Kernel: Linux 4.9.84 armv7l on board
BlueZ: 5.65
Peer: Android 12 & iOS 16.6
Application:
```
btmgmt power off
btmgmt connectable on
btmgmt pairable on
btmgmt power on
btmgmt le on
btmgmt io-cap 0x3   # set io capability as NoInputNoOutput
btmgmt ssp on       # use legacy mode
```
Process:
I didn't manually create an agent with IO capability via bluetoothctl, but with the above operations, it seems like the protocol automatically creates an agent to handle pairing issues when I try to access the characteristic with the encryption requirement.
We can see the communication via btmon.
```
> ACL Data RX: Handle 24 flags 0x02 dlen 11 #240 [hci0] 74.105218
      SMP: Pairing Request (0x01) len 6
        IO capability: KeyboardDisplay (0x04)
        OOB data: Authentication data not present (0x00)
        Authentication requirement: Bonding, MITM, SC, No Keypresses, CT2 (0x2d)
        Max encryption key size: 16
        Initiator key distribution: EncKey IdKey Sign LinkKey (0x0f)
        Responder key distribution: EncKey IdKey Sign LinkKey (0x0f)
< ACL Data TX: Handle 24 flags 0x00 dlen 11 #241 [hci0] 74.105300
      SMP: Pairing Response (0x02) len 6
        IO capability: NoInputNoOutput (0x03)
        OOB data: Authentication data not present (0x00)
        Authentication requirement: Bonding, MITM, Legacy, No Keypresses (0x05)
        Max encryption key size: 16
        Initiator key distribution: EncKey Sign (0x05)
        Responder key distribution: EncKey Sign (0x05)
> HCI Event: Number of Completed Packets (0x13) plen 5 #242 [hci0] 74.224936
        Num handles: 1
        Handle: 24 Address: 67:D0:40:D9:1D:BF (Resolvable)
        Count: 1
> ACL Data RX: Handle 24 flags 0x02 dlen 21 #243 [hci0] 75.304575
      SMP: Pairing Confirm (0x03) len 16
        Confim value: bf331d0c1af509252c7ac50a03acc66f
< ACL Data TX: Handle 24 flags 0x00 dlen 21 #244 [hci0] 75.304672
      SMP: Pairing Confirm (0x03) len 16
        Confim value: ac378c91768d6efd8b5b07ad5cd78ba4
> HCI Event: Number of Completed Packets (0x13) plen 5 #245 [hci0] 75.425942
        Num handles: 1
        Handle: 24 Address: 67:D0:40:D9:1D:BF (Resolvable)
        Count: 1
> ACL Data RX: Handle 24 flags 0x02 dlen 21 #246 [hci0] 75.484575
      SMP: Pairing Random (0x04) len 16
        Random value: 830af66a612fb5dcb8bf8376a43b8dda
< ACL Data TX: Handle 24 flags 0x00 dlen 6 #247 [hci0] 75.486908
      SMP: Pairing Failed (0x05) len 1
        Reason: Confirm value failed (0x04)
> HCI Event: Number of Completed Packets (0x13) plen 5 #248 [hci0] 75.545938
        Num handles: 1
        Handle: 24 Address: 67:D0:40:D9:1D:BF (Resolvable)
        Count: 1
> HCI Event: Disconnect Complete (0x05) plen 4 #249 [hci0] 79.624942
        Status: Success (0x00)
        Handle: 24 Address: 67:D0:40:D9:1D:BF (Resolvable)
        Reason: Remote User Terminated Connection (0x13)
```
Problem: I faced the problem where the Peripheral (my board) confirmation failed during the confirm phase. For details, see the btmon message in the picture above.
P.S.: This picture is from Core_v5.4 Vol3, Part H, page 1618.
Suspicion:
I'm not quite sure where the problem is located, but after reading the confirmation calculation formula, I suspect it might be due to the algorithm differences between my phone and my board or an address issue, as the other parameters seem to be the same.
I have tried to connect to my virtual machine (Ubuntu) via Bluetooth with the same BlueZ version and the same operations, and it worked! Therefore, I suspect the problem is located in the kernel configuration of my board.
The problem was finally located in the Linux Kernel configuration.
The recommended configuration from BlueZ is shown in the picture below.
(Screenshot from A1 Bluetooth Linux Study Guide - Installation and Configuration.pdf Page 4 downloaded from the official website)
However, this configuration leads to a confirm value calculation failure, so an extra configuration is needed:
* User-space interface for random number generator algorithms
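
An added example, not part of the original post: the Pairing Request and Pairing Response in the btmon trace above decide which pairing mode and association model the link uses, and the same two 7-byte PDUs are inputs (`preq`, `pres`) to the legacy confirm value function. The helper names are hypothetical and the PDU bytes are rebuilt from the decoded fields shown in the trace.

```python
from collections import namedtuple

# Field order of the 7-byte SMP Pairing Request/Response PDU.
PairingPdu = namedtuple(
    "PairingPdu", "opcode io_cap oob auth_req max_key init_dist resp_dist")
IO_CAPS = ("DisplayOnly", "DisplayYesNo", "KeyboardOnly",
           "NoInputNoOutput", "KeyboardDisplay")
MITM, SC = 0x04, 0x08          # AuthReq flag bits
NO_IO, HAS_KEYBOARD, HAS_YES_NO = 3, (2, 4), (1, 4)

def parse(pdu_hex, opcode):
    raw = bytes.fromhex(pdu_hex)
    if len(raw) != 7 or raw[0] != opcode or raw[1] >= len(IO_CAPS):
        raise ValueError("malformed SMP pairing PDU: " + pdu_hex)
    return PairingPdu(*raw)

def negotiate(preq, pres):
    """Return what the two PDUs agree on (hypothetical helper)."""
    sc = bool(preq.auth_req & pres.auth_req & SC)        # both must offer SC
    mitm = bool((preq.auth_req | pres.auth_req) & MITM)  # either side may ask
    ios = (preq.io_cap, pres.io_cap)
    # Legacy uses OOB only if both sides have data; SC if either side has it.
    oob = (preq.oob or pres.oob) if sc else (preq.oob and pres.oob)
    if oob:
        method = "OOB"
    elif not mitm or NO_IO in ios:
        method = "Just Works"
    elif sc and all(io in HAS_YES_NO for io in ios):
        method = "Numeric Comparison"
    elif any(io in HAS_KEYBOARD for io in ios):
        method = "Passkey Entry"
    else:
        method = "Just Works"
    return {
        "pairing": "LE Secure Connections" if sc else "LE legacy",
        "method": method,
        "authenticated": method != "Just Works",
        "key_size": min(preq.max_key, pres.max_key),
        "initiator_keys": preq.init_dist & pres.init_dist,
        "responder_keys": preq.resp_dist & pres.resp_dist,
    }

# Bytes rebuilt from the decoded fields of frames #240 and #241 in the trace.
PREQ = parse("0104002d100f0f", 0x01)
PRES = parse("02030005100505", 0x02)

if __name__ == "__main__":
    for name, value in negotiate(PREQ, PRES).items():
        print(f"{name}: {value}")
```

For this trace the result is LE legacy pairing with Just Works, so the temporary key is all zeros and the resulting key is unauthenticated even though both sides set the MITM flag.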