ESP32 BLE Security #793
Hi chegewara, I think I found the solution. I tried to implement all the missing things in the Arduino BLE library, so I added in the file BLESecurity.h: In the file BLESecurity.cpp I added: void BLESecurity::setSpecifiedSecAuth(uint8_t auth_option) { void BLESecurity::setOobSupport(uint8_t oob_support) { And in esp_gap_ble_api.h And again in esp_gap_ble_api.h #define ESP_BLE_ONLY_ACCEPT_SPECIFIED_AUTH_DISABLE 0 #define ESP_BLE_OOB_DISABLE 0 or it would be better to update the old file with: I updated BLE_server_passkey.ino: The result is that the static passkey is not working (when I try to connect with nRF the connection is made without a passkey), but if I change So I think the problem that I had with the security connection using a random passkey is solved; now I have to understand what to do to use a static passkey. |
Hi, It should be |
Unfortunately ESP_IO_CAP_IO is not the solution; I tried it and I have to input a random passkey to connect. [D][BLEDevice.cpp:104] gattServerEventHandler(): gattServerEventHandler [esp_gatt_if: 4] ... Unknown |
Try this:
I know static passkey is working because I tested it months ago when it was added to esp-idf. |
Tried, same result. |
Hi,
Replace this code:
I will try to add it to BLESecurity. |
This is minimal code required to connect with static PIN:
when you add this code to BLESecurity.cpp:
PS I'm not sure that a minimalist approach is good in this case |
I found the problem. |
After successfully connecting one ESP32 and an Android smartphone with security, I tried to connect two ESP32s using security. I used for server: and for client: Starting Arduino BLE Client application... Could you confirm the same result if you try? Or tell me what I am doing wrong? |
Yes there is. I copied and pasted all the code |
OK, I understood what you mean. I thought the problem was the new security implementation, so I tried the standard client server samples, but I have the same error. |
Try this tool to decode backtrace: |
I searched on the forum about the problem and I found: Next I will continue to test how to connect two esp32 with security |
These days, I tried to connect two ESP32s using security, one as server and one as client; my goal was that the server provides a passkey (random for now) and the client connects using this passkey, like it works with a smartphone. To make the server provide a password I wrote: BLESecurity *pSecurity = new BLESecurity(); When I try to connect with a smartphone I am prompted to insert the passkey; if I write the wrong password I cannot read and write the characteristics. This is what I did with the ESP32 client to connect to the server: BLESecurity *pSecurity = new BLESecurity(); I set ESP_IO_CAP_IN (I also tried ESP_IO_CAP_KBDISP) because on this side I have to write the passkey provided by the server. Here is the log, server side: as you can see, when the client tries to connect, on the server side there is correctly an ESP_GAP_BLE_PASSKEY_NOTIF_EVT. Here is the log, client side:
Here I can see that onAuthenticationComplete(): pair status = fail At this point I do not understand if I am missing something or if there is a bug |
Try to setup this for every characteristic and descriptor: EDIT |
Thank you for the super fast answer. What I do not understand is how the client can input the right passkey to connect correctly to the server? |
You have 30 seconds to get the passkey from a keyboard attached to the esp32 client and pass it here as return value (int): |
Well, I see that when a smartphone tries to connect, what you say happens; it stops on: [D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 20] and only when I write the correct passkey I have: [D][BLEDevice.cpp:251] gapEventHandler(): ESP_GAP_BLE_KEY_EVT If I try with the ESP32 client there is no waiting time; this is the server log: [D][BLEDevice.cpp:106] gattServerEventHandler(): gattServerEventHandler [esp_gatt_if: 4] ... ESP_GATTS_CONNECT_EVT All this happens in one second. I tried to set a static key in the server 123456 and the client connects successfully. |
Because in onPassKeyRequest you need some sort of logic that will wait for your key to be input from the keypad, and then when you have the correct passkey you can return it. There is some logic missing, because you have to handle keypad input. If I would do this I would use a semaphore or queue to wait for input. |
Ok sorry, I did not understand. |
good info here.
The problem is even when setting each characteristic with the read/write permission with encrypted flag: A client can still request and receive notifications without ever being prompted for the key. Please advise. |
Interesting. I can see 3 options here:
I didn't consider such a case before and it requires tests/research, or you could ask on the esp-idf GitHub issue tracker and get an answer from someone smarter than me. |
I see, appreciate the quick reply. To clarify, are issues related to this BLE library for Arduino welcome in the esp-idf issue tracker? I'm unfamiliar with it, but I would imagine that it would not be welcome as it is an abstraction of esp-idf. Update: Apparently the Descriptor also needs to be protected with encryption flags. This makes sense because the notify/indicate request by the client is part of the Descriptor function. After adding this to the Descriptor, if the client requests to receive notifications, it must first provide the key. |
Hello I am new on ESP32, |
Hello guys. Is there any simple procedure to make it work on the new version too? |
This example is working with v1.0.4 for sure: |
I used the example you sent me and when I compile the sketch it shows
"class BLESecurity has no member named 'setStaticPIN'"
I have reinstalled 1.0.4. Do I have to change BLESecurity.h
and BLESecurity.cpp as well? What code must I add to make it work properly?
Thank you for your time!
On Mon, 7 Dec 2020, 21:19, user chegewara <[email protected]>
wrote:
… This example is working with v1.0.4 for sure:
https://github.com/nkolban/esp32-snippets/blob/master/cpp_utils/tests/BLETests/Arduino/security/StaticPIN/StaticPIN.ino
|
Well, you have to replace BLESecurity.cpp and .h in the Arduino library with files from this repository. I don't know why it has not been done yet in arduino-esp32. |
Of course it works
Thank you very much!!!
Have a nice day
|
Unfortunately, when I use uart_example, I can transmit and receive data
(over a serial BT terminal app) even if I haven't bonded the ESP with my phone.
What can I do to make the PIN entry mandatory before the transmission starts?
In other words, if the ESP is not bonded with the mobile phone, do not start the communication/transmission.
|
There are 2 options:
|
Because I'm new to the ESP32, I don't know how to do it, so I'd appreciate it if you could help me. Here is my sketch: #include <BLEDevice.h> BLECharacteristic *pCharacteristic; #define SERVICE_UUID "6E400001-B5A3-F393-E0A9-E50E24DCCA9E" // UART service UUID class MyServerCallbacks: public BLEServerCallbacks {
}; class MyCallbacks: public BLECharacteristicCallbacks { class MySecurity : public BLESecurityCallbacks { uint32_t onPassKeyRequest(){ void onPassKeyNotify(uint32_t pass_key){ bool onSecurityRequest(){ void onAuthenticationComplete(esp_ble_auth_cmpl_t cmpl){ void setup() { Serial.begin(115200); // Create the BLE Device // Create the BLE Server // Create the BLE Service // Create a BLE Characteristic pCharacteristic->addDescriptor(new BLE2902()); BLECharacteristic *pCharacteristic = pService->createCharacteristic( pCharacteristic->setAccessPermissions(ESP_GATT_PERM_READ_ENCRYPTED | ESP_GATT_PERM_WRITE_ENCRYPTED); pCharacteristic->setCallbacks(new MyCallbacks()); pCharacteristic->setValue("Hello World says Neil"); // Start advertising BLESecurity *pSecurity = new BLESecurity(); } |
Yes, that should be enough. |
Unfortunately the problem still exists using the above sketch. The data transmission begins even without having bonded the ESP32 with the mobile phone. So what would be the solution to force pairing only with a passkey on connect? |
I'm pretty sure this should work. Maybe your smartphone is already bonded with the esp32? Did you erase all pairing data? I remember I did not erase the data many times when I was writing the security class, and I had a headache because of that. |
Hiya legends, I've tried adding the Any advice? |
Hi,
|
So if I add either one, essentially it will prevent access to the characteristics unless passkey is entered? |
@chegewara you sir, are a legend! Added option 2 and it works perfectly now. |
How to ensure/test AES128 bit encryption is enforced on Espressif BLE Hi there, we have an esp32-Wroom that we are trying to set a BLE server up on.
We start up the esp32 and then use Wireshark to watch the communication between the phone and the BLE server... Are we doing something wrong? Or how do we go about testing that encryption is indeed taking place when communicating with the BLE server? |
2 posts above: |
Thanks for the quick response @chegewara, I've added the line as you mentioned, see code snippet below & screenshots:
I also see the response from the server: As you can see the "Sent Write Request" is still unencrypted, am I missing something? Kind regards, Marco |
You may have to play with other options too, like bonding. PS after checking the code I think I know the reason |
This is what finally worked for me trying to use the static pin. BLESecurity *pSecurity = new BLESecurity(); |
Hi everybody,
I am trying to understand how BLE security works on ESP32 and I saw something that seems strange to me.
I am using :
Arduino IDE 1.8.8
ESP32 1.0.0 Espressif Systems board library
ESP32 BLE Arduino 1.0.1 library by Neil Kolban
I downloaded:
BLE_server_passkey.ino
I tried to connect with two Android smartphones:
First Vodafone Smart Ultra 6 (Android 6.0.1)
When I try to connect with the nRF Connect App I have to write the passkey as I expected; here is the log:
[D][BLEDevice.cpp:104] gattServerEventHandler(): gattServerEventHandler [esp_gatt_if: 4] ... Unknown
[D][BLEServer.cpp:153] handleGATTServerEvent(): >> handleGATTServerEvent: Unknown
[D][BLECharacteristic.cpp:203] handleGATTServerEvent(): >> handleGATTServerEvent: Unknown
[D][BLECharacteristic.cpp:459] handleGATTServerEvent(): << handleGATTServerEvent
[D][BLEServer.cpp:280] handleGATTServerEvent(): << handleGATTServerEvent
[I][BLEDevice.cpp:239] gapEventHandler(): ESP_GAP_BLE_PASSKEY_NOTIF_EVT
[I][BLEDevice.cpp:241] gapEventHandler(): passKey = 756464
[I][BLE_server_passkey.ino:23] onPassKeyNotify(): The passkey Notify number:756464
[D][BLEDevice.cpp:559] getAdvertising(): get advertising
[D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 11]
[D][BLEDevice.cpp:559] getAdvertising(): get advertising
[D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 20]
[D][BLEDevice.cpp:249] gapEventHandler(): ESP_GAP_BLE_KEY_EVT
[I][BLEDevice.cpp:251] gapEventHandler(): key type = ESP_LE_KEY_LENC
[D][BLEDevice.cpp:559] getAdvertising(): get advertising
[D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 9]
[D][BLEDevice.cpp:249] gapEventHandler(): ESP_GAP_BLE_KEY_EVT
[I][BLEDevice.cpp:251] gapEventHandler(): key type = ESP_LE_KEY_PENC
[D][BLEDevice.cpp:559] getAdvertising(): get advertising
[D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 9]
[D][BLEDevice.cpp:559] getAdvertising(): get advertising
[D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 20]
[I][BLEDevice.cpp:255] gapEventHandler(): ESP_GAP_BLE_AUTH_CMPL_EVT
[I][BLE_server_passkey.ino:36] onAuthenticationComplete(): Starting BLE work!
Second HUAWEI GRA-L09 (HUAWEI P8) (Android 6.0)
When I try to connect with the nRF Connect App I can connect without writing the passkey; here is the log:
[D][BLEDevice.cpp:104] gattServerEventHandler(): gattServerEventHandler [esp_gatt_if: 4] ... Unknown
[D][BLEServer.cpp:153] handleGATTServerEvent(): >> handleGATTServerEvent: Unknown
[D][BLECharacteristic.cpp:203] handleGATTServerEvent(): >> handleGATTServerEvent: Unknown
[D][BLECharacteristic.cpp:459] handleGATTServerEvent(): << handleGATTServerEvent
[D][BLEServer.cpp:280] handleGATTServerEvent(): << handleGATTServerEvent
[D][BLEDevice.cpp:559] getAdvertising(): get advertising
[D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 20]
[D][BLEDevice.cpp:559] getAdvertising(): get advertising
[D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 20]
[I][BLEDevice.cpp:255] gapEventHandler(): ESP_GAP_BLE_AUTH_CMPL_EVT
[I][BLE_server_passkey.ino:36] onAuthenticationComplete(): Starting BLE work!
Any idea?
Best Regards
Marco
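As an added example (not part of the original post or of the library), this Python sketch separates the two server logs above by the GAP events they contain: the first shows a passkey notification and key events before ESP_GAP_BLE_AUTH_CMPL_EVT, the second reaches it with neither. The function names and result labels are assumptions made for illustration.

```python
import re

# Arduino-ESP32 debug log prefix: [level][file:line] function(): message
LINE_RE = re.compile(r"^\[[A-Z]\]\[[^:\]]+:\d+\]\s+\w+\(\):\s*(?P<msg>.*)$")
GAP_EVT_RE = re.compile(r"ESP_GAP_BLE_(\w+?)_EVT")
KEY_RE = re.compile(r"key type = (ESP_LE_KEY_\w+)")

# Lines copied (abridged) from the two server logs in the post.
PHONE_A_LOG = """\
[D][BLEServer.cpp:153] handleGATTServerEvent(): >> handleGATTServerEvent: Unknown
[I][BLEDevice.cpp:239] gapEventHandler(): ESP_GAP_BLE_PASSKEY_NOTIF_EVT
[I][BLEDevice.cpp:241] gapEventHandler(): passKey = 756464
[D][BLEDevice.cpp:249] gapEventHandler(): ESP_GAP_BLE_KEY_EVT
[I][BLEDevice.cpp:251] gapEventHandler(): key type = ESP_LE_KEY_LENC
[D][BLEDevice.cpp:249] gapEventHandler(): ESP_GAP_BLE_KEY_EVT
[I][BLEDevice.cpp:251] gapEventHandler(): key type = ESP_LE_KEY_PENC
[I][BLEDevice.cpp:255] gapEventHandler(): ESP_GAP_BLE_AUTH_CMPL_EVT
"""
PHONE_B_LOG = """\
[D][BLEServer.cpp:153] handleGATTServerEvent(): >> handleGATTServerEvent: Unknown
[D][BLEAdvertising.cpp:479] handleGAPEvent(): handleGAPEvent [event no: 20]
[I][BLEDevice.cpp:255] gapEventHandler(): ESP_GAP_BLE_AUTH_CMPL_EVT
"""


def summarize(log_text):
    """Collect GAP security events, key types and a reported pairing failure."""
    events, keys, failed = [], [], False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a library log line
        msg = m.group("msg")
        events += GAP_EVT_RE.findall(msg)
        keys += KEY_RE.findall(msg)
        failed = failed or "pair status = fail" in msg
    return {"events": events, "keys": keys, "failed": failed}


def classify(log_text):
    """Label one connection attempt from the events its log contains."""
    s = summarize(log_text)
    if "AUTH_CMPL" not in s["events"]:
        return "no-auth-complete"
    if s["failed"]:
        return "pairing-failed"
    if "PASSKEY_NOTIF" in s["events"] and s["keys"]:
        return "passkey-pairing-with-keys"
    return "auth-complete-without-passkey"
```

Run against a captured serial log, the `auth-complete-without-passkey` label marks connections worth checking for a stale bond or for missing encrypted permissions on characteristics and descriptors, both of which come up in the replies.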