Tags: encryption, bluetooth-lowenergy, wireshark, packet-sniffers

How to decode BLE encrypted packets


Context

Bluetooth Low Energy Mesh Sniffing

I am using an nrf52840-MDK along with its sniffer software with Wireshark to sniff packets sent from my iPhone to a BLE Mesh light bulb. I figured out that the commands I send from my iPhone are sent using some type of encryption.

The encryption

During provisioning the master and slave communicate a set of 1024 bit public keys labeled X and Y. The BLE light bulb advertises no OOB support, and the FIPS P-256 elliptic curve algorithm in the "algorithm label". I have a set of two public keys X and Y, both 64 hexadecimal characters long. These are transmitted during provisioning. There is also a confirmation sent, with another hexadecimal number.

The question

I want to know if there are any decoders available for these algorithms? How can I decode the encrypted data inside the packets? The data seems to be sent with L2CAP fragmentation, and then reassembled in a packet named "network_pdu (complete)". Any help would be appreciated. Links to good documentation would also be nice!

I tried looking for a decoder for this data, in which I can (1) derive the private key from the two public keys I was given, and (2) plug the private key along with the encrypted data in to find the decrypted data. I had no luck. I am also wondering if maybe there is a better way to do this; my end goal is to be able to have full access to all the services of this BLE light and make my own applications.


Solution

  • If it's Diffie-Hellman key exchange you are talking about, then a passive eavesdropper can't "crack" it. You'd better download an equivalent Android app in APK format and decompile it, if you want to reverse engineer.
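As an added illustration of the answer's point (this is not code from the question, the answer, or any Bluetooth SIG library): a pure-Python P-256 ECDH of the kind Mesh provisioning performs, where the Public Key PDU carries the X and Y coordinates (32 bytes each, i.e. the two 64-hex values seen in the capture) and ECDHSecret is the X coordinate of the shared point. The two private scalars are constructed sample values and the function names are mine.

```python
# P-256 (secp256r1) parameters: the "FIPS P-256" curve the Capabilities PDU names.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def point_add(p1, p2):
    """Affine addition on P-256; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Double-and-add (not constant time; a demonstration, not a product)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def public_key_pdu(priv):
    """The 64 bytes carried in a Provisioning Public Key PDU: X || Y, 32 bytes each."""
    x, y = scalar_mult(priv, G)
    return x.to_bytes(32, "big") + y.to_bytes(32, "big")

def ecdh_secret(priv, peer_pdu):
    """ECDHSecret: X coordinate of priv * peer point; peer point is validated first."""
    x, y = int.from_bytes(peer_pdu[:32], "big"), int.from_bytes(peer_pdu[32:], "big")
    if (y * y - (x ** 3 + A * x + B)) % P:     # reject anything not on P-256
        raise ValueError("peer public key is not a point on P-256")
    return scalar_mult(priv, (x, y))[0].to_bytes(32, "big")

# Constructed sample private scalars (hypothetical; never sent over the air), one per side.
PROVISIONER_PRIV = 0x1111111111111111111111111111111111111111111111111111111111111111
DEVICE_PRIV = 0x2222222222222222222222222222222222222222222222222222222222222222
```

Only a private scalar, which never leaves its device, turns the two captured PDUs into ECDHSecret; the provisioning session key and, through it, the NetKey that protects the network PDUs are derived from that secret, which is why the capture alone cannot be decoded.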