Bluetooth Pairing via BlueZ in Just Work Mode Fails - Confirm Value Failed
Kernel: Linux 4.9.84 armv7l on board
Bluez: 5.65
Peer: Android 12 & IOS 16.6
Application:
- Use btmgmt open bluetooth settings
btmgmt power off
btmgmt connectable on
btmgmt pairable on
btmgmt power on
btmgmt le on
btmgmt io-cap 0x3(set io capability as NoInputNoOutput)
btmgmt ssp on (use legacy mode)
- BT_SECURITY for the L2CAP socket has been set to low, and an encryption requirement has been applied to one characteristic.
Process:
I didn't manually create an agent with IO capability via bluetoothctl, but with the above operations, it seems like the protocol automatically creates an agent to handle pairing issues when I try to access the characteristic with the encryption requirement.
We can see the communication via btmon.
> ACL Data RX: Handle 24 flags 0x02 dlen 11 #240 [hci0] 74.105218
SMP: Pairing Request (0x01) len 6
IO capability: KeyboardDisplay (0x04)
OOB data: Authentication data not present (0x00)
Authentication requirement: Bonding, MITM, SC, No Keypresses, CT2 (0x2d)
Max encryption key size: 16
Initiator key distribution: EncKey IdKey Sign LinkKey (0x0f)
Responder key distribution: EncKey IdKey Sign LinkKey (0x0f)
< ACL Data TX: Handle 24 flags 0x00 dlen 11 #241 [hci0] 74.105300
SMP: Pairing Response (0x02) len 6
IO capability: NoInputNoOutput (0x03)
OOB data: Authentication data not present (0x00)
Authentication requirement: Bonding, MITM, Legacy, No Keypresses (0x05)
Max encryption key size: 16
Initiator key distribution: EncKey Sign (0x05)
Responder key distribution: EncKey Sign (0x05)
> HCI Event: Number of Completed Packets (0x13) plen 5 #242 [hci0] 74.224936
Num handles: 1
Handle: 24 Address: 67:D0:40:D9:1D:BF (Resolvable)
Count: 1
> ACL Data RX: Handle 24 flags 0x02 dlen 21 #243 [hci0] 75.304575
SMP: Pairing Confirm (0x03) len 16
Confim value: bf331d0c1af509252c7ac50a03acc66f
< ACL Data TX: Handle 24 flags 0x00 dlen 21 #244 [hci0] 75.304672
SMP: Pairing Confirm (0x03) len 16
Confim value: ac378c91768d6efd8b5b07ad5cd78ba4
> HCI Event: Number of Completed Packets (0x13) plen 5 #245 [hci0] 75.425942
Num handles: 1
Handle: 24 Address: 67:D0:40:D9:1D:BF (Resolvable)
Count: 1
> ACL Data RX: Handle 24 flags 0x02 dlen 21 #246 [hci0] 75.484575
SMP: Pairing Random (0x04) len 16
Random value: 830af66a612fb5dcb8bf8376a43b8dda
< ACL Data TX: Handle 24 flags 0x00 dlen 6 #247 [hci0] 75.486908
SMP: Pairing Failed (0x05) len 1
Reason: Confirm value failed (0x04)
> HCI Event: Number of Completed Packets (0x13) plen 5 #248 [hci0] 75.545938
Num handles: 1
Handle: 24 Address: 67:D0:40:D9:1D:BF (Resolvable)
Count: 1
> HCI Event: Disconnect Complete (0x05) plen 4 #249 [hci0] 79.624942
Status: Success (0x00)
Handle: 24 Address: 67:D0:40:D9:1D:BF (Resolvable)
Reason: Remote User Terminated Connection (0x13)
Problem: I faced the problem where the Peripheral (my board) confirmation failed during the confirm phase. For details, see the btmon message in the picture above.
ps : This picture from Core_v5.4 Vol3, Part H, pate 1618
Suspicion:
I'm not quite sure where the problem is located, but after reading the confirmation calculation formula, I suspect it might be due to the algorithm differences between my phone and my board or an address issue, as the other parameters seem to be the same.
I have tried to connect to my virtual machine(ubuntu) via Bluetooth with the same BlueZ version and the same operations, and it worked! Therefore, I suspect the problem is located in the kernel configuration of my board
The problem was finally located in the Linux Kernel configuration.
The recommended configuration from Bluez is shown in the picture below.
(Screenshot from A1 Bluetooth Linux Study Guide - Installation and Configuration.pdf Page 4 downloaded from the official website)
However, this configuration leads to a confirm value calculation failure, so an extra configuration is needed
* User-space interface for random number generator algorithms
- confused by sys_stat, sys_statfs syscall works
- What to prefer between `spin_lock_init` and `DEFINE_SPINLOCK` and when?
- Add New Kernel Parameter To Custom Linux Image Generated By Yocto
- Install linux-headers on debian unable to locate package
- Bluetooth Pairing via BlueZ in Just Work Mode Fails - Confirm Value Failed
- Connecting display on BeagleBone AI-64 miniDP is not working
- Executing commands as root on API 31 + / File system access
- How to create opengl context via drm (Linux)
- Where is SYSCALL() implemented in Linux?
- Find out which thread/process is consuming CPU
- kretprobe handlers in kernel 3.x not getting called
- Is built PREEMPT_RT more pre-emptive than PREEMPT_DYNAMIC set on full?
- Linux shared library loading and sharing the code with other process
- Does asmlinkage mean stack or registers?
- Cannot read syscall arguments from a kprobe handler
- Send a ping packet using dev_queue_xmit
- Linux Kernel: System call hooking example
- Is it allowed to allocate spin locks on the stack?
- kernel probes shows wrong returned data
- Magic numbers of the Linux reboot() system call
- Is it possible to binary patch an uncritical compare instruction of /boot/vmlinuz and make it run as normal?
- Using epoll on a sampling perf_event_open file descriptor returns EPOLLHUP
- Include Linux kernel headers for intellisense in vs code
- Debugging a closed-source kernel module with CONFIG_KPROBES turned off
- Hooking syscall by modifying sys_call_table does not work
- Unrecognized jedec id
- How to measure the execution time of a function in Linux kernel Module?
- kprobe on getdents64() fails
- How can I make DPDK timers work really asynchronously?
- Troubleshooting Execution Failure of the musl-libc Shared Library