETWORKING GUIDE

the NXT-G programming environment

AFN Setup. If you have any trouble setting it up please contact the Help Desk by at Outlook 2007 and 2010

USING THE XPERT2 / 9210B ON A TCP/IP NETWORK

DBT-120 Bluetooth USB Adapter

BLUETOOTH HID PROFILE

MODBUS TESTER SOFTWARE U S E R M A N U A L

TOP Server V5 to MicroLogix Using DNP3 Ethernet Driver

Bluetooth Software Installation Readme

How to set up Restrictions on the ipad

Chapter 20 Troubleshooter

USING UPB LIGHTING DEVICES WITH HOMEVISION OR HOMEVISION-PRO

Control Characters used in DirectNET

5 PowerPoint Tricks To Save Time

Using the Computer for Essays

Please refer to application note AN00129 for further details on HCP2 configuration in ABB motion control products.

Web browsers - Firefox

HOST CONTROLLER INTERFACE FUNCTIONAL SPECIFICATION

Streaming Media System Requirements and Troubleshooting Assistance

Guide Installation and User Guide - Windows

Using Servosity PRO/STD to Restore Your Files. This chapter describes different ways files can be restored from the backup server.

Basics of UART Communication

PSoC Academy: How to Create a PSoC BLE Android App Lesson 3: Configure the BLE Component 1

How to set up your wireless network

Burning CDs in Windows XP

Download Keepass from select Professional Edition

etitlesearch User Guide Classic User Accounts

Winthrop University edtpa - Clipping Your Video using Adobe Premiere

x 2 + 3, r 4(x) = x2 1

Wireless for Windows 7

M-BUS/MODBUS CONFIGURATION SOFTWARE FOR GINEERS MMCR-64

THE TASKBAR: A TOOL FOR UNLOCKING THE SECRETS OF WINDOWS 10

ON SECURITY OF BLUETOOTH WIRELESS SYSTEM. Pavel Kucera, Petr Fiedler, Zdenek Bradac, Ondrej Hyncica

You ll find everything you need to get started with your VaaS-t conferencing account in the following pages.

ReCon T Energy Logger. Installation and connection manual

TRAINER MOODLE QUICK GUIDE

How to Setup an Auto-Subscription (Auto- ) for Your Clients in FlexMLS

Introduction to Minitab 1

CTC Accounts Active Directory Synchronizer User Guide

Depending on the computer you find yourself in front of, here s what you ll need to do to open SPSS.

INSTRUCTION MANUAL. BTManager 2.0. for FC-200 with Windows CE5.0

Transcription:

Decrypting Encrypted Bluetooth data with the BPA 500 How Encryption Works in Bluetooth: Bluetooth devices on an encrypted link share a common link key that is used to encrypt data to be transferred. How that link key is created depends upon the pairing method used. Legacy Pairing (Bluetooth 2.0 and earlier) In legacy pairing, this link key is derived from a shared PIN code, the master s Bluetooth clock, the master s BD_ADDR and a random number that is passed between the two devices. The sequence of events used to create this key, or pairing process, is shown in the CPAS Frame Display below. Frame 247 is the LMP_in_rand which is where a random number generated by the master is passed to the slave. The slave acknowledges that it has accepted the number in frame 249. In frames 250 and 251, the combination keys are passed between master and slave. In frame 252, the master sends its LMP_au_rand. This is the random number that has been encrypted using the link key that master has calculated. The slave then responds with frame 253, an LMP_sres confirming that it was able to compute the same number. That process is repeated in the other direction (slave to master) in frames 254 and 255. Then the setup_complete message is sent and they re slave requests encryption mode in frame 257, and the master accepts in frame 258. The actual encryption starts after the start encryption request in frame 261. In order for CPAS to decrypt an encrypted Bluetooth conversation, CPAS must compute the same link key being used by the devices being sniffed. Since this link key is never sent over the air, CPAS must have all of the same information the devices being sniffed have so that it can

calculate the same link key that each of the two devices does. To decrypt successfully, CPAS must know the PIN code and capture: The LMP_in_rand Both LMP_comb_keys Both LMP_au_rand/LMP_sres pairs. If any of these are missed, CPAS will not be able to decrypt. If you capture encrypted data and find that everything captured after the LMP_start_encryption_request is in error, look back at the LMP frames previous to that and you ll probably find one or more of these missing. The Start Encryption Request with also be marked by CPAS with an error that indicates that the link key calculated by CPAS is different from the one used by your devices. Creating a link key with Secure Simple Pairing (SSP) To capture and decrypt data between two Bluetooth devices using Secure Simple Pairing you have two choices. If one of your devices can be put into Secure Simple Pairing Debug Mode, all that needs to be done in I/O Settings is to choose your master and slave. It doesn t matter what s been selected in the Pairing Method drop down, CPAS will see the debug messages being If neither of your devices can be put into debug mode, you ll need to know the link key being used by one of your devices. If that is the case, enter the link key into the box provided. Once the link key has been created, decryption operates the same way it does in legacy pairing. How to Capture and Decrypt Data with the BPA 500 (Legacy Pairing) 1. Run CPAS and select Combined Connection (Classic/low energy)

This will bring up the BPA 500 Datasource. This is where parameters are set for sniffing, including synchronization mode, and the devices to be sniffed.. 2. Select the Devices Under Test tab on the CPAS Datasource. How to setup the I/O Parameters. Make both of your devices discoverable. Press the Discover Devices button (the binoculars on the toolbar). CPAS will find any discoverable Bluetooth devices within its range. You will then be able to select your devices from the master and slave drop down lists. If one or both of your devices can t be made discoverable, you may type in the BD_ADDR(s) directly. 5. If legacy pairing is being used, select Link Key (ASCII) from the Classic Encryption drop down and fill in the PIN. As mentioned above, CPAS needs the PIN code in order to calculate the link key the two devices are using. Alternately, you may enter the Link Key manually if it is known. CPAS also keeps a database of the link keys it s previously calculated, which may be accessed on the Device Database tab. 6. Select the Filter Out (esco/sco, NULL, POLL) set up. These filters are low level hardware filters. There are also Display Filters that you may use later to filter the captured data. Any data filtered out here will not be captured at all. In most cases the default set up (filter out nulls and polls, leave SCO data in) will be OK. 7. The OK button should now be available. If OK is grayed out, there is something set up incorrectly in the I/O Parameter window. For example, if you selected PIN code in the Encryption drop down but you neglected to fill in the PIN code, then OK will be grayed out.

8. Press OK, and then Start Sniffing. When you start sniffing, the Status Icon will go red (not yet synchronized). After a short time (a few seconds) the icon will turn green and the status will change to Waiting to synchronize with clock source. At this point CPAS is synchronized and waiting for a baseband connection. When your connection is established, the Status Icon will turn blue, signifying that a baseband link has been established and data should start to appear in the Frame Display. How to tell if one of your devices is in Secure Simple Pairing Debug Mode When a device is configured in SSP debug mode, CPAS will decode and display the debug key in the Encapsulated Payload message. There will be an Encapsulated Payload message sent from both the master and the slave. The message from the device that is in debug mode will show the debug key, the other will show the public key. Remember, only one of the devices needs to be in SSP debug mode. Encapsulated Payload message from a device in SSP Debug Mode:

Encapsulated Payload message from a device NOT in SSP Debug Mode:

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback